CN112994941A - Method and device for deploying anti-DDoS cloud host and anti-DDoS attack protection system

Info

Publication number: CN112994941A
Authority: CN (China)
Prior art keywords: cloud host, ddos, virtual, information, address
Legal status: Granted (active)
Application number: CN202110204982.6A
Other languages: Chinese (zh)
Other versions: CN112994941B (en)
Inventors: 王海波, 范渊, 杨勃
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd; priority to CN202110204982.6A; published as CN112994941A; granted as CN112994941B

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1458 Denial of Service
            • H04L63/02 ... for separating internal from external traffic, e.g. firewalls > H04L63/0272 Virtual private networks
            • H04L63/10 ... for controlling access to devices or network resources
        • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/08 Configuration management of networks or network elements > H04L41/0803 Configuration setting

Abstract

The application relates to a method and a device for deploying a DDoS (distributed denial of service) resistant cloud host and a DDoS attack resistant protection system, wherein the method comprises the following steps: acquiring tenant request information; acquiring equipment information of a plurality of target server cloud hosts, and creating a distributed anti-DDoS cloud host in the physical computing node corresponding to each target server cloud host based on the tenant request information and the equipment information; acquiring configuration information, wherein the configuration information comprises first configuration information and second configuration information; configuring a first virtual communication network port between each distributed anti-DDoS cloud host and the virtual switch based on the first configuration information, and configuring a second virtual communication network port between the virtual switch and the target server cloud host based on the second configuration information. Through the application, the problem in the related art that the anti-DDoS server cannot be adapted to the VPC network cloud platform is solved, the service performance of the anti-DDoS server is improved, and the cost is reduced.

Description

Method and device for deploying anti-DDoS cloud host and anti-DDoS attack protection system
Technical Field
The application relates to the technical field of computers, in particular to a method and a device for deploying a DDoS (distributed denial of service) resistant cloud host and a DDoS attack resistant protection system.
Background
With the development of cloud computing technology, moving servers to the cloud has become a trend. A cloud platform is composed of a plurality of physical servers, and the cloud network contains a plurality of layer-2 or large layer-2 networks, such as vlan networks and vxlan networks. Some large private or public clouds usually adopt a VPC network form, that is, each tenant can customize its own layer-3 network segment; for example, tenant 1 and tenant 2 can each define the layer-3 network segment 192.168.1.0/24 while using different layer-2 networks, for example vlan2 and vlan3. By virtue of its layer-3, layer-4 and layer-7 network security protection capability, the anti-DDoS server has become a necessary option for all public-network servers.
In the related art, the anti-DDoS server is adapted to the VPC network cloud platform by installing a physical/virtual three-layer forwarding device between the anti-DDoS server and the cloud host, however, the following disadvantages exist in this method: (1) when the anti-DDoS server is communicated with the cloud host, the anti-DDoS server needs to pass through the same forwarding device for multiple times, and due to the fact that the bandwidth of the forwarding device is limited, communication delay between the anti-DDoS server and the cloud host is too long, and the problem that the using performance of the anti-DDoS server is poor is caused. (2) Hardware configuration of the DDoS resistant server cannot be distributed as required, resulting in higher cost for users.
At present, no effective solution has been proposed for the problems in the related art that the anti-DDoS server cannot be adapted to a VPC network cloud platform, that the service performance of the anti-DDoS server needs to be improved, and that its cost needs to be reduced.
Disclosure of Invention
The embodiment of the application provides a method and a device for deploying a DDoS-resistant cloud host and a DDoS-resistant attack protection system, so as to solve the problem in the related art that a DDoS-resistant server cannot be adapted to a VPC network cloud platform, to improve the service performance of the DDoS-resistant server, and to reduce the cost.
In a first aspect, an embodiment of the present application provides a method for deploying an anti-DDoS cloud host, where the method includes:
acquiring tenant request information, wherein the tenant request information comprises information of a tenant request for creating a DDoS (distributed denial of service) resistant cloud host, and the DDoS resistant cloud host represents a cloud host with a DDoS attack resistant protection function;
acquiring equipment information of a plurality of target server cloud hosts, and creating a distributed anti-DDoS cloud host in a physical computing node corresponding to each target server cloud host based on the tenant request information and the equipment information; the device information comprises position information of a physical computing node where the target server cloud host is located, and the target server cloud host represents a server cloud host needing to be protected against DDoS attack;
acquiring configuration information, wherein the configuration information comprises first configuration information and second configuration information and is used for configuring a virtual communication network port between the distributed DDoS-resistant cloud host and a virtual switch and between the virtual switch and the target server side cloud host;
configuring a first virtual communication network port between each distributed anti-DDoS cloud host and the virtual switch based on the first configuration information, and configuring a second virtual communication network port between the virtual switch and the target server cloud host based on the second configuration information.
In some embodiments, the obtaining the configuration information includes:
acquiring network demand information of the tenant and internal network information corresponding to the target server cloud host, wherein the internal network information represents network information of an internal network having a communication relation with the target server cloud host; the network demand information represents the network port information of the virtual communication network port required by the tenant and the network information of the external network corresponding to the required virtual communication network port;
acquiring the first configuration information based on the network demand information, wherein the first configuration information comprises the number and the type of the first virtual communication network ports and network information corresponding to an external network;
and acquiring the second configuration information based on the internal network information, wherein the second configuration information comprises the number and the type of the second virtual communication network ports and network information corresponding to the internal network.
In some of these embodiments, the method further comprises: acquiring a current user access mode, wherein the user access mode comprises a common account access mode and an operation account access mode;
setting a flow control rule of the virtual switch based on the current user access mode and the Openflow protocol, wherein the flow control rule is used for controlling the data flow at the ingress and egress of the virtual switch; the flow control rule comprises a data packet discarding rule and a data packet address modifying rule, and the data flow comprises the data packets passing through the virtual switch gateway.
In some embodiments, the setting of the flow control rule of the virtual switch based on the current user access mode and the Openflow protocol includes:
if the current user access mode is the common account access mode, setting a data packet discarding rule of the virtual switch gateway based on the Openflow protocol; the packet discarding rules include a first discarding rule and a second discarding rule; the first discarding rule includes discarding the data packet if the destination MAC address of a data packet in the egress direction of the virtual switch is the same as the MAC address of the second virtual communication port; the second discarding rule includes discarding the data packet if the destination IP address of a data packet in the egress direction of the virtual switch is the same as the IP address of the second virtual communication port;
if the current user access mode is the operation account access mode, setting a data packet address modification rule of the virtual switch gateway based on the Openflow protocol; the data packet address modification rule comprises a first address modification rule and a second address modification rule; the first address modification rule comprises modifying the source MAC address of the data packet to a local MAC address if the source IP address of a data packet in the egress direction of the virtual switch is the same as the IP address of the second virtual communication network port; the second address modification rule includes modifying the destination MAC address of the data packet to the MAC address of the second virtual communication port if the destination MAC address of a data packet in the ingress direction of the virtual switch is the local MAC address.
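To make the two rule sets concrete, here is an added Python model (not code from the patent) of the virtual-switch flow control rules for both access modes, together with a rendering of the same policy as Open vSwitch `ovs-ofctl` match/action strings; the MAC/IP values, and the mapping of the patent's egress/ingress directions onto OpenFlow `in_port` numbers, are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional

# Access modes named in the patent.
COMMON_ACCOUNT = "common"        # ordinary tenant account: packet discarding rules
OPERATION_ACCOUNT = "operation"  # operations account: address modification rules

# Constructed sample addresses (assumptions, not values from the patent).
PORT2_MAC = "02:00:00:00:00:02"   # MAC of the second virtual communication port
PORT2_IP = "192.168.1.1"          # IP of the second virtual communication port
LOCAL_MAC = "02:00:00:00:00:aa"   # the "local MAC address" used for rewriting
HOST_MAC = "02:00:00:00:00:10"    # a target server cloud host behind the second port
HOST_IP = "192.168.1.10"


@dataclass(frozen=True)
class Packet:
    direction: str   # "egress" or "ingress", relative to the virtual switch
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class FlowRule:
    name: str
    match: Callable[[Packet], bool]
    action: str                                     # "drop" or "modify"
    rewrite: Callable[[Packet], Packet] = lambda p: p


def build_flow_rules(mode: str, port2_mac: str = PORT2_MAC, port2_ip: str = PORT2_IP,
                     local_mac: str = LOCAL_MAC) -> List[FlowRule]:
    """Flow rules of the virtual switch gateway for the given user access mode."""
    if mode == COMMON_ACCOUNT:
        return [
            # first discarding rule: egress packet addressed to the second port's MAC
            FlowRule("drop-dst-mac", lambda p: p.direction == "egress" and p.dst_mac == port2_mac, "drop"),
            # second discarding rule: egress packet addressed to the second port's IP
            FlowRule("drop-dst-ip", lambda p: p.direction == "egress" and p.dst_ip == port2_ip, "drop"),
        ]
    if mode == OPERATION_ACCOUNT:
        return [
            # first modification rule: egress packet sourced from the second port's IP
            # leaves with the local MAC as its source MAC
            FlowRule("rewrite-src-mac", lambda p: p.direction == "egress" and p.src_ip == port2_ip,
                     "modify", lambda p: replace(p, src_mac=local_mac)),
            # second modification rule: ingress packet for the local MAC is steered
            # to the second port's MAC
            FlowRule("rewrite-dst-mac", lambda p: p.direction == "ingress" and p.dst_mac == local_mac,
                     "modify", lambda p: replace(p, dst_mac=port2_mac)),
        ]
    raise ValueError(f"unknown user access mode: {mode!r}")


def apply_rules(rules: List[FlowRule], pkt: Packet) -> Optional[Packet]:
    """Apply the first matching rule: None means the packet was discarded;
    a packet matching no rule is forwarded unchanged."""
    for rule in rules:
        if rule.match(pkt):
            return None if rule.action == "drop" else rule.rewrite(pkt)
    return pkt


def to_ovs_flows(mode: str, egress_in_port: int = 2, ingress_in_port: int = 1,
                 port2_mac: str = PORT2_MAC, port2_ip: str = PORT2_IP,
                 local_mac: str = LOCAL_MAC) -> List[str]:
    """Render the same policy as `ovs-ofctl add-flow` strings. Assumption: an Open
    vSwitch, where the patent's egress/ingress direction is identified by the
    OpenFlow in_port a packet arrives on (the page does not fix this mapping)."""
    if mode == COMMON_ACCOUNT:
        return [
            f"priority=100,in_port={egress_in_port},dl_dst={port2_mac},actions=drop",
            f"priority=100,in_port={egress_in_port},ip,nw_dst={port2_ip},actions=drop",
        ]
    if mode == OPERATION_ACCOUNT:
        return [
            f"priority=100,in_port={egress_in_port},ip,nw_src={port2_ip},"
            f"actions=mod_dl_src:{local_mac},normal",
            f"priority=100,in_port={ingress_in_port},dl_dst={local_mac},"
            f"actions=mod_dl_dst:{port2_mac},normal",
        ]
    raise ValueError(f"unknown user access mode: {mode!r}")


def demo() -> dict:
    """Run constructed packets through both rule sets and collect the outcomes."""
    common = build_flow_rules(COMMON_ACCOUNT)
    ops = build_flow_rules(OPERATION_ACCOUNT)
    to_port2 = Packet("egress", HOST_MAC, PORT2_MAC, HOST_IP, PORT2_IP)       # aimed at the gateway port
    to_host = Packet("egress", LOCAL_MAC, HOST_MAC, "203.0.113.5", HOST_IP)   # cleaned traffic to the host
    from_port2 = Packet("egress", PORT2_MAC, HOST_MAC, PORT2_IP, HOST_IP)     # gateway port's own traffic
    to_local = Packet("ingress", HOST_MAC, LOCAL_MAC, HOST_IP, PORT2_IP)      # addressed to the local MAC
    return {
        "common_to_port2": apply_rules(common, to_port2),   # discarded
        "common_to_host": apply_rules(common, to_host),     # forwarded unchanged
        "ops_from_port2": apply_rules(ops, from_port2),     # src MAC rewritten to LOCAL_MAC
        "ops_to_local": apply_rules(ops, to_local),         # dst MAC rewritten to PORT2_MAC
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", "DROP" if value is None else value)
    print("\n".join(to_ovs_flows(OPERATION_ACCOUNT)))
```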
In a second aspect, an embodiment of the present application provides a device for deploying a DDoS-resistant cloud host, where the device includes:
a first acquisition module, configured to acquire tenant request information, where the tenant request information comprises information that a tenant requests to establish a DDoS (distributed denial of service) resistant cloud host, and the DDoS resistant cloud host represents a cloud host with a DDoS attack resistant protection function;
the cloud host creating module is used for acquiring equipment information of a plurality of target server cloud hosts and creating a distributed anti-DDoS cloud host in a physical computing node corresponding to each target server cloud host based on the tenant request information and the equipment information; the device information comprises position information of a physical computing node where the target server cloud host is located, and the target server cloud host represents a server cloud host needing to be protected against DDoS attack;
a second obtaining module, configured to obtain configuration information, where the configuration information includes first configuration information and second configuration information, and is used to configure a virtual communication network port between the distributed DDoS-resistant cloud host and a virtual switch and between the virtual switch and the target server cloud host;
and the network port configuration module is used for configuring a first virtual communication network port between each distributed anti-DDoS cloud host and the virtual switch based on the first configuration information and configuring a second virtual communication network port between the virtual switch and the target server cloud host based on the second configuration information.
In a third aspect, an embodiment of the present application provides an anti-DDoS attack protection system, where the anti-DDoS attack protection system includes: the system comprises a control platform, a plurality of physical computing nodes, and a distributed anti-DDoS cloud host, a virtual switch and a target server cloud host which are arranged in each physical computing node, wherein:
a first virtual communication network port is arranged between the distributed DDoS-resistant cloud host and the virtual switch, and a second virtual communication network port is arranged between the virtual switch and the target server side cloud host;
the control platform is connected to the distributed DDoS-resistant cloud host, the target server cloud host, and the virtual switch, respectively, and is configured to execute the method for deploying the DDoS-resistant cloud host according to the first aspect.
In some embodiments, the target server cloud host is configured to send an address resolution broadcast message, and receive an address resolution feedback message sent by the second virtual communication port, so as to obtain a first communication address of the second virtual communication port from the address resolution feedback message;
the virtual switch is configured to obtain the address resolution broadcast packet through the second virtual communication network port, obtain a second communication address of the target server cloud host from the address resolution broadcast packet, send the address resolution feedback packet to the target server cloud host based on the second communication address, and discard the address resolution broadcast packet.
In some embodiments, the DDoS attack prevention system further includes a client and a physical switch, where the client sends an access packet to the first virtual communication port through the physical switch;
the distributed DDoS-resistant cloud host acquires the access data packet from the first virtual communication network port, performs DDoS attack-resistant cleaning processing on the access data packet, and sends the cleaned access data packet to the second virtual communication network port;
and the target server cloud host acquires the cleaned access data packet from the second virtual communication network port, and sends a feedback data packet to the client based on the access data packet.
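The address-resolution exchange described above, as an added Python simulation that is not part of the patent: the target server cloud host broadcasts an ARP request, the virtual switch learns the host's address from it through the second virtual communication port, answers with that port's own address, and discards the broadcast instead of flooding it. The addresses are constructed, and answering for any requested IP (proxy-ARP style, the port acting as the host's gateway) is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Constructed addresses (assumptions, not values from the patent).
PORT2_MAC = "02:00:00:00:00:02"   # second virtual communication port ("first communication address")
PORT2_IP = "192.168.1.1"
HOST_MAC = "02:00:00:00:00:10"    # target server cloud host ("second communication address")
HOST_IP = "192.168.1.10"


@dataclass(frozen=True)
class ArpFrame:
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str    # zero MAC in a request
    target_ip: str
    dst_mac: str       # Ethernet destination: broadcast for a request, unicast for a reply


class SecondVirtualPort:
    """Virtual-switch side of the second virtual communication port."""

    def __init__(self, mac: str, ip: str) -> None:
        self.mac, self.ip = mac, ip
        self.neighbors: Dict[str, str] = {}   # learned host IP -> host MAC
        self.flooded: List[ArpFrame] = []     # frames relayed to other switch ports

    def receive(self, frame: ArpFrame) -> Optional[ArpFrame]:
        """Handle a frame from the target host; return the ARP reply, if any."""
        if frame.op == "request" and frame.dst_mac == BROADCAST_MAC:
            # 1. learn the host's address from the broadcast
            self.neighbors[frame.sender_ip] = frame.sender_mac
            # 2. answer unicast with the port's own MAC for the requested IP
            #    (assumption: the port answers for any requested IP)
            reply = ArpFrame("reply", self.mac, frame.target_ip,
                             frame.sender_mac, frame.sender_ip, dst_mac=frame.sender_mac)
            # 3. the broadcast itself is discarded: it is never appended to self.flooded
            return reply
        self.flooded.append(frame)   # anything else follows the normal forwarding path
        return None


class TargetServerHost:
    """Target server cloud host resolving an IP through the second port."""

    def __init__(self, mac: str, ip: str) -> None:
        self.mac, self.ip = mac, ip
        self.arp_cache: Dict[str, str] = {}

    def resolve(self, ip: str, port: SecondVirtualPort) -> Optional[str]:
        request = ArpFrame("request", self.mac, self.ip, ZERO_MAC, ip, BROADCAST_MAC)
        reply = port.receive(request)
        if reply is not None and reply.op == "reply" and reply.dst_mac == self.mac:
            self.arp_cache[reply.sender_ip] = reply.sender_mac
        return self.arp_cache.get(ip)


def demo() -> dict:
    """Resolve the gateway port from the host and report what the switch learned."""
    port = SecondVirtualPort(PORT2_MAC, PORT2_IP)
    host = TargetServerHost(HOST_MAC, HOST_IP)
    gateway_mac = host.resolve(PORT2_IP, port)
    return {"gateway_mac": gateway_mac, "learned": dict(port.neighbors),
            "flooded": len(port.flooded)}


if __name__ == "__main__":
    print(demo())
```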
In a fourth aspect, an embodiment of the present application provides a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor, when executing the computer program, implements the method for deploying an anti-DDoS cloud host according to the first aspect.
In a fifth aspect, an embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for deploying the DDoS-resistant cloud host according to the first aspect.
Compared with the related art, the method and device for deploying the DDoS-resistant cloud host and the DDoS-resistant attack protection system provided by the embodiment of the application obtain tenant request information, where the tenant request information comprises information of a tenant request for creating the DDoS-resistant cloud host, and the DDoS-resistant cloud host represents a cloud host with a DDoS-resistant attack protection function; acquire equipment information of a plurality of target server cloud hosts, and create a distributed anti-DDoS cloud host in the physical computing node corresponding to each target server cloud host based on the tenant request information and the equipment information, where the device information comprises position information of the physical computing node where a target server cloud host is located, and the target server cloud host represents a server cloud host needing DDoS attack prevention; acquire configuration information, where the configuration information comprises first configuration information and second configuration information and is used for configuring virtual communication network ports between a distributed DDoS (distributed denial of service) resistant cloud host and a virtual switch and between the virtual switch and a target server side cloud host; and configure a first virtual communication network port between each distributed anti-DDoS cloud host and the virtual switch based on the first configuration information, and a second virtual communication network port between the virtual switch and the target server cloud host based on the second configuration information.
According to the application, a distributed anti-DDoS cloud host is established in the physical computing node corresponding to each target server side cloud host, so that the anti-DDoS server is adapted to the VPC network cloud platform in a clouding mode; this solves the problem in the related art that the anti-DDoS server cannot be adapted to the VPC network cloud platform, improves the service performance of the anti-DDoS server, and reduces the cost.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1 is a flowchart of a method for deploying a DDoS-resistant cloud host according to an embodiment of the present application;
Fig. 2 is a flowchart of obtaining configuration information in an embodiment of the present application;
Fig. 3 is a flowchart of setting a flow control rule of a virtual switch in an embodiment of the present application;
Fig. 4 is a schematic diagram of a conventional anti-DDoS server clouding scheme;
Fig. 5 is a schematic structural diagram of a DDoS attack prevention system according to an embodiment of the present application;
Fig. 6 is a block diagram of a configuration apparatus of a DDoS-resistant cloud host according to an embodiment of the present application;
Fig. 7 is a schematic hardware structure diagram of a computer device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The various techniques described herein may be used for various cloud service platforms, systems, and devices.
Fig. 1 is a flowchart of a method for deploying a DDoS-resistant cloud host according to an embodiment of the present application, and as shown in fig. 1, the flowchart includes the following steps.
Step S110, obtaining tenant request information, where the tenant request information includes information that a tenant requests to create an anti-DDoS cloud host, and the anti-DDoS cloud host represents a cloud host with an anti-DDoS attack protection function.
DDoS (Distributed Denial of Service) attacks are an attack mode in which a plurality of computers are combined into an attack platform by means of client/server technology to launch an attack on one or more targets. Typically, an attacker installs a DDoS master on a computer using a stolen account, and at a set time the master communicates with a number of agents that have been installed on many computers on the network. The agents, upon receiving the instruction, launch the attack. With client/server technology, the master host can activate hundreds or thousands of agents in a few seconds.
Step S120, acquiring device information of a plurality of target server cloud hosts, and creating a distributed anti-DDoS cloud host in a physical computing node corresponding to each target server cloud host based on tenant request information and the device information; the device information comprises position information of a physical computing node where a target server cloud host is located, and the target server cloud host represents a server cloud host needing DDoS attack prevention.
It should be noted that a plurality of distributed anti-DDoS cloud hosts together form a complete anti-DDoS cloud host. The DDoS-resistant cloud host adopts an extensible equipment structure, and a plurality of distributed DDoS-resistant cloud hosts are used for sharing attack defense loads, so that the bottleneck problem of a single forwarding device in the related technology can be solved, and the reliability, usability and expansibility of the whole DDoS-resistant cloud host can be improved.
Step S130, configuration information is obtained, wherein the configuration information comprises first configuration information and second configuration information and is used for configuring a virtual communication network port between the distributed DDoS-resistant cloud host and the virtual switch and between the virtual switch and the target server side cloud host.
Step S140, configuring a first virtual communication network port between each distributed DDoS-resistant cloud host and the virtual switch based on the first configuration information, and configuring a second virtual communication network port between the virtual switch and the target server cloud host based on the second configuration information.
Further, the first virtual communication network port may be connected to the distributed anti-DDoS cloud host and the virtual switch in a wired manner, or may be connected to the distributed anti-DDoS cloud host and the virtual switch in a wireless manner, which is not limited in this embodiment of the application.
Further, the second virtual communication network port may be connected to the virtual switch and the target server cloud host in a wired manner, or may be connected to the virtual switch and the target server cloud host in a wireless manner, which is not limited in the embodiment of the present application.
Through the steps S110 to S140, the distributed DDoS-resistant cloud host is created in the physical computing node corresponding to each target server cloud host, so that the DDoS-resistant server is adapted to the VPC network cloud platform in a clouding manner; the target server cloud host can communicate directly with the distributed DDoS-resistant cloud host in the same physical computing node without passing through the same forwarding device many times, the bandwidth bottleneck of a single forwarding device is avoided, and the usability of the DDoS-resistant cloud host is improved. In addition, a user does not need to purchase physical forwarding equipment, so the use performance of the DDoS-resistant cloud host is improved and the cost is reduced; this solves the problem in the related art that the DDoS-resistant server cannot be adapted to a VPC network cloud platform, improves the use performance of the DDoS-resistant server, and reduces the cost.
It should be added that, in the related art, the DDoS-resistant server and the cloud host communicate with each other through a forwarding device and are two independent devices. The DDoS-resistant cloud host in the application is a cloud host with a DDoS attack resistance protection function, that is, the DDoS attack resistance protection function of the DDoS-resistant server is fused into the original cloud host, and the DDoS-resistant cloud host is the product of moving the DDoS-resistant server to the cloud. Therefore, the anti-DDoS server in the related art has no specific correspondence with the anti-DDoS cloud host in the present application; the two are different from each other.
In some embodiments, the configuration information further includes CPU configuration parameters and memory configuration parameters of the distributed DDoS-resistant cloud host. The embodiment can set the CPU configuration parameters and the memory configuration parameters of the distributed anti-DDoS cloud host by acquiring the actual requirements of the tenants, and can realize the allocation of the CPUs and the memories of the distributed anti-DDoS cloud host according to the requirements, thereby further saving the cost for the tenants.
In some embodiments, fig. 2 is a flowchart of acquiring configuration information in the embodiment of the present application, and as shown in fig. 2, the flowchart includes the following steps.
Step S210, network demand information of a tenant and internal network information corresponding to a target server cloud host are obtained, wherein the internal network information represents network information of an internal network having a communication relation with the target server cloud host; the network demand information represents the network port information of the virtual communication network port required by the tenant and the network information of the external network corresponding to the required virtual communication network port.
Step S220, acquiring first configuration information based on the network requirement information, where the first configuration information includes the number and type of the first virtual communication ports and network information corresponding to the external network.
The network demand information includes network information of a front-end virtual network port that the tenant needs to create and network information of an external network corresponding to the front-end virtual network port, where the first virtual communication network port is the front-end virtual network port.
Step S230, obtaining second configuration information based on the internal network information, where the second configuration information includes the number and type of the second virtual communication ports and the network information corresponding to the internal network.
Specifically, the number and the type of the second virtual communication network ports are determined according to the network information of the internal network having a connection relationship with the communication network ports of the target server cloud host, wherein the number of the second virtual communication network ports is the same as the number of internal networks, that is, one second virtual communication network port is configured for each internal network, and the second virtual communication network ports are the rear-end virtual network ports. The type of the second virtual communication network port is related to the type of the internal network.
Through the steps S210 to S230, network demand information of the tenant and internal network information corresponding to the target server cloud host are obtained; acquiring first configuration information based on the network demand information, wherein the first configuration information comprises the number and the type of the first virtual communication network ports and network information corresponding to an external network; and acquiring second configuration information based on the internal network information, wherein the second configuration information comprises the number and the type of the second virtual communication network ports and network information corresponding to the internal network. The number, the type and the network information corresponding to the external network of the first virtual communication network port can be set according to the actual requirements of the tenant, and the number, the type and the network information corresponding to the internal network of the second virtual communication network port can also be set according to the number, the type and the like of the target server cloud host related to the internal network, so that the virtual communication network port can be configured according to the actual requirements, the cost can be further saved, and the flexibility and the expandability of the DDoS attack prevention system can be further improved.
In some embodiments, fig. 3 is a flowchart illustrating setting of a flow control rule of a virtual switch in an embodiment of the present application, where, as shown in fig. 3, the flowchart includes the following steps.
Step S310, obtaining a current user access mode, wherein the user access mode comprises a common account access mode and an operation account access mode.
The common account access mode represents an access mode of a common tenant accessing a server cloud host through a registered account. The operating account access mode represents an access mode of an operating account of the system accessing the cloud host of the server during debugging and optimization of the system.
Step S320, setting a flow control rule of the virtual switch based on the current user access mode and the Openflow protocol, wherein the flow control rule is used for controlling the data flow of the virtual switch inlet and outlet; the flow control rule comprises a data packet discarding rule and a data packet address modification rule, and the data flow comprises data packets passing through the virtual switch gateway.
The OpenFlow protocol is used to describe standards for information used for interaction between a controller and a switch, and standards for interfaces between the controller and the switch. The core part of the protocol is a set of information structures for the OpenFlow protocol.
The flow control rule may be understood as a flow entry issued to the ingress and egress of a virtual switch based on the current user access mode and the OpenFlow protocol; that is, the general technical term in the art for the flow control rule is a flow entry.
In some embodiments, if the current user access mode is the common account access mode, a packet discarding rule is set for the ingress and egress of the virtual switch based on the OpenFlow protocol; the packet discarding rules include a first discarding rule and a second discarding rule; the first discarding rule comprises discarding the data packet if the destination MAC address of the data packet in the egress direction of the virtual switch is the same as the MAC address of the second virtual communication network port; the second discarding rule comprises discarding the data packet if the destination IP address of the data packet in the egress direction of the virtual switch is the same as the IP address of the second virtual communication port.
Specifically, the first discarding rule comprises discarding data packets whose destination MAC address, in the egress direction of the virtual switch, is the same as the MAC address of the second virtual communication port. The second discarding rule comprises discarding data packets whose destination IP address, in the egress direction of the virtual switch, is the same as the IP address of the second virtual communication port.
Due to the problem that the IP address and the MAC address of some backend virtual network ports (i.e., the second virtual communication network port) in the local physical computing node are duplicated with other backend virtual network ports, if the destination IP address of the data packet is the same as the IP address of the second virtual communication network port (i.e., the data packet needs to enter a local communication channel between the virtual switch and the target service end cloud host through the second virtual communication network port or reach the second virtual communication network port through the local communication channel), the data packet needs to be discarded in the outlet direction of the virtual switch.
That is to say, the data packet can only enter the target server cloud host through the local communication channel, or enter the distributed DDoS-resistant cloud host through the local communication channel, but cannot enter the outside of the local physical computing node through the exit of the virtual switch, otherwise, the data packet may be confused with data packets coming out from other physical computing nodes due to the problem of duplication of IP addresses and MAC addresses.
For example, a data packet coming out of the distributed DDoS-resistant cloud host enters the local communication channel through the second virtual communication port, and then enters the target server-side cloud host through the local communication channel, but cannot enter the outside of the local physical computing node through the outlet of the virtual switch.
For another example, an ARP request packet coming out of the target server cloud host reaches the second virtual communication network port through the local communication channel, and then enters the distributed DDoS-resistant cloud host through the second virtual communication network port, but cannot enter the outside of the local physical computing node through the outlet of the virtual switch.
Through the embodiment, the data packet discarding rule of the virtual switch outlet is set based on the Openflow protocol, and then the data packet with the destination MAC address identical to the MAC address of the second virtual communication network port is discarded in the virtual switch outlet direction, and the data packet with the destination IP address identical to the IP address of the second virtual communication network port is discarded in the virtual switch outlet direction, so that the problem that data packets arriving at the outside of the physical computing node from the virtual switch outlet are mutually confused due to the fact that the IP addresses and the MAC addresses of a plurality of back-end virtual network ports (namely, the second virtual communication network ports) are mutually repeated can be avoided, and the reliability of the distributed DDoS-resistant cloud host is further improved.
In some embodiments, if the current user access mode is the operation account access mode, a data packet address modification rule is set for the ingress and egress of the virtual switch based on the OpenFlow protocol; the data packet address modification rule comprises a first address modification rule and a second address modification rule; the first address modification rule comprises that if the source IP address of the data packet in the egress direction of the virtual switch is the same as the IP address of the second virtual communication network port, the source MAC address of the data packet is modified into the local MAC address; the second address modification rule comprises modifying the destination MAC address of the data packet to the MAC address of the second virtual communication port if the destination MAC address of the data packet in the ingress direction of the virtual switch is the local MAC address.
It should be noted that, for the first address modification rule, if the source IP address of the data packet in the egress direction of the virtual switch is the same as the IP address of the second virtual communication port (that is, the data packet enters the virtual switch from the second virtual communication port and exits from the egress of the second virtual communication port), the source MAC address of the data packet is modified to be the local MAC address, that is, the source MAC address of the data packet is changed to a MAC address that is unique to the local physical computing node, so that after the data packet exits from the egress of the second virtual communication port, the data packet can only enter the target server cloud host through the local communication channel between the virtual switch and the target cloud host, but cannot reach the outside of the local physical computing node, thereby ensuring the validity of the local communication channel.
For the second address modification rule, if the destination MAC address of the data packet in the ingress direction of the virtual switch is the local MAC address (i.e., the data packet enters the virtual switch from outside the local computing node), the destination MAC address of the data packet is modified to the MAC address of the second virtual communication port; that is, once the data packet has entered the local computing node from the outside, its destination MAC address is rewritten to the MAC address of the second virtual communication port, because inside the local computing node the destination MAC addresses of data packets no longer need to be distinguished.
For example, as shown in fig. 5 below, the IP address of the back-end virtual network port 1 in the local physical computing node 1 is IP0 and its MAC address is MAC0, and the IP address of the back-end virtual network port 2 in the local physical computing node 2 is IP0 and its MAC address is MAC0. The MAC address of the back-end virtual network port 1 outside the local physical computing node is MAC1, and the MAC address of the back-end virtual network port 2 outside the local physical computing node is MAC2.
For the first address modification rule, if the source IP address of the packet in the egress direction of the virtual switch is the same as the IP address of the second virtual communication port (i.e., IP0), the source MAC address of the packet is modified to be the local MAC address (i.e., modified to MAC1 or MAC2), so that the packet with the source MAC address MAC1 may enter the target server cloud host in the local physical computing node 1 through the local communication channel, and the packet with the source MAC address MAC2 may enter the target server cloud host in the local physical computing node 2 through the local communication channel.
For the second address modification rule, if the destination MAC address of the packet in the ingress direction of the virtual switch is a local MAC address (namely MAC1 or MAC2), when the packet enters the local physical computing node 1 or the local physical computing node 2 from the ingress direction of the virtual switch, the destination MAC address of the packet is modified to MAC0, because the local physical computing node 1 and the local physical computing node 2 are two completely independent and isolated physical computing nodes, and confusion will not be caused even if the destination addresses of the packets inside the local physical computing nodes are the same, and therefore, the destination MAC addresses of the packets do not need to be distinguished in the local computing nodes.
Through the embodiment, the data packet address modification rule of the virtual switch inlet and outlet is set based on the Openflow protocol, so that the address of the data packet can be modified adaptively when the data packet enters and exits the local physical computing node from the virtual switch inlet and outlet, the problem that the data packets arriving at the outside of the physical computing node from the virtual switch outlet are mutually confused due to the fact that the IP addresses and the MAC addresses of a plurality of rear-end virtual network ports (namely second virtual communication network ports) are mutually repeated can be avoided, and the reliability of the distributed anti-DDoS cloud host is further improved.
It should be further noted that the flow control rule in this application only relates to the discarding process and address modification of the data packet associated with the back-end virtual network port (i.e. the second virtual communication network port) where the IP address and MAC address duplication phenomenon exists. The method does not involve discarding and modifying the data packet related to the front-end virtual network port (i.e. the first virtual communication network port) and the back-end virtual network port without the duplication of the IP address and the MAC address, i.e. the related data traffic is controlled according to the conventional flow.
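The following is an added example (not the patent's own code) that simulates both rule sets described above: the two discarding rules of the common account access mode and the two address modification rules of the operation account access mode, applied to packets on two physical computing nodes whose back-end ports share IP0/MAC0 as in fig. 5. The packet model, port numbers and all addresses are constructed sample values; the `ovs_flows` helper renders the same rules in Open vSwitch `ovs-ofctl add-flow` syntax and assumes that the egress direction is identified by the packet's `in_port`, which the patent does not specify.

```python
"""Simulation of the virtual switch flow control rules (added example, not the
patent's code). Packet model, port numbers and addresses are constructed
sample values; ovs_flows assumes Open vSwitch syntax and that the egress
direction is identified by in_port."""
from dataclasses import dataclass, replace
from typing import List, Optional, Set

EGRESS = "egress"    # packet leaving the virtual switch towards the outside of the node
INGRESS = "ingress"  # packet entering the virtual switch from outside the node

# Constructed sample addresses following fig. 5: IP0/MAC0 are duplicated on every
# node's back-end port, MAC1/MAC2 are unique to physical computing nodes 1 and 2.
IP0, MAC0 = "10.0.0.5", "02:00:00:00:00:00"
MAC1, MAC2 = "02:00:00:00:00:01", "02:00:00:00:00:02"


@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str


@dataclass(frozen=True)
class Node:
    """One physical computing node: its unique local MAC and the addresses of
    its second (back-end) virtual communication port."""
    local_mac: str
    backend_ip: str
    backend_mac: str


def common_mode(node: Node, pkt: Packet) -> Optional[Packet]:
    """Common-account mode: returns None when the packet is discarded."""
    if pkt.direction == EGRESS and pkt.dst_mac == node.backend_mac:
        return None  # first discarding rule: destination MAC is the back-end port's MAC
    if pkt.direction == EGRESS and pkt.dst_ip == node.backend_ip:
        return None  # second discarding rule: destination IP is the back-end port's IP
    return pkt


def operation_mode(node: Node, pkt: Packet) -> Packet:
    """Operation-account mode: rewrites addresses instead of dropping."""
    if pkt.direction == EGRESS and pkt.src_ip == node.backend_ip:
        # first modification rule: stamp the node-unique MAC on the way out
        return replace(pkt, src_mac=node.local_mac)
    if pkt.direction == INGRESS and pkt.dst_mac == node.local_mac:
        # second modification rule: restore the shared back-end MAC inside the node
        return replace(pkt, dst_mac=node.backend_mac)
    return pkt


def egress_source_macs(nodes: List[Node], pkt: Packet) -> Set[str]:
    """Source MACs an observer outside the nodes sees for the same packet leaving
    each node in operation mode; distinct values mean the packets cannot be confused."""
    return {operation_mode(n, pkt).src_mac for n in nodes}


def ovs_flows(node: Node, mode: str, backend_port: int, uplink_port: int) -> List[str]:
    """The same rules as ovs-ofctl add-flow match/action strings (assumed syntax)."""
    if mode == "common":
        return [
            f"priority=100,in_port={backend_port},dl_dst={node.backend_mac},actions=drop",
            f"priority=100,in_port={backend_port},ip,nw_dst={node.backend_ip},actions=drop",
        ]
    if mode == "operation":
        return [
            f"priority=100,in_port={backend_port},ip,nw_src={node.backend_ip},"
            f"actions=mod_dl_src:{node.local_mac},normal",
            f"priority=100,in_port={uplink_port},dl_dst={node.local_mac},"
            f"actions=mod_dl_dst:{node.backend_mac},normal",
        ]
    raise ValueError(f"unknown access mode: {mode}")


if __name__ == "__main__":
    node1, node2 = Node(MAC1, IP0, MAC0), Node(MAC2, IP0, MAC0)
    to_backend = Packet(EGRESS, "192.0.2.10", IP0, "02:00:00:00:00:aa", MAC0)
    leaving = Packet(EGRESS, IP0, "192.0.2.10", MAC0, "02:00:00:00:00:aa")
    print("common mode keeps:", common_mode(node1, to_backend))        # None (dropped)
    print("seen outside in operation mode:", egress_source_macs([node1, node2], leaving))
    for line in ovs_flows(node1, "operation", backend_port=2, uplink_port=1):
        print("ovs-ofctl add-flow br-int", repr(line))
```

The check that matters for a deployer is `egress_source_macs`: before the rewrite both nodes would emit MAC0, after it node 1 emits MAC1 and node 2 emits MAC2, which is exactly the confusion the rules are meant to remove. When translating such rules to a real Open vSwitch bridge, verify the installed entries with `ovs-ofctl dump-flows` and confirm that the drop entries have a higher priority than the default `normal` forwarding entry.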
The following describes and explains a deployment method of a DDoS-resistant cloud host in the embodiment of the present application by a specific embodiment.
In this particular embodiment, the method includes the following steps.
(1) Acquiring tenant request information, wherein the tenant request information comprises information of a tenant request for creating a DDoS (distributed denial of service) resistant cloud host, and the DDoS resistant cloud host represents a cloud host with a DDoS attack resistant protection function. Acquiring equipment information of a plurality of target server cloud hosts, and creating a distributed anti-DDoS cloud host in a physical computing node corresponding to each target server cloud host based on tenant request information and the equipment information; the device information comprises position information of a physical computing node where a target server cloud host is located, and the target server cloud host represents a server cloud host needing DDoS attack prevention.
(2) Acquiring network demand information of a tenant and internal network information corresponding to a target server cloud host, wherein the internal network information represents network information of an internal network having a communication relation with the target server cloud host; the network demand information represents the network port information of the virtual communication network port required by the tenant and the network information of the external network corresponding to the required virtual communication network port; acquiring first configuration information based on the network demand information, wherein the first configuration information comprises the number and the type of the first virtual communication network ports and network information corresponding to an external network; and acquiring second configuration information based on the internal network information, wherein the second configuration information comprises the number and the type of the second virtual communication network ports and network information corresponding to the internal network.
(3) Configuring a first virtual communication network port between each distributed anti-DDoS cloud host and the virtual switch based on the first configuration information, and configuring a second virtual communication network port between the virtual switch and the target server cloud host based on the second configuration information. And acquiring a current user access mode, wherein the user access mode comprises a common account access mode and an operation account access mode.
(4) If the current user access mode is the common account access mode, setting a data packet discarding rule for the ingress and egress of the virtual switch based on the OpenFlow protocol; the packet discarding rules include a first discarding rule and a second discarding rule; the first discarding rule comprises that if the destination MAC address of the data packet in the egress direction of the virtual switch is the same as the MAC address of the second virtual communication network port, the data packet is discarded; the second discarding rule comprises discarding the data packet if the destination IP address of the data packet in the egress direction of the virtual switch is the same as the IP address of the second virtual communication port.
(5) If the current user access mode is the operation account access mode, setting a data packet address modification rule for the ingress and egress of the virtual switch based on the OpenFlow protocol; the data packet address modification rule comprises a first address modification rule and a second address modification rule; the first address modification rule comprises that if the source IP address of the data packet in the egress direction of the virtual switch is the same as the IP address of the second virtual communication network port, the source MAC address of the data packet is modified into the local MAC address; the second address modification rule comprises modifying the destination MAC address of the data packet to the MAC address of the second virtual communication port if the destination MAC address of the data packet in the ingress direction of the virtual switch is the local MAC address.
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than here. For example, with reference to fig. 2, the execution sequence of step S220 and step S230 may be interchanged, that is, step S220 may be executed first, and then step S230 may be executed; step S230 may be performed first, and then step S220 may be performed.
The anti-DDoS server basically adopts a proxy form based on a four-layer (transport-layer) session: a local front-end IP (namely the front-end virtual network port) proxies the real server IP (namely the server cloud host) for the four-layer connection with the client, and a local back-end IP (namely the back-end virtual network port) is used for the four-layer connection with the real server IP.
In the scenario of a VPC network cloud platform, because multiple internal layer-2 networks lie in the same network segment, if an anti-DDoS server is to serve the VPC network cloud platform, multiple network ports are required, and anti-DDoS proxy protection cannot be provided for cloud platform virtual servers that are in the same layer-3 network segment but in different layer-2 networks. Therefore, the anti-DDoS server must be moved into the cloud (clouded); otherwise, it cannot be adapted to the VPC network cloud platform.
Fig. 4 is a schematic diagram of the principle of a conventional anti-DDoS server cloud scheme. As shown in fig. 4, an anti-DDoS cloud host is created for the VPC network of each tenant inside a physical network node of the cloud platform, where the physical network node is a physical server that provides various network services for the cloud hosts in the entire cloud platform. The network services that the physical network node can provide include virtual routing services, virtual DHCP services, virtual load balancing services, and virtual anti-DDoS protection services. In the whole network flow of the proxy, all network traffic passes through the physical network node, that is, the physical network bandwidth of the physical network node becomes the performance bottleneck of the whole anti-DDoS protection function.
Based on this, the present embodiment further provides an anti-DDoS attack protection system, so as to solve at least the problem that the physical network bandwidth of the physical network node in the conventional scheme becomes the performance bottleneck of the entire anti-DDoS protection function.
Fig. 5 is a schematic structural diagram of an anti-DDoS attack protection system according to an embodiment of the present application, and as shown in fig. 5, the anti-DDoS attack protection system includes: the system comprises a control platform (not shown in fig. 5), a plurality of physical computing nodes, and a distributed anti-DDoS cloud host, a virtual switch and a target server cloud host arranged in each physical computing node.
A first virtual communication network port is arranged between the distributed DDoS-resistant cloud host and the virtual switch, and a second virtual communication network port is arranged between the virtual switch and the target server side cloud host.
The control platform is respectively connected with the distributed DDoS-resistant cloud host, the target server-side cloud host and the virtual switch, and is configured to execute any one of the DDoS-resistant cloud host deployment methods in the foregoing embodiments.
In some embodiments, the target server cloud host is configured to send an address resolution broadcast message and receive an address resolution feedback message sent by the second virtual communication network port, so as to obtain the first communication address of the second virtual communication network port from the address resolution feedback message.
The virtual switch is used for acquiring the address resolution broadcast message through the second virtual communication network port, acquiring a second communication address of the target server cloud host from the address resolution broadcast message, sending an address resolution feedback message to the target server cloud host based on the second communication address, and discarding the address resolution broadcast message.
In some embodiments, as shown in fig. 5, the DDoS attack prevention system further includes a client and a physical switch, where the client sends an access packet to the first virtual communication port through the physical switch.
The distributed DDoS-resistant cloud host acquires the access data packet from the first virtual communication network port, performs DDoS attack-resistant cleaning processing on the access data packet, and sends the cleaned access data packet to the second virtual communication network port.
The target server cloud host acquires the cleaned access data packet from the second virtual communication network port, and sends a feedback data packet to the client based on the access data packet.
The DDoS attack prevention system in the embodiment of the present application is described and illustrated below with a specific embodiment.
In this embodiment, the DDoS attack prevention system includes: a control platform, a plurality of physical computing nodes, a distributed anti-DDoS cloud host, a virtual switch and a target server cloud host arranged in each physical computing node, together with a client and a physical switch, wherein: a first virtual communication network port is arranged between the distributed DDoS-resistant cloud host and the virtual switch, and a second virtual communication network port is arranged between the virtual switch and the target server side cloud host.
The control platform is respectively connected with the distributed DDoS-resistant cloud host, the target server-side cloud host and the virtual switch, and is configured to execute any one of the DDoS-resistant cloud host deployment methods in the foregoing embodiments.
The client sends an access data packet to the first virtual communication network port through the physical switch, the distributed DDoS-resistant cloud host acquires the access data packet from the first virtual communication network port, performs DDoS attack-resistant cleaning processing on the access data packet, and sends the cleaned access data packet to the second virtual communication network port.
The target server cloud host is used for sending an address resolution broadcast message and receiving an address resolution feedback message sent by the second virtual communication network port so as to obtain a first communication address of the second virtual communication network port from the address resolution feedback message. The virtual switch is used for acquiring the address resolution broadcast message through the second virtual communication network port, acquiring a second communication address of the target server cloud host from the address resolution broadcast message, sending an address resolution feedback message to the target server cloud host based on the second communication address, and discarding the address resolution broadcast message.
The address resolution broadcast packet may also be referred to as an ARP broadcast packet, where ARP (Address Resolution Protocol) is a TCP/IP protocol that obtains a physical address from an IP address. The address resolution feedback message may also be referred to as an ARP feedback message (an ARP reply).
Specifically, when the cloud host of the target service end sends information, an ARP broadcast message containing a target IP address is sent to the second virtual communication network port through broadcasting, and an ARP feedback message returned by the second virtual communication network port is received, so that the physical address (namely the first communication address) of the second virtual communication network port is determined; after receiving the return message, the IP address and the physical address are stored in the local ARP cache and are kept for a certain time, and the ARP cache is directly inquired when the next request is made so as to save resources. Meanwhile, the virtual switch may also obtain a physical address (i.e., a second communication address) of the target server cloud host according to the ARP broadcast packet sent by the target server cloud host and store the physical address in the memory.
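The ARP exchange described above (and in the system description earlier, where the target server cloud host broadcasts a request, the virtual switch learns the host's address through the second virtual communication port, answers with the port's own address and discards the broadcast) is shown below as an added example; it is not the patent's code. It builds and parses raw Ethernet/ARP frames so the behaviour can be checked on concrete bytes. The class names, the rule that requests for any other IP are simply handed back to normal forwarding, and all addresses are assumptions made for the example.

```python
"""ARP handling at the second virtual communication port (added example, not
the patent's code). Addresses are constructed sample values; requests for IPs
other than the port's own are returned for normal forwarding (an assumption)."""
import struct
from typing import Dict, Optional, Tuple

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet header (14 bytes) + ARP body (28 bytes) for Ethernet/IPv4."""
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def parse_arp_frame(frame: bytes) -> Optional[dict]:
    """Return the ARP fields, or None if the frame is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class SecondVirtualPort:
    """The virtual switch's back-end port facing the target server cloud host."""

    def __init__(self, ip: str, mac: str):
        self.ip, self.mac = ip, mac
        self.learned: Dict[str, str] = {}  # target host IP -> its MAC (second communication address)

    def handle_frame(self, frame: bytes) -> Tuple[Optional[bytes], bool]:
        """Returns (reply frame or None, whether the broadcast is forwarded on)."""
        arp = parse_arp_frame(frame)
        if arp is None or arp["op"] != ARP_REQUEST or arp["tpa"] != self.ip:
            return None, True  # not for this port: leave it to normal forwarding (assumption)
        self.learned[arp["spa"]] = arp["sha"]  # remember the target host's physical address
        reply = build_arp_frame(ARP_REPLY, self.mac, self.ip, arp["sha"], arp["spa"])
        return reply, False  # answered locally; the broadcast itself is discarded


class TargetHostArpCache:
    """The target server cloud host: sends the request and caches the answer."""

    def __init__(self, ip: str, mac: str):
        self.ip, self.mac = ip, mac
        self.cache: Dict[str, str] = {}  # IP -> MAC (first communication address)

    def request_for(self, tpa: str) -> bytes:
        return build_arp_frame(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, tpa)

    def learn(self, frame: bytes) -> Optional[str]:
        arp = parse_arp_frame(frame)
        if arp and arp["op"] == ARP_REPLY and arp["tpa"] == self.ip and arp["tha"] == self.mac:
            self.cache[arp["spa"]] = arp["sha"]
            return arp["sha"]
        return None


def resolve(host: TargetHostArpCache, port: SecondVirtualPort) -> Tuple[Optional[str], bool]:
    """Run one exchange: host broadcasts, port replies, host caches the port's MAC."""
    reply, forwarded = port.handle_frame(host.request_for(port.ip))
    learned = host.learn(reply) if reply else None
    return learned, forwarded


if __name__ == "__main__":
    port = SecondVirtualPort("10.0.1.1", "02:00:00:00:01:01")
    host = TargetHostArpCache("10.0.1.20", "02:00:00:00:01:20")
    print(resolve(host, port), port.learned, host.cache)
```

The value of answering locally and discarding the broadcast is that the ARP request never leaves the local physical computing node, so the duplicated IP0/MAC0 of other nodes' back-end ports can never appear in this host's ARP cache; when checking a deployment, confirm that the host's cache holds exactly one MAC for the back-end port IP and that no ARP traffic for it is seen on the uplink.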
The target server cloud host is further used for obtaining the cleaned access data packet from the second virtual communication network port, and sending a feedback data packet to the second virtual communication network port based on the access data packet, so that the feedback data packet is sent to the client side through the second virtual communication network port, the virtual switch and the physical switch.
To sum up, in the present application, the four-layer connection between the client and the anti-DDoS cloud host (i.e., the process of communication connection establishment through three-way handshake) only occurs between the client and a certain distributed anti-DDoS cloud host related to a specific service, and does not relate to other distributed anti-DDoS cloud hosts or other forwarding devices. Meanwhile, four-layer connection between the distributed DDoS-resistant cloud host and the target server cloud host only occurs in the same local physical computing node, and other physical computing nodes or other forwarding devices are not involved, that is, cross-node communication is not performed, so that the communication performance of the DDoS-resistant protection system can be improved, the overall performance of the DDoS-resistant protection system cannot be limited by the bandwidth of a certain physical server, the bandwidth performance bottleneck is relieved, and the performance of the DDoS-resistant protection system is improved.
The embodiment also provides a device for deploying a DDoS-resistant cloud host, which is used for implementing the foregoing embodiments and preferred embodiments; what has already been described is not repeated here. As used hereinafter, the terms "module," "unit," "subunit," and the like may implement a combination of software and/or hardware for a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 6 is a block diagram of a configuration apparatus of a DDoS-resistant cloud host according to an embodiment of the present application, and as shown in fig. 6, the apparatus includes:
the first obtaining module 610 is configured to obtain tenant request information, where the tenant request information includes information that a tenant requests to create an anti-DDoS cloud host, and the anti-DDoS cloud host represents a cloud host with an anti-DDoS attack protection function.
The cloud host creating module 620 is configured to obtain device information of multiple target server cloud hosts, and create a distributed DDoS-resistant cloud host in a physical computing node corresponding to each target server cloud host based on tenant request information and the device information; the device information comprises position information of a physical computing node where a target server cloud host is located, and the target server cloud host represents a server cloud host needing DDoS attack prevention.
The second obtaining module 630 is configured to obtain configuration information, where the configuration information includes first configuration information and second configuration information, and is used to configure a virtual communication network port between the distributed DDoS-resistant cloud host and the virtual switch and between the virtual switch and the target server cloud host.
The network port configuration module 640 is configured to configure a first virtual communication network port between each distributed DDoS-resistant cloud host and the virtual switch based on the first configuration information, and configure a second virtual communication network port between the virtual switch and the target server cloud host based on the second configuration information.
In some embodiments, the second obtaining module 630 includes a user requirement obtaining unit, a first configuration information obtaining unit, and a second configuration information obtaining unit.
The user demand acquisition unit is used for acquiring network demand information of the tenant and internal network information corresponding to the target server cloud host, wherein the internal network information represents network information of an internal network having a communication relation with the target server cloud host; the network demand information represents the network port information of the virtual communication network port required by the tenant and the network information of the external network corresponding to the required virtual communication network port.
The first configuration information acquisition unit is used for acquiring first configuration information based on the network demand information, wherein the first configuration information comprises the number and the type of the first virtual communication network ports and network information corresponding to an external network.
And the second configuration information acquisition unit is used for acquiring second configuration information based on the internal network information, wherein the second configuration information comprises the number and the type of the second virtual communication network ports and network information corresponding to the internal network.
In some embodiments, the deployment apparatus of the DDoS-resistant cloud host further includes a flow control module, where the flow control module includes a user data obtaining unit and a control rule setting unit.
And the user data acquisition unit is used for acquiring the current user access mode, and the user access mode comprises a common account access mode and an operation account access mode.
The control rule setting unit is used for setting a flow control rule of the virtual switch based on a current user access mode and an Openflow protocol, and the flow control rule is used for controlling data flow of an inlet and an outlet of the virtual switch; the flow control rule comprises a data packet discarding rule and a data packet address modification rule, and the data flow comprises data packets passing through the virtual switch gateway.
In some of these embodiments, the control rule setting unit comprises a first setting subunit and a second setting subunit.
The first setting subunit is used for setting a data packet discarding rule for the ingress and egress of the virtual switch based on the Openflow protocol if the current user access mode is the common account access mode; the packet discarding rules include a first discarding rule and a second discarding rule; the first discarding rule comprises discarding the data packet if the destination MAC address of a data packet in the egress direction of the virtual switch is the same as the MAC address of the second virtual communication network port; the second discarding rule comprises discarding the data packet if the destination IP address of a data packet in the egress direction of the virtual switch is the same as the IP address of the second virtual communication network port.
The second setting subunit is used for setting a data packet address modification rule for the ingress and egress of the virtual switch based on the Openflow protocol if the current user access mode is the operation account access mode; the data packet address modification rules include a first address modification rule and a second address modification rule; the first address modification rule comprises modifying the source MAC address of a data packet to the local MAC address if the source IP address of the data packet in the egress direction of the virtual switch is the same as the IP address of the second virtual communication network port; the second address modification rule comprises modifying the destination MAC address of a data packet to the MAC address of the second virtual communication network port if the destination MAC address of the data packet in the ingress direction of the virtual switch is the local MAC address.
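The two rule sets above (and the corresponding claims 3 and 4) are easiest to reason about as plain match/action flow entries. The following is an added example, not code from the patent or its applicant: it models the common-account discarding rules and the operation-account address modification rules as flow entries, evaluates constructed sample packets against them, and renders each entry as an ovs-ofctl command for an Open vSwitch bridge. The MAC and IP addresses, the bridge name, and the mapping of the patent's "ingress"/"egress" directions onto OpenFlow in_port numbers are all assumptions made for the example.

```python
"""Added example: the virtual switch flow rules of the two user access modes,
expressed as match/action entries, applied to sample packets and rendered as
ovs-ofctl commands. Addresses and port numbers are constructed values."""
from dataclasses import dataclass, replace
from typing import Optional

SECOND_PORT_MAC = "02:00:00:00:00:02"  # constructed: MAC of the second virtual port
SECOND_PORT_IP = "10.0.0.2"            # constructed: IP of the second virtual port
LOCAL_MAC = "02:00:00:00:00:01"        # constructed: the switch's local MAC
# Assumption: which OpenFlow in_port corresponds to each direction in the text.
PORT_OF_DIRECTION = {"egress": 2, "ingress": 1}


@dataclass(frozen=True)
class Packet:
    direction: str  # "egress" or "ingress", relative to the virtual switch
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class FlowRule:
    name: str
    direction: str
    match: dict          # packet field -> required value
    action: str          # "drop", "set_src_mac" or "set_dst_mac"
    value: str = ""      # new address for the set_* actions


def build_rules(mode: str) -> list:
    """Rules for a user access mode: 'common' drops, 'operation' rewrites."""
    if mode == "common":
        return [
            FlowRule("drop-to-second-port-mac", "egress",
                     {"dst_mac": SECOND_PORT_MAC}, "drop"),
            FlowRule("drop-to-second-port-ip", "egress",
                     {"dst_ip": SECOND_PORT_IP}, "drop"),
        ]
    if mode == "operation":
        return [
            FlowRule("mask-source-mac", "egress",
                     {"src_ip": SECOND_PORT_IP}, "set_src_mac", LOCAL_MAC),
            FlowRule("restore-destination-mac", "ingress",
                     {"dst_mac": LOCAL_MAC}, "set_dst_mac", SECOND_PORT_MAC),
        ]
    raise ValueError(f"unknown user access mode: {mode}")


def apply_rules(packet: Packet, rules: list) -> Optional[Packet]:
    """Return the packet after the first matching rule; None means dropped."""
    for rule in rules:
        if rule.direction != packet.direction:
            continue
        if all(getattr(packet, field) == wanted for field, wanted in rule.match.items()):
            if rule.action == "drop":
                return None
            if rule.action == "set_src_mac":
                return replace(packet, src_mac=rule.value)
            if rule.action == "set_dst_mac":
                return replace(packet, dst_mac=rule.value)
    return packet  # no rule matched: forwarded unchanged


# ovs-ofctl match keys for each packet field; IP matches need the 'ip' qualifier
_OVS_FIELD = {"src_mac": "dl_src", "dst_mac": "dl_dst",
              "src_ip": "ip,nw_src", "dst_ip": "ip,nw_dst"}
_OVS_ACTION = {"drop": "drop", "set_src_mac": "mod_dl_src", "set_dst_mac": "mod_dl_dst"}


def to_ovs_ofctl(rule: FlowRule, bridge: str = "br-int") -> str:
    """Render one rule as an 'ovs-ofctl add-flow' command (bridge name assumed)."""
    match = [f"in_port={PORT_OF_DIRECTION[rule.direction]}"]
    match += [f"{_OVS_FIELD[f]}={v}" for f, v in rule.match.items()]
    if rule.action == "drop":
        actions = "drop"
    else:
        actions = f"{_OVS_ACTION[rule.action]}:{rule.value},NORMAL"
    return f'ovs-ofctl add-flow {bridge} "priority=100,{",".join(match)},actions={actions}"'


if __name__ == "__main__":
    for mode in ("common", "operation"):
        print(f"# {mode} account access mode")
        for rule in build_rules(mode):
            print(to_ovs_ofctl(rule))
```

Running the block prints the four ovs-ofctl commands, two per access mode. The first matching rule wins, which mirrors how a single OpenFlow table with equal priorities would be evaluated; in a real bridge the drop rules should carry a higher priority than the NORMAL forwarding entry so that they are consulted first.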
The above modules may be functional modules or program modules, and may be implemented in software or hardware. For modules implemented in hardware, the modules may be located in the same processor, or may be distributed across different processors in any combination.
In addition, the deployment method of the DDoS-resistant cloud host according to the embodiment of the present application described in conjunction with fig. 1 may be implemented by a computer device. Fig. 7 is a schematic hardware structure diagram of a computer device according to an embodiment of the present application.
The computer device may comprise a processor 71 and a memory 72 in which computer program instructions are stored.
Specifically, the processor 71 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits that implement the embodiments of the present application.
Memory 72 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 72 may include a hard disk drive (HDD), a floppy disk drive, a solid state drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 72 may include removable or non-removable (or fixed) media, where appropriate. The memory 72 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 72 is non-volatile memory. In particular embodiments, memory 72 includes read-only memory (ROM) and random access memory (RAM). The ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), or flash memory, or a combination of two or more of these, where appropriate. The RAM may be static random-access memory (SRAM) or dynamic random-access memory (DRAM), where the DRAM may be fast page mode DRAM (FPM DRAM), extended data output DRAM (EDO DRAM), synchronous DRAM (SDRAM), and the like.
The memory 72 may be used to store or cache various data files that need to be processed and/or used for communication, as well as possible computer program instructions executed by the processor 71.
The processor 71 reads and executes the computer program instructions stored in the memory 72 to implement any one of the above-described embodiments of the DDoS-resistant cloud host deployment methods.
In some of these embodiments, the computer device may also include a communication interface 73 and a bus 70. As shown in fig. 7, the processor 71, the memory 72, and the communication interface 73 are connected via the bus 70 to complete mutual communication.
The communication interface 73 is used for realizing communication among the modules, devices, units and/or equipment in the embodiments of the present application. The communication interface 73 may also enable data communication with other components, such as external devices, image/data acquisition devices, databases, external storage, and image/data processing workstations.
The bus 70 comprises hardware, software, or both that couple the components of the computer device to one another. Bus 70 includes, but is not limited to, at least one of the following: a data bus, an address bus, a control bus, an expansion bus, and a local bus. By way of example, and not limitation, bus 70 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local bus (VLB), or other suitable bus, or a combination of two or more of these. Bus 70 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
The computer device may execute the method for deploying the DDoS-resistant cloud host in the embodiment of the present application based on the acquired tenant request information and the device information of the multiple target server cloud hosts, thereby implementing the method for deploying the DDoS-resistant cloud host described in conjunction with fig. 1.
In addition, in combination with the deployment method of the DDoS-resistant cloud host in the foregoing embodiments, an embodiment of the present application may be implemented as a computer-readable storage medium. The computer-readable storage medium has computer program instructions stored thereon; the computer program instructions, when executed by a processor, implement any one of the above-described embodiments of the method for deploying a DDoS-resistant cloud host.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method for deploying an anti-DDoS cloud host is characterized by comprising the following steps:
acquiring tenant request information, wherein the tenant request information comprises information of a tenant request for creating a DDoS (distributed denial of service) resistant cloud host, and the DDoS resistant cloud host represents a cloud host with a DDoS attack resistant protection function;
acquiring equipment information of a plurality of target server cloud hosts, and creating a distributed anti-DDoS cloud host in a physical computing node corresponding to each target server cloud host based on the tenant request information and the equipment information; the device information comprises position information of a physical computing node where the target server cloud host is located, and the target server cloud host represents a server cloud host needing to be protected against DDoS attack;
acquiring configuration information, wherein the configuration information comprises first configuration information and second configuration information and is used for configuring a virtual communication network port between the distributed DDoS-resistant cloud host and a virtual switch and between the virtual switch and the target server side cloud host;
configuring a first virtual communication network port between each distributed anti-DDoS cloud host and the virtual switch based on the first configuration information, and configuring a second virtual communication network port between the virtual switch and the target server cloud host based on the second configuration information.
2. The method of claim 1, wherein the obtaining configuration information comprises:
acquiring network demand information of the tenant and internal network information corresponding to the target server cloud host, wherein the internal network information represents network information of an internal network having a communication relation with the target server cloud host; the network demand information represents the network port information of the virtual communication network port required by the tenant and the network information of the external network corresponding to the required virtual communication network port;
acquiring the first configuration information based on the network demand information, wherein the first configuration information comprises the number and the type of the first virtual communication network ports and network information corresponding to an external network;
and acquiring the second configuration information based on the internal network information, wherein the second configuration information comprises the number and the type of the second virtual communication network ports and network information corresponding to the internal network.
3. The method of claim 1, further comprising:
acquiring a current user access mode, wherein the user access mode comprises a common account access mode and an operation account access mode;
setting a flow control rule of the virtual switch based on the current user access mode and an Openflow protocol, wherein the flow control rule is used for controlling data flow of an inlet and an outlet of the virtual switch; the flow control rule comprises a data packet discarding rule and a data packet address modifying rule, and the data flow comprises data packets passing through the virtual switch gateway.
4. The method of claim 3, wherein setting the flow control rule of the virtual switch based on the current user access mode and an Openflow protocol comprises:
if the current user access mode is the common account access mode, setting a data packet discarding rule of the virtual switch gateway based on an Openflow protocol; the packet discarding rules include a first discarding rule and a second discarding rule; the first discarding rule includes discarding the data packet if a destination MAC address of the data packet in the egress direction of the virtual switch is the same as a MAC address of the second virtual communication port; the second discarding rule includes discarding the data packet if a destination IP address of the data packet in the egress direction of the virtual switch is the same as an IP address of the second virtual communication port;
if the current user access mode is the operation account access mode, setting a data packet address modification rule of the virtual switch gateway based on an Openflow protocol; the data packet address modification rule comprises a first address modification rule and a second address modification rule; the first address modification rule comprises that if the source IP address of the data packet in the outlet direction of the virtual switch is the same as the IP address of the second virtual communication network port, the source MAC address of the data packet is modified into a local MAC address; the second address modification rule includes modifying the destination MAC address of the data packet to the MAC address of the second virtual communication port if the destination MAC address of the data packet in the ingress direction of the virtual switch is a local MAC address.
5. A device for deploying anti-DDoS cloud hosts, the device comprising:
a first acquisition module, configured to acquire tenant request information, wherein the tenant request information comprises information that a tenant requests to create a DDoS (distributed denial of service) resistant cloud host, and the DDoS resistant cloud host represents a cloud host with a DDoS attack resistant protection function;
the cloud host creating module is used for acquiring equipment information of a plurality of target server cloud hosts and creating a distributed anti-DDoS cloud host in a physical computing node corresponding to each target server cloud host based on the tenant request information and the equipment information; the device information comprises position information of a physical computing node where the target server cloud host is located, and the target server cloud host represents a server cloud host needing to be protected against DDoS attack;
a second obtaining module, configured to obtain configuration information, where the configuration information includes first configuration information and second configuration information, and is used to configure a virtual communication network port between the distributed DDoS-resistant cloud host and a virtual switch and between the virtual switch and the target server cloud host;
and the network port configuration module is used for configuring a first virtual communication network port between each distributed anti-DDoS cloud host and the virtual switch based on the first configuration information and configuring a second virtual communication network port between the virtual switch and the target server cloud host based on the second configuration information.
6. An anti-DDoS attack protection system, comprising: the system comprises a control platform, a plurality of physical computing nodes, and a distributed anti-DDoS cloud host, a virtual switch and a target server cloud host which are arranged in each physical computing node, wherein:
a first virtual communication network port is arranged between the distributed DDoS-resistant cloud host and the virtual switch, and a second virtual communication network port is arranged between the virtual switch and the target server side cloud host;
the control platform is respectively connected with the distributed anti-DDoS cloud host, the target server side cloud host and the virtual switch, and is configured to execute the anti-DDoS cloud host deployment method according to any one of claims 1 to 4.
7. The system according to claim 6, wherein the target server cloud host is configured to send an address resolution broadcast message and receive an address resolution feedback message sent by the second virtual communication port, so as to obtain the first communication address of the second virtual communication port from the address resolution feedback message;
the virtual switch is configured to obtain the address resolution broadcast packet through the second virtual communication network port, obtain a second communication address of the target server cloud host from the address resolution broadcast packet, send the address resolution feedback packet to the target server cloud host based on the second communication address, and discard the address resolution broadcast packet.
8. The system of claim 6, wherein the DDoS attack prevention system further comprises a client and a physical switch, wherein the client sends an access packet to the first virtual communication port through the physical switch;
the distributed DDoS-resistant cloud host acquires the access data packet from the first virtual communication network port, performs DDoS attack-resistant cleaning processing on the access data packet, and sends the cleaned access data packet to the second virtual communication network port;
and the target server cloud host acquires the cleaned access data packet from the second virtual communication network port, and sends a feedback data packet to the client based on the access data packet.
9. A computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the method for deployment of anti-DDoS cloud hosts of any of claims 1 to 4 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the method for deployment of a DDoS-resistant cloud host according to any one of claims 1 to 4.
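Claim 7 describes the address resolution exchange on the second virtual communication port: the target server cloud host broadcasts an ARP request, the virtual switch learns the server's address from it, answers with the port's own address, and discards the broadcast so it never leaves the port. The following is an added example, not code from the patent or its applicant: it builds and parses raw ARP frames and implements that exchange for the switch side, returning the reply to send back and a flag saying whether the original frame may be forwarded. The port and server addresses are constructed; answering with the port's MAC for whatever IP the server asks about (proxy-ARP style) is an assumption for the case the claim does not detail.

```python
"""Added example: the ARP exchange of claim 7 on the second virtual port.
The switch learns the server's (IP, MAC) from its broadcast request, replies
with the port's MAC, and never forwards the broadcast. Addresses are constructed."""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(opcode: int, sha: str, spa: str, tha: str, tpa: str, dst_mac: str) -> bytes:
    """Ethernet II frame carrying an ARP packet (IPv4 over Ethernet)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sha) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not IPv4/Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": opcode,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class SecondPortArpHandler:
    """Switch-side logic of the second virtual communication port."""

    def __init__(self, port_mac: str, port_ip: str):
        self.port_mac = port_mac      # first communication address given to the server
        self.port_ip = port_ip
        self.learned = {}             # server IP -> server MAC (second communication address)

    def handle(self, frame: bytes):
        """Process one frame arriving from the server side.

        Returns (reply_frame_or_None, forward): the reply to send back to the
        server, and whether the original frame may be forwarded on.
        """
        arp = parse_arp(frame)
        if arp is None:
            return None, True                 # not ARP: outside this exchange
        if arp["op"] != ARP_REQUEST:
            return None, False                # stray ARP replies are not propagated
        # learn the server's address from the broadcast itself
        self.learned[arp["spa"]] = arp["sha"]
        # answer with the port's MAC for the requested IP (assumed proxy-ARP behaviour)
        reply = build_arp(ARP_REPLY, self.port_mac, arp["tpa"],
                          arp["sha"], arp["spa"], dst_mac=arp["sha"])
        return reply, False                   # the broadcast is always discarded


if __name__ == "__main__":
    handler = SecondPortArpHandler("02:00:00:00:00:02", "10.0.0.2")
    request = build_arp(ARP_REQUEST, "02:00:00:00:00:10", "10.0.0.10",
                        "00:00:00:00:00:00", "10.0.0.2", BROADCAST_MAC)
    reply, forward = handler.handle(request)
    print("learned:", handler.learned, "forward broadcast:", forward)
    print("reply:", parse_arp(reply))
```

The containment point is that the server's broadcast never reaches the first-port side, so nothing beyond the virtual switch learns the server's MAC, and the server only ever learns the port's MAC as its next hop.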
CN202110204982.6A 2021-02-24 2021-02-24 Method and device for deploying anti-DDoS cloud host and anti-DDoS attack protection system Active CN112994941B (en)

Publications (2)

Publication Number Publication Date
CN112994941A true CN112994941A (en) 2021-06-18
CN112994941B CN112994941B (en) 2022-05-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant