CN113992347B - Message processing method and device - Google Patents


Info

Publication number: CN113992347B
Application number: CN202111090839.5A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113992347A
Inventor: 佟立超
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Prior art keywords: message, address, tunnel, flow cleaning, network message

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/21 Design, administration or maintenance of databases
    • G06F 16/215 Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Abstract

The application provides a message processing method and device. After receiving a remote traction instruction for a target IP address, the flow cleaning device issues a traction route to the core router through a first interface, where the traction route comprises a first IP address of a second interface on the flow cleaning device that is used for remotely forwarding messages. The flow cleaning device then receives, through the first interface, a first network message sent by the core router whose destination IP address is the first IP address; according to the preset next-hop IP address of the second interface, it tunnel-encapsulates the first network message to obtain a first tunnel message whose destination IP address is that next-hop IP address, the next-hop IP address being the tunnel IP address of the high security center device; and it sends the first tunnel message to the high security center device through a first tunnel corresponding to the second interface, so that the high security center device parses the first network message from the first tunnel message and performs flow cleaning on it.

Description

Message processing method and device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for processing a message.
Background
As networks have grown, attack traffic has increased, and traffic cleaning was introduced to counter abnormal traffic. However, the conventional abnormal traffic cleaning system only supports local cleaning; see the abnormal traffic cleaning system shown in fig. 1. The management center issues a traction instruction to the cleaning device, which configures a guard route so that BGP imports the guard route and advertises it to the neighbouring core router. The original route on the core router has a 24-bit mask; through exact matching, the traffic of the server 192.168.1.2 hits the guard route, so that traffic is forwarded to the cleaning device. The cleaning device cleans the traffic and, once cleaning is complete, looks up the route and forwards the traffic back to the core router. To avoid re-hitting the traction route, a reinjection policy is configured whose policy-route next hop is the downstream aggregation switch, so the cleaned traffic is forwarded to the aggregation switch, which looks up the route and completes normal forwarding.
However, DDoS attacks have become frequent in recent years, and both the attack traffic and its impact keep growing, so the cleaning capability of the cleaning device may be insufficient; high-protection center devices are therefore deployed in large numbers and the attack traffic is pulled to them for protection. How to draw the traffic to the high security center device, and how to reinject the cleaned traffic into the original network, thus becomes a difficulty for the high security center device. The scheme currently offered is that, when the traffic is found to be abnormal under attack, the CNAME record for the domain name is manually changed on the DNS server, so that the DNS server updates the DNS name of the network and, when new traffic reaches the network, it is sent to the high security center device by default. However, manually modifying the CNAME incurs a manual processing delay, and the user device may already have suffered a long attack during the modification; in addition, the IP address of the DNS server can be obtained before the attack is carried out, and if the attacker targets that IP address, the modified DNS record cannot take effect immediately, so the subsequent traffic cannot be led to the high-protection center device.
Therefore, how to pull the abnormal traffic to the high protection center device in a timely manner and prevent the user device from being attacked is a technical problem worth considering.
Disclosure of Invention
In view of this, the present application provides a method and apparatus for processing a message, which are used to timely pull abnormal traffic to a high protection center device and prevent a user device from being attacked.
Specifically, the application is realized by the following technical scheme:
according to a first aspect of the present application, there is provided a message processing method, applied to a flow cleaning device, the method comprising:
after a remote traction instruction of a target IP address is received, issuing a traction route to a core router through a first interface, wherein the traction route comprises a first IP address of a second interface used for remotely forwarding a message on the flow cleaning equipment;
receiving a first network message sent by the core router through the first interface, wherein the destination IP address of the first network message is the first IP address;
according to a preconfigured next-hop IP address of the second interface, carrying out tunnel encapsulation on the first network message to obtain a first tunnel message, wherein a destination IP address of the first tunnel message is the next-hop IP address, and the next-hop IP address is a tunnel IP address of high-security center equipment;
and sending the first tunnel message to the high-security center device through a pre-established first tunnel corresponding to the second interface, so that the high-security center device parses the first network message from the first tunnel message and performs flow cleaning on the first network message.
According to a second aspect of the present application, there is provided a message processing method applied to a high security center device, the method including:
receiving a first tunnel message sent by flow cleaning equipment, wherein the first tunnel message is obtained by performing tunnel encapsulation on a first network message sent by a core router after the flow cleaning equipment receives a remote traction instruction;
and analyzing the first network message from the first tunnel message, and performing flow cleaning on the first network message.
According to a third aspect of the present application, there is provided a message processing apparatus provided in a flow cleaning device, the apparatus comprising:
a control module, used for receiving the remote traction instruction of the target IP address;
The first sending module is used for issuing a traction route to the core router through a first interface after the control module receives a remote traction instruction of a target IP address, wherein the traction route comprises a first IP address of a second interface used for remotely forwarding a message on the flow cleaning equipment;
The first receiving module is used for receiving a first network message sent by the core router through the first interface, and the destination IP address of the first network message is the first IP address;
the encapsulation module is used for carrying out tunnel encapsulation on the first network message according to a preset next-hop IP address of the second interface to obtain a first tunnel message, wherein the destination IP address of the first tunnel message is the next-hop IP address, and the next-hop IP address is the tunnel IP address of the high-security center device;
and a second sending module, used for sending the first tunnel message to the high-security center device through a first tunnel corresponding to the second interface, so that the high-security center device parses the first network message from the first tunnel message and performs flow cleaning on the first network message.
According to a fourth aspect of the present application, there is provided a message processing apparatus, provided in a high security center device, the apparatus comprising:
the receiving module is used for receiving a first tunnel message sent by the flow cleaning equipment, wherein the first tunnel message is obtained by carrying out tunnel encapsulation on a first network message sent by the core router after the flow cleaning equipment receives a remote traction instruction;
and a flow cleaning module, used for parsing the first network message from the first tunnel message and performing flow cleaning on the first network message.
According to a fifth aspect of the present application there is provided an electronic device comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method provided by the first aspect of the embodiment of the present application.
According to a sixth aspect of the present application there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method provided by the first aspect of the embodiments of the present application.
The embodiment of the application has the beneficial effects that:
after receiving a remote traction instruction for a target IP address, the flow cleaning device sends a traction route containing the IP address of its second interface to the core router, so that the core router sends the first network message addressed to the target IP address to the flow cleaning device; after the flow cleaning device receives the first network message, it encapsulates it based on the preset next-hop IP address of the second interface, namely the tunnel IP address of the high security center device, and sends the resulting first tunnel message to the high security center device, so that the high security center device cleans the received message. The traffic to be cleaned thus reaches the high security center device promptly and accurately, and the CNAME does not need to be manually modified, which avoids both the cleaning delay caused by manually modifying the CNAME and the attack suffered by the user device during that manual modification.
Drawings
FIG. 1 is a schematic diagram of a flow cleaning architecture currently provided;
FIG. 2 is a flow chart of a message processing method according to an embodiment of the present application;
FIG. 3 is a flow chart of another message processing method according to an embodiment of the present application;
FIG. 4 is an interactive schematic diagram of a message processing method according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a message processing apparatus according to an embodiment of the present application;
FIG. 6 is a schematic diagram of remote message processing according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a local processing message according to an embodiment of the present application;
FIG. 8 is a schematic diagram of another message processing apparatus according to an embodiment of the present application;
FIG. 9 is a schematic hardware structure of an electronic device implementing a message processing method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this disclosure, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The message processing method provided by the application is described in detail below.
Referring to fig. 2, fig. 2 is a flowchart of a message processing method provided by the present application, which is applied to a flow cleaning device, and the method may include the following steps:
S201, after receiving a remote traction instruction of a target IP address, issuing a traction route to a core router through a first interface.
The traction route comprises a first IP address of a second interface used for remotely forwarding the message on the flow cleaning equipment.
In this step, when the detection device detects that the traffic on the core router satisfies the flow cleaning condition and the high-protection center is required to protect it, the detection device sends a remote traction instruction to the flow cleaning device. Specifically, the remote traction instruction is sent when the detection device detects that the traffic corresponding to the target IP address reaches the set traffic volume.
Optionally, the set traffic volume may be, but is not limited to, 10 Gbps; that is, when the traffic corresponding to the target IP address reaches 10 Gbps, it is confirmed that this traffic needs traffic protection, which may include, but is not limited to, traffic detection, traffic cleaning, and so on.
Specifically, when the flow cleaning device receives the remote traction instruction, in order to have the traffic corresponding to the target IP address cleaned on the high security center device, it generates a traction route that includes the first IP address of the second interface used for forwarding the message, and sends the traction route to the core router through the first interface.
It should be noted that, before the traction route is sent to the core router through the first interface, a communication relationship with the core router is established in advance; specifically, the BGP protocol may be used to establish it, and once it is established, the interface corresponding to the relationship, that is, the first interface, is recorded on each device. Thus, after receiving the remote traction instruction, the flow cleaning device generates a traction route locally and sends it to the core router through the first interface.
Optionally, the flow cleaning device itself has a flow protection function. In general, when the detection device confirms that the traffic of the target IP address is between the preset threshold and the set traffic volume, it starts the local flow protection function of the flow cleaning device, that is, it sends a local traction instruction to the flow cleaning device.
Note that the above preset threshold may be, but is not limited to, 1 Gbps. When the detection device detects that the traffic of the target IP address is greater than 1 Gbps but less than 10 Gbps, it sends a local traction instruction to the flow cleaning device. When the flow cleaning device receives the local traction instruction, it starts its local flow protection function; the procedure it then follows is the existing local flow protection procedure, which is not described in detail here.
In addition, when the detection device detects that the traffic of the target IP address is less than 1 Gbps, the traffic corresponding to the target IP address is within the normal range and the traffic protection function need not be triggered. When the detection device sends a local or remote traction instruction to the flow cleaning device, it sends the instruction to the management center, and the management center forwards it to the flow cleaning device.
S202, receiving a first network message sent by the core router through the first interface, wherein the destination IP address of the first network message is a first IP address.
In this step, after the core router receives the traction route, it modifies the routing table entry corresponding to the destination IP address, so that it pulls the traffic for that destination IP address to the flow cleaning device. In this way, the flow cleaning device receives the first network message, whose outer destination IP address is the first IP address carried in the traction route. That is, the inner IP address of the first network message is the destination IP address (the target IP address), and the outer destination IP address is the first IP address of the second interface in the traction route.
S203, tunnel packaging is carried out on the first network message according to the preset next hop IP address of the second interface, and a first tunnel message is obtained.
The destination IP address of the first tunnel packet is the next-hop IP address, and the next-hop IP address is the tunnel IP address of the high security center device.
Specifically, in order to send a message to the high security center device without manually modifying a CNAME, after receiving the first network message the flow cleaning device parses the first IP address from it, searches the routing table, finds that the interface corresponding to the first IP address is the second interface, determines the next-hop IP address of the first network message based on the second interface, and tunnel-encapsulates the first network message according to that next-hop IP address to obtain the first tunnel message, where the tunnel (destination) IP address of the first tunnel message is the tunnel IP address of the high security center device.
S204, the first tunnel message is sent to the high security center equipment through a first tunnel corresponding to the second interface, which is established in advance, so that the high security center equipment analyzes the first network message from the first tunnel message and cleans the flow of the first network message.
In this step, after the flow cleaning device encapsulates the first network message to obtain the first tunnel message, it sends the first tunnel message to the high security center device through the pre-established first tunnel corresponding to the second interface. After the high security center device receives the first tunnel message, it parses the first network message from it and performs flow cleaning on the first network message. Thus the message to be cleaned is sent to the high-protection center device through the tunnel without the manual CNAME modification of the prior art, so the traffic to be cleaned reaches the high-protection center device quickly and in a timely manner, and the attack on the user device is avoided.
It should be noted that the first tunnel is pre-established, and may be, but is not limited to, a GRE (Generic Routing Encapsulation) tunnel. Specifically, the flow cleaning device establishes the first tunnel with the high security center device through the core router, designating an interface and a tunnel IP address for the first tunnel on the flow cleaning device and an interface and a tunnel IP address on the high security center device, and records both on the flow cleaning device and on the high security center device.
By implementing the message processing method provided by the application, after the flow cleaning device receives the remote traction instruction for the target IP address, it sends the traction route containing the second interface's IP address to the core router, so that the core router sends the first network message addressed to the target IP address to the flow cleaning device; after the flow cleaning device receives the first network message, it encapsulates it based on the preset next-hop IP address of the second interface, namely the tunnel IP address of the high security center device, and sends the resulting first tunnel message to the high security center device, so that the high security center device cleans the received message. The traffic to be cleaned thus reaches the high security center device promptly and accurately, and the CNAME does not need to be manually modified, which avoids both the cleaning delay caused by manually modifying the CNAME and the attack suffered by the user device during that manual modification.
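The encapsulation in S203 and the parsing in S204 are what a packet-level implementation of the first tunnel actually does. The following is an added example, not code from the patent or from its assignee: it builds a first network message as raw IPv4 bytes, wraps it the way a GRE tunnel endpoint on the flow cleaning device would (outer IPv4 header with destination = the high security center's tunnel IP, then a 4-byte GRE header with protocol type 0x0800), and on the receiving side strips the encapsulation while rejecting packets that are not plain IPv4-in-GRE addressed to the local tunnel endpoint. All addresses and payloads are constructed; the validation rules (protocol 47, GRE version 0, no optional GRE fields, valid header checksums and lengths) are standard GRE/IPv4 checks, not anything the patent specifies.

```python
# Added example (not from the patent): byte-level GRE encapsulation of a network
# message on the flow cleaning device (S203) and decapsulation on the high
# security center device (S302). All addresses and payloads are constructed.
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet: 20-byte header, no options, valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the IPv4 header, checking version, lengths and header checksum."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    (_ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if total_len < ihl or total_len > len(packet):
        raise ValueError("bad IPv4 total length")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": packet[ihl:total_len]}


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Flow cleaning device side (S203): wrap the first network message in a GRE
    header and an outer IPv4 header whose destination is the preset next hop,
    i.e. the high security center device's tunnel IP address."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, version 0
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + inner)


def gre_decapsulate(tunnel_packet: bytes, local_tunnel_ip: str) -> bytes:
    """High security center side (S302): strip the outer encapsulation and return
    the inner network message, rejecting anything that is not plain IPv4-in-GRE
    addressed to this tunnel endpoint."""
    outer = parse_ipv4(tunnel_packet)
    if outer["dst"] != local_tunnel_ip:
        raise ValueError("outer destination is not our tunnel address")
    if outer["proto"] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    gre = outer["payload"]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto_type = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007:   # version field must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xB000:   # C, K or S flag set: optional fields we do not handle
        raise ValueError("optional GRE fields not supported by this example")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    inner = gre[4:]
    parse_ipv4(inner)        # validate the inner header before handing it to cleaning
    return inner


if __name__ == "__main__":
    # Constructed first network message from 10.0.0.9 to the protected host.
    first_network_msg = ipv4_packet("10.0.0.9", "192.168.1.2", 6, b"constructed payload")
    first_tunnel_msg = gre_encapsulate(first_network_msg, "172.16.0.1", "172.16.0.2")
    assert gre_decapsulate(first_tunnel_msg, "172.16.0.2") == first_network_msg
    print("outer:", parse_ipv4(first_tunnel_msg)["dst"], "inner:", parse_ipv4(first_network_msg)["dst"])
```

The decapsulation deliberately checks the outer destination against the local tunnel address and validates both headers before the inner message is handed to the cleaning engine; a tunnel endpoint that decapsulates whatever arrives on protocol 47 would let any host that can reach the tunnel address inject traffic into the cleaning path.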
Optionally, the method for processing a message provided by the application further includes: receiving a second tunnel message sent by the high security center equipment through a second tunnel corresponding to a pre-established third interface, wherein the second tunnel message carries a second network message without abnormality after flow cleaning; analyzing the second network message from the second tunnel message; and sending the second network message to a core router corresponding to the next hop IP address in the reinjection route according to the preset next hop IP address in the reinjection route.
Specifically, to ensure real-time message exchange and to keep sending and receiving from interfering with each other, the application proposes establishing a second tunnel between the flow cleaning device and the high security center device, and negotiating with the high security center device so that it receives the network messages that require flow cleaning over the first tunnel and returns the network messages that have passed flow cleaning over the second tunnel. After the high security center device receives a tunnel message, it parses the network message to be cleaned from it and performs flow cleaning on that network message. When cleaning is finished and the network message is confirmed to be free of anomalies, the network message (recorded, for convenience of description, as the second network message) is tunnel-encapsulated, and the resulting second tunnel message is sent to the flow cleaning device through the second tunnel.
Thus, after the flow cleaning device receives the second tunnel message, since it is a message returned after flow cleaning, which indicates that the inner message is safe, the flow cleaning device parses the second network message from the second tunnel message and reinjects it into the core router, sending it according to the next-hop IP address in the preconfigured reinjection route. This realizes the reinjection of the cleaned message and ensures that a message free of anomalies reaches its actual receiver normally.
It should be noted that the second network message may be the first network message after flow cleaning, confirmed to be free of anomalies.
Based on any one of the foregoing embodiments, the method for processing a message provided in this embodiment further includes: after receiving a remote traction instruction of a target IP address, closing a local flow cleaning function of the flow cleaning equipment; and when the local traction instruction is received, starting a local flow cleaning function of the flow cleaning equipment.
Specifically, after the flow cleaning device receives the remote traction instruction sent by the detection device, because the flow cleaning device is mainly used for sending a message to be cleaned to the high-protection center device, in order to reduce the resource consumption of the flow cleaning device, the embodiment proposes to close the local flow cleaning function of the flow cleaning device after receiving the remote traction instruction, so that the resources occupied by the local flow cleaning function can be reduced, the message can be better forwarded for remote protection, the real-time performance of flow cleaning is improved to a certain extent, and the user device is further prevented from being attacked.
Furthermore, since some flows also need to be locally protected from attack, after receiving the local traction instruction sent by the detection device, the flow cleaning function of the flow cleaning device is started, so that the flow cleaning device can perform flow cleaning locally better.
In summary, not only local flow cleaning but also remote flow cleaning can be realized, and the CNAME does not need to be manually modified, so the efficiency of flow cleaning is greatly improved. In addition, because the CNAME does not need to be modified, the situation in which an attacker obtains the IP address of the DNS server before attacking is avoided, as is the situation in which traffic cannot be led to the high-security center device after a manual CNAME modification because the attacker is attacking that IP address.
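The tiered decision described for S201 (below 1 Gbps normal, between 1 Gbps and 10 Gbps a local traction instruction, at 10 Gbps and above a remote traction instruction) and the local-function switching described just above can be written down as a small detection-and-control loop. The following is an added example, not code from the patent: a detection device that rates constructed per-target flow records against the page's thresholds, and a flow cleaning device that, on each instruction, records the /32 traction route it would announce to the core router and switches its local cleaning function off for remote traction or on for local traction. The second-interface address 172.16.0.1 and the local next hop 10.1.1.1 are assumptions; the page does not say what next hop the local-cleaning traction route carries.

```python
# Added example (not from the patent): detection thresholds from the page
# (1 Gbps local, 10 Gbps remote) and the cleaning device's mode switching.
# Flow records and addresses are constructed.
from collections import defaultdict

LOCAL_THRESHOLD_BPS = 1_000_000_000     # above this: local traction instruction
REMOTE_THRESHOLD_BPS = 10_000_000_000   # at or above this: remote traction instruction


def classify_rate(rate_bps: float):
    """Map a measured rate for one target IP to None, 'local' or 'remote'."""
    if rate_bps >= REMOTE_THRESHOLD_BPS:
        return "remote"
    if rate_bps > LOCAL_THRESHOLD_BPS:
        return "local"
    return None


def measure_rates(flow_records, window_seconds: float) -> dict:
    """Aggregate (dst_ip, byte_count) samples seen in one window into bit/s per target."""
    totals = defaultdict(int)
    for dst_ip, nbytes in flow_records:
        totals[dst_ip] += nbytes
    return {ip: nbytes * 8 / window_seconds for ip, nbytes in totals.items()}


def detection_instructions(flow_records, window_seconds: float) -> dict:
    """Instruction the detection device would hand to the management center for
    every target address whose traffic crossed a threshold in this window."""
    instructions = {}
    for ip, rate in measure_rates(flow_records, window_seconds).items():
        instruction = classify_rate(rate)
        if instruction:
            instructions[ip] = instruction
    return instructions


class CleaningDevice:
    """Flow cleaning device state: announced traction routes and whether the
    local cleaning function is currently enabled."""

    def __init__(self, second_interface_ip: str, local_next_hop: str):
        self.second_interface_ip = second_interface_ip  # the "first IP address" for remote forwarding
        self.local_next_hop = local_next_hop            # assumption: next hop used for local cleaning
        self.local_cleaning_enabled = False
        self.traction_routes = {}                       # "<target>/32" -> next-hop IP

    def handle_instruction(self, target_ip: str, instruction: str) -> dict:
        """Apply a local or remote traction instruction and return the /32 route
        that would be advertised to the core router over the BGP session."""
        if instruction == "remote":
            self.local_cleaning_enabled = False   # free resources for tunnel forwarding
            next_hop = self.second_interface_ip
        elif instruction == "local":
            self.local_cleaning_enabled = True
            next_hop = self.local_next_hop
        else:
            raise ValueError(f"unknown instruction {instruction!r}")
        route = {"prefix": f"{target_ip}/32", "next_hop": next_hop}
        self.traction_routes[route["prefix"]] = next_hop
        return route


if __name__ == "__main__":
    # Constructed one-second window: 1.5 GB to .2 (12 Gbps), 200 MB to .3 (1.6 Gbps), 50 MB to .4 (0.4 Gbps)
    records = [("192.168.1.2", 1_500_000_000), ("192.168.1.3", 200_000_000), ("192.168.1.4", 50_000_000)]
    device = CleaningDevice("172.16.0.1", "10.1.1.1")
    for target, instruction in detection_instructions(records, 1.0).items():
        print(target, instruction, device.handle_instruction(target, instruction),
              "local cleaning:", device.local_cleaning_enabled)
```

One consequence the example makes visible: because the instruction for one target flips a device-wide flag, a remote instruction arriving after a local one turns local cleaning off for every target, which is the behaviour the text describes and something an operator would want to verify against their own deployment.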
Based on the same inventive concept, the application also provides a message processing method, which is applied to the high security center equipment, and when the high security center equipment implements the method, the method can be implemented according to the flow shown in fig. 3, and comprises the following steps:
S301, receiving a first tunnel message sent by flow cleaning equipment, wherein the first tunnel message is obtained by performing tunnel encapsulation on a first network message sent by a core router after the flow cleaning equipment receives a remote traction instruction;
in this step, the high protection center device receives a first tunnel message sent by the flow cleaning device based on a first tunnel established between the high protection center device and the flow cleaning device in advance, where the first tunnel message is a message to be cleaned, and the first tunnel message is obtained by performing tunnel encapsulation on a first network message sent by the core router after the flow cleaning device receives a remote traction instruction. The outer layer destination IP address of the first tunnel message is the tunnel IP address of the high security center device.
S302, analyzing the first network message from the first tunnel message, and cleaning the flow of the first network message.
In this step, after the high security center device receives the first tunnel message, the outer layer encapsulation of the first tunnel message may be stripped to strip out the first network message, and then the first network message may be subjected to flow cleaning.
It should be noted that, when the flow cleaning is performed on the first network packet, the flow cleaning policies of different user devices may be the same or different, and when the cleaning policies are different, the cleaning policies for processing the first network packet may be queried based on the packet information of the first network packet, and then the cleaning flow is performed on the cleaning policies.
By adopting the flow shown in fig. 3, the message to be cleaned is accurately sent to the high-protection center equipment, and further the timely detection and protection of the message are realized.
Optionally, based on the foregoing embodiment, the message processing method provided by the present application further includes: when the first network message has been traffic-cleaned and it is confirmed that the first network message is not abnormal, encapsulating the first network message into a second tunnel message according to a preset next-hop IP address, where the next-hop IP address is the tunnel IP address of the traffic cleaning device; and sending the second tunnel message to the traffic cleaning device.
Specifically, after the high-protection center device has cleaned the received message according to the cleaning protection policy, if the message is confirmed to be not abnormal it is reinjected to the traffic cleaning device. For this purpose the high-protection center device may pre-configure a reinjection route for the cleaned traffic, that is, the reinjection route is recorded in advance in the high-protection center device and its next-hop IP address is the tunnel IP address of the traffic cleaning device. Accordingly, when the high-protection center device performs traffic cleaning on the first network message and confirms that it is not abnormal, it queries the routing table, determines the next-hop IP address of the first network message (the tunnel IP address of the traffic cleaning device), and tunnel-encapsulates the first network message with that next-hop IP address to obtain a second tunnel message. The outer IP addresses of the second tunnel message are the tunnel IP addresses of the high-protection center device and the traffic cleaning device, and the inner IP addresses are the actual IP addresses of the first network message. The second tunnel message is then sent to the traffic cleaning device through a second, pre-configured tunnel. After the traffic cleaning device receives the second tunnel message, it decapsulates it to obtain the second network message and sends the second network message to the core router according to the next-hop IP address (the IP address of the core router) recorded in its local reinjection route, so that the core router delivers the second network message to its actual receiver. In this way cleaning and precise reinjection of the message are realized, and the message reaches its actual receiver.
Optionally, to better ensure isolation of the cleaning policies between different users, the high-protection center device may pre-configure a virtual routing and forwarding instance (Virtual Routing and Forwarding, VRF) for each user and record the traffic cleaning policies under the different VRFs, so that different users correspond to different traffic cleaning policies. In a concrete implementation, each user is configured with a unique VRF, and a physical interface for receiving or transmitting that user's messages is created for the user based on the VRF; similarly, a VRF is allocated per user on the traffic cleaning device side, and the traffic cleaning device correspondingly allocates a physical interface to the user for forwarding the user's messages, so that the traffic of different users is isolated.
It should be noted that the high-protection center device may be, but is not limited to, a network node dedicated to efficient security protection.
In order to better understand the message processing method provided by the application, the interaction diagram shown in fig. 4 is taken as an example, with the detection device detecting the traffic whose destination IP address is 192.168.1.254. Whether the traffic cleaning device cleans locally or remotely at the high-protection center device, the process by which the traffic cleaning device issues the traction route is the same; only the content of the issued traction route differs. Specifically, the traffic cleaning device receives either a local traction instruction (triggered when the detection device detects that the traffic to 192.168.1.254 is between 1 Gbps and 10 Gbps) or a remote traction instruction (triggered when the detection device detects that the traffic to 192.168.1.254 is not less than 10 Gbps). After receiving the local traction instruction, the traffic cleaning device sends a traction route to the core router; referring to fig. 4, the next-hop IP address for the target IP address 192.168.1.254 in the issued traction route is 10.1.1.1, that is, the IP address of the first interface of the traffic cleaning device. When the core router receives the traction route, it modifies the routing table entry corresponding to 192.168.1.254 so that its next-hop IP address becomes 10.1.1.1; therefore, whenever the core router subsequently receives a network message with destination IP address 192.168.1.254, it sends that message to the traffic cleaning device, which performs the cleaning function locally.
When the traffic cleaning device receives the remote traction instruction, it issues the traction route shown in fig. 4 to the core router, where the traction route carries the first IP address of the second interface, i.e. 11.1.1.1; the first IP address is the physical address of the second interface. In addition, so that the message can be sent successfully to the high-protection center device without modifying the CNAME, the traffic cleaning device pre-establishes a first tunnel between itself and the high-protection center device (for the traffic cleaning device, the first tunnel is a sending tunnel and is a GRE tunnel) for transmitting the messages to be cleaned; the tunnel may be established by any existing scheme. As also shown in fig. 4, the tunnel IP address of the first interface associated with the first tunnel is 12.1.1.1, the IP address of the interface on the high-protection center device side of the first tunnel is 15.1.1.1 and its tunnel IP address is 16.1.1.1; a route enabling the first interface is then recorded, whose next-hop IP address is the tunnel IP address of the high-protection center device, as shown in fig. 4. Meanwhile, the high-protection center device records and stores a reinjection route, namely 0.0.0.0/0 next-hop 14.1.1.1, in which the next-hop IP address is the address used for reinjecting the message to the traffic cleaning device, namely the tunnel IP address 14.1.1.1 of the traffic cleaning device.
In this way, when the traffic cleaning device receives the first network message sent by the core router, it encapsulates the first network message using the tunnel IP addresses of both ends of the first tunnel, and the resulting first tunnel message is sent to the core router, which forwards it to the high-protection center device. After the high-protection center device receives the first tunnel message, it parses the first network message out of it and performs traffic cleaning on the first network message. When the cleaning is finished and the message is confirmed to be not abnormal, the first network message is recorded as a second network message, which is encapsulated into a second tunnel message based on the reinjection route recorded by the high-protection center device and sent to the traffic cleaning device through the core router over a second tunnel (for the traffic cleaning device, the second tunnel is a receiving tunnel and is a pre-established GRE tunnel); the interface of the second tunnel on the traffic cleaning device is recorded as a third interface, corresponding to the tunnel address 14.1.1.1. The traffic cleaning device thus receives the second tunnel message through the third interface and unpacks the second network message from it. In order to forward the second network message to the core router successfully, the traffic cleaning device may pre-configure a reinjection route for the third interface whose next-hop IP address is the IP address of the core router, 13.1.1.2 (see fig. 4); by querying the reinjection route, the traffic cleaning device finds the next-hop IP address for the second network message and sends it to the core router.
Therefore, without modifying the CNAME, the method realizes cleaning and reinjection of the message by the high-protection center device.
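As an added illustration that is not part of the patent, the following Python model walks one diverted packet through the fig. 4 scenario: the traction instruction selects the next hop advertised to the core router, the cleaning device GRE-encapsulates the diverted packet toward the center's tunnel IP, the center strips it and reinjects it over the second tunnel to 14.1.1.1, and the cleaning device forwards it to the core router at 13.1.1.2. The addresses and roles are those the page gives for fig. 4; the plain IPv4 + GRE byte layout, the checksum check, and treating the 1 Gbps lower bound as inclusive are my assumptions.

```python
"""Constructed model of the fig. 4 diversion and GRE hand-off (not the patent's code)."""
import socket
import struct

IPPROTO_GRE = 47      # outer IP protocol number for GRE
ETH_P_IP = 0x0800     # GRE protocol type for an IPv4 payload

# Addresses quoted on the page for fig. 4.
TARGET_IP = "192.168.1.254"   # protected address whose traffic is diverted
CLEANER_IF1 = "10.1.1.1"      # cleaning device, first interface (local cleaning)
CLEANER_IF2 = "11.1.1.1"      # cleaning device, second interface (remote forwarding)
CLEANER_TUN_TX = "12.1.1.1"   # cleaning device tunnel IP on the first (sending) tunnel
CLEANER_TUN_RX = "14.1.1.1"   # cleaning device tunnel IP on the second (receiving) tunnel
CENTER_TUN = "16.1.1.1"       # high-protection center tunnel IP
CORE_ROUTER = "13.1.1.2"      # next hop of the cleaning device's reinjection route


def traction_instruction(gbps):
    """Detection-device thresholds quoted on the page; the 1 Gbps bound is assumed inclusive."""
    if gbps >= 10:
        return "remote"
    if gbps >= 1:
        return "local"
    return None


def traction_route(instruction):
    """Host route the cleaning device advertises to the core router for the target IP."""
    next_hop = {"local": CLEANER_IF1, "remote": CLEANER_IF2}[instruction]
    return {"prefix": TARGET_IP + "/32", "next-hop": next_hop}


def ip_checksum(hdr):
    """One's-complement checksum over a 20-byte IPv4 header (standard RFC 791 form)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); rejects options and bad checksums."""
    if len(pkt) < 20 or pkt[0] != 0x45:
        raise ValueError("not a plain IPv4 header")
    if ip_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[20:])


def gre_encap(inner, tun_src, tun_dst):
    """Outer IPv4 + 4-byte GRE header (no checksum/key/sequence) + inner packet."""
    gre_hdr = struct.pack("!HH", 0, ETH_P_IP)
    return build_ipv4(tun_src, tun_dst, IPPROTO_GRE, gre_hdr + inner)


def gre_decap(tunnel_pkt, expected_dst):
    """Strip the outer header; a tunnel endpoint only accepts GRE addressed to itself."""
    _, dst, proto, payload = parse_ipv4(tunnel_pkt)
    if dst != expected_dst or proto != IPPROTO_GRE or len(payload) < 4:
        raise ValueError("not a GRE packet for this tunnel endpoint")
    flags, ptype = struct.unpack("!HH", payload[:4])
    if flags != 0 or ptype != ETH_P_IP:
        raise ValueError("unsupported GRE header")
    return payload[4:]


def remote_scrub_round_trip(first_network_msg):
    """Walk one diverted packet: core router -> cleaner -> center -> cleaner -> core router.
    Returns (outer dst the center saw, reinjection next hop, reinjected packet)."""
    # Core router installs the traction route; traffic for the target now goes to 11.1.1.1.
    core_rib = {"0.0.0.0/0": "upstream"}
    route = traction_route("remote")
    core_rib[route["prefix"]] = route["next-hop"]
    if core_rib[TARGET_IP + "/32"] != CLEANER_IF2:
        raise RuntimeError("diversion route not installed")
    # Cleaning device: the second interface's preconfigured next hop is the center tunnel IP.
    first_tunnel_msg = gre_encap(first_network_msg, CLEANER_TUN_TX, CENTER_TUN)
    outer_dst = parse_ipv4(first_tunnel_msg)[1]
    # Center: strip, clean (the policy itself is out of scope here), reinject via 0.0.0.0/0.
    inner = gre_decap(first_tunnel_msg, CENTER_TUN)
    center_reinject = {"0.0.0.0/0": CLEANER_TUN_RX}
    second_tunnel_msg = gre_encap(inner, CENTER_TUN, center_reinject["0.0.0.0/0"])
    # Cleaning device: third interface receives, strips, forwards per its reinjection route.
    second_network_msg = gre_decap(second_tunnel_msg, CLEANER_TUN_RX)
    cleaner_reinject = {"0.0.0.0/0": CORE_ROUTER}
    return outer_dst, cleaner_reinject["0.0.0.0/0"], second_network_msg


if __name__ == "__main__":
    # Constructed sample: one UDP-like packet from an arbitrary source toward the target.
    attack_msg = build_ipv4("203.0.113.7", TARGET_IP, 17, b"constructed payload")
    print(traction_instruction(12), remote_scrub_round_trip(attack_msg)[:2])
```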
Based on the same inventive concept, the application also provides a message processing apparatus corresponding to the message processing method implemented by the traffic cleaning device. For the implementation of the message processing apparatus, reference may be made to the description of the message processing method implemented by the traffic cleaning device, which is not repeated here.
Referring to fig. 5, fig. 5 is a schematic diagram of a message processing apparatus according to an exemplary embodiment of the present application, which is disposed in a traffic cleaning device and includes:
a control module 501, configured to receive a remote traction instruction for a target IP address;
a first sending module 502, configured to issue, after the control module 501 receives the remote traction instruction for the target IP address, a traction route to a core router through a first interface, where the traction route includes a first IP address of a second interface of the traffic cleaning device that is used to remotely forward messages;
a first receiving module 503, configured to receive, through the first interface, a first network message sent by the core router, where the destination IP address of the first network message is the first IP address;
an encapsulation module 504, configured to tunnel-encapsulate the first network message according to a preconfigured next-hop IP address of the second interface, so as to obtain a first tunnel message, where the destination IP address of the first tunnel message is the next-hop IP address, and the next-hop IP address is the tunnel IP address of the high-protection center device;
a second sending module 505, configured to send the first tunnel message to the high-protection center device through a first tunnel corresponding to the second interface, so that the high-protection center device parses the first network message out of the first tunnel message and performs traffic cleaning on the first network message.
Optionally, the message processing apparatus provided in this embodiment further includes:
a second receiving module (not shown in the figure), configured to receive, through a pre-established second tunnel corresponding to a third interface, a second tunnel message sent by the high-protection center device, where the second tunnel message carries a second network message found to be not abnormal after traffic cleaning;
a parsing module (not shown in the figure), configured to parse the second network message out of the second tunnel message;
and a third sending module (not shown in the figure), configured to send the second network message, according to the preset next-hop IP address in the reinjection route, to the core router corresponding to that next-hop IP address.
Optionally, the message processing apparatus provided in this embodiment further includes:
a closing module (not shown in the figure), configured to close the traffic cleaning function of the traffic cleaning device after the remote traction instruction for the target IP address is received;
and a starting module (not shown in the figure), configured to start the traffic cleaning function of the traffic cleaning device when a local traction instruction is received.
Optionally, the remote traction instruction is sent by the detection device when it detects that the traffic corresponding to the target IP address reaches a set traffic volume.
In order to better understand the message processing method provided by the present application, the description is made with reference to the message processing architecture diagram shown in fig. 6. It should be noted that the first sending module, the first receiving module and the second sending module of fig. 5 may be disposed in the forwarding module shown in fig. 6, and that not all modules of fig. 5 are shown in fig. 6; fig. 6 is merely an example and does not limit the structure of the message processing apparatus. On this basis, after receiving a remote traction instruction sent by the detection device, the control module generates a traction route locally and sends it to the first sending module in the forwarding module, so that the first sending module sends the traction route to the core router through the first interface. The first receiving module of the forwarding module then receives the first network message sent by the core router through the first interface and forwards it to the encapsulation module; the encapsulation module tunnel-encapsulates the first network message according to the preconfigured next-hop IP address of the second interface to obtain a first tunnel message and passes it to the second sending module in the forwarding module, which sends the first tunnel message to the high-protection center device through the first tunnel, so that the high-protection center device parses the first network message out of the first tunnel message and performs traffic cleaning on it.
After the high-protection center device has cleaned the traffic, it sends a second tunnel message to the traffic cleaning device, so that the second receiving module in the forwarding module receives the second tunnel message and forwards it to the parsing module. After the parsing module parses the second network message out of the second tunnel message, it sends the second network message to the third sending module in the forwarding module, and the third sending module sends the second network message, according to the preset next-hop IP address in the reinjection route, to the core router corresponding to that next-hop IP address. Thus cleaning and reinjection of the message by the high-protection center device are completed.
In addition, the traffic cleaning device also has a local protection function. Referring to fig. 7, the general processing logic is that the traffic cleaning device receives a local traction instruction sent by the detection device, and the control module in the traffic cleaning device sends a local traction route to the core router based on that instruction, so that the core router pulls subsequent traffic for the target IP address into the traffic cleaning device. The protection module of the traffic cleaning device in fig. 7 then receives the diverted traffic (the traffic corresponding to the target IP address) sent by the core router and performs traffic cleaning on it; after cleaning, if the diverted traffic is confirmed to be normal, it is passed to the forwarding module, which reinjects the cleaned traffic to the core router, and the core router delivers it to the actual receiver of the traffic.
Based on the same inventive concept, the application also provides a message processing apparatus corresponding to the message processing method implemented by the high-protection center device. For the implementation of the message processing apparatus, reference may be made to the above description of the message processing method implemented by the high-protection center device, which is not repeated here.
Referring to fig. 8, fig. 8 is a message processing apparatus provided in an exemplary embodiment of the present application, which is disposed in a high-protection center device and includes:
a receiving module 801, configured to receive a first tunnel message sent by the traffic cleaning device, where the first tunnel message is obtained by tunnel-encapsulating a first network message sent by the core router after the traffic cleaning device receives a remote traction instruction;
a traffic cleaning module 802, configured to parse the first network message out of the first tunnel message and perform traffic cleaning on the first network message.
Optionally, the message processing apparatus provided in this embodiment further includes:
an encapsulation module (not shown in the figure), configured to encapsulate the first network message into a second tunnel message according to a preset next-hop IP address when the first network message has been traffic-cleaned and is confirmed to be not abnormal, where the next-hop IP address is the tunnel IP address of the traffic cleaning device;
and a sending module (not shown in the figure), configured to send the second tunnel message to the traffic cleaning device.
Based on the same inventive concept, the embodiments of the present application provide an electronic device, which may be, but is not limited to, the above-described traffic cleaning device or high-protection center device. As shown in fig. 9, the electronic device includes a processor 901 and a machine-readable storage medium 902, the machine-readable storage medium 902 storing a computer program executable by the processor 901, the computer program causing the processor 901 to perform the message processing method provided by any one of the embodiments of the present application. The electronic device further comprises a communication interface 903 and a communication bus 904, where the processor 901, the communication interface 903 and the machine-readable storage medium 902 communicate with each other via the communication bus 904.
The communication bus of the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration only one thick line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include random access memory (RAM), DDR SDRAM (double data rate synchronous dynamic random access memory), or non-volatile memory (NVM) such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; but also digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components.
In addition, the embodiment of the application provides a machine-readable storage medium, and the machine-readable storage medium stores a computer program which, when being called and executed by a processor, causes the processor to execute the message processing method provided by the embodiment of the application.
For the electronic device and the machine-readable storage medium embodiments, the description is relatively simple, and reference should be made to the description of the method embodiments for relevant points, since the method content involved is substantially similar to that of the method embodiments described above.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The implementation of the functions and roles of each unit/module in the above apparatus is described in the implementation of the corresponding steps in the above method, and is not repeated here.
For the apparatus embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are merely illustrative: the units/modules described as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules, i.e. they may be located in one place or distributed over a plurality of network units/modules. Some or all of the units/modules may be selected according to actual needs to achieve the purposes of the present solution. Those of ordinary skill in the art can understand and implement the present application without creative effort.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather to enable any modification, equivalent replacement, improvement or the like to be made within the spirit and principles of the application.

Claims (11)

1. A message processing method, characterized in that it is applied to a traffic cleaning device and comprises the following steps:
after a remote traction instruction for a target IP address is received, issuing a traction route to a core router through a first interface, wherein the traction route comprises a first IP address of a second interface of the traffic cleaning device that is used for remotely forwarding messages;
receiving a first network message sent by the core router through the first interface, wherein the destination IP address of the first network message is the first IP address;
tunnel-encapsulating the first network message according to a preconfigured next-hop IP address of the second interface to obtain a first tunnel message, wherein the destination IP address of the first tunnel message is the next-hop IP address, and the next-hop IP address is a tunnel IP address of a high-protection center device;
and sending the first tunnel message to the high-protection center device through a pre-established first tunnel corresponding to the second interface, so that the high-protection center device parses the first network message out of the first tunnel message and performs traffic cleaning on the first network message.
2. The method as recited in claim 1, further comprising:
receiving a second tunnel message sent by the high-protection center device through a second tunnel corresponding to a pre-established third interface, wherein the second tunnel message carries a second network message found to be not abnormal after traffic cleaning;
parsing the second network message out of the second tunnel message;
and sending the second network message, according to a preset next-hop IP address in a reinjection route, to the core router corresponding to that next-hop IP address.
3. The method as recited in claim 1, further comprising:
after receiving a remote traction instruction of a target IP address, closing a local flow cleaning function of the flow cleaning equipment;
and when a local traction instruction is received, starting a local flow cleaning function of the flow cleaning equipment.
4. The method of claim 1, wherein the remote traction instruction is sent by the detection device when detecting that the traffic corresponding to the target IP address reaches a set traffic.
5. A message processing method, characterized in that it is applied to a high-protection center device and comprises the following steps:
receiving a first tunnel message sent by a traffic cleaning device, wherein the first tunnel message is obtained by tunnel-encapsulating a first network message sent by a core router after the traffic cleaning device receives a remote traction instruction;
and parsing the first network message out of the first tunnel message, and performing traffic cleaning on the first network message.
6. The method as recited in claim 5, further comprising:
when the first network message is subjected to flow cleaning and no abnormality of the first network message is confirmed, the first network message is packaged into a second tunnel message according to a preset next-hop IP address, wherein the next-hop IP address is the tunnel IP address of flow cleaning equipment;
and sending the second tunnel message to the flow cleaning equipment.
7. A message processing apparatus, disposed in a traffic cleaning device, the apparatus comprising:
a control module, configured to receive a remote traction instruction for a target IP address;
a first sending module, configured to issue a traction route to a core router through a first interface after the control module receives the remote traction instruction for the target IP address, wherein the traction route comprises a first IP address of a second interface of the traffic cleaning device that is used for remotely forwarding messages;
a first receiving module, configured to receive a first network message sent by the core router through the first interface, wherein the destination IP address of the first network message is the first IP address;
an encapsulation module, configured to tunnel-encapsulate the first network message according to a preconfigured next-hop IP address of the second interface to obtain a first tunnel message, wherein the destination IP address of the first tunnel message is the next-hop IP address, and the next-hop IP address is a tunnel IP address of a high-protection center device;
and a second sending module, configured to send the first tunnel message to the high-protection center device through a first tunnel corresponding to the second interface, so that the high-protection center device parses the first network message out of the first tunnel message and performs traffic cleaning on the first network message.
8. The apparatus as recited in claim 7, further comprising:
the second receiving module is used for receiving a second tunnel message sent by the high-security center equipment through a second tunnel corresponding to a pre-established third interface, wherein the second tunnel message carries a second network message without abnormality after flow cleaning;
the analysis module is used for analyzing the second network message from the second tunnel message;
and the third sending module is used for sending the second network message to a core router corresponding to the next hop IP address in the reinjection route according to the preset next hop IP address in the reinjection route.
9. The apparatus as recited in claim 7, further comprising:
the closing module is used for closing the local flow cleaning function of the flow cleaning equipment after receiving the remote traction instruction of the target IP address;
and the starting module is used for starting the local flow cleaning function of the flow cleaning equipment when receiving the local traction instruction.
10. A message processing apparatus, disposed in a high security center device, the apparatus comprising:
the receiving module is used for receiving a first tunnel message sent by the flow cleaning equipment, wherein the first tunnel message is obtained by carrying out tunnel encapsulation on a first network message sent by the core router after the flow cleaning equipment receives a remote traction instruction;
and the flow cleaning module is used for analyzing the first network message from the first tunnel message and cleaning the flow of the first network message.
11. The apparatus as recited in claim 10, further comprising:
an encapsulation module, configured to encapsulate the first network message into a second tunnel message according to a preset next-hop IP address when the first network message has been traffic-cleaned and is confirmed to be not abnormal, wherein the next-hop IP address is a tunnel IP address of the traffic cleaning device;
and a sending module, configured to send the second tunnel message to the traffic cleaning device.
CN202111090839.5A 2021-09-17 2021-09-17 Message processing method and device Active CN113992347B (en)
Publications (2)

Publication Number Publication Date
CN113992347A CN113992347A (en) 2022-01-28
CN113992347B true CN113992347B (en) 2023-09-19

Family

ID=79735985

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111090839.5A Active CN113992347B (en) 2021-09-17 2021-09-17 Message processing method and device

Country Status (1)

Country Link
CN (1) CN113992347B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107995324A (en) * 2017-12-04 2018-05-04 北京奇安信科技有限公司 A kind of cloud means of defence and device based on tunnel mode
CN111294365A (en) * 2020-05-12 2020-06-16 腾讯科技(深圳)有限公司 Attack flow protection system, method and device, electronic equipment and storage medium
CN111355649A (en) * 2018-12-20 2020-06-30 阿里巴巴集团控股有限公司 Flow reinjection method, device and system
CN112532621A (en) * 2020-11-26 2021-03-19 杭州迪普科技股份有限公司 Flow cleaning method and device, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9888028B2 (en) * 2013-05-03 2018-02-06 Centurylink Intellectual Property Llc Combination of remote triggered source and destination blackhole filtering

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107995324A (en) * 2017-12-04 2018-05-04 北京奇安信科技有限公司 Cloud protection method and device based on tunnel mode
CN111355649A (en) * 2018-12-20 2020-06-30 阿里巴巴集团控股有限公司 Flow reinjection method, device and system
CN111294365A (en) * 2020-05-12 2020-06-16 腾讯科技(深圳)有限公司 Attack flow protection system, method and device, electronic equipment and storage medium
CN112532621A (en) * 2020-11-26 2021-03-19 杭州迪普科技股份有限公司 Flow cleaning method and device, electronic equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Analysis of solutions for distributed defence against DDoS attacks; 程作品; 科协论坛 (second half of month), Issue 05; full text *
Research on prevention and control techniques for P2P-based botnets; 聂利颖; 高静; 现代电子技术, Issue 11; full text *

Also Published As

Publication number Publication date
CN113992347A (en) 2022-01-28

Similar Documents

Publication Publication Date Title
US10148573B2 (en) Packet processing method, node, and system
US10191758B2 (en) Directing data traffic between intra-server virtual machines
US10708146B2 (en) Data driven intent based networking approach using a light weight distributed SDN controller for delivering intelligent consumer experience
EP3846406A1 (en) Dynamic security actions for network tunnels against spoofing
EP3449600B1 (en) A data driven intent based networking approach using a light weight distributed SDN controller for delivering intelligent consumer experiences
US8509243B2 (en) Method and device for sending a packet based on tunneling protocol used in layer 2
US9674142B2 (en) Monitoring network traffic
US20120063450A1 (en) Data Path Processing Information included in the Pseudowire Layer of Packets
CN106341423B (en) Message processing method and device
CN113452594B (en) Inner layer message matching method and device of tunnel message
US10263901B2 (en) Service packet processing method, apparatus, and system
US20210258251A1 (en) Method for Multi-Segment Flow Specifications
CN105637819A (en) Methods and systems for transmitting broadcast data
CN107241294B (en) Network flow processing method and device, cleaning equipment and network equipment
CN111147519A (en) Data detection method, device, electronic equipment and medium
CN112165460A (en) Flow detection method and device, computer equipment and storage medium
US20230097734A1 (en) Wire-speed routing and policy enforcement without DPI or decryption
CN107690004A (en) Method and device for processing Address Resolution Protocol messages
CN113992347B (en) Message processing method and device
CN105850091B (en) Method, border network device and IP server for providing a connection between a communication service provider and an IP server that provides a service
WO2022001937A1 (en) Service transmission method and apparatus, network device, and storage medium
CN111654474B (en) Safety detection method and device
US20180234334A1 (en) Redirecting flow control packets
EP4333382A1 (en) Packet transmission method, apparatus and system, network device, and storage medium
WO2023185502A1 (en) Traffic reinjection method and protection system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant