
CN111800343A - A speed limiting method and device suitable for industrial control Internet - Google Patents


Info

Publication number
CN111800343A
Authority
CN (China)
Prior art keywords
industrial control
speed
port
destination
token bucket
Legal status
Pending
Application number
CN202010641005.8A
Other languages
Chinese (zh)
Inventor
吴迪
辛国栋
王佰玲
王巍
刘扬
王凯
Current Assignee
Weihai Tianzhiwei Network Space Safety Technology Co ltd
Harbin Institute of Technology Weihai
Original Assignee
Weihai Tianzhiwei Network Space Safety Technology Co ltd
Harbin Institute of Technology Weihai
Application filed by Weihai Tianzhiwei Network Space Safety Technology Co ltd and Harbin Institute of Technology Weihai
Priority to CN202010641005.8A
Publication of CN111800343A

Classifications

    • H04L47/215 Flow control; Congestion control using token-bucket (H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L47/00 Traffic control in data switching networks; H04L47/10 Flow control; Congestion control)
    • H04L45/74 Address processing for routing (H04L45/00 Routing or path finding of packets in data switching networks)
    • H04L47/2433 Allocation of priorities to traffic types (H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS; H04L47/2425 Traffic characterised by specific attributes for supporting services specification, e.g. SLA)
    • H04L47/25 Flow control; Congestion control with rate being modified by the source upon detecting a change of network conditions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a rate-limiting method and device for industrial control networks, in the technical field of network rate limiting. The method improves the classic token bucket algorithm: a threshold is set to handle burst traffic; if the bucket holds no tokens for a period of time, tokens from the threshold are consumed and the rate-limit level is raised by one; when the level reaches the highest level, traffic is blocked; when tokens remain in the bucket again, the level is lowered. This relieves the token bucket algorithm's weakness in handling sudden traffic surges. The invention does not rate-limit industrial control (ICS) traffic, only non-ICS traffic, which suits the security protection of industrial control networks; it can also automatically move protocols up and down the parsing order as appropriate, minimizing the delay the device adds to industrial control protocols.

Description

A rate-limiting method and device for industrial control networks

Technical field

The invention relates to a rate-limiting method and device for industrial control networks (工控互联网), and belongs to the technical field of network rate limiting.

Background

With the continuing development of computer networks, the Internet has not only reached every household but has also made production more intelligent and convenient. For industrial control networks, however, the timeliness, accuracy and speed of industrial control (ICS) protocols are especially important, while current rate-limiting methods and devices limit all traffic alike. This seriously hurts the timeliness, accuracy and speed of the industrial control network and makes such methods unsuitable for it. How to guarantee fast and stable transmission of ICS protocols while rate-limiting only non-ICS traffic is an urgent problem for industrial control networks.

The classic token bucket algorithm is used to rate-limit non-ICS traffic. The algorithm presets a token bucket of fixed size into which tokens are generated continuously at fixed intervals; every packet that passes takes the corresponding number of tokens out of the bucket, and if the bucket holds fewer tokens than the packet needs, the packet is not allowed through. The classic token bucket algorithm, however, cannot handle a sudden surge in traffic.

Summary of the invention

To address the deficiencies of the prior art, the invention provides a rate-limiting method and device for industrial control networks. It improves the classic token bucket algorithm, does not rate-limit ICS traffic, rate-limits only non-ICS traffic, suits the security protection of industrial control networks, and can automatically move protocols up and down the parsing order as appropriate, minimizing the delay the device adds to ICS protocols.

The invention adopts the following technical scheme:

A rate-limiting method for industrial control networks, comprising the following steps:

(1) Initialize the ICS protocol parsers and determine whether the packet is an ICS protocol. If it is, skip it (no rate limit). If it is not, further check its destination IP and port to decide whether the packet meets a rate-limit condition.

(2) If a rule exists for the packet's destination IP and port, further check whether there is also a rule carrying a source IP; if both exist, the rule with destination IP, port and source IP takes precedence.

(3) Decide whether to forward according to the improved token bucket algorithm: compare the number of tokens with the packet size. If the bucket has no tokens, decide by the rate-limit level: if the level has not yet reached the highest level, consume the threshold tokens, raise the level by one and forward the packet. If the bucket still has tokens, forward the packet and lower the level by one.

(4) When the rate-limit level reaches the highest level, do not forward the packet.

There are three rate-limit levels: pass (放行), alarm (告警) and block (阻断). The level is initialized to pass. When the bucket has no tokens left and the level is pass, tokens equal to 20% of the bucket capacity are added and the level is raised to alarm. When the level is alarm and the packet to be forwarded needs more tokens than remain, the level is raised to block, and all non-ICS traffic is dropped (not forwarded).

When new tokens are added to the bucket: if the level is block, only 80% of the bucket's tokens are added and the level is set back to pass; if the level is alarm, the spent portion of the 20% top-up is computed from the remaining tokens, an equal amount is removed from the tokens being added, and the level is set back to pass.
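The level transitions of steps (3) and (4) together with the refill rules above, as an added example in Python that is not the patent's code. Points the text leaves open are treated as assumptions here and marked in comments: tokens are bytes, the threshold is 20% of capacity, `refill()` is called once per token-generation interval with the new token count, the refill after a block is capped at 80% of capacity, and a packet that even the threshold top-up cannot cover is handled like an alarm-level shortfall (escalate to block and drop). `BurstTokenBucket`, `admit`, `refill` and `trace` are this example's own names.

```python
"""Improved token bucket with a burst threshold and three rate-limit levels.

Added example (not the patent's code). Assumptions: tokens are bytes; the
threshold is 20% of capacity; refill() is called once per token-generation
interval; after a block the refill is capped at 80% of capacity; a packet the
threshold top-up still cannot cover escalates to BLOCK and is dropped.
"""
from enum import IntEnum


class Level(IntEnum):
    PASS = 0   # 放行: normal forwarding
    ALARM = 1  # 告警: the 20% threshold has been borrowed
    BLOCK = 2  # 阻断: all non-ICS traffic dropped


class BurstTokenBucket:
    def __init__(self, capacity: int, threshold_ratio: float = 0.20) -> None:
        self.capacity = capacity
        self.threshold = int(capacity * threshold_ratio)
        self.tokens = capacity
        self.level = Level.PASS

    def admit(self, size: int) -> bool:
        """Return True if a non-ICS packet of `size` bytes is forwarded."""
        if self.level == Level.BLOCK:
            return False                          # step (4): highest level, drop
        if self.tokens >= size:
            self.tokens -= size                   # normal case: spend tokens
            if self.level > Level.PASS:           # tokens remain again: step down
                self.level = Level(self.level - 1)
            return True
        if self.level == Level.PASS:
            # Bucket empty at PASS: pour the 20% threshold in, raise to ALARM,
            # then try to forward from the borrowed tokens.
            self.tokens += self.threshold
            self.level = Level.ALARM
            if self.tokens >= size:
                self.tokens -= size
                return True
        # ALARM and still short (or the threshold did not cover the packet,
        # an assumption): escalate to BLOCK and drop.
        self.level = Level.BLOCK
        return False

    def refill(self, new_tokens: int) -> int:
        """Periodic token generation. Returns the number of tokens actually added."""
        if self.level == Level.BLOCK:
            add = min(new_tokens, int(self.capacity * 0.80))  # only 80% after a block (assumed cap)
        elif self.level == Level.ALARM:
            used = max(0, self.threshold - self.tokens)        # spent part of the 20% top-up
            add = max(0, new_tokens - used)                    # pay it back from the new tokens
        else:
            add = new_tokens
        self.tokens = min(self.capacity, self.tokens + add)
        self.level = Level.PASS
        return add


def trace(bucket: BurstTokenBucket, sizes: list) -> list:
    """Run a burst through the bucket; return (size, forwarded, level) per packet."""
    return [(s, bucket.admit(s), bucket.level.name) for s in sizes]


if __name__ == "__main__":
    b = BurstTokenBucket(capacity=1000)
    # Constructed burst: 1260 bytes offered against a 1000-byte bucket in one interval.
    for row in trace(b, [600, 500, 150, 10]):
        print(row)
    print("refill added", b.refill(1000), "tokens; level now", b.level.name)
```

With a 1000-byte bucket, the burst 600, 500, 150, 10 forwards the first two packets (the second by borrowing the threshold and entering alarm), then the third packet finds 100 tokens against 150 needed and trips block; the next refill adds only 800 tokens and returns the bucket to pass.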

Preferably, after a packet has been forwarded at Layer 2, step (1) determines whether it is an ICS protocol and fine-tunes the weight of that protocol type; ICS protocols with no recorded passes are not parsed, and the ICS protocol with the most passes is checked first.

Preferably, in the ICS protocol check of step (1), each ICS packet that passes is first parsed to identify its protocol type, the protocol's weight is recorded, and the priority of the ICS protocol check is adjusted accordingly, changing the parsing order; ICS protocols that are not recorded are not rate-limited.

The ICS protocol parser is an integrated packet-capture and reassembly framework for computing network traffic. It captures and reassembles packets automatically and, based on packet content, hands them to the parsing entry point of the corresponding layer of the network stack: network layer, transport layer, application layer, and so on. The ICS protocol type can be determined from the network layer the message belongs to together with key fields in the message.

The ICS protocol types that can be parsed include s7, s7plus, modbus, iec104, dnp3, opc and ams. Only 7 plug-ins are currently mounted, but this can be extended to 25, giving good scalability.

The ICS protocol parsing order is initialized to: s7, s7plus, modbus, iec104, ams, dnp3 and opc, stored in an ordered list. If, say, an opc packet arrives, the weight of opc is increased by 1 and compared with the neighbouring nodes to the left and right, moving until a suitable position is found. Every ten minutes the weights are written to a configuration file so that after a restart the device runs with the previous weights.

In the invention, each time an ICS packet passes, the device identifies its protocol type, which affects the protocol's weight and in turn adjusts the priority of the ICS protocol check. ICS protocols with no recorded passes are not checked, minimizing the time cost the device adds to ICS protocol transmission and maximizing the accuracy and efficiency of that transmission.
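The weight-ordered parser list described above, as an added example in Python that is not the patent's code. The detectors are simplified byte-signature heuristics written for this example (they look at a few well-known header bytes of each protocol and are not full parsers), the sample frames are constructed rather than captured, and `ParserOrder`, `record_hit`, `classify` and the config round trip are this example's own names; since weights only ever grow, a hit only needs to move the entry leftward past lighter neighbours.

```python
"""Self-adjusting ICS protocol parsing order with persisted weights.

Added example, not the patent's code. DETECTORS are simplified signatures
written for this example; SAMPLES are constructed frames.
"""
import json
from typing import Callable, Dict, List, Optional

INITIAL_ORDER = ["s7", "s7plus", "modbus", "iec104", "ams", "dnp3", "opc"]


def _tpkt_cotp(data: bytes, proto_id: int) -> bool:
    # TPKT version 3, COTP data TPDU (0xF0), then the S7-family protocol id byte.
    return len(data) > 7 and data[0] == 0x03 and data[5] == 0xF0 and data[7] == proto_id


# One simplified signature per plug-in (assumption: enough to tell the samples apart).
DETECTORS: Dict[str, Callable[[bytes], bool]] = {
    "s7":     lambda d: _tpkt_cotp(d, 0x32),                              # S7comm id 0x32
    "s7plus": lambda d: _tpkt_cotp(d, 0x72),                              # S7comm-plus id 0x72
    "modbus": lambda d: len(d) >= 8 and d[2:4] == b"\x00\x00"             # MBAP protocol id 0
                        and int.from_bytes(d[4:6], "big") == len(d) - 6,  # and length field
    "iec104": lambda d: len(d) >= 6 and d[0] == 0x68 and d[1] == len(d) - 2,  # APCI start + length
    "ams":    lambda d: len(d) >= 6 and d[0:2] == b"\x00\x00"             # AMS/TCP reserved 0
                        and int.from_bytes(d[2:6], "little") == len(d) - 6,   # and LE length
    "dnp3":   lambda d: d[:2] == b"\x05\x64",                              # DNP3 link-layer start
    "opc":    lambda d: d[:3] in (b"HEL", b"ACK", b"OPN", b"MSG"),         # OPC UA TCP types
}


class ParserOrder:
    """Ordered list of [protocol, weight]; a hit bubbles the protocol toward the front."""

    def __init__(self, names: List[str] = INITIAL_ORDER) -> None:
        self.entries: List[List] = [[n, 0] for n in names]

    def order(self) -> List[str]:
        return [name for name, _ in self.entries]

    def record_hit(self, name: str) -> int:
        """Add 1 to the protocol's weight, move it left past lighter neighbours, return its new index."""
        i = self.order().index(name)
        self.entries[i][1] += 1
        while i > 0 and self.entries[i][1] > self.entries[i - 1][1]:
            self.entries[i], self.entries[i - 1] = self.entries[i - 1], self.entries[i]
            i -= 1
        return i

    def classify(self, data: bytes) -> Optional[str]:
        """Try the parsers in the current order; an ICS hit is recorded, non-ICS returns None."""
        for name, _ in list(self.entries):
            if DETECTORS[name](data):
                self.record_hit(name)
                return name
        return None

    def to_config(self) -> str:
        """The snapshot the device would write to its config file every ten minutes."""
        return json.dumps(self.entries)

    @classmethod
    def from_config(cls, text: str) -> "ParserOrder":
        po = cls([])
        po.entries = [[n, int(w)] for n, w in json.loads(text)]
        return po


# Constructed sample frames (not captures).
SAMPLES = {
    "modbus": b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",        # read 10 holding registers
    "iec104": b"\x68\x04\x07\x00\x00\x00",                                # U-frame STARTDT act
    "dnp3":   b"\x05\x64\x05\xc0\x01\x00\x00\x04\xe9\x21",                # link-layer header
    "s7":     b"\x03\x00\x00\x19\x02\xf0\x80\x32\x01\x00\x00\x00\x00\x00\x08"
              b"\x00\x00\xf0\x00\x00\x01\x00\x01\x01\xe0",                # S7 setup communication
    "http":   b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n",                     # non-ICS, goes to rate limiting
}

if __name__ == "__main__":
    po = ParserOrder()
    for name, frame in SAMPLES.items():
        print(name, "->", po.classify(frame), "order now", po.order())
    print(po.to_config())
```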

Preferably, for each non-ICS packet that passes, the destination IP and port are used to determine whether it needs rate limiting; both regional rate limiting across the network and all-port rate limiting of a single device are supported. Once the packet's destination IP and port are found to belong to a rate-limit queue, it is further checked whether a source IP rule exists, so that the packet can be rate-limited more precisely. If there is no rate-limit queue for the source IP, the required tokens are deducted from the token bucket according to the destination IP and port rule; if the bucket does not hold enough tokens, the packet is not forwarded at Layer 2, which produces the rate-limiting effect.

If a rate-limit queue for the source IP exists, the required tokens are deducted from the token bucket according to the destination IP, port and source IP; if the bucket does not hold enough tokens, the packet is not forwarded at Layer 2, producing the rate-limiting effect.

Further preferably, the process of deciding whether a packet belongs to a rate-limit queue is as follows.

Assume two devices A and B with IPs A (192.168.0.10) and B (192.168.0.20), connected through the device of the invention.

At this point the device holds six rate-limit rules:

1. dest: 192.168.0.20  dport: *  speed: 20 kb/s
   (any non-ICS traffic to B is limited to 20 kb/s)

2. dest: 192.168.0.20  dport: 60  speed: 50 kb/s
   (any non-ICS traffic to port 60 of B is limited to 50 kb/s)

3. dest: 192.168.0.20  dport: *  source: 192.168.0.10  sport: *  speed: 30 kb/s
   (any non-ICS traffic from A to B is limited to 30 kb/s)

4. dest: 192.168.0.20  dport: *  source: 192.168.0.10  sport: 30  speed: 40 kb/s
   (any non-ICS traffic from port 30 of A to B is limited to 40 kb/s)

5. dest: 192.168.0.20  dport: 60  source: 192.168.0.10  sport: *  speed: 60 kb/s
   (any non-ICS traffic from A to port 60 of B is limited to 60 kb/s)

6. dest: 192.168.0.20  dport: 60  source: 192.168.0.10  sport: 30  speed: 70 kb/s
   (any non-ICS traffic from port 30 of A to port 60 of B is limited to 70 kb/s)

① A non-ICS packet is sent from port 10000 of A to port 20000 of B:

The device first checks whether the rate-limit queue has a rule for the destination IP; clearly the destination IP of rules 1 to 6 is 192.168.0.20.

It then checks the destination port. Among the rules with destination IP 192.168.0.20, the destination ports are 20, 30, 60 and *; 20, 30 and 60 do not match, while * means all ports and matches port 20000. As Figure 7 shows, however, destination port * carries both a rule list and a rule of its own. Walking that rule list finds that the source IP matches 192.168.0.10 and the source port matches the source port * of the detailed branch, so this packet satisfies rules 1 and 3 at the same time. Rule 3 is more specific than rule 1, so rule 1 is discarded and the packet is rate-limited by rule 3.

② Next, another non-ICS packet is sent from port 10000 of A to port 60 of B:

The device again first checks whether the rate-limit queue contains a rule with destination IP 192.168.0.20.

It then checks the port number and finds that both destination port 60 and port * may have matching rules.

The device sets the rule list of port * aside and checks the rule list of destination port 60 first.

Among the rules for destination port 60, rules 2 and 5 match, and rule 5 is more specific than rule 2, so the packet is rate-limited by rule 5.

③ A packet that satisfies all six rules at once:

A non-ICS packet is sent from port 30 of A to port 60 of B and satisfies all six rules. The most specific rule is rule 6, so the packet is rate-limited by rule 6.

The rule priority of the invention is summarized as follows:

1. A rule with a source IP outweighs a rule without one.

2. An explicit port number outweighs the * port.

3. Where rules 4 and 5 of the six rules above both match, rule 5, with its explicit destination port, is matched first.

Rule priority can also be divided into six cases, from lowest to highest:

a. destination IP + any destination port;

b. destination IP + destination port;

c. destination IP + any destination port + source IP + any source port;

d. destination IP + any destination port + source IP + source port;

e. destination IP + destination port + source IP + any source port;

f. destination IP + destination port + source IP + source port.
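The rule selection of the worked packets ① to ③ and the six priority cases a to f, as an added example in Python that is not the patent's code. The six cases collapse into one specificity key (has source IP, explicit destination port, explicit source port) whose lexicographic order is exactly a < b < c < d < e < f, so the most specific matching rule is simply the maximum of that key over all matching rules. `Rule`, `select_rule` and `limit_for` are this example's own names; the six rules are the ones listed above.

```python
"""Most-specific-rule selection for destination/source rate-limit queues.

Added example, not the patent's code. The specificity key encodes cases a-f
from the description; the rule set is the six rules given there.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"


@dataclass(frozen=True)
class Rule:
    rid: int
    dest: str
    dport: str                   # port number as text, or "*" for any port
    speed_kbps: int
    source: Optional[str] = None  # None: rule carries no source IP
    sport: str = ANY

    def matches(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        if self.dest != dst_ip:
            return False
        if self.dport != ANY and int(self.dport) != dst_port:
            return False
        if self.source is not None:
            if self.source != src_ip:
                return False
            if self.sport != ANY and int(self.sport) != src_port:
                return False
        return True

    def specificity(self) -> Tuple[bool, bool, bool]:
        # (has source IP, explicit dport, explicit sport) orders cases a < b < c < d < e < f.
        return (self.source is not None, self.dport != ANY, self.sport != ANY)


def select_rule(rules: List[Rule], src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Rule]:
    """Return the most specific matching rule, or None when the packet is not rate-limited."""
    hits = [r for r in rules if r.matches(src_ip, src_port, dst_ip, dst_port)]
    if not hits:
        return None
    return max(hits, key=Rule.specificity)


A, B = "192.168.0.10", "192.168.0.20"

# The six rules from the description.
RULES = [
    Rule(1, B, ANY, 20),
    Rule(2, B, "60", 50),
    Rule(3, B, ANY, 30, source=A, sport=ANY),
    Rule(4, B, ANY, 40, source=A, sport="30"),
    Rule(5, B, "60", 60, source=A, sport=ANY),
    Rule(6, B, "60", 70, source=A, sport="30"),
]


def limit_for(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[int]:
    """Id of the rule applied to a non-ICS packet, or None if no rule covers it."""
    r = select_rule(RULES, src_ip, src_port, dst_ip, dst_port)
    return r.rid if r else None


if __name__ == "__main__":
    for pkt in [(A, 10000, B, 20000), (A, 10000, B, 60), (A, 30, B, 60)]:
        r = select_rule(RULES, *pkt)
        print(pkt, "-> rule", r.rid, "at", r.speed_kbps, "kb/s")
```

Packets from a third host are covered only by rules 1 and 2, and a packet to any other destination IP matches nothing and is passed to the token bucket unlimited, which is the behaviour the text describes for traffic outside every rate-limit queue.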

Preferably, to overcome the weakness of the classic token bucket algorithm in handling burst traffic, the improved token bucket algorithm of the invention has a threshold and rate-limit levels. When the current traffic exceeds the configured rate, that is, when there are no tokens left in the bucket to consume, the rate-limit level is raised by one, the threshold tokens are poured into the bucket and processing continues. When the rate-limit level reaches a certain point (the highest level), Layer 2 forwarding of packets stops, which achieves the rate limit. If at the next moment the bucket again holds tokens that can be consumed (tokens remain), the burst period has passed and the rate-limit level is stepped down. This greatly alleviates the token bucket algorithm's inability to cope with bursts.

Because the classic token bucket algorithm cannot handle a surge in traffic, this system improves the algorithm (the improved token bucket algorithm of the invention) by adding a threshold for burst traffic. Within a given period, if no tokens are available in the bucket, the threshold tokens are consumed and the rate-limit level is raised by one; when the level reaches a certain point, traffic is blocked. When tokens subsequently remain in the bucket, the level is lowered again, which effectively relieves the token bucket algorithm's weakness in handling traffic surges.

On top of the improved token bucket algorithm, the invention adds identification of ICS protocol traffic, parsing protocols such as s7 and s7plus. It does not rate-limit ICS traffic, only non-ICS traffic, which suits the security protection of industrial control networks. It parses and records the types of traffic that pass through, automatically moves protocols up and down the parsing order as appropriate, and does not parse ICS protocols with no recorded passes, minimizing the delay the device adds to ICS protocols.

A rate-limiting device for industrial control networks comprises a source device, a router and a destination device. The router comprises:

an ICS protocol parsing module, which determines whether a packet is an ICS protocol;

a rate-limit matching module, which determines whether a packet meets a rate-limit condition;

an improved token bucket algorithm module, which uses the improved token bucket algorithm to decide whether a packet needs to be forwarded;

a packet forwarding module, which forwards packets that meet the criteria;

a protocol parsing adjustment module, which decides whether the weights and priority of ICS protocol parsing need adjusting.

In the invention, the source device first sends a packet to the destination device; the packet passes through the router, which forwards it to the destination device.

The router makes the following decisions about the packet:

1. whether the packet is an ICS protocol;

2. whether the packet meets a rate-limit condition;

3. whether to forward the packet according to the improved token bucket algorithm;

4. whether the weights and priority of ICS protocol parsing need adjusting.

For the ICS protocol check, the parsers are initialized first and the protocols (s7, s7plus, and so on) are checked in order; if an ICS protocol is recognized, the packet skips rate limiting and proceeds to the next step.

Preferably, when the ICS protocol parsing module makes its decision, each ICS packet that passes is first parsed to identify its protocol type, the protocol weight is recorded, and the priority of the ICS protocol check is adjusted accordingly, changing the parsing order; ICS protocols that are not recorded are not rate-limited.

Preferably, for each non-ICS packet that passes, the destination IP and port are used to determine whether it needs rate limiting. Once the packet's destination IP and port are found to belong to a rate-limit queue, it is further checked whether a source IP rule exists. If there is no rate-limit queue for the source IP, the required tokens are deducted from the token bucket according to the destination IP and port rule; if the bucket does not hold enough tokens, the packet is not forwarded at Layer 2, producing the rate-limiting effect.

If a rate-limit queue for the source IP exists, the required tokens are deducted from the token bucket according to the destination IP, port and source IP; if the bucket does not hold enough tokens, the packet is not forwarded at Layer 2, producing the rate-limiting effect.

Preferably, the improved token bucket algorithm module has a threshold and rate-limit levels. When the current traffic exceeds the configured rate, that is, when there are no tokens left in the bucket to consume, the rate-limit level is raised by one, the threshold tokens are poured into the bucket and processing continues. When the rate-limit level reaches a certain point (the highest level), Layer 2 forwarding of packets stops, achieving the rate limit. If at the next moment the bucket again holds tokens that can be consumed (tokens remain), the burst period has passed and the rate-limit level is stepped down.

Network rate limiting is implemented through Layer 2 forwarding. Suppose a packet is sent from the source device to the destination device through the router in between. The router decides whether to forward or drop the packet according to whether it is an ICS protocol, whether it meets a rate-limit condition, and whether the token bucket still holds tokens.

For each packet, the seven ICS protocols are checked first: s7, s7plus, modbus, iec104, dnp3, opc and ams. The ICS protocol parsing module of the invention automatically fine-tunes the check priority of the ICS protocols according to the types of packets flowing through, minimizing the delay added to ICS protocol transmission and further improving its accuracy and efficiency.

For a non-ICS packet, the destination IP + port is used as the primary key and the source IP as the secondary key, giving precise device-to-device rate limiting that can limit not only the size of packets but also their number.

To address the weakness of the token bucket algorithm for traffic rate limiting, the device sets a threshold and limit levels, which greatly alleviate the algorithm's poor handling of burst traffic.

The method and device of the invention support the Linux platform, effectively filter unwanted miscellaneous traffic out of the industrial control network, and deliver ICS protocols to the corresponding equipment faster, more accurately and with lower delay; they are suitable for the industrial control network security protection of small and medium-sized manufacturing enterprises.

The device of the invention parses the protocol of each passing packet, matches it against the rate-limit queues, and then uses the improved token bucket algorithm to greatly alleviate the classic algorithm's inability to handle sudden traffic surges. It thus realizes a rate-limiting method and device for the industrial Internet that lets the industrial control networks of manufacturing enterprises shed much superfluous traffic and makes the transmission of ICS protocol packets more convenient, faster and lower in latency.

Anything not detailed in the invention may be carried out with existing technology.

The beneficial effects of the invention are:

1) The invention improves the classic token bucket algorithm by adding a threshold for burst traffic. Within a given period, if no tokens are available in the bucket, the threshold tokens are consumed and the rate-limit level is raised by one; when the level reaches a certain point, traffic is blocked. When tokens subsequently remain in the bucket, the level is lowered. This effectively relieves the token bucket algorithm's weakness in handling traffic surges and greatly alleviates its poor handling of burst traffic.

2) The invention does not rate-limit ICS traffic, only non-ICS traffic, which suits the security protection of industrial control networks; it can automatically move protocols up and down the parsing order as appropriate, minimizing the delay the device adds to ICS protocols.

3) The invention lets the industrial control network shed much superfluous traffic and makes the transmission of ICS protocol packets more convenient, faster and lower in latency. On top of this, the adjustment of the ICS protocol parsing order reduces the time a packet takes from parsing to Layer 2 forwarding, better serving the principle of accurate and fast delivery of ICS protocols.

The invention not only matches ICS protocols with automatically adjusted priorities; the improved token bucket algorithm also responds to traffic bursts in the network, greatly reducing the negative impact the classic token bucket algorithm suffers under sudden heavy traffic and keeping communication smooth. It can effectively limit unnecessary traffic for industrial control enterprises, transmit ICS protocols more efficiently for them, serve rate-limit testing for small and medium-sized enterprises and research institutions, and support the protection of ICS protocols in cyber ranges.

Description of drawings

Fig. 1 is a flow chart of the speed limiting method applicable to the industrial control Internet of the present invention;

Fig. 2 is a schematic diagram of the industrial control protocol judgment process of an embodiment of the present invention;

Fig. 3 is a schematic diagram of the speed limiting process of an embodiment of the present invention;

Fig. 4 is a schematic diagram of the improved token bucket algorithm of an embodiment of the present invention;

Fig. 5 is a schematic structural diagram of a speed limiting device suitable for the industrial control Internet according to an embodiment of the present invention;

Fig. 6 is a schematic diagram of the composition of the router of an embodiment of the present invention;

Fig. 7 is a diagram of the storage structure of the six speed limit rules of Embodiment 2 of the present invention;

Fig. 8 is a schematic structural diagram of the four devices A, B, C and D of Embodiment 4 of the present invention;

Fig. 9 is a schematic diagram of an S7COMM message of Embodiment 4 of the present invention;

Fig. 10 is a schematic diagram of an SSH protocol message of Embodiment 4 of the present invention.

Detailed description:

To make the technical problems to be solved, the technical solutions and the advantages of the present invention clearer, a detailed description is given below with reference to the accompanying drawings and specific embodiments, without being limited thereto; whatever the present invention does not describe in detail follows conventional technology in the art.

Embodiment 1:

A speed limiting method suitable for the industrial control Internet, as shown in Figures 1 to 4, includes the following steps:

(1) Initialize the industrial control protocols and judge whether the traffic packet is an industrial control protocol; if it is, skip it; if it is a non-industrial-control protocol, further judge from its destination IP and port whether the traffic packet meets the speed limit condition;

(2) If the traffic packet has a matching destination IP and port, further judge whether there is a condition carrying a source IP; if both exist at the same time, the destination IP, port and source IP take precedence;

(3) Judge whether to forward according to the improved token bucket algorithm, specifically: judge from the number of tokens and the size of the traffic packet whether to forward it; if no tokens remain in the token bucket, judge according to the speed limit level whether to forward: if the speed limit level has not reached the highest speed limit standard, consume the tokens of the threshold, raise the speed limit level by one level and forward the traffic packet; if tokens remain in the token bucket, forward and lower the speed limit level by one level;

(4) When the speed limit level reaches the highest speed limit standard, do not forward the traffic packet;

The speed limit level has three levels: release, alarm and block. It is initialized to release. When no tokens remain in the token bucket and the speed limit level is release, 20% of the token bucket capacity is filled in and the level is raised to alarm; when the token bucket's speed limit level is alarm and the tokens consumed by the traffic packet to be forwarded exceed the tokens currently remaining, the level is raised to block and no non-industrial-control protocol is forwarded.

When adding new tokens to the token bucket: if the level is block, only 80% of the token bucket is added and the speed limit level is set to release; if the level is alarm, the usage of the 20% of tokens that were filled in is calculated from the remaining tokens, an equal quantity is removed from the tokens being added, and the speed limit level is then set to release.

After the traffic packet has completed Layer 2 forwarding, step (1) is used to judge whether it is an industrial control protocol and the weight of that industrial control protocol type is fine-tuned; industrial control protocols with no record of passing are not parsed, and the industrial control protocol with the largest number of passes is judged first.

In the industrial control protocol judgment of step (1), each time a traffic packet of an industrial control protocol passes, the packet is first parsed to determine the protocol type and the protocol weight is recorded; the priority of industrial control protocol judgment is then adjusted and the parsing order updated; industrial control protocols with no record are not rate-limited;

Parsing of industrial control protocols uses an integrated network traffic capture and reassembly framework that automatically captures and reassembles packets and, according to the packet content, delivers them to the parsing entry of each layer of the computer network (network layer, transport layer, application layer, and so on); the industrial control protocol type can be determined from the network layer at which the message sits together with the key fields in the message.

The industrial control protocol types that can be parsed include s7, s7plus, modbus, iec104, dnp3, opc and ams. Only 7 plug-ins are currently mounted, but this can be increased to 25, giving good extensibility;

The parsing order of industrial control protocols is initialized as s7, s7plus, modbus, iec104, ams, dnp3 and opc, stored in an ordered list. Suppose an opc protocol packet arrives: the weight of the opc protocol is increased by 1, and its weight is compared with the neighbouring nodes and it is moved until a suitable position is found. Every ten minutes the weights are recorded to a configuration file, so that when the device restarts it can run with the previous weights.

In the present invention, each time an industrial control protocol traffic packet passes, the device parses the protocol type, which in turn affects the weight of that industrial control protocol and further adjusts the priority of industrial control protocol judgment; industrial control protocols with no record of passing are not judged, so that the time cost the transmission imposes on industrial control protocols is minimized and the accuracy and efficiency of industrial control protocol transmission are maximized.
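The weighted parsing order described above, as an added example that is not the patent's own code. The protocol names and the initial order come from the page; the two probe functions are deliberately simplified checks on S7comm and Modbus/TCP headers, the probes for the other plug-ins are stand-ins that never match, the sample packets are constructed here, and the rule "move left while the weight exceeds the left neighbour's" is this example's reading of the text. The `identify` method returns how many probes were tried, which is the cost the reordering is meant to reduce.

```python
"""Added example, not the patent's own code: a weighted parsing order for
industrial control protocols as described in Embodiment 1.  Probe functions,
sample packets and the bubbling rule are this example's own assumptions."""
from typing import Callable, Dict, List, Optional, Tuple

INITIAL_ORDER = ["s7", "s7plus", "modbus", "iec104", "ams", "dnp3", "opc"]


def s7comm_probe(pkt: bytes) -> bool:
    # Simplified S7comm check: TPKT version 3, a COTP data TPDU (02 f0 80) and
    # the S7 protocol id 0x32 right after it.  A real parser checks far more.
    return len(pkt) >= 8 and pkt[0] == 0x03 and pkt[4:7] == b"\x02\xf0\x80" and pkt[7] == 0x32


def modbus_probe(pkt: bytes) -> bool:
    # Simplified Modbus/TCP check: MBAP protocol id is 0 and the MBAP length
    # field equals the number of bytes that follow it.
    return len(pkt) >= 8 and pkt[2:4] == b"\x00\x00" and int.from_bytes(pkt[4:6], "big") == len(pkt) - 6


# Probes for the other plug-ins are stand-ins that never match (assumption).
PROBES: Dict[str, Callable[[bytes], bool]] = {name: (lambda pkt: False) for name in INITIAL_ORDER}
PROBES["s7"] = s7comm_probe
PROBES["modbus"] = modbus_probe


class ParseOrder:
    """Ordered list of [protocol, weight] pairs; the most frequently seen protocol comes first."""

    def __init__(self, names: List[str] = INITIAL_ORDER) -> None:
        self.entries: List[List] = [[name, 0] for name in names]

    def order(self) -> List[str]:
        return [name for name, _ in self.entries]

    def weights(self) -> Dict[str, int]:
        return {name: w for name, w in self.entries}

    def record(self, name: str) -> bool:
        """Add 1 to `name`'s weight and move it left past lighter neighbours.
        Returns False for protocols with no record: those are never parsed."""
        idx = next((i for i, (n, _) in enumerate(self.entries) if n == name), None)
        if idx is None:
            return False
        self.entries[idx][1] += 1
        while idx > 0 and self.entries[idx][1] > self.entries[idx - 1][1]:
            self.entries[idx], self.entries[idx - 1] = self.entries[idx - 1], self.entries[idx]
            idx -= 1
        return True

    def identify(self, pkt: bytes) -> Tuple[Optional[str], int]:
        """Try the probes in the current order and record a hit.
        Returns (protocol or None, number of probes run)."""
        attempts = 0
        for name in self.order():
            attempts += 1
            if PROBES[name](pkt):
                self.record(name)
                return name, attempts
        return None, attempts


# Constructed sample packets (TCP payloads only).
S7_PKT = bytes.fromhex("0300001902f08032010000000000080000f0000001000101e0")
MODBUS_PKT = bytes.fromhex("000100000006010300000001")
SSH_PKT = b"SSH-2.0-OpenSSH_8.4\r\n"

if __name__ == "__main__":
    po = ParseOrder()
    for pkt in (MODBUS_PKT, MODBUS_PKT, S7_PKT, SSH_PKT):
        print(po.identify(pkt), po.order())
```

After one Modbus packet the `modbus` entry has bubbled to the front, so the next Modbus packet is recognised after a single probe instead of three; the SSH payload matches no probe, runs all seven and is handed on to rate limiting. Persisting the weights every ten minutes, as the page describes, would simply dump `weights()` to the configuration file.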

Embodiment 2:

A speed limiting method suitable for the industrial control Internet, as described in Embodiment 1, differing in that, for each non-industrial-control protocol traffic packet that passes through, the destination IP and port are used to determine whether it needs to be rate-limited, supporting both regional rate limiting of the Internet and rate limiting of all ports of a device. After confirming that the destination IP and port of the traffic packet belong to the rate-limit queue, it is further judged whether a source IP is present, so that the traffic packet is rate-limited more precisely. If there is no rate-limit queue with a source IP, the required tokens are deducted from the token bucket according to the destination IP and port standard; if the tokens remaining in the token bucket are insufficient, the traffic packet is not forwarded at Layer 2, thereby achieving the rate limiting effect;

If there is a rate-limit queue with a source IP, the required tokens are deducted from the token bucket according to the destination IP, port and source IP; if the tokens remaining in the token bucket are insufficient, the traffic packet is not forwarded at Layer 2, thereby achieving the rate limiting effect.

The process of judging whether a packet belongs to the rate-limit queue is as follows:

Suppose there are two devices A and B with IPs A (192.168.0.10) and B (192.168.0.20), connected through the device of the present invention;

At this time there are six speed limit rules in the device (storage structure shown in Figure 7):

1. dest: 192.168.0.20 dport: * speed: 20kb/s

(Any non-industrial-control protocol sent to B is limited to 20kb/s)

2. dest: 192.168.0.20 dport: 60 speed: 50kb/s

(Any non-industrial-control protocol sent to port 60 of machine B is limited to 50kb/s)

3. dest: 192.168.0.20 dport: * source: 192.168.0.10 sport: * speed: 30kb/s

(Any non-industrial-control protocol sent from A to B is limited to 30kb/s)

4. dest: 192.168.0.20 dport: * source: 192.168.0.10 sport: 30 speed: 40kb/s

(Any non-industrial-control protocol sent from port 30 of machine A to B is limited to 40kb/s)

5. dest: 192.168.0.20 dport: 60 source: 192.168.0.10 sport: * speed: 60kb/s

(Any non-industrial-control protocol sent from A to port 60 of machine B is limited to 60kb/s)

6. dest: 192.168.0.20 dport: 60 source: 192.168.0.10 sport: 30 speed: 70kb/s

(Any non-industrial-control protocol sent from port 30 of machine A to port 60 of machine B is limited to 70kb/s)

① Suppose a non-industrial-control protocol traffic packet is sent from port 10000 of A to port 20000 of B:

The device first judges whether its rate-limit queue has the destination IP; clearly, the destination IP of rules 1 to 6 is 192.168.0.20 in every case;

It then goes on to judge the destination port. Among the rules whose destination IP is 192.168.0.20, the destination ports are 20, 30, 60 and *; 20, 30 and 60 are not satisfied, while * stands for all ports and is satisfied by port 20000. However, as shown in Figure 7, destination port * has both a rule list and a rule; traversing the rule list finds that the source IP satisfies 192.168.0.10 and the source port satisfies the source port * of the detailed branch, so this traffic satisfies rules 1 and 3 at the same time. Rule 3 is more detailed than rule 1, so rule 1 is discarded and rate limiting is carried out according to rule 3.

② Next, another non-industrial-control protocol traffic packet is sent from port 10000 of A to port 60 of B:

The device again first judges whether the rate-limit queue contains a rule whose destination IP is 192.168.0.20;

It then judges the port number and finds that both destination port 60 and port * may hold rules that satisfy the conditions;

At this point the device sets the rule list of port * aside and judges the rule list of destination port 60 first;

Among the rules for destination port 60, rules 2 and 5 are satisfied, and rule 5 is more detailed than rule 2, so rate limiting is carried out according to rule 5.

③ A traffic packet that satisfies all 6 rules at the same time:

Suppose a non-industrial-control protocol traffic packet is sent from port 30 of A to port 60 of B. It satisfies all 6 rules; the most detailed is rule 6, so rate limiting is carried out according to rule 6.

Summary of rule priority in the present invention:

1. A rule with a source IP outweighs a rule without a source IP;

2. An explicit port number outweighs the * port;

3. Where rules 4 and 5 of the six rules above both match, rule 5, whose destination port number is explicit, is matched first;

Rule priority can also be divided into six cases, from low to high:

a. destination IP + any destination port;

b. destination IP + destination port;

c. destination IP + any destination port + source IP + any source port;

d. destination IP + any destination port + source IP + source port;

e. destination IP + destination port + source IP + any source port;

f. destination IP + destination port + source IP + source port.
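The rule selection of Embodiment 2 and the six-case ranking a to f, as an added example that is not the patent's own code. It ranks every matching rule by the six cases and keeps the highest one, which yields the same choice as walking the Figure 7 tree (destination IP, then destination port, then the source branch) but with a flat scan. The six rules and the three packets are the page's; the `Rule` class, the field names, the tie-break (first rule wins when two rules share a rank, which the page does not specify) and the helper that turns "10kb/s" into a bucket size using the page's 10kb = 10240b convention are assumptions of this example.

```python
"""Added example, not the patent's own code: pick the most specific matching
rate-limit rule using the six priority cases (a..f) of Embodiment 2."""
from dataclasses import dataclass
from typing import List, Optional, Union

Port = Union[int, str]  # an explicit port number or "*" for any port


@dataclass(frozen=True)
class Rule:
    rid: int
    dest: str
    dport: Port
    speed: str
    source: Optional[str] = None  # None: rule carries no source condition
    sport: Port = "*"

    def specificity(self) -> int:
        """Rank in the page's six cases: a=0 ... f=5 (higher wins)."""
        dport_explicit = self.dport != "*"
        if self.source is None:
            return 1 if dport_explicit else 0          # cases a, b
        return 2 + 2 * dport_explicit + (self.sport != "*")  # cases c, d, e, f

    def matches(self, src_ip: str, sport: int, dst_ip: str, dport: int) -> bool:
        if self.dest != dst_ip or (self.dport != "*" and self.dport != dport):
            return False
        if self.source is None:
            return True
        return self.source == src_ip and (self.sport == "*" or self.sport == sport)


def speed_to_tokens(speed: str) -> int:
    """'10kb/s' -> 10240 tokens per second, the page's 10kb = 10240b convention."""
    if not speed.endswith("kb/s"):
        raise ValueError("unsupported speed unit: " + speed)
    return int(speed[:-4]) * 1024


def select_rule(rules: List[Rule], src_ip: str, sport: int, dst_ip: str, dport: int) -> Optional[Rule]:
    """Return the most specific matching rule, or None when the packet is not rate-limited.
    max() keeps the first of equally specific rules (assumption: page leaves ties open)."""
    candidates = [r for r in rules if r.matches(src_ip, sport, dst_ip, dport)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.specificity())


# The six rules of Embodiment 2 (A = 192.168.0.10, B = 192.168.0.20).
RULES = [
    Rule(1, "192.168.0.20", "*", "20kb/s"),
    Rule(2, "192.168.0.20", 60, "50kb/s"),
    Rule(3, "192.168.0.20", "*", "30kb/s", "192.168.0.10", "*"),
    Rule(4, "192.168.0.20", "*", "40kb/s", "192.168.0.10", 30),
    Rule(5, "192.168.0.20", 60, "60kb/s", "192.168.0.10", "*"),
    Rule(6, "192.168.0.20", 60, "70kb/s", "192.168.0.10", 30),
]

if __name__ == "__main__":
    for src, sp, dst, dp in [("192.168.0.10", 10000, "192.168.0.20", 20000),
                             ("192.168.0.10", 10000, "192.168.0.20", 60),
                             ("192.168.0.10", 30, "192.168.0.20", 60)]:
        chosen = select_rule(RULES, src, sp, dst, dp)
        print(src, sp, "->", dst, dp, "rule", chosen.rid, speed_to_tokens(chosen.speed), "tokens/s")
```

The three packets of the walk-through land on rules 3, 5 and 6 respectively; a packet from a host other than A to port 60 of B matches only rules 1 and 2 and gets rule 2, and a packet to any other destination returns `None`, meaning no rate limiting. The ranking also settles the rule 4 versus rule 5 case named in the summary: rule 5 (case e) outranks rule 4 (case d).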

To address the drawback that the traditional token bucket algorithm cannot handle burst traffic, the improved token bucket algorithm of the present invention is provided with a threshold and a speed limit level. When the current traffic exceeds the set speed, that is, when no tokens remain in the token bucket to be consumed, the speed limit level is raised by one level and the tokens of the threshold are poured into the token bucket, and processing continues; when the speed limit level reaches a certain level (that is, the highest speed limit level), Layer 2 forwarding of traffic packets is stopped, achieving the rate limiting purpose; if at the next moment the token bucket again has tokens that can be consumed (that is, tokens remain), this indicates that the burst period has passed and the speed limit level is lowered step by step, greatly alleviating the drawback that the token bucket algorithm cannot cope with burst traffic.

In view of the traditional token bucket algorithm's inability to handle a sharp increase in traffic, the present system improves the token bucket algorithm (namely the improved token bucket algorithm of the present invention) by setting a threshold to handle burst traffic. Within a given period, if no tokens are available in the token bucket, the tokens of the threshold are consumed and the speed limit level is raised by one level; when the speed limit level reaches a certain level, traffic is prohibited from passing. However, when tokens subsequently remain in the token bucket, the speed limit level is lowered, which effectively alleviates the inadequacy of the token bucket algorithm in handling a sharp increase in traffic.

On top of the improved token bucket algorithm, the present invention adds judgment of industrial control protocol traffic, parsing several industrial control protocols such as s7 and s7plus; it does not rate-limit industrial control traffic, only non-industrial-control traffic, which suits the security protection of the industrial control Internet. It also parses and records the types of traffic that pass through and automatically raises and lowers the protocol parsing order as appropriate; industrial control protocols with no record of passing are not parsed, minimizing the delay the device introduces for industrial control protocols.

Embodiment 3:

A speed limiting device suitable for the industrial control Internet, as shown in Figure 5, includes a source device, a router and a destination device, where the router includes:

an industrial control protocol parsing module, for judging whether the traffic packet is an industrial control protocol;

a rate-limit matching module, for judging whether the traffic packet meets the speed limit condition;

an improved token bucket algorithm module, for judging by the improved token bucket algorithm whether the traffic packet needs to be forwarded;

a traffic packet forwarding module, for forwarding traffic packets that meet the standard;

a parsing adjustment module, for judging whether the weight and priority of industrial control protocol parsing need adjustment.

In the present invention, the source device first sends a traffic packet to the destination device; the traffic packet passes through the router and is forwarded to the destination device.

The router makes the following judgments on the traffic packet:

1. whether the traffic packet is an industrial control protocol;

2. whether the traffic packet meets the speed limit condition;

3. whether to forward the traffic packet, according to the improved token bucket algorithm;

4. whether the weight and priority of industrial control protocol parsing need adjustment.

When judging industrial control protocols, initialization is performed first and the s7, s7plus and subsequent protocols are judged in order; if an industrial control protocol is encountered, it is skipped and the next step is entered.

When the industrial control protocol parsing module judges, each time a traffic packet of an industrial control protocol passes, the packet is first parsed to determine the protocol type and the protocol weight is recorded; the priority of industrial control protocol judgment is then adjusted and the parsing order updated; industrial control protocols with no record are not rate-limited.

For each non-industrial-control protocol traffic packet that passes through, the destination IP and port are used to determine whether it needs to be rate-limited. After confirming that the destination IP and port of the traffic packet belong to the rate-limit queue, it is further judged whether a source IP is present. If there is no rate-limit queue with a source IP, the required tokens are deducted from the token bucket according to the destination IP and port standard; if the tokens remaining in the token bucket are insufficient, the traffic packet is not forwarded at Layer 2, thereby achieving the rate limiting effect;

If there is a rate-limit queue with a source IP, the required tokens are deducted from the token bucket according to the destination IP, port and source IP; if the tokens remaining in the token bucket are insufficient, the traffic packet is not forwarded at Layer 2, thereby achieving the rate limiting effect.

The improved token bucket algorithm module is provided with a threshold and a speed limit level. When the current traffic exceeds the set speed, that is, when no tokens remain in the token bucket to be consumed, the speed limit level is raised by one level and the tokens of the threshold are poured into the token bucket, and processing continues; when the speed limit level reaches a certain level (that is, the highest speed limit level), Layer 2 forwarding of traffic packets is stopped, achieving the rate limiting purpose; if at the next moment the token bucket again has tokens that can be consumed (that is, tokens remain), this indicates that the burst period has passed and the speed limit level is lowered step by step.

实施例4:Example 4:

一种适用于工控互联网的限速装置,如图8所示,假设现有四台设备分别为A、B、C、D,A的IP为:192.168.1.10;B的IP为:192.168.1.20;C的IP为192.168.1.135; D的IP为192.168.1.157,四台设备通过限速装置相连。限速装置运行时,令牌桶的数 量和限速速度有关(一般为b),限速等级初始化为放行等级。A speed limiting device suitable for industrial control Internet, as shown in Figure 8, assuming that the existing four devices are A, B, C, and D respectively, the IP of A is: 192.168.1.10; the IP of B is: 192.168.1.20 ; C's IP is 192.168.1.135; D's IP is 192.168.1.157, and the four devices are connected through a speed limiting device. When the speed limiter is running, the number of token buckets is related to the speed limit (usually b), and the speed limit level is initialized to the release level.

此时,设备中有两条规则:At this point, there are two rules in the device:

1.dest:192.168.1.135dport:*source:192.168.1.157sport:*speed:10kb/s1.dest:192.168.1.135dport:*source:192.168.1.157sport:*speed:10kb/s

(任何A发往B的非工控协议都限速10kb/s)(Any non-industrial control protocol sent from A to B has a speed limit of 10kb/s)

2.dest:192.168.1.157dport:*source:192.168.1.135sport:*speed:10kb/s2.dest:192.168.1.157dport:*source:192.168.1.135sport:*speed:10kb/s

(任何A发往B的非工控协议都限速10kb/s)(Any non-industrial control protocol sent from A to B has a speed limit of 10kb/s)

1)现收到一条S7COMM报文,如图9所示,S7COMM是基于tcp传输的,装置 中的工控协议解析模块率先启动,使用捕包组包一体框架,将其扔到tcp的接口,然后 根据其报文的关键字和计算机网络层来判断报文种类。1) Now a S7COMM message is received, as shown in Figure 9, S7COMM is transmitted based on tcp, and the industrial control protocol analysis module in the device starts first, uses the integrated framework of packet capture and grouping, and throws it to the tcp interface, and then According to the keyword of the message and the computer network layer, the type of the message is judged.

装置启动时,初始化了工控协议的解析顺序,按照s7,s7plus,modbus,iec104,ams,dnp3和opc的顺序来匹配工控协议,先进行s7的协议解析,发现报文为s7comm 协议,装置对该报文进行无条件放行,二层转发。When the device starts, the parsing sequence of the industrial control protocol is initialized, and the industrial control protocol is matched according to the order of s7, s7plus, modbus, iec104, ams, dnp3 and opc, and the protocol analysis of s7 is performed first, and it is found that the message is the s7comm protocol. Packets are released unconditionally and forwarded at Layer 2.

然后s7协议的权重加1,和左边协议的权重进行对比,发现其已经在最左边,无法左移。Then the weight of the s7 protocol is increased by 1, and compared with the weight of the left protocol, it is found that it is already on the far left and cannot be moved left.

因为通过的是工控协议,所以对令牌桶和限速等级不做任何处理。Because the industrial control protocol is passed, no processing is performed on the token bucket and the speed limit level.

2)接下来收到一条SSH协议的报文,如图10所示:SSH协议是基于tcp传输的, 装置中的工控协议解析模块率先启动,使用捕包组包一体框架,将其扔到tcp的接口。 然后根据其报文的关键字和计算机网络层来判断报文种类。2) Next, an SSH protocol message is received, as shown in Figure 10: SSH protocol is transmitted based on tcp, and the industrial control protocol parsing module in the device starts first, uses the integrated framework of packet capture and grouping, and throws it to tcp Interface. Then according to the keyword of the message and the computer network layer to judge the type of the message.

装置启动时,初始化了工控协议的解析顺序,按照s7,s7plus,modbus,iec104,ams,dnp3 和opc的顺序来匹配解析工控协议。先进行工控协议的解析,发现报文为非工控协议。 之后,装置对该报文进行限速队列的匹配。When the device starts, the parsing sequence of the industrial control protocol is initialized, and the industrial control protocol is matched and parsed in the order of s7, s7plus, modbus, iec104, ams, dnp3 and opc. First analyze the industrial control protocol, and find that the message is a non-industrial control protocol. Afterwards, the device performs rate-limiting queue matching on the packet.

由图10报文可知,该报文是由192.168.1.135:22发往192.168.1.157:3363;It can be seen from the message in Figure 10 that the message is sent from 192.168.1.135:22 to 192.168.1.157:3363;

目的IP为192.168.1.157,目的端口为3363,源IP为192.168.1.135,源端口为22,满足规则2,所以进行限速处理。The destination IP is 192.168.1.157, the destination port is 3363, the source IP is 192.168.1.135, and the source port is 22, which satisfies rule 2, so rate limiting processing is performed.

然后判断令牌桶的令牌剩余。由于第一条通过的为工控协议并不消耗令牌,此时令 牌桶依然是满状态,限速条件为10kb/s,令牌桶中有10240(10kb=10240b)个令牌,而此报文长度为1460。则准许通过,剩余令牌为10240-1460=8780。对报文进行转发。此 时限速等级:放行。Then judge the remaining tokens in the token bucket. Since the first pass is an industrial control protocol and does not consume tokens, the token bucket is still full at this time, the speed limit condition is 10kb/s, there are 10240 (10kb=10240b) tokens in the token bucket, and this The packet length is 1460. It is allowed to pass, and the remaining tokens are 10240-1460=8780. Forward the message. Speed limit level at this time: release.

3)在通过了几个SSH报文后,令牌桶渐渐的没有了令牌,仅仅剩下5令牌,此时 依然又来了一个SSH报文,发现不为工控协议,并且符合规则2,要进行限速,此时, 令牌桶中仅剩5个令牌,不满足长度1460的报文通行,则判断装置的限速等级为放行, 将报文转发,剩余令牌清0,再填入令牌桶的20%令牌(2048个令牌),限速等级提升 至告警,现总计剩余2048个令牌,限速等级为:告警。3) After passing through several SSH packets, the token bucket gradually loses tokens, and only 5 tokens remain. At this time, another SSH packet is still sent, and it is found that it is not an industrial control protocol and complies with rule 2. , to limit the speed. At this time, there are only 5 tokens left in the token bucket, and the packets that do not meet the length of 1460 are allowed to pass, and the speed limit level of the device is judged to be released, the packets are forwarded, and the remaining tokens are cleared to 0. Then fill in 20% tokens (2048 tokens) of the token bucket, and the speed limit level is raised to alarm. Now there are 2048 tokens remaining, and the speed limit level is: alarm.

4)此时又来了一个SSH报文,发现不为工控协议,并且符合规则2,要进行限速 判断。4) At this time, another SSH message came, and it was found that it was not an industrial control protocol and complied with rule 2, and the speed limit judgment was performed.

此时,令牌桶中仅剩余2048个令牌,扣除报文通过所需的1460后转发报文,此时剩余588个令牌,限速等级为:告警。At this time, there are only 2048 tokens left in the token bucket. After deducting the 1460 required for the packet to pass through, the packet is forwarded. At this time, there are 588 tokens remaining, and the rate limit level is: alarm.

5)最后又来了一个SSH报文,发现不为工控协议,并且符合规则2,要进行限速 判断。5) Finally, another SSH message came, and it was found that it was not an industrial control protocol and complied with rule 2, and a speed limit judgment was required.

剩余不满足长度1460的报文长度,判断此时装置的限速等级为告警,则移除令牌桶中所有令牌,限速等级提升至阻断,阻断此报文和接下来符合规则2的所有报文。If the length of the remaining packets does not meet the length of 1460, it is judged that the rate limit level of the device at this time is an alarm, then all tokens in the token bucket are removed, and the rate limit level is raised to blocking, blocking this packet and the following rules. 2 all messages.

限速装置每隔一秒会刷新一次令牌桶,给令牌桶装满新的令牌。The rate limiting device refreshes the token bucket every second, filling the token bucket with new tokens.

若此时装置限速等级为放行,则刷新令牌桶。If the speed limit level of the device is release at this time, the token bucket is refreshed.

若此时装置限速等级为告警,则根据剩余令牌数扣除添加的令牌。例如上述情况的 告警模式,限速10kb/s,令牌桶容量为10240,剩余588个令牌,说明添加的20%的令 牌桶(2048)用了1460个,则扣除多用的令牌,将剩余的添加至令牌桶即可(添加 2048-1460=588个);If the speed limit level of the device is alarm at this time, the added tokens will be deducted according to the number of remaining tokens. For example, in the alarm mode of the above situation, the speed limit is 10kb/s, the token bucket capacity is 10240, and there are 588 tokens remaining, indicating that the added 20% token bucket (2048) uses 1460 tokens, then the multi-purpose tokens are deducted. Just add the rest to the token bucket (add 2048-1460=588);

If the device's rate-limit level is blocking, not only were the 20% of tokens added in alarm mode used up, but further traffic packets were blocked as well; 80% of the capacity is added to the bucket and the rate-limit level is set back to release.
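The three-level bucket described in steps 3) to 5) and the once-per-second refresh can be replayed in a few dozen lines. The following Python model is an added example, not code from the patent or its applicants. It assumes a 10240-token bucket, a 20% borrow threshold, a 1460-byte packet cost, that a successful forward inside one second leaves the level unchanged (as the worked steps do), and that at alarm level the refresh repays only the part of the borrowed 20% that was actually spent (my reading of claim 1's "equal quantity is removed from the added tokens"); the class and function names are my own.

```python
"""Added example (not the patent's code): a model of the "improved token
bucket" with release / alarm / block levels and a per-second refresh."""

from dataclasses import dataclass

RELEASE, ALARM, BLOCK = "release", "alarm", "block"


@dataclass
class LeveledTokenBucket:
    capacity: int                # tokens per one-second refresh (10240 in the text)
    borrow_percent: int = 20     # share of capacity borrowed when the bucket runs dry
    tokens: int = 0
    level: str = RELEASE

    @property
    def threshold(self) -> int:
        """The 20% borrowed on escalation (2048 for a 10240 bucket)."""
        return self.capacity * self.borrow_percent // 100

    def offer(self, packet_len: int) -> bool:
        """Decide whether a non-ICS packet that matched a rule is forwarded."""
        if self.level == BLOCK:
            return False                      # everything is dropped until refresh
        if self.tokens >= packet_len:
            self.tokens -= packet_len         # normal case: pay for the packet
            return True
        if self.level == RELEASE:
            # Not enough tokens: forward anyway, borrow 20% of the next second's
            # tokens and escalate to alarm (step 3 in the description).
            self.tokens = self.threshold
            self.level = ALARM
            return True
        # Alarm level and still short of tokens: empty the bucket and block.
        self.tokens = 0
        self.level = BLOCK
        return False

    def refresh(self) -> int:
        """Once-per-second refill; returns the token count after the refill."""
        if self.level == RELEASE:
            self.tokens = self.capacity
        elif self.level == ALARM:
            # Assumption: only the spent part of the borrowed 20% is repaid.
            used = self.threshold - self.tokens
            self.tokens = self.capacity - used
        else:
            # Block level: the whole 20% was spent, so only 80% is added.
            self.tokens = self.capacity - self.threshold
        self.level = RELEASE
        return self.tokens


def replay_scenario() -> list:
    """Replay steps 3-5 with constructed input: a bucket down to 5 tokens and
    three 1460-byte SSH packets matching rule 2, then one refresh."""
    bucket = LeveledTokenBucket(capacity=10240, tokens=5)
    trace = []
    for _ in range(3):
        forwarded = bucket.offer(1460)
        trace.append((forwarded, bucket.tokens, bucket.level))
    trace.append(("refresh", bucket.refresh(), bucket.level))
    return trace


if __name__ == "__main__":
    for step in replay_scenario():
        print(step)
```

Running it reproduces the description: the first packet is forwarded and leaves 2048 tokens at alarm, the second leaves 588, the third is dropped and the bucket goes to block, and the refresh then adds only 80% (8192 tokens) before returning to release. Refreshing at alarm level with 588 tokens left gives 10240-1460=8780 under the repayment reading assumed above.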

The above describes the preferred embodiment of the present invention. It should be pointed out that a person of ordinary skill in the art may make various improvements and refinements without departing from the principles of the invention, and such improvements and refinements should also be regarded as falling within the scope of protection of the invention.

Claims (10)

1. A speed limiting method suitable for an industrial control Internet is characterized by comprising the following steps:
(1) initializing an industrial control protocol, judging whether a flow packet is the industrial control protocol, skipping if the flow packet is the industrial control protocol, and further judging whether a destination ip and a port of the flow packet meet a speed limit condition if the flow packet is a non-industrial control protocol;
(2) if the flow packet has a corresponding destination ip and a corresponding port, further judging whether a condition with a source ip exists, and if the condition with the source ip exists, mainly using the destination ip, the port and the source ip;
(3) judging whether to forward according to an improved token bucket algorithm, specifically: judging whether to forward the flow packet according to the number of tokens and the size of the flow packet, if no token exists in the token bucket, judging whether to forward according to the speed limit level, if the speed limit level does not reach the highest standard of the speed limit, consuming the tokens of a threshold value, and increasing the speed limit level by one level to forward the flow packet; if the token bucket has residual tokens, forwarding and reducing the speed limit level by one level;
(4) when the speed limit grade reaches the highest standard of the speed limit, the flow packet is not forwarded;
the speed limit grades comprise three grades which are respectively as follows: releasing, alarming and blocking, wherein the speed limit level is initialized to the releasing level, when no token remains in the token bucket and the speed limit level is releasing, 20% of the capacity of the token bucket is filled, and then the level is promoted to be alarming; when the speed limit level of the token bucket is alarming and the token consumed by the flow packet to be forwarded is larger than the current remaining tokens, the level is promoted to be blocked, and all non-industrial control protocols are not forwarded;
when a new token is added to the token bucket, if the token bucket is a blocking level, only 80% of the token bucket is added, and the speed limit level is set to be released; if the token is in the alarm mode, the use condition of 20% of the filled tokens is calculated according to the rest tokens, equal quantity is removed from the added tokens, and then the speed limit grade is set to be released.
2. The method for limiting speed of industrial control internet according to claim 1, wherein after the traffic packet is forwarded in two layers, it is determined whether the traffic packet is an industrial control protocol according to step (1), the weight of the type of the industrial control protocol is finely adjusted, the recorded industrial control protocol is not analyzed, and the industrial control protocol with the largest number of traffic packets is preferentially determined.
3. The method for limiting speed of industrial control internet according to claim 2, wherein in the step (1), when the industrial control protocol is judged, each flow packet of the industrial control protocol passes through, the flow packet is analyzed first, the protocol type is analyzed, the protocol weight is recorded, the priority of the industrial control protocol judgment is further adjusted, the analysis sequence is adjusted, and the industrial control protocol which is not recorded does not limit speed;
the sequence of industrial control protocol analysis is initialized as follows: s7, s7plus, modbus, iec104, ams, dnp3 and opc are stored in an ordered list, and if an opc protocol comes in at the moment, the weight of the opc protocol is added with 1, and the weight comparison and the shifting are carried out on the left and right nodes until a proper position is found, and the weight is recorded into a configuration file every ten minutes, so that the device can operate according to the previous weight when being restarted.
4. The speed-limiting method suitable for the industrial control internet according to claim 3, characterized in that for each traffic packet passing through the non-industrial control protocol, whether the traffic packet needs speed limiting is determined by adopting a destination ip and port mode, internet regionalization speed limiting and equipment full-port speed limiting are supported, after the destination ip and the port of the traffic packet are determined to belong to a speed-limiting queue, whether a source ip exists is further judged, so that the speed limiting of the traffic packet is more accurately performed, if the speed-limiting queue of the source ip does not exist, the required tokens are deducted from the token bucket by using the standards of the destination ip and the port, if the remaining tokens of the token bucket are insufficient, the traffic packet is not forwarded by two layers, so that the speed-limiting effect is achieved;
if the limit queue of the source ip exists, the destination ip, the port and the source ip are used for deducting the required tokens from the token bucket, if the token bucket has insufficient remaining tokens, the flow packet is not forwarded in two layers, and therefore the speed limiting effect is achieved.
5. The speed limiting method suitable for the industrial control internet as claimed in claim 4, wherein the process of judging whether the speed limiting queue belongs to is as follows:
assume that there are two devices A and B, with IP addresses A = 192.168.0.10 and B = 192.168.0.20, connected through the speed limiting device of the invention;
at this time, the device has the following six speed-limiting rules:
1. dest:192.168.0.20 dport:* speed:20kb/s
2. dest:192.168.0.20 dport:60 speed:50kb/s
3. dest:192.168.0.20 dport:* source:192.168.0.10 sport:* speed:30kb/s
4. dest:192.168.0.20 dport:* source:192.168.0.10 sport:30 speed:40kb/s
5. dest:192.168.0.20 dport:60 source:192.168.0.10 sport:* speed:60kb/s
6. dest:192.168.0.20 dport:60 source:192.168.0.10 sport:30 speed:70kb/s
firstly, a non-industrial control protocol traffic packet is sent from 10000 ports of A to 20000 ports of B:
the device will judge whether the destination IP is in the speed-limited queue or not, obviously, the destination IP of the No. 1-6 rule is 192.168.0.20;
then, the destination port is further judged: among the rules whose destination IP is 192.168.0.20, the destination ports are 20, 30, 60 and *; 20, 30 and 60 are not satisfied, while * means any port and therefore satisfies port 20000; the * destination port, however, has its own rule list, and traversing that list finds that the source IP satisfies 192.168.0.10 and the source port satisfies the source port of the detailed branch, so the flow satisfies rules 1 and 3 at the same time; since rule 3 is more detailed than rule 1, rule 1 is abandoned and the speed is limited according to rule 3;
secondly, a non-industrial control protocol traffic packet is sent from 10000 ports of A to 60 ports of B:
the device still judges whether the speed limit queue contains the rule with the destination IP of 192.168.0.20 or not;
then, the port number is further judged, and it is found that both the destination port 60 and the * port may have rules that meet the conditions;
at this time, the device first puts the rule list of the * port to one side and preferentially judges the rule list of destination port 60;
it is found that, among the rules of the destination port 60, the rule No. 2 and the rule No. 5 are satisfied, and the rule No. 5 is more detailed than the rule No. 2, and the speed is limited according to the rule No. 5;
finally, a traffic packet that satisfies all six rules at once:
a non-industrial control protocol traffic packet is sent from port 30 of A to port 60 of B and meets all six rules simultaneously; the most detailed is rule No. 6, so speed limiting is carried out according to rule No. 6;
the rule priority of the invention is divided into the following six cases, from low to high:
a. destination IP + any destination port;
b. destination IP + destination port;
c. destination IP + any destination port + source IP + any source port;
d. destination IP + any destination port + source IP + source port;
e. destination IP + destination port + source IP + arbitrary source port;
f. destination IP + destination port + source IP + source port.
6. The speed limit method suitable for the industrial control internet as claimed in claim 5, wherein the improved token bucket algorithm is provided with a threshold value and a speed limit grade, when the flow at the moment exceeds the set speed, namely when no token can be consumed in the token bucket, the speed limit grade is raised by one grade, and the token in the threshold value is poured into the token bucket for continuous processing; when the speed limit grade reaches the highest speed limit degree, stopping the two-layer forwarding of the flow packet, thereby achieving the purpose of speed limit; if the tokens in the token bucket can be consumed at the next moment, namely when the tokens remain, the situation that the burst flow time period is over is shown, and the speed limit level is gradually adjusted downwards.
7. A speed limiting device suitable for the industrial control Internet, characterized in that it comprises a source device, a router and a destination device, wherein the router comprises:
the industrial control protocol analysis module is used for judging whether the flow packet is an industrial control protocol or not;
the matching speed limit module is used for judging whether the flow packet meets the speed limit condition or not;
the improved token bucket algorithm module is used for judging whether the flow packet needs to be forwarded or not through an improved token bucket algorithm;
a forwarding flow packet module for forwarding the flow packet meeting the standard;
and the adjustment protocol analysis module is used for judging whether the weight and the priority degree of the industrial control protocol analysis need to be adjusted.
8. The device for limiting speed applicable to industrial control internet according to claim 7, wherein when the industrial control protocol analysis module performs the determination, each time a flow packet of an industrial control protocol passes through, the flow packet is analyzed first, the protocol type is analyzed, the protocol weight is recorded, the priority level of the industrial control protocol determination is further adjusted, the analysis sequence is adjusted, and no speed limitation is performed on the industrial control protocol that is not recorded.
9. The speed limiting device applicable to the industrial control internet as claimed in claim 8, wherein for each traffic packet passing through the non-industrial control protocol, whether the traffic packet needs speed limiting is determined by adopting a destination ip and port mode, after the destination ip and port of the traffic packet are determined to belong to a speed limiting queue, whether a source ip exists is further determined, if no source ip speed limiting queue exists, the required tokens are deducted from the token bucket by using the standards of the destination ip and port, and if the remaining tokens in the token bucket are insufficient, the traffic packet is not subjected to two-layer forwarding, so that the speed limiting effect is achieved;
if the limit queue of the source ip exists, the destination ip, the port and the source ip are used for deducting the required tokens from the token bucket, if the token bucket has insufficient remaining tokens, the flow packet is not forwarded in two layers, and therefore the speed limiting effect is achieved.
10. The speed limiting device suitable for the industrial control internet as claimed in claim 9, wherein the improved token bucket algorithm module is provided with a threshold and a speed limiting grade, when the flow at this time exceeds a set speed, that is, when no token can be consumed in the token bucket, the speed limiting grade is raised by one level, and the token in the threshold is poured into the token bucket for further processing; when the speed limit grade reaches a certain degree, namely the highest speed limit degree, stopping the two-layer forwarding of the flow packet, thereby achieving the purpose of speed limit; if the tokens in the token bucket can be consumed at the next moment, namely when the tokens remain, the situation that the burst flow time period is over is shown, and the speed limit level is gradually adjusted downwards.
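Claim 5 walks through three packets against six rules and gives the priority order a to f for picking the most detailed match. The following Python is an added example, not code from the patent or its applicants: it encodes the six rules as listed in claim 5, treats `*` as "any port" and a missing source as "no source constraint", and ranks matches by the six priority cases. The `Rule` class, `select_rule` function and the constructed packets are my own.

```python
"""Added example (not the patent's code): match a non-ICS packet against the
six rate-limit rules of claim 5 and choose the most detailed one."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    rule_id: int
    dest: str
    dport: Optional[int]          # None stands for "*" (any destination port)
    speed: str
    source: Optional[str] = None  # None: the rule carries no source IP
    sport: Optional[int] = None   # None stands for "*" (any source port)

    def matches(self, src: str, sport: int, dst: str, dport: int) -> bool:
        """Destination IP must match; "*" fields match anything."""
        if self.dest != dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.source is None:
            return True
        return self.source == src and (self.sport is None or self.sport == sport)

    def specificity(self) -> int:
        """Priority cases a-f of claim 5, encoded 0 (lowest) to 5 (highest)."""
        if self.source is None:
            return 1 if self.dport is not None else 0        # a: dest+*, b: dest+port
        score = 2 if self.sport is None else 3               # c, d: with source IP
        if self.dport is not None:
            score += 2                                       # e, f: explicit dport
        return score


# The six rules from claim 5 (constructed from the page's table).
RULES: List[Rule] = [
    Rule(1, "192.168.0.20", None, "20kb/s"),
    Rule(2, "192.168.0.20", 60, "50kb/s"),
    Rule(3, "192.168.0.20", None, "30kb/s", "192.168.0.10", None),
    Rule(4, "192.168.0.20", None, "40kb/s", "192.168.0.10", 30),
    Rule(5, "192.168.0.20", 60, "60kb/s", "192.168.0.10", None),
    Rule(6, "192.168.0.20", 60, "70kb/s", "192.168.0.10", 30),
]


def select_rule(rules: List[Rule], src: str, sport: int,
                dst: str, dport: int) -> Optional[Rule]:
    """Return the most detailed matching rule, or None when the packet
    belongs to no rate-limit queue and is forwarded unthrottled."""
    candidates = [r for r in rules if r.matches(src, sport, dst, dport)]
    if not candidates:
        return None
    return max(candidates, key=Rule.specificity)


if __name__ == "__main__":
    # The three packets walked through in claim 5 (A = .10, B = .20).
    for pkt in [("192.168.0.10", 10000, "192.168.0.20", 20000),
                ("192.168.0.10", 10000, "192.168.0.20", 60),
                ("192.168.0.10", 30, "192.168.0.20", 60)]:
        chosen = select_rule(RULES, *pkt)
        print(pkt, "->", chosen.rule_id if chosen else None)
```

The three packets of claim 5 resolve to rules 3, 5 and 6 respectively; a packet from a host other than A to port 60 of B falls back to rule 2, and a packet to a destination not covered by any rule returns None.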
CN202010641005.8A 2020-07-06 2020-07-06 A speed limiting method and device suitable for industrial control Internet Pending CN111800343A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010641005.8A CN111800343A (en) 2020-07-06 2020-07-06 A speed limiting method and device suitable for industrial control Internet

Publications (1)

Publication Number Publication Date
CN111800343A true CN111800343A (en) 2020-10-20

Family

ID=72811499

Country Status (1)

Country Link
CN (1) CN111800343A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114548982A (en) * 2020-11-26 2022-05-27 腾讯科技(深圳)有限公司 Service request processing method and device, computer equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7646718B1 (en) * 2005-04-18 2010-01-12 Marvell International Ltd. Flexible port rate limiting
CN102082693A (en) * 2011-02-15 2011-06-01 中兴通讯股份有限公司 Method and device for monitoring network traffic
CN103259743A (en) * 2012-02-15 2013-08-21 中兴通讯股份有限公司 Method and device for controlling output flow based on token bucket
CN105897610A (en) * 2016-03-31 2016-08-24 乐视控股(北京)有限公司 Flow control method and device
CN108650192A (en) * 2018-04-28 2018-10-12 国网福建省电力有限公司 A kind of flow control methods based on token bucket optimization algorithm

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20201020