
Algorithm Optimization And Design Of Embedded Firewall Filter Rules

Posted on: 2011-10-13
Degree: Master
Type: Thesis
Country: China
Candidate: P Q Zheng
Full Text: PDF
GTID: 2178360305483078
Subject: Communication and Information System
Abstract/Summary:
With the development of science and technology, computer networks have become ever more closely tied to people's daily lives; at the same time, the continuing development of network attack techniques causes a great deal of trouble. Firewalls are dedicated to defending against network attacks and protecting the intranet, and embedded firewalls hold a leading position in the network security domain because of their superior cost-performance ratio. Embedded programs must be compact and efficient, a requirement imposed by the hardware characteristics of embedded devices themselves, such as small memory and low CPU frequency. Nowadays, many embedded firewalls match filter rules by order (sequential) matching. This is suitable for a small rule base, but as the rule set grows it degrades the processing efficiency and throughput of the embedded network firewall. This paper therefore proposes the Binary Search in Leafs of Tries algorithm to improve the matching speed of the filter rule subsystem: a Trie tree is constructed, rules are stored in its leaf nodes, and because the rules stored in each leaf form an ordered sequence they can be searched by binary search. Compared with order matching, this algorithm improves the firewall's network throughput and is better suited to the embedded environment. In addition, on account of the well-known distributed denial-of-service (DDoS) attack in modern network security, a DDoS defense subsystem is designed, and some of its key parts are analyzed and implemented in detail, such as the detection code for typical DoS attacks, the statistics of Session Number, Session Rate and Packets Per Second, and the communication mechanism between user mode and kernel mode.
Lastly, the SYN Cookie algorithm and its code implementation are derived through the calculation of the Cookie value, and the results show that this algorithm defends very well when the attack traffic is not very high. Finally, a packet-passing test is carried out by configuring a specified number of filter rules through the WebUI. Statistics are collected with packet-sending and packet-capturing tools, and a throughput comparison diagram is obtained. The DDoS test proceeds in the same way: DoS rules and Profile threshold files are configured through the WebUI, the defense function modules are switched on, a specified machine is attacked with a DDoS attack tool, and the final results show that the desired design goal is achieved. The work is nevertheless quite limited; for example, the system is written for IPv4, and making the program operate under IPv6 is one direction for future research.
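As an added illustration (not code from the thesis) of the matching idea described above: a bit trie over a destination-IP prefix, rules stored at the node where their prefix ends (a leaf when prefixes do not nest) and kept sorted by port so that a lookup needs only a binary search there, beside the order-matching baseline it is compared against. The rule shape (prefix, exact destination port, action) and longest-prefix-wins semantics are assumptions for this example.

```python
# Added example, not the thesis's code. Rules are assumed to be
# (destination prefix, exact destination port, action); longest prefix wins.
import bisect
import ipaddress

class Node:
    __slots__ = ("child", "rules")
    def __init__(self):
        self.child = [None, None]
        self.rules = []          # (port, action) pairs kept sorted by port

def build_trie(rules):
    root = Node()
    for prefix, port, action in rules:
        net = ipaddress.ip_network(prefix, strict=False)
        node = root
        # one trie level per prefix bit; the rule lands where its prefix ends
        for bit in format(int(net.network_address), "032b")[:net.prefixlen]:
            if node.child[int(bit)] is None:
                node.child[int(bit)] = Node()
            node = node.child[int(bit)]
        bisect.insort(node.rules, (port, action))
    return root

def match_trie(root, dst_ip, dst_port, default="deny"):
    bits = format(int(ipaddress.ip_address(dst_ip)), "032b")
    node, best, depth = root, default, 0
    while node is not None:
        # binary search over this node's sorted rules instead of a linear scan
        i = bisect.bisect_left(node.rules, (dst_port, ""))
        if i < len(node.rules) and node.rules[i][0] == dst_port:
            best = node.rules[i][1]       # deeper node = longer prefix wins
        if depth == 32:
            break
        node = node.child[int(bits[depth])]
        depth += 1
    return best

def match_sequential(rules, dst_ip, dst_port, default="deny"):
    # order matching baseline: scan every rule, keep the longest-prefix hit
    ip, best, best_len = ipaddress.ip_address(dst_ip), default, -1
    for prefix, port, action in rules:
        net = ipaddress.ip_network(prefix, strict=False)
        if port == dst_port and ip in net and net.prefixlen > best_len:
            best, best_len = action, net.prefixlen
    return best

# constructed sample rule set (not from the thesis)
RULES = [("10.0.0.0/8", 22, "allow"), ("10.1.0.0/16", 22, "deny"),
         ("10.1.0.0/16", 80, "allow"), ("192.168.1.0/24", 443, "allow"),
         ("0.0.0.0/0", 53, "allow")]
TRIE = build_trie(RULES)
```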
Keywords/Search Tags: firewall, network security, filter rule, throughput, Distributed Denial-of-Service