Embodiment
It should be noted that the embodiments of the present application and the features in the embodiments may be combined with each other where no conflict arises. The present invention is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
To enable those skilled in the art to better understand the solution of the present invention, the technical solution in the embodiments of the present invention is described clearly and completely below in conjunction with the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second", etc. in the specification, claims and accompanying drawings of the present invention are used to distinguish similar objects and need not describe a particular order or precedence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described here. In addition, the terms "comprise" and "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
An embodiment of the present invention provides a data processing method for network security protection.
Fig. 1 is a flow chart of the data processing method according to the first embodiment of the present invention. As shown in the figure, the data processing method comprises the following steps:
Step S102: receive a request from a terminal to access an application server.
When using a terminal, the user cannot directly see the IP address of the application server; what the user sees in the terminal is the domain name to be accessed, for example service.aaa.com. When the user needs to access the application, the protective device, such as a firewall, resolves the domain name to be accessed, service.aaa.com, after receiving the user's access request.
Step S104: resolve the IP address of the application server according to the request.
Resolving the IP address of the application server comprises resolving the IP address by means of a DNS server; the IP address may also be looked up in the DNS cache local to the firewall. Resolution by the DNS server can use the DNS server's ordinary method of resolving IP addresses; since that method is not the focus of the present invention, it is not repeated here. Looking up the IP address in the firewall's local DNS cache is described in detail in the following embodiments.
Step S106: judge whether the IP address obtained by resolution is an unsafe IP address.
Whether the IP address was obtained by resolution at the DNS server or found in the DNS cache, it must pass the firewall's judgment to determine whether the resolved IP address is an unsafe IP address.
The resolved IP address is looked up in an IP reputation database, and according to the IP reputation stored for each IP address in the IP reputation database, it is determined whether the resolved IP address is an unsafe IP address.
If the IP reputation of the resolved IP address found in the IP reputation database is low, the resolved IP address is determined to be an unsafe IP address.
Step S108: if the resolved IP address is judged to be an unsafe IP address, delete the unsafe IP address from the response message.
After the unsafe IP address is deleted from the response message, the terminal cannot perceive the unsafe IP address, so the terminal is effectively prevented from accessing it, and the security of the terminal's use of the application is increased.
Step S110: send the response message from which the unsafe IP address has been deleted to the terminal.
After the unsafe IP address has been deleted, the response message contains only safe IP addresses and no unsafe ones; therefore any IP address in the response message that the terminal accesses is safe, which guarantees that the terminal can use the application and access a safe application server.
If no IP address remains in the response message after the unsafe IP address has been deleted, a reply that the application cannot be accessed is returned to the terminal.
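The following is an added illustration of steps S106 to S110 and of the empty-response case above; it is not part of the patent text. The reputation database, its 0-100 scale, the threshold below which an address counts as low reputation, and the treatment of addresses missing from the database as unsafe are all assumptions made for this example, and the 203.0.113.x addresses are constructed documentation addresses.

```python
# Added example (not from the patent): filter a resolved DNS answer by IP
# reputation before it is handed to the terminal (steps S106-S110).
from dataclasses import dataclass
from typing import Dict, List

# Constructed IP reputation database: address -> reputation score, higher is
# better. The 0-100 scale and the threshold are assumptions for this example.
REPUTATION_DB: Dict[str, int] = {
    "203.0.113.10": 15,   # low reputation: treated as unsafe
    "203.0.113.20": 90,
    "203.0.113.30": 70,
}
UNSAFE_THRESHOLD = 50


@dataclass
class Response:
    domain: str
    ips: List[str]
    access_denied: bool = False   # set when no safe address is left


def is_unsafe(ip: str, db: Dict[str, int], threshold: int = UNSAFE_THRESHOLD) -> bool:
    """An address is unsafe when its reputation is low (step S106).
    An address absent from the database is also treated as unsafe; that
    fail-closed choice is an assumption, the patent text only covers
    addresses that are found in the database."""
    score = db.get(ip)
    return score is None or score < threshold


def filter_response(domain: str, resolved_ips: List[str],
                    db: Dict[str, int] = REPUTATION_DB) -> Response:
    """Steps S108/S110: drop every unsafe address from the answer. If nothing
    remains, reply that the application cannot be accessed instead of
    returning an empty address list to the terminal."""
    safe = [ip for ip in resolved_ips if not is_unsafe(ip, db)]
    if not safe:
        return Response(domain=domain, ips=[], access_denied=True)
    return Response(domain=domain, ips=safe)


if __name__ == "__main__":
    print(filter_response("service.aaa.com", ["203.0.113.10", "203.0.113.20"]))
    print(filter_response("service.aaa.com", ["203.0.113.10"]))
```

The terminal only ever sees `Response.ips`; the unsafe address never leaves the firewall, which is the property the text relies on.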
By the embodiment of the present invention, it is judged whether the resolved IP address is an unsafe IP address; if it is, the unsafe IP address is deleted from the response message, and the response message from which the unsafe IP address has been deleted is sent to the terminal, so that the terminal cannot perceive the unsafe IP address and any IP address in the response message that the terminal accesses leads to a safe application server. Because the terminal can access the application server through the safe IP addresses other than the unsafe one, when one of the application servers of this terminal is an unsafe server, the terminal can still use other, safe application servers normally, which improves the robustness of the terminal program.
At the same time, when resolving the IP address of the application server, the IP address of the application server can be queried directly in the DNS cache; only if it cannot be found there is a request to resolve the application server's IP address sent to the DNS server. This improves query efficiency and further improves the efficiency of network protection.
Fig. 2 is a flow chart of the data processing method according to the second embodiment of the present invention. As shown in the figure, before the response message from which the unsafe IP address has been deleted is sent to the terminal, the data processing method further comprises the following steps:
Step S202: sort the safe IP addresses in the response message from which the unsafe IP address has been deleted according to IP reputation.
After the unsafe IP address has been deleted, the IP reputation corresponding to each safe IP address in the response message is queried in the IP reputation database, and the safe IP addresses are sorted by how high their IP reputation is.
Step S204: keep the safe IP addresses in the response message in the sorted order of IP reputation.
After sorting by IP reputation, the safe IP addresses are kept in the response message in order from high to low IP reputation.
Because an IP address placed earlier in the response message has a higher IP reputation, because a terminal conventionally selects an IP address near the front of the response message as the IP address of the application server to access, and because an application server with a higher IP reputation has better access speed and access stability, the safe IP addresses are kept in the response message in the order of IP reputation from high to low.
Step S206: keep the safe IP addresses locally at the firewall.
When the safe IP addresses are kept locally at the firewall and the terminal accesses the same application server again within a certain period, the corresponding IP address can be retrieved directly from the firewall's cache without sending the request to the DNS server for resolution. This not only guarantees the security of the application server accessed by the terminal, but also improves the efficiency of the protective device and its protection performance.
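Steps S202 to S206, as an added example that is not part of the patent text: the safe addresses are ordered by reputation, the first one becomes the preferred address, and the ordered list is stored in the firewall's local cache. The reputation database and the cache structure are constructed for this illustration; the rule that addresses with equal reputation keep the order of the original response follows the Fig. 3 walkthrough later in the text.

```python
# Added example (not from the patent): sort the remaining safe addresses by
# IP reputation (S202/S204) and keep them in the firewall's local cache (S206).
from typing import Dict, List, Tuple

# Constructed reputation database: address -> score, higher is better.
REPUTATION_DB: Dict[str, int] = {
    "203.0.113.20": 70,
    "203.0.113.30": 90,
    "203.0.113.40": 70,   # same reputation as .20: original order must be kept
}

# Firewall-local DNS cache (constructed): domain -> ordered safe addresses.
LOCAL_CACHE: Dict[str, List[str]] = {}


def sort_by_reputation(safe_ips: List[str], db: Dict[str, int]) -> List[str]:
    """Highest reputation first. Python's sort is stable, also with
    reverse=True, so addresses with equal reputation keep the position they
    had in the original response message."""
    return sorted(safe_ips, key=lambda ip: db[ip], reverse=True)


def finalize_response(domain: str, safe_ips: List[str],
                      db: Dict[str, int] = REPUTATION_DB,
                      cache: Dict[str, List[str]] = LOCAL_CACHE
                      ) -> Tuple[List[str], str]:
    """Return (ordered addresses, preferred address). The preferred address is
    the front of the ordered list, which is what a terminal normally picks.
    The ordered list is stored locally so a repeat request for the same
    domain can be answered without the DNS server (S206)."""
    if not safe_ips:
        raise ValueError("no safe address left; caller must deny access instead")
    ordered = sort_by_reputation(safe_ips, db)
    cache[domain] = list(ordered)
    return ordered, ordered[0]


if __name__ == "__main__":
    print(finalize_response("service.aaa.com",
                            ["203.0.113.20", "203.0.113.30", "203.0.113.40"]))
```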
By the above method, the IP address with the higher IP reputation is sent to the terminal as the preferred IP address, providing the terminal with a more stable and safe application server; this not only guarantees the user's access security but also improves the user experience.
Further, resolving the IP address of the application server according to the request to access the server comprises: looking up the IP address of the application server locally at the firewall; judging whether the IP address of the application server is found locally at the firewall; and, if the IP address of the application server is not found locally at the firewall, sending the request to the DNS server and receiving the IP address of the application server resolved by the DNS server.
The firewall has a local DNS cache in which IP addresses of application servers can be stored. When resolving the IP address that the terminal requests to access, the IP address corresponding to the requested application server is first looked up in the DNS cache. If no IP address corresponding to the requested application server is found in the firewall's DNS cache, the request to resolve the application server's IP address is sent to the DNS server, which resolves the IP address corresponding to the application server and returns the resolved IP address to the firewall. After receiving the resolved IP address, the firewall looks up whether it is a safe IP address.
Further, resolving the IP address of the application server according to the request to access the server comprises: looking up the IP address of the application server locally at the firewall; judging whether the IP address of the application server is found locally at the firewall; and, if the IP address of the application server is found locally at the firewall, not sending the request to the DNS server but directly using the IP address of the application server that was found as the DNS server's reply.
Similarly, if the IP address of the application server can be found locally at the firewall, there is no need to send the request to resolve the IP address to the DNS server: the IP address corresponding to the requested application server is looked up directly in the DNS cache, and if it is found, the looked-up IP address is used directly, and it is judged whether the IP address found is a safe IP address.
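The cache-first resolution described in the preceding paragraphs, as an added example that is not part of the patent text. The cache layout, the validity period of a cached entry (the text only says "a certain period") and the stand-in for the DNS server are assumptions for this illustration; whichever path answers, the result still goes through the reputation judgment.

```python
# Added example (not from the patent): consult the firewall's local DNS cache
# first and forward the request to the DNS server only on a miss.
import time
from typing import Callable, Dict, List, Optional, Tuple

CACHE_LIFETIME_SECONDS = 300   # assumed validity period of a cached entry

# domain -> (safe addresses, time the entry was stored); constructed layout
LocalCache = Dict[str, Tuple[List[str], float]]


def lookup_local(domain: str, cache: LocalCache, now: float) -> Optional[List[str]]:
    """Return the cached addresses for domain, or None on a miss.
    An entry older than the validity period is discarded and counts as a
    miss, so stale addresses are never handed back from the cache."""
    entry = cache.get(domain)
    if entry is None:
        return None
    ips, stored_at = entry
    if now - stored_at > CACHE_LIFETIME_SECONDS:
        del cache[domain]
        return None
    return list(ips)


def resolve(domain: str, cache: LocalCache,
            dns_query: Callable[[str], List[str]],
            now: Optional[float] = None) -> Tuple[List[str], str]:
    """Return (addresses, source). source is "cache" when the firewall
    answered from its local cache and "dns" when the request had to be sent
    to the DNS server. The caller must still run the reputation check on the
    result in both cases, and stores checked addresses with store_local."""
    now = time.time() if now is None else now
    cached = lookup_local(domain, cache, now)
    if cached is not None:
        return cached, "cache"
    return dns_query(domain), "dns"


def store_local(domain: str, safe_ips: List[str], cache: LocalCache,
                now: Optional[float] = None) -> None:
    """Keep the (already checked) safe addresses locally at the firewall."""
    cache[domain] = (list(safe_ips), time.time() if now is None else now)


# Constructed stand-in for the DNS server; counts how often it is consulted.
UPSTREAM_CALLS = {"count": 0}


def fake_dns_query(domain: str) -> List[str]:
    UPSTREAM_CALLS["count"] += 1
    return {"service.aaa.com": ["203.0.113.20", "203.0.113.30"]}.get(domain, [])


if __name__ == "__main__":
    c: LocalCache = {}
    ips, src = resolve("service.aaa.com", c, fake_dns_query)
    store_local("service.aaa.com", ips, c)          # after the reputation check
    print(src, resolve("service.aaa.com", c, fake_dns_query)[1])
```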
Whether the IP address was obtained by resolution at the DNS server or found locally at the firewall, the firewall must judge whether the resolved IP address is safe.
The resolved IP address is looked up in the IP reputation database to judge whether it is safe; if the resolved IP address is judged to be an unsafe IP address, the unsafe IP address is deleted from the response message.
It should be noted that resolution may yield one or more IP addresses; the terminal conventionally holds a plurality of IP addresses, one of which is the preferred IP address, and the terminal accesses the application server according to the preferred IP address.
Further, after the unsafe IP address is deleted from the response message, the data processing method also comprises: judging whether the number of safe IP addresses in the response message is 0; and, if the number of safe IP addresses in the response message is judged to be 0, sending a response message denying access to the terminal.
After the IP address has been resolved, the unsafe IP address is deleted from the response message; the terminal cannot perceive it and naturally cannot access it, which guarantees the security of the terminal's access to the application server. Whether the number of IP addresses in the response message is 0 is then judged; if it is 0, there is no safe IP address in the response message that could be used, and a response message denying access is sent to the terminal. If the number is not 0, the safe IP addresses are sorted by IP reputation and the response message storing the sorted IP addresses is sent to the terminal; the IP address with the highest IP reputation is placed at the front of the response message as the preferred IP address, and after receiving the response message the terminal accesses the application server according to the preferred IP address, so that the terminal accesses the application server securely.
By the present invention, the IP reputation of each resolved IP address is first looked up and unsafe IP addresses are deleted from the response message, so that the terminal cannot perceive them, which guarantees that the terminal accesses the application server securely. Further, after the unsafe IP addresses are deleted, the safe IP addresses are sorted by IP reputation and the one with the highest IP reputation is used as the preferred IP address for the terminal program to access; thus, when the unsafe IP address was the preferred IP address, the application program can still be used normally once the unsafe address has been deleted. The above method not only guarantees the security of the terminal's access to the application server but also keeps the terminal usable when an unsafe IP address is disabled, thereby solving the problem of low protection performance of network protection systems in the prior art and achieving the effect of improving the protection performance of the network protection system.
Fig. 3 is a schematic diagram of the data processing method according to the embodiment of the present invention, taking application P as an example.
Specifically, taking application P as an example, suppose that application P uses two application servers, application server A300 and application server B400, with two different IP addresses A and B respectively. Suppose that an attacker has attacked and taken control of application server A300, and that the DNS server offers server A to users in region S as the preferred server for region S.
When terminal 100 accesses application P, firewall 200 receives the access request of terminal 100 and queries the server address of application P requested by terminal 100 in DNS cache 600 of firewall 200.
If the server address of application P requested by terminal 100 is found in DNS cache 600, the firewall looks up the IP reputation of the server address of application P. If the server address of application P requested by terminal 100 is not found in DNS cache 600, the request of terminal 100 is sent to DNS server 500, which resolves the request of terminal 100 and returns the resolved server address of application P to firewall 200.
The server addresses of application P that firewall 200 has queried or received are A and B. Server addresses A and B are now queried in IP reputation database 700; supposing that A is found to be an unsafe IP address, A is deleted from the response message and the retained server address is B.
The server address in the response message is B; B is sent to terminal 100, and terminal 100 accesses IP address B. If the response message also contains a safe server address C, the server addresses retained in the response message are B and C, which are sorted according to the IP reputation of B and C: for example, if the reputation of B is greater than that of C, B is placed before C; if the IP reputations found for B and C are identical, they are arranged in the order of the original response message.
The server addresses B and C retained in the response message are safe IP addresses, so the response message containing server addresses B and C can be sent to terminal 100, with server address B, whose IP reputation is higher, provided to terminal 100 as the preferred IP address, and the retained server addresses B and C are kept in DNS cache 600 of the firewall.
After the user obtains server address B, server B can be accessed and application P can be used.
With the above method, when the DNS resolves a server address, server addresses with low IP reputation are deleted from the response message, so the terminal cannot perceive malicious IP addresses, which improves the overall efficiency of the network protection system. In addition, when resolution yields a plurality of IP addresses, they are looked up in the IP reputation database and sorted by IP reputation; the IP addresses with high IP reputation are sent to the terminal, and the terminal accesses the server with the high IP reputation that it received. The sorting changes the preferred IP address of the original response message, which not only lets the terminal use application P normally but also prevents the terminal from accessing an unsafe IP address, improving the stability of the application.
At the same time, the DNS cache in the firewall keeps the IP addresses resolved for terminal requests; when the same request needs to be resolved again, it is looked up directly in the firewall without being sent to the DNS server for resolution, which improves the efficiency of resolving terminal requests and thus the operating efficiency of terminal applications.
The data processing method of the embodiment of the present invention can be executed by the data processing apparatus provided by the embodiment of the present invention, and the data processing apparatus of the embodiment of the present invention can also be used to execute the data processing method provided by the embodiment of the present invention.
An embodiment of the present invention also provides a data processing apparatus for network security protection.
Fig. 4 is a schematic diagram of the data processing apparatus according to the first embodiment of the present invention. As shown in the figure, the data processing apparatus comprises a receiving unit 10, a resolving unit 20, a judging unit 30, a deleting unit 40 and a response unit 50.
The receiving unit 10 is configured to receive a request from a terminal to access an application server.
When using a terminal, the user cannot directly see the IP address of the application server; what the user sees in the terminal is the domain name to be accessed, for example service.aaa.com. When the user needs to access the application, the protective device, such as a firewall, resolves the domain name to be accessed, service.aaa.com, after receiving the user's access request.
The resolving unit 20 is configured to resolve the IP address of the application server according to the request.
Resolving the IP address of the application server comprises resolving the IP address by means of a DNS server; the IP address may also be looked up in the DNS cache local to the firewall. Resolution by the DNS server can use the DNS server's ordinary method of resolving IP addresses; since that method is not the focus of the present invention, it is not repeated here. Looking up the IP address in the firewall's local DNS cache is described in detail in the following embodiments.
The judging unit 30 is configured to judge whether the resolved IP address is an unsafe IP address.
Whether the IP address was obtained by resolution at the DNS server or found in the DNS cache, it must pass the firewall's judgment to determine whether the resolved IP address is an unsafe IP address.
The resolved IP address is looked up in the IP reputation database, and according to the IP reputation stored for each IP address in the IP reputation database, it is determined whether the resolved IP address is an unsafe IP address.
If the IP reputation of the resolved IP address found in the IP reputation database is low, the resolved IP address is determined to be an unsafe IP address.
The deleting unit 40 is configured to delete the unsafe IP address from the response message when the resolved IP address is judged to be an unsafe IP address.
After the unsafe IP address is deleted from the response message, the terminal cannot perceive the unsafe IP address, so the terminal is effectively prevented from accessing it, and the security of the terminal's use of the application is increased.
The response unit 50 is configured to send the response message from which the unsafe IP address has been deleted to the terminal.
After the unsafe IP address has been deleted, the response message contains only safe IP addresses and no unsafe ones; therefore any IP address in the response message that the terminal accesses is safe, which guarantees that the terminal can use the application and access a safe application server.
If no IP address remains in the response message after the unsafe IP address has been deleted, a reply that the application cannot be accessed is returned to the terminal.
By the embodiment of the present invention, it is judged whether the resolved IP address is an unsafe IP address; if it is, the unsafe IP address is deleted from the response message, and the response message from which the unsafe IP address has been deleted is sent to the terminal, so that the terminal cannot perceive the unsafe IP address and any IP address in the response message that the terminal accesses leads to a safe application server. Because the terminal can access the application server through the safe IP addresses other than the unsafe one, when one of the application servers of this terminal is an unsafe server, the terminal can still use other, safe application servers normally, which improves the robustness of the terminal program.
At the same time, when resolving the IP address of the application server, the IP address of the application server can be queried directly in the DNS cache; only if it cannot be found there is a request to resolve the application server's IP address sent to the DNS server. This improves query efficiency and further improves the efficiency of network protection.
Fig. 5 is a schematic diagram of the data processing apparatus according to the second embodiment of the present invention. As shown in the figure, the data processing apparatus comprises the receiving unit 10, the resolving unit 20, the judging unit 30 and the deleting unit 40, and further comprises a sorting unit 60, a message storage unit 70 and a local storage unit 80.
The sorting unit 60 is configured to sort, before the response message from which the unsafe IP address has been deleted is sent to the terminal, the safe IP addresses in that response message according to IP reputation.
After the unsafe IP address has been deleted, the IP reputation corresponding to each safe IP address in the response message is queried in the IP reputation database, and the safe IP addresses are sorted by how high their IP reputation is.
The message storage unit 70 is configured to keep the safe IP address with the highest IP reputation in the response message.
Because an IP address placed earlier in the response message has a higher IP reputation, because a terminal conventionally selects an IP address near the front of the response message as the IP address of the application server to access, and because an application server with a higher IP reputation has better access speed and access stability, the safe IP addresses are kept in the response message in the order of IP reputation from high to low.
The local storage unit 80 is configured to keep the safe IP addresses locally at the firewall.
When the safe IP addresses are kept locally at the firewall and the terminal accesses the same application server again within a certain period, the corresponding IP address can be retrieved directly from the firewall's cache without sending the request to the DNS server for resolution. This not only guarantees the security of the application server accessed by the terminal, but also improves the efficiency of the protective device and its protection performance.
By the above method, the IP address with the higher IP reputation is sent to the terminal as the preferred IP address, providing the terminal with a more stable and safe application server; this not only guarantees the user's access security but also improves the user experience.
Further, the resolving unit 20 comprises a lookup module, a judging module and a transceiver module.
The lookup module is configured to look up the IP address of the application server locally at the firewall. The judging module is configured to judge whether the IP address of the application server is found locally at the firewall. The transceiver module is configured to send the request to the DNS server when the IP address of the application server is not found locally at the firewall, and to receive the IP address of the application server resolved by the DNS server.
The firewall has a local DNS cache in which IP addresses of application servers can be stored. When resolving the IP address that the terminal requests to access, the IP address corresponding to the requested application server is first looked up in the DNS cache. If no IP address corresponding to the requested application server is found in the firewall's DNS cache, the request to resolve the application server's IP address is sent to the DNS server, which resolves the IP address corresponding to the application server and returns the resolved IP address to the firewall. After receiving the resolved IP address, the firewall looks up whether it is a safe IP address.
Further, the resolving unit 20 comprises: a lookup module configured to look up the IP address of the application server locally at the firewall; a judging module configured to judge whether the IP address of the application server is found locally at the firewall; and a calling module configured, when the IP address of the application server is found locally at the firewall, not to send the request to the DNS server but to use the IP address of the application server that was found directly as the DNS server's reply.
Similarly, if the IP address of the application server can be found locally at the firewall, there is no need to send the request to resolve the IP address to the DNS server: the IP address corresponding to the requested application server is looked up directly in the DNS cache, and if it is found, the looked-up IP address is used directly, and it is judged whether the IP address found is a safe IP address.
Whether the IP address was obtained by resolution at the DNS server or found locally at the firewall, the firewall must judge whether the resolved IP address is safe.
The resolved IP address is looked up in the IP reputation database to judge whether it is safe; if the resolved IP address is judged to be an unsafe IP address, the unsafe IP address is deleted from the response message.
It should be noted that resolution may yield one or more IP addresses; the terminal conventionally holds a plurality of IP addresses, one of which is the preferred IP address, and the terminal accesses the application server according to the preferred IP address.
Further, the data processing apparatus also comprises a message judging unit and a sending unit.
The message judging unit is configured to judge, after the unsafe IP address has been deleted from the response message, whether the number of safe IP addresses in the response message is 0.
The sending unit is configured to send a response message denying access to the terminal when the number of safe IP addresses in the response message is judged to be 0.
After the IP address has been resolved, the unsafe IP address is deleted from the response message; the terminal cannot perceive it and naturally cannot access it, which guarantees the security of the terminal's access to the application server. Whether the number of IP addresses in the response message is 0 is then judged; if it is 0, there is no safe IP address in the response message that could be used, and a response message denying access is sent to the terminal. If the number is not 0, the safe IP addresses are sorted by IP reputation and the response message storing the sorted IP addresses is sent to the terminal; the IP address with the highest IP reputation is placed at the front of the response message as the preferred IP address, and after receiving the response message the terminal accesses the application server according to the preferred IP address, so that the terminal accesses the application server securely.
By the present invention, the IP reputation of each resolved IP address is first looked up and unsafe IP addresses are deleted from the response message, so that the terminal cannot perceive them, which guarantees that the terminal accesses the application server securely. Further, after the unsafe IP addresses are deleted, the safe IP addresses are sorted by IP reputation and the one with the highest IP reputation is used as the preferred IP address for the terminal program to access; thus, when the unsafe IP address was the preferred IP address, the application program can still be used normally once the unsafe address has been deleted. The above method not only guarantees the security of the terminal's access to the application server but also keeps the terminal usable when an unsafe IP address is disabled, thereby solving the problem of low protection performance of network protection systems in the prior art and achieving the effect of improving the protection performance of the network protection system.
It should be noted that the steps shown in the flow charts of the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flow charts, in some cases the steps shown or described can be executed in an order different from the one given here.
The foregoing is only the preferred embodiments of the present invention and is not intended to limit the present invention; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.