CN109743238B - Distributed access system - Google Patents


Info

Publication number
CN109743238B
Authority
CN
China
Prior art keywords
address
node
access
data packet
user
Prior art date
Legal status
Active
Application number
CN201811606024.6A
Other languages
Chinese (zh)
Other versions
CN109743238A (en)
Inventor
赵恩让
匡凡
张晓宁
陈文贤
张子中
贾强
Current Assignee
Beijing Sixin Feiyang Information Technology Co Ltd
Original Assignee
Beijing Sixin Feiyang Information Technology Co Ltd
Priority date
Filing date
Publication date
Events
Application filed by Beijing Sixin Feiyang Information Technology Co Ltd
Priority to CN201811606024.6A
Publication of CN109743238A
Application granted
Publication of CN109743238B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a distributed access system that builds access service nodes, springboard nodes and exit nodes and defines the topological connections between them, so that a user who connects at one point can use the resources of the whole network. On top of distributed address translation and connection tracking, it merges the address pools of multiple operators and regions into a single global resource through an address-resource and bandwidth-resource exchange and scheduling scheme, virtualises the whole distributed access system as one Internet access service, lets users connect through various access modes and share the global address and bandwidth resources, and changes the exit IP address on demand, in real time and dynamically. This satisfies the user's need for concealed access, so that the user is not blocked, traced to the source or profiled.

Description

Distributed access system
Technical Field
The invention belongs to the technical field of network communication, and particularly relates to a distributed access system.
Background
A fixed IP address cannot keep obtaining data from a single source on the network. Access for a particular task usually has a relatively fixed target, and a large number of connection probes or data downloads against one target or a small set of targets (for example, fixed web sites or services) is easily noticed by the other side, which then denies service. The decision to deny service is normally based on behaviour recognition or IP attribute recognition: behaviour recognition records the access frequency and pattern of a single IP address, while attribute recognition relies on a public or self-accumulated IP address attribute database. Because the user cannot change their own IP address at will, the other side's defensive strategy currently cannot be prevented or avoided while countermeasures or data acquisition are carried out.
Anonymous Internet access can be achieved with an ordinary proxy or a VPN, but these do not meet the real requirements of actual service scenarios or the complexity of users' needs, for example: a user initiates many accesses, including many accesses to the same target, and the exit IP needs to be spread over different exit nodes so that the access behaviour is concealed; the user needs to keep the exit IP address unchanged for a period of time; or the user wants to select an exit IP address with specific attributes according to their own needs.
Disclosure of Invention
In order to solve the above problems, the present invention provides a distributed access system that builds an access service node, springboard nodes and an exit node and defines the topological connection relationship among them, achieving "one-point access, whole-network resource availability".
A distributed access system comprises an access service node, an exit node and at least one springboard node;
when a user accesses the Internet, the user's host connects to the access service node and, through a control instruction, selects an exit IP attribute type and the springboard nodes; the exit IP attribute type covers the geographical location, the operator and the nature of the node holding the exit IP. The access service node performs address translation on each access data packet the user sends to the Internet according to the exit IP attribute type, sends the translated packet to the exit node through the springboard nodes the user selected, and the exit node finally sends the translated packet to the Internet;
and when the Internet receives the translated access data packet emitted by the exit node, it generates a response data packet, which returns to the access service node through the same exit node and springboard nodes; the access service node finally returns the response packet to the user's host.
Further, the access service node comprises a configuration module, a first device module, an address translation engine, a first routing module and a first communication module;
after the user selects an exit IP attribute type through a control instruction, the configuration module selects at least one public IP address from a preset public IP address set, adds it to the available public IP address list and places that list in memory; the available public IP address list is initially empty;
after the user selects springboard nodes through a control instruction, the configuration module selects at least one ID number from a preset ID set as the springboard node IDs, adds them to the available ID list and places that list in memory; the available ID list is initially empty;
the first device module receives an access data packet sent to the Internet by the user's host, which carries the host's private IP address, and forwards it to the address translation engine;
the address translation engine randomly selects one address from the available public IP address list as the public IP address, takes the node that owns that address as the exit node, and replaces the private IP address in the header of the access data packet with the exit node's public IP address, completing the address translation; it then sends the translated packet to the first routing module;
the first routing module holds a routing table that stores the one-to-one correspondence between ID numbers and IP addresses; on receiving the translated access data packet, it retrieves the available ID list from memory, looks up the springboard IP address for each ID in the list in the routing table, and prepends the springboard IP addresses to the header of the translated packet one layer at a time in the reverse of the order stored in the available ID list, so that the first springboard in the list is the outermost layer and the message reaches the springboards in the stored order; the result is an access message carrying the translated access data packet, which it forwards to the first communication module;
and the first communication module takes the springboard IP address at the head of the access message as the destination IP address and sends the message to that springboard node.
Further, if there is only one springboard node, that springboard node transmits the access message directly to the exit node;
and if there is more than one springboard node, the access message is forwarded springboard by springboard until it reaches the last one, which transmits it to the exit node.
Further, the access service node further comprises a first connection management engine;
the first connection management engine holds a first connection tracking table that stores a number of connection table entries; the engine checks whether the table already has connection information for the packet and, if so, updates it; if not, it creates a new connection entry. Each entry stores the user's ID number and the transmission path from the access service node to the exit node, and each entry corresponds to one quintuple, that is, to one session generated when the user accesses the Internet.
Further, the exit node comprises a second communication module, a second connection management engine and a second device module;
the second communication module receives the access message forwarded by the springboard node, which carries the translated access data packet, and forwards it to the second device module;
the second device module receives the access message from the second communication module, extracts the translated access data packet it carries and forwards the packet to the second connection management engine;
the second connection management engine builds a second connection tracking table from the translated access data packets forwarded by the second device module; it checks whether the table already has connection information for the packet and, if so, updates it, and if not, creates a new connection entry. The second connection tracking table stores a number of connection entries, each of which stores the ID number of the access service node corresponding to the session generated when the user accesses the Internet and the return path information from the exit node to that access service node; the translated access data packet is then sent directly to the Internet.
Further, the exit node further comprises a second routing module;
the second device module receives a response data packet sent by the Internet and forwards it to the second connection management engine;
the second connection management engine looks up the connection entry in the second connection tracking table to obtain the access service node ID number for the session and the return path information from the exit node to the access service node, then prepends the IP addresses in the return path information to the header of the response data packet layer by layer in reverse order, producing a response message;
the second connection management engine sends the response message to the second routing module;
the second routing module forwards the response message to the second communication module;
and the second communication module sends the response message back to the springboard node.
Further, if there is only one springboard node, that springboard node transmits the response message directly to the access service node;
if there is more than one springboard node, the response message is forwarded springboard by springboard back to the first springboard node, and the ID number of the access service node belonging to the same session, obtained by the second connection management engine from the second connection tracking table, determines the access service node to which the response message is finally forwarded.
Further, the first communication module of the access service node receives the response message carrying the response data packet, extracts the response data packet and forwards it to the address translation engine;
the address translation engine obtains the private IP address of the user's host by looking up the first connection tracking table, replaces the public IP address in the header of the response data packet with that private IP address, completing the address translation, and forwards the response message carrying the translated response data packet to the first device module;
and the first device module forwards the response message carrying the translated response data packet to the user's host.
Further, the distributed access system supports changing the user's public IP address per connection, specifically:
when the user initiates access to the Internet again, the configuration module of the access service node selects a group of IP addresses for the user according to the exit IP attribute type the user specified and uses them as the available IP address list; the address translation engine again randomly selects one address from that list, the node owning that address becomes the exit node, and the private IP address in the header of each subsequent data packet the user's host sends to the Internet is replaced with the newly selected public IP address.
Further, the distributed access system supports changing the user's public IP address on a timer, specifically:
at each set time interval, the configuration module of the access service node selects IP addresses for the user according to the specified exit IP attribute type as the available IP address list; the address translation engine again randomly selects one address from that list, the node owning that address becomes the exit node, and the private IP address in the header of each subsequent data packet the user's host sends to the Internet is replaced with the newly selected public IP address.
Further, the distributed access system supports the user changing the public IP address manually, specifically:
the configuration module of the access service node takes the public IP address designated by the user as the available IP address, and the address translation engine replaces the private IP address in the header of each subsequent data packet the user's host sends to the Internet with that newly selected public IP address.
Advantageous effects:
The distributed access system builds access service nodes, springboard nodes and exit nodes with a defined topology, giving "one-point access, whole-network resource availability". Distributed address translation and connection tracking let it pool the addresses of multiple operators and regions as one global resource, scheduled by exchanging address and bandwidth resources, and present the whole system as a single Internet access service: users connect through any access mode, share the global address and bandwidth resources and can change their exit IP address on demand, in real time and dynamically, which conceals their access and prevents them from being blocked, traced to the source or profiled.
Drawings
FIG. 1 is a diagram of a distributed network access system architecture provided by the present invention;
FIG. 2 is a schematic diagram illustrating an interaction flow of an access service node according to the present invention;
FIG. 3 is a schematic diagram of the interaction flow of an exit node provided by the present invention.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
FIG. 1 shows the architecture of the distributed network access system provided in this embodiment. The access network splits the functions of a traditional gateway system into a distributed network access service system made up of an access service subsystem, a springboard node subsystem and an exit node subsystem, each of which contains many nodes. The user connects to the access service subsystem through a client. The access service subsystem is a customised gateway: according to the user's requirements it translates the addresses of the user's access data packets into those of an exit node and sends the packets to that exit node through the springboard nodes, and the exit node finally sends them to the Internet. When the Internet's response data packet reaches the exit node, it is sent back through the springboard nodes to the access service subsystem, which repackages it and sends it to the client. A management subsystem manages the system's resources and configuration and monitors its running state.
The inside-out and outside-in packet processing flows are described in detail below with reference to FIG. 2 and FIG. 3.
First, the inside-out processing of access packets is described.
When a user accesses the Internet, the exit IP attribute type and the springboard nodes can be freely chosen through the client; the exit IP attribute type consists of tags such as geographical location, operator and the nature of the node holding the IP.
Referring to the flow of FIG. 2, the first device module receives an access data packet that the user's host sends to the Internet, which carries the host's private IP address, and forwards it to the address translation engine;
in the flow of FIG. 2, the address translation engine randomly selects one address from the available public IP address list (the address pool) as the public IP address, takes the node owning that address as the exit node, replaces the private IP address in the header of the access data packet with the exit node's public IP address to complete the address translation, and sends the translated packet to the first routing module;
referring to the flow of FIG. 2, the first routing module holds a routing table that stores the one-to-one correspondence between ID numbers and IP addresses; after receiving the translated access data packet, it retrieves the available ID list from memory, looks up the springboard IP address for each ID in the list in the routing table, and prepends the springboard IP addresses to the header of the translated packet one layer at a time in the reverse of the order stored in the available ID list, so that the first springboard in the list is the outermost layer and the message reaches the springboards in the stored order; the result is an access message carrying the translated access data packet, which is forwarded to the first communication module. The first communication module takes the springboard IP address at the head of the access message as the destination IP address and sends the message to that springboard node.
If there is only one springboard node, that springboard node transmits the access message directly to the exit node;
and if there is more than one springboard node, the access message is forwarded springboard by springboard until it reaches the last one, which transmits it to the exit node.
Referring to the flow of FIG. 2, the access service node further includes a first connection management engine holding a first connection tracking table that stores a number of connection table entries. The engine checks whether the table already has connection information for the packet and, if so, updates it; if not, it creates a new connection entry. Each entry stores the user's ID number and the transmission path from the access service node to the exit node, and each entry corresponds to one quintuple, that is, to one session generated when the user accesses the Internet.
In the flow of FIG. 3, the second communication module receives the access message forwarded by the springboard node, which carries the translated access data packet, and forwards it to the second device module; the second device module receives that message from the second communication module, extracts the translated access data packet it carries and forwards the packet to the second connection management engine.
Referring to flow (ii) of FIG. 3, the second connection management engine builds the second connection tracking table from the translated access data packets forwarded by the second device module. It checks whether the table already holds connection information for the packet; if so, the information is updated, and if not, a new connection entry is created. The second connection tracking table stores a number of connection entries, each holding the ID number of the access service node for the session generated by the user's Internet access and the return path information from the exit node to that access service node; the translated access data packet is then sent directly to the Internet. This ends the inside-out packet processing flow.
The outside-in processing of response packets is described below.
When the Internet receives the translated access data packet emitted by the exit node, it generates a response data packet. When that response packet reaches the exit node, as shown in flow (iii) of FIG. 3, the second device module receives it and forwards it to the second connection management engine, which looks up the connection entry in the second connection tracking table to obtain the access service node ID for the session and the return path information from the exit node to that access service node; it then prepends the IP addresses in the return path information to the header of the response data packet layer by layer in reverse order, producing a response message. The second connection management engine sends the response message to the second routing module, the second routing module forwards it to the second communication module, and the second communication module sends it back to the springboard node.
If there is only one springboard node, that springboard node transmits the response message directly to the access service node; if there is more than one, the response message is forwarded springboard by springboard back to the first springboard node, and the ID number of the access service node belonging to the same session, obtained by the second connection management engine from the second connection tracking table, determines the access service node to which the response message is finally forwarded.
Referring to the flow of FIG. 2, the first communication module of the access service node receives the response message carrying the response data packet, extracts the response data packet and forwards it to the address translation engine; the address translation engine obtains the private IP address of the user's host by looking up the first connection tracking table, replaces the public IP address in the header of the response data packet with that private IP address to complete the address translation, and forwards the response message carrying the translated response data packet to the first device module; the first device module forwards that response message to the user's host. This ends the outside-in packet processing flow.
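The inside-out and outside-in flows described above, both in the disclosure (access service node, springboard nodes, exit node, and the two connection tracking tables) and in the FIG. 2 and FIG. 3 walk-through of this embodiment, can be exercised end to end in a small simulation. The following is an added example written for this page, not code from the patent or its assignee. The node IDs and IP addresses, the representation of the layered springboard addresses as a hop list, the `trail` each springboard appends itself to so that the exit node can record the return path, the `origin` field that lets the first springboard find the owning access service node, and the assumption that only the IP address (not the port) is rewritten are all assumptions of the example.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple

class Packet(NamedTuple):            # header fields forming the session quintuple; also the conntrack key
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self) -> "Packet":     # quintuple of the packets flowing the other way
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)

@dataclass
class Message:
    hops: List[str]                  # springboard IPs still to visit, outermost (next) first
    packet: Packet                   # the address-translated data packet carried inside
    origin: str                      # ID of the access service node that owns the session (assumed field)
    inbound: bool = False            # True for a response message travelling back
    trail: List[str] = field(default_factory=list)  # springboards already traversed (assumed field)

# Constructed topology; the addresses and IDs are assumptions, not taken from the patent.
SPRINGBOARDS = {"sb-1": "203.0.113.1", "sb-2": "203.0.113.2", "sb-3": "203.0.113.3"}  # routing table: ID -> IP
EGRESS_BY_PUBLIC_IP = {"198.51.100.10": "exit-A", "198.51.100.20": "exit-B"}          # exit IP -> exit node

class AccessServiceNode:
    def __init__(self, node_id: str, public_ips: List[str], ids: List[str], rng: random.Random):
        self.node_id, self.rng = node_id, rng
        self.available_public_ips = public_ips             # filled by the configuration module
        self.available_ids = ids                           # springboard IDs the user selected
        self.conntrack: Dict[Packet, dict] = {}            # first connection tracking table

    def outbound(self, pkt: Packet) -> Message:
        """Address translation engine and first routing module (inside-out)."""
        entry = self.conntrack.get(pkt)
        if entry is None:                                  # new session: choose exit IP and path once
            entry = {"private_ip": pkt.src,
                     "public_ip": self.rng.choice(self.available_public_ips),
                     "path": [SPRINGBOARDS[i] for i in self.available_ids]}
            self.conntrack[pkt] = entry
            self.conntrack[pkt._replace(src=entry["public_ip"]).reply()] = entry  # for the response
        translated = pkt._replace(src=entry["public_ip"])  # only the address changes (ports assumed kept)
        hops: List[str] = []
        for ip in reversed(entry["path"]):                 # prepend layer by layer in reverse order ...
            hops.insert(0, ip)                             # ... so the first springboard is outermost
        return Message(hops, translated, self.node_id)

    def inbound(self, msg: Message) -> Packet:             # reverse translation of a response
        return msg.packet._replace(dst=self.conntrack[msg.packet]["private_ip"])

class Springboard:
    def __init__(self, ip: str):
        self.ip = ip

    def forward(self, msg: Message) -> str:
        """Peel this node's layer; return the next springboard IP, the exit node or the access node."""
        if not msg.hops or msg.hops[0] != self.ip:
            raise ValueError(f"message not addressed to springboard {self.ip}")
        msg.trail.append(msg.hops.pop(0))
        if msg.hops:
            return msg.hops[0]
        return msg.origin if msg.inbound else EGRESS_BY_PUBLIC_IP[msg.packet.src]

class EgressNode:
    def __init__(self, node_id: str):
        self.node_id = node_id
        self.conntrack: Dict[Packet, dict] = {}            # second connection tracking table

    def to_internet(self, msg: Message) -> Packet:         # store access node ID + return path, emit packet
        self.conntrack[msg.packet.reply()] = {"access_node": msg.origin,
                                              "return_path": list(reversed(msg.trail))}
        return msg.packet

    def from_internet(self, resp: Packet) -> Message:
        entry = self.conntrack[resp]
        return Message(list(entry["return_path"]), resp, entry["access_node"], inbound=True)

def relay(msg: Message, springboards: Dict[str, Springboard]) -> str:
    nxt = msg.hops[0]                                      # communication module: send to the outermost hop
    while nxt in springboards:
        nxt = springboards[nxt].forward(msg)
    return nxt                                             # exit node (forward) or access node (return)

def simulate(seed: int = 7) -> dict:
    rng = random.Random(seed)
    access = AccessServiceNode("asn-1", list(EGRESS_BY_PUBLIC_IP), ["sb-1", "sb-3"], rng)
    springboards = {ip: Springboard(ip) for ip in SPRINGBOARDS.values()}
    egresses = {name: EgressNode(name) for name in EGRESS_BY_PUBLIC_IP.values()}
    host_pkt = Packet("10.0.0.5", 40000, "192.0.2.80", 443)    # constructed request from the user's host
    msg = access.outbound(host_pkt)
    exit_node = egresses[relay(msg, springboards)]
    wire = exit_node.to_internet(msg)
    back = exit_node.from_internet(wire.reply())                # constructed reply from the Internet
    delivered = access.inbound(back) if relay(back, springboards) == access.node_id else None
    sticky = access.outbound(host_pkt).packet.src == wire.src   # same quintuple -> same exit IP
    return {"exit_ip": wire.src, "exit_node": exit_node.node_id, "forward_route": msg.trail,
            "return_route": back.trail, "delivered": delivered, "sticky": sticky}
```

`simulate()` returns the exit IP that was drawn, the springboard order on each leg and the packet finally delivered to the host; the second `outbound()` call with the same quintuple shows the first connection tracking table keeping a session on one exit address. Because that table is keyed by the quintuple in both directions, the response has to come back to the same access service node that translated the request, which is why the exit node records the access node ID alongside the return path, and why a springboard refuses a message whose outermost layer is not its own address.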
Further, the distributed access system provided in this embodiment supports changing the user's public IP address per connection, specifically:
when the user initiates access to the Internet again, the configuration module of the access service node selects a group of IP addresses for the user according to the exit IP attribute type the user specified and uses them as the available IP address list; the address translation engine again randomly selects one address from that list, the node owning that address becomes the exit node, and the private IP address in the header of each subsequent data packet the user's host sends to the Internet is replaced with the newly selected public IP address.
Further, the distributed access system provided in this embodiment also supports changing the user's public IP address on a timer, specifically:
at each set time interval, the configuration module of the access service node selects IP addresses for the user according to the specified exit IP attribute type as the available IP address list; the address translation engine again randomly selects one address from that list, the node owning that address becomes the exit node, and the private IP address in the header of each subsequent data packet the user's host sends to the Internet is replaced with the newly selected public IP address.
Further, the distributed access system provided in this embodiment also supports the user changing the public IP address manually, specifically:
the configuration module of the access service node takes the public IP address designated by the user as the available IP address, and the address translation engine replaces the private IP address in the header of each subsequent data packet the user's host sends to the Internet with that newly selected public IP address.
The distributed network access method is therefore realised on address translation and connection tracking; it achieves "one-point access, whole-network resource availability", raises the utilisation of the IP resources in the NAT system and flexibly offers diverse exit node types, so the user's real IP address is well hidden and tracing to the source and profiling are prevented.
The distributed access service designed in this embodiment provides users with Internet access and with management of their access policy. A user connected to the access service uses the Internet just as through an ordinary proxy or gateway, transparently consuming the service of the distributed system while, by policy, drawing on every IP address resource the system holds. When accessing the Internet the user only has to tell the access service, through a control instruction, the required exit IP attributes and springboard path; the exit and the path are thus controlled per access, which raises the difficulty of targeted tracing by an attacker and achieves protection against profiling.
The present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof, and it will be understood by those skilled in the art that various changes and modifications may be made herein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A distributed access system, characterized in that it comprises an access service node, an exit node and at least one springboard node;
when a user accesses the Internet, the user's host connects to the access service node and, through a control instruction, selects an exit IP attribute type and a springboard node, the exit IP attribute type comprising the geographical location, the operator and the property of the node where the exit IP is located; the access service node performs address translation on an access data packet that the user sends to the Internet according to the exit IP attribute type, then sends the address-translated access data packet to the exit node through the springboard node selected by the user, and finally the exit node sends the address-translated access data packet to the Internet;
when the Internet receives the address-translated access data packet output by the exit node, a response data packet is generated and returned to the access service node through the corresponding exit node and springboard node, and finally the access service node returns the response data packet to the host where the user is located;
the access service node comprises a configuration module, a first device module, an address translation engine, a first routing module and a first communication module;
after the user selects an exit IP attribute type through a control instruction, the configuration module selects at least one public IP address from a preset public IP address set, adds it to an available public IP address list and places that list in memory, the initial state of the available public IP address list being an empty list;
after the user selects a springboard node through a control instruction, the configuration module selects at least one ID number from a preset ID set as the ID number of the springboard node, adds it to an available ID list and places that list in memory, the initial state of the available ID list being an empty list;
the first device module receives an access data packet sent to the Internet by the host where the user is located and forwards it to the address translation engine, the access data packet carrying the private IP address of the host where the user is located;
the address translation engine randomly selects one IP address from the available public IP address list as the public IP address, takes the node corresponding to that IP address as the exit node, replaces the private IP address carried in the header of the access data packet with the public IP address of the exit node to complete the address translation, and finally sends the address-translated access data packet to the first routing module;
a routing table is arranged in the first routing module, storing the one-to-one correspondence between ID numbers and IP addresses; the first routing module receives the address-translated access data packet, calls the available ID list stored in memory, obtains the IP address of the springboard node corresponding to each ID number in the available ID list by looking up the routing table, attaches the obtained springboard node IP addresses to the header of the address-translated access data packet layer by layer in the reverse of the order in which they are stored in the available ID list, thereby obtaining an access message carrying the address-translated access data packet, and forwards the access message to the first communication module;
and the first communication module takes the springboard node IP address carried in the header of the access message as the destination IP address and sends the access message to that springboard node.
2. The distributed access system of claim 1, wherein, if there is only one springboard node, that springboard node transmits the access message directly to the exit node;
and if there is more than one springboard node, the access message is forwarded by each springboard node in turn until it reaches the last springboard node, which transmits it to the exit node.
3. The distributed access system of claim 1, wherein the access service node further comprises a first connection management engine;
the first connection management engine is provided with a first connection tracking table storing a plurality of connection table entries; the first connection management engine judges whether corresponding connection information exists in the first connection tracking table and, if it exists, updates the connection information; if it does not exist, it establishes a connection table entry; each connection table entry stores the user's ID number and information on the transmission path from the access service node to the exit node, and each connection table entry corresponds to a five-tuple, the five-tuples corresponding one to one with the sessions generated when the user accesses the Internet.
4. The distributed access system of claim 1, wherein the exit node comprises a second communication module, a second connection management engine and a second device module;
the second communication module receives the access message forwarded by the springboard node, which carries the address-translated access data packet, and forwards the access message to the second device module;
the second device module receives the access message forwarded by the second communication module, extracts the address-translated access data packet carried in it and forwards that packet to the second connection management engine;
the second connection management engine constructs a second connection tracking table from the address-translated access data packet forwarded by the second device module, judges whether corresponding connection information exists in the second connection tracking table and, if it exists, updates the connection information; if it does not exist, it establishes a connection table entry; the second connection tracking table stores a plurality of connection table entries, each of which stores the ID number of the access service node corresponding to the session generated when the user accesses the Internet and the return path information from the exit node to the access service node; the address-translated access data packet is then sent directly to the Internet.
5. The distributed access system of claim 4, wherein the exit node further comprises a second routing module;
the second device module receives a response data packet sent by the Internet and forwards it to the second connection management engine;
the second connection management engine obtains the access service node ID number corresponding to the session and the return path information from the exit node to the access service node by looking up the connection table entry in the second connection tracking table, and then adds the IP addresses included in the return path information to the header of the response data packet layer by layer in reverse order to obtain a response message;
the second connection management engine sends the response message to the second routing module;
the second routing module forwards the response message to the second communication module;
and the second communication module sends the response message back to the springboard node.
6. The distributed access system of claim 5, wherein, if there is only one springboard node, that springboard node transmits the response message directly to the access service node;
and if there is more than one springboard node, after the response message has been forwarded by each springboard node in turn and reaches the first springboard node, the ID number of the access service node corresponding to the same session is obtained by the second connection management engine by searching the second connection tracking table, and finally the response message is forwarded to the corresponding access service node.
7. The distributed access system of claim 6, wherein:
the first communication module of the access service node receives the response message carrying the response data packet, extracts the response data packet and forwards it to the address translation engine;
the address translation engine obtains the private IP address of the host where the user is located by looking up the first connection tracking table, replaces the public IP address carried in the header of the response data packet with that private IP address to complete the address translation, and then forwards the response message carrying the address-translated response data packet to the first device module;
and the first device module forwards the response message carrying the address-translated response data packet to the host where the user is located.
8. The distributed access system of claim 1, wherein the user is supported in changing the public IP address per connection, specifically:
when the user initiates access to the Internet again, the configuration module of the access service node selects a group of IP addresses for the user according to the exit IP attribute type specified by the user as the available IP address list, the address translation engine again randomly selects one IP address from the available IP address list, the node corresponding to that IP address is used as the exit node, and the private IP address carried in the header of subsequent data packets sent to the Internet by the host where the user is located is replaced with the newly selected public IP address.
9. The distributed access system of claim 1, wherein the user is supported in changing the public IP address over time, specifically:
at every set time interval, the configuration module of the access service node selects an IP address for the user as an available IP address according to the exit IP attribute type specified by the user, the address translation engine again randomly selects one IP address from the available IP address list, the node corresponding to that IP address is used as the exit node, and the private IP address carried in the header of subsequent data packets sent to the Internet by the host where the user is located is replaced with the newly selected public IP address.
10. The distributed access system of claim 1, wherein the user is supported in changing the public IP address manually, specifically:
the configuration module of the access service node selects a public network IP address designated by the user as the available IP address, and the address translation engine replaces the private IP address carried in the header of subsequent data packets sent to the Internet by the host where the user is located with the newly selected public IP address.
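The address translation engine and its five-tuple connection tracking table (claims 1, 3 and 7), together with the three exit-change policies of claims 8 to 10, can be sketched in a few dozen lines. The block below is an editorial example added to this page; it is not code from the patent or from the applicant. The address pool, its attribute labels and the source-port remapping step are assumptions of the example (the claims say nothing about port translation, only about replacing the IP address).

```python
import random
from dataclasses import dataclass

# Constructed sample of the "preset public IP address set" of claim 1, tagged
# with the three attribute kinds the claim names (geographical location,
# operator, property of the node). Addresses are documentation-range values
# and the labels are hypothetical.
PUBLIC_IP_SET = {
    "203.0.113.10": {"region": "north", "operator": "op-a", "kind": "datacenter"},
    "203.0.113.11": {"region": "north", "operator": "op-b", "kind": "datacenter"},
    "198.51.100.20": {"region": "south", "operator": "op-a", "kind": "residential"},
    "198.51.100.21": {"region": "south", "operator": "op-b", "kind": "residential"},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes = b""

    def five_tuple(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)


def available_public_ips(**attrs):
    """Configuration module: the available list starts empty and receives every
    address of the preset set that matches all attributes the user asked for."""
    return [ip for ip, a in PUBLIC_IP_SET.items()
            if all(a.get(k) == v for k, v in attrs.items())]


class AddressTranslationEngine:
    """Source NAT keyed by a five-tuple connection tracking table (claims 1, 3, 7)."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)
        self.conntrack = {}        # reply five-tuple -> original private five-tuple
        self.exit_ip = None        # currently selected public IP
        self.exit_chosen_at = 0.0

    def choose_exit(self, available, policy="connection", now=0.0,
                    interval=0.0, manual=None):
        """Claims 8 to 10: pick a new exit per connection, after a set interval,
        or on the user's explicit designation. Returns the public IP to use."""
        if not available:
            raise ValueError("available public IP address list is empty")
        if policy == "manual":
            if manual not in available:
                raise ValueError("designated address is not in the available list")
            self.exit_ip = manual
        elif policy == "time":
            if self.exit_ip is None or now - self.exit_chosen_at >= interval:
                self.exit_ip = self.rng.choice(available)
                self.exit_chosen_at = now
        else:                      # "connection": every new session draws afresh
            self.exit_ip = self.rng.choice(available)
        return self.exit_ip

    def translate_out(self, pkt, exit_ip):
        """Replace the private source address with the exit's public address and
        record the mapping under the key the Internet's reply will carry."""
        sport = pkt.sport
        key = (pkt.dst, exit_ip, pkt.proto, pkt.dport, sport)
        # Two hosts behind the same exit may reuse a source port; remapping the
        # port keeps the reply key unique. The claims do not mention port
        # translation, so this step is an addition of the example.
        while key in self.conntrack and self.conntrack[key] != pkt.five_tuple():
            sport = self.rng.randrange(49152, 65536)
            key = (pkt.dst, exit_ip, pkt.proto, pkt.dport, sport)
        self.conntrack[key] = pkt.five_tuple()
        return Packet(exit_ip, pkt.dst, pkt.proto, sport, pkt.dport, pkt.payload)

    def translate_back(self, reply):
        """Reverse translation for a response: look the reply up by its five-tuple;
        a reply with no tracked session is dropped rather than forwarded to a
        guessed host."""
        orig = self.conntrack.get(reply.five_tuple())
        if orig is None:
            return None
        private_src, _, proto, private_sport, _ = orig
        return Packet(reply.src, private_src, proto, reply.sport, private_sport,
                      reply.payload)


def demo():
    """One session: outbound translation, then the reply mapped back to the host."""
    engine = AddressTranslationEngine(seed=7)
    pool = available_public_ips(region="north")
    host_pkt = Packet("10.0.0.5", "93.184.216.34", "tcp", 40000, 443, b"GET /")
    out = engine.translate_out(host_pkt, engine.choose_exit(pool))
    reply = Packet(out.dst, out.src, out.proto, out.dport, out.sport, b"200 OK")
    return out, engine.translate_back(reply)
```

Two behaviours worth noting for anyone operating such a node: a reply that matches no tracking entry is discarded instead of being sent to some host, and the tracking table is keyed by the full five-tuple, so rotating the exit address under the "time" policy does not break sessions that were opened through the earlier address.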
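The path handling of the first routing module (claim 1), the hop-by-hop stripping at each springboard (claim 2) and the exit node's return-path record (claims 4 to 6) form the second half of the data plane. The simulation below is likewise an added example and not the patent's or the applicant's code. The topology, the use of plain IP strings as "headers", and the `trail` field by which the exit node learns which nodes the message traversed are assumptions of this example; the claims only state that the exit stores return path information, not how it obtains it.

```python
from dataclasses import dataclass, field

# Constructed topology: springboard ID -> IP (the routing table of claim 1),
# one exit node and one access service node. Documentation-range addresses.
ROUTING_TABLE = {1: "192.0.2.1", 2: "192.0.2.2", 3: "192.0.2.3"}
EXIT_IP = "203.0.113.10"
ACCESS_SERVICE_ID, ACCESS_SERVICE_IP = 42, "192.0.2.100"


@dataclass
class Message:
    """Header stack around a data packet. stack[-1] is the outermost header,
    i.e. the next hop. trail records nodes already traversed (an assumption of
    this example, so that the exit node can derive the return path)."""
    stack: list
    inner: dict
    origin_id: int
    trail: list = field(default_factory=list)


def build_access_message(packet, available_ids, routing_table=ROUTING_TABLE,
                         exit_ip=EXIT_IP):
    """First routing module: resolve each springboard ID through the routing table
    and push the hops in reverse list order, so the first springboard ends up on
    top (outermost) and the exit node at the bottom."""
    path = [routing_table[i] for i in available_ids] + [exit_ip]
    stack = []
    for hop in reversed(path):
        stack.append(hop)
    return Message(stack, packet, ACCESS_SERVICE_ID, [ACCESS_SERVICE_IP])


def relay(msg, my_ip):
    """A springboard (or the exit) strips its own header and returns the next hop,
    or None once the stack is exhausted. A header naming a different node means
    the message was misrouted and is refused rather than forwarded."""
    if not msg.stack or msg.stack[-1] != my_ip:
        raise ValueError(f"{my_ip}: message not addressed to this node")
    msg.stack.pop()
    msg.trail.append(my_ip)
    return msg.stack[-1] if msg.stack else None


class ExitNode:
    """Second connection management engine: per session five-tuple it remembers
    the originating access service ID and the return path (claims 4 and 5)."""

    def __init__(self, ip):
        self.ip = ip
        self.conntrack = {}

    def egress(self, msg):
        if relay(msg, self.ip) is not None:
            raise ValueError("exit node must be the innermost header")
        pkt = msg.inner
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        # Return path: nodes traversed so far, reversed, without the exit itself.
        self.conntrack.setdefault(key, (msg.origin_id, list(reversed(msg.trail[:-1]))))
        return pkt  # handed to the Internet; the NAT happened at the access node

    def build_response_message(self, reply):
        """Wrap the Internet's reply in the return path, pushed in reverse order
        exactly like the outbound stack. An unsolicited packet has no entry and
        is not routed back into the system."""
        key = (reply["dst"], reply["src"], reply["dport"], reply["sport"])
        if key not in self.conntrack:
            return None
        origin_id, return_path = self.conntrack[key]
        stack = []
        for hop in reversed(return_path):
            stack.append(hop)
        return Message(stack, reply, origin_id)


def simulate(available_ids):
    """Drive one session out and back; returns the ordered node visits."""
    pkt = {"src": EXIT_IP, "dst": "93.184.216.34", "sport": 40000, "dport": 443}
    msg = build_access_message(pkt, available_ids)
    outbound, hop = [], msg.stack[-1]
    while hop != EXIT_IP:
        outbound.append(hop)
        hop = relay(msg, hop)
    exit_node = ExitNode(EXIT_IP)
    exit_node.egress(msg)
    outbound.append(EXIT_IP)
    reply = {"src": pkt["dst"], "dst": pkt["src"], "sport": pkt["dport"], "dport": pkt["sport"]}
    resp = exit_node.build_response_message(reply)
    inbound, hop = [], resp.stack[-1]
    while hop != ACCESS_SERVICE_IP:
        inbound.append(hop)
        hop = relay(resp, hop)
    inbound.append(ACCESS_SERVICE_IP)
    return outbound, inbound
```

Running `simulate([1, 2])` visits springboards 1 and 2 and then the exit on the way out, and springboards 2 and 1 and then the access service node on the way back; with a single ID the springboard hands the message straight to the exit and straight back to the access service node, which is the case claims 2 and 6 single out. Each node only ever sees the header addressed to it and the one beneath, which is the property that makes the multi-hop path opaque to any one relay.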

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811606024.6A CN109743238B (en) 2018-12-27 2018-12-27 Distributed access system

Publications (2)

Publication Number Publication Date
CN109743238A CN109743238A (en) 2019-05-10
CN109743238B true CN109743238B (en) 2021-07-30

Family

ID=66360021

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811606024.6A Active CN109743238B (en) 2018-12-27 2018-12-27 Distributed access system

Country Status (1)

Country Link
CN (1) CN109743238B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110557462B (en) * 2019-07-26 2022-11-25 北京天元特通科技有限公司 Distributed access system based on public agent
CN112416514B (en) * 2020-11-19 2022-11-08 山东可信云信息技术研究院 Virtual machine starting credibility measuring method, system, storage medium and equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101217536A (en) * 2007-12-28 2008-07-09 腾讯科技(深圳)有限公司 A method, system and client to traverse network address transferring device/firewall
CN101321128A (en) * 2008-06-27 2008-12-10 中国科学院计算技术研究所 Communication equipment, communication network system and communication method
CN101594263A (en) * 2009-01-09 2009-12-02 成都四方信息技术有限公司 System to monitoring network communication data packets
US7742479B1 (en) * 2006-12-01 2010-06-22 Cisco Technology, Inc. Method and apparatus for dynamic network address reassignment employing interim network address translation
CN104601738A (en) * 2014-12-09 2015-05-06 国家计算机网络与信息安全管理中心 Distributed network address translation system

Also Published As

Publication number Publication date
CN109743238A (en) 2019-05-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 2351, floor 2, building 23, No. 18, anningzhuang East Road, Haidian District, Beijing 100085

Applicant after: Beijing Sixin Feiyang Information Technology Co., Ltd

Address before: Room 203, 2nd floor, 3rd floor, Tiandi Neighboring Fengfeng Project, No. 1 North Yongtaizhuang Road, Haidian District, Beijing, 100192

Applicant before: BEIJING YUANTEK INFORMATION TECHNOLOGY Co.,Ltd.

GR01 Patent grant