CN110768983B - Message processing method and device - Google Patents

Info

Publication number
CN110768983B
Authority
CN
China
Prior art keywords
port
message
destination
address
server
Prior art date
Legal status
Active
Application number
CN201911016775.7A
Other languages
Chinese (zh)
Other versions
CN110768983A (en)
Inventor
岳炳词
徐庆伟
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/142 Denial of service attacks against network infrastructure

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the application provide a packet processing method and a packet processing device. A firewall receives a first packet sent to a server; obtains the source IP address and the destination port of the first packet; searches a zone port table for a first zone port that matches the source IP address of the first packet, where the zone port table records the correspondence between source IP addresses and zone ports; if the first zone port and the destination port of the first packet are the same port, allows the first packet to be sent to the server; otherwise, discards the first packet. With this processing, interruption of the network service can be avoided to a certain extent.

Description

Message processing method and device
Technical Field
The present application relates to the field of Internet technologies, and in particular to a packet processing method and apparatus.
Background
DDoS (Distributed Denial of Service) refers to a network attacker controlling many user terminals by malicious means and, through a malicious application on those terminals, sending a large number of useless attack packets to the attacked server, so that the server consumes a large amount of resources processing the attack packets and cannot process the normal packets of the network service.
In the related art, the rate of packets received by the server may be monitored; when the packet rate exceeds a preset rate threshold, the server may be judged to be under network attack, and part of the received packets may be discarded.
However, in the related art, when the packet rate exceeds the preset rate threshold, the normal packets of the network service cannot be distinguished from the attack packets, so normal packets may be discarded as well, which may interrupt the network service.
Disclosure of Invention
An object of the embodiments of the present application is to provide a packet processing method and apparatus that can avoid interruption of a network service to a certain extent. The specific technical scheme is as follows:
In a first aspect, the present application provides a packet processing method, applied to a firewall, which includes:
receiving a first packet sent to a server;
obtaining the source Internet Protocol (IP) address and the destination port of the first packet;
searching a zone port table for a first zone port that matches the source IP address of the first packet, where the zone port table records the correspondence between source IP addresses and zone ports;
if the first zone port and the destination port of the first packet are the same port, allowing the first packet to be sent to the server; otherwise, discarding the first packet.
Optionally, the zone port table further includes the real destination port of the server;
when the destination port of the first packet and the zone port found in the zone port table are the same port, the method further includes:
determining, in the zone port table, the real destination port of the server that matches the source IP address and the destination port of the first packet, so as to convert the first zone port carried by the first packet into the real destination port of the server;
and, after the destination port of the first packet has been converted into the real destination port found, forwarding the converted first packet to the server according to that real destination port.
Optionally, the method further includes:
receiving a first response packet sent by the server in response to the first packet;
obtaining the destination IP address and the source port of the first response packet;
matching the destination IP address of the first response packet against the source IP addresses in the zone port table, and its source port against the real destination ports of the server, to determine the corresponding zone port in the zone port table;
converting the source port of the first response packet into the zone port found in the zone port table;
and forwarding the converted first response packet according to its destination IP address.
Optionally, before searching the zone port table for the first zone port that matches the source IP address of the first packet, the method further includes:
judging whether the destination port of the first packet is the real destination port of the server;
and, if the destination port of the first packet is not the real destination port of the server, executing the step of searching the zone port table for the first zone port that matches the source IP address of the first packet.
Optionally, the method further includes:
if the destination port of the first packet is the real destination port of the server, judging whether the first packet is a legitimate packet;
and, if the first packet is a legitimate packet, sending to the user terminal that sent the first packet a port mapping table containing the correspondence between the first zone port, the destination IP address of the first packet and the destination port of the first packet.
In a second aspect, the present application provides a packet processing method, applied to a user terminal, which includes:
obtaining a packet to be sent by the user terminal to a server;
obtaining the destination Internet Protocol (IP) address and the destination port of the packet to be sent;
searching a port mapping table for a second zone port that matches the destination IP address and the destination port of the packet to be sent, where the port mapping table records the correspondence between destination IP addresses, destination ports and zone ports;
converting the destination port of the packet to be sent into the second zone port to generate a first packet;
and sending the first packet.
Optionally, the method further includes:
receiving a converted first response packet sent by a firewall, where the first response packet is a packet sent by the server in response to the first packet;
obtaining the source IP address and the source port of the converted first response packet;
matching the source IP address and the source port of the converted first response packet against the destination IP addresses and zone ports in the port mapping table to determine the corresponding destination port;
converting the source port of the converted first response packet into the destination port found in the port mapping table, to recover the first response packet;
and delivering the first response packet to the application layer of the user terminal.
In a third aspect, the present application provides a packet processing apparatus, applied to a firewall, which includes:
a receiving module, configured to receive a first packet sent to a server;
an obtaining module, configured to obtain the source Internet Protocol (IP) address and the destination port of the first packet;
a searching module, configured to search a zone port table for a first zone port that matches the source IP address of the first packet, where the zone port table records the correspondence between source IP addresses and zone ports;
a first processing module, configured to allow the first packet to be sent to the server if the first zone port and the destination port of the first packet are the same port;
and a discarding module, configured to discard the first packet if the first zone port and the destination port of the first packet are not the same port.
Optionally, the zone port table further includes the real destination port of the server;
and the apparatus further includes:
a forwarding module, configured to determine, in the zone port table, the real destination port of the server that matches the source IP address and the destination port of the first packet, so as to convert the first zone port carried in the first packet into the real destination port of the server;
and, after the destination port of the first packet has been converted into the real destination port found, to forward the converted first packet to the server according to that real destination port.
Optionally, the apparatus further includes:
a second processing module, configured to receive a first response packet sent by the server in response to the first packet;
obtain the destination IP address and the source port of the first response packet;
match the destination IP address of the first response packet against the source IP addresses in the zone port table, and its source port against the real destination ports of the server, to determine the corresponding zone port in the zone port table;
convert the source port of the first response packet into the zone port found in the zone port table;
and forward the converted first response packet according to its destination IP address.
Optionally, the apparatus further includes:
a judging module, configured to judge whether the destination port of the first packet is the real destination port of the server;
and, if the destination port of the first packet is not the real destination port of the server, to trigger the searching module.
Optionally, the apparatus further includes:
a sending module, configured to judge whether the first packet is a legitimate packet if the destination port of the first packet is the real destination port of the server;
and, if the first packet is a legitimate packet, to send to the user terminal that sent the first packet a port mapping table containing the correspondence between the first zone port, the destination IP address of the first packet and the destination port of the first packet.
In a fourth aspect, the present application provides a packet processing apparatus, applied to a user terminal, which includes:
a first obtaining module, configured to obtain a packet to be sent by the user terminal to a server;
a second obtaining module, configured to obtain the destination Internet Protocol (IP) address and the destination port of the packet to be sent;
a searching module, configured to search a port mapping table for a second zone port that matches the destination IP address and the destination port of the packet to be sent, where the port mapping table records the correspondence between destination IP addresses, destination ports and zone ports;
a conversion module, configured to convert the destination port of the packet to be sent into the second zone port to generate a first packet;
and a sending module, configured to send the first packet.
Optionally, the apparatus further includes:
a processing module, configured to receive a converted first response packet sent by a firewall, where the first response packet is a packet sent by the server in response to the first packet;
obtain the source IP address and the source port of the converted first response packet;
match the source IP address and the source port of the converted first response packet against the destination IP addresses and zone ports in the port mapping table to determine the corresponding destination port;
convert the source port of the converted first response packet into the destination port found in the port mapping table, to recover the first response packet;
and deliver the first response packet to the application layer of the user terminal.
In a fifth aspect, an electronic device is provided, which includes a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the communication bus;
the memory is configured to store a computer program;
and the processor is configured to implement the method steps of the first aspect when executing the program stored in the memory.
In a sixth aspect, an electronic device is provided, which includes a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the communication bus;
the memory is configured to store a computer program;
and the processor is configured to implement the method steps of the second aspect when executing the program stored in the memory.
In a seventh aspect, a machine-readable storage medium is provided that stores machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method steps of the first aspect.
In an eighth aspect, a machine-readable storage medium is provided that stores machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method steps of the second aspect.
In a ninth aspect, a computer program product is provided comprising instructions which, when run on a computer, cause the computer to perform the method steps of the first aspect described above.
In a tenth aspect, a computer program product is provided comprising instructions which, when run on a computer, cause the computer to perform the method steps of the second aspect described above.
Embodiments of the application provide a packet processing method in which the user terminal obtains the destination IP address and destination port of a packet to be sent to a server, searches the port mapping table for the second zone port that matches them, converts the destination port of the packet to be sent into the second zone port to obtain a first packet, and sends the first packet. Correspondingly, the firewall receives the first packet, obtains its source IP address and destination port, searches the zone port table for the first zone port that matches the source IP address, and, if the first zone port and the destination port of the first packet are the same port, allows the first packet to be sent to the server; otherwise it discards the first packet.
Thus the user terminal converts the destination port of the packet to be sent according to the port mapping table, and, correspondingly, when the firewall finds that the destination port of a received packet equals the zone port matched to its source IP address in the zone port table, the received packet is a normal packet sent by a user terminal and the firewall forwards it; otherwise the firewall discards it. Attacks are thereby blocked while interruption of the network service is avoided to a certain extent.
Of course, not all of the above advantages need be achieved by any one product or method practising the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is an architecture diagram of a network provided by an embodiment of the present application;
fig. 2 is a flowchart of a message processing method according to an embodiment of the present application;
fig. 3 is a flowchart of a message processing method according to an embodiment of the present application;
fig. 4 is a flowchart of an example of a message processing method according to an embodiment of the present application;
fig. 5 is a structural diagram of a message processing apparatus according to an embodiment of the present application;
fig. 6 is a structural diagram of a message processing apparatus according to an embodiment of the present application;
fig. 7 is a block diagram of an electronic device according to an embodiment of the present disclosure;
fig. 8 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the related art, when the rate at which the server receives packets is found to exceed the preset rate threshold, part of the received packets is discarded; since the normal packets of the network service cannot be distinguished, normal packets may be discarded too, which may interrupt the network service.
To solve this problem, an embodiment of the present application provides a packet processing method that may be applied to a firewall and to a user terminal.
Referring to fig. 1, fig. 1 is a networking architecture provided in an embodiment of the present application. The networking architecture may include a firewall 101, user terminals 1021, 1022 and 1023, and servers 1031 and 1032. The firewall 101 can obtain the packets transmitted between each user terminal and each server.
The user terminal 1021 obtains a packet to be sent to the server 1031; the packet to be sent carries a destination IP (Internet Protocol) address (the IP address of the server 1031) and a destination port (the real destination port of the server 1031).
The user terminal 1021 searches its port mapping table for the zone port (the second zone port) matching the destination IP address and destination port of the packet to be sent, converts the destination port of the packet to be sent into the second zone port to obtain a first packet, and sends the first packet towards the server 1031.
After receiving the first packet, the firewall 101 obtains its source IP address and destination port and searches the zone port table for the zone port (the first zone port) matching the source IP address of the first packet. If the firewall 101 determines that the first zone port and the destination port of the first packet are the same port, it allows the first packet to be sent to the server; otherwise, the firewall 101 discards the first packet.
In this embodiment, only the case of user terminal 1021 sending a packet to server 1031 is described as an example; the processing when each user terminal in fig. 1 sends packets to each server is similar and is not repeated here.
Therefore, with the packet processing method provided by the embodiment of the application, the user terminal converts the destination port of the packet to be sent according to the port mapping table, and, correspondingly, when the firewall determines that the destination port of a received packet is consistent with the zone port table, the received packet is a normal packet sent by a user terminal and is forwarded; otherwise the received packet is discarded. Attacks are thereby blocked while interruption of the network service is avoided to a certain extent.
Referring to fig. 2, fig. 2 is a flowchart of a packet processing method according to an embodiment of the present disclosure. The method may be applied to a firewall between a user terminal and a server and may include the following steps:
S201: receiving a first packet sent to the server.
In this embodiment, the first packet may be a packet that the user terminal needs to send to the server; the firewall obtains the first packet and determines whether it is a normal packet, so as to process it accordingly.
S202: obtaining the source IP address and the destination port of the first packet.
In this embodiment, after obtaining the first packet, the firewall extracts its source IP address and destination port.
It can be understood that the source IP address of the first packet is the IP address of the user terminal that sent it, and that the destination port of the first packet may be the real destination port of the server that is to respond to it or, if the first packet is an attack packet, some other port.
It should be noted that the real destination port of the server in the present application refers to the application port of the application hosted by the server, which is a logical port. Application ports are generally well-known ports.
S203: searching the zone port table for the first zone port that matches the source IP address of the first packet.
The zone port table records the correspondence between source IP addresses and zone ports.
A zone port is a port allocated according to the geographical zone to which the user terminal belongs, and is a port other than a real destination port of the server (the real destination port of a server hosting a service is generally a well-known port).
In one implementation, the real destination ports of servers lie in the range 1 to 1024 and the zone ports in the range 1025 to 65535. Different zone ports can be allocated to user terminals in different geographical zones; the division into geographical zones can be set by technicians according to experience.
For example, user terminals may be divided by the province they belong to, and the province may be determined from the IP address of the user terminal.
For example, for a user terminal in Henan province that needs to access a Web service, the destination port of the packet it sends is 80, and the zone port corresponding to its IP address may be 2222; for a user terminal in Hebei province that needs to access the same Web service, the destination port of the packet it sends is also 80, and the zone port corresponding to its IP address may be 3333.
The user terminal stores a port mapping table that records the correspondence between destination IP address (the IP address of the server), destination port (the real destination port of the server) and zone port. The user terminal processes packets to be sent to the server according to this table; the processing at the user terminal is described in detail in the following embodiments.
Therefore, after extracting the source IP address and destination port of the first packet, the firewall searches the zone port table for the zone port (the first zone port) matching the source IP address of the first packet, then judges whether the first zone port and the destination port of the first packet are the same port, and processes the packet according to the result.
S204: if the first zone port and the destination port of the first packet are the same port, allowing the first packet to be sent to the server.
In this embodiment, when the firewall determines that the first zone port and the destination port of the first packet are the same port, this indicates that the first packet was produced by the user terminal processing the packet to be sent according to the port mapping table, using the zone port of the geographical zone its IP address belongs to; that is, the first packet is a normal packet, and the firewall allows it to be sent to the server.
S205: if the first zone port and the destination port of the first packet are not the same port, discarding the first packet.
In this embodiment, when the firewall determines that the first zone port and the destination port of the first packet are not the same port, this indicates that the first packet was not produced by the user terminal processing the packet to be sent according to the port mapping table; that is, the first packet is an attack packet, and the firewall discards it.
In addition, the zone port table may further include the IP addresses of the servers that need to be protected. For example, if the servers of company A and company B need to be protected against network attacks, the IP addresses of the servers of company A and company B are added to the zone port table.
Correspondingly, the firewall judges from the destination IP address of the first packet whether it is sent to a server that needs protection; if so, the firewall processes it as described above, and if not, the firewall forwards the first packet directly.
It can be seen that, with the packet processing method provided in the embodiment of the present application, the user terminal converts the destination port of the packet to be sent according to the port mapping table, and, correspondingly, when the firewall determines that the destination port of a received packet equals the zone port matched to its source IP address in the zone port table, the received packet is a normal packet sent by a user terminal and the firewall forwards it; otherwise the firewall discards it. Attacks are thereby blocked while interruption of the network service is avoided to a certain extent.
In addition, with the above processing the real destination port of the server is replaced by the zone port while the packet is in transit, so the real destination port of the server is hidden, which further improves the security of the server.
Optionally, the zone port table further includes the real destination port of the server; correspondingly, when the destination port of the first packet and the zone port found in the zone port table are the same port, the method may further include the following steps:
Step one: determining, in the zone port table, the real destination port of the server that matches the source IP address and the destination port of the first packet, so as to convert the first zone port carried by the first packet into the real destination port of the server.
In this embodiment, if the destination port of the first packet is the same as the zone port found in the zone port table, indicating that the first packet is a normal packet, the firewall searches the zone port table for the real destination port of the server that matches the source IP address and the destination port of the first packet; the real destination port found is the real destination port of the server that the user terminal needs to access.
Step two: after the destination port of the first packet has been converted into the real destination port found, forwarding the converted first packet to the server according to that real destination port.
In this embodiment, after finding in the zone port table the real destination port of the server that matches the source IP address and destination port of the first packet, the firewall converts the destination port of the first packet into that real destination port and forwards the converted packet to the server.
In addition, the firewall can also forward the response packets returned by the server according to the zone port table, so that the network service is processed normally.
Optionally, the method may further include the following steps:
Step 1: receive a first response message sent by the server in response to the first message.
In this embodiment, after the server receives the first message, it may send a message responding to the first message, that is, a first response message, to the user terminal. The source port carried in the first response message is the real destination port of the server.
Step 2: obtain the destination IP address and the source port of the first response message, and match them against the source IP address and the real destination port of the server in the area port table, so as to determine the corresponding area port in the area port table.
In this embodiment, after receiving the first response message, the firewall extracts its destination IP address (the IP address of the user terminal) and its source port (the real destination port of the server) in order to hide the real destination port of the server.
The firewall then matches the destination IP address of the first response message against the source IP address column of the area port table and, at the same time, the source port of the first response message against the real destination port column, determines the entry that matches both, and reads the area port recorded in that entry.
Step 3: convert the source port of the first response message into the area port found in the area port table, and forward the converted first response message according to its destination IP address.
In this embodiment, after determining the matching area port in the area port table, the firewall converts the source port of the first response message (the real destination port of the server) into that area port and forwards the converted first response message to the corresponding user terminal according to its destination IP address.
Optionally, before S203 the method may further include: judging whether the destination port of the first message is the real destination port of the server, and executing S203 only if it is not.
In this embodiment, after extracting the destination port of the first message, the firewall may judge whether it is the real destination port of the server. Since the real destination port of the server is generally a well-known port, this judgement can in practice be implemented by checking whether the destination port of the first message is a well-known port; correspondingly, if the destination port of the first message is not a well-known port, S203 is executed.
When the firewall determines that the destination port of the first message is not the real destination port of the server, the first message may have been produced by processing the message to be sent according to the port mapping table, using the area port corresponding to the geographic area to which the IP address of the user terminal belongs. Correspondingly, the firewall executes S203 to determine whether the first message is a normal message.
Optionally, after judging whether the destination port of the first message is the real destination port of the server, the method may further include the following steps:
Step one: if the destination port of the first message is the real destination port of the server, judge whether the first message is a legal message.
In this embodiment, if the destination port of the first message is the real destination port of the server, there are two possible situations:
Case one: the first message is a normal message, and the user terminal did not convert its destination port because the user terminal does not yet have a port mapping table;
Case two: the first message is an attack message.
Therefore, when the destination port of the first message is determined to be the real destination port of the server, the firewall further judges whether the first message is a legal message.
In one implementation, taking the handshake of a TCP (Transmission Control Protocol) connection as an example, the firewall judges whether the first message is the first packet of the handshake, that is, a TCP SYN (synchronize sequence numbers) packet. If it is, the first message is judged legal; if it is not, for example if it is a TCP ACK (acknowledgement) packet, the first message is judged not legal. For subsequent messages of a TCP connection, legality can be judged by matching the message against an existing session.
Step two: if the first message is a legal message, send to the user terminal that sent the first message a port mapping table containing the correspondence between the first area port, the destination IP address of the first message and the destination port of the first message. In one implementation, the firewall writes the port mapping table into a plug-in program and sends it to the user terminal; once the user terminal installs the plug-in, the port mapping table is established automatically.
In this embodiment, when the firewall determines that the first message is a legal message, it sends the user terminal a port mapping table containing the correspondence between the first area port, the destination IP address of the first message and the destination port of the first message.
Subsequently, the user terminal converts the destination port of each message to be sent into the corresponding area port according to the port mapping table and sends the converted message.
When the firewall determines that the first message is not a legal message, it may discard the first message directly, and may also send an alarm message to a preset terminal.
It should be noted that a destination port which is neither the real destination port of the server nor the first area port may be an area port belonging to a different geographic area. This can occur when a malicious attacker learns the area port corresponding to one geographic area and rewrites the destination port of attack messages sent from user terminals in all geographic areas to that area port.
For example, continuing the example above, a malicious attacker learns that one area port is 2222 and rewrites the destination port of attack messages sent from user terminals in all geographic areas to 2222.
The firewall then receives messages from user terminals belonging to Hebei whose destination port is also 2222, whereas a message from a user terminal belonging to Hebei that had actually been converted by the user terminal would carry destination port 3333. The firewall determines that the destination port of these messages does not match the area port table and discards them, so the attack messages are blocked.
In one implementation, a first area port table and a second area port table may be configured in the firewall.
The first area port table records the correspondence between the IP address of the user terminal, the IP address of the server, the area port and the real destination port of the server.
After receiving the first message, if its destination port is not the real destination port of the server, the firewall first queries the first area port table.
If the first area port table contains an entry matching the IP address of the user terminal, the IP address of the server and the area port carried in the first message, the firewall takes the real destination port of the server recorded in that entry, converts the area port carried in the first message into it, and forwards the converted first message.
If the first area port table contains no such entry, this indicates that the firewall may be receiving a message from this user terminal to this server for the first time, and the firewall queries the second area port table, which records the correspondence between the geographic area, the IP address of the server, the area port and the real destination port of the server.
If the second area port table contains no entry matching the geographic area to which the IP address of the user terminal belongs, the IP address of the server carried in the first message and the area port carried in the first message, the first message is determined to be an attack message and is discarded.
If the second area port table does contain such an entry, the firewall takes the real destination port of the server recorded in it, converts the area port carried in the first message into that real destination port, forwards the converted first message, and then generates a corresponding entry in the first area port table.
In addition, to save memory on the firewall, an aging time can be configured for the first area port table. For each entry, the firewall resets the aging timer whenever it receives a message matching the entry; if no further matching message arrives before the aging time elapses since the last match, the entry is deleted. This saves memory and improves the efficiency of querying the first area port table.
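The firewall-side decision logic of the preceding paragraphs (the well-known-port check before S203, the TCP SYN legality test, the two area port tables and the aging of the first table), as an added worked example in Python that is not part of the patent or of any H3C product. The addresses, geographic areas, the prefix-based geolocation, the aging clock and the session key are assumed for illustration; the port numbers 2222 and 3333 follow the Hebei example above. A production firewall would key sessions on the full 5-tuple and consult a geo-IP database rather than a prefix list.

```python
"""Firewall decisions for messages hitting the real port or an area port,
with the two area port tables and aging. Added example, not patent code;
addresses, areas, ports, geolocation and clock are all assumed."""
import ipaddress
from dataclasses import dataclass, field

SERVER_IP = "203.0.113.10"   # constructed server address
REAL_PORT = 80               # assumed well-known real destination port

# Second area port table: (geographic area, server IP, area port) -> real port.
# Constructed entries; 2222 and 3333 follow the Hebei example in the text.
SECOND_TABLE = {
    ("Beijing", SERVER_IP, 2222): REAL_PORT,
    ("Hebei", SERVER_IP, 3333): REAL_PORT,
}

# Constructed prefix-to-area mapping standing in for a geo-IP database.
GEO_PREFIXES = [
    (ipaddress.ip_network("198.51.100.0/24"), "Beijing"),
    (ipaddress.ip_network("192.0.2.0/24"), "Hebei"),
]


def area_of(ip):
    """Geographic area of a source IP, or None if it is not in the map."""
    addr = ipaddress.ip_address(ip)
    for net, area in GEO_PREFIXES:
        if addr in net:
            return area
    return None


def area_port_for(area, server_ip, real_port):
    """Area port the second table assigns to (area, server, real port)."""
    for (t_area, t_ip, area_port), t_real in SECOND_TABLE.items():
        if (t_area, t_ip, t_real) == (area, server_ip, real_port):
            return area_port
    return None


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


@dataclass
class Firewall:
    aging_seconds: float = 60.0
    # First area port table: (client IP, server IP, area port) -> [real port, last match]
    first_table: dict = field(default_factory=dict)
    # Sessions opened by a legal SYN on the real port, keyed (client, server) here.
    sessions: set = field(default_factory=set)

    def classify(self, pkt, now):
        """Return (action, detail) for one inbound message at time `now`."""
        if pkt.dst_port == REAL_PORT:
            return self._real_port_path(pkt)
        return self._area_port_path(pkt, now)

    def _real_port_path(self, pkt):
        # Case one: a terminal without a port mapping table opening a TCP
        # connection. Only the first packet of the handshake (SYN without ACK)
        # is legal; later packets of that connection must match the session.
        if pkt.syn and not pkt.ack:
            self.sessions.add((pkt.src_ip, pkt.dst_ip))
            area_port = area_port_for(area_of(pkt.src_ip), pkt.dst_ip, REAL_PORT)
            return ("send_mapping_table", {(pkt.dst_ip, REAL_PORT): area_port})
        if (pkt.src_ip, pkt.dst_ip) in self.sessions:
            return ("forward", REAL_PORT)
        # Case two: e.g. a bare ACK with no session is treated as an attack.
        return ("drop", "real-port message is neither a handshake start nor a session match")

    def _area_port_path(self, pkt, now):
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        hit = self.first_table.get(key)
        if hit is not None:
            if now - hit[1] <= self.aging_seconds:
                hit[1] = now                   # matched: reset the aging timer
                return ("forward", hit[0])
            del self.first_table[key]          # aged out: fall back to the second table
        real = SECOND_TABLE.get((area_of(pkt.src_ip), pkt.dst_ip, pkt.dst_port))
        if real is None:
            return ("drop", "area port does not match the sender's geographic area")
        self.first_table[key] = [real, now]    # learn the flow for later lookups
        return ("forward", real)

    def expire(self, now):
        """Delete first-table entries not matched within aging_seconds; return the count."""
        stale = [k for k, v in self.first_table.items() if now - v[1] > self.aging_seconds]
        for k in stale:
            del self.first_table[k]
        return len(stale)


if __name__ == "__main__":
    fw = Firewall(aging_seconds=60)
    for t, p in [(0, Packet("192.0.2.7", SERVER_IP, 2222)),              # Hebei host on Beijing's port
                 (0, Packet("192.0.2.8", SERVER_IP, 3333)),              # legitimate Hebei terminal
                 (5, Packet("198.51.100.9", SERVER_IP, 80, syn=True))]:  # terminal without plug-in
        print(p, "->", fw.classify(p, now=t))
```

The Hebei host that reuses 2222 is dropped by the second-table lookup, the legitimate Hebei terminal on 3333 is forwarded and cached in the first table, and a SYN to port 80 from a terminal without the plug-in gets the mapping table for its own area while a bare ACK with no session is dropped.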
Referring to fig. 3, fig. 3 is a flowchart of a message processing method provided in an embodiment of the present application. The method may be applied to a user terminal and may include the following steps:
S301: obtain a message to be sent by the user terminal to a server.
The message to be sent may be a message that the application layer of the user terminal needs to send to the server.
The user terminal obtains the message to be sent, processes it according to the port mapping table and forwards it.
In one mode, the user terminal obtains the message to be sent from a specified application program, processes it according to the port mapping table and forwards it; messages to be sent by other application programs are forwarded directly.
Alternatively, the method may be applied to a security plug-in in the user terminal that is bound to a specified application program. The security plug-in obtains the messages to be sent by the specified application program, processes them according to the port mapping table and forwards them; messages to be sent by other application programs are forwarded directly.
S302: and acquiring a destination IP address and a destination port of the message to be sent.
In the application embodiment, after the message to be sent is obtained, the destination IP address and the destination port of the message to be sent can also be extracted.
The destination IP address of the message to be sent is the IP address of the server which the application layer needs to access, and the destination port is the real destination port of the server which the application layer needs to access.
S303: and searching a second area port matched with the destination IP address and the destination port of the message to be sent in the port mapping table.
The port mapping table includes a destination IP address, and a corresponding relationship between a destination port and a regional port. The port mapping table may be sent by the server to the user terminal.
In one implementation, if the message to be sent is a message from a specific application, the user terminal may search the port mapping table to determine an area port (i.e., the second area port) matching the destination IP address and the destination port of the message to be sent.
S304: and converting the destination port of the message to be sent into a second area port to generate a first message and sending the first message.
In the application embodiment, after the second area port is determined, the user terminal may convert the destination port of the message to be sent into the second area port to obtain the first message, and then the user terminal may send the first message to the server.
Correspondingly, when the firewall receives the first message, it may be determined that the destination port of the first message matches the area port table, and forward the first message, where the firewall processing method is described in detail in the above embodiments, and is not described here again.
In addition, if the message to be sent is a message to be sent by other application programs except the specified application program, the user terminal can directly send the message to be sent to the server. Correspondingly, when the firewall receives the message to be sent, the destination port of the message to be sent can be judged not to be consistent with the area port table, and the destination port of the message to be sent is discarded.
Therefore, based on the message processing method provided in this embodiment, the user terminal converts the destination port of the message to be sent according to the port mapping table. Correspondingly, when the firewall determines that the destination port of a received message matches the area port table, the message is a normal message sent by the user terminal and is forwarded; otherwise it is discarded. Attacks are thus prevented while interruption of the network service is avoided to a certain extent.
In addition, with this processing the real destination port of the server is replaced by the area port while the message is in transit, so the real destination port of the server is hidden and the security of the server is further improved.
Optionally, if the method is applied to a security plug-in installed in the user terminal, the security plug-in may be sent to the user terminal by the firewall when the firewall receives a message sent by the user terminal, determines that the destination port of the message is the real destination port of the server, and determines that the message is a legal message.
If the security plug-in is not installed on the user terminal, every message sent from the user terminal carries the real destination port of the server as its destination port.
Correspondingly, when the firewall receives a message from the user terminal, determines that its destination port is the real destination port of the server and that the message is legal, this indicates that the security plug-in is not installed on the user terminal. The firewall can then send the security plug-in, carrying the corresponding port mapping table, to the user terminal; the user installs the plug-in after confirmation and binds it to the specified application program, after which attack messages can be prevented.
Optionally, the method may further include the following steps:
Step one: receive the converted first response message sent by the firewall, and obtain its source IP address and source port.
The first response message is the message sent by the server in response to the first message.
In this embodiment, the firewall converts the source port of the first response message sent by the server to the user terminal in response to the first message, and forwards the converted first response message. Correspondingly, the user terminal receives the converted first response message and extracts its source IP address and source port.
The source IP address of the converted first response message is the IP address of the server, and its source port is the area port.
Step two: match the source IP address and source port of the converted first response message against the destination IP address and area port in the port mapping table, so as to determine the corresponding destination port in the port mapping table.
In this embodiment, after extracting the source IP address (the IP address of the server) and the source port (the area port) of the converted first response message, the user terminal matches the source IP address against the destination IP address column of the port mapping table and the source port against the area port column, determines the entry matching both, and reads the destination port recorded in that entry.
Step three: convert the source port of the converted first response message into the destination port found in the port mapping table to obtain the first response message, and deliver the first response message to the application layer of the user terminal.
In this embodiment, after the corresponding destination port is determined from the port mapping table, the user terminal converts the source port of the converted first response message into that destination port.
The message obtained by converting the source port of the converted first response message is the original first response message.
The user terminal then delivers the first response message to its application layer.
Referring to fig. 4, fig. 4 is a flowchart of an example of a message processing method provided in an embodiment of the present application. The method may include the following steps:
S401: the user terminal obtains a message that a specified application program needs to send to the server.
S402: the user terminal searches the port mapping table for a second area port matching the destination IP address and destination port of the message to be sent, and converts the destination port of the message to be sent into the second area port to generate the first message.
The port mapping table records the correspondence between the destination IP address, the destination port and the area port.
S403: the user terminal sends the first message to the server.
S404: the firewall searches the area port table for the first area port matching the source IP address of the first message.
The area port table records the correspondence between the source IP address, the area port and the real destination port of the server.
S405: when the first area port and the destination port of the first message are judged to be the same, the firewall determines in the area port table the real destination port of the server matching the source IP address and destination port of the first message, and converts the destination port of the first message into that real destination port.
S406: the firewall forwards the converted first message to the server.
S407: the server sends a first response message to the user terminal in response to the first message.
S408: the firewall matches the destination IP address and source port of the first response message against the source IP address and the real destination port of the server in the area port table, and converts the source port of the first response message into the area port found there.
S409: the firewall forwards the converted first response message to the user terminal.
S4010: the user terminal matches the source IP address and source port of the converted first response message against the destination IP address and area port in the port mapping table, converts the source port of the converted first response message into the destination port found there to obtain the first response message, and delivers the first response message to its application layer.
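The whole fig. 4 exchange, S401 through S4010, together with the user-terminal steps S301 to S304 and the firewall-side conversion of the first message and of the first response message described in the earlier embodiment, as an added worked example in Python that is not part of the patent or of any H3C product. All addresses, ports, application names and table contents are constructed; the firewall here performs only the area-port check and the two port conversions of S404 to S409 and leaves out the real-port legality test of the earlier embodiment.

```python
"""End-to-end exchange of fig. 4: security plug-in, firewall and server,
forward and return paths. Added example, not patent code; all addresses,
ports, application names and table contents are constructed."""
from dataclasses import dataclass, replace

CLIENT_IP = "198.51.100.5"   # constructed user terminal address
SERVER_IP = "203.0.113.10"   # constructed server address
REAL_PORT = 443              # assumed real destination port of the server
AREA_PORT = 2222             # assumed area port for the client's geographic area


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str
    app: str = ""   # originating application; only meaningful on the terminal


class SecurityPlugin:
    """Terminal plug-in bound to one application: S301-S304 outbound, and the
    reverse conversion of the converted first response message inbound."""

    def __init__(self, bound_app, port_mapping):
        self.bound_app = bound_app
        # Port mapping table: (destination IP, real destination port) -> area port
        self.port_mapping = dict(port_mapping)
        # Reverse view for responses: (server IP, area port) -> real port
        self.reverse = {(ip, area): real for (ip, real), area in self.port_mapping.items()}

    def outbound(self, pkt):
        if pkt.app != self.bound_app:
            return pkt                    # other applications are forwarded untouched
        area = self.port_mapping.get((pkt.dst_ip, pkt.dst_port))
        return pkt if area is None else replace(pkt, dst_port=area)

    def inbound(self, pkt):
        real = self.reverse.get((pkt.src_ip, pkt.src_port))
        return pkt if real is None else replace(pkt, src_port=real)


class Firewall:
    """Area port table: source IP -> {area port: real destination port}."""

    def __init__(self, area_port_table):
        self.table = {ip: dict(m) for ip, m in area_port_table.items()}

    def client_to_server(self, pkt):
        """S404-S406: the destination port must equal the sender's area port;
        returns the message rewritten to the real port, or None to discard."""
        real = self.table.get(pkt.src_ip, {}).get(pkt.dst_port)
        return None if real is None else replace(pkt, dst_port=real)

    def server_to_client(self, pkt):
        """S408-S409: hide the real source port behind the area port."""
        for area, real in self.table.get(pkt.dst_ip, {}).items():
            if real == pkt.src_port:
                return replace(pkt, src_port=area)
        return None


def server_respond(pkt):
    """S407: the server answers from its real port, swapping the addresses."""
    if pkt.dst_port != REAL_PORT:
        return None
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, "ack:" + pkt.payload)


def round_trip(plugin, firewall, request):
    """Push one request through every hop. Returns the ordered trace of
    (hop, packet) and the message handed to the application layer, or None."""
    trace = []
    pkt = plugin.outbound(request)
    trace.append(("terminal->", pkt))
    pkt = firewall.client_to_server(pkt)
    trace.append(("firewall->", pkt))
    if pkt is None:
        return trace, None
    pkt = server_respond(pkt)
    trace.append(("server<-", pkt))
    pkt = firewall.server_to_client(pkt)
    trace.append(("firewall<-", pkt))
    if pkt is None:
        return trace, None
    pkt = plugin.inbound(pkt)
    trace.append(("terminal<-", pkt))
    return trace, pkt


PLUGIN = SecurityPlugin("bank-client", {(SERVER_IP, REAL_PORT): AREA_PORT})
FIREWALL = Firewall({CLIENT_IP: {AREA_PORT: REAL_PORT}})


def demo_bound_app():
    """Message from the bound application: converted, accepted, answered."""
    req = Packet(CLIENT_IP, 51000, SERVER_IP, REAL_PORT, "GET /", app="bank-client")
    return round_trip(PLUGIN, FIREWALL, req)


def demo_other_app():
    """Message from another application keeps port 443 and is discarded."""
    req = Packet(CLIENT_IP, 51001, SERVER_IP, REAL_PORT, "GET /", app="browser")
    return round_trip(PLUGIN, FIREWALL, req)


if __name__ == "__main__":
    for hop, pkt in demo_bound_app()[0]:
        print(hop, pkt)
```

The trace shows port 443 appearing only on the segment between the firewall and the server: the bound application's request leaves the terminal on 2222, the firewall rewrites it to 443, the server answers from 443, the firewall hides that behind 2222 again, and the plug-in hands the application a response that looks as if it came from 443. The unbound application's request never gets past the firewall.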
Based on the same inventive concept, referring to fig. 5, fig. 5 is a structural diagram of a message processing apparatus provided in an embodiment of the present application, and the apparatus is applied to a firewall, and includes:
a receiving module 501, configured to receive a first message sent to a server;
an obtaining module 502, configured to obtain a source internet protocol IP address and a destination port of the first packet;
a searching module 503, configured to search an area port table for a first area port matching the source IP address of the first message, where the area port table includes the correspondence between source IP addresses and area ports;
a first processing module 504, configured to allow the first packet to be sent to the server if the first area port and the destination port of the first packet are the same port;
a discarding module 505, configured to discard the first packet if the first area port is not the same as the destination port of the first packet.
Optionally, the area port table further includes a real destination port of the server;
the device further comprises:
a forwarding module, configured to determine in the area port table the real destination port of the server matching the source IP address of the first message and the destination port of the first message, so as to convert the first area port carried in the first message into the real destination port of the server;
and after the destination port of the first message is converted into the found real destination port of the server, forwarding the converted first message to the server according to the real destination port of the server.
Optionally, the apparatus further comprises:
the second processing module is used for receiving a first response message which is sent by the server and used for responding to the first message;
acquiring a destination IP address and a source port of the first response message;
matching the source IP address in the area port table and the real destination port of the server according to the destination IP address of the first response message and the source port of the first response message to determine the corresponding matched area port in the area port table;
converting the source port of the first response message into the area port searched in the area port table;
and forwarding the converted first response message according to the destination IP address of the converted first response message.
Optionally, the apparatus further comprises:
the judging module is used for judging whether the destination port of the first message is the real destination port of the server or not;
if the destination port of the first packet is not the actual destination port of the server, the lookup module 503 is triggered.
Optionally, the apparatus further comprises:
a sending module, configured to determine whether the first packet is a valid packet if a destination port of the first packet is a real destination port of a server;
and if the first message is a legal message, sending a port mapping table containing the first regional port, the corresponding relation between the destination IP address of the first message and the destination port of the first message to a user terminal sending the first message.
Based on the same inventive concept, referring to fig. 6, fig. 6 is a structural diagram of a message processing apparatus provided in an embodiment of the present application, and the apparatus is applied to a user terminal, and includes:
a first obtaining module 601, configured to obtain a message to be sent, where the message is to be sent by the user terminal to a server;
a second obtaining module 602, configured to obtain a destination internet protocol IP address and a destination port of the message to be sent;
a searching module 603, configured to search a second area port, which is matched with the destination IP address and the destination port of the to-be-sent message, in a port mapping table, where the port mapping table includes the destination IP address, and a corresponding relationship between the destination port and the area port;
a conversion module 604, configured to convert the destination port of the message to be sent into the second area port to generate a first message;
a sending module 605, configured to send the first packet.
Optionally, the apparatus further comprises:
the processing module is used for receiving a converted first response message sent by a firewall, wherein the first response message is a message sent by the server and used for responding to the first message;
obtaining a source IP address and a source port of the converted first response message;
matching a destination IP address and an area port in the port mapping table according to the source IP address of the converted first response message and the source port of the converted first response message to determine a corresponding matched destination port in the port mapping table;
converting the source port of the converted first response message into a target port searched in a port mapping table to obtain the first response message;
and sending the first response message to an application layer of the user terminal.
The embodiment of the present application further provides an electronic device, as shown in fig. 7, which includes a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702, and the memory 703 complete mutual communication through the communication bus 704,
a memory 703 for storing a computer program;
the processor 701 is configured to, when executing the program stored in the memory 703, enable the electronic device to execute the message processing method applied to the firewall, where the method includes:
receiving a first message sent to a server;
acquiring a source Internet Protocol (IP) address and a destination port of the first message;
searching a first regional port matched with a source IP address of the first message in a regional port table, wherein the regional port table comprises a corresponding relation between the source IP address and the regional port;
if the first area port and the destination port of the first message are the same port, allowing the first message to be sent to the server; otherwise, the first message is discarded.
The embodiment of the present application further provides an electronic device, as shown in fig. 8, which includes a processor 801, a communication interface 802, a memory 803, and a communication bus 804, where the processor 801, the communication interface 802, and the memory 803 complete mutual communication through the communication bus 804,
a memory 803 for storing a computer program;
the processor 801 is configured to, when executing the program stored in the memory 803, enable the electronic device to execute the message processing method applied to the user terminal, where the method includes:
acquiring a message to be sent, which is to be sent to a server, of the user terminal;
acquiring a destination Internet Protocol (IP) address and a destination port of the message to be sent;
searching a second area port matched with a target IP address and a target port of the message to be sent in a port mapping table, wherein the port mapping table comprises the target IP address, the target port and the corresponding relation of the area port;
converting the destination port of the message to be sent into the second area port to generate a first message;
and sending the first message.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components.
In another embodiment provided by the present application, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the above-mentioned message processing methods applied to a firewall.
In another embodiment provided by the present application, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the above-mentioned message processing methods applied to the user terminal.
In another embodiment provided by the present application, there is also provided a computer program product containing instructions, which when run on a computer, causes the computer to execute any one of the above-mentioned message processing methods applied to a firewall.
In another embodiment provided by the present application, there is also provided a computer program product containing instructions, which when run on a computer, causes the computer to execute any of the message processing methods applied to the user terminal in the above embodiments.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, cause the processes or functions described in the embodiments of the application to occur, in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server or data center to another website, computer, server or data center by wired means (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)).
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, the electronic device, the computer-readable storage medium, and the computer program product embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiments.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (16)

1. A message processing method, applied to a firewall, the method comprising the following steps:
receiving a first message sent to a server; the first message is obtained by a user terminal converting the destination port of a message to be sent to the server into a second zone port; the second zone port is the zone port that matches the destination IP address and destination port of the message to be sent in a port mapping table; the port mapping table comprises correspondences between destination IP addresses, destination ports and zone ports;
acquiring a source Internet Protocol (IP) address and a destination port of the first message;
searching a zone port table for a first zone port matching the source IP address of the first message, wherein the zone port table comprises correspondences between source IP addresses and zone ports;
if the first zone port and the destination port of the first message are the same port, allowing the first message to be sent to the server; otherwise, discarding the first message.
2. The method of claim 1, wherein the zone port table further comprises a real destination port of the server;
and when the destination port of the first message and the zone port found in the zone port table are the same port, the method further comprises:
determining, in the zone port table, the real destination port of the server matching the source IP address of the first message and the destination port of the first message, so as to convert the first zone port carried in the first message into the real destination port of the server;
and after the destination port of the first message has been converted into the found real destination port of the server, forwarding the converted first message to the server according to the real destination port of the server.
3. The method of claim 1 or 2, further comprising:
receiving a first response message sent by the server in response to the first message;
acquiring a destination IP address and a source port of the first response message;
matching the destination IP address of the first response message against the source IP addresses in the zone port table, and the source port of the first response message against the real destination ports of the server in the zone port table, so as to determine the corresponding zone port in the zone port table;
converting the source port of the first response message into the zone port found in the zone port table;
and forwarding the converted first response message according to the destination IP address of the converted first response message.
4. The method of claim 1, wherein, before searching the zone port table for the first zone port matching the source IP address of the first message, the method further comprises:
judging whether the destination port of the first message is the real destination port of the server;
and if the destination port of the first message is not the real destination port of the server, performing the step of searching the zone port table for the first zone port matching the source IP address of the first message.
5. The method of claim 4, further comprising:
if the destination port of the first message is the real destination port of the server, judging whether the first message is a legal message;
and if the first message is a legal message, sending to the user terminal that sent the first message a port mapping table containing the correspondence between the first zone port, the destination IP address of the first message and the destination port of the first message.
6. A message processing method, applied to a user terminal, characterized in that the method comprises the following steps:
acquiring a message that the user terminal is to send to a server;
acquiring a destination Internet Protocol (IP) address and a destination port of the message to be sent;
searching a port mapping table for a second zone port matching the destination IP address and destination port of the message to be sent, wherein the port mapping table comprises correspondences between destination IP addresses, destination ports and zone ports;
converting the destination port of the message to be sent into the second zone port to generate a first message;
and sending the first message, so that a firewall between the user terminal and the server receives the first message, acquires a source Internet Protocol (IP) address and a destination port of the first message, searches a zone port table for a first zone port matching the source IP address of the first message, allows the first message to be sent to the server if the first zone port and the destination port of the first message are the same port, and otherwise discards the first message; the zone port table comprises correspondences between source IP addresses and zone ports.
7. The method of claim 6, further comprising:
receiving a converted first response message sent by the firewall, wherein the first response message is a message sent by the server in response to the first message;
acquiring a source IP address and a source port of the converted first response message;
matching the source IP address of the converted first response message against the destination IP addresses in the port mapping table, and the source port of the converted first response message against the zone ports in the port mapping table, so as to determine the corresponding destination port in the port mapping table;
converting the source port of the converted first response message into the destination port found in the port mapping table, so as to recover the first response message;
and delivering the first response message to an application layer of the user terminal.
8. A message processing apparatus, applied to a firewall, the apparatus comprising:
a receiving module, configured to receive a first message sent to a server; the first message is obtained by a user terminal converting the destination port of a message to be sent to the server into a second zone port; the second zone port is the zone port that matches the destination IP address and destination port of the message to be sent in a port mapping table; the port mapping table comprises correspondences between destination IP addresses, destination ports and zone ports;
an acquiring module, configured to acquire a source Internet Protocol (IP) address and a destination port of the first message;
a searching module, configured to search a zone port table for a first zone port matching the source IP address of the first message, wherein the zone port table comprises correspondences between source IP addresses and zone ports;
a first processing module, configured to allow the first message to be sent to the server if the first zone port and the destination port of the first message are the same port;
and a discarding module, configured to discard the first message if the first zone port and the destination port of the first message are not the same port.
9. The apparatus of claim 8, wherein the zone port table further comprises a real destination port of the server;
and the apparatus further comprises:
a forwarding module, configured to determine, in the zone port table, the real destination port of the server matching the source IP address of the first message and the destination port of the first message, so as to convert the first zone port carried in the first message into the real destination port of the server;
and, after the destination port of the first message has been converted into the found real destination port of the server, to forward the converted first message to the server according to the real destination port of the server.
10. The apparatus of claim 8 or 9, further comprising:
a second processing module, configured to receive a first response message sent by the server in response to the first message;
acquire a destination IP address and a source port of the first response message;
match the destination IP address of the first response message against the source IP addresses in the zone port table, and the source port of the first response message against the real destination ports of the server in the zone port table, so as to determine the corresponding zone port in the zone port table;
convert the source port of the first response message into the zone port found in the zone port table;
and forward the converted first response message according to the destination IP address of the converted first response message.
11. The apparatus of claim 8, further comprising:
a judging module, configured to judge whether the destination port of the first message is the real destination port of the server;
and, if the destination port of the first message is not the real destination port of the server, to trigger the searching module.
12. The apparatus of claim 11, further comprising:
a sending module, configured to judge whether the first message is a legal message if the destination port of the first message is the real destination port of the server;
and, if the first message is a legal message, to send to the user terminal that sent the first message a port mapping table containing the correspondence between the first zone port, the destination IP address of the first message and the destination port of the first message.
13. A message processing apparatus, applied to a user terminal, the apparatus comprising:
a first acquiring module, configured to acquire a message that the user terminal is to send to a server;
a second acquiring module, configured to acquire a destination Internet Protocol (IP) address and a destination port of the message to be sent;
a searching module, configured to search a port mapping table for a second zone port matching the destination IP address and destination port of the message to be sent, wherein the port mapping table comprises correspondences between destination IP addresses, destination ports and zone ports;
a converting module, configured to convert the destination port of the message to be sent into the second zone port so as to generate a first message;
and a sending module, configured to send the first message, so that a firewall between the user terminal and the server receives the first message, acquires a source Internet Protocol (IP) address and a destination port of the first message, searches a zone port table for a first zone port matching the source IP address of the first message, allows the first message to be sent to the server if the first zone port and the destination port of the first message are the same port, and otherwise discards the first message; the zone port table comprises correspondences between source IP addresses and zone ports.
14. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other via the communication bus;
the memory is used for storing a computer program;
the processor, when executing the program stored in the memory, implementing the method steps of any of claims 1-5.
15. A machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to: carrying out the method steps of any one of claims 1 to 5.
16. A machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to: carry out the method steps of any one of claims 6 to 7.
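The port-rewriting exchange laid out in the user-terminal steps at the end of the description and in claims 1 to 7 can be followed end to end in a short simulation. The block below is an added example written for this page, not code from the patent or from the assignee. The class and function names (`Firewall`, `Terminal`, `run_scenario`), the sequential allocation of zone ports starting at 40000, the use of an authorised-source-IP set as the claim 5 "legal message" test, and the choice to forward the enrolling packet and unmapped responses unchanged are all assumptions, since the claims do not fix them; the addresses and payloads are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class Firewall:
    """Firewall side (claims 1-5). Zone port table: src_ip -> {zone_port: real_port}."""
    def __init__(self, real_ports: Set[int], authorised: Set[str]) -> None:
        self.real_ports = real_ports
        self.authorised = authorised   # assumption: stands in for the claim 5 "legal message" test
        self.zone_table: Dict[str, Dict[int, int]] = {}
        self._next_zone = 40000        # assumption: zone ports are handed out sequentially from here

    def _allocate(self, src_ip: str, real_port: int) -> int:
        zone, self._next_zone = self._next_zone, self._next_zone + 1
        self.zone_table.setdefault(src_ip, {})[zone] = real_port
        return zone

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet], Optional[Dict[Tuple[str, int], int]]]:
        """Client -> server. Returns (verdict, packet forwarded to the server, mapping pushed to the client)."""
        if pkt.dst_port in self.real_ports:
            # Claims 4-5: real server port, so skip the zone-port check; a legal packet earns a mapping.
            if pkt.src_ip not in self.authorised:
                return "drop", None, None
            zone = self._allocate(pkt.src_ip, pkt.dst_port)
            return "allow", pkt, {(pkt.dst_ip, pkt.dst_port): zone}   # assumption: forwarded unchanged
        # Claim 1: the zone port(s) bound to this source IP must include the destination port.
        entry = self.zone_table.get(pkt.src_ip, {})
        if pkt.dst_port not in entry:
            return "drop", None, None
        # Claim 2: rewrite the zone port to the real destination port before forwarding.
        return "allow", replace(pkt, dst_port=entry[pkt.dst_port]), None

    def outbound(self, resp: Packet) -> Packet:
        """Server -> client (claim 3): real source port -> zone port bound to that client IP."""
        for zone, real in self.zone_table.get(resp.dst_ip, {}).items():
            if real == resp.src_port:
                return replace(resp, src_port=zone)
        return resp                    # assumption: unmapped responses pass through unchanged


class Terminal:
    """User terminal side (claims 6-7). Port mapping table: (dst_ip, dst_port) -> zone port."""
    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.port_map: Dict[Tuple[str, int], int] = {}

    def learn(self, mapping: Dict[Tuple[str, int], int]) -> None:
        self.port_map.update(mapping)  # table received from the firewall (claim 5)

    def send(self, dst_ip: str, dst_port: int, payload: bytes, src_port: int = 50000) -> Packet:
        # Claim 6: substitute the zone port; assumption: use the real port while no mapping exists yet.
        return Packet(self.ip, src_port, dst_ip, self.port_map.get((dst_ip, dst_port), dst_port), payload)

    def receive(self, pkt: Packet) -> Packet:
        # Claim 7: restore the real server port before handing the reply to the application layer.
        for (dst_ip, dst_port), zone in self.port_map.items():
            if dst_ip == pkt.src_ip and zone == pkt.src_port:
                return replace(pkt, src_port=dst_port)
        return pkt


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: enrolment, one zone-port request/reply, and two rejected packets."""
    server_ip, real_port = "192.0.2.10", 443
    fw = Firewall(real_ports={real_port}, authorised={"10.0.0.5"})
    client, intruder = Terminal("10.0.0.5"), Terminal("10.0.0.9")
    # 1. First packet targets the real port; the firewall provisions and pushes the mapping (claims 4-5).
    first_verdict, _, mapping = fw.inbound(client.send(server_ip, real_port, b"hello"))
    client.learn(mapping)
    zone = client.port_map[(server_ip, real_port)]
    # 2. Later packets carry the zone port; the firewall verifies and rewrites it (claims 1-2, 6).
    req = client.send(server_ip, real_port, b"GET / HTTP/1.1")
    second_verdict, fwd, _ = fw.inbound(req)
    # 3. Reply: firewall maps 443 -> zone port, terminal maps it back for the application (claims 3, 7).
    on_wire = fw.outbound(Packet(server_ip, real_port, client.ip, req.src_port, b"HTTP/1.1 200 OK"))
    at_app = client.receive(on_wire)
    # 4. Another source IP presenting the same zone port fails the claim 1 comparison and is discarded.
    replay_verdict, _, _ = fw.inbound(Packet(intruder.ip, 50000, server_ip, zone, b"GET /"))
    # 5. The same host on the real port is not "legal" under the assumed test, so no mapping is issued.
    unauth_verdict, _, _ = fw.inbound(intruder.send(server_ip, real_port, b"GET /"))
    return {"first_verdict": first_verdict, "zone_port": zone,
            "request_dst_port_on_wire": req.dst_port, "second_verdict": second_verdict,
            "request_dst_port_at_server": fwd.dst_port, "reply_src_port_on_wire": on_wire.src_port,
            "reply_src_port_at_app": at_app.src_port,
            "replay_verdict": replay_verdict, "unauth_verdict": unauth_verdict}


if __name__ == "__main__":
    print(run_scenario())
```

Running the block prints the nine results of the scenario. The two dropped packets show what the claim 1 comparison actually enforces: the zone port is bound to a source IP in the firewall's table, so the same port number presented from another address does not match, and a host that never passed the claim 5 test never receives a mapping. The claims say nothing about how a zone port is kept from being observed or guessed by anyone other than the enrolled terminal; that is the property a deployment would have to evaluate before relying on the mechanism.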
CN201911016775.7A 2019-10-24 2019-10-24 Message processing method and device Active CN110768983B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911016775.7A CN110768983B (en) 2019-10-24 2019-10-24 Message processing method and device

Publications (2)

Publication Number Publication Date
CN110768983A CN110768983A (en) 2020-02-07
CN110768983B true CN110768983B (en) 2022-04-22

Family

ID=69333362

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911016775.7A Active CN110768983B (en) 2019-10-24 2019-10-24 Message processing method and device

Country Status (1)

Country Link
CN (1) CN110768983B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227287A (en) * 2008-01-28 2008-07-23 华为技术有限公司 Data message processing method and data message processing equipment
CN102761474A (en) * 2011-04-28 2012-10-31 华为技术有限公司 Message filtering method and access equipment
CN106411742A (en) * 2016-10-26 2017-02-15 杭州数梦工场科技有限公司 Message transmission method and device
CN106899474A (en) * 2016-12-07 2017-06-27 新华三技术有限公司 A kind of method and apparatus of message forwarding
CN107770193A (en) * 2017-11-17 2018-03-06 新华三信息安全技术有限公司 A kind of rule matching method, device, firewall box and storage medium

Also Published As

Publication number Publication date
CN110768983A (en) 2020-02-07

Similar Documents

Publication Publication Date Title
CN110445770B (en) Network attack source positioning and protecting method, electronic equipment and computer storage medium
US11722509B2 (en) Malware detection for proxy server networks
KR101999148B1 (en) System and method for detecting rogue access point and user device and computer program for the same
EP2612488B1 (en) Detecting botnets
CN110519265B (en) Method and device for defending attack
US9338657B2 (en) System and method for correlating security events with subscriber information in a mobile network environment
CN110266650B (en) Identification method of Conpot industrial control honeypot
CN108028835B (en) Automatic configuration server and server execution method
CN107690004B (en) Method and device for processing address resolution protocol message
US10547638B1 (en) Detecting name resolution spoofing
US10097418B2 (en) Discovering network nodes
CN116723020A (en) Network service simulation method and device, electronic equipment and storage medium
CN110768983B (en) Message processing method and device
US8239930B2 (en) Method for controlling access to a network in a communication system
US10015179B2 (en) Interrogating malware
US11683337B2 (en) Harvesting fully qualified domain names from malicious data packets
CN114285818A (en) Terminal device positioning method and device and terminal device
CN109729043B (en) Method, device and system for preventing attack message
CN102857515B (en) Network access control method and network access control device
CN114363083B (en) Security protection method, device and equipment of intelligent gateway
CN111262813A (en) Application service providing method, device, equipment and medium
WO2024116666A1 (en) Detection system, detection method, and program
CN117424711A (en) Network security management method, device, computer equipment and storage medium
CN113630392A (en) Method, system, equipment and medium for protecting ARP table entry based on SONIC
CN115643079A (en) Data packet security risk detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant