CN111193692A - Request response method, device, edge node and authentication system


Info

Publication number: CN111193692A
Authority: CN (China)
Prior art keywords: user equipment, edge node, blacklist, access, service request
Legal status: Pending
Application number: CN201811371745.3A
Other languages: Chinese (zh)
Inventor: 王永强
Current assignee: Beijing Kingsoft Cloud Network Technology Co Ltd; Beijing Kingsoft Cloud Technology Co Ltd
Original assignee: Beijing Kingsoft Cloud Network Technology Co Ltd; Beijing Kingsoft Cloud Technology Co Ltd
Events:
    • Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd and Beijing Kingsoft Cloud Technology Co Ltd
    • Priority to CN201811371745.3A
    • Priority to PCT/CN2019/118711 (WO2020098773A1)
    • Publication of CN111193692A

Classifications

    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network security for controlling access to devices or network resources
    • H04L63/107 Network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities' privileges depend on current location or allowing specific operations only from locally connected terminals
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • H04L63/04 Network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network security for providing a confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network security for authentication of entities
    • H04L63/0876 Network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/14 Network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention provides a request response method, a request response device, an edge node and an authentication system, and belongs to the technical field of the Internet. According to the request response method, device, edge node and authentication system provided by the embodiments of the invention, when a first service request sent by a first user equipment is received, the edge node can determine whether to respond to the first service request according to a locally stored blacklist, without waiting for the authentication server to authenticate and feed back an authentication result, so that the response speed of the edge node is improved and the user experience is improved.

Description

Request response method, device, edge node and authentication system
Technical Field
The invention relates to the technical field of internet, in particular to a request response method, a request response device, an edge node and an authentication system.
Background
A CDN (Content Delivery Network) is used to deliver the content of a website to the network "edge" closest to a user, and based on user proximity and server load the user can obtain the desired content nearby. In the current content delivery network, when an edge node of the CDN receives a request from a user equipment to access a specific URL (Uniform Resource Locator) or specific encrypted data, authentication needs to be performed. For example, a certain encrypted data may be accessible to only a limited number of user devices across the whole network; once this number is exceeded, the next user device requesting the encrypted data is denied access during authentication.
In the related art, when a user equipment requests an edge node of a CDN to obtain data, the edge node needs to send an authentication request to an authentication server of the CDN, and after receiving authentication passing information fed back by the authentication server, the edge node may respond to the data obtaining request of the user equipment to obtain data from a local cache or request a source station of the data to obtain data, and send the data to the user equipment. The above process can prolong the response time of the edge node of the CDN for returning data to the user equipment, and if the authentication server receives a large number of authentication requests, the feedback speed of the authentication server is slow, which further causes the first packet time of the edge node returning data to the user equipment to become long, service quality to degrade, and user experience to degrade.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a request response method, a request response device, an edge node and an authentication system, which can improve the response speed of the edge node and improve the user experience.
In a first aspect, an embodiment of the present invention provides a request response method, which is applied to an edge node of a CDN, and the method includes:
receiving a first service request sent by first user equipment;
determining whether to respond to the first service request of the first user equipment according to the first service request and a blacklist pre-stored on the edge node, where the blacklist stores the conditions under which the edge node refuses to respond to a service request sent by a user equipment.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation manner of the first aspect, where the first service request includes at least one of: the device information of the first user equipment, the Uniform Resource Locator (URL) information that the first user equipment needs to access, and the identification information of the encrypted data that the first user equipment needs to access.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation manner of the first aspect, where the conditions include at least one of: a specified URL is not allowed to be accessed by user equipment; specified encrypted data is not allowed to be accessed by user equipment; a specified URL is not allowed to be accessed by user equipment in a specified area; specified encrypted data is not allowed to be accessed by user equipment in a specified area.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation manner of the first aspect, where after receiving a first service request sent by a first user equipment, the method further includes:
sending an access request to an authentication server; wherein the authentication server is configured to update a blacklist based on the access request and a denial rule.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation manner of the first aspect, where the method further includes:
receiving and storing, every set time period, the blacklist or the variation of the blacklist sent by the authentication server.
In a second aspect, an embodiment of the present invention further provides a request response device, which is applied to an edge node of a CDN, and the device includes:
a service request receiving unit, configured to receive a first service request sent by a first user equipment;
an authentication unit, configured to determine whether to respond to the first service request of the first user equipment according to the first service request and a blacklist pre-stored on the edge node, where the blacklist stores the conditions under which the edge node refuses to respond to a service request sent by a user equipment.
With reference to the second aspect, an embodiment of the present invention provides a first possible implementation manner of the second aspect, where the first service request includes at least one of: the device information of the first user equipment, the Uniform Resource Locator (URL) information that the first user equipment needs to access, and the identification information of the encrypted data that the first user equipment needs to access.
With reference to the second aspect, an embodiment of the present invention provides a second possible implementation manner of the second aspect, where the conditions include at least one of: a specified URL is not allowed to be accessed by user equipment; specified encrypted data is not allowed to be accessed by user equipment; a specified URL is not allowed to be accessed by user equipment in a specified area; specified encrypted data is not allowed to be accessed by user equipment in a specified area.
With reference to the second aspect, an embodiment of the present invention provides a third possible implementation manner of the second aspect, where the apparatus further includes:
an access request sending unit, configured to send an access request to an authentication server; wherein the authentication server is configured to update a blacklist based on the access request and a denial rule.
With reference to the second aspect, an embodiment of the present invention provides a fourth possible implementation manner of the second aspect, where the apparatus further includes:
a blacklist receiving unit, configured to receive and store, every set time period, the blacklist or the variation of the blacklist sent by the authentication server.
In a third aspect, an embodiment of the present invention further provides an edge node, including a first processor and a first memory connected to the first processor;
the first memory stores machine executable instructions executable by the first processor to perform the method of any of the first aspects.
In a fourth aspect, an embodiment of the present invention further provides an authentication system, including the edge node and the authentication server in the third aspect; the authentication server is connected with at least one edge node.
In a fifth aspect, an embodiment of the present invention further provides a computer-readable storage medium storing computer program instructions for implementing the request response method of the first aspect.
The embodiment of the invention has the following beneficial effects:
according to the request response method, the request response device, the edge node and the authentication system provided by the embodiment of the invention, when a first service request sent by first user equipment is received, the edge node can determine whether to respond to the first service request of the first user equipment according to a locally stored blacklist; the edge node authenticates based on the locally stored blacklist, and then determines whether to respond to the first service request of the first user equipment, without waiting for the authentication server to authenticate and feed back an authentication result, so that the response speed of the edge node can be improved, and the user experience is improved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic diagram illustrating a response process of an edge node of a CDN to a service request of a user equipment in the prior art;
FIG. 2 is a flow chart of a request response method according to an embodiment of the present invention;
fig. 3 is a flowchart of an information sending method according to another embodiment of the present invention;
FIG. 4 is an interaction diagram of a request response method according to an embodiment of the present invention;
fig. 5 is a schematic diagram illustrating a response process of an edge node of a CDN to a service request of a user equipment according to an embodiment of the present invention;
FIG. 6 is a block diagram of a request response device according to an embodiment of the present invention;
fig. 7 is a block diagram of an information transmitting apparatus according to another embodiment of the present invention;
fig. 8 is a block diagram of an edge node according to an embodiment of the present invention;
fig. 9 is a block diagram of an authentication server according to an embodiment of the present invention;
fig. 10 is a block diagram of an authentication system according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the current content delivery network, when an edge node of the CDN receives a request from a user equipment to access a certain specific URL (Uniform Resource Locator) or specific encrypted data, authentication needs to be performed. For example, for a certain encrypted data, only a limited number of user devices are allowed to access the whole network, and if this number is exceeded, the next user device accessing the encrypted data will be denied access during the authentication process.
In a case that the edge node of the CDN does not cache data and needs to obtain data from the source station, a process in which a user equipment requests the edge node of the CDN to obtain the data is shown in fig. 1, and includes the following steps:
step 1: the user equipment sends a data acquisition request to an edge node;
step 2: the edge node sends an authentication request to an authentication server of the CDN;
step 3: the authentication server feeds back authentication passing information to the edge node;
step 4: the edge node sends a data access request to an upper node of the CDN;
step 5: the upper node sends a data acquisition request to a source station server;
step 6: the source station server sends the data to the upper node;
step 7: the upper node sends the data to the edge node;
step 8: the edge node sends the data to the user equipment.
If the cache data of the edge node contains data requested to be obtained by the user equipment, the existing process that the user equipment requests the edge node of the CDN to obtain the data includes the following steps:
step 1: the user equipment sends a data acquisition request to an edge node;
step 2: the edge node sends an authentication request to an authentication server of the CDN;
step 3: the authentication server feeds back authentication passing information to the edge node;
step 8: the edge node extracts the data from its local cache and sends it to the user equipment.
In short, when a user equipment requests the edge node of the CDN to obtain data under the existing scheme, the edge node must first send an authentication request to the authentication server of the CDN and receive the authentication passing information it feeds back before it responds to the data acquisition request. This prolongs the response time of the edge node for returning data to the user equipment, and therefore prolongs the first packet time. If the authentication server receives many authentication requests and its QPS (Queries Per Second, the query rate) is very high, the load on the authentication server is high and its feedback is slow, so the edge node responds to the user equipment even more slowly, service quality drops and user experience degrades.
In order to solve the above problem, embodiments of the present invention provide a request response method, an apparatus, an edge node, an authentication server, and an authentication system, and first, the request response method of the present invention is described in detail below.
Example one
The embodiment provides a request response method, which is applied to an edge node of a CDN, and as shown in fig. 2, the method includes the following steps:
step 202, a first service request sent by a first user equipment is received.
The user sends a first service request to an edge node of the CDN through a first user equipment, where the first service request may be to request access to a certain URL or request access to certain encrypted data, and so on. If the first service request is a request to access a certain URL, the first service request may include device information of the first user equipment and URL information that the first user equipment needs to access. If the first service request is a request for accessing certain encrypted data, the first service request may include device information of the first user equipment and identification information of the encrypted data that the first user equipment needs to access. The device information of the first user device may include a device identification, an IP (Internet Protocol) address of the user device, and the like.
Step 204, determining whether to respond to the first service request of the first user equipment according to the first service request and a blacklist pre-stored on the edge node.
The blacklist stores the conditions under which the edge node refuses to respond to a service request sent by a user equipment. The conditions may include at least one of: a specified URL is not allowed to be accessed by user equipment; specified encrypted data is not allowed to be accessed by user equipment; a specified URL is not allowed to be accessed by user equipment in a specified area; specified encrypted data is not allowed to be accessed by user equipment in a specified area.
The edge node authenticates the first service request of the first user equipment against the pre-stored blacklist. As an example, suppose the blacklist contains the condition that a certain specified URL is not allowed to be accessed by user equipment in a first specified area. After receiving a service request from the first user equipment to access that URL, the edge node determines from the device information of the first user equipment whether it belongs to the first specified area; if so, the edge node refuses to respond to the service request. If it does not, the edge node responds to the service request: for example, the edge node sends a request to access the URL to an upper node of the CDN, the upper node obtains the data or a link from the source station server and returns it to the edge node, and the edge node sends the data or link to the first user equipment so that it can access the URL.
Optionally, the blacklist stored on the edge node is sent by the authentication server. For example, after receiving the first service request sent by the first user equipment, if the local authentication passes, the edge node responds to the first service request. At the same time, the edge node may send an access request to the authentication server, where the access request includes the first service request of the first user equipment. The authentication server is configured to update the blacklist based on the access request and a denial rule.
It should be noted that if the local authentication does not pass after the first service request is received, the edge node refuses to respond to the first service request of the first user equipment and does not need to send an access request to the authentication server.
The edge node sends the access request to the authentication server, and the authentication server can compile statistics from the access requests and generate or revise the blacklist according to the statistical result. Specifically, the authentication server records the information contained in the access request, such as which URL the IP address of the user equipment has accessed. The blacklist may be formed by the authentication server according to a preset rule. For example, if it is predefined that a URL allows access by only n user equipments with different IP addresses, then once access requests from user equipment with n different IP addresses have been received, the following is added to the blacklist: the specified URL does not allow access. If it is predefined that a certain encrypted data allows access by only user equipment with n different IP addresses, then after access requests from user equipment with n IP addresses have been received, the following is added: the specified encrypted data is not allowed to be accessed. If it is predefined that a certain URL allows access by at most n user equipments with different IP addresses in a designated area, the authentication server can determine from the IP address of the user equipment whether it belongs to the designated area, and after receiving access requests from user equipment with n IP addresses in the designated area it adds to the blacklist: the specified encrypted data is not allowed to be accessed by user equipment in the specified area. If user equipment in the specified area is observed to go offline, the blacklist can be adjusted dynamically and the condition removed from the blacklist.
Optionally, every set time period the edge node receives and stores the blacklist, or the variation of the blacklist, sent by the authentication server, so that the blacklist stored on the edge node is kept synchronized with the blacklist on the authentication server.
In the request response method provided by this embodiment, when receiving a service request sent by a user equipment, the edge node can determine whether to respond to the service request according to a locally stored blacklist, without waiting for the authentication server to authenticate and feed back an authentication result, so that the response speed of the edge node is improved and the user experience is improved.
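The edge-node side of steps 202 and 204 (matching a service request against the four condition forms of the local blacklist), together with the optional variant in which a served request produces an asynchronous access request and the blacklist is later replaced or patched by a sync from the authentication server, as an added Python example. It is not part of the patent and is not Kingsoft Cloud code; the DenyCondition and ServiceRequest types, the EdgeNode class and the IP-prefix-to-area table are all constructed for illustration, and a real edge node would obtain the device's area from a geolocation lookup on its IP address.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DenyCondition:
    """One blacklist entry: refuse `target` (a URL or an encrypted-data id).

    area=None means the condition applies to user equipment anywhere in the
    network; otherwise only to user equipment located in that area.
    """
    kind: str                   # "url" or "encrypted_data"
    target: str
    area: Optional[str] = None


@dataclass(frozen=True)
class ServiceRequest:
    """Constructed stand-in for the first service request of step 202."""
    device_id: str
    ip: str
    url: Optional[str] = None
    data_id: Optional[str] = None


# Assumed (constructed) IP-prefix to area mapping; a deployment would use a
# geolocation database keyed on the device's IP address instead.
AREA_BY_PREFIX = {"10.1.": "area-A", "10.2.": "area-B"}


def area_of(ip: str) -> str:
    for prefix, area in AREA_BY_PREFIX.items():
        if ip.startswith(prefix):
            return area
    return "unknown"


class EdgeNode:
    def __init__(self) -> None:
        self.blacklist: set = set()
        # Access requests queued for the authentication server. They are sent
        # asynchronously and never block the response to the user equipment.
        self.pending_access_requests: list = []

    def apply_sync(self, full=None, added=(), removed=()) -> None:
        """Store a full blacklist, or a variation (added/removed entries)."""
        if full is not None:
            self.blacklist = set(full)
        self.blacklist |= set(added)
        self.blacklist -= set(removed)

    def is_denied(self, req: ServiceRequest) -> bool:
        """Step 204: decide from the local blacklist only, no server round trip."""
        area = area_of(req.ip)
        for cond in self.blacklist:
            requested = req.url if cond.kind == "url" else req.data_id
            if requested is None or requested != cond.target:
                continue
            if cond.area is None or cond.area == area:
                return True
        return False

    def handle(self, req: ServiceRequest) -> str:
        """A denied request produces no access request; a served one does."""
        if self.is_denied(req):
            return "denied"
        self.pending_access_requests.append(req)
        return "served"
```

Because the decision is taken against whatever blacklist the edge node last received, every request that arrives between two syncs is served even if the quota on the authentication server has already been reached; the set time period of the sync (2 minutes in the description) bounds how long that window can be.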
Example two
The embodiment provides another information sending method, which is applied to an authentication server of a CDN, and as shown in fig. 3, the method includes the following steps:
step S302, when receiving the access request sent by the edge node, counting the access request.
For example, if the access request shows that the user equipment with IP address IP1 requested access to URL1, the count of IP addresses that have accessed URL1 is incremented by 1, giving n IP addresses that have accessed URL1.
And step S304, adjusting the blacklist according to the statistical result.
If it is predefined that URL1 allows access by only n user equipments with different IP addresses across the whole network, the following is added to the blacklist: URL1 does not allow access. After the blacklist has been synchronized to each edge node, user equipment with any other IP address that requests URL1 is rejected.
Step S306, every set time period, sending the blacklist or the variation of the blacklist to each edge node connected with the authentication server.
The variation of the blacklist refers to the change in the blacklist between the current transmission and the previous transmission, and comprises the content added to and the content removed from the blacklist. The set time period may be, for example, 2 minutes.
For ease of understanding, fig. 4 shows an interaction diagram between the authentication server and the edge nodes. As shown in fig. 4, in the content delivery network the authentication server may be connected to a plurality of edge nodes; an edge node A and an edge node B are taken as an example in fig. 4.
When edge node A receives a first service request sent by the first user equipment, it determines whether to respond to the first service request according to the first service request and the blacklist pre-stored in edge node A, without waiting for feedback from the authentication server. The blacklist stores the conditions under which the edge node refuses to respond to a service request sent by a user equipment. If edge node A determines to respond to the first service request, it generates an access request from the first service request and sends it to the authentication server. The authentication server compiles statistics from the received access requests and adjusts the blacklist according to the statistical result.
When edge node B receives a second service request sent by a second user equipment, it acts in the same way as edge node A; the second user equipment and the first user equipment may be the same user equipment or different user equipment, which is not limited here. The authentication server receives the access requests sent by each edge node, compiles statistics and adjusts the blacklist. Every set time period the authentication server sends the blacklist to each edge node, so that the blacklist on each edge node is consistent with that on the authentication server.
In the embodiment of the present invention, when there is no cache data in an edge node of a CDN, a process in which a user equipment requests the edge node to obtain data is shown in fig. 5, and includes the following steps:
step a: user equipment sends a data acquisition request to an edge node; the edge node determines whether to respond to the request of the user equipment according to a pre-stored blacklist, and if the response is determined, the following steps are executed:
step b: the edge node sends an access request to an authentication server of the CDN; meanwhile, the edge node sends a data access request to an upper node of the CDN;
The authentication server updates the blacklist based on the access request and the denial rule, and synchronizes the updated blacklist to the edge node at set time intervals.
Step c: the upper node sends a data acquisition request to a source station server;
step d: the source station server sends data to an upper node;
step e: the upper layer node sends the data to the edge node;
step f: the edge node sends the data to the user equipment.
As can be seen from the processes shown in fig. 1 and fig. 5, the embodiment of the present invention changes the existing synchronous authentication mode (sending an authentication request to the authentication server and waiting for its answer) into an asynchronous authentication mode (no authentication request is sent to the authentication server for each service request): after the user equipment initiates a service request, the edge node authenticates it according to the locally stored blacklist without obtaining a response from the authentication server. For the authentication server, its QPS is reduced; for the edge node, there is no waiting for the authentication server's result and no time spent establishing a connection and communicating with it, so the data is returned directly, the first packet time is unaffected, and the service quality of the edge node is improved.
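The authentication-server side of Example two (counting distinct IP addresses per target in step S302, turning a reached quota into a blacklist condition in step S304, and producing the per-period variation of step S306 that the fig. 4 and fig. 5 flows push to every edge node), as an added Python example that is not the patent's or Kingsoft Cloud's own code. DenialRule, AuthServer, the area_of lookup and every sample IP address and URL are constructed; the offline handling follows the description's remark that a condition is removed when counted user equipment in the area goes offline.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DenyCondition:
    """Blacklist entry synchronized to the edge nodes."""
    kind: str                   # "url" or "encrypted_data"
    target: str
    area: Optional[str] = None  # None = whole network


@dataclass(frozen=True)
class DenialRule:
    """Preset rule: at most `max_ips` distinct IP addresses (optionally only
    those in `area`) may access `target`; once that many have been counted,
    the corresponding DenyCondition is added to the blacklist."""
    kind: str
    target: str
    max_ips: int
    area: Optional[str] = None


def area_of(ip: str) -> str:
    """Assumed (constructed) IP-prefix to area lookup."""
    return {"10.1.": "area-A", "10.2.": "area-B"}.get(ip[:5], "unknown")


class AuthServer:
    def __init__(self, rules) -> None:
        self.rules = list(rules)
        # Per rule: the distinct IP addresses currently counted against it.
        self.seen = defaultdict(set)
        self.blacklist: set = set()
        self.last_sent: set = set()   # what the edge nodes already hold

    @staticmethod
    def _key(rule: DenialRule):
        return (rule.kind, rule.target, rule.area)

    def _matching_rules(self, kind, target, ip):
        area = area_of(ip)
        return [r for r in self.rules
                if r.kind == kind and r.target == target
                and (r.area is None or r.area == area)]

    def record_access(self, kind: str, target: str, ip: str) -> None:
        """S302: count an access request forwarded by an edge node.
        A repeated request from the same IP does not consume a new slot."""
        for rule in self._matching_rules(kind, target, ip):
            self.seen[self._key(rule)].add(ip)
        self._recompute()

    def record_offline(self, kind: str, target: str, ip: str) -> None:
        """A counted device went offline: release its slot and re-evaluate."""
        for rule in self._matching_rules(kind, target, ip):
            self.seen[self._key(rule)].discard(ip)
        self._recompute()

    def _recompute(self) -> None:
        """S304: every rule whose quota is reached becomes a blacklist entry."""
        self.blacklist = {
            DenyCondition(r.kind, r.target, r.area)
            for r in self.rules
            if len(self.seen[self._key(r)]) >= r.max_ips
        }

    def sync_delta(self):
        """S306: the variation since the last transmission (added, removed)."""
        added = self.blacklist - self.last_sent
        removed = self.last_sent - self.blacklist
        self.last_sent = set(self.blacklist)
        return added, removed
```

Sending the variation rather than the full list keeps the periodic message small as the number of rules grows, but it makes every edge node's view depend on having received every earlier variation; an edge node that missed a period should request the full blacklist instead of applying the next delta on top of a stale copy.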
Example three
Corresponding to the first method embodiment, this embodiment provides a request response device, which is applied to an edge node of a CDN. As shown in fig. 6, the apparatus includes:
a service request receiving unit 61, configured to receive a first service request sent by a first user equipment;
an authentication unit 62, configured to determine whether to respond to the first service request of the first user equipment according to the first service request and a blacklist pre-stored in the edge node; and the blacklist stores the condition that the edge node refuses to respond to the service request sent by the user equipment.
Wherein the first service request comprises at least one of: the device information of the first user equipment, the Uniform Resource Locator (URL) information that the first user equipment needs to access, and the identification information of the encrypted data that the first user equipment needs to access.
The conditions include at least one of: a specified URL may not be accessed by a specified user equipment; specified encrypted data may not be accessed by a specified user equipment; a specified URL may not be accessed by user equipment in a specified area; specified encrypted data may not be accessed by user equipment in a specified area.
Optionally, the apparatus may further include an access request sending unit, connected to the authentication unit 62, and configured to send an access request to the authentication server; wherein the authentication server is configured to update a blacklist based on the access request and a denial rule.
The device may further include a blacklist receiving unit, configured to receive and store the blacklist or the variation of the blacklist sent by the authentication server at set time intervals. The blacklist receiving unit may be connected to the service request receiving unit 61, may also be connected to the authentication unit 62, or may be connected to the service request receiving unit 61 and the authentication unit 62.
Example four
Corresponding to the above two embodiments of the method, the present embodiment provides an information sending apparatus, which is applied to an authentication server of a CDN. As shown in fig. 7, the apparatus includes:
a counting unit 71, configured to count the access information when an access request sent by an edge node is received;
a blacklist revising unit 72, configured to adjust the blacklist according to the statistical result.
Optionally, the apparatus may further include a blacklist sending unit 73, configured to send the blacklist or the variation of the blacklist to each edge node connected to the authentication server every set time period.
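A compact model of the mechanism described in examples three and four (the edge node's local blacklist check against the four condition types, the authentication server's counting unit and blacklist revising unit, and the periodic sync of only the blacklist variation), added here as an illustrative example rather than code from the patent. The threshold denial rule, the tuple layout of a blacklist entry, the field names, and the "region" attribute (taken to be derived by the edge node from the device information) are assumptions.

```python
from collections import Counter

# A blacklist entry is a tuple (kind, resource, scope, subject) covering the four
# condition types of the description:
#   kind  = "url"  (a URL)  or "data" (identifier of encrypted data)
#   scope = "device" (one user equipment) or "region" (every device in an area)
# e.g. ("url", "/v/1.m3u8", "device", "dev-7") denies that URL to device dev-7;
#      ("data", "key-42", "region", "CN-BJ") denies encrypted data key-42 to
#      every device in region CN-BJ.  All values are constructed for this example.

def matches(entry, req):
    """True when a blacklist entry covers this service request."""
    kind, resource, scope, subject = entry
    wanted = req.get("url") if kind == "url" else req.get("data")
    if wanted != resource:
        return False
    return req["device"] == subject if scope == "device" else req["region"] == subject


class EdgeNode:
    def __init__(self, node_id):
        self.node_id = node_id
        self.blacklist = set()   # pre-stored, kept in sync by the authentication server
        self.outbox = []         # access requests for the server; no reply is awaited

    def handle(self, req):
        """Asynchronous mode: report the access, decide locally, return True to serve."""
        self.outbox.append(dict(req, node=self.node_id))
        return not any(matches(e, req) for e in self.blacklist)

    def apply_sync(self, added=(), removed=()):
        """Install the variation of the blacklist pushed by the authentication server."""
        self.blacklist = (self.blacklist | set(added)) - set(removed)


class AuthServer:
    MAX_HITS = 3   # assumed denial rule: more than 3 requests by one device for one URL

    def __init__(self):
        self.counts = Counter()   # counting unit: (device, url) -> number of requests
        self.blacklist = set()
        self.last_synced = set()

    def receive(self, access_requests):
        """Counting unit and blacklist revising unit."""
        for req in access_requests:
            if req.get("url"):
                self.counts[(req["device"], req["url"])] += 1
        for (device, url), n in self.counts.items():
            if n > self.MAX_HITS:
                self.blacklist.add(("url", url, "device", device))

    def sync_variation(self, nodes):
        """Periodic sync: push only what changed since the last sync to every edge node."""
        added = self.blacklist - self.last_synced
        removed = self.last_synced - self.blacklist
        for node in nodes:
            node.apply_sync(added, removed)
        self.last_synced = set(self.blacklist)
        return added, removed


def simulate():
    """Device dev-7 requests one URL four times; after a sync the edge node refuses it."""
    edge, auth = EdgeNode("edge-1"), AuthServer()
    req = {"device": "dev-7", "region": "CN-BJ", "url": "/v/1.m3u8", "data": None}
    first = [edge.handle(req) for _ in range(4)]      # all served: the server is not awaited
    auth.receive(edge.outbox)
    edge.outbox.clear()
    added, _ = auth.sync_variation([edge])
    later = edge.handle(req)                          # now refused from the local blacklist
    other = edge.handle(dict(req, device="dev-8"))    # a per-device entry does not hit dev-8
    return first, sorted(added), later, other
```

Note that the first four requests are all served: with the server not being awaited, a device is only refused once the next sync has delivered the revised blacklist, which is the latency trade-off of the asynchronous mode.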
Example five
The embodiment provides an edge node in the CDN, and as shown in fig. 8, the edge node includes a first processor 81, a first memory 82 connected to the first processor 81, and a first communication interface 84. The first processor 81, the first communication interface 84, and the first memory 82 may be connected by a first bus 83.
The first memory 82 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile memory, such as at least one disk memory. The communication connection between this network element of the system and at least one other network element is realized through at least one first communication interface 84 (which may be wired or wireless), over the internet, a wide area network, a local network, a metropolitan area network, or the like. The first bus 83 may be an ISA bus, a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in fig. 8, but this does not indicate that there is only one bus or one type of bus.
The first processor 81 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be implemented by integrated logic circuits of hardware or by instructions in the form of software in the first processor 81. The first processor 81 may be a general-purpose processor, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present disclosure. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present disclosure may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in the first memory 82; the first processor 81 reads the information in the first memory 82 and, in combination with its hardware, completes the request response method. Optionally, the following operations may be implemented:
receiving a first service request sent by first user equipment;
determining whether to respond to the first service request of the first user equipment according to the first service request and a blacklist pre-stored on the edge node; and the blacklist stores the condition that the edge node refuses to respond to the service request sent by the user equipment.
Example six
The embodiment provides an authentication server in the CDN, and as shown in fig. 9, the authentication server includes a second processor 91, a second memory 92 connected to the second processor 91, and a second communication interface 94. The second processor 91, the second communication interface 94 and the second memory 92 may be connected by a second bus 93.
The second memory 92 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile memory, such as at least one disk memory. The communication connection between this network element of the system and at least one other network element is realized through at least one second communication interface 94 (which may be wired or wireless), over the internet, a wide area network, a local network, a metropolitan area network, or the like. The second bus 93 may be an ISA bus, a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in fig. 9, but this does not indicate that there is only one bus or one type of bus.
The second processor 91 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be implemented by integrated logic circuits of hardware or by instructions in the form of software in the second processor 91. The second processor 91 may be a general-purpose processor, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present disclosure. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present disclosure may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in the second memory 92; the second processor 91 reads the information in the second memory 92 and, in combination with its hardware, completes the information sending method. Optionally, the following operations may be implemented:
when an access request sent by an edge node is received, counting the access information;
adjusting the blacklist according to the statistical result;
sending the blacklist or the variation of the blacklist to each edge node connected to the authentication server every set time period.
Further, embodiments of the present invention also provide a machine-readable storage medium storing machine-executable instructions, which when invoked and executed by a processor, cause the processor to implement the method of the first or second embodiment.
Example seven
The embodiment provides an authentication system applied to a content distribution network. As shown in fig. 10, the system includes an authentication server 90 and edge nodes 80, the authentication server 90 being connected to a plurality of edge nodes 80 in the system. When an edge node 80 receives a service request sent by a user equipment, it generates access information according to the device information of the user equipment and the service request and sends the access information to the authentication server 90; at the same time, the edge node 80 determines whether to respond to the service request of the user equipment according to the locally stored blacklist. The authentication server 90 makes statistics based on the received access information and revises the blacklist based on the statistical result. The authentication server 90 synchronizes the blacklist to each edge node 80 every set time period, so that the blacklist on each edge node 80 is consistent with that on the authentication server 90.
The request response method, the device, the edge node and the authentication system provided by the embodiment of the invention have the same technical characteristics, so the same technical problems can be solved, and the same technical effect can be achieved.
It should be noted that, in the embodiments provided in the present invention, it should be understood that the disclosed system and method can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments provided by the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (13)

1. A request response method is applied to an edge node of a CDN, and is characterized by comprising the following steps:
receiving a first service request sent by first user equipment;
determining whether to respond to the first service request of the first user equipment according to the first service request and a blacklist pre-stored on the edge node; and the blacklist stores the condition that the edge node refuses to respond to the service request sent by the user equipment.
2. The method of claim 1, wherein the first service request comprises at least one of: the device information of the first user equipment, the Uniform Resource Locator (URL) information that the first user equipment needs to access, and the identification information of the encrypted data that the first user equipment needs to access.
3. The method of claim 1, wherein the conditions comprise at least one of: specifying that the uniform resource locator URL does not allow access by the user device, specifying that the encrypted data does not allow access by the user device, specifying that the uniform resource locator URL does not allow access by the user device in the specified area, specifying that the encrypted data does not allow access by the user device in the specified area.
4. The method of claim 1, wherein after receiving the first service request sent by the first user equipment, the method further comprises:
sending an access request to an authentication server; wherein the authentication server is configured to update a blacklist based on the access request and a denial rule.
5. The method of claim 1, further comprising:
receiving and storing the blacklist or the variation of the blacklist sent by the authentication server every set time period.
6. A request response device applied to an edge node of a CDN, the device comprising:
a service request receiving unit, configured to receive a first service request sent by a first user equipment;
an authentication unit, configured to determine whether to respond to the first service request of the first user equipment according to the first service request and a blacklist pre-stored on the edge node; and the blacklist stores the condition that the edge node refuses to respond to the service request sent by the user equipment.
7. The apparatus of claim 6, wherein the first service request comprises at least one of: the device information of the first user equipment, the Uniform Resource Locator (URL) information that the first user equipment needs to access, and the identification information of the encrypted data that the first user equipment needs to access.
8. The apparatus of claim 6, wherein the condition comprises at least one of: specifying that the uniform resource locator URL does not allow access by the user device, specifying that the encrypted data does not allow access by the user device, specifying that the uniform resource locator URL does not allow access by the user device in the specified area, specifying that the encrypted data does not allow access by the user device in the specified area.
9. The apparatus of claim 6, further comprising:
an access request sending unit, configured to send an access request to an authentication server; wherein the authentication server is configured to update a blacklist based on the access request and a denial rule.
10. The apparatus of claim 6, further comprising:
a blacklist receiving unit, configured to receive and store the blacklist or the variation of the blacklist sent by the authentication server every set time period.
11. An edge node comprising a first processor and a first memory coupled to the first processor;
the first memory stores machine executable instructions executable by the first processor to perform the method of any one of claims 1 to 5.
12. An authentication system comprising the edge node and the authentication server of claim 11; the authentication server is connected with at least one edge node.
13. A computer-readable storage medium storing computer program instructions for use in implementing the request response method of any of claims 1 to 5.
CN201811371745.3A 2018-11-15 2018-11-15 Request response method, device, edge node and authentication system Pending CN111193692A (en)
Publications (1)

Publication Number Publication Date
CN111193692A true CN111193692A (en) 2020-05-22
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20200522)