CN111510300A - Data processing method, device, equipment and computer readable storage medium - Google Patents


Info

Publication number
CN111510300A
Authority
CN (China)
Prior art keywords
target
resource pool
cloud resource
network request
packet
Legal status
Granted
Application number
CN202010279788.XA
Other languages
Chinese (zh)
Other versions
CN111510300B (en)
Inventors
李朝霞
李松悟
房秉毅
杨绍光
张辉
时文丰
Current assignee
China United Network Communications Group Co Ltd
Unicom Cloud Data Co Ltd
Original assignee
China United Network Communications Group Co Ltd
Unicom Cloud Data Co Ltd

Application filed by China United Network Communications Group Co Ltd and Unicom Cloud Data Co Ltd
Priority to CN202010279788.XA
Publication of CN111510300A
Application granted
Publication of CN111510300B
Legal status: Active
Anticipated expiration

Classifications

    • H04L 9/3247 (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication): Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols, including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials; involving digital signatures
    • H04L 63/12 (H; H04; H04L, as above): Network architectures or network communication protocols for network security; applying verification of the received information
    • H04L 63/1458 (H; H04; H04L, as above): Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic; countermeasures against malicious traffic; denial of service
    • H04L 9/3263 (H; H04; H04L, as above): Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols, including means for verifying the identity or authority of a user of the system or for message authentication; involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a data processing method, apparatus, device and computer-readable storage medium. The method comprises: acquiring and storing a network request packet sent by a terminal device; signing the network request packet with a preset security certificate to obtain a target data packet; and, when a preset trigger condition is met, sending the target data packet to the cloud resource pool where the target Internet protocol address is located. Because the stored network request packet is transmitted only once the preset trigger condition is met, requests are not sent to the cloud resource pool at high frequency. In addition, because the network request packet is signed before transmission, the cloud resource pool can verify the target data packet against its signature, which effectively protects the server side against DDoS attacks while placing low demands on switch specifications.

Description

Data processing method, device, equipment and computer readable storage medium
Technical Field
The present invention relates to the field of internet, and in particular, to a data processing method, apparatus, device, and computer-readable storage medium.
Background
In most current applications, maintaining efficient communication between client and server requires the client to stay online for long periods. Such long-connection applications must, however, exchange frequent heartbeat messages with the server. The number of requests reaching the server therefore grows, the requests are easy to forge, and the server becomes exposed to Distributed Denial of Service (DDoS) attacks. Network traffic also increases and easily causes congestion, and the common countermeasure of judging repeated request packets by their source IP address produces false positives, i.e. legitimate requests are dropped.
To address these problems, the prior art generally discards synchronization requests arriving from the same IP address, which cleans the traffic, reduces the volume the server must scrub under high load, and keeps the server's service stable and normal.
However, this method can only intercept at the core switch and does not actually reduce traffic in the network; it puts heavy load on the ingress switch, and the internet content provider operating the cloud computing servers has to deploy high-specification switches around them.
Disclosure of Invention
The invention provides a data processing method, apparatus, device and computer-readable storage medium to solve the technical problems that the existing data processing method places high demands on equipment and cannot effectively reduce traffic in the network.
A first aspect of the present invention provides a data processing method, including:
acquiring and storing a network request packet sent by terminal equipment, wherein the network request packet comprises application process information, a target Internet protocol address and an application server identifier to be sent;
signing the network request packet through a preset security certificate to obtain a target data packet;
and when a preset trigger condition is met, sending the target data packet to a cloud resource pool where the target Internet protocol address is located.
In a possible design, sending the target data packet to the cloud resource pool when a preset trigger condition is met includes:
and if the message length of the currently acquired network request packet is detected to exceed a preset length threshold, sending the target data packet to a cloud resource pool where the target Internet protocol address is located.
In a possible design, sending the target data packet to the cloud resource pool when a preset trigger condition is met includes:
and if the time for acquiring the network request packet currently exceeds a preset time threshold, sending the target data packet to a cloud resource pool where the target Internet protocol address is located.
In one possible design, the signing the network request packet by the preset security certificate includes:
signing the network request packet with a security certificate held in a preset SIM module.
A second aspect of the present invention provides a data processing method applied to a cloud resource pool, where the cloud resource pool includes an edge inspection node and a cloud resource pool border gateway, and the method includes:
acquiring a target data packet sent by a data processing device, wherein the target data packet is sent when a preset trigger condition is met after the data processing device signs a network request packet through a preset security certificate, and the network request packet comprises application process information, a target internet protocol address and an application server identifier to be sent;
verifying, by the edge check node, a signature of the target packet;
and when the verification is passed, sending the target data packet to a cloud resource pool boundary gateway where the target Internet protocol address is located.
In one possible design, after verifying the signature of the target packet by the edge checking node, the method further includes:
and when the verification fails, sending the target data packet to a preset black hole route for processing.
In one possible design, after sending the target packet to the cloud resource pool boundary gateway where the target internet protocol address is located, the method further includes:
and replacing the target internet protocol address and the target port number in the target data packet by a preset internet protocol address and a preset port number through the cloud resource pool boundary gateway.
In one possible design, after sending the target packet to the cloud resource pool boundary gateway where the target internet protocol address is located, the method further includes:
determining a corresponding relation among a channel identifier for transmitting the target data packet, a sequence number corresponding to the target data packet, a target internet protocol address and a target port number through the cloud resource pool boundary gateway;
and sending the target data packet to an application server to be sent through the cloud resource pool border gateway.
A third aspect of the present invention provides a data processing apparatus comprising:
an acquisition module, a signature module and a sending module, wherein the acquisition module is configured to acquire and store a network request packet sent by a terminal device, the network request packet comprising application process information, a target Internet protocol address and an application server identifier to be sent;
the signature module is used for signing the network request packet through a preset security certificate to obtain a target data packet;
and the sending module is used for sending the target data packet to the cloud resource pool where the target internet protocol address is located when a preset trigger condition is met.
A fourth aspect of the present invention provides a cloud resource pool, where the cloud resource pool includes an edge inspection node and a cloud resource pool border gateway, and the cloud resource pool includes:
the data packet acquisition module is used for acquiring a target data packet sent by a data processing device, wherein the target data packet is sent when a preset trigger condition is met after the data processing device signs a network request packet through a preset security certificate, and the network request packet comprises application process information, a target internet protocol address and an application server identifier to be sent;
the verification module is used for verifying the signature of the target data packet through the edge check node;
and the processing module is used for sending the target data packet to the cloud resource pool boundary gateway where the target internet protocol address is located when the verification is passed.
A fifth aspect of the present invention provides a data processing apparatus comprising: a memory, a processor;
the memory storing processor-executable instructions;
wherein the processor is configured to execute the instructions so as to perform the data processing method of the first or second aspect.
A sixth aspect of the present invention provides a computer-readable storage medium having stored therein computer-executable instructions for implementing the data processing method according to the first or second aspect when executed by a processor.
According to the data processing method, the data processing device, the data processing equipment and the computer readable storage medium, when the acquired network request packet sent by the terminal equipment meets the preset trigger condition, the network request packet is transmitted, so that the request can be prevented from being frequently sent to the cloud resource pool. In addition, the network request packet is signed before being transmitted, so that the subsequent cloud resource pool can verify the target data packet according to the signature, the service end can be effectively prevented from being attacked by the DDOS, and the requirement on the specification of the switch is low.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art according to the drawings.
FIG. 1 is a schematic diagram of a system architecture on which the present invention is based;
fig. 2 is a schematic flowchart of a data processing method according to an embodiment of the present invention;
fig. 3 is a schematic view of an application scenario provided in an embodiment of the present invention;
FIG. 4 is a block diagram of a data processing apparatus according to an embodiment of the present invention;
fig. 5 is a schematic flowchart of a data processing method according to a second embodiment of the present invention;
fig. 6 is a schematic structural diagram of a data processing apparatus according to a third embodiment of the present invention;
fig. 7 is a schematic structural diagram of a cloud resource pool according to a fourth embodiment of the present invention;
fig. 8 is a schematic structural diagram of a data processing apparatus according to a fifth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other examples obtained based on the examples in the present invention are within the scope of the present invention.
Definitions of terms:
DDoS: a Distributed Denial of Service attack combines many computers into an attack platform using client/server technology and launches denial-of-service attacks against one or more targets, multiplying the effect of a denial-of-service attack. Typically the attacker installs a DDoS master program on one computer using a stolen account; at a set time the master communicates with a large number of agent programs previously installed on many computers across the network, and each agent launches its attack on receiving the instruction. Using client/server technology, the master can activate hundreds or thousands of agents within seconds.
Internet Protocol Address (IP Address for short): the IP address is a uniform address format provided by the IP protocol, and it allocates a logical address to each network and each host on the internet, so as to mask the difference of physical addresses.
In view of the above-mentioned technical problems that the existing data processing method has high requirements on devices and cannot effectively reduce the traffic in the network, the present invention provides a data processing method, an apparatus, a device and a computer readable storage medium.
It should be noted that the data processing method, apparatus, device, and computer-readable storage medium provided in the present application may be applied in various data transmission scenarios.
For example, the method and apparatus can be applied to gaming: if a game server cannot receive and process the packets sent by the client in time, the user sees stalls, delayed skill activation and choppy communication between players, and in severe cases the client is disconnected. Such stuttering and lag seriously degrade the game experience and hurt player retention.
For example, they can be applied to cloud computing: if some servers cannot receive and process client packets in time, the client loses contact with the server and cannot browse the relevant information or refresh web page data; in the securities industry, for instance, real-time index changes would not be visible, leading to investment errors. The security and stability of the cloud computing service are thereby greatly reduced, and the cloud computing provider's operating profit falls with the resulting losses.
To avoid DDoS attacks, the prior art discards synchronization requests from the same IP address when the volume of synchronization requests received by the server is large, thereby reducing the data volume and keeping the server operating normally. However, this method can only intercept at the core switch, puts heavy load on the ingress switch, and requires the internet content provider to deploy high-specification switches around the cloud computing servers.
Therefore, to reduce the demands on equipment while still reducing the data volume, the inventors found during their research that different trigger conditions can be set in advance and the network request packet sent only when a trigger condition is met, so that network request packets are not transmitted at high frequency.
The inventor further researches and discovers that the network request packet sent by the terminal equipment is transmitted when the acquired network request packet meets the preset triggering condition, so that the request can be prevented from being sent to the cloud resource pool frequently. In addition, the network request packet is signed before being transmitted, so that the subsequent cloud resource pool can verify the target data packet according to the signature, and the service end can be effectively prevented from being attacked by the DDOS.
Fig. 1 is a schematic diagram of the system architecture on which the invention is based. As shown in Fig. 1, the architecture includes at least a terminal device 1 and a data processing apparatus 2. The data processing apparatus 2 may be written in C/C++, Java, Shell or Python; the terminal device 1 may be a desktop computer, a tablet computer or the like. The terminal device 1 is communicatively connected to the data processing apparatus 2 so that the two can exchange information.
Fig. 2 is a schematic flow chart of a data processing method according to an embodiment of the present invention, as shown in fig. 2, the method includes:
step 101, a network request packet sent by a terminal device is obtained and stored, wherein the network request packet includes application process information, a target internet protocol address and an application server identifier to be sent.
The execution main body of the embodiment is a data processing device, and the data processing device is in communication connection with the terminal equipment, so that information interaction can be carried out with the terminal equipment. The data processing device may be incorporated in the terminal device, or may be a device independent from the terminal device.
In this embodiment, when the application software installed on the terminal device needs to perform data update, a network request packet may be transmitted to the data processing apparatus. Accordingly, when the data processing device acquires the network request packet sent by the terminal device, the data processing device may not forward the network request packet temporarily. The network request packet may be temporarily stored, and when the stored network request packet satisfies a preset condition, the network request packet is transmitted. The network request packet includes application process information, a target internet protocol address and an application server identifier to be sent.
Specifically, the terminal device signs the network request packet with its own preset security certificate before sending it, so after acquiring the network request packet the data processing apparatus first verifies it and stores it only once verification passes.
And 102, signing the network request packet through a preset security certificate to obtain a target data packet.
In this embodiment, after the network request packet sent by the terminal device is acquired and stored, the network request packet is signed by using a preset security certificate, and a target data packet to be transmitted is acquired.
Specifically, the network request packet may be signed with a security certificate held in a preset SIM module. If the data processing apparatus is installed on a terminal device such as a mobile phone, the signing operation can be performed through the phone's SIM card module; if it is installed on a terminal device such as a computer, which has no SIM module, a SIM module must first be installed on the terminal device and the signing operation is then performed through it.
And 103, when a preset trigger condition is met, sending the target data packet to a cloud resource pool where the target internet protocol address is located.
In this embodiment, whether the currently acquired target data packet meets a preset trigger condition may be determined. When the trigger condition is met, the data processing device may send the target data packet to a cloud resource pool where the target internet protocol address is located. Therefore, the subsequent cloud resource pool can forward the target data packet to the application server to be sent according to the application server identifier to be sent.
Fig. 3 is a schematic view of an application scenario provided in an embodiment of the present invention, and as shown in fig. 3, when a user browses a page through application software, the page may be refreshed through pull-down, and accordingly, the terminal device may send a network request packet to the data processing apparatus according to the refresh operation, and perform a page refresh operation according to data fed back by the server. The page may be a weather reference information page, and the user may obtain the latest weather through pull-down.
Fig. 4 is a structural diagram of a data processing apparatus according to an embodiment of the invention. As shown in Fig. 4, solid lines show the structure of an existing data processing apparatus, comprising an application layer, a socket abstraction layer, a transport layer, a network layer and a link layer, and dotted lines show the modules newly added by the invention: an encryption module and an interception module. The application layer acquires the network request packet triggered by the user; the encryption module, after receiving the network request packet from the application layer, encrypts (signs) it through the SIM; and the interception module stores the resulting target data packet and, when a preset trigger condition is met, passes it to the hardware interface in the link layer, which sends it to the cloud resource pool over the transmission medium.
Further, on the basis of the first embodiment, the step 103 specifically includes:
and if the message length of the currently acquired network request packet is detected to exceed a preset length threshold, sending the target data packet to a cloud resource pool where the target Internet protocol address is located.
In this embodiment, the preset triggering condition may be that the message length exceeds a preset length threshold, and if it is detected that the message length of the currently acquired network request packet exceeds the preset length threshold, the target data packet is sent to the cloud resource pool where the target internet protocol address is located. Therefore, the service pressure caused by frequently sending the target data packet can be effectively avoided. The length threshold may be a default empirical value, or may be set by the user according to actual needs, which is not limited in the present invention.
Further, on the basis of the first embodiment, the step 103 specifically includes:
and if the time for acquiring the network request packet currently exceeds a preset time threshold, sending the target data packet to a cloud resource pool where the target Internet protocol address is located.
In this embodiment, the preset trigger condition may be that the time since the network request packet was acquired exceeds a preset time threshold; if the currently acquired network request packet has been held longer than the preset time threshold, the target data packet is sent to the cloud resource pool where the target internet protocol address is located. This effectively avoids the service pressure caused by sending target data packets too frequently. The time threshold may be a default empirical value or set by the user according to actual needs, which the invention does not limit.
According to the data processing method provided by this embodiment, the network request packet acquired from the terminal device is transmitted only when it meets the preset trigger condition, so requests are not sent to the cloud resource pool at high frequency. In addition, the network request packet is signed before transmission, so the cloud resource pool can subsequently verify the target data packet against its signature, which effectively protects the server side against DDoS attacks.
Fig. 5 is a schematic flow chart of a data processing method according to a second embodiment of the present invention, and as shown in fig. 5, the method includes:
step 201, obtaining a target data packet sent by a data processing device, where the target data packet is sent when a preset trigger condition is met after the data processing device signs a network request packet through a preset security certificate, and the network request packet includes application process information, a target internet protocol address, and an application server identifier to be sent;
step 202, verifying the signature of the target data packet through the edge check node;
and 203, when the verification is passed, sending the target data packet to the cloud resource pool border gateway where the target internet protocol address is located.
Further, on the basis of the second embodiment, after the step 202, the method further includes:
and when the verification fails, sending the target data packet to a preset black hole route for processing.
The execution subject of the embodiment is a cloud resource pool, and the cloud resource pool is in communication connection with the data processing device, so that information interaction can be performed with the data processing device. The cloud resource pool may specifically include an edge check node and a cloud resource pool border gateway.
In this embodiment, the cloud resource pool may obtain a target data packet sent by the data processing device, where the target data packet is sent when a preset trigger condition is met after the data processing device signs a network request packet through a preset security certificate, and the network request packet includes application process information, a target internet protocol address, and an identifier of an application server to be sent.
After the target data packet sent by the data processing apparatus is obtained, the validity of the target data packet must be verified to protect the destination application server from DDoS attacks. Specifically, the signature of the target data packet may be verified against the preset security certificate; when the signature verifies, the target data packet may be sent to the cloud resource pool border gateway where the target internet protocol address is located. Correspondingly, when verification fails, the target data packet may be sent to a preset black hole route for processing, so as to keep the server secure.
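An added example, not code from the patent or its applicants, showing both sides described above: the interception module of steps 101 to 103 (store request packets, emit one signed target packet when either the length-threshold or the time-threshold trigger fires) and the edge check node of steps 201 to 203 (verify the signature, forward to the border gateway on success, send to the black hole route on failure). It is written in Python, one of the languages the text names for the apparatus. The signature primitive is HMAC-SHA256 under a constructed shared key, used only so the example runs with the standard library; the scheme described here signs with a certificate key held in the SIM module, and an edge check node would verify with the certificate's public key and never hold the signing secret. The packet field names, the JSON line encoding and the injectable clock are assumptions of this example.

```python
import hashlib
import hmac
import json
import time
from dataclasses import asdict, dataclass

# Constructed key standing in for the certificate key in the SIM module
# (assumption for this example only; a real deployment signs with a private
# key and the edge check node verifies with the certificate's public key).
DEMO_KEY = b"demo-sim-key-not-for-production"
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes appended to the body


@dataclass(frozen=True)
class RequestPacket:
    """One network request packet: process info, target IP/port, app server id."""
    process_info: str
    target_ip: str
    target_port: int
    app_server_id: str
    body: str


def sign(data, key=DEMO_KEY):
    """Stand-in for signing with the SIM-held certificate key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(target_packet, key=DEMO_KEY):
    """Split a target packet into (body, ok); ok is False on a bad or truncated signature."""
    if len(target_packet) <= SIG_LEN:
        return b"", False
    body, sig = target_packet[:-SIG_LEN], target_packet[-SIG_LEN:]
    return body, hmac.compare_digest(sig, sign(body, key))


class InterceptModule:
    """Stores request packets and emits one signed target packet when a trigger fires.

    The two trigger conditions mirror the designs in the text: the buffered
    message length exceeds length_threshold bytes, or the time since the
    first stored packet exceeds time_threshold seconds. The clock is
    injectable so the time trigger can be exercised without sleeping.
    """

    def __init__(self, length_threshold, time_threshold, clock=time.monotonic):
        self.length_threshold = length_threshold
        self.time_threshold = time_threshold
        self.clock = clock
        self._stored = []
        self._stored_bytes = 0
        self._first_seen = None

    def store(self, pkt):
        """Store a request packet; return a signed target packet if a trigger fires, else None."""
        encoded = json.dumps(asdict(pkt), sort_keys=True).encode()
        if self._first_seen is None:
            self._first_seen = self.clock()
        self._stored.append(encoded)
        self._stored_bytes += len(encoded)
        return self.flush_if_triggered()

    def flush_if_triggered(self):
        """Called on store and periodically; releases the batch only when a trigger holds."""
        if not self._stored:
            return None
        too_long = self._stored_bytes > self.length_threshold
        too_old = self.clock() - self._first_seen > self.time_threshold
        if not (too_long or too_old):
            return None
        body = b"\n".join(self._stored)           # one request per line
        self._stored, self._stored_bytes, self._first_seen = [], 0, None
        return body + sign(body)                  # target data packet = body || signature


def edge_check(target_packet, key=DEMO_KEY):
    """Edge check node: verify the signature, then route.

    Returns ("gateway", packets) when the signature verifies, so the packet
    goes on to the border gateway of the pool holding the target IP, and
    ("blackhole", []) otherwise, i.e. the packet goes to the black hole route.
    """
    body, ok = verify(target_packet, key)
    if not ok:
        return "blackhole", []
    return "gateway", [json.loads(line) for line in body.split(b"\n")]


if __name__ == "__main__":
    now = [0.0]                                   # fake clock for the demo
    module = InterceptModule(length_threshold=200, time_threshold=5.0, clock=lambda: now[0])
    pkt = RequestPacket("weather-app", "10.0.0.8", 443, "srv-weather-01", "pull-to-refresh")
    print(module.store(pkt))                      # None: still under both thresholds
    now[0] = 6.0
    target = module.flush_if_triggered()          # time threshold exceeded, batch released
    print(edge_check(target)[0])                  # gateway
    print(edge_check(b"x" + target[1:])[0])       # blackhole: body tampered
```

Two points worth noting in use: the signature covers the whole batch, so one forged or corrupted request discards the batch at the edge rather than reaching the application server, and verification happens before any parsing of the body, so the black hole path costs the edge node one MAC computation and no JSON work.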
Further, on the basis of the second embodiment, the method further includes:
and replacing the target internet protocol address and the target port number in the target data packet by a preset internet protocol address and a preset port number through the cloud resource pool boundary gateway.
In this embodiment, the cloud resource pool may further, through the cloud resource pool border gateway, replace the target internet protocol address and target port number in the target data packet with a preset internet protocol address and port number. This prevents the long-connection application's server from sending the response to a sub-message directly to the terminal device, bypassing the data processing apparatus and the established dedicated message channel.
Further, on the basis of the second embodiment, after step 203, the method further includes:
determining a corresponding relation among a channel identifier for transmitting the target data packet, a sequence number corresponding to the target data packet, a target internet protocol address and a target port number through the cloud resource pool boundary gateway;
and sending the target data packet to an application server to be sent through the cloud resource pool border gateway.
In this embodiment, the cloud resource pool may further determine, through the cloud resource pool border gateway, a correspondence between a channel identifier for transmitting the target data packet, a sequence number corresponding to the target data packet, a target internet protocol address, and a target port number; and send the target data packet to the application server to be sent through the cloud resource pool border gateway. Therefore, after the application server to be sent returns a response message to the sub-message, the destination address and destination port number of the response message can be replaced using this correspondence.
According to the data processing method provided by the embodiment, the target data packet sent by the data processing device is verified, the target data packet is correspondingly processed according to the verification result, and the suspected attack data is sent to the preset black hole route for processing, so that the server side can be effectively prevented from being attacked by the DDOS.
Fig. 6 is a schematic structural diagram of a data processing apparatus according to a third embodiment of the present invention, and as shown in fig. 6, the apparatus includes: the system comprises an acquisition module 31, a signature module 32 and a sending module 33, wherein the acquisition module 31 is configured to acquire and store a network request packet sent by a terminal device, and the network request packet includes application process information, a target internet protocol address and an application server identifier to be sent; the signature module 32 is configured to sign the network request packet through a preset security certificate to obtain a target data packet; and the sending module 33 is configured to send the target data packet to the cloud resource pool where the target internet protocol address is located when a preset trigger condition is met.
Further, on the basis of the third embodiment, the sending module 33 is specifically configured to:
and if the message length of the currently acquired network request packet is detected to exceed a preset length threshold, sending the target data packet to a cloud resource pool where the target Internet protocol address is located.
Further, on the basis of the third embodiment, the sending module 33 is specifically configured to:
and if the time for acquiring the network request packet currently exceeds a preset time threshold, sending the target data packet to a cloud resource pool where the target Internet protocol address is located.
Further, on the basis of the third embodiment, the signature module 32 is specifically configured to:
and signing the network request packet through a security certificate in a preset SIM module.
The data processing apparatus provided in this embodiment transmits the network request packet when the acquired network request packet sent by the terminal device meets the preset trigger condition, so that frequent request sending to the cloud resource pool can be avoided. In addition, the network request packet is signed before being transmitted, so that the subsequent cloud resource pool can verify the target data packet according to the signature, and the service end can be effectively prevented from being attacked by the DDOS.
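As an added illustration (not the patent's own code), the following Python sketch models the procedure of the second embodiment (edge check node verifying the signature, border gateway rewriting the target address and recording the channel/sequence correspondence, black hole route on failure) together with the buffering and trigger thresholds of the data processing apparatus in the third embodiment. The HMAC-SHA256 key, the threshold values, the preset address and the direction in which the response address is restored are all assumptions standing in for the certificate and presets the patent leaves unspecified.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the patent's presets (assumptions, not values from the page).
PRESET_KEY = b"constructed-demo-key"       # stand-in for the SIM-module security certificate
LENGTH_THRESHOLD = 256                      # bytes buffered before the length trigger fires
TIME_THRESHOLD = 5.0                        # seconds a buffered request may wait (time trigger)
PRESET_IP, PRESET_PORT = "10.0.0.1", 8443   # gateway-side address written into forwarded packets
BLACK_HOLE = "black-hole-route"


def sign(payload: bytes, key: bytes = PRESET_KEY) -> str:
    """HMAC-SHA256 stands in for signing with the preset security certificate."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class DataProcessingDevice:
    """Stores terminal request packets; emits signed target packets once a trigger is met."""

    def __init__(self, key: bytes = PRESET_KEY, clock=time.monotonic):
        self.key, self.clock = key, clock
        self.buffer: list[dict] = []
        self.first_at = None   # time the oldest buffered request was acquired

    def acquire(self, request: dict) -> list[dict]:
        """request carries process info, target_ip, target_port and app_server_id."""
        if self.first_at is None:
            self.first_at = self.clock()
        self.buffer.append(request)
        buffered = sum(len(json.dumps(r).encode()) for r in self.buffer)
        length_hit = buffered > LENGTH_THRESHOLD
        time_hit = self.clock() - self.first_at > TIME_THRESHOLD
        if not (length_hit or time_hit):
            return []          # trigger not met: keep buffering, nothing sent upstream
        out = []
        for r in self.buffer:
            payload = json.dumps(r, sort_keys=True).encode()
            out.append({"payload": payload, "sig": sign(payload, self.key)})
        self.buffer, self.first_at = [], None
        return out


class CloudResourcePool:
    """Edge check node (signature check) plus border gateway (address rewrite and mapping)."""

    def __init__(self, key: bytes = PRESET_KEY):
        self.key, self.seq = key, 0
        self.mapping: dict[tuple, tuple] = {}   # (channel_id, seq) -> (target_ip, target_port)

    def edge_check(self, packet: dict, channel_id: str):
        expected = sign(packet["payload"], self.key)
        if not hmac.compare_digest(expected, packet["sig"]):
            return BLACK_HOLE      # signature fails: traffic never reaches the application server
        return self.border_gateway(packet, channel_id)

    def border_gateway(self, packet: dict, channel_id: str) -> dict:
        req = json.loads(packet["payload"])
        self.seq += 1
        self.mapping[(channel_id, self.seq)] = (req["target_ip"], req["target_port"])
        # Substitute the preset address so the server's reply comes back through the gateway.
        return dict(req, target_ip=PRESET_IP, target_port=PRESET_PORT,
                    channel_id=channel_id, seq=self.seq)

    def rewrite_response(self, response: dict) -> dict:
        """Restore the original target address on the reply using the stored correspondence."""
        ip, port = self.mapping[(response["channel_id"], response["seq"])]
        return dict(response, target_ip=ip, target_port=port)
```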
Fig. 7 is a schematic structural diagram of a cloud resource pool provided in the fourth embodiment of the present invention, and as shown in fig. 7, the cloud resource pool includes an edge inspection node and a cloud resource pool border gateway, and the cloud resource pool includes: the system comprises a data packet acquisition module 41, a verification module 42 and a processing module 43, wherein the data packet acquisition module 41 is configured to acquire a target data packet sent by a data processing device, where the target data packet is sent when a preset trigger condition is met after the data processing device signs a network request packet through a preset security certificate, and the network request packet includes application process information, a target internet protocol address and an application server identifier to be sent; a verification module 42, configured to verify a signature of the target data packet by the edge check node; and the processing module 43 is configured to send the target data packet to the cloud resource pool border gateway where the target internet protocol address is located when the verification is passed.
Further, on the basis of the fourth embodiment, the processing module 43 is further configured to:
and when the verification fails, sending the target data packet to a preset black hole route for processing.
Further, on the basis of the fourth embodiment, the apparatus further includes:
and the replacing module is used for replacing the target internet protocol address and the target port number in the target data packet with a preset internet protocol address and a preset port number through the cloud resource pool boundary gateway.
Further, on the basis of the fourth embodiment, the apparatus further includes:
a determining module, configured to determine, through the cloud resource pool border gateway, a correspondence between a channel identifier for transmitting the target data packet, a sequence number corresponding to the target data packet, a target internet protocol address, and a target port number;
and the forwarding module is used for sending the target data packet to an application server to be sent through the cloud resource pool border gateway.
Fig. 8 is a schematic structural diagram of a data processing apparatus according to a fifth embodiment of the present invention, and as shown in fig. 8, the data processing apparatus includes: a memory 51 and a processor 52;
the memory 51 storing instructions executable by the processor 52;
wherein the processor 52 is configured to execute the data processing method according to any of the above embodiments.
The memory 51 stores programs. In particular, the program may include program code comprising computer operating instructions. The memory 51 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The processor 52 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
Alternatively, in a specific implementation, if the memory 51 and the processor 52 are implemented independently, the memory 51 and the processor 52 may be connected to each other through a bus and communicate with each other. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 8, but this is not intended to represent only one bus or type of bus.
Alternatively, in a specific implementation, if the memory 51 and the processor 52 are integrated on a chip, the memory 51 and the processor 52 may complete the same communication through an internal interface.
The present invention also provides a computer-readable storage medium, in which computer-executable instructions are stored, and when the computer-executable instructions are executed by a processor, the computer-executable instructions are used for implementing the data processing method according to any one of the above embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (12)

1. A data processing method, comprising:
acquiring and storing a network request packet sent by terminal equipment, wherein the network request packet comprises application process information, a target Internet protocol address and an application server identifier to be sent;
signing the network request packet through a preset security certificate to obtain a target data packet;
and when a preset trigger condition is met, sending the target data packet to a cloud resource pool where the target Internet protocol address is located.
2. The method according to claim 1, wherein the sending the target packet to a cloud resource pool where the target ip address is located when a preset trigger condition is met includes:
and if the message length of the currently acquired network request packet is detected to exceed a preset length threshold, sending the target data packet to a cloud resource pool where the target Internet protocol address is located.
3. The method according to claim 1, wherein the sending the target packet to a cloud resource pool where the target ip address is located when a preset trigger condition is met includes:
and if the time for acquiring the network request packet currently exceeds a preset time threshold, sending the target data packet to a cloud resource pool where the target Internet protocol address is located.
4. The method according to any one of claims 1-3, wherein the signing the network request packet through a preset security certificate comprises:
and signing the network request packet through a security certificate in a preset SIM module.
5. A data processing method is applied to a cloud resource pool, wherein the cloud resource pool comprises an edge inspection node and a cloud resource pool border gateway, and the method comprises the following steps:
acquiring a target data packet sent by a data processing device, wherein the target data packet is sent when a preset trigger condition is met after the data processing device signs a network request packet through a preset security certificate, and the network request packet comprises application process information, a target internet protocol address and an application server identifier to be sent;
verifying, by the edge check node, a signature of the target packet;
and when the verification is passed, sending the target data packet to a cloud resource pool boundary gateway where the target Internet protocol address is located.
6. The method of claim 5, wherein after verifying the signature of the target packet by the edge check node, further comprising:
and when the verification fails, sending the target data packet to a preset black hole route for processing.
7. The method according to any one of claims 5-6, further comprising:
and replacing the target internet protocol address and the target port number in the target data packet by a preset internet protocol address and a preset port number through the cloud resource pool boundary gateway.
8. The method according to any one of claims 5-6, wherein after sending the target packet to the cloud resource pool boundary gateway where the target internet protocol address is located, further comprising:
determining a corresponding relation among a channel identifier for transmitting the target data packet, a sequence number corresponding to the target data packet, a target internet protocol address and a target port number through the cloud resource pool boundary gateway;
and sending the target data packet to an application server to be sent through the cloud resource pool border gateway.
9. A data processing apparatus, comprising:
an acquisition module, a signature module and a sending module, wherein the acquisition module is used for acquiring and storing a network request packet sent by terminal equipment, and the network request packet comprises application process information, a target Internet protocol address and an application server identifier to be sent;
the signature module is used for signing the network request packet through a preset security certificate to obtain a target data packet;
and the sending module is used for sending the target data packet to the cloud resource pool where the target internet protocol address is located when a preset trigger condition is met.
10. A cloud resource pool, comprising an edge check node and a cloud resource pool border gateway, the cloud resource pool comprising:
the data packet acquisition module is used for acquiring a target data packet sent by a data processing device, wherein the target data packet is sent when a preset trigger condition is met after the data processing device signs a network request packet through a preset security certificate, and the network request packet comprises application process information, a target internet protocol address and an application server identifier to be sent;
the verification module is used for verifying the signature of the target data packet through the edge check node;
and the processing module is used for sending the target data packet to the cloud resource pool boundary gateway where the target internet protocol address is located when the verification is passed.
11. A data processing apparatus, characterized by comprising: a memory, a processor;
the memory storing instructions executable by the processor;
wherein the processor is configured to perform the data processing method of any one of claims 1-4 or 5-8.
12. A computer-readable storage medium having computer-executable instructions stored thereon, which when executed by a processor, perform a data processing method as claimed in any one of claims 1-4 or 5-8.
CN202010279788.XA 2020-04-10 2020-04-10 Data processing method, device, equipment and computer readable storage medium Active CN111510300B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010279788.XA CN111510300B (en) 2020-04-10 2020-04-10 Data processing method, device, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN111510300A true CN111510300A (en) 2020-08-07
CN111510300B CN111510300B (en) 2023-04-18

Family

ID=71864790

Country Status (1)

Country Link
CN (1) CN111510300B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115514501A (en) * 2021-06-03 2022-12-23 中国移动通信集团四川有限公司 Method and device for blocking network attack

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010011206A (en) * 2008-06-27 2010-01-14 Mitsubishi Electric Corp Gateway device and packet filtering method
CN101635715A (en) * 2009-05-31 2010-01-27 北京飞天诚信科技有限公司 Method and system for improving network application safety
CN104980354A (en) * 2015-06-26 2015-10-14 中国科学院大学 Data transmission processing method and device
WO2015174100A1 (en) * 2014-05-14 2015-11-19 学校法人東京電機大学 Packet transfer device, packet transfer system, and packet transfer method
WO2016107339A1 (en) * 2014-12-30 2016-07-07 北京奇虎科技有限公司 Method and device for transmitting message in batch
WO2018049887A1 (en) * 2016-09-14 2018-03-22 广东欧珀移动通信有限公司 Data transmission processing method and terminal device
CN108965230A (en) * 2018-05-09 2018-12-07 深圳市中信网安认证有限公司 A kind of safety communicating method, system and terminal device
US20190245697A1 (en) * 2018-02-05 2019-08-08 Nokia Technologies Oy Securing blockchain access through a gateway

Also Published As

Publication number Publication date
CN111510300B (en) 2023-04-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant