CN111800499A - Data transmission method and device and electronic equipment - Google Patents


Info

Publication number: CN111800499A (granted version: CN111800499B)
Application number: CN202010622416.2A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: data packet, sequence number, client, sent, type
Inventors: 潘卫平, 杨梅芳, 牛立新, 万绵涛, 刘宁
Original and current assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Legal status: Granted, active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/14 Session management > H04L 67/141 Setup of application sessions
    • H04L 1/00 Arrangements for detecting or preventing errors in the information received > H04L 1/12 ... by using return channel > H04L 1/16 ... in which the return channel carries supervisory signals, e.g. repetition request signals > H04L 1/1607 Details of the supervisory signal
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic

Abstract

The application discloses a data transmission method and device and an electronic device, usable in scenarios including but not limited to big data, cloud computing, cloud services and cloud storage, and relates to the technical field of communication. The scheme is as follows: receive a first data packet sent by a client; if the first data packet is a first type of data packet sent over the TCP protocol, perform multiple handshakes with the client to establish a TCP connection; once the TCP connection with the client is established, perform multiple handshakes with a real server to establish a TCP connection; and when a second type of data packet sent by the client over TCP is received, send a first target data packet to the real server. The first target data packet contains a second acknowledgement sequence number obtained by adjusting the first acknowledgement sequence number in the second type of data packet. That is, the acknowledgement sequence number in the first target data packet differs from the first acknowledgement sequence number in the second type of data packet sent by the client, and it is the first target data packet that is transmitted to the real server, which improves the security of data transmission.

Description

Data transmission method and device and electronic equipment
Technical Field
The present application relates to the field of communication technologies within computer technology, and in particular to a data transmission method and apparatus and an electronic device.
Background
Data sent by the RS (Real Server) to the client no longer passes through the four-layer load balancing device (Layer 4 Load Balance, L4LB for short) but is sent directly to the client. This reduces the forwarding pressure of the outbound traffic on the L4LB, suits scenarios in which outbound traffic exceeds inbound traffic, and saves on the number of L4LB machines.
Disclosure of Invention
The embodiments of the application provide a data transmission method and device and an electronic device, usable in scenarios including but not limited to big data, cloud computing, cloud services and cloud storage.
In a first aspect, an embodiment of the present application provides a data transmission method applied to a load balancing device, including:
receiving a first data packet sent by a client;
under the condition that the first data packet is a first type data packet sent through a TCP protocol, performing multiple handshaking with the client to establish TCP connection;
under the condition of establishing TCP connection with the client, performing handshake with a real server for multiple times to establish TCP connection;
under the condition of receiving a second type of data packet sent by the client through a TCP protocol, sending a first target data packet to the real server;
and the first target data packet comprises a second confirmation sequence number obtained by adjusting the first confirmation sequence number in the second type of data packet.
In the data transmission method of this embodiment, after receiving a first data packet sent by a client, the load balancing device establishes a TCP connection with the client through multiple handshakes if the first data packet is a first type of data packet sent over TCP, and, once that connection exists, establishes a TCP connection with the real server through multiple handshakes, so that when a second type of data packet sent by the client over TCP is received, a first target data packet is sent to the real server. The second acknowledgement sequence number in the first target data packet is obtained by adjusting the first acknowledgement sequence number in the second type of data packet; in other words, the acknowledgement sequence number in the first target data packet differs from the one the client sent, so the packet forwarded to the real server has a changed acknowledgement sequence number relative to the second type of data packet. This reduces the chance that the load balancer relays the client's second type of data packet to the real server as an attack on the real server, and improves the security of data transmission.
In a second aspect, an embodiment of the present application provides a data transmission method, applied to a real server, including:
performing multiple handshakes with the load balancing device to establish a TCP connection, where the load balancing device has received a first data packet sent by a client and has established a TCP connection with the client on the condition that the first data packet is a first type of data packet sent over the TCP protocol;
receiving a first target data packet sent by the load balancing device, wherein the first target data packet is a data packet sent by the load balancing device under the condition of receiving a second type of data packet sent by the client through a TCP protocol, and the first target data packet includes a second acknowledgement sequence number obtained after adjusting a first acknowledgement sequence number in the second type of data packet.
In the data transmission method of this embodiment, the real server performs multiple handshakes with the load balancing device to establish a TCP connection and receives a first target data packet sent by the load balancing device. After the load balancing device receives the first data packet sent by the client, if that packet is a first type of data packet sent over TCP, the load balancing device establishes a TCP connection with the client through multiple handshakes and, once that connection exists, performs multiple handshakes with the real server to establish a TCP connection, so that when a second type of data packet sent by the client over TCP is received, the first target data packet is sent to the real server, which receives it. Because the second acknowledgement sequence number in the first target data packet is obtained by adjusting the first acknowledgement sequence number in the second type of data packet, that is, the acknowledgement sequence number in the first target data packet differs from the one in the second type of data packet sent by the client, the packet forwarded to the real server has a changed acknowledgement sequence number relative to the second type of data packet. This reduces the chance that the load balancer relays the client's second type of data packet to the real server as an attack on the real server; the real server receives the first target data packet from the load balancing device, and the security of data transmission is improved.
In a third aspect, an embodiment of the present application provides a data transmission apparatus, which is applied to a load balancing device, and includes:
the first receiving module is used for receiving a first data packet sent by a client;
the first connection module is used for performing multiple handshakes with the client to establish a TCP connection on the condition that the first data packet is a first type of data packet sent over the TCP protocol;
the second connection module is used for performing multiple handshakes with a real server to establish a TCP connection once the TCP connection with the client is established;
the first sending module is used for sending a first target data packet to the real server when a second type of data packet sent by the client over the TCP protocol is received;
and the first target data packet comprises a second confirmation sequence number obtained by adjusting the first confirmation sequence number in the second type of data packet.
In a fourth aspect, an embodiment of the present application provides a data transmission apparatus, which is applied to a real server, and the apparatus includes:
the third connection module is used for performing multiple handshaking with the load balancing equipment to establish TCP connection, wherein the load balancing equipment has received a first data packet sent by a client and has established TCP connection with the client under the condition that the first data packet is a first type of data packet sent by a TCP protocol;
a third receiving module, configured to receive a first target data packet sent by the load balancing device, where the first target data packet is a data packet sent by the load balancing device when receiving a second type of data packet sent by the client through a TCP protocol, and includes a second acknowledgement sequence number obtained after adjusting a first acknowledgement sequence number in the second type of data packet.
In a fifth aspect, an embodiment of the present application further provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the methods provided by the embodiments of the present application.
In a sixth aspect, an embodiment of the present application further provides a non-transitory computer readable storage medium storing computer instructions, wherein the computer instructions are configured to cause the computer to perform the method provided by the embodiments of the present application.
Drawings
The drawings are included to provide a better understanding of the present solution and are not intended to limit the present application. Wherein:
FIG. 1 is a schematic flow chart of a data transmission method according to an embodiment of the present application;
FIG. 2 is a second schematic flow chart of a data transmission method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a DSR forwarding mode;
FIG. 4 is one of the DSR data transmission schematics under the SYN Proxy mechanism of one embodiment provided herein;
FIG. 5 is a schematic diagram of a FULLNAT forwarding mode;
FIG. 6 is a schematic diagram of a kernel module hook in one embodiment provided herein;
FIG. 7 is a second DSR data transmission schematic of an embodiment provided herein;
FIG. 8 is a diagram of TCP data transmission with SYN Proxy turned off in DSR mode, according to one embodiment provided herein;
FIG. 9 is a diagram of TCP data transmission with SYN Proxy turned on in DSR mode, according to one embodiment provided herein;
FIG. 10 is a schematic diagram of UDP data transmission in DSR mode for one embodiment provided herein;
FIG. 11 is a third diagram of DSR data transmission according to one embodiment provided herein;
FIG. 12 is one of the block diagrams of a data transmission device according to an embodiment provided herein;
FIG. 13 is a second block diagram of a data transmission device according to an embodiment of the present application;
FIG. 14 is a block diagram of an electronic device for implementing the data transmission method according to an embodiment of the present application.
Detailed Description
The following description of the exemplary embodiments of the present application, taken in conjunction with the accompanying drawings, includes various details of the embodiments of the application for the understanding of the same, which are to be considered exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present application. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
As shown in FIG. 1, according to an embodiment of the present application, a data transmission method is provided, which is applied to a load balancing device (Load Balance, LB) and includes:
Step S101: receiving a first data packet sent by the client.
Step S102: on the condition that the first data packet is a first type of data packet transmitted over the TCP protocol, performing multiple handshakes with the client to establish a TCP connection.
TCP is the Transmission Control Protocol. The client sends a first data packet to the load balancing device; after the first data packet is received, its type has to be determined. The first type may be the synchronize sequence number (SYN) type: a SYN packet is the handshake signal used when TCP establishes a connection. If the first data packet is a first type of data packet sent over TCP, the load balancing device performs multiple handshakes with the client to establish a TCP connection. As an example, the load balancing device establishes the TCP connection with the client through multiple handshakes when the SYN Proxy (TCP handshake proxy) mechanism is turned on; SYN Proxy is a powerful means of defending against DDoS (distributed denial of service) attacks. It should be noted that the load balancing device to which the data transmission method is applied may be a four-layer load balancing device.
In addition, as an example, after receiving a first packet sent by the client, and in the course of establishing a TCP connection with the client through multiple handshakes in response to that packet (when it is a first type of packet sent over TCP), the load balancing device may return a first SYN acknowledgement packet to the client in response to the first packet; this is one handshake. The acknowledgement sequence number in the first SYN acknowledgement packet is the acknowledgement sequence number in the first packet plus one, and the sequence number in the first SYN acknowledgement packet may be used to indicate whether the load balancing device has SYN Proxy turned on: for example, a non-zero sequence number in the first SYN acknowledgement packet may indicate that SYN Proxy is on, and a zero sequence number may indicate that it is off. In this embodiment the SYN Proxy (TCP handshake proxy) mechanism is turned on and the load balancing device performs multiple handshakes with the client to establish the TCP connection, so the sequence number in the first SYN acknowledgement packet is non-zero. After receiving the first SYN acknowledgement packet, the client sends an acknowledgement packet to the load balancing device in response to it; this acknowledgement packet is also a handshake. The sequence number in the acknowledgement packet equals the acknowledgement number in the first data packet plus one, and the acknowledgement number in the acknowledgement packet equals the sequence number in the first SYN acknowledgement packet plus one.
It should be noted that the client sending the first SYN packet to the load balancing device counts as one handshake.
Step S103: once the TCP connection with the client is established, performing multiple handshakes with the real server to establish a TCP connection.
After the load balancing device has established the TCP connection with the client, it also needs to perform multiple handshakes with the real server to establish a TCP connection, so that subsequent communication with the real server is possible.
Step S104: when a second type of data packet sent by the client over TCP is received, sending a first target data packet to the real server.
The load balancing device acts as an intermediate device between the client and the real server: it establishes a TCP connection with the client and a TCP connection with the real server, and when a second type of data packet sent by the client over TCP is received it can generate the first target data packet and send it to the real server. It should be noted that the second type of data packet may be a data packet carrying data content, and the first target data packet contains the data content of the second type of data packet. The first target data packet is a re-encapsulation of the second type of data packet, i.e. the second acknowledgement sequence number in the first target data packet is the result of adjusting the first acknowledgement sequence number in the second type of data packet, which reduces the chance that the load balancer relays the client's second type of data packet to the real server as an attack on the real server and improves the security of data transmission.
It should be noted that the first data packet also contains a client IP (Internet Protocol) address and a virtual IP address; the virtual IP address is configured on the load balancing device in advance. The second type of data packet contains the client IP address and the virtual IP address, while the first target data packet contains the IP address of the load balancing device and the IP address of the real server: when the second type of data packet sent by the client over TCP is received, the load balancing device translates the client IP address and the virtual IP address into the IP address of the load balancing device and the IP address of the real server, and generates the first target data packet based on those two addresses. In addition, the sequence number in the first target data packet is the same as the sequence number in the second type of data packet, i.e. it is left unchanged.
In the data transmission method of this embodiment, after receiving a first data packet sent by a client, the load balancing device establishes a TCP connection with the client through multiple handshakes if the first data packet is a first type of data packet sent over TCP, and, once that connection exists, establishes a TCP connection with the real server through multiple handshakes, so that when a second type of data packet sent by the client over TCP is received, a first target data packet is sent to the real server. The second acknowledgement sequence number in the first target data packet is obtained by adjusting the first acknowledgement sequence number in the second type of data packet; in other words, the acknowledgement sequence number in the first target data packet differs from the one the client sent, so the packet forwarded to the real server has a changed acknowledgement sequence number relative to the second type of data packet. This reduces the chance that the load balancer relays the client's second type of data packet to the real server as an attack on the real server, and improves the security of data transmission.
In one embodiment, performing multiple handshakes with the real server to establish the TCP connection once the TCP connection with the client is established includes: sending a second data packet of the first type to the real server; receiving a first acknowledgement packet returned by the real server; and establishing the TCP connection with the real server once a second acknowledgement packet has been sent to the real server. The second acknowledgement sequence number in the first target data packet is the first acknowledgement sequence number in the second type of data packet minus a target sequence number, and the target sequence number is the third acknowledgement sequence number in the second data packet minus the fourth acknowledgement sequence number in the first acknowledgement packet.
In the process of establishing a TCP connection with the real server, the load balancing device first sends a second data packet of the first type to the real server. The second data packet is of the same type as the first data packet, for example both are SYN packets, but their acknowledgement sequence numbers differ. After receiving the second data packet the real server returns a first acknowledgement packet to the load balancing device, and after receiving that first acknowledgement packet the load balancing device sends a second acknowledgement packet to the real server, so that a TCP connection with the real server is established; this makes communication with the real server possible and improves communication stability. It should be noted that the third acknowledgement sequence number in the second data packet may be the same as the sequence number in the first SYN acknowledgement packet and is used to indicate whether SYN Proxy is turned on.
In addition, the second data packet contains the IP address of the load balancing device and the IP address of the real server, and the sequence number in the second data packet may be the same as the sequence number in the first data packet. The first acknowledgement packet contains the IP address of the load balancing device and the IP address of the real server, and the acknowledgement sequence number in the first acknowledgement packet is the sequence number in the second data packet plus one. The second acknowledgement packet contains the IP address of the load balancing device and the IP address of the real server; the sequence number in the second acknowledgement packet is the acknowledgement sequence number in the first acknowledgement packet, and the acknowledgement sequence number in the second acknowledgement packet is the sequence number in the first acknowledgement packet plus one.
In one embodiment, after performing multiple handshakes with the real server to establish the TCP connection, the method further includes:
when a third type of data packet sent by the client over the TCP protocol is received, sending a second target data packet to the real server;
the second target data packet contains a sixth acknowledgement sequence number, which differs from the fifth acknowledgement sequence number in the third type of data packet.
After the load balancing device and the real server have performed multiple handshakes to establish the TCP connection, the load balancing device can carry on TCP communication; for example, after receiving a second type of data packet sent by the client, it generates a first target data packet and sends it to the real server. The TCP connection can also be ended after it has been established: for example, the client sends a third type of data packet to the load balancing device, where the third type of data packet may be an end packet, i.e. a FIN packet (finish packet) or an RST packet (reset packet). When a third type of data packet sent by the client over TCP is received, a second target data packet is sent to the real server. The second target data packet is of the same type as the third type of data packet, but its acknowledgement sequence number is changed, i.e. the sixth acknowledgement sequence number in the second target data packet differs from the fifth acknowledgement sequence number in the third type of data packet. After receiving the second target data packet, the real server sends an end acknowledgement packet to the client to complete the teardown of the TCP connection. In this embodiment, when a third type of data packet sent by the client over TCP is received, a second target data packet whose sixth acknowledgement sequence number differs from the fifth acknowledgement sequence number in the third type of data packet is sent to the real server; because of that difference, attacks on the real server carried by packets sent by the client can be reduced, and data transmission security is improved.
In one embodiment, after receiving the first data packet sent by the client, the method further includes: sending a third target data packet to the real server on the condition that the first data packet is a fourth type of data packet sent over the User Datagram Protocol (UDP).
The third target data packet may contain the client IP address, the virtual IP address, the IP address of the load balancing device and the IP address of the real server, and the fourth type of data packet may contain the client IP address and the virtual IP address. In this embodiment, because communication takes place over UDP, there is no sequence number or acknowledgement number to adjust as there is with TCP, so after receiving the first packet sent by the client, if the first packet is a fourth type of packet sent over UDP, the third target data packet may be sent to the real server.
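The load balancer side of the scheme, from step S101 through the FIN/RST and UDP cases above, as an added example that is not part of the patent or of any Baidu code. It is a Python simulation with constructed addresses and initial sequence numbers and no real sockets. Standard TCP handshake field semantics are assumed on the client side (the SYN-ACK acknowledges the client's sequence number plus one; a non-zero SYN-ACK sequence number signals SYN Proxy on), the SYN toward the real server carries the load balancer's SYN-ACK sequence number in its acknowledgement field as the description states, and the "target sequence number" subtracted from every client acknowledgement number is taken to be the difference between the server-side initial sequence number the client saw and the one the real server actually chose. That last mapping is the standard SYN-proxy translation and is an assumption about what the page's third and fourth acknowledgement sequence numbers carry; the return path from the real server directly to the client is not modelled.

```python
"""Simulation of the sequence-number bookkeeping a SYN-proxying layer-4 load
balancer (L4LB) performs on the client -> real server path of this scheme.
Constructed example: made-up addresses and ISNs, no real sockets."""
from dataclasses import dataclass, replace
from typing import Optional

# Constructed addresses (documentation ranges), not taken from the page.
CLIENT_IP, VIP, LB_IP, RS_IP = "198.51.100.7", "203.0.113.10", "10.0.0.2", "10.0.1.20"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    flags: str = ""      # "SYN", "SYN-ACK", "ACK", "PSH-ACK", "FIN-ACK", "RST"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


class SynProxyLB:
    """Completes the client handshake itself (SYN Proxy), then opens the
    backend connection and shifts acknowledgement numbers between the two."""

    def __init__(self, lb_isn: int, syn_proxy: bool = True):
        # A non-zero SYN-ACK sequence number signals "SYN Proxy on" (step S102);
        # zero signals that it is off.
        self.lb_isn = lb_isn if syn_proxy else 0
        self.client_isn: Optional[int] = None
        self.rs_isn: Optional[int] = None
        self.target = 0  # offset subtracted from every client ack toward the RS

    # steps S101/S102: handshake with the client
    def on_client_syn(self, first: Packet) -> Packet:
        """First data packet (SYN) in, first SYN acknowledgement packet out."""
        if first.proto != "tcp" or first.flags != "SYN":
            raise ValueError("first packet is not a TCP SYN")
        self.client_isn = first.seq
        # Standard TCP (assumption): ack = client's sequence number + 1.
        return Packet(VIP, first.src, "tcp", "SYN-ACK", seq=self.lb_isn, ack=first.seq + 1)

    # step S103: handshake with the real server
    def syn_to_rs(self) -> Packet:
        """Second data packet: same seq as the client's SYN; its ack field carries
        the LB's SYN-ACK sequence number so the RS can tell SYN Proxy is on."""
        return Packet(LB_IP, RS_IP, "tcp", "SYN", seq=self.client_isn, ack=self.lb_isn)

    def on_rs_synack(self, first_ack: Packet) -> Packet:
        """First acknowledgement packet (SYN-ACK from the RS) in, second acknowledgement packet out."""
        if first_ack.flags != "SYN-ACK" or first_ack.ack != self.client_isn + 1:
            raise ValueError("unexpected SYN-ACK from real server")
        self.rs_isn = first_ack.seq
        # Assumption: the target sequence number is the gap between the ISN the
        # client believes the server has (lb_isn) and the ISN the RS really chose.
        self.target = self.lb_isn - self.rs_isn
        return Packet(LB_IP, RS_IP, "tcp", "ACK", seq=first_ack.ack, ack=first_ack.seq + 1)

    # step S104 plus the FIN/RST (third type) and UDP (fourth type) cases
    def forward(self, pkt: Packet) -> Packet:
        """Rewrite a client -> VIP packet into the LB -> RS packet."""
        if pkt.proto == "udp":
            # UDP carries no seq/ack, so only the address translation applies.
            return replace(pkt, src=LB_IP, dst=RS_IP)
        # Data, FIN and RST packets: seq left unchanged, ack shifted by the target.
        return replace(pkt, src=LB_IP, dst=RS_IP, ack=pkt.ack - self.target)


def run_example() -> dict:
    """Drive one connection through the LB with constructed packets."""
    lb = SynProxyLB(lb_isn=900_000)
    syn = Packet(CLIENT_IP, VIP, "tcp", "SYN", seq=1_000)
    synack = lb.on_client_syn(syn)
    rs_syn = lb.syn_to_rs()
    rs_synack = Packet(RS_IP, LB_IP, "tcp", "SYN-ACK", seq=5_000, ack=rs_syn.seq + 1)
    lb.on_rs_synack(rs_synack)
    # The client now sends data, then a FIN, each acknowledging the LB's SYN-ACK.
    data = Packet(CLIENT_IP, VIP, "tcp", "PSH-ACK", seq=syn.seq + 1, ack=synack.seq + 1,
                  payload=b"GET / HTTP/1.0\r\n\r\n")
    fin = Packet(CLIENT_IP, VIP, "tcp", "FIN-ACK", seq=data.seq + len(data.payload),
                 ack=synack.seq + 1)
    udp = Packet(CLIENT_IP, VIP, "udp", payload=b"constructed datagram")
    return {
        "synack": synack, "rs_syn": rs_syn, "target": lb.target,
        "data_out": lb.forward(data), "fin_out": lb.forward(fin), "udp_out": lb.forward(udp),
        "rs_expects_ack": rs_synack.seq + 1,  # what the RS wants acknowledged next
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

Running the module prints the rewritten packets; the point to check is that the forwarded data and FIN packets acknowledge exactly the real server's own initial sequence number plus one while their sequence numbers and payload are untouched, and that the UDP datagram is only re-addressed.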
As shown in FIG. 2, in an embodiment a data transmission method applied to a real server is further provided, the method including:
Step S201: performing multiple handshakes with the load balancing device to establish a TCP connection.
The load balancing device receives a first data packet sent by a client and establishes a TCP connection with the client on the condition that the first data packet is a first type of data packet sent over the TCP protocol.
The client sends a first data packet to the load balancing device; after the first data packet is received, its type has to be determined. The first type may be the SYN type. If the first data packet is a first type of data packet sent over TCP, the load balancing device performs multiple handshakes with the client to establish a TCP connection, and then performs multiple handshakes with the real server to establish a TCP connection. As an example, the load balancing device establishes the TCP connection with the client through multiple handshakes when the SYN Proxy mechanism is turned on; SYN Proxy is a powerful means of defending against DDoS attacks. The load balancing device and the real server then perform multiple handshakes to establish a TCP connection.
Step S202: receiving a first target data packet sent by the load balancing device.
The first target data packet is a data packet sent by the load balancing device under the condition of receiving a second type of data packet sent by the client through a TCP protocol, and the first target data packet comprises a second confirmation sequence number obtained after the first confirmation sequence number in the second type of data packet is adjusted. The load balancing equipment is used as intermediate equipment between the client and the real server, TCP connection is established with the client, TCP connection is established with the real server, a first target data packet can be generated and sent to the real server under the condition that a second type data packet sent by the client through a TCP protocol is received, and the real server receives the first target data packet sent by the load balancing equipment. It should be noted that the second type of data packet may be a data packet for transmitting data content, and the first destination data packet includes the data content in the second type of data packet. The first target data packet is packaged relative to the second type data packet, namely the second confirmation sequence number in the first target data packet is a result of adjusting the first confirmation sequence number in the second type data packet, so that the condition that the load balancer sends the second type data packet sent by the client to the real server to attack the real server can be reduced, and the safety of data transmission is improved.
It should be noted that the first data packet further includes a client IP address and a virtual IP address, and it can be understood that the virtual IP address is preconfigured on the load balancing device. The second type of data packet includes the client IP address and the virtual IP address, while the first target data packet includes the IP address of the load balancing device and the IP address of the real server: when the second type of data packet sent by the client through the TCP protocol is received, the load balancing device performs address translation on the client IP address and the virtual IP address to obtain the IP address of the load balancing device and the IP address of the real server, and generates the first target data packet based on those two addresses. In addition, the sequence number in the first target data packet is the same as the sequence number in the second type of data packet, i.e. it remains unchanged.
In the data transmission method of the embodiment of the application, the real server performs multiple handshakes with the load balancing device to establish a TCP connection and receives a first target data packet sent by the load balancing device. After the load balancing device receives the first data packet sent by the client, if the first data packet is a first type data packet sent through the TCP protocol, the load balancing device establishes a TCP connection with the client through multiple handshakes and, once that connection is established, performs multiple handshakes with the real server to establish a TCP connection, so that when a second type data packet sent by the client through the TCP protocol is received, the first target data packet is sent to the real server, which receives it. Because the second acknowledgement sequence number included in the first target data packet is obtained by adjusting the first acknowledgement sequence number in the second type of data packet, that is, the second acknowledgement sequence number in the first target data packet differs from the first acknowledgement sequence number in the second type of data packet sent by the client, the acknowledgement sequence number of the first target data packet changes relative to the second type of data packet. This reduces the occurrence of the situation in which the load balancer passes the second type of data packet sent by the client on to the real server and it is used to attack the real server; the real server receives the first target data packet from the load balancing device, and the security of data transmission is improved.
In one embodiment, establishing a TCP connection with the load balancing device through multiple handshakes includes: receiving a second data packet of the first type, sent by the load balancing device once it has established a TCP connection with the client; sending a first acknowledgement packet to the load balancing device; and receiving a second acknowledgement packet sent by the load balancing device, thereby establishing the TCP connection with the load balancing device. The second acknowledgement sequence number in the first target data packet is the result of subtracting the target sequence number from the first acknowledgement sequence number in the second type data packet, and the target sequence number is the result of subtracting the fourth acknowledgement sequence number in the first acknowledgement packet from the third acknowledgement sequence number in the second data packet.
In the process of establishing a TCP connection with the load balancing device, the load balancing device first sends a second data packet of the first type to the real server; the second data packet is of the same type as the first data packet, for example both are SYN packets, but their acknowledgement sequence numbers differ. After receiving the second data packet, the real server can return a first acknowledgement packet to the load balancing device; after receiving the first acknowledgement packet from the real server, the load balancing device sends a second acknowledgement packet to the real server, and the real server receives it. It should be noted that the third acknowledgement sequence number in the second data packet may be the same as the sequence number in the first SYN acknowledgement packet.
In addition, the second data packet includes the IP address of the load balancing device and the IP address of the real server, and the sequence number in the second data packet may be the same as the sequence number in the first data packet. The first acknowledgement packet includes the IP address of the load balancing device and the IP address of the real server, and the acknowledgement sequence number in the first acknowledgement packet is the sequence number in the second data packet plus one. The second acknowledgement packet includes the IP address of the load balancing device and the IP address of the real server; the sequence number in the second acknowledgement packet is the acknowledgement sequence number in the first acknowledgement packet, and the acknowledgement sequence number in the second acknowledgement packet is the sequence number in the first acknowledgement packet plus one.
In one embodiment, after performing multiple handshakes with the load balancing device to establish the TCP connection, the method further includes: acquiring a first data packet to be sent through a kernel module; generating a fourth target data packet through the kernel module, wherein the sequence number in the fourth target data packet is the sum of the sequence number in the first data packet to be sent and the target sequence number; and sending the fourth target data packet to the client.
When the real server sends a first data packet to be sent outwards, it first checks whether the second data packet carries a DSR flag bit; if so, DSR is determined to be turned on, otherwise it is not. If DSR is on, whether SYN Proxy is on is determined from the first acknowledgement sequence number in the second data packet. If SYN Proxy is on, the first data packet to be sent sinks to the kernel module, which adjusts the sequence number, generates a fourth target data packet and sends it to the client; the sequence number in the fourth target data packet is the sum of the sequence number in the first data packet to be sent and the target sequence number, and the acknowledgement sequence number in the fourth target data packet is the same as the acknowledgement sequence number in the first data packet to be sent. If DSR is not on, the real server sends the first data packet to be sent directly to the load balancing device, which performs address translation and forwards it to the client. Because the first data packet to be sent is obtained through the kernel module, the fourth target data packet is generated through the kernel module and sent to the client, and the fourth target data packet no longer passes through the load balancing device, the load on the load balancing device is reduced.
In one embodiment, after performing multiple handshakes with the load balancing device to establish the TCP connection, the method further includes:
receiving a second target data packet sent by the load balancing device, wherein the second target data packet is a data packet sent by the load balancing device when receiving a third type of data packet sent by the client through the TCP protocol;
the second target data packet includes a sixth acknowledgement sequence number, and the sixth acknowledgement sequence number is different from a fifth acknowledgement sequence number in the third type of data packet.
After the TCP connection is established, it may also be ended. For example, the client sends a third type of data packet to the load balancing device, where the third type of data packet may be an end data packet (i.e., a FIN packet); when it receives the third type of data packet sent by the client through the TCP protocol, the load balancing device sends a second target data packet to the real server. The second target data packet is of the same type as the third type of data packet, but its acknowledgement sequence number is changed, that is, the sixth acknowledgement sequence number in the second target data packet is not the fifth acknowledgement sequence number in the third type of data packet. After receiving the second target data packet, the real server sends an end acknowledgement packet to the client to complete the disconnection of the TCP connection. In this embodiment, the load balancer sends the second target data packet to the real server when receiving the third type of data packet sent by the client through the TCP protocol, and the real server receives the second target data packet sent by the load balancing device; because the sixth acknowledgement sequence number in the second target data packet differs from the fifth acknowledgement sequence number in the third type of data packet, an attack on the real server by the data packet sent by the client can be reduced, and data transmission security is improved.
In one embodiment, the method further comprises:
receiving a third target data packet sent by the load balancing device, wherein the third target data packet is a data packet sent to the real server by the load balancing device when the first data packet is a fourth type data packet sent by the UDP protocol.
The third target data packet may include the client IP address, the virtual IP address, the IP address of the load balancing device, and the IP address of the real server, and the fourth type of data packet may include the client IP address and the virtual IP address. In this embodiment, since the UDP protocol is used for communication, there is, unlike TCP, no sequence number or acknowledgement number and therefore no adjustment of them; after receiving the first data packet sent by the client, the load balancer sends a third target data packet to the real server when the first data packet is a fourth type data packet sent by the UDP protocol, and the real server only needs to receive the third target data packet sent by the load balancing device.
In one example, the IP address of the load balancing device in the third target packet may be translated into the client IP address (i.e., performing source address translation) by the kernel module and then transferred to the kernel in the real server.
In one embodiment, the method further comprises:
acquiring a second data packet to be sent through the kernel module;
generating a fifth target data packet through the kernel module;
sending the fifth target data packet to the client through the UDP protocol.
When the real server sends the second data packet to be sent outwards, it determines whether DSR is turned on by checking the protocol number in the third target data packet: if the protocol number differs from the first protocol number (for example the UDP protocol number, 17), for instance a self-defined value such as 199, DSR is on, and the second data packet to be sent sinks to the kernel module, which extracts the client IP address and the virtual IP address, generates a fifth target data packet, and sends it to the client. The third target data packet includes the client IP address, the virtual IP address, the IP address of the load balancing device and the IP address of the real server, so the kernel module can extract the client IP address and the virtual IP address from it. Because the second data packet to be sent is obtained through the kernel module, the fifth target data packet is generated through the kernel module and sent to the client, and the fifth target data packet no longer passes through the load balancing device, the load on the load balancing device is reduced. In an example, the second data packet to be sent includes the IP address of the real server and the IP address of the client; the kernel module may convert the IP address of the real server in the second data packet to be sent into the virtual IP address (i.e., source address translation) to generate the fifth target data packet, and then transmit the fifth target data packet to the client.
The data transmission process is described in detail below with an embodiment.
Taking a four-layer load balancing device (L4LB) as an example, in DSR forwarding mode the data sent by the Real Server (RS) to the client no longer passes through the L4LB but is sent directly to the client, as shown in fig. 3. This greatly reduces the forwarding pressure of outgoing traffic on the L4LB, suits scenarios where outgoing traffic exceeds incoming traffic, and saves L4LB machines. However, existing DSR implementations do not support SYN flood (a denial of service attack) defense, and the RS has to add every Virtual IP address (vip for short) to lo (the loopback interface).
The data transmission scheme adopted by the application is a Full Network Address Translation (FULLNAT) + newttm forwarding mode. In FULLNAT forwarding mode, incoming traffic passes through the L4LB, which performs SNAT (Source Address Translation) and DNAT (Destination Address Translation) before forwarding to the RS, and outgoing traffic also passes through the L4LB, which performs SNAT and DNAT before forwarding to the client. The FULLNAT traffic forwarding model is shown in fig. 5. In fig. 5, cip (client IP address) is the IP address of the client, vip is the virtual IP address, bip (L4LB IP address) is the IP address of the L4LB, and rip (RS IP address) is the IP address of the RS.
newttm is deployed on the RS as a kernel module and mainly acts as a bridge between the L4LB and the RS, performing the necessary conversions when a data packet enters or leaves the RS kernel; these conversions include acquiring cip and vip and calculating and correcting parameter differences. newttm has hook points, i.e. interception points, in both the ingress and egress directions, namely LOCAL IN and LOCAL OUT, where it intercepts packets, as shown in fig. 6.
In the application, the L4LB performs SNAT and DNAT on incoming traffic and transparently passes the DSR flag bit, whether SYN Proxy is turned on, and cip and vip through to the RS. The newttm kernel module installed on the RS determines whether DSR mode is in use, converts the source IP and destination IP of outgoing traffic into vip and cip, and bypasses the L4LB to send the traffic directly to the client. The data flow in DSR mode is shown in fig. 7.
For a TCP service, in the data transmission process, in order to transmit cip and vip information to an RS and simultaneously inform the RS service that a DSR forwarding mode has been opened, the load balancing device places cip, vip, and DSR flag bits in a TCP option (i.e., a TCP header option field) of a TCP packet.
For example, with SYN Proxy turned off, the TCP data transmission flow is as shown in fig. 8. ko in fig. 8 is newttm. All incoming packets pass through the L4LB; the L4LB does not itself reply with a SYN-ACK packet (SYN acknowledgement packet, the synack in fig. 8), and sequence numbers do not change. Outgoing data packets bypass the L4LB and go directly to the client. To keep the TCP state machine of the L4LB correct and reduce the memory consumption of the L4LB, the SYN-ACK, FIN and RST packets replied by the RS can still be sent to the L4LB and forwarded from there to the client.
The flow of DSR data transmission with SYN Proxy turned on is shown in fig. 9. After receiving the client's SYN packet (the SYN with sequence number seq = X in fig. 9), the L4LB constructs a SYN-ACK packet (the SYN-ACK with sequence number Y in fig. 9) and returns it to the client; the client returns ACK1 to the L4LB and the three-way handshake is complete. Once the three-way handshake between the client and the L4LB has succeeded, the L4LB and the RS establish a TCP connection through their own three-way handshake.
In non-DSR mode, the processing of inbound and outbound packet sequence numbers in SYN Proxy mode is done by the L4LB. In DSR mode the outbound packet no longer passes through the L4LB, so the sequence number processing of outbound packets has to be sunk into newttm. The value conversion of the acknowledgement sequence number (ack_seq) of inbound packets is done by the L4LB, and the value conversion of the sequence number (seq) of outbound packets sent directly to the client is done by newttm. To keep the TCP state machine of the L4LB correct and reduce its memory consumption, FIN and RST packets may be sent to the L4LB and forwarded to the client.
So that newttm can correctly determine whether SYN Proxy is on for a TCP connection in DSR mode, and hence whether outbound packets need sequence number processing, the L4LB exploits the fact that the ack_seq field of a TCP SYN packet is 0. In SYN Proxy mode, the seq that the L4LB returned to the client is stored in the ack_seq of the SYN packet sent from the L4LB to the RS; newttm on the RS records this ack_seq value and uses it to adjust the sequence number of outgoing packets during NAT (Network Address Translation).
newttm first determines whether the SYN packet transmitted from the L4LB in fig. 9 (the SYN with seq X and ack_seq Y) is in DSR mode, and then determines whether SYN Proxy is on or off from the value of ack_seq in that SYN packet. If newttm finds that ack_seq in the SYN packet is 0, the connection is treated as having SYN Proxy off; if ack_seq is non-zero, the connection is treated as having SYN Proxy on.
That is, newttm checks whether the option field of the SYN packet transmitted by the load balancing device over TCP carries the DSR flag and, if so, processes the packet in DSR mode: it acquires cip and vip and, on receiving the SYN packet, checks whether ack_seq is 0; if ack_seq is 0, SYN Proxy mode is off, and if ack_seq is not 0, SYN Proxy mode is on. With SYN Proxy off, outgoing data from newttm is sent directly to the client, bypassing the L4LB, without converting sequence numbers; to keep the TCP state machine of the L4LB correct and reduce its memory consumption, the SYN-ACK, FIN and RST packets replied by the RS are still sent to the L4LB and forwarded to the client. With SYN Proxy on, the SYN-ACK, FIN and RST packets replied by the RS need to be sent to the L4LB. No sequence number conversion is performed on the SYN, SYN-ACK and ACK packets of the three-way handshake, but the corresponding delta values have to be calculated. Outgoing data packets (data sent directly to the client) have their sequence numbers converted according to the previously calculated delta; sequence number conversion of incoming packets is done by the L4LB. Outgoing FIN and RST packets are sent directly to the L4LB, which performs their sequence number conversion.
For UDP services, the data transfer procedure with DSR support is as shown in figs. 10 and 11. All incoming packets are forwarded to the RS via the L4LB, and all outgoing packets of the RS are returned directly to the client. Compared with TCP, UDP has no sequence numbers and no options, so only the transparent transmission of cip and vip has to be handled. The application informs newttm (newttm.ko in fig. 11) whether DSR mode is enabled by defining a new four-layer protocol number (not 17, for example 199). newttm extracts cip and vip and, after NAT, sends outgoing traffic directly to the client, bypassing the L4LB. On receiving an inbound packet, newttm checks whether the four-layer protocol number is 199; if so, the connection is in DSR mode, the self-defined four-layer protocol number is restored to the UDP protocol number 17, cip and vip are obtained and stored, and all outbound traffic is NATed and forwarded directly to the client.
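The following is an added example, not code from the patent or from the newttm module, modelling in user-space C the per-connection decisions described for the handshake above and for fig. 9: the DSR flag and ack_seq of the relayed SYN decide whether SYN Proxy is on, the handshake segments pass unrewritten while the delta is computed, outbound data gets seq += delta in newttm, inbound client ack_seq gets ack_seq -= delta in the L4LB, and FIN/RST go back via the L4LB. It assumes the delta is Y (the seq the L4LB used toward the client, carried in the SYN's ack_seq) minus the seq the RS chose for its own SYN-ACK, which is the value that makes the client-visible numbers line up; the DSR flag in the TCP option field is modelled as a boolean rather than parsed, and all struct layouts are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Kinds of TCP segment this model distinguishes (constructed for the example). */
enum tcp_kind { PKT_SYN, PKT_SYN_ACK, PKT_ACK, PKT_DATA, PKT_FIN, PKT_RST };

/* Where newttm's LOCAL OUT hook lets an outbound segment go. */
enum route { ROUTE_VIA_L4LB, ROUTE_DIRECT_TO_CLIENT };

/* Minimal segment: only the fields the decisions depend on. The DSR flag
 * that the L4LB places in the TCP option field is modelled as a boolean. */
struct tcp_pkt {
    enum tcp_kind kind;
    uint32_t seq;
    uint32_t ack_seq;
    bool dsr_option;
};

/* Per-connection state newttm keeps on the RS (layout assumed, not the module's own). */
struct dsr_conn {
    bool dsr;            /* DSR flag seen in the SYN relayed by the L4LB            */
    bool syn_proxy;      /* ack_seq of that SYN was non-zero                         */
    uint32_t y;          /* seq the L4LB used in its SYN-ACK to the client (= ack_seq) */
    uint32_t z;          /* seq the RS chose in its own SYN-ACK                      */
    uint32_t delta;      /* y - z modulo 2^32                                        */
    bool delta_ready;
};

/* LOCAL IN: the SYN from the L4LB. A normal SYN carries ack_seq == 0, so a
 * non-zero ack_seq is the signal that SYN Proxy is on and that it carries Y. */
void newttm_on_syn(struct dsr_conn *c, const struct tcp_pkt *syn)
{
    memset(c, 0, sizeof *c);
    c->dsr = syn->dsr_option;
    if (!c->dsr)
        return;                      /* non-DSR: the L4LB handles everything */
    c->syn_proxy = (syn->ack_seq != 0);
    c->y = syn->ack_seq;
}

/* LOCAL OUT: choose the route and fix up seq for segments the RS sends.
 * Handshake segments are never rewritten; the SYN-ACK only yields Z. */
enum route newttm_on_out(struct dsr_conn *c, struct tcp_pkt *p)
{
    if (!c->dsr)
        return ROUTE_VIA_L4LB;

    switch (p->kind) {
    case PKT_SYN_ACK:
        if (c->syn_proxy) {
            c->z = p->seq;
            c->delta = c->y - c->z;  /* unsigned arithmetic wraps like TCP seq space */
            c->delta_ready = true;
        }
        return ROUTE_VIA_L4LB;       /* keeps the L4LB's TCP state machine in sync */
    case PKT_FIN:
    case PKT_RST:
        return ROUTE_VIA_L4LB;       /* the L4LB converts their sequence numbers   */
    case PKT_ACK:
    case PKT_DATA:
        if (c->syn_proxy && c->delta_ready)
            p->seq += c->delta;      /* the "fourth target data packet" fix-up     */
        return ROUTE_DIRECT_TO_CLIENT;
    default:
        return ROUTE_VIA_L4LB;
    }
}

/* L4LB side of the same connection: the inbound client segment's ack_seq
 * (the "first acknowledgement sequence number") minus the delta gives the
 * "second acknowledgement sequence number" the RS actually expects. */
uint32_t l4lb_adjust_inbound_ack(uint32_t client_ack_seq, uint32_t delta)
{
    return client_ack_seq - delta;
}
```

With X = 1000, Y = 0xFFFFFF00 and an RS SYN-ACK seq of 5000, the delta wraps to 0xFFFFEB78, and an RS data segment with seq 5001 leaves newttm as seq 0xFFFFFF01, which is the Y + 1 the client expects.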
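The UDP path above, as an added example in user-space C that is not code from the patent or the newttm module: protocol number 199 on an inbound packet marks DSR mode, so newttm restores protocol 17, records cip and vip, and replaces the L4LB's bip with cip (source address translation) before handing the packet up; on the way out it rewrites rip to vip and sends to cip, bypassing the L4LB, while plain UDP flows are left for the L4LB to NAT. The patent does not say where cip and vip sit in the third target packet, so this model assumes they follow the IP header as a small trailer; the header and state layouts are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define PROTO_UDP      17    /* the UDP protocol number named on the page           */
#define PROTO_DSR_UDP  199   /* the self-defined four-layer protocol number example */

/* Where newttm's LOCAL OUT hook lets an outbound datagram go. */
enum route { ROUTE_VIA_L4LB, ROUTE_DIRECT_TO_CLIENT };

/* Only the IPv4 header fields the decision needs (constructed for the example). */
struct ip_hdr_min {
    uint8_t  protocol;
    uint32_t saddr;
    uint32_t daddr;
};

/* Assumed carrier for cip and vip inside the third target packet. */
struct dsr_trailer {
    uint32_t cip;
    uint32_t vip;
};

/* Per-flow state newttm keeps on the RS (layout assumed, not the module's own). */
struct udp_flow {
    bool dsr;
    uint32_t cip;
    uint32_t vip;
};

/* LOCAL IN on the RS. Returns true when the packet was a DSR-marked datagram:
 * the protocol number is restored to 17 so the kernel's UDP stack accepts it,
 * cip/vip are saved, and the source address bip is replaced by cip. */
bool newttm_udp_in(struct udp_flow *f, struct ip_hdr_min *ip, const struct dsr_trailer *t)
{
    if (ip->protocol != PROTO_DSR_UDP) {
        f->dsr = false;              /* plain UDP: leave it to the FULLNAT path */
        return false;
    }
    ip->protocol = PROTO_UDP;
    f->dsr = true;
    f->cip = t->cip;
    f->vip = t->vip;
    ip->saddr = f->cip;              /* the service now sees the real client */
    return true;
}

/* LOCAL OUT on the RS: in DSR mode rewrite rip -> vip and address the
 * datagram to cip so it bypasses the L4LB; otherwise leave it untouched so
 * the L4LB performs SNAT/DNAT as in the non-DSR FULLNAT flow. */
enum route newttm_udp_out(const struct udp_flow *f, struct ip_hdr_min *ip)
{
    if (!f->dsr)
        return ROUTE_VIA_L4LB;
    ip->saddr = f->vip;
    ip->daddr = f->cip;
    return ROUTE_DIRECT_TO_CLIENT;
}
```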
In the embodiment of the application, for the same outgoing bandwidth, the cost of the four-layer load balancing device can be cut by half, the forwarding pressure that downlink high-bandwidth services place on the four-layer load balancing device is reduced, and a certain SYN flood defense capability is retained.
Referring to fig. 12, the present application provides an embodiment of a data transmission apparatus 1200 applied to a load balancing device, where the apparatus includes:
a first receiving module 1201, configured to receive a first data packet sent by a client;
the first connection module 1202 is configured to, when the first data packet is a first type of data packet sent by a TCP protocol, perform multiple handshaking with the client to establish a TCP connection;
a second connection module 1203, configured to perform multiple handshakes with a real server to establish a TCP connection when the TCP connection is established with the client;
a first sending module 1204, configured to send a first target data packet to the real server when receiving a data packet of a second type sent by the client via the TCP protocol;
the first target data packet comprises a second confirmation sequence number obtained by adjusting the first confirmation sequence number in the second type of data packet.
In one embodiment, the second connection module includes:
the second sending module is used for sending a second data packet of the first type to the real server under the condition of establishing TCP connection with the client;
the second receiving module is used for receiving a first confirmation packet returned by the real server;
the first connection submodule is used for establishing TCP connection with the real server under the condition that the second confirmation packet is sent to the real server;
the second acknowledgement sequence number in the first target data packet is the result of subtracting the target sequence number from the first acknowledgement sequence number in the second type data packet, and the target sequence number is the result of subtracting the fourth acknowledgement sequence number in the first acknowledgement packet from the third acknowledgement sequence number in the second data packet.
In one embodiment, the apparatus further comprises:
the third sending module is used for sending a second target data packet to the real server under the condition of receiving a third type data packet sent by the client through the TCP;
the second target data packet includes a sixth acknowledgement sequence number, and the sixth acknowledgement sequence number is different from a fifth acknowledgement sequence number in the third type of data packet.
In one embodiment, the apparatus further comprises:
the fourth sending module is used for sending a third target data packet to the real server when the first data packet is a fourth type data packet sent by the UDP protocol.
As shown in fig. 13, in an embodiment, the present application further provides a data transmission apparatus 1300, applied to a real server, the apparatus including:
a third connection module 1301, configured to perform multiple handshaking with a load balancing device to establish a TCP connection, where the load balancing device has received a first data packet sent by a client, and has established a TCP connection with the client when the first data packet is a first type of data packet sent by a TCP protocol;
a third receiving module 1302, configured to receive a first target data packet sent by the load balancing device, where the first target data packet is a data packet sent by the load balancing device when receiving a second type of data packet sent by the client through a TCP protocol, and includes a second acknowledgement sequence number obtained after adjusting the first acknowledgement sequence number in the second type of data packet.
In one embodiment, a third connection module includes:
the fourth receiving module is used for receiving a second data packet of the first type sent by the load balancing device once it has established a TCP connection with the client;
a fifth sending module, configured to send the first acknowledgement packet to the load balancing device;
the fifth receiving module is used for receiving the second acknowledgement packet sent by the load balancing device and establishing a TCP connection with the load balancing device;
the second acknowledgement sequence number in the first target data packet is the result of subtracting the target sequence number from the first acknowledgement sequence number in the second type data packet, and the target sequence number is the result of subtracting the fourth acknowledgement sequence number in the first acknowledgement packet from the third acknowledgement sequence number in the second data packet.
In one embodiment, the apparatus further comprises:
the first acquisition module is used for acquiring a first data packet to be sent through the kernel module;
the first data packet generation module is used for generating a fourth target data packet through the kernel module, wherein the sequence number in the fourth target data packet is the sum of the sequence number in the first data packet to be sent and the target sequence number;
the sixth sending module is used for sending the fourth target data packet to the client.
In one embodiment, the apparatus further comprises:
a sixth receiving module, configured to receive a second target data packet sent by the load balancing device, where the second target data packet is a data packet sent by the load balancing device when receiving a third type of data packet sent by the client through a TCP protocol;
the second target data packet includes a sixth acknowledgement sequence number, and the sixth acknowledgement sequence number is different from a fifth acknowledgement sequence number in the third type of data packet.
In one embodiment, the apparatus further comprises:
a seventh receiving module, configured to receive a third target data packet sent by the load balancing device, where the third target data packet is a data packet sent by the load balancing device to the real server when the first data packet is a fourth type data packet sent by using a UDP protocol.
In one embodiment, the apparatus further comprises:
the second obtaining module is used for obtaining a second data packet to be sent through the kernel module;
the second data packet generating module is used for generating a fifth target data packet through the kernel module;
the seventh sending module is used for sending the fifth target data packet to the client through the UDP protocol.
The data transmission device of each embodiment is a device for implementing the data transmission method of each embodiment, and the technical features and technical effects correspond to each other, and are not described herein again.
According to an embodiment of the present application, an electronic device and a readable storage medium are also provided.
Fig. 14 is a block diagram of an electronic device according to the data transmission method of the embodiment of the present application. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the present application that are described and/or claimed herein.
As shown in fig. 14, the electronic device includes: one or more processors 1401, a memory 1402, and interfaces for connecting the various components, including a high-speed interface and a low-speed interface. The various components are interconnected using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions for execution within the electronic device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output apparatus (such as a display device coupled to the interface). In other embodiments, multiple processors and/or multiple buses may be used, along with multiple memories, as desired. Also, multiple electronic devices may be connected, with each device providing portions of the necessary operations (e.g., as a server array, a group of blade servers, or a multi-processor system). Fig. 14 illustrates an example with a single processor 1401.
Memory 1402 is a non-transitory computer readable storage medium as provided herein. The memory stores instructions executable by at least one processor to cause the at least one processor to perform the data transmission method provided herein. The non-transitory computer-readable storage medium of the present application stores computer instructions for causing a computer to execute the data transmission method provided by the present application.
The memory 1402, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the data transmission method in the embodiment of the present application (for example, the first receiving module 1201, the first connecting module 1202, the second connecting module 1203, the first transmitting module 1204 shown in fig. 12, or the third connecting module 1301, the third receiving module 1302 in fig. 13). The processor 1401 executes various functional applications of the server and data processing by running non-transitory software programs, instructions, and modules stored in the memory 1402, that is, implements the data transmission method in the above-described method embodiments.
The memory 1402 may include a program storage area and a data storage area, wherein the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created according to the use of the electronic device, and the like. Further, the memory 1402 may include high-speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 1402 may optionally include memory located remotely from the processor 1401, which may be connected to the electronic device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The electronic device of the data transmission method may further include: an input device 1403 and an output device 1404. The processor 1401, the memory 1402, the input device 1403, and the output device 1404 may be connected by a bus or other means, as exemplified by the bus connection in fig. 14.
The input device 1403 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic device for the data transmission method; examples include a touch screen, keypad, mouse, track pad, touch pad, pointer stick, one or more mouse buttons, track ball, joystick, or other input device. The output device 1404 may include a display device, auxiliary lighting devices (e.g., LEDs), and haptic feedback devices (e.g., vibrating motors), among others. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device can be a touch screen.
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, application specific integrated circuits (ASICs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, and which receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device, and at least one output device.
These computing programs (also known as programs, software applications, or code) include machine instructions for a programmable processor, and may be implemented using procedural and/or object oriented programming languages, and/or assembly/machine languages. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
According to the technical solution of the embodiments of the application, after receiving a first data packet sent by a client, if the first data packet is a first type data packet sent through the TCP protocol, the load balancing device establishes a TCP connection with the client through multiple handshakes, and, once the TCP connection with the client is established, establishes a TCP connection with the real server through multiple handshakes, so that when a second type data packet sent by the client through the TCP protocol is received, a first target data packet is sent to the real server. The second acknowledgement sequence number included in the first target data packet is obtained by adjusting the first acknowledgement sequence number in the second type data packet; that is, the acknowledgement sequence number carried in the first target data packet differs from the first acknowledgement sequence number in the second type data packet sent by the client. Because the acknowledgement sequence number is changed before the first target data packet is transmitted to the real server, the load balancer does not simply relay the client's second type data packet to the real server, so the possibility of the client's packets being used, via the load balancer, to attack the real server is reduced, and the security of data transmission is improved.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present application may be executed in parallel, sequentially, or in different orders, and the present invention is not limited thereto as long as the desired results of the technical solutions disclosed in the present application can be achieved.
The above-described embodiments should not be construed as limiting the scope of the present application. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (22)

1. A data transmission method is applied to load balancing equipment, and the method comprises the following steps:
receiving a first data packet sent by a client;
under the condition that the first data packet is a first type data packet sent through a TCP protocol, performing multiple handshaking with the client to establish TCP connection;
under the condition of establishing TCP connection with the client, performing handshake with a real server for multiple times to establish TCP connection;
under the condition of receiving a second type of data packet sent by the client through a TCP protocol, sending a first target data packet to the real server;
and the first target data packet comprises a second confirmation sequence number obtained by adjusting the first confirmation sequence number in the second type of data packet.
2. The method of claim 1, wherein the performing multiple handshakes with the real server to establish the TCP connection comprises:
under the condition of establishing TCP connection with the client, sending a second data packet of a first type to the real server;
receiving a first confirmation packet returned by the real server;
establishing a TCP connection with the real server under the condition that the second confirmation packet is sent to the real server;
the second acknowledgement sequence number in the first target data packet is a result of subtracting a target sequence number from the first acknowledgement sequence number in the second type of data packet, and the target sequence number is a result of subtracting a fourth acknowledgement sequence number in the first acknowledgement packet from a third acknowledgement sequence number in the second data packet.
3. The method of claim 1, wherein after the establishing the TCP connection with the real server by performing the multiple handshake, further comprising:
under the condition of receiving a third type of data packet sent by the client through a TCP protocol, sending a second target data packet to the real server;
and the second target data packet comprises a sixth acknowledgement sequence number, and the sixth acknowledgement sequence number is different from a fifth acknowledgement sequence number in the third type of data packet.
4. The method of claim 1, wherein after receiving the first data packet sent by the client, the method further comprises:
and sending a third target data packet to the real server under the condition that the first data packet is a fourth type data packet sent by a UDP protocol.
5. A data transmission method is applied to a real server, and comprises the following steps:
performing multiple handshaking with load balancing equipment to establish TCP connection, wherein the load balancing equipment receives a first data packet sent by a client, and establishes TCP connection with the client under the condition that the first data packet is a first type of data packet sent by a TCP protocol;
receiving a first target data packet sent by the load balancing device, wherein the first target data packet is a data packet sent by the load balancing device under the condition of receiving a second type of data packet sent by the client through a TCP protocol, and the first target data packet includes a second acknowledgement sequence number obtained after adjusting a first acknowledgement sequence number in the second type of data packet.
6. The method of claim 5, wherein the performing multiple handshakes with the load balancing device to establish the TCP connection comprises:
receiving a second data packet of a first type sent by the load balancing equipment under the condition of establishing a TCP connection with the client;
sending a first acknowledgement packet to the load balancing device;
receiving a second acknowledgement packet sent by the load balancing equipment, and establishing TCP connection with the load balancing equipment;
the second acknowledgement sequence number in the first target data packet is a result of subtracting a target sequence number from the first acknowledgement sequence number in the second type of data packet, and the target sequence number is a result of subtracting a fourth acknowledgement sequence number in the first acknowledgement packet from a third acknowledgement sequence number in the second data packet.
7. The method of claim 6, wherein after establishing the TCP connection with the load balancing device via the multiple handshakes, further comprising:
acquiring a first data packet to be sent through a kernel module;
generating a fourth target data packet through a kernel module, wherein a sequence serial number in the fourth target data packet is the sum of a sequence serial number in the first data packet to be sent and the target serial number;
and sending the fourth target data packet to the client.
8. The method of claim 5, wherein after establishing the TCP connection with the load balancing device via the multiple handshakes, further comprising:
receiving a second target data packet sent by the load balancing device, wherein the second target data packet is a data packet sent by the load balancing device when receiving a third type of data packet sent by the client through a TCP protocol;
and the second target data packet comprises a sixth acknowledgement sequence number, and the sixth acknowledgement sequence number is different from a fifth acknowledgement sequence number in the third type of data packet.
9. The method of claim 5, wherein the method further comprises:
receiving a third target data packet sent by the load balancing device, where the third target data packet is a data packet sent by the load balancing device to the real server when the first data packet is a fourth type data packet sent by a UDP protocol.
10. The method of claim 5, wherein the method further comprises:
acquiring a second data packet to be sent through the kernel module;
generating a fifth target data packet through the kernel module;
and sending the fifth target data packet to the client through a UDP protocol.
11. A data transmission device is applied to load balancing equipment, and the device comprises:
the first receiving module is used for receiving a first data packet sent by a client;
the first connection module is used for performing multi-time handshake with the client to establish TCP connection under the condition that the first data packet is a first type data packet sent through a TCP protocol;
the second connection module is used for performing multi-time handshake with a real server to establish TCP connection under the condition of establishing TCP connection with the client;
the first sending module is used for sending a first target data packet to the real server under the condition of receiving a second type of data packet sent by the client through a TCP (transmission control protocol);
and the first target data packet comprises a second confirmation sequence number obtained by adjusting the first confirmation sequence number in the second type of data packet.
12. The apparatus of claim 11, wherein the second connection module comprises:
a second sending module, configured to send a second data packet of the first type to the real server when a TCP connection is established with the client;
the second receiving module is used for receiving the first confirmation packet returned by the real server;
the first connection submodule is used for establishing TCP connection with the real server under the condition that the second confirmation packet is sent to the real server;
the second acknowledgement sequence number in the first target data packet is a result of subtracting a target sequence number from the first acknowledgement sequence number in the second type of data packet, and the target sequence number is a result of subtracting a fourth acknowledgement sequence number in the first acknowledgement packet from a third acknowledgement sequence number in the second data packet.
13. The apparatus of claim 11, further comprising:
a third sending module, configured to send a second target data packet to the real server when receiving a third type of data packet sent by the client via a TCP protocol;
and the second target data packet comprises a sixth acknowledgement sequence number, and the sixth acknowledgement sequence number is different from a fifth acknowledgement sequence number in the third type of data packet.
14. The apparatus of claim 11, further comprising:
a fourth sending module, configured to send a third target data packet to the real server when the first data packet is a fourth type data packet sent through a UDP protocol.
15. A data transmission apparatus applied to a real server, the apparatus comprising:
the third connection module is used for performing multiple handshaking with the load balancing equipment to establish TCP connection, wherein the load balancing equipment has received a first data packet sent by a client and has established TCP connection with the client under the condition that the first data packet is a first type of data packet sent by a TCP protocol;
a third receiving module, configured to receive a first target data packet sent by the load balancing device, where the first target data packet is a data packet sent by the load balancing device when receiving a second type of data packet sent by the client through a TCP protocol, and includes a second acknowledgement sequence number obtained after adjusting a first acknowledgement sequence number in the second type of data packet.
16. The apparatus of claim 15, wherein the third connection module comprises:
a fourth receiving module, configured to receive a second data packet of the first type sent by the load balancing device when a TCP connection is established with the client;
a fifth sending module, configured to send a first acknowledgement packet to the load balancing device;
a fifth receiving module, configured to receive a second acknowledgement packet sent by the load balancing device, and establish a TCP connection with the load balancing device;
the second acknowledgement sequence number in the first target data packet is a result of subtracting a target sequence number from the first acknowledgement sequence number in the second type of data packet, and the target sequence number is a result of subtracting a fourth acknowledgement sequence number in the first acknowledgement packet from a third acknowledgement sequence number in the second data packet.
17. The apparatus of claim 16, further comprising:
the first acquisition module is used for acquiring a first data packet to be sent through the kernel module;
a first data packet generating module, configured to generate a fourth target data packet through a kernel module, where a sequence number in the fourth target data packet is a sum of a sequence number in the first data packet to be sent and the target number;
a sixth sending module, configured to send the fourth target data packet to the client.
18. The apparatus of claim 15, further comprising:
a sixth receiving module, configured to receive a second target data packet sent by the load balancing device, where the second target data packet is a data packet sent by the load balancing device when receiving a third type of data packet sent by the client through a TCP protocol;
and the second target data packet comprises a sixth acknowledgement sequence number, and the sixth acknowledgement sequence number is different from a fifth acknowledgement sequence number in the third type of data packet.
19. The apparatus of claim 15, wherein the apparatus further comprises:
a seventh receiving module, configured to receive a third target data packet sent by the load balancing device, where the third target data packet is a data packet sent by the load balancing device to the real server when the first data packet is a fourth type data packet sent by using a UDP protocol.
20. The apparatus of claim 15, wherein the apparatus further comprises:
the second obtaining module is used for obtaining a second data packet to be sent through the kernel module;
the second data packet generating module is used for generating a fifth target data packet through the kernel module;
a seventh sending module, configured to send the fifth target packet to the client through a UDP protocol.
21. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-10.
22. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1-10.
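Added example (Python; not code from the patent or its assignee) of the acknowledgement-number translation described in the summary paragraph and in claims 2, 6 and 7: the load balancer finishes the client handshake with its own initial sequence number, opens a second TCP connection to the real server, and bridges the two by subtracting a fixed offset (the "target sequence number") from every client acknowledgement number, while the real server's kernel module adds the same offset to the sequence numbers it sends back. It assumes that the claims' "third" and "fourth acknowledgement sequence numbers" are the load balancer's and the real server's initial sequence numbers, and that the load balancer carries its client-facing ISN in the SYN it sends to the real server; all ISNs and byte counts are constructed.

```python
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF  # TCP sequence numbers live in a modulo-2**32 space

def add32(a, b):
    return (a + b) & MASK32

def sub32(a, b):
    return (a - b) & MASK32

@dataclass
class Segment:
    seq: int         # sequence number field
    ack: int         # acknowledgement number field
    length: int = 0  # payload bytes carried

class RealServer:
    """Real server with the kernel module of claims 5 to 7."""
    def __init__(self, rs_isn):
        self.rs_isn = rs_isn
        self.snd_una = self.snd_nxt = add32(rs_isn, 1)  # oldest unacked / next to send
        self.rcv_nxt = self.target = None
        self.received = 0

    def on_syn(self, syn):
        # Assumption of this example: the LB carries its client-facing ISN in the
        # ack field of its SYN, so target = (LB ISN) - (own ISN) is computable
        # here as well as on the LB.  Returns the SYN-ACK (first ack packet).
        self.rcv_nxt = add32(syn.seq, 1)
        self.target = sub32(syn.ack, self.rs_isn)
        return Segment(seq=self.rs_isn, ack=self.rcv_nxt)

    def deliver(self, seg):
        """RFC 793 acceptability check; True if the segment is taken."""
        if seg.seq != self.rcv_nxt:
            return False
        if sub32(seg.ack, self.snd_una) > sub32(self.snd_nxt, self.snd_una):
            return False  # ack outside [snd_una, snd_nxt], measured modulo 2**32
        self.snd_una = seg.ack
        self.rcv_nxt = add32(self.rcv_nxt, seg.length)
        self.received += seg.length
        return True

    def send_to_client(self, length):
        # Claim 7: seq = own seq + target, so the client, which only ever saw the
        # LB's ISN, observes one continuous byte stream.
        seg = Segment(add32(self.snd_nxt, self.target), self.rcv_nxt, length)
        self.snd_nxt = add32(self.snd_nxt, length)
        return seg

class LoadBalancer:
    """Load balancer of claims 1 and 2."""
    def __init__(self, lb_isn):
        self.lb_isn = lb_isn  # ISN the LB used in its SYN-ACK to the client
        self.target = None

    def connect_real_server(self, rs, client_isn):
        # Second data packet of the first type: the LB's SYN toward the server,
        # reusing the client's ISN so client sequence numbers pass unchanged.
        synack = rs.on_syn(Segment(seq=client_isn, ack=self.lb_isn))
        self.target = sub32(self.lb_isn, synack.seq)  # the target sequence number
        return rs.deliver(Segment(add32(client_isn, 1), add32(synack.seq, 1)))

    def forward(self, seg):
        # First target data packet: second ack number = first ack number - target.
        return Segment(seg.seq, sub32(seg.ack, self.target), seg.length)

def simulate(client_isn=0x7FFFFFF0, lb_isn=0xFFFFFF00, rs_isn=0x00001000):
    """One proxied connection; the constructed ISNs make the arithmetic wrap."""
    rs, lb = RealServer(rs_isn), LoadBalancer(lb_isn)
    handshake_ok = lb.connect_real_server(rs, client_isn)
    first = Segment(add32(client_isn, 1), add32(lb_isn, 1), 100)
    first_ok = rs.deliver(lb.forward(first))
    reply = rs.send_to_client(512)  # goes straight to the client, bypassing the LB
    continuous = reply.seq == add32(lb_isn, 1)
    second = Segment(add32(client_isn, 101), add32(lb_isn, 513), 50)
    second_ok = rs.deliver(lb.forward(second))
    # The same segment without the LB's rewrite carries an ack number the real
    # server never produced, so the acceptability check drops it.
    stray_ok = rs.deliver(Segment(add32(client_isn, 151), add32(lb_isn, 513), 50))
    return {"handshake": handshake_ok, "first": first_ok, "continuous": continuous,
            "second": second_ok, "stray_dropped": not stray_ok,
            "target": lb.target, "server_target": rs.target, "received": rs.received}
```

The dropped stray segment is the protective effect the summary describes: a packet that has not passed through the load balancer's rewrite does not fit the real server's acknowledgement window.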
CN202010622416.2A 2020-06-30 2020-06-30 Data transmission method and device and electronic equipment Active CN111800499B (en)


Publications (2)

Publication Number Publication Date
CN111800499A true CN111800499A (en) 2020-10-20
CN111800499B CN111800499B (en) 2022-04-15





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant