CN112532658B - Cloud network escape event scanning method and device and computer readable storage medium - Google Patents


Info

Publication number: CN112532658B
Application number: CN202110181789.5A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112532658A
Inventors: 刘永钢, 董志强
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Prior art keywords: network, scanning, cloud platform, data packet, cloud
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN202110181789.5A; publication of CN112532658A; application granted; publication of CN112532658B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]


Abstract

The application provides a cloud network escape event scanning method, apparatus, device and storage medium. The method comprises: in response to a scanning request from a scanning initiator of a cloud network escape event, performing network virtualization protocol traversal on the cloud platform to be detected, so as to determine the type of cloud computing network virtualization protocol the cloud platform uses; acquiring the tenant identification field of the cloud platform under that cloud computing network virtualization protocol, and the traversal value range corresponding to the tenant identification; traversing the tenant identification over that range and, for each value, performing cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation with the tenant identification value to obtain and send an encapsulated scanning data packet; and monitoring the response message receiving condition of the scanning initiator, or the scanning message receiving condition of each scanning data packet receiver, so as to judge whether the cloud network of the cloud platform has a network escape. The method can find potential network escape problems at the bottom layer of the cloud platform and improve network security.

Description

Cloud network escape event scanning method and device and computer readable storage medium
Technical Field
The present application relates to the field of computer networks, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for scanning cloud network escape events.
Background
If such vulnerabilities and problems exist, a malicious or illegal tenant can use them to break through the limits of the cloud computing tenant network, access other tenants' networks and even the underlying network of the cloud platform without authorization, and launch further attacks, seriously affecting the network security of other tenants and of the cloud platform. Timely discovery of tenant network escape problems in a cloud platform is therefore an important prerequisite for ensuring tenant network security. In the related art, network escape events present in a network can be discovered through network scanning, so that vulnerabilities and problems in the network can be found.
The network scanning schemes adopted in the related art are aimed only at traditional networks and can find network escape problems in traditional networks. However, because the architecture of a cloud platform network differs from that of a conventional network, scanning for tenant network escape problems in a cloud platform with a related-art scheme may leave network escape problems that exist at the bottom layer of the cloud platform undiscovered, which affects the network security of the cloud platform's tenants.
Disclosure of Invention
Embodiments of the application provide a cloud network escape event scanning method, a cloud network escape event scanning device and a computer readable storage medium. When scanning for a cloud network escape event, they can trigger the message processing flows and processing rules of the cloud platform's bottom-layer network, and by monitoring the response message or scanning message receiving condition of each scanning data packet they can automatically find network escape problems that may exist at the bottom layer of the cloud platform, so the discovery rate of cloud platform network escape problems is effectively improved and network security is improved.
The technical scheme of the embodiment of the application is realized as follows:
the embodiment of the application provides a cloud network escape event scanning method, which comprises the following steps:
in response to a scanning request from a scanning initiator of the cloud network escape event, performing network virtualization protocol traversal processing on a cloud platform to be detected that provides cloud computing network service, so as to determine the type of cloud computing network virtualization protocol used by the cloud platform;
acquiring the tenant identification field of the cloud platform under operation of the cloud computing network virtualization protocol, and determining, according to that field, the traversal value range corresponding to the tenant identification of the cloud platform, where different types of cloud computing network virtualization protocol correspond to different tenant identification fields;
traversing the tenant identification over the traversal value range corresponding to it and, for each tenant identification value visited during the traversal, performing cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation with that value to obtain and send an encapsulated scanning data packet;
and monitoring the response message receiving condition of the scanning initiator, or the scanning message receiving condition of each scanning data packet receiver in the cloud platform, so as to judge and output a scanning result indicating whether a network escape event exists in the cloud computing network of the cloud platform.
In some embodiments, performing cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation with the tenant identifier value to obtain and send an encapsulated scanning data packet includes: traversing the source IP address and destination IP address of the underlying network according to the private Internet Protocol (IP) address range of the cloud platform's underlying network, and, for each pair of source and destination IP address values visited during the traversal, performing cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation with the source IP address value, the destination IP address value and the tenant identification value to obtain and send the encapsulated scanning data packet.
In some embodiments, performing cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation with the source IP address value, the destination IP address value and the tenant identifier to obtain and send an encapsulated scanning data packet includes: performing underlying network encapsulation with the source IP address value and the destination IP address value to obtain an underlying network data packet; determining the virtual machine IP address of the scanning initiator and the virtual machine IP address of the scanning data packet receiver that correspond to the tenant identification value; performing overlay network encapsulation of the underlying network data packet with the tenant identifier value, the virtual machine IP address of the scanning initiator and the virtual machine IP address of the scanning data packet receiver to obtain the encapsulated scanning data packet; and sending the scanning data packet.
In some embodiments, traversing the source IP address and destination IP address of the underlying network according to the private IP address range of the cloud platform's underlying network includes: determining the network segment to be scanned from the private IP address range of the cloud platform's bottom-layer network; and traversing in turn every pair of different IP address values in the network segment to be scanned to obtain the source IP address value and destination IP address value of the underlying network.
In some embodiments, obtaining the tenant identification field of the cloud platform under operation of the cloud computing network virtualization protocol includes: when the cloud computing network virtualization protocol is the Virtual eXtensible Local Area Network (VXLAN) protocol, taking the VXLAN Network Identifier (VNI) field of the VXLAN message format as the tenant identification field of the cloud platform under VXLAN; or, when the cloud computing network virtualization protocol is Network Virtualization using Generic Routing Encapsulation (NVGRE), taking the Key field of the NVGRE message format, which represents the virtual network identifier, as the tenant identifier field of the cloud platform under NVGRE.
In some embodiments, monitoring the response packet reception of the scanning initiator or the scan packet reception of each scan packet receiver in the cloud platform, so as to determine and output a scanning result indicating whether a network escape event exists in the cloud computing network of the cloud platform, includes: determining that a network escape event exists in the cloud computing network of the cloud platform when it is monitored that the scanning initiator receives a response message to any scanning data packet, or that any scanning data packet receiver in the cloud platform receives a scanning data packet; and outputting a scanning result indicating that a network escape event exists in the cloud computing network of the cloud platform.
In some embodiments, the same monitoring further includes: counting the number of response messages received by the scanning initiator and the number of scanning data packet receivers that received scanning data packets, so as to determine the number of network escape events occurring in the cloud computing network of the cloud platform; and outputting the number of network escape events.
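As an added example that is not part of the patent, the Python below implements the two pieces of the method a defender can run over captured underlay traffic: telling VXLAN from NVGRE by the outer headers and extracting the tenant identifier field (the VNI, or the VSID in the upper 24 bits of the NVGRE Key, both 24-bit fields, which fixes the traversal value range), and then applying the judgement rule above to decide whether escape events occurred and how many. Header layouts follow RFC 7348 and RFC 7637; the capture points, receiver names, sample frames and 10.0.0.x underlay addresses are constructed placeholders, and the receiver-side check assumes each capture point sits on the underlay side of that tenant's VTEP so the outer header is still visible.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VXLAN_UDP_PORT = 4789               # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08         # VXLAN "I" flag: the VNI field is valid
GRE_PROTO_TRANSPARENT_ETH = 0x6558  # GRE protocol type carried by NVGRE (RFC 7637)
GRE_FLAG_KEY = 0x2000               # GRE "K" bit: a 32-bit Key field follows the header
IP_PROTO_UDP, IP_PROTO_GRE = 17, 47

# Both tenant identifier fields are 24 bits wide (VXLAN VNI; NVGRE VSID, the upper
# 24 bits of the Key), so the traversal value range is 0..2**24-1 for either protocol.
TENANT_ID_BITS = {"VXLAN": 24, "NVGRE": 24}


@dataclass(frozen=True)
class TenantTag:
    protocol: str   # "VXLAN" or "NVGRE"
    tenant_id: int  # VNI or VSID carried in the outer encapsulation


def tenant_id_range(protocol: str) -> Tuple[int, int]:
    """Inclusive value range of the tenant identifier field for the given protocol."""
    return 0, (1 << TENANT_ID_BITS[protocol]) - 1


def parse_tenant_tag(frame: bytes) -> Optional[TenantTag]:
    """Identify VXLAN or NVGRE from the outer Ethernet/IPv4 headers of a frame and
    return the tenant identifier it carries; None if the frame is neither."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":          # not IPv4
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4                               # end of the IPv4 header
    ip_proto = frame[23]
    if ip_proto == IP_PROTO_UDP and len(frame) >= l4 + 16:
        dst_port = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
        vxlan_hdr = frame[l4 + 8:l4 + 16]                         # 8-byte VXLAN header
        if dst_port != VXLAN_UDP_PORT or not vxlan_hdr[0] & VXLAN_FLAG_VNI_VALID:
            return None
        return TenantTag("VXLAN", int.from_bytes(vxlan_hdr[4:7], "big"))
    if ip_proto == IP_PROTO_GRE and len(frame) >= l4 + 8:
        gre_flags, gre_proto = struct.unpack("!HH", frame[l4:l4 + 4])
        if gre_proto != GRE_PROTO_TRANSPARENT_ETH or not gre_flags & GRE_FLAG_KEY:
            return None
        key = frame[l4 + 4:l4 + 8]                                 # VSID (24) | FlowID (8)
        return TenantTag("NVGRE", int.from_bytes(key[0:3], "big"))
    return None


def judge_escape(own_tenant: Dict[str, int],
                 receiver_frames: List[Tuple[str, bytes]],
                 initiator_responses: int) -> dict:
    """own_tenant maps each receiver's capture point to the tenant id it should see.
    A frame there carrying another tenant's id is a scan packet that crossed the
    tenant boundary (one-way escape); a response back at the initiator shows the
    path works in both directions. Event count follows the patent's rule."""
    foreign_hits: Dict[str, set] = {}
    for receiver, frame in receiver_frames:
        tag = parse_tenant_tag(frame)
        if tag is not None and tag.tenant_id != own_tenant[receiver]:
            foreign_hits.setdefault(receiver, set()).add((tag.protocol, tag.tenant_id))
    # responses received by the initiator + receivers that received scan packets
    event_count = initiator_responses + len(foreign_hits)
    return {
        "escape": event_count > 0,
        "bidirectional": initiator_responses > 0,
        "unidirectional_receivers": sorted(foreign_hits),
        "event_count": event_count,
    }


# --- constructed sample frames (placeholder MACs, 10.0.0.x underlay addresses) ---
INNER_FRAME = bytes(14)  # placeholder inner Ethernet header; not inspected here


def _ipv4_frame(ip_proto: int, payload: bytes) -> bytes:
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     ip_proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


def sample_vxlan(vni: int) -> bytes:
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 16 + len(INNER_FRAME), 0)
    vxlan_hdr = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return _ipv4_frame(IP_PROTO_UDP, udp + vxlan_hdr + INNER_FRAME)


def sample_nvgre(vsid: int, flow_id: int = 0) -> bytes:
    gre = struct.pack("!HH", GRE_FLAG_KEY, GRE_PROTO_TRANSPARENT_ETH)
    return _ipv4_frame(IP_PROTO_GRE, gre + vsid.to_bytes(3, "big") + bytes([flow_id]) + INNER_FRAME)


if __name__ == "__main__":
    # Tenant 100's scan packet is seen at tenant 200's capture point: one escape event.
    verdict = judge_escape({"vm-a": 100, "vm-b": 200},
                           [("vm-a", sample_vxlan(100)), ("vm-b", sample_vxlan(100))], 0)
    print(parse_tenant_tag(sample_nvgre(4242, 7)), tenant_id_range("NVGRE"), verdict)
```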
An embodiment of the present application provides a cloud network escape event scanning device, including:
a first determination module, configured to respond to a scanning request from a scanning initiator of the cloud network escape event by performing network virtualization protocol traversal processing on a cloud platform to be detected that provides cloud computing network service, so as to determine the type of cloud computing network virtualization protocol used by the cloud platform;
a second determination module, configured to acquire the tenant identification field of the cloud platform under operation of the cloud computing network virtualization protocol and to determine, according to that field, the traversal value range corresponding to the tenant identification of the cloud platform, where different types of cloud computing network virtualization protocol correspond to different tenant identification fields;
an encapsulation module, configured to traverse the tenant identification over the traversal value range corresponding to it and, for each tenant identification value visited during the traversal, to perform cloud platform bottom-layer network data packet encapsulation and overlay network data packet encapsulation with that value so as to obtain and send an encapsulated scanning data packet;
and a monitoring module, configured to monitor the response message receiving condition of the scanning initiator, or the scanning message receiving condition of each scanning data packet receiver in the cloud platform, so as to judge and output a scanning result indicating whether a network escape event exists in the cloud computing network of the cloud platform.
In some embodiments, the encapsulation module is further configured to: traverse the source IP address and destination IP address of the underlying network according to the private IP address range of the cloud platform's underlying network, and, for each pair of source and destination IP address values visited during the traversal, perform cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation with the source IP address value, the destination IP address value and the tenant identification value to obtain and send the encapsulated scanning data packet.
In some embodiments, the encapsulation module is further configured to: perform underlying network encapsulation with the source IP address value and the destination IP address value to obtain an underlying network data packet; determine the virtual machine IP address of the scanning initiator and the virtual machine IP address of the scanning data packet receiver that correspond to the tenant identification value; perform overlay network encapsulation of the underlying network data packet with the tenant identifier value, the virtual machine IP address of the scanning initiator and the virtual machine IP address of the scanning data packet receiver to obtain the encapsulated scanning data packet; and send the scanning data packet.
In some embodiments, the encapsulation module is further configured to: determine the network segment to be scanned from the private IP address range of the cloud platform's bottom-layer network; and traverse in turn every pair of different IP address values in the network segment to be scanned to obtain the source IP address value and destination IP address value of the underlying network.
In some embodiments, the second determination module is further configured to: when the cloud computing network virtualization protocol is the VXLAN protocol, take the VNI field of the VXLAN message format as the tenant identification field of the cloud platform under VXLAN; or, when the cloud computing network virtualization protocol is the NVGRE protocol, take the Key field of the NVGRE message format, which represents the virtual network identifier, as the tenant identifier field of the cloud platform under NVGRE.
In some embodiments, the monitoring module is further configured to: determine that a network escape event exists in the cloud computing network of the cloud platform when it is monitored that the scanning initiator receives a response message to any scanning data packet, or that any scanning data packet receiver in the cloud platform receives a scanning data packet; and output a scanning result indicating that a network escape event exists in the cloud computing network of the cloud platform.
In some embodiments, the monitoring module is further configured to: count the number of response messages received by the scanning initiator and the number of scanning data packet receivers that received scanning data packets, so as to determine the number of network escape events occurring in the cloud computing network of the cloud platform; and output the number of network escape events.
An embodiment of the present application provides a cloud network escape event scanning device, including: a memory for storing executable instructions; and a processor configured to implement the method provided by the embodiments of the present application when executing the executable instructions stored in the memory.
Embodiments of the present application provide a computer-readable storage medium, which stores executable instructions for causing a processor to implement the method provided by the embodiments of the present application when the processor executes the executable instructions.
The embodiment of the application has the following beneficial effects:
first, network virtualization protocol traversal processing is performed on the cloud platform to be detected to determine the type of cloud computing network virtualization protocol the cloud platform uses; second, the traversal value range corresponding to the tenant identification of the cloud platform is determined from the tenant identification field of the cloud platform under that protocol; then the tenant identification is traversed over that range, and cloud platform bottom-layer network data packet encapsulation and overlay network data packet encapsulation are performed with each tenant identification value to obtain and send an encapsulated scanning data packet; and finally, whether a network escape event exists in the cloud computing network of the cloud platform is judged and output by monitoring the response message receiving condition of the scanning initiator or the scanning message receiving condition of each scanning data packet receiver in the cloud platform. In this way, scanning for a cloud network escape event triggers the message processing flow and processing rules of the bottom-layer network of the cloud platform, network escape problems that may exist at the bottom layer of the cloud platform are found automatically by monitoring the response message or scanning message receiving condition of each scanning data packet, the discovery rate of cloud platform network escape problems is effectively improved, and network security is improved.
In addition, bidirectional network escape problems in the cloud computing network can be found by monitoring the receiving condition of response messages to the scanning data packets, and unidirectional network escape problems can be found by monitoring the receiving condition of the scanning data packets themselves, so the discovery rate of network escape problems is further improved.
Drawings
Fig. 1 is a schematic diagram of an alternative architecture of a network scanning system according to an embodiment of the present application;
Fig. 2 is an alternative structural schematic diagram of a cloud network escape event scanning device according to an embodiment of the present application;
Fig. 3 is an alternative flowchart of a cloud network escape event scanning method according to an embodiment of the present disclosure;
Fig. 4 is an alternative flowchart of a cloud network escape event scanning method according to an embodiment of the present disclosure;
Fig. 5 is an alternative flowchart of a cloud network escape event scanning method according to an embodiment of the present disclosure;
Fig. 6A is an alternative schematic flowchart of a cloud network escape event scanning method according to an embodiment of the present application;
Fig. 6B is a schematic diagram of the message encapsulation format of the VXLAN protocol;
Fig. 6C is a schematic diagram illustrating the use of GRE in the NVGRE protocol;
Fig. 6D is a schematic diagram of the GRE packet encapsulation format in the NVGRE protocol.
Detailed Description
In order to make the objectives, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the attached drawings. The described embodiments should not be considered as limiting the present application, and all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the protection scope of the present application.
In the following description, reference is made to "some embodiments", which describe a subset of all possible embodiments; it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other where there is no conflict.
Where the terms "first/second/third" appear in the specification, they are used merely to distinguish between similar items and do not imply a particular ordering of the items; it is to be understood that "first/second/third" may be interchanged in a particular sequence or order where permitted, so that the embodiments of the application described herein may be performed in an order other than that illustrated or described.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to limit the application.
Before the embodiments of the present application are described in further detail, the terms and expressions used in them are explained; the following explanations apply to those terms and expressions throughout.
1) NVO3: Network Virtualization over Layer 3;
2) VPC: Virtual Private Cloud, a tenant's private network;
3) network escape: in a cloud computing network, data of the current tenant is unexpectedly forwarded from the current tenant's VPC to the VPCs of other tenants or to the underlying network (underlay) layer of the cloud computing network;
4) underlay: the underlying network, the physical infrastructure on which an overlay network is built;
5) overlay: the overlay network, realised as a Software Defined Network (SDN);
6) Virtual eXtensible Local Area Network (VXLAN): one of the NVO3 standard technologies defined by the Internet Engineering Task Force (IETF); a network virtualization technology using packet encapsulation, which encapsulates Layer 2 (L2) Ethernet frames in User Datagram Protocol (UDP) packets (L2 over L4, or MAC-in-UDP);
7) Network Virtualization using Generic Routing Encapsulation (NVGRE): a network virtualization technology using Generic Routing Encapsulation.
In order to better understand the cloud network escape event scanning method provided in the embodiment of the present application, a network scanning scheme in the related art is first described below.
In the related art, network scanning technology is mainly directed at scanning conventional networks and is not combined with Underlay-layer technology (for example, NVO3-related technology). When such scanning technology is used to scan a cloud computing virtualization network, the scanning data packet cannot trigger the processing flows and processing rules of protocols such as NVO3 on the Underlay layer; it is simply discarded or forwarded on the Overlay layer, so network escape problems that may exist at the bottom layer of the cloud platform cannot be found.
Embodiments of the application provide a cloud network escape event scanning method, a cloud network escape event scanning device and a computer readable storage medium. When scanning for a cloud network escape event, they can trigger the message processing flows and processing rules of the cloud platform's bottom-layer network, and by monitoring the response message or scanning message receiving condition of each scanning data packet they can automatically find network escape problems that may exist at the bottom layer of the cloud platform, so the discovery rate of cloud platform network escape problems is effectively improved and network security is improved. An exemplary application of the cloud network escape event scanning device provided in the embodiments of the present application is described below. The device may be implemented as various types of user terminal, such as a notebook computer, a tablet computer, a desktop computer, a set-top box or a mobile device (e.g., a mobile phone, a portable music player, a personal digital assistant, a dedicated messaging device or a portable game device), and may also be implemented as a server. In the following, the exemplary application is explained for the case where the cloud network escape event scanning device is implemented as a server.
Referring to Fig. 1, Fig. 1 is an alternative architecture diagram of a network scanning system 100 provided in this embodiment of the present application, which can scan for cloud platform network escape problems. A cloud network escape event scanning device 200 connects to at least one scanned device (illustratively, a scanned device 400-1 and a scanned device 400-2) through a network 300. The network 300 may be a wide area network, a local area network or a combination of the two, and may include one or more of a gateway, a router, an SDN controller and the like.
The cloud network escape event scanning device 200 is configured to: in response to a scanning request from a scanning initiator of a cloud network escape event, perform network virtualization protocol traversal processing on a cloud platform to be detected that provides cloud computing network service, so as to determine the type of cloud computing network virtualization protocol used by the cloud platform; acquire the tenant identification field of the cloud platform under operation of the cloud computing network virtualization protocol, and determine, according to that field, the traversal value range corresponding to the tenant identification of the cloud platform, where different types of cloud computing network virtualization protocol correspond to different tenant identification fields; traverse the tenant identification over the traversal value range corresponding to it and, for each tenant identification value visited during the traversal, perform cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation with that value to obtain and send an encapsulated scanning data packet; and monitor the response message receiving condition of the scanning initiator, or the scanning message receiving condition of each scanning data packet receiver in the cloud platform, so as to judge and output a scanning result indicating whether a network escape event exists in the cloud computing network of the cloud platform. In implementation, the cloud network escape event scanning device 200 sends the scanning data packet through the network 300, and the processing flow and processing rules of the cloud platform's underlying network layer may be triggered on a gateway, a router, an SDN controller or another device in the network 300.
The scanned device is configured to: open at least one service port by running a service; and, by monitoring and recording the receiving condition of scanning messages on that service port, assist in judging whether a network escape event exists between the tenant of the scanning device and the tenant of the scanned device.
In some embodiments, the cloud network escape event scanning device 200 may be a stand-alone physical server, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, web services, cloud communications, middleware services, domain name services, security services, CDNs, and big data and artificial intelligence platforms. The cloud network escape event scanning device 200 and the scanned device may be connected directly or indirectly through wired or wireless communication, which is not limited in the embodiments of the present invention.
In addition, the network scanning system according to the embodiments of the present application may also be a distributed system applied to a blockchain system. The distributed system may consist of a plurality of nodes and clients; the nodes may be any type of computing device in the access network, such as a server or a user terminal, a Peer-to-Peer (P2P) network is formed between the nodes, and a cloud network escape event scanning device implemented as a server may be a node on the blockchain.
Referring to fig. 2, fig. 2 is a schematic structural diagram of a cloud network escape event scanning device 200 according to an embodiment of the present application, where the cloud network escape event scanning device 200 shown in fig. 2 includes: at least one processor 210, memory 250, at least one network interface 220, and a user interface 230. The various components in the cloud network escape event scanning device 200 are coupled together by a bus system 240. It is understood that the bus system 240 is used to enable communications among the components. The bus system 240 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 240 in fig. 2.
The processor 210 may be an integrated circuit chip having signal processing capabilities, such as a general-purpose processor, a Digital Signal Processor (DSP), another programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, where the general-purpose processor may be a microprocessor or any conventional processor.
The user interface 230 includes one or more output devices 231, including one or more speakers and/or one or more visual display screens, that enable the presentation of media content. The user interface 230 also includes one or more input devices 232, including user interface components that facilitate user input, such as a keyboard, mouse, microphone, touch screen display, camera, other input buttons and controls.
The memory 250 may be removable, non-removable, or a combination thereof. Exemplary hardware devices include solid state memory, hard disk drives, optical disk drives, and the like. Memory 250 optionally includes one or more storage devices physically located remotely from processor 210.
The memory 250 includes volatile memory or nonvolatile memory, and may include both. The nonvolatile memory may be a Read Only Memory (ROM), and the volatile memory may be a Random Access Memory (RAM). The memory 250 described in the embodiments herein is intended to comprise any suitable type of memory.
In some embodiments, memory 250 is capable of storing data, examples of which include programs, modules, and data structures, or a subset or superset thereof, to support various operations, as exemplified below.
An operating system 251 including system programs for processing various basic system services and performing hardware-related tasks, such as a framework layer, a core library layer, a driver layer, etc., for implementing various basic services and processing hardware-based tasks;
a network communication module 252 for communicating with other computing devices via one or more (wired or wireless) network interfaces 220, exemplary network interfaces 220 including Bluetooth, Wi-Fi, and Universal Serial Bus (USB);
a presentation module 253 to enable presentation of information (e.g., a user interface for operating peripherals and displaying content and information) via one or more output devices 231 (e.g., a display screen, speakers, etc.) associated with the user interface 230;
an input processing module 254 for detecting one or more user inputs or interactions from one of the one or more input devices 232 and translating the detected inputs or interactions.
In some embodiments, the cloud network escape event scanning apparatus provided in the embodiments of the present application may be implemented in software, and fig. 2 illustrates the cloud network escape event scanning apparatus 255 stored in the memory 250, which may be software in the form of programs and plug-ins, and includes the following software modules: a first determining module 2551, a second determining module 2552, an encapsulating module 2553 and a monitoring module 2554, which are logical and thus can be arbitrarily combined or further split depending on the functionality implemented.
The functions of the respective modules will be explained below.
In other embodiments, the cloud network escape event scanning device provided in this embodiment may be implemented in hardware; for example, it may be a processor in the form of a hardware decoding processor programmed to execute the cloud network escape event scanning method provided in this embodiment. The processor in the form of the hardware decoding processor may be one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), or other electronic components.
The cloud network escape event scanning method provided by the embodiment of the present application will be described below with reference to an exemplary application and implementation of the server provided by the embodiment of the present application.
Referring to fig. 3, fig. 3 is an optional flowchart of a cloud network escape event scanning method provided in the embodiment of the present application, and will be described below with reference to the steps shown in fig. 3, where an execution subject of the following steps may be the foregoing server or terminal.
In step S101, in response to a scan request of a scan initiator of a cloud network escape event, performing network virtualization protocol traversal processing on a cloud platform to be detected that provides cloud computing network services, so as to determine a type of a cloud computing network virtualization protocol used by the cloud platform.
Here, the scan initiator of the cloud network escape event is a terminal or a server that initiates the cloud network escape event scan, and may be an execution subject of the cloud network escape event scan method, or may be another terminal or server.
The cloud platform to be detected may be any suitable platform providing cloud computing network services. The type of the cloud computing network virtualization protocol used by the cloud platform is the type of the network virtualization protocol run by the cloud computing network supporting the cloud platform. The cloud platform to be detected can be subjected to traversal processing according to at least one type of cloud computing network virtualization protocol, so that the type of the cloud computing network virtualization protocol used by the cloud platform to be detected can be determined. For example, for each type of cloud computing network virtualization protocol in at least one type of cloud computing network virtualization protocol, a message may be sent in the cloud platform using the cloud computing network virtualization protocol, and whether the cloud platform uses the cloud computing network virtualization protocol may be determined by monitoring whether the message is sent successfully, so as to determine the type of the cloud computing network virtualization protocol used by the cloud platform. At least one type of cloud computing network virtualization protocol for performing traversal processing of the network virtualization protocol may be a network protocol that can trigger a message processing flow and a processing rule of an underlying network layer, which is selected according to an actual situation, and includes, but is not limited to, a network protocol based on technologies such as NVO3, such as a VXLAN protocol, an NVGRE protocol, or a Stateless Transport Tunnel (STT) protocol. In implementation, at least one type of cloud computing network virtualization protocol for performing network virtualization protocol traversal processing may be configured by a user or may be default by the system.
In step S102, a tenant identification field of the cloud platform under the operation of the cloud computing network virtualization protocol is obtained, and a traversal value range corresponding to a tenant identification of the cloud platform is determined according to the tenant identification field, wherein different types of cloud computing network virtualization protocols correspond to different tenant identification fields.
Here, the tenant identification field is a field used for transmitting a value of the tenant identification in the cloud computing network virtualization protocol, and different types of cloud computing network virtualization protocols may correspond to different tenant identification fields.
The traversal value range corresponding to the tenant identification of the cloud platform is the value range of the tenant identification of the cloud platform under the operation of the cloud computing network virtualization protocol. A cloud computing network virtualization protocol generally fixes the number of bits each field occupies in the message, so the traversal value range corresponding to the tenant identification of the cloud platform can be determined from the number of bits the tenant identification field occupies in the message. For example, when the tenant identification field occupies 16 bits in the message, the traversal value range corresponding to the tenant identification may be 0 to 2^16-1; when the tenant identification field occupies 32 bits in the message, the traversal value range corresponding to the tenant identification may be 0 to 2^32-1.
In step S103, traversing the tenant identifier according to the traversal value range corresponding to the tenant identifier, and for the value of each tenant identifier accessed in the traversal process, performing cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation by using the value of the tenant identifier to obtain and send a scan data packet after encapsulation.
Here, the traversal process accesses the value of each tenant identification within the traversal value range in turn. For the value of each tenant identification, cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation are carried out, and the encapsulated scanning data packet is obtained and sent. During the encapsulation of the cloud platform underlying network data packet and the overlay network data packet, the value of the tenant identification currently accessed is encapsulated into the tenant identification field.
The message formats of the underlying network layer and the overlay network layer in different cloud computing network virtualization protocols can be different. During implementation, the message format of the underlying network layer and the message format of the overlay network layer can be determined according to the cloud computing network virtualization protocol, so that the cloud platform underlying network data packet is encapsulated according to the message format of the underlying network layer, the overlay network data packet is encapsulated according to the message format of the overlay network layer, and the encapsulated scanning data packet is obtained. When the cloud platform underlying network data packet is encapsulated, either only the packet header may be encapsulated, so that the scanning data packet carries no payload, or a specific scanning packet may be encapsulated and carried as the payload of the scanning data packet.
When transmitting the scan packet, the scan packet may be transmitted immediately after obtaining the scan packet, or a plurality of scan packets may be transmitted in a batch after obtaining a plurality of scan packets, and this is not limited here.
In step S104, a response packet receiving condition of the scan initiator or a scan packet receiving condition of each scan packet receiver in the cloud platform is monitored to determine and output a scan result of whether a network escape event exists in the cloud computing network of the cloud platform.
Here, whether a network escape event exists in the cloud computing network of the cloud platform may be determined by monitoring a response condition of each transmitted scan packet or a reception condition at a receiving side. In implementation, whether a network escape event exists in the cloud computing network of the cloud platform can be judged according to response message receiving conditions counted by a scanning initiator of the cloud network escape event or scanning message receiving conditions reported by each scanning data packet receiver in the cloud platform respectively, and a scanning result of whether the network escape event exists is output.
The response message receiving condition counted by the scan initiator may include whether the scan initiator receives a response message of a scan data packet. In implementation, at a scanning initiator of the cloud network escape event, whether the cloud computing network of the cloud platform has the network escape event or not can be judged by counting the number of the received response messages. For example, if the number of the received response messages is greater than 0, it may be determined that a network escape event exists in the cloud computing network of the cloud platform; if the number of the received response messages is 0, it can be determined that no network escape event is found in the cloud computing network of the cloud platform.
The receiving condition of the response packet of the scan initiator may also include whether the response packet of the scan packet received by the scan initiator is a packet representing that the scan packet is successfully sent. In implementation, at a scanning initiator of a cloud network escape event, whether the cloud computing network of the cloud platform has the network escape event or not can be judged by counting the number of messages representing successful sending of scanning data packets in the received response messages. For example, if the number of successfully sent messages representing the scanning data packet is greater than 0, it can be determined that a network escape event exists in the cloud computing network of the cloud platform; if the number of the messages representing that the scanning data packet is successfully sent is 0, it can be determined that no network escape event is found in the cloud computing network of the cloud platform.
Each scanning data packet receiver can report the receiving condition of the scanning message, and whether a network escape event exists in the cloud computing network of the cloud platform can be judged according to the monitored receiving condition of the scanning message reported by each scanning data packet receiver. The scan packet receiving condition reported by each scan packet receiver in the cloud platform may include whether each scan packet receiver receives a scan packet. In implementation, whether a network escape event exists in the cloud network of the cloud platform can be judged by counting the number of receivers of the scanning data packets receiving the scanning messages. For example, if the number of scanning packet receivers receiving the scanning packet is greater than 0, it may be determined that a network escape event exists in the cloud computing network of the cloud platform; if the number of the scanning data packet receivers receiving the scanning message is 0, it can be determined that no network escape event is found in the cloud computing network of the cloud platform.
The scan results may be output in any suitable manner, including but not limited to one or more of text messages, pictures, voice, indicator lights, and the like. For example, the text message "abnormal" may be output to represent that a network escape event exists in the cloud computing network of the cloud platform, and the text message "normal" to represent that no network escape event is found; a voice alarm may be sounded to represent that a network escape event exists in the cloud computing network of the cloud platform, and withheld when no network escape event is found; or a red indicator light may represent that a network escape event exists in the cloud computing network of the cloud platform, and a green indicator light that no network escape event is found.
In some embodiments, the obtaining of the tenant identification field of the cloud platform under the operation of the cloud computing network virtualization protocol in step S102 may be implemented by the following step S121 or step S122:
in step S121, when the cloud computing network virtualization protocol is a VXLAN protocol, acquiring a VNI field in a message format of the VXLAN protocol as a tenant identification field of the cloud platform in the operation of the VXLAN protocol;
here, if the cloud computing network virtualization protocol is a VXLAN protocol, a VNI field in a message format of the VXLAN protocol may be used as the tenant identification field.
In step S122, when the cloud computing network virtualization protocol is the NVGRE protocol, a Key field representing a virtual network identifier in a message format of the NVGRE protocol is obtained as a tenant identifier field of the cloud platform running in the NVGRE protocol.
Here, if the cloud computing network virtualization protocol is the NVGRE protocol, a Key field for representing the virtual network identifier in the message format of the NVGRE protocol may be used as the tenant identifier field.
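The tenant identification fields named in steps S121 and S122, together with the bit-width rule for the traversal value range from step S102, can be made concrete with the following added example. It is not code from the patent or from the applicant; it assumes the standard VXLAN header layout (RFC 7348, 24-bit VNI with the I flag) and the NVGRE header layout (RFC 7637, GRE key present, protocol type 0x6558, 24-bit VSID plus 8-bit FlowID). The function names and the receiver-side check `check_received`, which compares the decoded tenant identifier against the identifiers a host is expected to serve, are this example's own constructions; the set of expected identifiers would come from the platform's tenant management data in practice.

```python
"""Tenant-identifier handling for VXLAN and NVGRE headers (RFC 7348 / RFC 7637).

Added example (not the patent's code): encodes and decodes the header that carries
the tenant identifier, derives the traversal range from the field width, and makes
the receiver-side check that a decoded identifier belongs to a tenant expected on
this host.
"""
import struct

VXLAN_FLAG_VNI_VALID = 0x08      # "I" flag in the VXLAN header (RFC 7348)
GRE_FLAG_KEY_PRESENT = 0x2000    # K bit in the GRE flags word (RFC 2890)
NVGRE_PROTOCOL_TYPE = 0x6558     # Transparent Ethernet Bridging (RFC 7637)


def id_value_range(field_bits: int) -> tuple[int, int]:
    """Traversal range for an identifier field of field_bits bits: 0 .. 2**field_bits - 1."""
    if field_bits <= 0:
        raise ValueError("field width must be positive")
    return 0, (1 << field_bits) - 1


def encode_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni <= id_value_range(24)[1]:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)


def decode_vxlan_header(buf: bytes) -> int:
    """Return the VNI from a VXLAN header; reject short headers and a clear I flag."""
    if len(buf) < 8:
        raise ValueError("truncated VXLAN header")
    flags_word, vni_word = struct.unpack("!II", buf[:8])
    if not (flags_word >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set: VNI is not valid")
    return vni_word >> 8


def encode_nvgre_header(vsid: int, flow_id: int = 0) -> bytes:
    """8-byte NVGRE header: GRE flags(2) | protocol type(2) | key = VSID(3) + FlowID(1)."""
    if not 0 <= vsid <= id_value_range(24)[1] or not 0 <= flow_id <= 0xFF:
        raise ValueError("VSID must fit in 24 bits and FlowID in 8 bits")
    return struct.pack("!HHI", GRE_FLAG_KEY_PRESENT, NVGRE_PROTOCOL_TYPE,
                       (vsid << 8) | flow_id)


def decode_nvgre_header(buf: bytes) -> tuple[int, int]:
    """Return (VSID, FlowID) from an NVGRE header; reject GRE frames that are not NVGRE."""
    if len(buf) < 8:
        raise ValueError("truncated NVGRE header")
    flags, proto, key = struct.unpack("!HHI", buf[:8])
    if not flags & GRE_FLAG_KEY_PRESENT or proto != NVGRE_PROTOCOL_TYPE:
        raise ValueError("not an NVGRE header (key absent or wrong protocol type)")
    return key >> 8, key & 0xFF


def extract_tenant_id(protocol: str, header: bytes) -> int:
    """Tenant identification field per protocol: VNI for VXLAN, Key/VSID for NVGRE."""
    if protocol == "vxlan":
        return decode_vxlan_header(header)
    if protocol == "nvgre":
        return decode_nvgre_header(header)[0]
    raise ValueError(f"unsupported virtualization protocol: {protocol}")


def check_received(protocol: str, header: bytes, expected_ids: set[int]) -> str:
    """Receiver-side verdict for one captured encapsulated packet.

    expected_ids: tenant identifiers that legitimately terminate on this host
    (assumed, for this example, to come from the platform's tenant management data).
    A packet whose identifier is not expected here is what the receiver records as
    a suspicious reception when it reports its scan-message receiving condition.
    """
    tenant_id = extract_tenant_id(protocol, header)
    return "expected" if tenant_id in expected_ids else "unexpected-tenant"


if __name__ == "__main__":
    # Constructed sample: this host serves VNI 5000; a frame tagged VNI 5001 also arrives.
    print(check_received("vxlan", encode_vxlan_header(5000), {5000}))
    print(check_received("vxlan", encode_vxlan_header(5001), {5000}))
```

For both protocols the identifier is 24 bits wide, so `id_value_range(24)` gives the full traversal range 0 to 2^24-1; the decoders refuse headers with the VNI-valid flag clear or with a non-NVGRE protocol type rather than returning an identifier of zero, which keeps a malformed frame from being counted as a legitimate tenant-0 reception.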
In the embodiment of the application, firstly, the network virtualization protocol traversal processing is carried out on the cloud platform to be detected, and the type of the cloud computing network virtualization protocol used by the cloud platform is determined; secondly, determining a traversal value range corresponding to the tenant identification of the cloud platform according to the tenant identification field of the cloud platform under the operation of the cloud computing network virtualization protocol; then, traversing the tenant identification according to the traversal value range, and performing cloud platform bottom network data packet encapsulation and overlay network data packet encapsulation by using the value of the tenant identification to obtain and send a scanning data packet after encapsulation; and finally, judging and outputting whether a network escape event exists in the cloud computing network of the cloud platform or not by monitoring the response message receiving condition of the scanning initiator or the scanning message receiving condition of each scanning data packet receiver in the cloud platform. Therefore, when the cloud network escape event is scanned, the message processing flow and the processing rule of the bottom layer network layer of the cloud platform can be triggered, the possible network escape problem of the bottom layer of the cloud platform can be automatically found by monitoring the response message or the receiving condition of the scanning message of each scanning data packet, the discovery rate of the network escape problem of the cloud platform can be effectively improved, and the network security is improved. 
In addition, the bidirectional network escape problem in the cloud computing network can be found by monitoring the receiving condition of the response message of the scanning data packet, and the unidirectional network escape problem in the cloud computing network can be found by monitoring the receiving condition of the scanning data packet, so that the discovery rate of the network escape problem can be further improved.
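The decision rule of step S104 and the bidirectional/unidirectional distinction just described can be expressed as a small verdict function. The following is an added example, not the patent's code: it assumes that each scan data packet has an identifier, that the scan initiator reports the set of identifiers for which a response message arrived, and that each scan data packet receiver reports the set of identifiers it received (the `ScanReports` shape is this example's own construction). A response means the packet crossed the tenant boundary and the reply crossed back (bidirectional); a receiver report without a response means only the outbound direction crossed (unidirectional).

```python
"""Scan-result decision for step S104 (added example, not the patent's code).

Combines the initiator's response-message receiving condition with the
scan-message receiving condition reported by each scan data packet receiver.
"""
from dataclasses import dataclass, field


@dataclass
class ScanReports:
    """Assumed input shape: identifiers of sent scan packets, identifiers that drew
    a response at the initiator, and identifiers each receiver reports receiving."""
    sent: set[str]
    responded: set[str] = field(default_factory=set)
    received_by: dict[str, set[str]] = field(default_factory=dict)


def classify_scan(reports: ScanReports) -> dict:
    """Return the output text ("abnormal"/"normal") and the escape kind per packet."""
    # Reject reports that name packets never sent: a sign of a broken reporter.
    unknown = reports.responded - reports.sent
    for ids in reports.received_by.values():
        unknown |= ids - reports.sent
    if unknown:
        raise ValueError(f"reports reference unsent scan packets: {sorted(unknown)}")

    received = set().union(*reports.received_by.values())
    # Response came back to the initiator: both directions crossed the boundary.
    bidirectional = sorted(reports.responded)
    # A receiver saw the packet but no response returned: one direction crossed.
    unidirectional = sorted(received - reports.responded)
    # Step S501: any response or any reception means a network escape event exists.
    verdict = "abnormal" if bidirectional or unidirectional else "normal"
    return {
        "verdict": verdict,
        "bidirectional": bidirectional,
        "unidirectional": unidirectional,
        "receivers_hit": sorted(r for r, ids in reports.received_by.items() if ids),
    }


if __name__ == "__main__":
    # Constructed sample: three packets sent, one answered, one more seen by vm-a only.
    sample = ScanReports(sent={"p1", "p2", "p3"}, responded={"p1"},
                         received_by={"vm-a": {"p1", "p2"}, "vm-b": set()})
    print(classify_scan(sample))
```

Keeping the per-packet lists in the result, rather than only the text verdict, lets the operator see which receivers and which tenant/address combinations produced the escape, which is what the remediation work needs.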
Referring to fig. 4, fig. 4 is an optional flowchart of a cloud network escape event scanning method according to an embodiment of the present application. The following will be described with reference to each step, and the execution subject of the following steps may be the foregoing server or terminal.
In step S101, in response to a scan request of a scan initiator of a cloud network escape event, performing network virtualization protocol traversal processing on a cloud platform to be detected that provides cloud computing network services, so as to determine a type of a cloud computing network virtualization protocol used by the cloud platform.
In step S102, a tenant identification field of the cloud platform under the operation of the cloud computing network virtualization protocol is obtained, and a traversal value range corresponding to a tenant identification of the cloud platform is determined according to the tenant identification field, wherein different types of cloud computing network virtualization protocols correspond to different tenant identification fields.
In step S103, traversing the tenant identifier according to the traversal value range corresponding to the tenant identifier, and for the value of each tenant identifier accessed in the traversal process, performing cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation by using the value of the tenant identifier to obtain and send a scan data packet after encapsulation.
In step S104, a response packet receiving condition of the scan initiator or a scan packet receiving condition of each scan packet receiver in the cloud platform is monitored to determine and output a scan result of whether a network escape event exists in the cloud computing network of the cloud platform.
Here, in step S103, the encapsulating process of the cloud platform underlying network data packet and the encapsulating process of the overlay network data packet are performed by using the value of the tenant identifier, so as to obtain and send the scan data packet after the encapsulating process, which may be implemented by the following step S401:
in step S401, a source IP address and a destination IP address of the underlying network are traversed according to a private IP address range of the underlying network of the cloud platform, and for each set of source IP address value and destination IP address value accessed in the traversal process, the source IP address value, the destination IP address value, and the tenant identifier value are used to perform cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation, so as to obtain and send an encapsulated scan data packet.
Here, a private Internet Protocol (IP) address is an IP address reserved for allocation within a local area network (LAN); the private ranges include the class A, class B and class C ranges, where the class A range includes 10.0.0.0 to 10.255.255.255, the class B range includes 172.16.0.0 to 172.31.255.255, and the class C range includes 192.168.0.0 to 192.168.255.255. The private IP address range of the cloud platform underlying network may include all or part of these private IP address segments, which is not limited herein.
When the source IP address and the destination IP address of the underlying network are traversed according to the private IP address range of the underlying network of the cloud platform, all IP addresses in the private IP address range can be traversed, and traversing can also be carried out only on the basis of the private IP address in a specific network segment in the underlying network of the cloud platform. Through traversal processing, any two different IP address values accessed in the traversal process can be respectively used as a set of source IP address value and a set of destination IP address value. And for each group of source IP address values and destination IP address values, carrying out cloud platform bottom network data packet encapsulation and overlay network data packet encapsulation processing to obtain and send an encapsulated scanning data packet. In the process of encapsulating the cloud platform underlying network data packet and encapsulating the overlay network data packet, according to a message format of a cloud computing network virtualization protocol used by a current cloud platform, a source IP address value and a destination IP address value of a current access are respectively encapsulated into a source IP address field and a destination IP address field of the cloud platform underlying network layer, and a value of a tenant identification of the current access is encapsulated into a tenant identification field.
It should be noted that, for each group of source IP address values and destination IP address values, all ports of the network may be traversed to obtain scan packets corresponding to each port, or only a specific port may be subjected to packet encapsulation, which is not limited herein.
In some embodiments, the performing, by using the source IP address value, the destination IP address value, and the tenant identifier value in step S401, cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation processing to obtain and send an encapsulated scan data packet may be implemented by steps S411 to S414 as follows:
in step S411, encapsulating the underlying network data packet by using the source IP address value and the destination IP address value to obtain an underlying network data packet;
here, the packet formats of the underlying network packets in different cloud computing network virtualization protocols may be different. During implementation, the message format of the underlying network data packet can be determined according to the message format of the cloud computing network virtualization protocol, so that the underlying network data packet is packaged based on the message format of the underlying network data packet. Because the underlying network data packet is data transmitted in the underlying network, the underlying network data packet includes an IP address header of the underlying network layer. When encapsulating the underlying network data packet, the source IP address value may be encapsulated into a source IP address field in an IP address header of the underlying network layer, and the destination IP address value may be encapsulated into a destination IP address field in an IP address header of the underlying network layer.
In step S412, determining an IP address value of the virtual machine of the scan packet receiver corresponding to the IP address value of the virtual machine of the scan initiator and the value of the tenant identifier;
here, the virtual machine of the scan initiator is a virtual machine that transmits a scan packet. In implementation, the IP address value of the virtual machine may be determined in any suitable manner, which is not limited in the embodiment of the present application. For example, the IP address value of the virtual machine may be determined by reading the network configuration information of the virtual machine, or may be determined by user configuration.
The virtual machine of the scanned data packet receiver corresponding to the value of the tenant identifier is a virtual machine owned by the tenant corresponding to the value of the tenant identifier and used for receiving the scanned data packet corresponding to the tenant identifier. In implementation, at least one virtual machine owned by a tenant corresponding to the value of the tenant identity may be determined according to tenant management information of the current cloud platform, and the virtual machine used for receiving the scan data packet corresponding to the tenant identity may be a virtual machine randomly determined from the at least one virtual machine owned by the tenant or a virtual machine designated by a user. After determining the virtual machine of the scanned data packet receiver corresponding to the value of the tenant identifier, the IP address value of the virtual machine may be determined in any suitable manner, which is not limited in the embodiment of the present application. For example, the IP address value of the virtual machine may be determined by reading the network configuration information of the virtual machine, or may be determined by user configuration.
In step S413, performing overlay network packet encapsulation on the underlying network packet by using the value of the tenant identifier, the IP address value of the virtual machine of the scan initiator, and the IP address value of the virtual machine of the scan packet receiver, to obtain an encapsulated scan packet;
here, when encapsulating the overlay network packet for the underlying network packet, it is necessary to encapsulate a packet header of the overlay network layer for the underlying network packet, so as to obtain a scan packet after encapsulation processing. The message formats of message headers covering network layers in different cloud computing network virtualization protocols are different. In implementation, the message format of the message header of the overlay network layer can be determined according to the message format of the cloud computing network virtualization protocol, so that overlay network data packet encapsulation is performed based on the message format of the message header of the overlay network layer. The message format of the overlay network layer message header may include a tenant identification field and an overlay network layer IP address header, and the overlay network layer IP address header may include an overlay network layer source IP address field and an overlay network layer destination IP address field. When the overlay network data packet is encapsulated, the value of the tenant identifier may be encapsulated into a tenant identifier field, the IP address value of the virtual machine of the scan initiator is encapsulated into a source IP address field in an IP address header of the overlay network layer, and the IP address value of the virtual machine of the scan data packet receiver is encapsulated into a destination IP address field in the IP address header of the overlay network layer.
In step S414, the scan packet is transmitted.
Here, the scan packet after the encapsulation process may be transmitted to a virtual machine of a scan packet receiver.
In some embodiments, the traversing the source IP address and the destination IP address of the underlying network according to the private IP address range of the underlying network of the cloud platform in step S401 above may be implemented by steps S421 to S423 as follows:
in step S421, a network segment to be scanned is determined from a private IP address range of the cloud platform underlying network;
the network segment to be scanned is a network segment which needs to be subjected to network scanning in a private IP address range of a cloud platform underlying network, and can be a network segment corresponding to key services in a cloud platform, a network segment with high security risk and a randomly selected network segment. In implementation, a user may set a network segment to be scanned according to actual needs, or a system may dynamically determine the network segment to be scanned according to monitored states of services, security risks, and the like of each network segment, which is not limited in this embodiment of the present application.
In step S422, any two different IP address values in the network segment to be scanned are sequentially traversed to obtain a source IP address value and a destination IP address value of the underlying network.
Here, each IP address value in the network segment to be scanned may be combined pairwise to obtain each set of source IP address value and destination IP address value to be scanned, and each set of source IP address value and destination IP address value may be sequentially traversed to obtain a source IP address value and a destination IP address value of the underlying network.
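The traversal described in steps S103 and S421 to S422 (tenant identifier on the outer loop, ordered pairs of distinct underlying-network addresses on the inner loop) is sized by the following added example, which is not the patent's code and sends nothing. It assumes that the network segment to be scanned is given in CIDR notation, that the network and broadcast addresses of the segment are excluded from the pairs (the `hosts()` semantics of Python's `ipaddress` module), and that the tenant identifier field is 24 bits wide as in VXLAN and NVGRE; the function names are this example's own.

```python
"""Scan-space enumeration for steps S103 and S421-S422 (added example, not the patent's code).

Builds the traversal plan (tenant identifier x ordered pair of distinct underlay
addresses in the segment to be scanned) without sending anything, and sizes it so
that the cost of choosing a large segment is visible before a scan is started.
"""
from ipaddress import IPv4Address, ip_network
from itertools import permutations
from typing import Iterable, Iterator


def address_pairs(segment: str) -> Iterator[tuple[IPv4Address, IPv4Address]]:
    """Ordered (source, destination) pairs of distinct host addresses in the segment.

    Assumption: network and broadcast addresses are excluded (hosts() semantics).
    Two different addresses are taken once in each direction, as step S422 requires.
    """
    hosts = list(ip_network(segment, strict=True).hosts())
    return permutations(hosts, 2)


def scan_plan(segment: str, tenant_ids: Iterable[int]) -> Iterator[tuple[int, str, str]]:
    """Yield (tenant_id, underlay_src, underlay_dst) in the order the steps describe:
    outer loop over tenant identifier values, inner loop over address pairs."""
    pairs = list(address_pairs(segment))
    for tenant_id in tenant_ids:
        for src, dst in pairs:
            yield tenant_id, str(src), str(dst)


def scan_space_size(segment: str, id_field_bits: int) -> int:
    """Number of scan packets for a full traversal of the tenant field over the segment:
    2**bits identifier values times n*(n-1) ordered pairs of n host addresses."""
    n = len(list(ip_network(segment, strict=True).hosts()))
    return (1 << id_field_bits) * n * (n - 1)


def estimated_hours(segment: str, id_field_bits: int, packets_per_second: float) -> float:
    """Wall-clock estimate for the full traversal at a given sustained send rate."""
    if packets_per_second <= 0:
        raise ValueError("send rate must be positive")
    return scan_space_size(segment, id_field_bits) / packets_per_second / 3600


if __name__ == "__main__":
    # Constructed sample: a /29 segment with a 24-bit tenant field at 100k packets/s.
    print(scan_space_size("10.0.0.0/29", 24))
    print(round(estimated_hours("10.0.0.0/29", 24, 100_000), 2))
    print(list(scan_plan("10.0.0.0/30", [7])))
```

Even a /29 (six host addresses, thirty ordered pairs) multiplied by the full 24-bit identifier space is about 5 x 10^8 scan packets, which is why the patent lets the operator restrict the traversal to a chosen network segment or to specific ports, and why the receive-side reports of step S104 should be aggregated per tenant identifier rather than inspected packet by packet.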
In the embodiment of the application, for the value of each tenant identifier accessed in the traversal process, the source IP address and the destination IP address of the underlying network are traversed according to the private IP address range of the underlying network of the cloud platform, and for each group of source IP address value and destination IP address value accessed in the traversal process, the source IP address value, the destination IP address value and the value of the tenant identifier are used to carry out cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation, so that the encapsulated scanning data packet is obtained and sent. Therefore, a separate scanning data packet can be encapsulated and sent for each group of source IP address value and destination IP address value in the private IP address range of the cloud platform underlying network, so that a network escape problem that may exist between different source and destination IP address values in that range can be found, and the security of the network is improved. Furthermore, only the private IP addresses in the network segment to be scanned within the private IP address range of the cloud platform underlying network can be traversed when encapsulating and sending scanning data packets, which improves the efficiency of the network scan.
Referring to fig. 5, fig. 5 is an optional flowchart of a cloud network escape event scanning method according to an embodiment of the present application. Each step is described below; the execution subject of these steps may be the server or terminal described above.
In step S101, in response to a scan request of a scan initiator of a cloud network escape event, performing network virtualization protocol traversal processing on a cloud platform to be detected that provides cloud computing network services, so as to determine a type of a cloud computing network virtualization protocol used by the cloud platform.
In step S102, a tenant identification field of the cloud platform when running the cloud computing network virtualization protocol is obtained, and a traversal value range corresponding to a tenant identification of the cloud platform is determined according to the tenant identification field, wherein different types of cloud computing network virtualization protocols correspond to different tenant identification fields.
In step S103, traversing the tenant identifier according to the traversal value range corresponding to the tenant identifier, and for the value of each tenant identifier accessed in the traversal process, performing cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation by using the value of the tenant identifier to obtain and send a scan data packet after encapsulation.
In step S104, a response packet receiving condition of the scan initiator or a scan packet receiving condition of each scan packet receiver in the cloud platform is monitored to determine and output a scan result of whether a network escape event exists in the cloud computing network of the cloud platform.
Here, step S104 may be realized by steps S501 to S502 as follows:
In step S501, when it is monitored that the scan initiator receives a response packet for any one of the scan data packets, or that any one of the scan data packet receivers in the cloud platform receives a scan data packet, it is determined that a network escape event exists in the cloud computing network of the cloud platform.
Here, for each scan data packet sent, it may be monitored whether the scan initiator of the cloud network escape event receives a response packet for that scan data packet; if a response packet corresponding to any scan data packet is received, it may be determined that a network escape event exists in the cloud computing network of the cloud platform.
Likewise, for each scan data packet sent, the receiving condition at the receiver of that scan data packet can be obtained; if any receiver of a scan data packet actually receives it, it can be determined that a network escape event exists in the cloud computing network of the cloud platform.
In step S502, a scanning result representing that a network escape event exists in the cloud computing network of the cloud platform is output.
Here, the scan result of the network escape event existing in the cloud computing network of the cloud platform may be output in any suitable manner, including but not limited to one or more of text information, pictures, voice, indicator lights, and the like. For example, text information representing that a network escape event exists in the cloud computing network of the cloud platform may be output, a voice alarm representing that the network escape event exists in the cloud computing network of the cloud platform may also be output, and an indicator lamp representing that the network escape event exists in the cloud computing network of the cloud platform may also be turned on.
In some embodiments, in step S104, the following steps S511 to S512 may also be performed: in step S511, the number of response packets received by the scanning initiator and the number of scanning packet receivers receiving the scanning packets are counted to determine the number of network escape events occurring in the cloud computing network of the cloud platform; in step S512, the number of network escape events is output.
In the embodiment of the application, when it is monitored that the scan initiator receives a response packet for any one of the scan data packets, or that any one of the scan data packet receivers in the cloud platform receives a scan data packet, it is determined that a network escape event exists in the cloud computing network of the cloud platform. In this way, a network escape problem in the cloud computing network can be discovered quickly. Furthermore, the number of network escape events can be determined and output by counting the number of response packets received by the scan initiator and the number of scan data packet receivers that received scan data packets. This provides statistical information about network escape events in the cloud platform, which helps estimate the scope of the problem and troubleshoot it, improving operation and maintenance efficiency.
Next, an exemplary application of the embodiment of the present application in a practical scenario is described. Taking the discovery of a cloud computing tenant network escape problem as an example, the embodiment provides a cloud network escape event scanning method that can be used in cloud computing networks applying NVO3 technologies such as VXLAN and NVGRE, including public clouds, private clouds and industry clouds, to try to discover possible tenant network escape problems. If devices such as gateways, routers and SDN controllers have defects or configuration problems in their development or implementation, a scan packet may be forwarded into another tenant's network or into the underlying layer of the cloud platform, triggering a network escape. The method combines the characteristics of the NVO3 technology used by the cloud computing virtualized network: it can trigger the processing flow and processing rules of the NVO3 related protocols on gateways, routers, SDN controllers and other devices, and by traversing private network IPs and the full port range it can effectively discover network escape problems in the cloud computing network. In implementation, the method can be applied to specific security tool products such as scanning tools and scanners.
Referring to fig. 6A, fig. 6A is a schematic flow chart illustrating an implementation process of a cloud network escape event scanning method provided in an embodiment of the present application, where the method may be executed by a virtual machine initiating network scanning in a current cloud platform, where the virtual machine may be a virtual machine of any tenant in the current cloud platform, and the method includes the following steps:
step S601, traversing at least one NVO3 protocol to be scanned to obtain a current scanning protocol;
Here, there are many NVO3 protocols, of which VXLAN and NVGRE are the most typical and widely used. The at least one NVO3 protocol to be scanned may include, but is not limited to, VXLAN, NVGRE or another NVO3 protocol. When the NVO3 protocol used by the cloud platform under test is not known, traversal must be used to ensure the scan is complete.
Step S602, determining a tenant identification field of the current scanning protocol;
Here, after the current scanning protocol is selected, the scanning process for that protocol may begin. The tenant identity field differs between NVO3 protocols, but is generally a 24-bit to 32-bit field; its value ranges from 0 to 4294967296, and different values of the tenant identity field correspond to different tenants.
Step S603, determining a numerical range of the tenant identification;
Here, after the tenant identity field of the current scanning protocol has been determined, the numerical range of tenant identities to be traversed may be determined from the value range of that field. The range may also be determined by the operation and maintenance staff of the network platform according to the range of tenant values actually present in the current network.
Referring to fig. 6B, fig. 6B is a schematic diagram of the packet encapsulation format of the VXLAN protocol. In the VXLAN packet encapsulation format 10, the VXLAN Network Identifier (VNI) 11 generally identifies a different tenant or a different tenant VPC. The VNI 11 field is 24 bits long and has a value in the range 0 to 16777216. Thus, if the current scanning protocol is VXLAN, the tenant identity field may be the VNI field, and the value of the tenant identity field may range from 0 to 16777216 during traversal.
Generic Routing Encapsulation (GRE) is the encapsulation on which the NVGRE protocol is built. Referring to fig. 6C and fig. 6D, fig. 6C is a schematic diagram of how GRE is used in NVGRE: a GRE header 22 is added before the original data packet 21 to obtain a GRE encapsulated packet 20. Fig. 6D is a schematic diagram of the GRE message encapsulation format in NVGRE; in the GRE header 30 of an NVGRE message, the optional Key field 31 is generally used as the user (tenant) identifier in implementations. Key 31 is 32 bits long and has a value in the range 0 to 4294967296. Thus, if the current scanning protocol is NVGRE, the tenant identity field may be the Key field, and the value of the tenant identity field may range from 0 to 4294967296 during traversal.
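As an added example (not code from the patent), the following Python decoder extracts the tenant identifier field described above, the 24-bit VNI of VXLAN (RFC 7348, UDP port 4789) or the 32-bit Key of NVGRE (RFC 7637, GRE protocol type 0x6558 with the K flag set), together with the Underlay and Overlay IPv4 addresses, from a captured underlay packet; this is what a scanned VM or a capture point needs in order to log which tenant identifier a received scan packet carried. The sample packets, addresses and identifier values are constructed inline and are not from the patent.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

VXLAN_UDP_PORT = 4789     # RFC 7348 well-known UDP port
ETHERTYPE_IPV4 = 0x0800
GRE_PROTO_TEB = 0x6558    # Transparent Ethernet Bridging: GRE payload is an Ethernet frame
GRE_FLAG_C = 0x8000       # checksum present (NVGRE requires this to be clear)
GRE_FLAG_K = 0x2000       # key present (NVGRE requires this to be set)


@dataclass
class NVO3Info:
    protocol: str              # "VXLAN" or "NVGRE"
    tenant_id: int             # 24-bit VNI or 32-bit GRE Key (the Fig. 6B / 6D field)
    outer_src: str             # Underlay source IP
    outer_dst: str             # Underlay destination IP
    inner_src: Optional[str]   # Overlay source IP when the inner frame is IPv4
    inner_dst: Optional[str]   # Overlay destination IP


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def _parse_ipv4(buf: bytes):
    """Return (protocol, src, dst, header_len) or None if buf is not IPv4."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return buf[9], _ip_str(buf[12:16]), _ip_str(buf[16:20]), ihl


def _inner_ips(frame: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Overlay Ethernet frame -> (src, dst) of the inner IPv4 header."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None, None
    ip = _parse_ipv4(frame[14:])
    return (ip[1], ip[2]) if ip else (None, None)


def decode_nvo3(pkt: bytes) -> Optional[NVO3Info]:
    """Decode a raw underlay IPv4 packet carrying VXLAN or NVGRE; None otherwise."""
    outer = _parse_ipv4(pkt)
    if outer is None:
        return None
    proto, osrc, odst, ihl = outer
    payload = pkt[ihl:]
    if proto == 17 and len(payload) >= 16:                 # UDP: look for VXLAN
        _sport, dport, _ulen, _csum = struct.unpack("!HHHH", payload[:8])
        vx = payload[8:16]                                 # 8-byte VXLAN header
        if dport != VXLAN_UDP_PORT or not vx[0] & 0x08:    # I flag marks a valid VNI
            return None
        vni = int.from_bytes(vx[4:7], "big")               # VNI occupies bytes 4..6
        isrc, idst = _inner_ips(payload[16:])
        return NVO3Info("VXLAN", vni, osrc, odst, isrc, idst)
    if proto == 47 and len(payload) >= 8:                  # GRE: look for NVGRE
        flags, ptype = struct.unpack("!HH", payload[:4])
        if ptype != GRE_PROTO_TEB or flags & GRE_FLAG_C or not flags & GRE_FLAG_K:
            return None
        key = struct.unpack("!I", payload[4:8])[0]         # Key = 24-bit VSID << 8 | FlowID
        isrc, idst = _inner_ips(payload[8:])
        return NVO3Info("NVGRE", key, osrc, odst, isrc, idst)
    return None


# --- constructed sample packets (checksums left zero; never transmitted) ---

def _ipv4_header(proto: int, src: str, dst: str, payload_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, _ip_bytes(src), _ip_bytes(dst))

def _inner_frame(src: str, dst: str) -> bytes:
    eth = b"\x02" * 12 + struct.pack("!H", ETHERTYPE_IPV4)   # dummy MAC addresses
    return eth + _ipv4_header(6, src, dst, 0)

def sample_vxlan(vni: int, osrc: str, odst: str, isrc: str, idst: str) -> bytes:
    inner = _inner_frame(isrc, idst)
    vx = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vx) + len(inner), 0)
    body = udp + vx + inner
    return _ipv4_header(17, osrc, odst, len(body)) + body

def sample_nvgre(key: int, osrc: str, odst: str, isrc: str, idst: str) -> bytes:
    inner = _inner_frame(isrc, idst)
    body = struct.pack("!HHI", GRE_FLAG_K, GRE_PROTO_TEB, key) + inner
    return _ipv4_header(47, osrc, odst, len(body)) + body


if __name__ == "__main__":
    # Constructed values: VNI 4096, underlay 10.0.0.5 -> 10.0.0.9, overlay VM addresses
    print(decode_nvo3(sample_vxlan(4096, "10.0.0.5", "10.0.0.9", "192.168.1.10", "192.168.2.20")))
    print(decode_nvo3(sample_nvgre(0x00ABCD42, "10.0.0.5", "10.0.0.9", "192.168.1.10", "192.168.2.20")))
```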
Step S604, traversing each tenant identification in the tenant identification numerical range to obtain the current tenant identification;
here, after determining the tenant identity value range, traversal through the tenant identities may be started.
Step S605, encapsulating the current tenant identification into the tenant identification field of the current scanning protocol; here, the current tenant identity is written into the tenant identity field when the scan packet is encapsulated.
Step S606, traversing each private source and destination IP pair in the current cloud platform to obtain the current private source and destination IP pair;
step S607, encapsulating the current private source and destination IP pair at the Underlay layer of the current scanning protocol;
Here, encapsulation of the data packet includes both the Underlay layer encapsulation and the Overlay layer encapsulation. The source and destination IPs of the Underlay layer are unknown, but private addresses are commonly used there, so all combinations of private source and destination IPs in the underlying network can be traversed. If other information is available, or to improve scanning efficiency, a network segment with a higher network escape risk can be selected, or a subset of network segments can be chosen at random for traversal.
Step S608, encapsulating the IP of the virtual machine which initiates scanning and the IP of the virtual machine which is scanned on an Overlay layer of the current scanning protocol to obtain a scanning data packet; the scanned virtual machine is a virtual machine in a tenant corresponding to the current tenant identification;
Here, the Overlay layer encapsulation may directly set the source IP and destination IP to the IP of the virtual machine initiating the network scan and the IP of the scanned virtual machine respectively, and port scanning may use any suitable scanning manner.
Step S609, sending the scan data packet to the scanned virtual machine;
Step S610, judging the scan result by monitoring the request-response condition of the scan data packet;
Here, there are mainly two request-response situations to monitor. In the first, a response message is received on the virtual machine that initiated the network scan; this indicates that the cloud computing network can be escaped completely and full two-way communication can be established. In the second, the scanned virtual machine receives the scan message but the initiating virtual machine receives no response; this indicates that the cloud computing network can be escaped in one direction, but network policy, routing policy, vulnerability details and the like prevent full two-way communication. If the scan result matches either situation, it can be determined that the current cloud platform has a network escape problem.
Step S611, judging whether all private source and destination IP pairs in the current cloud platform have been traversed; if not, go to step S612; if yes, go to step S613;
Step S612, selecting the next private source and destination IP pair after the current one as the new current private source and destination IP pair, and returning to step S607;
Step S613, judging, by counting the scan results for each private source and destination IP pair, whether a network escape problem exists between the virtual machine initiating the network scan and the tenant corresponding to the current tenant identification;
Step S614, judging whether all tenant identifications in the tenant identification numerical range have been traversed; if yes, go to step S616; if not, go to step S615;
Step S615, selecting the next tenant identification after the current one as the new current tenant identification, and returning to step S605;
Step S616, judging, by counting the scan results for each tenant identification, whether a network escape problem based on the current scanning protocol exists;
Step S617, judging whether all NVO3 protocols to be scanned have been traversed; if not, go to step S618; if yes, go to step S619;
Step S618, selecting the next NVO3 protocol after the current scanning protocol as the new current scanning protocol;
Step S619, judging, by counting the scan results for all NVO3 protocols, whether the current cloud platform has a network escape problem.
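The decision logic of steps S501/S511 and S610 through S619, as an added example rather than the patent's own code: it classifies each sent probe as no escape, one-way escape or two-way escape from the initiator's response log and the scanned VMs' receive logs, then rolls the results up per tenant identifier, per NVO3 protocol and for the whole platform. It assumes the receive logs are already attributed to the probe that caused them (how the scanned VM correlates a logged request with an Underlay pair is outside the example); the tenant identifiers, underlay addresses and VM name in the scenario are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Set, Tuple


class Escape(Enum):
    NONE = 0      # probe neither answered nor logged by the scanned VM
    ONE_WAY = 1   # scanned VM logged the probe but the initiator got no reply
    TWO_WAY = 2   # initiator received a response: full bidirectional escape


@dataclass(frozen=True)
class ProbeKey:
    protocol: str       # NVO3 protocol used for the probe ("VXLAN" or "NVGRE")
    tenant_id: int      # VNI or GRE Key written into the tenant identifier field
    underlay_src: str   # outer source IP tried in the Underlay traversal
    underlay_dst: str   # outer destination IP tried in the Underlay traversal


def classify(sent: Iterable[ProbeKey], responses: Set[ProbeKey],
             receiver_logs: Dict[str, Set[ProbeKey]]) -> Dict[ProbeKey, Escape]:
    """Steps S501/S610: outcome of each probe from the two monitored conditions."""
    seen_by_receiver: Set[ProbeKey] = set().union(*receiver_logs.values())
    results: Dict[ProbeKey, Escape] = {}
    for k in sent:
        if k in responses:
            results[k] = Escape.TWO_WAY
        elif k in seen_by_receiver:
            results[k] = Escape.ONE_WAY
        else:
            results[k] = Escape.NONE
    return results


def _worst(results: Dict[ProbeKey, Escape], group) -> dict:
    """Keep the most severe outcome per group key (TWO_WAY > ONE_WAY > NONE)."""
    out: dict = {}
    for k, e in results.items():
        g = group(k)
        if g not in out or e.value > out[g].value:
            out[g] = e
    return out


def escape_by_tenant(results: Dict[ProbeKey, Escape]) -> Dict[Tuple[str, int], Escape]:
    """Step S613: does an escape exist towards each (protocol, tenant id)?"""
    return _worst(results, lambda k: (k.protocol, k.tenant_id))


def escape_by_protocol(results: Dict[ProbeKey, Escape]) -> Dict[str, Escape]:
    """Step S616: does an escape exist under each NVO3 protocol?"""
    return _worst(results, lambda k: k.protocol)


def platform_has_escape(results: Dict[ProbeKey, Escape]) -> bool:
    """Step S619: any one-way or two-way result means the platform has the problem."""
    return any(e is not Escape.NONE for e in results.values())


def count_escape_events(responses: Set[ProbeKey],
                        receiver_logs: Dict[str, Set[ProbeKey]]) -> int:
    """Step S511: responses at the initiator plus receivers that logged any probe."""
    return len(responses) + sum(1 for log in receiver_logs.values() if log)


def constructed_scenario():
    """Constructed data: tenant A probes VNI 200 and 300 over three underlay pairs."""
    p1 = ProbeKey("VXLAN", 200, "10.0.0.1", "10.0.0.2")
    p2 = ProbeKey("VXLAN", 200, "10.0.0.2", "10.0.0.1")
    p3 = ProbeKey("VXLAN", 200, "10.0.0.1", "10.0.0.3")
    p4 = ProbeKey("VXLAN", 300, "10.0.0.1", "10.0.0.2")
    sent = [p1, p2, p3, p4]
    responses = {p1}                              # initiator saw a reply only for p1
    receiver_logs = {"vm-tenant-B": {p1, p2}}     # tenant B's VM logged p1 and p2
    return sent, responses, receiver_logs


if __name__ == "__main__":
    sent, responses, logs = constructed_scenario()
    res = classify(sent, responses, logs)
    for k, e in res.items():
        print(k, e.name)
    print(escape_by_tenant(res), platform_has_escape(res), count_escape_events(responses, logs))
```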
The cloud network escape event scanning method provided by the embodiment is further described below by taking network scanning between two tenants of a cloud platform as an example. Tenant A and tenant B are different tenants of the cloud platform to be tested; one virtual machine is deployed for each tenant, and each virtual machine is configured with a different VPC IP. Tenant A's virtual machine deploys a scanning tool implemented according to the cloud network escape event scanning method of this embodiment, which scans whether tenant A's packets can be forwarded to other tenants' virtual machines. Tenant B's virtual machine deploys a service (for example a Web service or another service) and opens its service port; it must also monitor and record access requests to that port, so that it can help make the final judgement of whether an escape problem exists between tenant A and tenant B.
Network scanning is carried out in two parts. The first part traverses the different NVO3 protocols, performing a scan task for each protocol in turn. The second part, using the characteristics of the selected NVO3 protocol, traverses the tenant identification field of that protocol and performs network scanning against the virtual machines of the different tenants. When a network scan is initiated against tenant B's virtual machine, the source and destination IPs of the Underlay are also traversed, while the IP of tenant A's virtual machine and the IP of tenant B's virtual machine are filled into the Overlay encapsulation as source IP and destination IP respectively. Protocol traversal is performed only when the NVO3 protocol used by the cloud platform is not known; if the NVO3 protocol used by the current cloud platform is known for certain, that protocol can be specified directly and a scan task for it started, which improves scanning efficiency.
If tenant A's virtual machine receives a response from tenant B's virtual machine after sending a scan message, or if it receives no response but the scan message from tenant A's virtual machine is observed on tenant B's virtual machine, it can be determined that a network escape problem exists between tenant A and tenant B.
Compared with cloud network escape event scanning methods in the related art, the method provided by this embodiment, on the one hand, adapts to the NVO3 protocols and, by traversing tenant identifications, attempts to find cloud computing network escapes in specific scenarios such as exception conditions, logic design bugs and implementation bugs that may exist in the underlying layer of the cloud platform; on the other hand, by traversing private IPs of the Underlay layer, it lets the scanning virtual machine and the scanned virtual machine in the Overlay detect received scan messages or scan responses, so that detection of the cloud platform's network escape problems can be completed without operation and maintenance, development or other privileges over the cloud platform's underlying layer. Discovering a network escape problem lets the cloud service provider repair the network vulnerability and effectively prevents malicious tenants from using it to attack other tenants directly or indirectly, steal their data or damage their services, reducing the impact on other tenants. It also effectively prevents malicious tenants from using a network escape problem to attack the cloud platform itself, steal sensitive user data and operation and maintenance data on the platform, or disrupt the platform's normal service, thereby safeguarding the normal and secure operation of the cloud platform.
Continuing with the exemplary structure of the cloud network escape event scanning device 255 implemented as software modules provided in the embodiments of the present application, in some embodiments, as shown in fig. 2, the software modules stored in the cloud network escape event scanning device 255 of the memory 250 may include:
a first determining module 2551, configured to perform network virtualization protocol traversal processing on a cloud platform to be detected, which provides cloud computing network services, in response to a scan request of a scan initiator of a cloud network escape event, so as to determine a type of a cloud computing network virtualization protocol used by the cloud platform;
a second determining module 2552, configured to obtain a tenant identity field of the cloud platform in the operation of the cloud computing network virtualization protocol, and determine a traversal value range corresponding to a tenant identity of the cloud platform according to the tenant identity field, where different types of cloud computing network virtualization protocols correspond to different tenant identity fields;
the encapsulation module 2553 is configured to perform traversal processing on the tenant identifier according to a traversal value range corresponding to the tenant identifier, and perform encapsulation processing on a cloud platform underlying network data packet and encapsulation processing on a coverage network data packet by using a value of the tenant identifier for a value of each tenant identifier accessed in the traversal process, so as to obtain and send an encapsulated scan data packet;
a monitoring module 2554, configured to monitor a response packet receiving condition of the scan initiator or a scan packet receiving condition of each scan packet receiver in the cloud platform, so as to determine and output a scan result of whether a network escape event exists in the cloud computing network of the cloud platform.
In some embodiments, the encapsulation module is further configured to: and traversing the source IP address and the destination IP address of the underlying network according to the private IP address range of the underlying network of the cloud platform, and packaging the data packet of the underlying network of the cloud platform and packaging and processing the data packet of the overlay network by using the source IP address value, the destination IP address value and the value of the tenant identification aiming at each group of source IP address value and destination IP address value accessed in the traversing process to obtain and send the packaged scanning data packet.
In some embodiments, the encapsulation module is further configured to: encapsulating the underlying network data packet by using the source IP address value and the target IP address value to obtain an underlying network data packet; determining the IP address value of the virtual machine of the scanning initiator and the IP address value of the virtual machine of the scanning data packet receiver corresponding to the value of the tenant identification; performing overlay network data packet encapsulation on the underlying network data packet by using the value of the tenant identifier, the IP address value of the virtual machine of the scanning initiator and the IP address value of the virtual machine of the scanning data packet receiver to obtain an encapsulated scanning data packet; and sending the scanning data packet.
In some embodiments, the encapsulation module is further configured to: determining a network segment to be scanned from a private IP address range of a cloud platform bottom layer network; combining every two IP address values in the network segment to be scanned to obtain each group of source IP address values and destination IP address values to be scanned; and sequentially traversing each group of source IP address values and destination IP address values to obtain the source IP address values and the destination IP address values of the underlying network.
In some embodiments, the second determination module is further configured to: under the condition that the cloud computing network virtualization protocol is a VXLAN protocol, obtaining a VNI field in a message format of the VXLAN protocol as a tenant identification field of the cloud platform under the operation of the VXLAN protocol; or, when the cloud computing network virtualization protocol is the NVGRE protocol, obtaining a Key field in a message format of the NVGRE protocol, which represents a virtual network identifier, as a tenant identifier field of the cloud platform running in the NVGRE protocol.
In some embodiments, the monitoring module is further to: determining that a network escape event exists in a cloud computing network of the cloud platform under the condition that it is monitored that the scanning initiator receives a response message for any scanning data packet or any scanning data packet receiver in the cloud platform receives a scanning data packet; and outputting a scanning result representing that the cloud computing network of the cloud platform has a network escape event.
In some embodiments, the monitoring module is further to: counting the number of response messages received by the scanning initiator and the number of scanning data packet receivers receiving the scanning data packets to determine the number of network escape events occurring in the cloud computing network of the cloud platform; and outputting the number of the network escape events.
Embodiments of the present application provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and executes the computer instructions, so that the computer device executes the cloud network escape event scanning method described in this embodiment of the present application.
Embodiments of the present application provide a computer-readable storage medium storing executable instructions, which when executed by a processor, will cause the processor to perform the cloud network escape event scanning method provided by embodiments of the present application, for example, the method shown in fig. 3.
In some embodiments, the computer-readable storage medium may be memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash, magnetic surface memory, optical disk, or CD-ROM; or may be various devices including one or any combination of the above memories.
In some embodiments, executable instructions may be written in any form of programming language (including compiled or interpreted languages), in the form of programs, software modules, scripts or code, and may be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
By way of example, executable instructions may correspond, but do not necessarily have to correspond, to files in a file system, and may be stored in a portion of a file that holds other programs or data, such as in one or more scripts in a hypertext Markup Language (HTML) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).
By way of example, executable instructions may be deployed to be executed on one computing device or on multiple computing devices at one site or distributed across multiple sites and interconnected by a communication network.
In summary, with the embodiment of the application, when scanning for a cloud network escape event, the message processing flow and processing rules of the cloud platform's underlying network layer can be triggered, and by monitoring the response message or reception condition of each scan data packet, a network escape problem that may exist in the cloud platform's underlying layer can be discovered automatically, so the discovery rate of cloud platform network escape problems is effectively improved.
The above description is only an example of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, and improvement made within the spirit and scope of the present application are included in the protection scope of the present application.

Claims (10)

1. A cloud network escape event scanning method is characterized by comprising the following steps:
responding to a scanning request of a scanning initiator of the cloud network escape event, and performing network virtualization protocol traversal processing on a cloud platform to be detected, which provides cloud computing network service, so as to determine the type of a cloud computing network virtualization protocol used by the cloud platform;
acquiring a tenant identification field of the cloud platform under the operation of the cloud computing network virtualization protocol, and determining a traversal value range corresponding to the tenant identification of the cloud platform according to the tenant identification field, wherein different types of cloud computing network virtualization protocols correspond to different tenant identification fields;
traversing the tenant identification according to the traversal value range corresponding to the tenant identification, and performing cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation processing by using the value of the tenant identification aiming at the value of each tenant identification visited in the traversal process to obtain and send a scanning data packet after encapsulation processing;
monitoring the response message receiving condition of the scanning initiator or the scanning data packet receiving condition of each scanning data packet receiver in the cloud platform to judge whether a network escape event exists in the cloud computing network of the cloud platform, and outputting the scanning result of whether the network escape event exists in the cloud computing network of the cloud platform.
2. The method according to claim 1, wherein the performing encapsulation processing on an underlying network data packet and an overlay network data packet of a cloud platform by using the value of the tenant identifier to obtain and send an encapsulated scan data packet includes:
and traversing the source IP address and the destination IP address of the underlying network according to the private Internet Interconnection Protocol (IP) address range of the underlying network of the cloud platform, and packaging the data packet of the underlying network of the cloud platform and packaging and processing the data packet of the overlay network by using the source IP address value, the destination IP address value and the tenant identification value aiming at each group of source IP address value and destination IP address value accessed in the traversing process to obtain and send the packaged scanning data packet.
3. The method according to claim 2, wherein the performing cloud platform underlying network packet encapsulation and overlay network packet encapsulation processing by using the source IP address value, the destination IP address value, and the tenant identifier value to obtain and send an encapsulated scan packet includes:
encapsulating the underlying network data packet by using the source IP address value and the target IP address value to obtain an underlying network data packet;
determining the IP address value of the virtual machine of the scanning initiator and the IP address value of the virtual machine of the scanning data packet receiver corresponding to the value of the tenant identification;
encapsulating a message header covering a network layer for the underlying network data packet by using the value of the tenant identifier, the IP address value of the virtual machine of the scanning initiator and the IP address value of the virtual machine of the scanning data packet receiver to obtain an encapsulated scanning data packet;
and sending the scanning data packet.
4. The method of claim 2, wherein traversing the source IP address and the destination IP address of the underlying network according to the private internet protocol IP address range of the underlying network of the cloud platform comprises:
determining a network segment to be scanned from a private IP address range of a cloud platform bottom layer network;
and sequentially traversing any two different IP address values in the network segment to be scanned to obtain a source IP address value and a target IP address value of the underlying network.
5. The method according to any one of claims 1 to 4, wherein the obtaining the tenant identification field of the cloud platform under the operation of the cloud computing network virtualization protocol comprises:
under the condition that the cloud computing network virtualization protocol is a virtual extensible local area network (VXLAN) protocol, obtaining a VXLAN Network Identifier (VNI) field in a message format of the VXLAN protocol as a tenant identification field of the cloud platform under the operation of the VXLAN protocol;
or, when the cloud computing network virtualization protocol is the Network Virtualization using Generic Routing Encapsulation (NVGRE) protocol, obtaining the Key field representing the virtual network identifier in the message format of the NVGRE protocol as the tenant identifier field of the cloud platform running the NVGRE protocol.
6. The method according to any one of claims 1 to 4, wherein the monitoring of the response packet reception condition of the scan initiator or the scan packet reception condition of each scan packet receiver in the cloud platform to determine whether a network escape event exists in the cloud computing network of the cloud platform and output a scan result of whether a network escape event exists in the cloud computing network of the cloud platform comprises:
determining that a network escape event exists in the cloud computing network of the cloud platform when it is monitored that the scanning initiator receives a response message for any scanning data packet, or that any scanning data packet receiver in the cloud platform receives a scanning data packet;
and outputting a scanning result representing that the cloud computing network of the cloud platform has a network escape event.
7. The method of claim 6, further comprising:
under the condition that a network escape event exists in the cloud computing network of the cloud platform, counting the number of response messages received by the scanning initiator and the number of scanning data packet receivers receiving the scanning data packets to determine the number of the network escape events occurring in the cloud computing network of the cloud platform;
and outputting the number of the network escape events.
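An added illustration, in Python, of the tenant-identifier extraction of claim 5 and the receiver-side monitoring of claims 6 and 7; this is example code written for this page, not the patent's own implementation. It assumes constructed sample headers and a constructed mapping from underlay source IP to the tenant it is allowed to carry, and counts each received packet whose VNI or VSID does not match that tenant as one network escape event.

```python
import struct

VXLAN_FLAG_I = 0x08       # "I" bit: the VNI field is valid (RFC 7348)
NVGRE_PROTO = 0x6558      # GRE protocol type for Transparent Ethernet Bridging (RFC 7637)
GRE_KEY_PRESENT = 0x2000  # GRE "K" flag: a 4-byte Key field follows the base header

def vxlan_vni(hdr):
    """24-bit VNI from an 8-byte VXLAN header: the tenant identifier field of claim 5."""
    if len(hdr) < 8 or not hdr[0] & VXLAN_FLAG_I:
        raise ValueError("not a valid VXLAN header")
    return int.from_bytes(hdr[4:7], "big")

def nvgre_vsid(hdr):
    """24-bit VSID from the Key field of an NVGRE GRE header (upper 24 bits of the key)."""
    if len(hdr) < 8:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", hdr[:4])
    if proto != NVGRE_PROTO or not flags & GRE_KEY_PRESENT:
        raise ValueError("not an NVGRE header")
    return int.from_bytes(hdr[4:7], "big")

def detect_escapes(packets, expected_tenant):
    """Receiver-side monitor in the spirit of claims 6 and 7.
    packets: iterable of (underlay_src_ip, "vxlan" | "nvgre", header bytes).
    expected_tenant: underlay source IP -> tenant id it is allowed to carry (assumed mapping).
    A packet whose tenant id differs from that mapping is one network escape event.
    Returns (escape_count, [(src_ip, tenant_id), ...])."""
    events = []
    for src, proto, hdr in packets:
        tid = vxlan_vni(hdr) if proto == "vxlan" else nvgre_vsid(hdr)
        if expected_tenant.get(src) != tid:
            events.append((src, tid))
    return len(events), events

# Constructed sample headers (not captured traffic) so the module runs offline.
def _vxlan_header(vni):
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"

def _nvgre_header(vsid, flow_id=0):
    return struct.pack("!HH", GRE_KEY_PRESENT, NVGRE_PROTO) + vsid.to_bytes(3, "big") + bytes([flow_id])

EXPECTED_TENANT = {"10.0.0.1": 100, "10.0.0.2": 200}  # constructed underlay-to-tenant mapping
SAMPLE_PACKETS = [
    ("10.0.0.1", "vxlan", _vxlan_header(100)),     # own tenant: fine
    ("10.0.0.1", "vxlan", _vxlan_header(200)),     # another tenant's VNI: escape event
    ("10.0.0.2", "nvgre", _nvgre_header(200, 5)),  # own tenant: fine
    ("10.0.0.2", "nvgre", _nvgre_header(300)),     # foreign VSID: escape event
]

if __name__ == "__main__":
    count, events = detect_escapes(SAMPLE_PACKETS, EXPECTED_TENANT)
    print(f"{count} network escape event(s): {events}")
```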
8. A cloud network escape event scanning apparatus, comprising:
a first determining module, configured to respond to a scanning request of a scanning initiator of the cloud network escape event by performing network virtualization protocol traversal processing on a cloud platform to be detected, which provides a cloud computing network service, so as to determine the type of cloud computing network virtualization protocol used by the cloud platform;
the second determining module is used for acquiring a tenant identification field of the cloud platform under the operation of the cloud computing network virtualization protocol, and determining a traversal value range corresponding to the tenant identification of the cloud platform according to the tenant identification field, wherein different types of cloud computing network virtualization protocols correspond to different tenant identification fields;
an encapsulation module, configured to traverse the tenant identifier according to the traversal value range corresponding to the tenant identifier, and, for each value of the tenant identifier visited during the traversal, to perform cloud platform underlying network data packet encapsulation and overlay network data packet encapsulation using that value, so as to obtain and send the encapsulated scanning data packet;
and the monitoring module is used for monitoring the response message receiving condition of the scanning initiator or the scanning data packet receiving condition of each scanning data packet receiver in the cloud platform so as to judge whether a network escape event exists in the cloud computing network of the cloud platform and output the scanning result of whether the network escape event exists in the cloud computing network of the cloud platform.
9. A cloud network escape event scanning device, comprising:
a memory for storing executable instructions;
a processor for implementing the method of any one of claims 1 to 7 when executing executable instructions stored in the memory.
10. A computer-readable storage medium having stored thereon executable instructions for, when executed by a processor, implementing the method of any one of claims 1 to 7.
Application CN202110181789.5A, priority date 2021-02-08, filing date 2021-02-08: Cloud network escape event scanning method and device and computer readable storage medium. Status: Active. Family ID: 74975647. Country: CN.

Publications (2)

Publication Number Publication Date
CN112532658A (en) 2021-03-19
CN112532658B (en, granted) 2021-05-07


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code (ref country code: HK; ref legal event code: DE; ref document number: 40040471; country of ref document: HK)