CN112688969A - Intranet penetration method based on port multiplexing and TCP encryption technology - Google Patents


Info

Publication number: CN112688969A
Authority: CN (China)
Prior art keywords: client, server, port multiplexing, tcp, method based
Legal status: Pending (Google's status and date fields are estimates, not legal conclusions)
Application number: CN202110271574.2A
Other languages: Chinese (zh)
Inventors: 周正军, 段春明
Current assignee: Chengdu Yunzhitianxia Technology Co ltd
Original assignee: Chengdu Yunzhitianxia Technology Co ltd
Priority date and filing date: 2021-03-12
Publication date: 2021-04-20
Application filed by Chengdu Yunzhitianxia Technology Co ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses an intranet penetration method based on port multiplexing and TCP encryption technology, comprising the following steps: step 1: the server starts a port-multiplexed TCP listener; step 2: a client A in an intranet connects to the server in port multiplexing mode; step 3: a client B in another intranet sends the server, in port multiplexing mode, a request to connect to client A; step 4: the server sends the address of client A to client B; step 5: client B receives the address of client A and initiates a TCP connection to communicate. The server consumes only a little traffic while the clients connect; once clients in different intranets are connected, the server no longer participates at all, and the clients communicate point-to-point directly over the public network. The method effectively saves server traffic, reduces the cost of network penetration and improves forwarding efficiency.

Description

Intranet penetration method based on port multiplexing and TCP encryption technology
Technical Field
The invention relates to the technical field of communication, in particular to an intranet penetration method based on port multiplexing and TCP encryption technologies.
Background
In recent years, with the rise of network services and the popularization of routers, the demand for access to internal networks has been increasing. Traditional network penetration generally employs a public network server for network traffic forwarding. When different intranet nodes communicate with each other, the essence is to send data to a public network server, and then the public network server forwards the data to a client of another intranet. The conventional network penetration method consumes a large amount of traffic of the public network server and has a high demand on the performance of the public network server if a plurality of network penetration accesses are involved.
Port multiplexing technology allows a port that already holds a connection to be bound again by another socket and used for data communication. However, ordinary port multiplexing exposes the multiplexed port to the network, which easily leaves a vulnerability for hackers to exploit and causes security problems.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides an intranet penetration method based on port multiplexing and TCP encryption technology, which does not consume server traffic or occupy server resources.
The technical scheme adopted by the invention is as follows:
an intranet penetration method based on port multiplexing and TCP encryption technology comprises the following steps:
step 1: the server starts a port-multiplexed TCP listener;
step 2: a client A in the intranet connects to the server in port multiplexing mode;
step 3: a client B in another intranet sends the server, in port multiplexing mode, a request to connect to client A;
step 4: the server sends the address of client A to client B;
step 5: client B receives the address of client A and initiates a TCP connection to communicate.
Further, in step 2 the server needs to determine whether client A is connecting to the server for the first time; if so, the server allocates a unique identifier to client A, stores it and sends it to client A; if not, client A sends its unique identifier to the server.
Further, in step 1 the server starts the port-multiplexed TCP listener in asynchronous mode.
Further, the address of client A in step 4 includes an IP address and a port.
Further, after step 3 and before step 4 is executed, it is necessary to determine whether client A is already connected; if client A is already connected, step 4 is not executed.
Further, after step 5 is completed, the method further comprises the following step:
client B disconnects, and the server takes over again and waits for the next connection.
Further, the transmitted data is encrypted during communication.
Further, the encryption mode is one of the following: DES, AES192, AES256, AES 512.
Further, the TCP listening connection needs to be set to port multiplexing through a socket attribute.
Further, the unique identifier is a UUID.
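The server-side bookkeeping these clauses describe (allocating an identifier on first contact, a list of hosts waiting to be connected and a list of connected hosts keyed by that identifier, the "already connected, skip step 4" check, and handing A back to the waiting list when B disconnects) can be written as a small state machine. The Go code below is an added illustration, not the applicant's implementation; the random hex identifiers stand in for whatever ID generator is used, and the names `Registry`, `Register`, `Lookup`, `Release` and `Waiting` are chosen here.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// client is one entry in the server's host lists. Peer is "" while the client
// waits in the to-be-connected list and holds the partner's ID once paired.
type client struct {
	ExtAddr string // "ip:port" as the server observed it on the accepted socket
	Peer    string
}

// Registry is the public server's state: every known client keyed by its
// unique identifier (added example, not the patent's code).
type Registry struct {
	mu      sync.Mutex
	clients map[string]*client
}

func NewRegistry() *Registry { return &Registry{clients: map[string]*client{}} }

// newID stands in for the ID generator: 128 random bits, hex encoded (assumed).
func newID() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b[:])
}

// Register is step 2 on the server side. An empty id means the client did not
// present a stored identifier, i.e. it is connecting for the first time, so the
// server allocates one, stores it and returns it with isNew=true. Otherwise the
// presented id is reused and the client goes (back) into the waiting list.
func (r *Registry) Register(id, extAddr string) (string, bool) {
	r.mu.Lock()
	defer r.mu.Unlock()
	isNew := id == ""
	if isNew {
		id = newID()
	}
	r.clients[id] = &client{ExtAddr: extAddr}
	return id, isNew
}

// Lookup is steps 3-4: requester asks for target by identifier. Step 4 is only
// executed when the target is known and still waiting; if it is already paired
// the request is refused, because the multiplexed port only serves one peer.
func (r *Registry) Lookup(requester, target string) (string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	t, ok := r.clients[target]
	if !ok {
		return "", errors.New("unknown target identifier")
	}
	q, ok := r.clients[requester]
	if !ok {
		return "", errors.New("requester has not registered")
	}
	if t.Peer != "" {
		return "", errors.New("target is already connected to another client")
	}
	t.Peer, q.Peer = requester, target // both move to the connected list
	return t.ExtAddr, nil
}

// Release is the step after step 5: requester (B) has disconnected, so it is
// dropped and its partner (A), whose server socket stays open, returns to the
// waiting list. It reports whether a partner was actually released.
func (r *Registry) Release(requester string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	q, ok := r.clients[requester]
	if !ok {
		return false
	}
	delete(r.clients, requester)
	if t, ok := r.clients[q.Peer]; ok && t.Peer == requester {
		t.Peer = ""
		return true
	}
	return false
}

// Waiting reports whether id is currently in the to-be-connected list.
func (r *Registry) Waiting(id string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	c, ok := r.clients[id]
	return ok && c.Peer == ""
}

func main() {
	r := NewRegistry()
	a, _ := r.Register("", "203.0.113.10:40001") // constructed sample addresses
	b, _ := r.Register("", "198.51.100.7:50002")
	addr, err := r.Lookup(b, a)
	fmt.Println("B is told to dial", addr, "err:", err)
	fmt.Println("A waiting again after B leaves:", r.Release(b) && r.Waiting(a))
}
```

The refusal in `Lookup` is the check from the "after step 3 and before step 4" clause: a second requester asking for a client that is already paired gets an error instead of the address, and only after `Release` does that client become reachable again.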
The invention has the beneficial effects that:
(1) the server consumes only a little traffic while the clients connect; once clients in different intranets are connected, the server no longer participates at all, and the clients communicate point-to-point directly over the public network;
(2) the invention effectively saves server traffic, reduces the cost of network penetration and improves forwarding efficiency;
(3) the client and the server communicate using the locally configured encryption mode and encryption key, so that a hacker is prevented from attacking the operating system through the multiplexed port, and the security of the connected host is ensured.
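Item (3) depends on the server and the clients sharing a locally configured mode and key, and on anything that does not decrypt to valid data being discarded. The Go example below, added here and not part of the patent, shows that check with AES-256-GCM: GCM authenticates every message, so stray or tampered bytes arriving on the multiplexed port fail verification and are dropped instead of being decrypted into garbage and acted upon. Deriving the key from a passphrase and the function names `Seal`, `Open` and `Accept` are assumptions made for the example. Two caveats worth knowing: AES is defined only for 128-, 192- and 256-bit keys, so the "AES 512" listed on this page does not correspond to a standard cipher, and DES with its 56-bit key is no longer considered secure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// KeyFromConfig turns the locally configured shared secret into a 32-byte
// AES-256 key. Hashing a passphrase is an assumption to keep the example
// self-contained; a deployment would normally configure the raw key.
func KeyFromConfig(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one control message (for example "GET <uuid>") and returns
// nonce || ciphertext || tag. A fresh random nonce is used for every message.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open is the receiving side's check: the message is accepted only if the tag
// verifies under the configured key. Unrelated traffic on the shared port, a
// wrong key, or a single flipped byte all come back as an error, which is the
// "discard anything that is not valid after decryption" rule from the page.
func Open(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short to be a sealed frame")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil) // fails closed on any tampering
}

// Accept models the server loop's decision for one frame read from a socket:
// the plaintext and true for a genuine message, false for anything else.
func Accept(key, frame []byte) (string, bool) {
	pt, err := Open(key, frame)
	if err != nil {
		return "", false
	}
	return string(pt), true
}

func main() {
	key := KeyFromConfig("shared-secret-from-config-file") // constructed secret
	frame, _ := Seal(key, []byte("GET 0123456789abcdef"))
	fmt.Println(Accept(key, frame))                     // genuine frame
	frame[len(frame)-1] ^= 0x01                         // flip one tag bit
	fmt.Println(Accept(key, frame))                     // rejected
	fmt.Println(Accept(key, []byte("GET / HTTP/1.1\r\n"))) // unrelated traffic, rejected
}
```

The same check applies in both directions: client A verifies the server's UUID message with the same `Open` before storing the identifier, so a host that happens to reach the multiplexed port without the key cannot plant an identifier or an address.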
Drawings
FIG. 1 is a schematic diagram of the system architecture employed in the method of the present invention.
FIG. 2 is a schematic flow chart of the method of the present invention.
Detailed Description
The invention is further described with reference to the following figures and specific embodiments.
The system on which the method is based is shown in fig. 1: two local area networks, each with a client in its internal network, and a server in the public network.
As shown in fig. 2, the intranet penetration method based on port multiplexing and TCP encryption technology includes the following steps:
Step 1: the server starts a port-multiplexed TCP listener. The server has a public network IP and starts the TCP listening process on a Linux socket in asynchronous mode, setting the socket attribute to port multiplexing. It then waits for clients from different networks to connect, selects the specified encryption mode from the configuration file and sets the corresponding encryption key.
Step 2: client A in the intranet connects to the server in port multiplexing mode.
The node in the intranet that wants to be reachable starts client A, which connects to the server port in asynchronous port multiplexing mode. Client A checks whether a stored UUID exists under the software's local path and, if so, sends that UUID to the server. If none exists, the software is being opened for the first time, and client A must apply to the server for a UUID, which later serves as the mark by which other clients connect to it. Client A selects the encryption mode and encryption key that match the server from its configuration file and uses them for data communication.
The server receives the connection from intranet client A and keeps the communication socket. The server decrypts with the corresponding encryption mode and key, takes the external IP address and port of client A from the communication socket, and stores them in its list of hosts to be connected. Before storing, the server checks whether the client sent a UUID; if no UUID was received from client A, the server treats it as a first start of the software and allocates a unique UUID to client A using a snowflake algorithm, then sends that ID to client A over TCP. Note that when the server stores the information of client A in the list of hosts to be connected, the UUID is used as the key, so that it can be looked up later when other clients connect.
Client A receives the message from the server, decrypts it with the corresponding encryption key and mode to obtain the UUID, and stores the UUID locally. When the software is reopened, this UUID can then be sent directly to the server so that the server does not assign a new one. The UUID is also the unique identifier by which clients in other networks connect to this client. This step is skipped if the client's device has been started before. Any message that does not decrypt to valid information is discarded directly, which prevents a hacker from using the multiplexed port to attack the system.
Step 3: client B in another intranet sends the server, in port multiplexing mode, a request to connect to client A.
In the other intranet, client B is started, selects the encryption mode and encryption key matching the server, and connects to the server port in asynchronous port multiplexing mode. After going through the same process as in step 2, client B sends the server the UUID of the client A it actually wants to reach, telling the server that client B needs to connect directly to client A. If client B sends no such request, it is itself a host waiting to be connected, and the server simply puts client B into the list of hosts to be connected.
Step 4: the server sends the address of client A to client B. After receiving the request from client B to connect directly to client A, the server decrypts it with the corresponding encryption mode and key, and looks up the external IP and port of client A in the list of hosts to be connected using the UUID that was sent. If found, the external IP and port of client A are sent to client B, and the entries of clients A and B are moved from the list of hosts to be connected to the list of connected hosts. From this point, other clients can no longer connect directly to client A, because port multiplexing communication only takes effect for the most recent connection.
Step 5: client B receives the address of client A and initiates a TCP connection to communicate.
After client B receives the external IP of client A, it can connect to client A directly through that external IP and port, because port multiplexing mode is used. At this point the data transmission between client A and client B goes entirely over the public network, with no participation by the server.
After client B and client A finish transmitting data, client B actively disconnects. By the port multiplexing principle, only the server and client A are then connected in the network; the server moves the information of client A from the list of connected hosts back to the list of hosts to be connected and waits for other clients to connect again.
The server consumes only a little traffic (less than 1 KB) while the clients connect; once clients in different intranets are connected, the server no longer participates at all, and the clients communicate point-to-point directly. The method effectively saves server traffic, reduces the cost of network penetration and improves forwarding efficiency. Secondly, the client and the server both communicate using the locally configured encryption mode and encryption key, which effectively prevents hackers from attacking the operating system through the multiplexed port and ensures the security of the connected host.

Claims (10)

1. An intranet penetration method based on port multiplexing and TCP encryption technology, characterized by comprising the following steps:
step 1: the server starts a port-multiplexed TCP listener;
step 2: a client A in the intranet connects to the server in port multiplexing mode;
step 3: a client B in another intranet sends the server, in port multiplexing mode, a request to connect to client A;
step 4: the server sends the address of client A to client B;
step 5: client B receives the address of client A and initiates a TCP connection to communicate.
2. The intranet penetration method based on port multiplexing and TCP encryption technology according to claim 1, wherein in step 2 the server needs to determine whether client A is connecting to the server for the first time; if so, the server allocates a unique identifier to client A, stores it and sends it to client A; if not, client A sends its unique identifier to the server.
3. The intranet penetration method based on port multiplexing and TCP encryption technology according to claim 1, wherein in step 1 the server starts the port-multiplexed TCP listener in asynchronous mode.
4. The intranet penetration method based on port multiplexing and TCP encryption technology according to claim 1, wherein the address of client A in step 4 comprises an IP address and a port.
5. The intranet penetration method based on port multiplexing and TCP encryption technology according to claim 1, wherein after step 3 and before performing step 4, it is necessary to determine whether client A is already connected, and if client A is already connected, step 4 is not performed.
6. The intranet penetration method based on port multiplexing and TCP encryption technology according to claim 1, wherein after step 5 is completed the method further comprises the following step:
client B disconnects, and the server takes over again and waits for the next connection.
7. The intranet penetration method based on port multiplexing and TCP encryption technology according to claim 1, characterized in that the transmitted data is encrypted during communication.
8. The intranet penetration method based on port multiplexing and TCP encryption technology according to claim 7, wherein the encryption mode is one of the following: DES, AES192, AES256, AES 512.
9. The intranet penetration method based on port multiplexing and TCP encryption technology according to claim 1, wherein the TCP listening connection needs to be set to port multiplexing through a socket attribute.
10. The intranet penetration method based on port multiplexing and TCP encryption technology according to claim 2, wherein the unique identifier is a UUID.

Priority Applications (1)

Application number CN202110271574.2A, priority date 2021-03-12, filing date 2021-03-12: Intranet penetration method based on port multiplexing and TCP encryption technology

Publications (1)

CN112688969A (en), published 2021-04-20

Family

ID=75455529; one family application, CN202110271574.2A (Pending); country status: CN (1), CN112688969A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1787513A (en) * 2004-12-07 2006-06-14 上海鼎安信息技术有限公司 System and method for safety remote access
CN101764742A (en) * 2009-12-30 2010-06-30 福建星网锐捷网络有限公司 Network resource visit control system and method
CN105763634A (en) * 2016-04-14 2016-07-13 北京思特奇信息技术股份有限公司 Service realization method and device based on TCP long connection
CN105959402A (en) * 2016-06-21 2016-09-21 上海卓易云汇智能技术有限公司 Method for solving network push
CN107205026A (en) * 2017-05-22 2017-09-26 厦门市美亚柏科信息股份有限公司 A kind of Point-to-Point Data Transmission method and system
CN109561087A (en) * 2018-11-28 2019-04-02 南京中孚信息技术有限公司 Method for penetrating through firewall and system



Legal Events

Code Title
PB01 Publication (application publication date: 20210420)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication