CN112953894B - Multi-path request copying and distributing system and method - Google Patents


Info

Publication number: CN112953894B
Authority: CN (China)
Prior art keywords: request, master control, distribution module, instances, distribution
Legal status: Active (Google notes that the legal status is an assumption, not a legal conclusion)
Application number: CN202110103777.0A
Other languages: Chinese (zh)
Other versions: CN112953894A (en)
Inventors: 张为华, 鲁云萍, 张高迪
Current assignee: Fudan University (Google notes that the listed assignees may be inaccurate)
Original assignee: Fudan University
Events: application filed by Fudan University; priority to CN202110103777.0A; publication of CN112953894A; application granted; publication of CN112953894B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention belongs to the technical field of computer networks and relates in particular to a multi-path request copying and distributing system and method. The system comprises a distribution module, service instances and a master control module. The distribution module distinguishes different types of requests and applies different settings, copying and distribution to each; a service instance not only processes the request but also returns a processing log to the master control module and a status code to the distribution module; and the master control module collects and compares the logs of the service instances, and if it judges that an instance has been attacked, that instance is deleted and a new one is redeployed. The invention also divides requests into stateful and stateless types; stateful links are handled through a cached key-value data table, so the copy-and-distribution strategy can be used more flexibly and in a wider range of scenarios. The invention can greatly enhance the security and stability of existing service instances.

Description

Multi-path request copying and distributing system and method
Technical Field
The invention belongs to the technical field of computer networks, relates in particular to a network communication mode, and more specifically to a multi-path request copying and distributing system and method.
Background
Request forwarding is one of the basic requirements of modern network services and is the basis for functions such as service proxying and load balancing. When applied to service proxies, request forwarding serves multiple purposes: the most basic is proxied connection, and beyond that it supports improving security, caching static resources, filtering content, and access control and management; a number of security functions, such as defenses against SQL injection and DDoS, are also realized through request forwarding. When applied to load balancing, request forwarding provides an inexpensive, effective and transparent way to expand the bandwidth of network devices and servers, increase throughput, enhance network data-processing capacity, and improve the flexibility and availability of the network by spreading user requests over multiple service instances. Request forwarding therefore plays an extremely important role in practice.
As shown in fig. 2, conventional request forwarding is one-to-one: it cannot use the redundancy of a distributed system to improve the stability and security of a service, and cannot effectively cope with different network attacks.
Therefore, a concept called mimicry has appeared on top of request forwarding. It realizes multi-path copying and distribution of a request: each access request of a user is copied and distributed to different service instances, the processing results of the multiple service instances are returned, and an election judgment is made over them. The whole system thereby improves the security and stability of access.
Because requests are complex, different requests may need different processing in actual use; otherwise existing web services and the like are not supported well. The system and method of CN 110691133A are applied to web service mimicry in network communication equipment: http request messages unrelated to login are copied, the cookie in each copied message is replaced with the recorded cookie corresponding to an online web service executor, the replaced http request message is forwarded to that executor, and the http response message returned by the executor is received.
Noun interpretation
proxy: a mode of network access in which the security and performance of the network access service are enhanced through a proxy server or similar.
cookie: a pass issued by the server to the user's browser, stored locally by the user, and used to identify the client and record client state.
session: a mechanism used by the server side to record client state; it is stored on the server side, and the corresponding ID is generally stored in a cookie as an identifier.
SQL injection: when a web application does not check the legality of user input, or filters it poorly, an attacker can append extra SQL statements to the query statements predefined in the web application, carrying out illegal operations without the administrator's knowledge.
DDoS: a distributed denial-of-service attack, which floods a target server or its surrounding infrastructure with large-scale internet traffic in order to disrupt the normal traffic of the target server, service or network.
Disclosure of Invention
The invention aims to provide a request distribution system and method that realize stable and secure operation of a user's application service by having multiple redundant service instances jointly process and reply to each request.
The multi-path request replication and distribution system provided by the invention comprises a distribution module, service instances and a master control module, as shown in figure 1, wherein:
the distribution module has two main functions. First, when a request is accepted, the copy distribution module receives the user's access request and makes multiple copies, as shown in fig. 3, modifying the corresponding destination marks to realize copy distribution; this mainly involves judging the request type, i.e. whether it is a get or a submit, so that different processing can be applied. Because different service instances have different states under some conditions, for example a session (this may be called a stateful link), the copy distribution module must treat stateful links specially in order to keep the whole link continuous. The invention generates a self-defined session at the distribution point and combines it with the original sessions of the multiple back-end instances into a one-to-many key-value pair; when a response message is returned to the user, the session in the message is changed to the self-defined one, and when a user request arrives, the request is copied into multiple copies in which the custom session is replaced by the session of the corresponding instance, as shown in fig. 4. The whole process can be regarded as the distribution module staying connected to multiple instances while the user stays connected to the distribution module. Second, when the request is returned, the distribution module judges the response data and status codes returned by the multiple instances; if a status is incorrect or the response data differs from that of the other instances, the distribution module returns to the user the correct result elected by the majority and informs the master control module to redeploy the corresponding erroneous instances.
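As an added illustration (not code from the patent or from Fudan University), the following Python sketch models the stateful-link handling described above: a one-to-many key-value table maps a custom session id issued by the distributor to each back-end instance's own session id, and the distributor rewrites the session in every copied request and in every returned response so that the user only ever holds the custom id. The cookie name `session`, the `FakeInstance` back-end and the `Distributor` class are assumptions made for this example.

```python
"""Stateful-link handling for a replicating distributor (added example, not the patent's code)."""
import secrets
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "session"   # assumed name of the cookie carrying the session id


class SessionTable:
    """One-to-many key-value table: custom session id -> {instance name: instance's own session id}."""

    def __init__(self) -> None:
        self.table: Dict[str, Dict[str, str]] = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)          # self-defined session generated at the distributor
        self.table[sid] = {}
        return sid

    def to_instance(self, custom_sid: str, instance: str, cookies: Dict[str, str]) -> Dict[str, str]:
        """Rewrite one copy of a user request: swap the custom session for this instance's own."""
        out = dict(cookies)
        backend_sid = self.table[custom_sid].get(instance)
        if backend_sid is None:
            out.pop(SESSION_COOKIE, None)    # instance has no session yet; let it create one
        else:
            out[SESSION_COOKIE] = backend_sid
        return out

    def from_instance(self, custom_sid: str, instance: str, set_cookie: Optional[str]) -> None:
        """Record the session an instance issued in its response, keyed under the custom session."""
        if set_cookie is not None:
            self.table[custom_sid][instance] = set_cookie

    def lookup(self, custom_sid: str) -> Dict[str, str]:
        return dict(self.table.get(custom_sid, {}))


class FakeInstance:
    """Constructed stand-in for a back-end service instance with its own session store."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: Dict[str, str] = {}   # own session id -> logged-in user

    def handle(self, path: str, cookies: Dict[str, str], body: Dict[str, str]) -> Tuple[dict, Optional[str]]:
        """Return (response body, Set-Cookie session id or None)."""
        if path == "/login":
            sid = f"{self.name}-{secrets.token_hex(4)}"
            self.sessions[sid] = body["user"]
            return {"ok": True}, sid
        user = self.sessions.get(cookies.get(SESSION_COOKIE, ""))
        return {"user": user}, None


class Distributor:
    """Copies each request to every instance; the user only ever sees the custom session id."""

    def __init__(self, instances) -> None:
        self.instances = instances
        self.sessions = SessionTable()

    def handle(self, path: str, cookies: Dict[str, str], body: Dict[str, str]):
        custom = cookies.get(SESSION_COOKIE)
        if custom not in self.sessions.table:     # unknown or missing: start a new custom session
            custom = self.sessions.new_session()
        responses = {}
        for inst in self.instances:
            copy_cookies = self.sessions.to_instance(custom, inst.name, cookies)
            resp_body, set_cookie = inst.handle(path, copy_cookies, body)
            self.sessions.from_instance(custom, inst.name, set_cookie)
            responses[inst.name] = resp_body
        # the response to the user carries the custom session, never a back-end session id
        return responses, {SESSION_COOKIE: custom}


if __name__ == "__main__":
    d = Distributor([FakeInstance("a"), FakeInstance("b"), FakeInstance("c")])
    _, user_cookie = d.handle("/login", {}, {"user": "alice"})
    print(d.sessions.lookup(user_cookie[SESSION_COOKIE]))
    print(d.handle("/me", user_cookie, {})[0])
```

Because back-end session ids never leave the distributor, a client presenting an unknown custom id simply gets a fresh, empty mapping rather than any other user's back-end sessions; the table is the only place where the custom id and the per-instance ids meet.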
The service instance mainly packages the user's application and adds a status code and a message-log function to indicate that the service instance is running correctly. Each service instance receives the request data copied and distributed by the distribution module; after processing, it returns response data and a status code to the distribution module, and the status code and a message-processing log to the master control module. When the service instances are started, corresponding configuration files are generated, through which the distribution module and the master control module communicate with the multiple service instances.
The master control module has two functional parts. The first is the master control client, a message communication component integrated into the user's service instance, which collects the service instance's message-processing logs and returns them to the master control server as key-value pairs (version number: the logs related to that request). The second is the master control server, a message-queue-type database, which collects the message-processing logs sent by the service instances and compares them. Under correct conditions, the same request issued by the copy distribution module produces the same message logs in every instance; the master control module compares the logs, each log carries its version number, and the log version numbers of the same request in different instances correspond to each other. If an instance has an error or is attacked, the master control module identifies the erroneous instance and redeploys it.
The whole flow of the system is shown in fig. 1 and comprises the following 9 steps:
(1) the user's request to access the server is obtained by the distribution module acting as a proxy, and the request-processing stage of the distribution module begins;
(2) the distribution module processes the request and judges its type, i.e. submission or acquisition; when copying, requests of different types are copied into multiple copies with different parameters, which are sent to the multiple background service instances respectively;
(3) the distribution module's request is transmitted to the multiple service instances;
(4) each service instance processes the user's access request as usual, and at this point the service instance must generate a request-processing log in the form of version number plus log;
(5) the service instance sends the log information to the master control module through the message-communication facility of the master control client;
(6) the master control module compares and judges the request-processing logs of the multiple service instances;
(7) after a service instance finishes processing the request, the corresponding response data is returned to the distribution module, and the response data includes a self-defined health status code;
(8) the distribution module performs comparison and judgment on the responses, including comparison of the status codes and return of the majority-elected result;
(9) the distribution module returns the processed response to the user.
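Steps (2) to (9) above, as an added worked example in Python (not the patent's own code): three constructed back-end services handle copies of one request and each reports a versioned log to a master control server; the distributor then compares the health codes, majority-elects the response body, cross-checks the master control server's own log comparison, and marks any disagreeing instance for redeployment. The health code values, `FakeService`, and the way a compromised instance is simulated (`tampered`) are assumptions made for the example.

```python
"""Replication, majority election and master-control log comparison (added example, not the patent's code)."""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

HEALTH_OK = 0      # assumed self-defined health code: instance processed the request normally
HEALTH_FAIL = 1    # assumed self-defined health code: instance detected a fault


@dataclass
class Response:
    instance: str
    health: int    # health state code returned with the response data (step 7)
    body: str


@dataclass
class LogEntry:
    instance: str
    version: int   # version number of the request, shared by every copy of it (step 4)
    log: str       # processing log sent through the master control client (step 5)


class MasterControlServer:
    """Message-queue-style store of versioned logs; compares the logs of one version (step 6)."""

    def __init__(self) -> None:
        self.queue: List[LogEntry] = []
        self.redeployed: List[str] = []

    def receive(self, entry: LogEntry) -> None:
        self.queue.append(entry)

    def compare(self, version: int) -> List[str]:
        """Instances whose log for `version` differs from the strict-majority log."""
        entries = [e for e in self.queue if e.version == version]
        if not entries:
            return []
        majority_log, count = Counter(e.log for e in entries).most_common(1)[0]
        if count * 2 <= len(entries):
            return []      # no strict majority: logs alone cannot single out the faulty instance
        return [e.instance for e in entries if e.log != majority_log]

    def redeploy(self, instance: str) -> None:
        self.redeployed.append(instance)   # stand-in for deleting and redeploying the container


def _digest(r: Response) -> str:
    return hashlib.sha256(r.body.encode()).hexdigest()


def elect(responses: List[Response]) -> Tuple[Response, List[str]]:
    """Step 8: check the health codes, then majority-elect over the response body."""
    errors = [r.instance for r in responses if r.health != HEALTH_OK]
    healthy = [r for r in responses if r.health == HEALTH_OK]
    if not healthy:
        raise RuntimeError("no healthy instance")
    winning_digest, count = Counter(_digest(r) for r in healthy).most_common(1)[0]
    if count * 2 <= len(responses):
        raise RuntimeError("no majority: refuse to return an unverified result")
    errors += [r.instance for r in healthy if _digest(r) != winning_digest]
    winner = next(r for r in healthy if _digest(r) == winning_digest)
    return winner, errors


class FakeService:
    """Constructed back-end that echoes the request; `tampered` simulates a compromised instance."""

    def __init__(self, name: str, tampered: bool = False) -> None:
        self.name, self.tampered = name, tampered

    def handle(self, version: int, method: str, path: str) -> Tuple[Response, LogEntry]:
        body, log = f"{method} {path} -> ok", f"{method} {path} handled"
        if self.tampered:
            body, log = body + " <injected>", log + " + unexpected file read"
        return Response(self.name, HEALTH_OK, body), LogEntry(self.name, version, log)


def distribute(services: List[FakeService], master: MasterControlServer,
               version: int, method: str, path: str) -> Tuple[str, List[str]]:
    """Steps 2-9 for one request: returns (body returned to the user, instances sent for redeploy)."""
    responses: List[Response] = []
    for svc in services:                                   # steps 2-3: one copy per instance
        resp, entry = svc.handle(version, method, path)    # step 4: instance processes and logs
        master.receive(entry)                              # step 5: log goes to master control
        responses.append(resp)                             # step 7: response data + health code
    winner, bad = elect(responses)                         # step 8: compare codes, majority election
    bad = sorted(set(bad) | set(master.compare(version)))  # step 6: master control log comparison
    for inst in bad:
        master.redeploy(inst)                              # erroneous/attacked instance redeployed
    return winner.body, bad                                # step 9: elected response to the user


if __name__ == "__main__":
    m = MasterControlServer()
    print(distribute([FakeService("a"), FakeService("b"), FakeService("c", tampered=True)], m, 1, "GET", "/index"))
```

Two design points worth noting: the election requires a strict majority of all instances, so with two instances a single disagreement yields no trusted result rather than an arbitrary pick, and both the body comparison and the log comparison are keyed on the same request version number so that the distributor and the master control server judge the same set of copies.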
The multi-path copy distribution of the invention is completed on the basis of the distribution module, the multiple service instances and the master control module.
In the invention, the multi-path distribution can judge different types of requests and apply different settings, copying and distribution; besides processing the request, a service instance returns a processing log to the master control module and a status code to the distribution module; and the master control module collects and compares the logs of the service instances and, if it judges an instance to have been attacked, deletes it and redeploys a new instance. The invention also divides requests into a stateful mode and a stateless mode, and stateful links are handled through a cached key-value data table, so that the copy-and-distribution strategy can be used more flexibly and in a wider range of scenarios.
Drawings
FIG. 1 is a block diagram of a multi-replication distribution system of the present invention.
Fig. 2 is a diagram of an implementation of normal forwarding.
Fig. 3 is a diagram of an implementation of the replication distribution of the present invention.
FIG. 4 is a diagram of a stateful link processing method of the present invention.
Detailed Description
The present invention can be installed and used on any operating system that supports containers. Taking a user's application configured into a container as the basic example: the master control client and the related status-judgment functions are integrated, several copies of the application instance are started, and an application-instance configuration file is generated; the copy distribution module is then started and reads the configuration file generated by the service-instance module to learn the communication addresses of the multiple instances. The user accesses the service through the uniform entry provided by the copy distribution module; the distribution module obtains the access request, copies and distributes it to each instance copy, and performs state modification for stateful links through the one-to-many key-value data table. The master control module collects the request-processing log information of the service instances through the master control client integrated into each service instance, and redeploys erroneous instances. The whole replication distribution system thereby improves the stability and security of deployed applications.

Claims (2)

1. A multi-path request replication and distribution system, characterized by comprising a distribution module, service instances and a master control module, wherein:
the distribution module has two functions:
first, when a request is received, the copy distribution module receives the user's access request, makes multiple copies, modifies the corresponding target marks and realizes copy distribution; this includes judging the request type, namely whether it is an acquisition or a submission, so as to apply different processing;
second, when the request is returned, the distribution module judges the response data and status codes returned by the multiple instances; if a status is incorrect or the response data differs from that of the other instances, the distribution module returns to the user the correct result elected by the majority and informs the master control module to redeploy the corresponding erroneous instances;
the service instance is mainly used to package the user's application and add a status code and a message-log function indicating that the service instance is running correctly; each service instance receives the request data copied and distributed by the distribution module; after processing, it returns response data and a status code to the distribution module, and the status code and a message-processing log to the master control module; when the service instances are started, a corresponding configuration file is generated, through which the distribution module and the master control module communicate with the multiple service instances;
the master control module has two functional parts:
the first is a master control client, a message communication component integrated into the user's service instance, used to collect the service instance's message-processing logs and return them to the master control server as key-value pairs;
the second is a master control server, a database in the form of a message queue, used to collect the message-processing logs sent by the service instances and compare them; under correct conditions the same request issued by the copy distribution module generates the same message logs, the master control module compares the logs, each log carries its version number, the log version numbers of the same request in different instances correspond to each other, and if an error or an attack occurs in one instance, the master control module identifies the erroneous instance and redeploys it;
in the distribution module, when a request is received, because different service instances have different states under some conditions, the copy distribution module performs special processing for a stateful link such as a session so that the continuity of the whole link is ensured; specifically, a self-defined session is generated at the distribution point, the original sessions of the multiple back-end instances form a one-to-many key-value pair with the self-defined session, and the session in a response message is changed to the self-defined one when the message is returned to the user; when a user request arrives, the request is copied into multiple shares in which the custom session is replaced by the session of the corresponding instance; the entire process is regarded as the distribution module remaining connected to the multiple instances while the user remains connected to the distribution module.
2. A multi-path request replication and distribution method based on the system of claim 1, characterized by comprising the following steps:
(1) the user's request to access the server is obtained by the distribution module acting as a proxy, and the request-processing stage of the distribution module begins;
(2) the distribution module processes the request and judges its type, i.e. submission or acquisition; when copying, requests of different types are copied into multiple copies with different parameters, which are sent to the multiple background service instances respectively;
(3) the distribution module's request is transmitted to the multiple service instances;
(4) each service instance processes the user's access request as usual, and at this point the service instance must generate a request-processing log in the form of version number plus log;
(5) the service instance sends the log information to the master control module through the message-communication facility of the master control client;
(6) the master control module compares and judges the request-processing logs of the multiple service instances;
(7) after a service instance finishes processing the request, the corresponding response data is returned to the distribution module, and the response data includes a self-defined health status code;
(8) the distribution module performs comparison and judgment on the responses, including comparison of the status codes and return of the majority-elected result;
(9) the distribution module returns the processed response to the user.
Application CN202110103777.0A, priority date 2021-01-26, filing date 2021-01-26: Multi-path request copying and distributing system and method. Status: Active. Publication: CN112953894B (en).

Priority Applications (1)

Application number: CN202110103777.0A; publication: CN112953894B (en); priority date: 2021-01-26; filing date: 2021-01-26; title: Multi-path request copying and distributing system and method

Applications Claiming Priority (1)

Application number: CN202110103777.0A; publication: CN112953894B (en); priority date: 2021-01-26; filing date: 2021-01-26; title: Multi-path request copying and distributing system and method

Publications (2)

CN112953894A (en), publication date 2021-06-11
CN112953894B (en), publication date 2022-05-20

Family

ID=76237011

Family Applications (1)

Application number: CN202110103777.0A; status: Active; publication: CN112953894B (en); priority date: 2021-01-26; filing date: 2021-01-26; title: Multi-path request copying and distributing system and method

Country Status (1)

Country: CN; link: (1) CN112953894B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1980243A (en) * 2005-10-28 2007-06-13 埃森哲全球服务有限公司 Service broker integration layer for supporting telecommunication client service requests
CN110691133A (en) * 2019-09-29 2020-01-14 河南信大网御科技有限公司 Web service mimicry system and method applied to network communication equipment
CN111683144A (en) * 2020-06-08 2020-09-18 北京字节跳动网络技术有限公司 Method and device for processing access request, computer equipment and storage medium
CN111796913A (en) * 2020-07-13 2020-10-20 郑州昂视信息科技有限公司 Lightweight virtualization implementation method and system for mimicry Web service
CN112242923A (en) * 2020-09-15 2021-01-19 中国人民解放军战略支援部队信息工程大学 System and method for realizing unified data management network function based on mimicry defense

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7590812B2 (en) * 2006-09-25 2009-09-15 International Business Machines Corporation Apparatus, system, and method for archiving a log
CN103067292B (en) * 2012-12-26 2016-12-28 华为技术有限公司 Load-balancing method and device based on WebSocket transmission
CN103326896B (en) * 2013-06-07 2016-04-27 合一信息技术(北京)有限公司 System and method for collecting the information data that a user produces on the internet
CN105872082B (en) * 2016-05-18 2018-11-23 上海交通大学 Fine granularity resource response system based on container cluster load-balancing algorithm
CN109981659B (en) * 2019-03-29 2021-07-09 郑州工程技术学院 Network resource prefetching method and system based on data deduplication technology


Also Published As

Publication number Publication date
CN112953894A (en) 2021-06-11

Similar Documents

Publication Publication Date Title
US10158620B2 (en) DNSSEC signing server
CN107395767B (en) Message pushing system and method based on long connection
US10212173B2 (en) Deterministic reproduction of client/server computer state or output sent to one or more client computers
CN110493352A (en) A kind of unified gateway service system and its method of servicing based on WEB middleware
Freedman Experiences with CoralCDN: A Five-Year Operational View.
EP2518970B1 (en) Dnssec inline signing
US8122102B2 (en) Content delivery network (CDN) content server request handling mechanism
US8769128B2 (en) Method for extranet security
WO2018121331A1 (en) Attack request determination method, apparatus and server
US20100005512A1 (en) System and method for validating requests in an identity metasystem
US7461262B1 (en) Methods and apparatus for providing security in a caching device
US20060224670A1 (en) File distribution method and client terminal implementing the same
MX2011003223A (en) Service provider access.
CN108985092A (en) Submit filter method, device, electronic equipment and the storage medium of request
CN114902612A (en) Edge network based account protection service
US20200210584A1 (en) Deterministic Reproduction of Client/Server Computer State or Output Sent to One or More Client Computers
US6839708B1 (en) Computer system having an authentication and/or authorization routing service and a CORBA-compliant interceptor for monitoring the same
CN112953894B (en) Multi-path request copying and distributing system and method
CN117131493A (en) Authority management system construction method, device, equipment and storage medium
WO2013101825A1 (en) Methods for identifying network traffic characteristics to correlate and manage one or more subsequent flows and devices thereof
US20030191717A1 (en) High performance server data delivery system and method
US20080120696A1 (en) Method and Product for Generating Network and Server Analytics
CN117118606A (en) Token-based access verification method, token-based access verification system and storage medium
GB2551423A (en) Methods for mitigating network attacks through client partitioning and devices thereof
Koesling et al. Adopting Trust Negotiations: To Negotiate or Not To Negotiate?

Legal Events

Code PB01: Publication
Code SE01: Entry into force of request for substantive examination
Code GR01: Patent grant