CN113726867B - Message processing method, device and system - Google Patents

Info

Publication number: CN113726867B
Authority: CN (China)
Prior art keywords: user request, request message, message, tcp, server
Legal status: Active
Application number: CN202110986375.XA
Other languages: Chinese (zh)
Other versions: CN113726867A (en)
Inventor: 汪庆权
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Events: application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN202110986375.XA; publication of CN113726867A; application granted; publication of CN113726867B; legal status active

Classifications

All classifications fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L67/141 Setup of application sessions (H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/14 Session management)
    • H04L61/2503 Translation of Internet protocol [IP] addresses (H04L61/00 Network arrangements, protocols or services for addressing or naming; H04L61/09 Mapping addresses; H04L61/25 Mapping addresses of the same type)
    • H04L69/22 Parsing or analysis of headers (H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving time stamps, e.g. generation of time stamps (H04L9/00; H04L9/32)
    • H04L2463/121 Timestamp (H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to a method, apparatus, system, electronic device, and computer-readable medium for processing a message. The method comprises the following steps: acquiring a user request message from a client; parsing the user request message to obtain the destination IP and the layer-4 protocol; when the destination IP and the layer-4 protocol satisfy a preset policy, parsing the TCP information of the user request message; when the TCP information includes a timestamp option, replacing the kind (type) value of the timestamp option with a preset value; and forwarding the modified user request message to the server. The message processing method, apparatus, system, electronic device and computer-readable medium solve the problem that a TCP request carrying a timestamp cannot establish a TCP connection with the server in a NAT scenario, without modifying each server.

Description

Message processing method, device and system
Technical Field
The present disclosure relates to the field of computer information processing, and in particular, to a method, an apparatus, a system, an electronic device, and a computer readable medium for processing a message.
Background
NAT, whose full name is "Network Address Translation", is an IETF (Internet Engineering Task Force) standard that allows an entire organization to appear on the Internet under one public IP (Internet Protocol) address. As its name suggests, it is a technique that translates an internal private network address (IP address) into a legitimate public network IP address. NAT can, to a certain extent, effectively relieve the shortage of public network addresses.
NAT functions are typically integrated into routers, firewalls, ISDN routers, or separate NAT devices. When a server enables the tcp_timestamps and tcp_tw_recycle options at the same time, sockets in the TIME-WAIT state can be recycled more quickly. However, because of source NAT, in particular when source NAT is enabled on the firewall, load balancer or similar device through which the server is accessed, the per-host PAWS (Protect Against Wrapped Sequence numbers, i.e. protection against duplicate sequence numbers) mechanism of Linux may be triggered. As a result, a TCP connection cannot be established between the client and the server, and the user's normal access to the network is affected.
Thus, there is a need for a new message processing method, apparatus, system, electronic device, and computer readable medium.
The above information disclosed in the background section is only for enhancement of understanding of the background of the disclosure and therefore it may include information that does not form the prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the disclosure provides a method, an apparatus, a system, an electronic device, and a computer-readable medium for processing a message, which solve the problem that a TCP request carrying a timestamp cannot establish a TCP connection with the server in a NAT scenario, without modifying each server. In addition, since the feature applies only to the servers to be protected rather than to the messages of all servers, the load on the network device is reduced to the greatest extent.
According to an aspect of the present disclosure, a method for processing a message is provided, which may be used for a network device, and the method includes: acquiring a user request message from a client; parsing the user request message to obtain the destination IP and the layer-4 protocol; when the destination IP and the layer-4 protocol satisfy a preset policy, parsing the TCP information of the user request message; when the TCP information includes a timestamp option, replacing the kind value of the timestamp option with a preset value; and forwarding the modified user request message to a server.
In an exemplary embodiment of the present disclosure, parsing the TCP information of the user request message when the destination IP and the layer-4 protocol satisfy a preset policy includes: determining whether the user request message is a TCP message based on the layer-4 protocol; when the user request message is a TCP message, determining the timestamp protection information based on the destination IP; and when the timestamp protection mechanism is enabled for the destination IP and the user request message is a TCP SYN message, parsing the TCP information of the user request message.
In an exemplary embodiment of the present disclosure, before parsing the TCP information of the user request message, the method further includes parsing the TCP layer of the user request message.
In an exemplary embodiment of the present disclosure, forwarding the modified user request message to a server includes recalculating the message information of the modified user request message.
In an exemplary embodiment of the present disclosure, recalculating the message information of the modified user request message includes: recalculating the TCP checksum of the modified user request message; and recalculating the IP checksum of the modified user request message.
According to an aspect of the present disclosure, a method for processing a message is provided, which may be used for a server, and the method includes: acquiring a user request message forwarded by a network device; when the user request message is a TCP SYN message, parsing the user request message; extracting the timestamp option from the parsed user request message; when the kind of the timestamp option is the preset value, ignoring the timestamp option information of the user request message; and processing the user request message.
In an exemplary embodiment of the present disclosure, the method further includes: when the timestamp option is not the preset value, performing timestamp detection on the value in the timestamp option; and discarding the user request message when the value in the timestamp option is not increasing.
In an exemplary embodiment of the present disclosure, the method further includes enabling the timestamp protection mechanism of the server.
According to an aspect of the present disclosure, a message processing apparatus is provided, which may be used for a network device, and the apparatus includes: a message module, configured to acquire a user request message from the client; a parsing module, configured to parse the user request message to obtain the destination IP and the layer-4 protocol; a policy module, configured to parse the TCP information of the user request message when the destination IP and the layer-4 protocol satisfy a preset policy; a replacing module, configured to replace the kind value of the timestamp option with a preset value when the TCP message includes a timestamp option; and a forwarding module, configured to forward the modified user request message to a server.
According to an aspect of the present disclosure, a message processing apparatus is provided, which may be used for a server, and the apparatus includes: an acquisition module, configured to acquire a user request message forwarded by the network device; a judging module, configured to parse the user request message when the user request message is a TCP SYN message; an extraction module, configured to extract the timestamp option from the parsed user request message; an ignoring module, configured to ignore the timestamp option information of the user request message when the timestamp option is the preset value; and a processing module, configured to process the user request message.
According to an aspect of the present disclosure, a message processing system is provided, the system including: a client, configured to send a user request message; a network device, configured to acquire the user request message from the client, parse the user request message to obtain the destination IP and the layer-4 protocol, parse the TCP information of the user request message when the destination IP and the layer-4 protocol satisfy a preset policy, replace the kind value of the timestamp option with a preset value when the TCP information includes a timestamp option, and forward the modified user request message to a server; and the server, configured to acquire the user request message forwarded by the network device, parse the user request message when it is a TCP SYN message, extract the timestamp option from the parsed user request message, ignore the timestamp option information of the user request message when the timestamp option is the preset value, and process the user request message.
According to an aspect of the present disclosure, there is provided an electronic device including: one or more processors; a storage means for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the methods as described above.
According to an aspect of the present disclosure, a computer-readable medium is presented, on which a computer program is stored, which program, when being executed by a processor, implements a method as described above.
According to the message processing method, apparatus, system, electronic device and computer-readable medium of this disclosure, a user request message from a client is acquired; the user request message is parsed to obtain the destination IP and the layer-4 protocol; when the destination IP and the layer-4 protocol satisfy a preset policy, the TCP information of the user request message is parsed; when the TCP information includes a timestamp option, the kind value of the timestamp option is replaced with a preset value; and the modified user request message is forwarded to the server. This solves the problem that a TCP request carrying a timestamp cannot establish a TCP connection with the server in a NAT scenario, without modifying each server. In addition, since the feature applies only to the servers to be protected rather than to the messages of all servers, the load on the network device is reduced to the greatest extent.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely examples of the present disclosure and other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 is a system block diagram illustrating a method and apparatus for processing a message according to an exemplary embodiment.
Fig. 2 is a flow chart illustrating a method of message processing according to an exemplary embodiment.
Fig. 3 is a flow chart illustrating a method of message processing according to another exemplary embodiment.
Fig. 4 is a flow chart illustrating a method of message processing according to another exemplary embodiment.
Fig. 5 is a block diagram illustrating a message processing apparatus according to an example embodiment.
Fig. 6 is a block diagram of a message processing apparatus according to another exemplary embodiment.
Fig. 7 is a block diagram of an electronic device, according to an example embodiment.
Fig. 8 is a block diagram of a computer-readable medium shown according to an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments can be embodied in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the disclosed aspects may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, systems, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another element. Accordingly, a first component discussed below could be termed a second component without departing from the teachings of the concepts of the present disclosure. As used herein, the term "and/or" includes any one of the associated listed items and all combinations of one or more.
Those skilled in the art will appreciate that the drawings are schematic representations of example embodiments and that the modules or flows in the drawings are not necessarily required to practice the present disclosure, and therefore, should not be taken to limit the scope of the present disclosure.
As described in the background section, NAT lets a LAN use internal addresses on its internal network; when an internal node communicates with an external network, the internal address is replaced with a public address at the gateway (which may be thought of as an exit, like the gate of a courtyard). NAT is therefore normally used at the boundary with the public network (Internet); it allows multiple computers to share one Internet connection, which largely solves the shortage of public IP addresses. In this way, the computers of an entire LAN can access the Internet after applying for only one legitimate IP address. At the same time, NAT shields the internal network: internal computers are not visible from the public network, and users of internal computers are generally unaware that the NAT exists.
NAT functions are typically integrated into routers, firewalls, ISDN routers, or separate NAT devices. When a server enables the tcp_timestamps and tcp_tw_recycle options at the same time, sockets in the TIME-WAIT state can be recycled more quickly.
The inventors of the present disclosure have found that, because source NAT is present, and in particular when source NAT is enabled on the firewall, load balancer or similar device through which the server is accessed, the per-host PAWS (Protect Against Wrapped Sequence numbers, i.e. protection against duplicate sequence numbers) mechanism of Linux may be triggered. This mechanism requires that the timestamp values of all TCP packets from the same host IP increase. When a received timestamp value is smaller than the value the server has recorded for that host, the packet is considered stale and is discarded. Thus, when multiple clients are subject to the same NAT translation and the flows from different clients reach the server with the same source IP, and the SYN message of the TCP three-way handshake carries a timestamp option, the server performs timestamp detection if the tcp_tw_recycle option is enabled; if the timestamp value has not increased, the SYN is discarded and the TCP connection fails to be established. This results in the client and server failing to establish a TCP connection, affecting the user's normal access to the network.
To ensure normal access on Linux systems, the existing approach is to enable only the tcp_timestamps option on each server and leave the tcp_tw_recycle option disabled, which avoids the problem that the client and server cannot establish a TCP connection in a NAT scenario. However, this approach has the disadvantage that the configuration must be modified on every Linux server; when many servers are involved, as in a server load-balancing scenario with hundreds or thousands of servers, the modification workload is very large.
In the message processing method of this disclosure, the TCP timestamp option of the protected server only needs to be configured and modified on the network device (such as a firewall or load-balancing device); the problem that the client and server cannot establish a TCP connection in a NAT scenario is solved without modifying each Linux server, and server performance is essentially unaffected. The specific technical content of the present disclosure is described in detail below with the aid of specific examples.
Fig. 1 is a system block diagram illustrating a method and apparatus for processing a message according to an exemplary embodiment.
As shown in fig. 1, the system architecture 10 may include terminal devices 101, 102, 103, a network 104, a network device 105, and a server 106. The network 104 is the medium used to provide communication links between the terminal devices 101, 102, 103 and the network device 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the network device 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc., may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 106 may be a server providing various services, such as a background management server that supports websites or applications browsed by the user with the terminal devices 101, 102, 103. The background management server may analyze and otherwise process a received product information query request and feed the processing result back to the terminal device.
The network device 105 is located between the terminal devices 101, 102, 103 and the server 106 and is used to filter the message data between the terminal devices 101, 102, 103 and the server 106, so as to protect the server 106 from traffic attacks.
The network device 105 may, for example, obtain user request messages from the terminal devices 101, 102, 103; the network device 105 may, for example, parse the user request message to obtain a destination IP and a four-layer protocol; the network device 105 may, for example, parse the TCP information of the user request message when the destination IP and the four-layer protocol satisfy a preset policy; network device 105 may, for example, replace a type value of a timestamp option with a preset value when the timestamp option is included in the TCP message; the network device 105 may, for example, forward the modified user request message to a server.
The network device 105 may be a single physical device or may be composed of multiple devices. It should be noted that the message processing method provided in the embodiments of the disclosure may be executed by the network device 105, and accordingly the message processing apparatus may be deployed in the network device 105. The web page front end for data browsing and the request end for business queries are generally located in the terminal devices 101, 102 and 103.
Fig. 2 is a flow chart illustrating a method of message processing according to an exemplary embodiment. The message processing method 20 may be used for a network device, and at least includes steps S202 to S210.
As shown in fig. 2, in S202, a user request message from a client is acquired.
In S204, the user request message is parsed to obtain the destination IP and the layer-4 protocol.
In S206, when the destination IP and the layer-4 protocol satisfy a preset policy, the TCP information of the user request message is parsed. This includes the following steps: determining whether the user request message is a TCP message based on the layer-4 protocol; when the user request message is a TCP message, determining the timestamp protection information based on the destination IP; and when the timestamp protection mechanism is enabled for the destination IP and the user request message is a TCP SYN message, parsing the TCP information of the user request message.
In S208, when the TCP message includes a timestamp option, the kind value of the timestamp option is replaced with a preset value.
The format of a TCP option is as follows:
Kind      Length    Info
1 byte    1 byte    2 bytes
The first field of an option, kind, indicates the type of the option and is mandatory. Some TCP options have none of the other two fields and consist only of the 1-byte kind field. The second field, length (if present), specifies the total length of the option, including the 2 bytes occupied by the kind and length fields. The third field, info (if present), carries the specific information of the option.
There are 7 common TCP options. For example, kind=0 is the end-of-option-list (EOL) option, used at most once per segment; it is placed at the end as padding, indicating that there are no more options and that application data begins at the next 32-bit word. kind=1 is the no-operation (NOP) option; it has no special meaning and is typically used to pad the total length of the TCP options to an integer multiple of 4 bytes. kind=2 is the maximum segment size (MSS) option; during TCP connection initialization both parties use it to negotiate the maximum segment size. kind=8 is the timestamp option, which provides a more accurate way to measure the round-trip time (RTT) between the two communicating parties and thus supplies important information for TCP flow control. The timestamp option occupies 10 bytes = kind (1 byte) + length (1 byte) + info (8 bytes), where kind = 8, length = 10, and info consists of two values, timestamp and timestamp echo, each 4 bytes long.
In the embodiment of the disclosure, the TCP SYN message is inspected; if it carries a timestamp, the kind value 8 of the timestamp option is replaced with 250 and the rest of the option is left unchanged. Option kind 250 is not used by the current TCP protocol, but other kinds may also be used as long as they are not used by TCP; the supported kinds can be made configurable, so that if a future version of TCP assigns the chosen kind, the resulting conflict does not cause problems.
In one embodiment, the kind of the TCP timestamp option is replaced from 8 to 250 by default; alternatively, another option kind not used by TCP may be configured.
In S210, the modified user request message is forwarded to a server. This includes recalculating the message information of the modified user request message.
Recalculating the message information of the modified user request message includes: recalculating the TCP checksum of the modified user request message; and recalculating the IP checksum of the modified user request message.
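The network-device side of S204 to S210 (policy check on destination IP and layer-4 protocol, TCP option walk, kind rewrite on a SYN, checksum recalculation) as an added, self-contained Python example. This is illustration code written for this page, not the patent holder's implementation; the protected-server set, the constructed SYN packet, the addresses and the helper names are all assumptions.

```python
import socket
import struct

# Constructed policy: destination IPs for which NAT timestamp protection is enabled
PROTECTED_SERVERS = {"10.0.0.5"}
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS, TCP_OPT_TIMESTAMP = 0, 1, 2, 8
REPLACEMENT_KIND = 250        # the page's default preset value
TCP_FLAG_SYN, TCP_FLAG_ACK = 0x02, 0x10
IPPROTO_TCP = 6


def rfc1071_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, folded and complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_checksum(ip_header: bytes) -> int:
    """IP header checksum, computed with the checksum field (bytes 10-11) zeroed."""
    return rfc1071_checksum(ip_header[:10] + b"\x00\x00" + ip_header[12:])


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return rfc1071_checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def walk_tcp_options(opts: bytes):
    """Return [(offset, kind, length)] for the option bytes after the fixed TCP header.
    EOL ends the list; NOP has no length byte; every other option is kind, length, info."""
    i, out = 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            out.append((i, kind, 1))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        out.append((i, kind, opts[i + 1]))
        i += opts[i + 1]
    return out


def rewrite_syn_timestamp(packet: bytes, protected=PROTECTED_SERVERS,
                          new_kind=REPLACEMENT_KIND) -> bytes:
    """S204-S210 on one IPv4 packet: check protocol and destination IP against the policy;
    on a SYN to a protected server change the timestamp option's kind byte (8) to new_kind,
    then recompute the TCP checksum and the IP checksum. Anything else is returned untouched."""
    ihl = (packet[0] & 0x0F) * 4
    dst_ip = socket.inet_ntoa(packet[16:20])
    if packet[9] != IPPROTO_TCP or dst_ip not in protected:
        return packet                                   # policy not met: forward as-is
    seg = bytearray(packet[ihl:])
    data_off = (seg[12] >> 4) * 4
    if not seg[13] & TCP_FLAG_SYN:
        return packet                                   # only handshake SYNs are touched
    changed = False
    for off, kind, length in walk_tcp_options(bytes(seg[20:data_off])):
        if kind == TCP_OPT_TIMESTAMP and length == 10:
            seg[20 + off] = new_kind                    # length and both 4-byte values stay
            changed = True
    if not changed:
        return packet
    struct.pack_into("!H", seg, 16, tcp_checksum(packet[12:16], packet[16:20], bytes(seg)))
    ip_hdr = bytearray(packet[:ihl])
    struct.pack_into("!H", ip_hdr, 10, ip_checksum(bytes(ip_hdr)))
    return bytes(ip_hdr) + bytes(seg)


def build_syn(src_ip, dst_ip, sport, dport, seq, ts_val, ts_ecr=0, flags=TCP_FLAG_SYN) -> bytes:
    """Constructed IPv4/TCP segment carrying the options MSS, NOP, NOP, Timestamp (kind 8, len 10)."""
    options = (struct.pack("!BBH", TCP_OPT_MSS, 4, 1460) + bytes([TCP_OPT_NOP, TCP_OPT_NOP])
               + struct.pack("!BBII", TCP_OPT_TIMESTAMP, 10, ts_val, ts_ecr))
    data_off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_off << 4, flags, 65535, 0, 0) + options
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    return ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:] + tcp


def tcp_option_kinds(packet: bytes):
    """Option kinds in the packet, in order: what the receiving server's parser will see."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    return [k for _, k, _ in walk_tcp_options(seg[20:(seg[12] >> 4) * 4])]


def checksums_valid(packet: bytes) -> bool:
    """With a correct RFC 1071 checksum in place, the checksum over the covered bytes is zero."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    return rfc1071_checksum(packet[:ihl]) == 0 and rfc1071_checksum(pseudo + seg) == 0


if __name__ == "__main__":
    syn = build_syn("192.0.2.10", "10.0.0.5", 40000, 80, 1000, ts_val=5000)
    out = rewrite_syn_timestamp(syn)
    print("before:", tcp_option_kinds(syn), "after:", tcp_option_kinds(out),
          "checksums valid:", checksums_valid(out))
```

Two points worth noticing when reading it: the option length and both 4-byte timestamp values are left in place, so the segment keeps its length and the data offset does not change; and the TCP checksum must be recomputed over the pseudo-header, which is why the source and destination addresses are passed in from the IP header. The receiver's tolerance the scheme relies on is standard behaviour: RFC 1122 requires a TCP to ignore, without error, any option it does not implement as long as the option carries a length field.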
According to the message processing method of this disclosure, a user request message from a client is acquired; the user request message is parsed to obtain the destination IP and the layer-4 protocol; when the destination IP and the layer-4 protocol satisfy a preset policy, the TCP information of the user request message is parsed; when the TCP information includes a timestamp option, the kind value of the timestamp option is replaced with a preset value; and the modified user request message is forwarded to the server. This solves the problem that a TCP request carrying a timestamp cannot establish a TCP connection with the server in a NAT scenario, without modifying each server. In addition, since the feature applies only to the servers to be protected rather than to the messages of all servers, the load on the network device is reduced to the greatest extent.
The message processing method of this disclosure provides the following solution: NAT timestamp protection is configured for the server to be protected, and the feature can be integrated on a firewall or load-balancing device. For a TCP SYN message carrying a timestamp, the timestamp option kind is changed to one not used by the TCP protocol, and the TCP header and IP header checksums are recalculated. When the server receives the message it parses the TCP options; because the kind is unused, the server cannot recognize the option and automatically ignores it, so the connection with the server can be established normally.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Fig. 3 is a flow chart illustrating a method of message processing according to another exemplary embodiment. The process 30 shown in fig. 3 is a detailed description of S206 "parse the TCP information of the user request packet when the destination IP and the four-layer protocol satisfy the preset policy" in the process shown in fig. 2.
As shown in fig. 3, in S302, it is determined whether the user request message is a TCP message based on the layer-4 protocol. After receiving the user's request message, the network device parses the message, extracts the destination IP address and the layer-4 protocol, and checks whether the message is a TCP message.
In S304, when the user request message is a TCP message, the timestamp protection information is determined based on the destination IP. If the message is a TCP message, the device further checks whether NAT timestamp protection is enabled for the destination IP address; if so, it checks whether the message is a TCP handshake SYN message; if not, no modification or replacement is performed.
In S306, when the timestamp protection mechanism is enabled for the destination IP and the user request message is a TCP SYN message, the TCP layer of the user request message is parsed.
If the message is a TCP SYN message, TCP layer parsing is performed: the TCP options are parsed and checked for a TCP timestamp option. If no TCP timestamp option is carried, the kind value does not need to be modified or replaced. If a TCP timestamp option is carried, the kind value of the timestamp option is replaced from 8 to 250, with the option length and info unchanged. The TCP checksum of the packet is then recalculated, and finally the IP checksum is recalculated; after modification, the message is forwarded to the server.
In S308, the TCP information of the user request packet is parsed.
In the message processing method disclosed by the invention, the NAT timestamp characteristic is configured for the server to be protected. For a TCP SYN message carrying a timestamp, the timestamp option kind is modified to an option kind unused by the TCP protocol, and the TCP header and IP header checksums are then recalculated. When the server receives the message it parses the TCP options, and because the kind is an unused option kind the server automatically ignores it, so the connection can be established normally. This solves the problem that, in a NAT scenario, TCP requests carrying a timestamp may be unable to establish a TCP connection with the server, and no server needs to be modified.
In the message processing method disclosed by the invention, the NAT timestamp characteristic applies only to the servers that need protection, rather than processing the messages of all servers, so the burden on the network device is reduced to the greatest extent.
Fig. 4 is a flow chart illustrating a method of message processing according to another exemplary embodiment. The process 40 shown in fig. 4 is applicable to a server and includes at least steps S402 to S410.
As shown in fig. 4, in S402, a user request packet forwarded from a network device is acquired.
In one embodiment, the method further comprises enabling the timestamp protection mechanism of the server: the NAT timestamp protection characteristic is configured for the server to be protected, and timestamp detection is performed on TCP SYN messages that access the server.
In S404, when the user request message is a TCP SYN type message, the user request message is parsed.
In S406, the timestamp option of the parsed user request message is extracted.
In S408, when the timestamp option is the preset value, the timestamp option information of the user request message is ignored. The user request message is then processed further.
When the server receives and parses the TCP SYN message, it finds that an option with kind 250 is not supported and automatically ignores that option, so the server does not perform the PAWS (Protection Against Wrapped Sequences) timestamp check and does not discard the connection.
In S410, when the timestamp option is not the preset value, timestamp detection is performed on the numerical value in the timestamp option. When the value in the timestamp option is not an increasing value, the user request message is discarded.
More specifically, after receiving a message whose timestamp value is smaller than the corresponding value recorded by the server, the server considers the message an expired data packet and discards it.
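The following Python model, added here as an illustration and not code from the patent, puts the two halves of the method side by side: the network-device step of S306 to S308 (rewrite the Timestamps option kind 8 to 250 and recalculate the TCP and IP checksums) and the server step of S404 to S410 (skip unknown option kinds, apply a PAWS-style check only to a recognised Timestamps option). The addresses, ports, timestamp values and the "handshake SYN only" flag test are constructed assumptions.

```python
import struct

TS_KIND, REPLACEMENT_KIND = 8, 250   # Timestamps kind (RFC 7323); the patent's preset value
TCP_PROTO, FLAG_SYN, FLAG_ACK = 6, 0x02, 0x10


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (data zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_checksum(ip: bytes) -> int:
    return internet_checksum(ip[:10] + b"\x00\x00" + ip[12:])


def tcp_checksum(src: bytes, dst: bytes, seg: bytes) -> int:
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(seg))  # IPv4 pseudo-header
    return internet_checksum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])


def iter_tcp_options(seg: bytes):
    """Yield (kind, offset in option area, data); EOL ends the walk, NOP is one byte."""
    opts, i = seg[20:(seg[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:
        if opts[i] == 1:
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        yield opts[i], i, opts[i + 2:i + length]
        i += length


def build_syn(src_ip, dst_ip, sport, dport, tsval, tsecr, with_timestamp=True):
    """Constructed sample input: IPv4 TCP SYN with MSS, SACK-permitted, Timestamps, NOP, WS."""
    options = struct.pack("!BBH", 2, 4, 1460)
    if with_timestamp:
        options += bytes([4, 2]) + struct.pack("!BBII", TS_KIND, 10, tsval, tsecr)
    options += bytes([1, 3, 3, 7])
    src, dst = (bytes(map(int, a.split("."))) for a in (src_ip, dst_ip))
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, ((20 + len(options)) // 4) << 4,
                      FLAG_SYN, 65535, 0, 0) + options
    seg = seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0x1234, 0x4000, 64, TCP_PROTO, 0, src, dst)
    return ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:] + seg


def checksums_valid(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    ip, seg = pkt[:ihl], pkt[ihl:]
    return (ip_checksum(ip) == int.from_bytes(ip[10:12], "big")
            and tcp_checksum(ip[12:16], ip[16:20], seg) == int.from_bytes(seg[16:18], "big"))


def rewrite_timestamp_kind(pkt: bytes) -> bytes:
    # Network-device step (S306-S308): on a TCP SYN carrying a Timestamps option, set the
    # option kind 8 -> 250 (length and data untouched) and recalculate TCP and IP checksums.
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != TCP_PROTO:
        return pkt
    ip, seg = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    if not (seg[13] & FLAG_SYN) or seg[13] & FLAG_ACK:   # assumption: handshake SYN only
        return pkt
    for kind, off, _ in iter_tcp_options(bytes(seg)):
        if kind == TS_KIND:
            seg[20 + off] = REPLACEMENT_KIND
            break
    else:
        return pkt                                      # no Timestamps option: forward unchanged
    seg[16:18] = struct.pack("!H", tcp_checksum(ip[12:16], ip[16:20], bytes(seg)))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))  # IP header unchanged here; recomputed as the method states
    return bytes(ip + seg)


def server_handle_syn(pkt: bytes, last_tsval_seen):
    # Server step (S404-S410): walk the options, skip any kind it does not know, and run a
    # PAWS-style check only on a recognised Timestamps option (kind 8).
    ihl = (pkt[0] & 0x0F) * 4
    for kind, _, data in iter_tcp_options(pkt[ihl:]):
        if kind == TS_KIND:
            tsval = struct.unpack("!II", data)[0]
            if last_tsval_seen is not None and tsval < last_tsval_seen:
                return "drop", "stale timestamp"
            return "accept", "timestamp checked"
    return "accept", "no recognised timestamp option"
```

The NAT case the patent targets is a second client behind the same source address whose TSval (100) is below the value the server last recorded for that address (500000): the raw SYN is dropped, the rewritten SYN is accepted with valid checksums.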
In the message processing method of the present disclosure, the NAT timestamp characteristic is configured for the server to be protected. For a TCP SYN message carrying a timestamp, the timestamp option is modified to an option kind not used by the TCP protocol, and the TCP header and IP header checksums are then recalculated. When the server receives the message it parses the TCP options, and because the option is an unused one that the server cannot identify, the option is automatically ignored, so the connection can be established with the server normally.
The method solves the problem that, in a NAT scenario, TCP requests carrying a timestamp may be unable to establish a TCP connection with the server, and no server needs to be modified. In addition, since the characteristic applies only to the server to be protected rather than to the messages of all servers, the burden on the network device is reduced to the greatest extent.
Those skilled in the art will appreciate that all or part of the steps implementing the above described embodiments are implemented as a computer program executed by a CPU. The above-described functions defined by the above-described methods provided by the present disclosure are performed when the computer program is executed by a CPU. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic disk or an optical disk, etc.
Furthermore, it should be noted that the above-described figures are merely illustrative of the processes involved in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
The following are device embodiments of the present disclosure that may be used to perform method embodiments of the present disclosure. For details not disclosed in the embodiments of the apparatus of the present disclosure, please refer to the embodiments of the method of the present disclosure.
Fig. 5 is a block diagram illustrating a message processing apparatus according to an example embodiment. As shown in fig. 5, the message processing apparatus 50 includes: message module 502, parsing module 504, policy module 506, replacement module 508, and forwarding module 510.
The message module 502 is configured to obtain a user request message from a client;
the parsing module 504 is configured to parse the user request packet to obtain a destination IP and a four-layer protocol;
The policy module 506 is configured to parse TCP information of the user request packet when the destination IP and the four-layer protocol satisfy a preset policy; policy module 506 is further configured to determine whether the user request packet is a TCP packet based on the four-layer protocol; when the user request message is a TCP message, determining timestamp protection information based on the destination IP; and when the target IP has the timestamp protection mechanism enabled and the user request message is a TCP SYN type message, parsing the TCP information of the user request message.
The replacing module 508 is configured to replace, when the TCP message includes a timestamp option, a type value of the timestamp option with a preset value;
the forwarding module 510 is configured to forward the modified user request packet to a server. The forwarding module 510 is further configured to recalculate the modified message information of the user request message.
Fig. 6 is a block diagram of a message processing apparatus according to another exemplary embodiment. As shown in fig. 6, the message processing apparatus 60 includes: an acquisition module 602, a judgment module 604, an extraction module 606, an ignoring module 608 and a processing module 610.
The obtaining module 602 is configured to obtain a user request packet forwarded by a network device;
The judging module 604 is configured to parse the user request message when the user request message is a TCP SYN type message;
The extracting module 606 is configured to extract the timestamp option of the parsed user request message;
The ignoring module 608 is configured to ignore timestamp option information of the user request packet when the timestamp option is a preset value;
the processing module 610 is configured to process the user request packet.
According to the message processing device disclosed by the disclosure, a user request message from a client is obtained; analyzing the user request message to obtain a target IP and a four-layer protocol; when the target IP and the four-layer protocol meet a preset strategy, analyzing TCP information of the user request message; when the TCP information comprises a time stamp option, replacing a type value of the time stamp option with a preset value; the mode of forwarding the modified user request message to the server solves the problem that the TCP request with the timestamp and the server cannot establish TCP connection in the NAT scene, and each server does not need to be modified. In addition, as the characteristic only aims at the server to be protected, not all server messages are processed, the burden of network equipment can be reduced to the greatest extent.
Fig. 7 is a block diagram of an electronic device, according to an example embodiment.
An electronic device 700 according to such an embodiment of the present disclosure is described below with reference to fig. 7. The electronic device 700 shown in fig. 7 is merely an example and should not be construed to limit the functionality and scope of use of embodiments of the present disclosure in any way.
As shown in fig. 7, the electronic device 700 is embodied in the form of a general purpose computing device. Components of electronic device 700 may include, but are not limited to: at least one processing unit 710, at least one memory unit 720, a bus 730 connecting the different system components (including the memory unit 720 and the processing unit 710), a display unit 740, and the like.
The storage unit stores program code that is executable by the processing unit 710, such that the processing unit 710 performs the steps described in the present specification according to various exemplary embodiments of the present disclosure. For example, the processing unit 710 may perform the steps shown in figs. 2, 3 and 4.
The memory unit 720 may include readable media in the form of volatile memory units, such as Random Access Memory (RAM) 7201 and/or cache memory 7202, and may further include Read Only Memory (ROM) 7203.
The storage unit 720 may also include a program/utility 7204 having a set (at least one) of program modules 7205, such program modules 7205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 730 may be a bus representing one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 700 may also communicate with one or more external devices 700' (e.g., keyboard, pointing device, bluetooth device, etc.), devices that enable a user to interact with the electronic device 700, and/or any devices (e.g., routers, modems, etc.) with which the electronic device 700 can communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 750. Also, electronic device 700 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, through network adapter 760. Network adapter 760 may communicate with other modules of electronic device 700 via bus 730. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 700, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, as shown in fig. 8, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, or a network device, etc.) to perform the above-described method according to the embodiments of the present disclosure.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM or flash memory), optical fiber, portable Compact Disk Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable storage medium may also be any readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The computer-readable medium carries one or more programs, which when executed by one of the devices, cause the computer-readable medium to perform the functions of: acquiring a user request message from a client; analyzing the user request message to obtain a target IP and a four-layer protocol; when the target IP and the four-layer protocol meet a preset strategy, analyzing TCP information of the user request message; when the TCP information comprises a time stamp option, replacing a type value of the time stamp option with a preset value; and forwarding the modified user request message to a server.
Those skilled in the art will appreciate that the modules may be distributed throughout several devices as described in the embodiments, and that corresponding variations may be implemented in one or more devices that are unique to the embodiments. The modules of the above embodiments may be combined into one module, or may be further split into a plurality of sub-modules.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or in combination with the necessary hardware. Thus, the technical solutions according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and include several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that this disclosure is not limited to the particular arrangements, instrumentalities and methods of implementation described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (6)

1. A method for processing a message, comprising:
acquiring a user request message from a client;
analyzing the user request message to obtain a target IP and a four-layer protocol;
when the destination IP and the four-layer protocol meet a preset strategy, analyzing the TCP information of the user request message, wherein the method comprises the following steps: determining whether the user request message is a TCP message based on the four-layer protocol, determining whether a server starts a time stamp protection mechanism based on the destination IP when the user request message is the TCP message, and analyzing TCP information of the user request message when the destination IP starts the time stamp protection mechanism and the user request message is a TCP SYN type message;
When the TCP information comprises a time stamp option, replacing a type value of the time stamp option with a preset value, so that a server determined by the destination IP does not need to be modified;
Forwarding the modified user request message to a server so that the server processes the user request message after obtaining the user request message forwarded by the network device, wherein the method comprises the following steps: analyzing the user request message, extracting the timestamp option of the analyzed user request message, and ignoring the timestamp option information of the user request message when the timestamp option is a preset value.
2. The method of claim 1, further comprising, prior to parsing the TCP message of the user request message:
And analyzing the TCP layer of the user request message.
3. The method of claim 1, wherein forwarding the modified user request message to a server comprises:
And recalculating the modified message information of the user request message.
4. The method of claim 3, wherein recalculating the modified message information for the user request message comprises:
recalculating the TCP checksum of the modified user request message;
and recalculating the IP checksum of the modified user request message.
5. The method of claim 1, wherein the processing of the user request message by the server comprises:
When the time stamp option is not a preset value, performing time stamp detection on the numerical value in the time stamp option;
And discarding the user request message when the value in the timestamp option is not an increasing value.
6. A message processing apparatus, comprising:
the message module is used for acquiring a user request message from the client;
the analysis module is used for analyzing the user request message to obtain a target IP and a four-layer protocol;
The policy module is configured to parse TCP information of the user request packet when the destination IP and the four-layer protocol meet a preset policy, and includes: determining whether the user request message is a TCP message based on the four-layer protocol, determining whether a server starts a time stamp protection mechanism based on the destination IP when the user request message is the TCP message, and analyzing TCP information of the user request message when the destination IP starts the time stamp protection mechanism and the user request message is a TCP SYN type message;
the replacing module is used for replacing the type value of the timestamp option with a preset value when the timestamp option is included in the TCP information, so that a server determined by the destination IP does not need to be modified;
The forwarding module is configured to forward the modified user request packet to a server, so that the server processes the user request packet after obtaining the user request packet forwarded by the network device, and includes: analyzing the user request message, extracting the timestamp option of the analyzed user request message, and ignoring the timestamp option information of the user request message when the timestamp option is a preset value.
CN202110986375.XA 2021-08-26 2021-08-26 Message processing method, device and system Active CN113726867B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110986375.XA CN113726867B (en) 2021-08-26 2021-08-26 Message processing method, device and system
Publications (2)

Publication Number Publication Date
CN113726867A CN113726867A (en) 2021-11-30
CN113726867B true CN113726867B (en) 2024-04-30

Family

ID=78678134
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant