CN114070878A - Network connection processing method and device - Google Patents


Info

Publication number: CN114070878A
Authority: CN (China)
Prior art keywords: sending end; authentication information; connection; credible; address
Legal status: Granted
Application number: CN202210037507.9A
Other languages: Chinese (zh)
Other versions: CN114070878B (en)
Inventor: 刘亚
Current Assignee: Alibaba Cloud Computing Ltd
Original Assignee: Alibaba Cloud Computing Ltd
Application filed by Alibaba Cloud Computing Ltd
Priority to CN202210037507.9A
Publication of CN114070878A
Application granted
Publication of CN114070878B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

An embodiment of the present specification provides a network connection processing method and apparatus. The method is applied to a receiving end and includes: receiving a connection establishment request sent by a sending end; and selecting different connection establishment strategies to establish a connection relation with the sending end according to whether the connection establishment request carries identity authentication information, where the identity authentication information is determined by the sending end and the receiving end according to a preset transmission control protocol. Specifically, by judging whether the connection establishment request sent by the sending end carries the authentication information predefined between the sending end and the receiving end, the method selects a matching connection establishment strategy, so that a connection relationship with the sending end is established quickly and safely; this solves the technical problem of network delay caused by online queries on the security of the sending end's IP address, and improves the user experience.

Description

Network connection processing method and device
Technical Field
The embodiment of the specification relates to the technical field of communication, in particular to a network connection processing method.
Background
As network content and applications become richer, the amount and value of the information carried grow with them, and network intrusion events also become more frequent.
In the prior art, when a receiving end receives a network connection request from a sending end, it obtains the IP address of the sending end and performs an online query on the security of that address in order to intercept unsafe network connections. However, the query itself takes a certain time, and every network connection request is only connected after the online query completes, which greatly increases network delay and degrades the user experience.
Disclosure of Invention
In view of this, the embodiments of the present disclosure provide a network connection processing method. One or more embodiments of the present specification also relate to a network connection processing apparatus, a computing device, a computer-readable storage medium, and a computer program, so as to solve the technical deficiencies in the prior art.
According to a first aspect of the embodiments of the present specification, there is provided a network connection processing method, applied to a receiving end, including:
receiving a connection establishment request sent by a sending end;
selecting different connection establishment strategies to establish a connection relation with the sending end according to whether the connection establishment request carries identity authentication information or not;
the identity authentication information is determined by the sending end and the receiving end according to a preset transmission control protocol.
According to a second aspect of the embodiments of the present specification, there is provided a network connection processing apparatus, applied to a receiving end, including:
a request receiving module configured to receive a connection establishment request sent by a sending end;
the connection establishing module is configured to select different connection establishing strategies to establish a connection relation with the sending end according to whether the connection establishing request carries identity authentication information or not;
the identity authentication information is determined by the sending end and the receiving end according to a preset transmission control protocol.
According to a third aspect of embodiments herein, there is provided a computing device comprising:
a memory and a processor;
the memory is configured to store computer-executable instructions and the processor is configured to execute the computer-executable instructions, which when executed by the processor implement the steps of the network connection processing method described above.
According to a fourth aspect of embodiments herein, there is provided a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of the above-described network connection processing method.
According to a fifth aspect of embodiments herein, there is provided a computer program, wherein when the computer program is executed in a computer, the computer is caused to execute the steps of the network connection processing method described above.
An embodiment of the present specification implements a network connection processing method and apparatus, where the network connection processing method is applied to a receiving end, and includes: receiving a connection establishment request sent by a sending end; selecting different connection establishment strategies to establish a connection relation with the sending end according to whether the connection establishment request carries identity authentication information or not; the identity authentication information is determined by the sending end and the receiving end according to a preset transmission control protocol.
Specifically, the network connection processing method can select different connection establishment strategies by judging whether the connection establishment request sent by the sending end carries the authentication information predefined by the sending end and the receiving end or not, so that the connection relationship can be established quickly and safely with the sending end, the technical problem of network delay caused by online inquiry on the safety of the IP address of the sending end is solved, and the user experience is improved.
Drawings
Fig. 1 is a schematic diagram of a specific application scenario of a network connection processing method according to an embodiment of the present specification;
fig. 2 is a flowchart of a network connection processing method according to an embodiment of the present specification;
fig. 3 is a flowchart illustrating an interaction processing procedure of a network connection processing method according to an embodiment of the present specification;
fig. 4 is a schematic structural diagram of a network connection processing apparatus according to an embodiment of the present disclosure;
fig. 5 is a block diagram of a computing device according to an embodiment of the present disclosure.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present description. This description may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein, as those skilled in the art will be able to make and use the present disclosure without departing from the spirit and scope of the present disclosure.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present specification refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It will be understood that, although the terms first, second, etc. may be used herein in one or more embodiments to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first can also be referred to as a second and, similarly, a second can also be referred to as a first without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
First, the noun terms to which one or more embodiments of the present specification relate are explained.
tcp: transmission Control Protocol, a connection-oriented, reliable transport layer communication Protocol based on byte streams.
IP: internet Protocol, internetworking Protocol, is a network layer Protocol in the tcp/IP system.
k8 s: known as kubernets, a container scheduling system.
pod: k8s schedules the minimum unit of container; a pod protecting one or more containers, wherein the containers share a network space, and the pod at least comprises a main container, a main service and a plurality of service containers; i.e., pod is a group of containers, and container refers to a container alone.
A container: is an environment for running application programs without depending on an operating system. A container is only a special process running on a host, and an operating system kernel of the same host is used among a plurality of containers.
syn packet: the first packet of a tcp connection; when two computers are engaged in a session over a tcp connection, the connection must first be initialized and the packet that accomplishes this task is called syn. A syn packet simply indicates that another computer is ready for a session and only the computer that issued the service request sends the syn packet.
sidecar vessel: a pod contains one or more vessels, in addition to the main vessel, the vessel responsible for the assistance of the work, called sidecar vessel.
acl: access control list, which is a packet filtering based access control technique that can filter packets on an interface, allow them to pass or drop according to set conditions.
tcp-fast-open: is a tcp protocol extension to accelerate data interaction for successive tcp connections; the principle is as follows: in the process of tcp three-way handshake, when a user accesses the server for the first time, a SYN packet is sent, and the server generates Cookie (encrypted) according to the user IP and sends the Cookie and SYN-ACK back to the Client; when the Client subsequently reconnects, carrying the tcp Cookie in the SYN packet; if the Server is verified to be legal, the data can be directly sent before the user replies an ACK (acknowledgement message); otherwise, the normal three-way handshake is carried out.
Iptables: packet filtering firewall, which provides two functions: 1. hijacking of tcp-syn packets; 2. severing a particular tcp connection; the embodiments herein use the ipset component of the iptables.
identity-acl: access control based on the identity of the application; conventional acl is based on ip/port/protocol number for access control.
In the present specification, a network connection processing method is provided, and the present specification relates to a network connection processing apparatus, a computing device, a computer-readable storage medium, and a computer program, which are described in detail one by one in the following embodiments.
In specific implementation, the network connection processing method can be applied to identity authentication service in a remote office scene, for example, in an office integrated protection scene.
In an office integrated protection scenario, the network connection method can provide unified security management capability for enterprise mobile office and branch office internet access, such as zero-trust intranet access control: the self-developed HTTPS encrypted transmission protocol supports end-to-end (TCP) and end-to-application (HTTP/HTTPS) least-privilege access control based on dynamic identity authentication, and compared with traditional VPN access it offers faster access, more efficient operation and maintenance, easier deployment and higher system security.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating a specific application scenario of a network connection processing method according to an embodiment of the present disclosure.
Fig. 1 includes a sender 102 and a receiver 104, wherein the sender 102 and the receiver 104 can be understood as a pod in the case that the network connection processing method is applied to a container scheduling system (e.g., k8 s).
Taking the sender 102 and the receiver 104 as pod, the sender 102 and the receiver 104 are both disposed with a main container and a secure sidecar container.
In a specific implementation, after the main container of the sending end 102 initiates a tcp handshake, the tcp-syn packet of that handshake is intercepted by the Iptables of the sending end 102 and redirected to the secure sidecar container; the secure sidecar container uses the public tcp-fast-open protocol to insert a segment of custom identity into the tcp-syn packet, and then sends it to the receiving end 104.
At the receiving end 104, the tcp-syn packet is first intercepted by the Iptables of the receiving end 104 and redirected to its secure sidecar container. The secure sidecar container verifies the custom identity inserted in the tcp-syn packet and applies identity-acl; once verification passes, the tcp-syn packet is forwarded to the main container, the handshake between the sending end 102 and the receiving end 104 completes, and the network connection relationship between the sending end 102 and the receiving end 104 is established.
In practical applications, a general firewall applies acl based on IP/port/protocol; however, in scenarios where pods are created or destroyed quickly and IP addresses are quickly reused, acl cannot be based on IP, so acl based on the identity of the application, called identity-acl, is required.
The principle of identity-acl provided by the embodiments of the present description is as follows: based on tcp-fast-open (tfo for short), an identity is inserted into the tcp-syn packet at the tcp sending end, and identity-acl is performed at the tcp receiving end.
Specifically, tcp-fast-open is a supplementary protocol to tcp.
Ordinary tcp establishes a connection with a three-way handshake and only then sends data; the handshake consumes a certain time, which slows new connection setup in large-scale use. With tcp-fast-open, a cookie is negotiated during the first tcp connection, and when the two parties re-establish a tcp connection later the cookie can be carried, so that data can be carried in the tcp-syn packet, that is, sent in the handshake packet, which accelerates the tcp transmission flow.
In the embodiment of the specification, a piece of information (namely a cookie and an application identity, such as an application name) is inserted directly into the tcp-syn packet at the tcp sender based on the tfo protocol. Because no cookie has been negotiated, the tcp receiving end holds no cookie information, so tcp rolls back to normal tcp: the tcp-syn packet is used only to establish the tcp handshake and the data carried in it is discarded. In other words, the information inserted into the tcp-syn packet does not affect the original tcp function.
After the identity has been successfully inserted into the tcp-syn packet at the tcp sending end, it is carried in the data packets subsequently sent to the tcp receiving end, and the tcp receiving end verifies the identity inserted in the tcp-syn packet against the earlier negotiation information, thereby completing identity-acl.
In another case, when the sending end 102 cannot deploy the secure sidecar container, or when some machines are for some reason temporarily without the protection of the secure sidecar container (for example, it has not been created yet, or it cannot work normally because of a restart), the receiving end 104 may directly release the tcp-syn packet of the sending end 102 after receiving it and complete the handshake between the sending end 102 and the receiving end 104; meanwhile, the application identity of the tcp-syn packet, i.e. the source IP address of the sending end 102, is queried asynchronously and the query result is cached locally. If the query result shows that the source IP address of the sending end 102 is not trusted, the handshake already established between the sending end 102 and the receiving end 104 can be cut off directly; although tcp is already established and some data has been transmitted by then, the security effect is still good as long as the cut-off is timely.
Meanwhile, because the query result is cached locally, when the sending end 102 initiates a tcp connection to the receiving end 104 again, the locally cached query result can be hit even if the tcp-syn packet carries no identity information, so that identity-acl is still performed.
In the embodiment of the present description, when an identity is inserted in the tcp-syn packet sent by the sending end, security verification of the tcp-syn packet is performed through the inserted identity, ensuring the security of the tcp connection; when no identity is inserted in the tcp-syn packet sent by the sending end, the security of the sending end's source IP address is queried asynchronously while the tcp connection proceeds, and the connection is kept or cut according to the query result, likewise ensuring the security of the tcp connection.
Referring to fig. 2, fig. 2 is a flowchart illustrating a network connection processing method according to an embodiment of the present disclosure, which is applied to a receiving end and specifically includes the following steps.
Step 202: and receiving a connection establishment request sent by a sending end.
As in the above-described embodiment, in the case where the network connection processing method is applied to a container scheduling system (e.g., k8 s), the sender 102 and the receiver 104 can be understood as one pod.
The connection establishment request may be understood as a tcp connection request or a tcp handshake request.
With the receiving end as the executing entity, receiving the connection establishment request sent by the sending end can be understood as follows: the receiving end receives a tcp connection request or a tcp handshake request sent by the sending end.
Step 204: and selecting different connection establishment strategies to establish a connection relation with the sending end according to whether the connection establishment request carries identity authentication information or not.
The identity authentication information is determined by the sending end and the receiving end according to a preset transmission control protocol.
Specifically, the authentication information may be understood as information directly inserted in a tcp-syn packet at a tcp sender based on the tfo protocol (i.e., a cookie and an application identity, such as an application name, etc.) in the above embodiment.
The preset transmission control protocol can be understood as the tcp-fast-open protocol; in practical application it may also be another protocol, as long as the sending end and the receiving end can agree on the authentication information through it. That is, the sending end and the receiving end reach agreement on the authentication information in advance based on the preset transmission protocol; the sending end then inserts the agreed authentication information when it subsequently sends a tcp connection request, and the receiving end, on receiving that request, considers the authentication information trustworthy and safe.
In practical applications, before receiving the connection establishment request sent by the sending end, the method further includes:
receiving a connection establishment request sent by a sending end for the first time, wherein the connection establishment request carries sending end attribute information inserted according to a preset transmission control protocol;
and generating authentication information according to the attribute information of the sending end, and returning the authentication information to the sending end.
The sender attribute information includes, but is not limited to, a cookie and an application identity of the sender, such as an application name.
Specifically, the sender initiates tcp handshake to the receiver for the first time, and based on tfo protocol, the sender attribute information (i.e. cookie and application identity, such as application name, etc.) is directly inserted into the tcp-syn packet of the sender. The receiving end generates the authentication information aiming at the sending end according to the attribute information of the sending end and returns the authentication information to the sending end, namely, the negotiation of the sending end and the receiving end aiming at the authentication information is completed based on tfo protocol.
Once the sending end has received the identity authentication information, the identity is carried in the data packets subsequently sent to the receiving end, and the receiving end authenticates the identity inserted in the tcp-syn packet against the earlier negotiation information, thereby completing identity-acl and guaranteeing the trustworthiness and security of the tcp connection.
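As an added illustration (not code from the patent or from Alibaba Cloud), the following Python sketch models the negotiation and verification steps described above: the first tcp-syn carries sender attribute information (a cookie and an application name), the receiving end derives authentication information from it and returns it, and later tcp-syn packets carrying that authentication information are verified and then subjected to identity-acl. The wire format (a constructed `IACL` magic with length-prefixed fields), the choice of a truncated HMAC-SHA256 tag keyed by a receiver-side secret as the authentication information, and the names `SendingEnd`, `ReceivingEnd`, `negotiate` and `classify_syn` are all assumptions of this example; the patent fixes none of them. Payloads that are empty or not in this format take the no-auth-info path, which mirrors the tfo rollback behaviour described earlier.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed payload format for the information inserted in a tcp-syn packet
# (the patent fixes no format; this layout is the example's own):
#   magic(4) | kind(1) | length(2, big-endian) | body
MAGIC = b"IACL"
KIND_ATTR = 1   # first contact: sender attribute information (cookie + application identity)
KIND_AUTH = 2   # later contacts: authentication information returned by the receiving end
TAG_LEN = 16    # truncated HMAC-SHA256 tag length (assumption)


def encode(kind: int, body: bytes) -> bytes:
    return MAGIC + struct.pack("!BH", kind, len(body)) + body


def decode(payload: bytes):
    """Return (kind, body), or None when the syn data is empty or not in our format."""
    if len(payload) < 7 or payload[:4] != MAGIC:
        return None
    kind, length = struct.unpack("!BH", payload[4:7])
    body = payload[7:7 + length]
    return (kind, body) if len(body) == length else None


def pack_fields(*fields: bytes) -> bytes:
    """Length-prefixed fields, so cookie and application name cannot be confused."""
    return b"".join(struct.pack("!H", len(f)) + f for f in fields)


def unpack_fields(data: bytes):
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated field header")
        (n,) = struct.unpack("!H", data[i:i + 2])
        i += 2
        if i + n > len(data):
            raise ValueError("truncated field")
        out.append(data[i:i + n])
        i += n
    return out


class ReceivingEnd:
    def __init__(self, allowed_apps):
        self._key = secrets.token_bytes(32)    # receiver-side secret; never sent
        self.allowed_apps = set(allowed_apps)  # identity-acl: application names admitted

    def _tag(self, cookie: bytes, app: bytes) -> bytes:
        return hmac.new(self._key, pack_fields(cookie, app), hashlib.sha256).digest()[:TAG_LEN]

    def negotiate(self, first_syn_payload: bytes):
        """First contact: derive authentication information from the sender attribute
        information and return it to the sending end (None if the request is malformed)."""
        parsed = decode(first_syn_payload)
        if parsed is None or parsed[0] != KIND_ATTR:
            return None
        try:
            cookie, app = unpack_fields(parsed[1])
        except ValueError:
            return None
        return pack_fields(cookie, app, self._tag(cookie, app))

    def classify_syn(self, syn_payload: bytes):
        """Choose the connection establishment strategy for an incoming tcp-syn packet."""
        parsed = decode(syn_payload)
        if parsed is None or parsed[0] != KIND_AUTH:
            # No authentication information: plain tcp plus asynchronous trust query.
            return ("no_auth_info", None)
        try:
            cookie, app, tag = unpack_fields(parsed[1])
        except ValueError:
            return ("reject", None)
        if not hmac.compare_digest(tag, self._tag(cookie, app)):
            return ("reject", None)           # forged or tampered authentication information
        if app not in self.allowed_apps:
            return ("reject", app.decode())   # authentic identity, but denied by identity-acl
        return ("accept", app.decode())


class SendingEnd:
    def __init__(self, app_name: str):
        self.app = app_name.encode()
        self.cookie = secrets.token_bytes(8)  # constructed per-sender cookie
        self.auth_info = None

    def first_syn_payload(self) -> bytes:
        return encode(KIND_ATTR, pack_fields(self.cookie, self.app))

    def syn_payload(self) -> bytes:
        return b"" if self.auth_info is None else encode(KIND_AUTH, self.auth_info)


def demo():
    rx = ReceivingEnd(allowed_apps={b"orders"})
    tx = SendingEnd("orders")
    tx.auth_info = rx.negotiate(tx.first_syn_payload())   # negotiation on first contact
    accepted = rx.classify_syn(tx.syn_payload())          # later syn with valid auth info
    plain = rx.classify_syn(b"")                          # ordinary syn, no tfo data
    tampered = bytearray(tx.syn_payload())
    tampered[-1] ^= 0x01                                  # flip one bit of the tag
    forged = rx.classify_syn(bytes(tampered))
    other = SendingEnd("shell")                           # authentic, but not in the acl
    other.auth_info = rx.negotiate(other.first_syn_payload())
    denied = rx.classify_syn(other.syn_payload())
    return accepted, plain, forged, denied


if __name__ == "__main__":
    print(demo())
```

The receiving end keeps no per-sender state: because the tag is an HMAC over both the cookie and the application identity, tampering with either field or with the tag itself is rejected, and authentication information negotiated under one application name cannot be reused under another. The membership check against `allowed_apps` is the identity-acl step; everything before it only establishes that the identity is the one the receiving end issued.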
In specific implementation, the receiving end selects different connection establishment strategies to establish a connection relation with the sending end according to whether the connection establishment request carries identity authentication information or not; namely, under the condition that the receiving end determines that the connection establishment request sent by the sending end carries identity authentication information, one connection establishment strategy is selected to establish a connection relation with the sending end; and the receiving end selects another connection establishment strategy to establish a connection relation with the sending end under the condition of determining that the connection establishment request sent by the sending end does not carry the identity authentication information.
First, a case where the connection establishment request sent by the sending end does not carry authentication information will be described. The specific implementation mode is as follows:
the selecting different connection establishment strategies to establish the connection relationship with the sending end according to whether the connection establishment request carries identity authentication information or not comprises the following steps:
and under the condition that the connection establishing request is determined not to carry identity authentication information, selecting a first connection establishing strategy to establish a connection relation with the sending end.
Specifically, after receiving a connection establishment request sent by a sending end, a receiving end selects a first connection establishment strategy to establish a connection relationship with the sending end under the condition that the connection establishment request is determined not to carry authentication information, so as to ensure the credibility and the safety of the connection relationship.
In practical application, the specific implementation manner of establishing the connection relationship with the sending end according to the first connection establishment policy is as follows:
the selecting a first connection establishment strategy and establishing a connection relationship with the sending end includes:
and establishing a connection relation with the sending end, asynchronously inquiring whether the sending end is credible, and determining and caching an inquiry result.
Specifically, after receiving a connection establishment request sent by a sending end, a receiving end directly releases a data packet (such as the tcp-syn packet) sent by the sending end under the condition that the connection establishment request does not carry identity authentication information, namely, the receiving end directly establishes a connection relationship with the sending end; and meanwhile, asynchronously inquiring whether the sending end is credible or not, and determining and caching the inquiry result.
In the embodiment of the present description, under the condition that the connection establishment request sent by the sending end does not carry the authentication information, the receiving end establishes a connection with the sending end and simultaneously asynchronously queries the identity of the sending end, and then asynchronously intercepts the connection relationship with potential safety hazards based on the query result, so as to ensure the credibility and the safety of the tcp connection.
In addition, the query result is cached, so that even if the request still does not carry the authentication information under the condition that the receiving end receives the tcp connection request sent by the sending end again, whether tcp connection is performed with the request or the tcp connection is rejected can be quickly and accurately determined based on the cached query result. The specific implementation mode is as follows:
after determining and caching the query result, the method further comprises:
and maintaining the connection relation established with the sending end under the condition that the sending end is determined to be credible according to the query result.
Specifically, the receiving end continues to maintain the connection relation established with the sending end under the condition that the sending end is determined to be credible according to the query result; network delay caused by carrying out credibility query of a sending end and then carrying out tcp connection is avoided.
And the receiving end needs to break the connection relation established with the sending end under the condition that the sending end is determined to be not trusted according to the query result so as to ensure the safety of the data. The specific implementation mode is as follows:
after determining and caching the query result, the method further comprises:
and under the condition that the sending end is determined to be not trusted according to the query result, disconnecting the connection relation established with the sending end.
In practical application, although the receiving end still establishes a connection relation with the sending end when the connection establishment request carries no identity authentication information, it asynchronously queries the trusted status of the sending end while doing so. When the syn packet of the first tcp connection sent by the sending end is found to carry no identity authentication information, the recorded data packet information (the source IP address) is used instead to query identity-acl; if the query result is to intercept the tcp connection, a command is issued directly to cut off the first tcp connection that has already been established. Although this tcp connection is already established and has transmitted data, the security effect is still good as long as the cut-off is timely.
Specifically, whether a sending end is trusted can be queried asynchronously in two ways: the first determines the trusted status of the sending end by directly querying whether its source IP address is trusted; the second first determines the identity authentication information of the sending end from its source IP address, and then determines the trusted status of the sending end by querying whether that identity authentication information is trusted. The first way is described in detail first.
For example, the asynchronous query whether the source IP address of the sender is trusted may be implemented by a trusted address mapping list. The specific implementation mode is as follows:
the asynchronous query whether the sending end is trusted includes:
asynchronously determining a source IP address of the sending end;
matching the source IP address of the sending end with a credible IP address in a credible address mapping list;
and determining whether the source IP address of the sending end is credible according to the matching result.
Specifically, a plurality of trusted IP addresses are recorded in the trusted address mapping list.
In the embodiment of the present specification, the source IP address of the sending end is matched against the trusted IP addresses in the trusted address mapping list, and whether the source IP address of the sending end is trusted or untrusted can then be determined quickly and accurately from the matching result. The specific implementation is as follows:
the determining whether the source IP address of the sending end is credible according to the matching result includes:
determining that the source IP address of the sending end is credible under the condition that a credible IP address matched with the source IP address of the sending end exists in the credible address mapping list according to the matching result; and
and determining that the source IP address of the sending end is not credible under the condition that the credible IP address matched with the source IP address of the sending end does not exist in the credible address mapping list according to the matching result.
In practical application, because all the trusted IP addresses of the trusted sending end are stored in the trusted address mapping list, the source IP address of the sending end can be determined to be trusted under the condition that the trusted IP address corresponding to the source IP address of the sending end can be found in the trusted address mapping list; and under the condition that the trusted IP address corresponding to the source IP address of the sending end cannot be found in the trusted address mapping list, determining that the source IP address of the sending end is not trusted. By the method, the credibility and the safety of the sending end can be rapidly verified so as to ensure the stability of tcp connection; the query result determination mode through the trusted address mapping list is faster than online query, and network delay is reduced.
Next, the second way is taken as an example, and the asynchronous query of whether the sending end is trusted is described in detail below.
The asynchronous query whether the sending end is trusted includes:
asynchronously determining a source IP address of the sending end;
determining the identity authentication information of the sending end according to the source IP address;
matching the authentication information with trusted authentication information in an access control list;
and determining whether the identity authentication information of the sending end is credible according to the matching result.
Specifically, the access control list is stored locally, and a plurality of pieces of trusted authentication information are recorded.
In the embodiment of the present specification, the matching result between the identity authentication information of the sending end and the trusted identity authentication information may be obtained by querying a local access control list, and whether the identity authentication information of the sending end is trusted or untrusted may then be determined quickly and accurately according to that matching result. The specific implementation mode is as follows:
the determining whether the identity authentication information of the sending end is credible according to the matching result includes:
determining that the identity authentication information of the sending end is credible under the condition that credible identity authentication information matched with the identity authentication information of the sending end exists in the access control list according to the matching result; and
and determining that the identity authentication information of the sending end is not credible under the condition that the credible identity authentication information matched with the identity authentication information of the sending end does not exist in the access control list according to the matching result.
In practical application, since all the trusted authentication information of the trusted sending end is stored in the access control list, the authentication information of the sending end can be determined to be trusted under the condition that the trusted authentication information corresponding to the authentication information of the sending end can be found in the access control list; and under the condition that the credible authentication information corresponding to the authentication information of the sending end cannot be found in the access control list, determining that the authentication information of the sending end is not credible. By the method, the credibility and the safety of the sending end can be rapidly verified so as to ensure the stability of tcp connection; the query result determination mode through the access control list is faster than online query, and network delay is reduced.
After the query result of the sending end is cached, under the condition that the connection establishment request without the authentication information of the sending end is received again, whether the sending end has potential safety hazard can be rapidly judged from the cache, and whether the tcp connection is established with the sending end or not is determined. The specific implementation mode is as follows:
after determining and caching the query result, the method further comprises:
receiving a connection establishment request sent again by the sending end;
determining whether the sending end is credible or not from the cache under the condition that the retransmitted connection request is determined not to carry identity authentication information;
and determining whether to establish a connection relationship with the sending end again according to the query result of whether the sending end is credible or not determined from the cache.
Specifically, after the receiving end has cached locally the query result for the source IP address or the identity authentication information of the sending end, as determined according to the trusted address mapping list or the access control list, and then receives a connection establishment request sent again by the sending end, it can look up from the local cache whether the sending end is trusted if that connection establishment request still does not carry identity authentication information, and decide according to the query result whether to establish the connection relationship with the sending end again.
That is, when the sending end is found in the local cache to be untrusted, the request of the sending end to establish a connection relationship can be rejected; and when the sending end is found in the local cache to be trusted, the connection relationship with the sending end can be established again.
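The first connection establishment strategy described above, as an added example that is not code from the patent or from Alibaba Cloud: a Python model of the receiving end that establishes the connection first, runs the trusted-condition query afterwards in either of the two ways (trusted address mapping list, or source IP to identity authentication information matched against the access control list), caches the verdict, cuts off an established connection when the verdict is untrusted, and serves a repeated request without authentication information from the cache. The "asynchronous" query is modelled as a pending queue drained by `run_pending_queries()` so the behaviour is deterministic; the IP addresses, identities, `TRUSTED_ADDRESS_LIST`, `ADDRESS_TO_IDENTITY` and `IDENTITY_ACL` are constructed sample data, and all names are this example's own assumptions.

```python
"""Receiving-end model of the first connection establishment strategy."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set

# Constructed sample data (assumptions for this example, not from the patent).
TRUSTED_ADDRESS_LIST: Set[str] = {"10.0.1.10", "10.0.1.11"}      # first way: trusted address mapping list
ADDRESS_TO_IDENTITY: Dict[str, str] = {                           # second way: source IP -> identity
    "10.0.1.10": "svc-frontend",
    "10.0.1.11": "svc-legacy",
    "10.0.9.99": "svc-unknown",
}
IDENTITY_ACL: Set[str] = {"svc-frontend"}                         # trusted identity authentication information


@dataclass
class TcpConnection:
    src_ip: str
    established: bool = True      # set to False when the receiving end cuts the connection off


@dataclass
class ReceivingEnd:
    mode: str = "ip"                                            # "ip" (first way) or "identity" (second way)
    cache: Dict[str, bool] = field(default_factory=dict)        # src_ip -> cached trusted verdict
    pending: Deque[TcpConnection] = field(default_factory=deque)  # connections awaiting the async query
    events: List[str] = field(default_factory=list)

    def is_trusted(self, src_ip: str) -> bool:
        """The query itself, in whichever of the two ways is configured."""
        if self.mode == "ip":
            return src_ip in TRUSTED_ADDRESS_LIST
        identity = ADDRESS_TO_IDENTITY.get(src_ip)
        return identity is not None and identity in IDENTITY_ACL

    def on_syn_without_auth(self, src_ip: str) -> Optional[TcpConnection]:
        """A syn packet without identity authentication information arrives."""
        cached = self.cache.get(src_ip)
        if cached is False:                       # repeated request, known untrusted: reject
            self.events.append(f"reject {src_ip} (cached untrusted)")
            return None
        conn = TcpConnection(src_ip)              # release the traffic first
        if cached is None:                        # unknown sender: queue the asynchronous query
            self.pending.append(conn)
            self.events.append(f"establish {src_ip}, query queued")
        else:
            self.events.append(f"establish {src_ip} (cached trusted)")
        return conn

    def run_pending_queries(self) -> None:
        """Drain the queue: decide, cache, and cut off anything untrusted."""
        while self.pending:
            conn = self.pending.popleft()
            trusted = self.is_trusted(conn.src_ip)
            self.cache[conn.src_ip] = trusted
            if trusted:
                self.events.append(f"keep {conn.src_ip}")
            else:
                conn.established = False          # asynchronous interception of released traffic
                self.events.append(f"cut {conn.src_ip}")


def demo(mode: str) -> Dict[str, object]:
    """Two rounds of syn packets from three constructed senders."""
    rx = ReceivingEnd(mode=mode)
    senders = ("10.0.1.10", "10.0.1.11", "10.0.9.99")
    first = {ip: rx.on_syn_without_auth(ip) for ip in senders}   # all released immediately
    rx.run_pending_queries()                                     # verdicts arrive later
    second = {ip: rx.on_syn_without_auth(ip) for ip in senders}  # served from the cache
    return {
        "first_established": {ip: c.established for ip, c in first.items()},
        "second_admitted": {ip: c is not None for ip, c in second.items()},
        "cache": dict(rx.cache),
        "pending_after": len(rx.pending),
    }


if __name__ == "__main__":
    for mode in ("ip", "identity"):
        print(mode, demo(mode))
```

The two rounds make the trade-off visible: in the first round every sender is released, and the untrusted ones are only cut off once the queue is drained, so the interval between `establish` and `cut` in `events` is the exposure window the text refers to when it says the cut-off must be timely; in the second round the cache answers before any connection is established.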
Next, a description is given of a case where the connection establishment request sent by the sending end carries authentication information. The specific implementation mode is as follows:
the selecting different connection establishment strategies to establish the connection relationship with the sending end according to whether the connection establishment request carries identity authentication information or not comprises the following steps:
and under the condition that the connection establishment request is determined to carry identity authentication information, selecting a second connection establishment strategy to establish a connection relation with the sending end.
Specifically, the receiving end selects the second connection establishment policy to establish the connection relationship with the transmitting end when determining that the connection establishment request sent by the transmitting end carries the authentication information (i.e., the authentication information is inserted in the syn packet). The specific implementation mode is as follows:
the selecting a second connection establishment strategy and establishing a connection relationship with the sending end includes:
authenticating the sending end according to the identity verification information and carrying out access control based on identity;
and establishing a connection relation with the sending end under the condition that the identity authentication information of the sending end is determined to be credible.
In practical application, when the receiving end determines that the connection establishment request sent by the sending end carries identity authentication information (i.e., the authentication information is inserted in the syn packet), it authenticates the sending end and performs identity-based access control on it according to that authentication information (for example, by matching the authentication information inserted in the syn packet against the trusted authentication information in a local access control list), and establishes a connection relationship with the sending end once the authentication information of the sending end is determined to be trusted. That is, when the receiving end determines that the connection establishment request sent by the sending end carries identity authentication information (i.e., the authentication information is inserted in the syn packet), it first authenticates the sending end by verifying that the information carried in the syn packet is genuine and that its signature is valid, then matches the authentication information inserted in the syn packet against the trusted authentication information in the local access control list so as to determine the trusted condition of the sending end's authentication information, and establishes a connection relationship with the sending end when that authentication information is trusted.
In the embodiment of the present specification, the network connection processing method may select different connection establishment policies by determining whether a connection establishment request sent by a sending end carries authentication information predefined by the sending end and a receiving end, so as to implement quick and safe establishment of a connection relationship with the sending end, solve the technical problem of network delay caused by online query on the security of an ip address of the sending end, and improve user experience.
That is, the network connection processing method provided in the embodiments of the present specification implements asynchronous identity query: for an ordinary data packet (syn packet) that does not carry identity authentication information, the traffic is first released (the connection relation is established), the identity of the sending end is then queried asynchronously, and the query result is cached locally. It also implements asynchronous traffic interception: for a released tcp connection, if the identity query and identity-acl identify it as to be intercepted, the tcp connection (connection relation) is cut off; because the identity query is fast, the time for which the tcp connection is released is short, and the overall security effect remains good. The stability and security of network connections are improved through the asynchronous identity query and asynchronous traffic interception functions.
The following will further describe the network connection processing method by taking the application of the network connection processing method provided in this specification to tcp connection of a container scheduling system as an example, with reference to fig. 3. Fig. 3 shows a flowchart of an interaction processing procedure of a network connection processing method according to an embodiment of the present specification, which specifically includes the following steps.
Step 302: and the transmitting end transmits tcp handshake to the receiving end, namely transmits tcp-syn packet.
Step 304: the sending end judges whether the tcp-syn packet is intercepted by the security sidecar container, if so, step 306 is executed, and if not, step 310 is executed.
In particular implementation, when the secure sidecar container is down, it may happen that the tcp-syn packet is not intercepted by the secure sidecar container.
Step 306: and the safety sidecar container of the sending end inserts the identity authentication information into the tcp-syn packet and sends the tcp-syn packet to the receiving end.
Step 308: and the receiving end receives the tcp-syn packet, the tcp-syn packet is intercepted by a security sidecar container, the identity authentication information inserted in the tcp-syn packet is verified and identified-acl is carried out, the data packet is released after the verification is passed, and the tcp handshake with the transmitting end is completed.
Step 310: and the transmitting end transmits the tcp-syn packet to the receiving end.
Step 312: and the receiving end receives the tcp-syn packet and directly releases the tcp-syn packet, namely, the tcp-syn packet is subjected to tcp handshake with the transmitting end.
Step 314: and the receiving end asynchronously inquires the application identity of the src-ip in the tcp-syn packet and caches the inquiry result locally.
Step 316: and the receiving end intercepts the tcp connection under the condition that the application identity of the src-ip is determined to be not authentic according to the query result, namely, the established tcp connection is directly sent out to cut off the tcp connection.
Step 318: and the receiving end receives the syn packet connected with the tcp of the sending end again under the condition that the application identity of the src-ip is determined to be credible according to the query result, and hits the current cache for identity-acl under the condition that the syn packet does not carry identity authentication information.
Corresponding to the above method embodiment, the present specification further provides an embodiment of a network connection processing apparatus, and fig. 4 shows a schematic structural diagram of a network connection processing apparatus provided in an embodiment of the present specification. As shown in fig. 4, the apparatus includes:
a request receiving module 402 configured to receive a connection establishment request sent by a sending end;
a connection establishing module 404, configured to select different connection establishing policies to establish a connection relationship with the sending end according to whether the connection establishing request carries identity authentication information;
the identity authentication information is determined by the sending end and the receiving end according to a preset transmission control protocol.
Optionally, the connection establishing module 404 is further configured to:
under the condition that the connection establishing request is determined not to carry identity authentication information, selecting a first connection establishing strategy to establish a connection relation with the sending end.
Optionally, the connection establishing module 404 is further configured to:
establishing a connection relation with the sending end, asynchronously inquiring whether the sending end is credible, and determining and caching an inquiry result.
Optionally, the apparatus further comprises:
a first relationship determination module configured to:
maintaining the connection relation established with the sending end under the condition that the sending end is determined to be credible according to the query result.
Optionally, the apparatus further comprises:
a second relationship determination module configured to:
under the condition that the sending end is determined to be not trusted according to the query result, disconnecting the connection relation established with the sending end.
Optionally, the connection establishing module 404 is further configured to:
asynchronously determining a source IP address of the sending end;
matching the source IP address of the sending end with a credible IP address in a credible address mapping list;
and determining whether the source IP address of the sending end is credible according to the matching result.
Optionally, the connection establishing module 404 is further configured to:
determining that the source IP address of the sending end is credible under the condition that a credible IP address matched with the source IP address of the sending end exists in the credible address mapping list according to the matching result; and
and determining that the source IP address of the sending end is not credible under the condition that the credible IP address matched with the source IP address of the sending end does not exist in the credible address mapping list according to the matching result.
Optionally, the connection establishing module 404 is further configured to:
asynchronously determining a source IP address of the sending end;
determining the identity authentication information of the sending end according to the source IP address;
matching the authentication information with trusted authentication information in an access control list;
and determining whether the identity authentication information of the sending end is credible according to the matching result.
Optionally, the connection establishing module 404 is further configured to:
determining that the identity authentication information of the sending end is credible under the condition that credible identity authentication information matched with the identity authentication information of the sending end exists in the access control list according to the matching result; and
and determining that the identity authentication information of the sending end is not credible under the condition that the credible identity authentication information matched with the identity authentication information of the sending end does not exist in the access control list according to the matching result.
Optionally, the apparatus further comprises:
a connection relationship determination module configured to:
receiving a connection establishment request sent again by the sending end;
determining whether the sending end is credible or not from the cache under the condition that the retransmitted connection request is determined not to carry identity authentication information;
and determining whether to establish a connection relationship with the sending end again according to the query result of whether the sending end is credible or not determined from the cache.
Optionally, the connection establishing module 404 is further configured to:
under the condition that the connection establishment request is determined to carry identity authentication information, selecting a second connection establishment strategy to establish a connection relation with the sending end.
Optionally, the connection establishing module 404 is further configured to:
authenticating the sending end according to the identity verification information and carrying out access control based on identity;
and establishing a connection relation with the sending end under the condition that the identity authentication information of the sending end is determined to be credible.
Optionally, the apparatus further comprises:
an authentication information determination module configured to:
receiving a connection establishment request sent by a sending end for the first time, wherein the connection establishment request carries sending end attribute information inserted according to a preset transmission control protocol;
and generating authentication information according to the attribute information of the sending end, and returning the authentication information to the sending end.
In the embodiment of the present specification, the network connection processing apparatus may select different connection establishment policies by determining whether a connection establishment request sent by a sending end carries authentication information predefined by the sending end and a receiving end, so as to implement quick and secure establishment of a connection relationship with the sending end, solve the technical problem of network delay caused by online query on security of an IP address of the sending end, and improve user experience.
The foregoing is a schematic diagram of a network connection processing apparatus according to this embodiment. It should be noted that the technical solution of the network connection processing apparatus and the technical solution of the network connection processing method belong to the same concept, and details that are not described in detail in the technical solution of the network connection processing apparatus can be referred to the description of the technical solution of the network connection processing method.
FIG. 5 illustrates a block diagram of a computing device 500 provided in accordance with one embodiment of the present description. The components of the computing device 500 include, but are not limited to, a memory 510 and a processor 520. Processor 520 is coupled to memory 510 via bus 530, and database 550 is used to store data.
Computing device 500 also includes access device 540, access device 540 enabling computing device 500 to communicate via one or more networks 560. Examples of such networks include the Public Switched Telephone Network (PSTN), a Local Area Network (LAN), a Wide Area Network (WAN), a Personal Area Network (PAN), or a combination of communication networks such as the internet. The access device 540 may include one or more of any type of network interface, e.g., a Network Interface Card (NIC), wired or wireless, such as an IEEE802.11 Wireless Local Area Network (WLAN) wireless interface, a worldwide interoperability for microwave access (Wi-MAX) interface, an ethernet interface, a Universal Serial Bus (USB) interface, a cellular network interface, a bluetooth interface, a Near Field Communication (NFC) interface, and so forth.
In one embodiment of the present description, the above-described components of computing device 500, as well as other components not shown in FIG. 5, may also be connected to each other, such as by a bus. It should be understood that the block diagram of the computing device architecture shown in FIG. 5 is for purposes of example only and is not limiting as to the scope of the present description. Those skilled in the art may add or replace other components as desired.
Computing device 500 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), mobile phone (e.g., smartphone), wearable computing device (e.g., smartwatch, smartglasses, etc.), or other type of mobile device, or a stationary computing device such as a desktop computer or PC. Computing device 500 may also be a mobile or stationary server.
Wherein the processor 520 is configured to execute computer-executable instructions that, when executed by the processor, implement the steps of the network connection processing method described above.
The above is an illustrative scheme of a computing device of the present embodiment. It should be noted that the technical solution of the computing device and the technical solution of the network connection processing method belong to the same concept, and details that are not described in detail in the technical solution of the computing device can be referred to the description of the technical solution of the network connection processing method.
An embodiment of the present specification further provides a computer-readable storage medium storing computer-executable instructions, which when executed by a processor implement the steps of the network connection processing method.
The above is an illustrative scheme of a computer-readable storage medium of the present embodiment. It should be noted that the technical solution of the storage medium belongs to the same concept as the technical solution of the network connection processing method, and details that are not described in detail in the technical solution of the storage medium can be referred to the description of the technical solution of the network connection processing method.
An embodiment of the present specification further provides a computer program, wherein when the computer program is executed in a computer, the computer is caused to execute the steps of the network connection processing method.
The above is an illustrative scheme of a computer program of the present embodiment. It should be noted that the technical solution of the computer program and the technical solution of the network connection processing method belong to the same concept, and details that are not described in detail in the technical solution of the computer program can be referred to the description of the technical solution of the network connection processing method.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The computer instructions comprise computer program code which may be in the form of source code, object code, an executable file or some intermediate form, or the like. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
It should be noted that, for the sake of simplicity, the foregoing method embodiments are described as a series of acts, but those skilled in the art should understand that the present embodiment is not limited by the described acts, because some steps may be performed in other sequences or simultaneously according to the present embodiment. Further, those skilled in the art should also appreciate that the embodiments described in this specification are preferred embodiments and that acts and modules referred to are not necessarily required for an embodiment of the specification.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are intended only to aid in the description of the specification. Alternative embodiments are not exhaustive and do not limit the invention to the precise embodiments described. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the embodiments. The specification is limited only by the claims and their full scope and equivalents.

Claims (14)

1. A network connection processing method is applied to a receiving end and comprises the following steps:
receiving a connection establishment request sent by a sending end;
selecting different connection establishment strategies to establish a connection relation with the sending end according to whether the connection establishment request carries identity authentication information or not;
the identity authentication information is determined by the sending end and the receiving end according to a preset transmission control protocol.
2. The network connection processing method according to claim 1, wherein selecting different connection establishment policies to establish a connection relationship with the sending end according to whether the connection establishment request carries authentication information includes:
and under the condition that the connection establishing request is determined not to carry identity authentication information, selecting a first connection establishing strategy to establish a connection relation with the sending end.
3. The network connection processing method according to claim 2, wherein the selecting a first connection establishment policy and establishing a connection relationship with the sending end includes:
and establishing a connection relation with the sending end, asynchronously inquiring whether the sending end is credible, and determining and caching an inquiry result.
4. The network connection processing method of claim 3, after determining and caching the query result, further comprising:
and under the condition that the sending end is determined to be not trusted according to the query result, disconnecting the connection relation established with the sending end.
5. The network connection processing method of claim 3, wherein the asynchronously querying whether the sender is trusted comprises:
asynchronously determining a source IP address of the sending end;
matching the source IP address of the sending end with a credible IP address in a credible address mapping list;
and determining whether the source IP address of the sending end is credible according to the matching result.
6. The network connection processing method of claim 5, wherein the determining whether the source IP address of the sender is trusted according to the matching result comprises:
determining that the source IP address of the sending end is credible under the condition that a credible IP address matched with the source IP address of the sending end exists in the credible address mapping list according to the matching result; and
and determining that the source IP address of the sending end is not credible under the condition that the credible IP address matched with the source IP address of the sending end does not exist in the credible address mapping list according to the matching result.
7. The network connection processing method of claim 3, wherein the asynchronously querying whether the sender is trusted comprises:
asynchronously determining a source IP address of the sending end;
determining the identity authentication information of the sending end according to the source IP address;
matching the authentication information with trusted authentication information in an access control list;
and determining whether the identity authentication information of the sending end is credible according to the matching result.
8. The network connection processing method according to claim 7, wherein the determining whether the identity authentication information of the sending end is credible according to the matching result includes:
determining that the identity authentication information of the sending end is credible if, according to the matching result, credible identity authentication information matching the identity authentication information of the sending end exists in the access control list; and
determining that the identity authentication information of the sending end is not credible if, according to the matching result, no credible identity authentication information matching the identity authentication information of the sending end exists in the access control list.
9. The network connection processing method of claim 3, after determining and caching the query result, further comprising:
receiving a connection establishment request sent again by the sending end;
determining, from the cache, whether the sending end is credible if the connection establishment request sent again is determined not to carry identity authentication information;
and determining whether to establish a connection relationship with the sending end again according to the query result of whether the sending end is credible or not determined from the cache.
10. The network connection processing method according to claim 1, wherein selecting different connection establishment policies to establish a connection relationship with the sending end according to whether the connection establishment request carries identity authentication information includes:
selecting a second connection establishment policy to establish a connection relationship with the sending end if the connection establishment request is determined to carry identity authentication information.
11. The network connection processing method according to claim 10, wherein the selecting a second connection establishment policy to establish a connection relationship with the sending end includes:
authenticating the sending end according to the identity authentication information and performing identity-based access control;
and establishing a connection relation with the sending end under the condition that the identity authentication information of the sending end is determined to be credible.
12. A network connection processing device applied to a receiving end comprises:
a request receiving module configured to receive a connection establishment request sent by a sending end; and
a connection establishing module configured to select different connection establishment policies to establish a connection relationship with the sending end according to whether the connection establishment request carries identity authentication information;
wherein the identity authentication information is determined by the sending end and the receiving end according to a preset transmission control protocol.
13. A computing device, comprising:
a memory and a processor;
the memory is configured to store computer-executable instructions and the processor is configured to execute the computer-executable instructions, which when executed by the processor implement the steps of the network connection processing method of any one of claims 1 to 11.
14. A computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the steps of the network connection processing method of any one of claims 1 to 11.
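As an added example (not the patent's own code or any Alibaba Cloud implementation), the following Python models the receiving-end decision logic of claims 1 and 5 to 11: a request carrying identity authentication information is checked against the access control list before any connection is made, while a request without it is assumed, as claims 3 and 9 imply, to be connected first with the trust query run afterwards and its result cached for repeated requests. The trusted-IP list, ACL, the IP-to-authentication-information mapping and all sample addresses are constructed for the example.

```python
from typing import Dict, List, Optional, Set

# Constructed sample policy data (not from the patent): a credible address
# mapping list (claim 5) and an access control list of trusted identity
# authentication information (claim 7). IP_TO_AUTH is an assumed mapping used
# to "determine the identity authentication information according to the
# source IP address" (claim 7).
TRUSTED_IPS: Set[str] = {"203.0.113.10"}
ACL: Set[bytes] = {b"token-A", b"token-B"}
IP_TO_AUTH: Dict[str, bytes] = {"203.0.113.10": b"token-A", "203.0.113.11": b"token-B"}


class Receiver:
    """Receiving end that selects a connection establishment policy by whether
    the request carries identity authentication information (claims 1, 10)."""

    def __init__(self) -> None:
        self.cache: Dict[str, bool] = {}   # cached trust query results (claims 3, 9)
        self.pending: List[str] = []       # source IPs whose asynchronous query has not run yet
        self.connected: Set[str] = set()   # sending ends with an established connection relationship

    def handle(self, source_ip: str, auth_info: Optional[bytes]) -> bool:
        """Return True when a connection relationship with the sending end is established."""
        if auth_info is not None:
            # Second policy (claims 10-11): authenticate first, connect only if trusted.
            trusted = auth_info in ACL
            if trusted:
                self.connected.add(source_ip)
            return trusted
        if source_ip in self.cache:
            # Request sent again without auth info: decide from the cache (claim 9).
            trusted = self.cache[source_ip]
            if trusted:
                self.connected.add(source_ip)
            return trusted
        # First policy (assumed from claims 3 and 9): connect now, query trust asynchronously.
        self.connected.add(source_ip)
        self.pending.append(source_ip)
        return True

    def run_pending_queries(self) -> None:
        """Execute the deferred trust queries and cache their results."""
        for ip in self.pending:
            trusted = ip in TRUSTED_IPS                       # claims 5-6: IP list match
            if not trusted:
                auth = IP_TO_AUTH.get(ip)                     # claims 7-8: ACL match on derived auth info
                trusted = auth is not None and auth in ACL
            self.cache[ip] = trusted
        self.pending.clear()
```

Note that under the first policy the very first request from an unknown address is always connected; the cache only protects against the second and later requests, which is the trade-off between connection latency and strict admission that the two policies express.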
Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN202210037507.9A CN114070878B (en) 2022-01-13 2022-01-13 Network connection processing method and device Active

Publications (2)

Publication Number Publication Date
CN114070878A true CN114070878A (en) 2022-02-18
CN114070878B CN114070878B (en) 2022-06-24

Family

ID=80231098

Country Status (1)

Country Link
CN (1) CN114070878B (en)

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101414912A (en) * 2008-11-28 2009-04-22 中国民生银行股份有限公司 Identification verification method, apparatus and system
CN103347016A (en) * 2013-06-28 2013-10-09 天津汉柏汉安信息技术有限公司 Attack defense method
EP3148156A1 (en) * 2014-05-21 2017-03-29 ZTE Corporation Sending method and apparatus and computer storage medium of notification message
US20170126828A1 (en) * 2014-05-21 2017-05-04 Zte Corporation Sending Method and Apparatus and Computer Storage Medium of Notification Message
CN106161147A (en) * 2015-03-31 2016-11-23 腾讯科技(深圳)有限公司 Set up the method and device that network connects
CN105656875A (en) * 2015-10-21 2016-06-08 乐卡汽车智能科技(北京)有限公司 Main stream connection building method and device based on MPTCP (Multi-Path Transmission Control Protocol)
WO2017067160A1 (en) * 2015-10-21 2017-04-27 乐视控股(北京)有限公司 Main stream connection establishment method and device based on mptcp
CN108881103A (en) * 2017-05-08 2018-11-23 腾讯科技(深圳)有限公司 A kind of method and device accessing network
CN110324296A (en) * 2018-03-30 2019-10-11 武汉斗鱼网络科技有限公司 A kind of barrage server connection method, device, client
CN108809933A (en) * 2018-04-12 2018-11-13 北京奇艺世纪科技有限公司 A kind of auth method, device and electronic equipment
US20210203760A1 (en) * 2019-12-31 2021-07-01 Cloudflare, Inc. Transparent Proxy Conversion of Transmission Control Protocol (TCP) Fast Open Connection
CN113612851A (en) * 2021-08-11 2021-11-05 山石网科通信技术股份有限公司 Remote connection method and device, storage medium and processor

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
邹波 (Zou Bo): "Application of the cookie idea in TCP and SCTP", 《电脑知识与技术》 (Computer Knowledge and Technology) *
韩立明 (Han Liming): "SYN Flooding defense technique based on IP caching", 《河南科技》 (Henan Science and Technology) *

Also Published As

Publication number Publication date
CN114070878B (en) 2022-06-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40067492; Country of ref document: HK)