CN114268669A - Access processing method and system - Google Patents


Info

Publication number
CN114268669A
Authority
CN
China
Prior art keywords
icmp
message
address
packet
destination
Prior art date
Legal status
Pending
Application number
CN202210190465.2A
Other languages
Chinese (zh)
Inventor
刘成伟
Current Assignee
Alibaba Cloud Computing Ltd
Original Assignee
Alibaba Cloud Computing Ltd
Priority date
Filing date
Publication date
Application filed by Alibaba Cloud Computing Ltd
Priority to CN202210190465.2A
Publication of CN114268669A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An access processing method and system are disclosed. The method comprises the following steps: screening a first IP message from various received IP messages, wherein the first IP message adopts an ICMP protocol; analyzing a source IP address, a destination IP address and an ICMP message from the first IP message, and constructing and sending a UDP message according to the source IP address, the destination IP address and the ICMP message, wherein the data part of the UDP message comprises the destination IP address and the ICMP message; obtaining a target IP address and an ICMP message from a data part of a received UDP message and constructing a second IP message according to the target IP address and the ICMP message, wherein the second IP message adopts an ICMP protocol and comprises the target IP address and the ICMP message; and sending the second IP message to the destination IP address. The method comprises the steps of converting an IP message of an ICMP protocol into a UDP message before a set communication path in the network communication from a source IP address to a destination IP address, and converting the UDP message into the IP message of the ICMP protocol after the set communication path, thereby solving the problem that the message of the ICMP protocol on the set communication path in the network communication from the source IP address to the destination IP address can not pass through.

Description

Access processing method and system
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an access processing system and method.
Background
Nowadays, due to the influence of objective factors such as epidemic situation, distance, urban traffic and the like, the working modes of people are changed silently, the office modes such as mobile office, remote office, cooperative office and the like are gradually increased, the change brings brand-new challenges to the safety of traditional IT infrastructure, the original boundary of an enterprise is broken, and the traditional hardware safety scheme cannot meet the safety protection requirements of the enterprise.
The cloud security access service is an integrated security management and control platform provided for enterprise users, and provides uniform security control both for access through the internet and for access to an internal network. However, because the protocol stack on which the cloud security access service is based, for example LwIP (lightweight IP, a small TCP/IP stack), does not completely support ICMP (Internet Control Message Protocol), the security access service cannot correctly process all accesses based on the ICMP protocol.
Disclosure of Invention
In view of the above, the present disclosure provides an access processing method and system to solve the above problem.
According to a first aspect of the present disclosure, there is provided an access processing method including:
screening a first IP message from various received IP messages, wherein the first IP message is an IP message adopting an ICMP protocol;
analyzing a source IP address, a destination IP address and an ICMP message from the first IP message, and constructing and sending a UDP message according to the source IP address, the destination IP address and the ICMP message, wherein the data part of the UDP message comprises the destination IP address and the ICMP message;
obtaining the destination IP address and the ICMP message from the data part of the UDP message and constructing a second IP message according to the destination IP address and the ICMP message, wherein the second IP message adopts an ICMP protocol and comprises the destination IP address and the ICMP message; and
and sending the second IP message to the destination IP address.
In some embodiments, further comprising:
receiving an ICMP reply from the destination IP address;
constructing the UDP response from the ICMP response, a data portion of the UDP response including the ICMP response;
and acquiring an ICMP response from the UDP response and sending the ICMP response to the source IP address.
In some embodiments, further comprising: analyzing the value of at least one given field from the ICMP message, checking according to the value of the at least one given field, and discarding the ICMP message which fails to be checked.
In some embodiments, the filtering out the first IP packet from the received various IP packets comprises: and obtaining the value of at least one given field from each IP message, and determining whether the IP message is the first IP message according to the value of the at least one given field.
In some embodiments, the first IP packet and the second IP packet are ICMP echo request packets, and the ICMP response is an ICMP echo response packet.
According to a second aspect of the present disclosure, there is provided an access processing system comprising:
the IP packet filtering module is used for screening out a first IP message from various received IP messages, wherein the first IP message is an IP message adopting an ICMP protocol;
a data packet forwarding module, configured to parse a source IP address, a destination IP address, and an ICMP packet from the first IP packet, construct and send a UDP packet according to the source IP address, where a data portion of the UDP packet includes the destination IP address and the ICMP packet, obtain an ICMP response from the UDP response, and send the ICMP response to the source IP address;
a proxy gateway module, configured to obtain the destination IP address and the ICMP packet from the data portion of the UDP packet, construct a second IP packet according to the destination IP address and the ICMP packet, send the second IP packet to the destination IP address, receive the ICMP response from the destination IP address, construct the UDP response according to the ICMP response, and send the UDP response to the packet forwarding module, where the data portion of the UDP response includes the ICMP response.
In some embodiments, the packet forwarding module parses a value of at least one given field from the ICMP packet, checks the value of the at least one given field, and discards the ICMP packet that fails in the checking.
In some embodiments, the IP packet filtering module obtains a value of at least one given field from each IP packet, and determines whether the IP packet is the first IP packet according to the value of the at least one given field.
In some embodiments, the first IP packet and the second IP packet are ICMP echo request packets, and the ICMP response is an ICMP echo response packet.
In some embodiments, the proxy gateway module is a LwIP network proxy.
According to a third aspect of the present disclosure, there is provided an electronic device comprising a memory and a processor, the memory further storing computer instructions executable by the processor, the computer instructions, when executed, implementing any of the above-described access processing methods.
According to a fourth aspect of the present disclosure, there is provided a computer readable medium storing computer instructions executable by an electronic device, the computer instructions, when executed, implementing any of the above access processing methods.
According to the access processing method provided by the embodiment of the disclosure, before a set communication path in the network communication from a source IP address to a destination IP address, an IP message of the ICMP protocol is converted into a UDP message and the UDP message is sent, and after the set communication path, the UDP message is converted back into an IP message of the ICMP protocol and that IP message is sent, so that the problem that an ICMP message cannot pass through the set communication path in the network communication from the source IP address to the destination IP address is solved. In particular, the method can be applied to the cloud security service mentioned in the background art to solve the problem that the protocol stack (e.g., LwIP) on which the cloud security access service is based does not completely support ICMP, so that it cannot properly process all accesses based on the ICMP protocol.
Drawings
The foregoing and other objects, features, and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which refers to the accompanying drawings in which:
FIG. 1 is a schematic diagram of a scenario of an access processing system provided by the present disclosure;
FIG. 2 is a schematic diagram of a software architecture of an access processing system provided in accordance with an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of an IP message;
FIG. 4 is a schematic diagram of constructing a UDP message based on the IP message of FIG. 3;
FIG. 5 is an interaction flow diagram of various modules of the access processing system provided by the present disclosure;
fig. 6 is an exemplary diagram of an ICMP response obtained by using a ping command based on the access processing system provided in the above embodiment;
FIG. 7 is a schematic diagram of a computing device.
Detailed Description
The present disclosure is described below based on examples, but the present disclosure is not limited to only these examples. In the following detailed description of the present disclosure, some specific details are set forth in detail. It will be apparent to those skilled in the art that the present disclosure may be practiced without these specific details. Well-known methods, procedures, and procedures have not been described in detail so as not to obscure the present disclosure. The figures are not necessarily drawn to scale.
Fig. 1 is a schematic view of a scenario of an access processing system provided by the present disclosure. As shown in fig. 1, terminal devices 104 and 103 remotely access a server 101 through a network 102 and a cloud security access service 105. The server 101 may be a single server or a cloud service center. A single server is a stand-alone physical server on which various systems are deployed. The cloud service center can integrate hardware and software resources of the entity server by using a virtualization technology, and deploys various systems on the basis of a virtualization layer.
Network 102 may include, but is not limited to: wired networks and wireless networks. The wired network includes: local area network, metropolitan area network and wide area network, the wireless network includes: bluetooth, WIFI, and other networks that enable wireless communication. Terminal devices 103 and 104 may include, but are not limited to, at least one of: computer equipment such as mobile phones, notebook computers, tablet computers, palm computers and desktop computers.
The cloud security access service 105 provides an integrated security management and control platform for enterprise users, and supports unified security control over intranet and internet access of companies. In some scenarios, users of the terminal devices 103 and 104 are developers working remotely on the basis of the internet 102, accessing various applications on the server 101 or infrastructure provided by the server 101 via the cloud security access service 105. In other scenarios, the users of the terminal devices 103 and 104 are staff members of the same company but different workplaces, and such staff members also need to access various applications on the server 101 or the infrastructure provided by the server 101 through the intranet 102 and the cloud security access service 105.
Fig. 2 is a schematic diagram of a software structure of an access processing system provided according to an embodiment of the present disclosure. The access processing system 200 shown in fig. 2 may be provided in the cloud security access service 105 as a part of functions provided by the cloud security access service 105 to solve a problem that the cloud security access service 105 does not support ICMP access.
As shown in the figure, the access processing system 200 includes an IP packet filtering module 201, a data packet forwarding module 202 and a proxy gateway module 203.
Applications on the terminal devices 103 and 104 shown in fig. 1 send various IP messages via the network 102 to the server 101.
The IP packet filtering module 201 is configured to receive various IP packets and filter out those belonging to the ICMP protocol. Referring to fig. 3, an IP packet includes an IP header and a data portion. The IP header includes a protocol field, a header checksum, a source IP address and a destination IP address. The protocol field indicates which protocol the carried data uses, so that the IP layer of the host at the destination IP address can hand the data portion to the corresponding process; for example, when the protocol field in the IP header equals 1, the packet belongs to the ICMP protocol and its data portion is an ICMP message. The header checksum is a check value computed over the IP header only. The source and destination IP addresses are the IP addresses of the source host and the destination host respectively. The ICMP message in turn includes an ICMP header and a data portion. The ICMP header includes a type, a code and an ICMP checksum; the ellipses in the figure stand for fields that are not shown. The type specifies the kind of ICMP message, for example 8 for echo request and 0 for echo reply, and the code, together with the type, identifies the detailed subtype of the ICMP message. The ICMP checksum is computed over the entire ICMP message, header and data portion included.
Accordingly, the specific operations of the IP packet filtering module 201 include: for each IP packet, an IP header is obtained through parsing, and a value of at least one given field is obtained from the IP header, if the value meets expectations, the IP packet is determined to be a required IP packet, and the corresponding IP packet is sent to the data packet forwarding module 202, otherwise, the corresponding IP packet is sent to other modules, for example, other corresponding modules of the cloud security access service 105.
In some embodiments, the IP packet filtering module 201 may further check an IP packet that it has determined to be needed by the data packet forwarding module 202: if the check fails, the IP packet is discarded, and if it passes, the IP packet is sent to the data packet forwarding module 202.
Referring to fig. 3, the checksum in the IP header covers the IP header data. Accordingly, the IP packet filtering module 201 may check individual fields in the IP header, and may verify the IP header as a whole against its checksum, discarding the IP packet when the check fails.
The packet forwarding module 202 is configured to parse a source IP address, a destination IP address, and an ICMP packet from the received IP packet, construct a UDP packet based on the source IP address, send the UDP packet to the proxy gateway module 203, receive a UDP response from the proxy gateway module 203, construct an ICMP response according to the UDP response, and send the ICMP response to the source IP address. The IP packet format has been described in detail above, and is not described herein again. As shown in fig. 4, the UDP packet sent by the packet forwarding module 202 to the proxy gateway module 203 includes a UDP header and a data portion, where the UDP header is filled by the packet forwarding module 202 according to actual conditions. The data portion includes a destination IP address (i.e., the destination IP address in fig. 3) and an ICMP message (i.e., the ICMP message in fig. 3). That is, the packet forwarding module 202 encapsulates the destination IP address and the ICMP packet parsed from the IP packet into the data portion of the UDP packet. Optionally, the UDP packet sent by the packet forwarding module 202 to the proxy gateway module 203 may also encapsulate the source IP address into the data portion of the UDP packet, so as to facilitate the transmission of the response packet.
In some embodiments, after acquiring the ICMP message, the packet forwarding module 202 parses it into an ICMP header and a data portion, obtains the value of the given field from the ICMP header, and checks whether that field meets expectations. If the check passes, a UDP packet is constructed based on the ICMP message; if it fails, the ICMP message is discarded. In some cases, if the ICMP message is an echo request (the type field in the ICMP header is 8, echo request), it is further checked whether the data portion of the ICMP message is consistent with the checksum taken from the ICMP header. This is because an attacker often encapsulates illegal data in the data portion of an echo request; for example, an attacker may store an illegally obtained password file in the data portion of echo request messages in order to transfer that file out of the network. A checksum is an integrity check rather than an authentication check: an attacker who builds the whole message can compute a valid checksum, so this check rejects corrupted or malformed messages rather than deliberately crafted ones.
The proxy gateway module 203 is configured to parse the received UDP message to obtain a destination IP address and an ICMP message, construct a new IP message belonging to the ICMP protocol based on the destination IP address, and send the newly constructed IP message belonging to the ICMP protocol to the destination IP address. Meanwhile, the proxy gateway module 203 receives the ICMP response from the destination IP address 301, constructs a UDP response according to the ICMP response, and sends the UDP response to the packet forwarding module 202, where a data portion of the UDP response includes the ICMP response, and the packet forwarding module 202 extracts the ICMP response from the UDP response and sends the ICMP response to the source IP address directly or sends the ICMP response to the source IP address via the IP packet filtering module.
It should be understood that, according to this embodiment, the packet forwarding module 202 converts the received IP packet of the ICMP protocol into a UDP packet, and the proxy gateway module 203 converts the UDP packet back into an IP packet of the ICMP protocol, where the data of the two IP packets may be the same or different. In addition, the ICMP response in this embodiment refers to the response made, using the ICMP protocol, to a received IP packet; as shown in fig. 3, the protocol field of the response is likewise equal to 1. The UDP response is the response made to a received UDP packet and is itself carried in an IP packet whose protocol field is 17, the number assigned to UDP.
Fig. 5 is a flowchart of the interaction between modules provided by an embodiment of the present disclosure. As shown in the figure:
Step S501 is that the data packet forwarding module 202 receives the IP packet belonging to the ICMP protocol from the IP packet filtering module 201, and parses the source IP address, the destination IP address and the ICMP message from that IP packet.
Step S502 is that the packet forwarding module 202 encapsulates the destination IP address and the ICMP packet into the data portion of the UDP packet.
In step S503, the packet forwarding module 202 sends the UDP packet to the proxy gateway module 203.
Step S504 is that the proxy gateway module 203 extracts the destination IP address and the ICMP message therefrom and reconstructs an IP message belonging to the ICMP protocol.
Step S505 is that the proxy gateway module 203 sends the newly constructed IP packet according to the destination IP address.
Step S506 is for the proxy gateway module 203 to receive an ICMP response from the destination IP address. The ICMP response is an IP packet belonging to the ICMP protocol.
Step S507 is that the proxy gateway module 203 constructs a UDP response from the received ICMP response, where the data portion of the UDP response includes the ICMP response.
Step S508 is that the proxy gateway module 203 sends the UDP response to the packet forwarding module 202.
In step S509, the packet forwarding module 202 acquires an ICMP response from the UDP response.
Step S510 is that the packet forwarding module 202 sends out the ICMP response. The packet forwarding module 202 may send the ICMP response to the IP packet filtering module in fig. 2, where the ICMP response is sent to the source IP address, or send the ICMP response to the source IP address directly.
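As an added example, not code from the patent or from Alibaba Cloud's service, the following Python script walks one echo request through the three modules of fig. 2: the filtering and checksum checks of modules 201 and 202 described with figs. 3 and 4 above, and then the S501 to S510 exchange of fig. 5. The UDP data-part layout (4-byte destination IP, 4-byte source IP, then the ICMP message), the gateway sourcing the rebuilt packet from its own address, the function names and the sample addresses are all assumptions of this example; the destination host is simulated in-process so the script runs offline without raw sockets.

```python
import struct
import ipaddress

PROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum (IPv4 header and ICMP); a valid filled-in message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo message: type, code, checksum, identifier, sequence, then the data portion (fig. 3)."""
    msg = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def build_ipv4(src: str, dst: str, payload: bytes, proto: int = PROTO_ICMP) -> bytes:
    """Minimal 20-byte IPv4 header (protocol, header checksum, source, destination) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def filter_icmp_echo(packet: bytes):
    """Filtering module 201 plus the ICMP check of module 202: (src, dst, icmp_message) for a
    well-formed echo request, None when the packet is not ICMP (route elsewhere) or fails a check."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    if ihl < 20 or total_len > len(packet) or checksum(packet[:ihl]) != 0:
        return None                       # IP header fails its own checksum: discard
    if proto != PROTO_ICMP:
        return None                       # not the "first IP message" of the method
    icmp = packet[ihl:total_len]
    if len(icmp) < 8 or checksum(icmp) != 0:
        return None                       # data portion inconsistent with the ICMP checksum: discard
    if icmp[0] != ICMP_ECHO_REQUEST:
        return None                       # this example tunnels echo requests only
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])), icmp)

def forwarder_encapsulate(src: str, dst: str, icmp: bytes) -> bytes:
    """Steps S501-S502 (module 202): UDP data part = destination IP, source IP, ICMP message.
    The patent fixes the contents only; this 4 + 4 + ICMP byte layout is an assumption."""
    return ipaddress.IPv4Address(dst).packed + ipaddress.IPv4Address(src).packed + icmp

def gateway_decapsulate(udp_data: bytes, gateway_ip: str):
    """Steps S504-S505 (module 203): rebuild an ICMP IP packet toward the destination and keep
    the 8-byte address block for the reply. Sourcing it from the gateway's own IP is an assumption."""
    if len(udp_data) < 16 or checksum(udp_data[8:]) != 0:
        raise ValueError("UDP data part does not carry a valid ICMP message")
    return build_ipv4(gateway_ip, str(ipaddress.IPv4Address(udp_data[:4])), udp_data[8:]), udp_data[:8]

def destination_host_reply(ip_packet: bytes) -> bytes:
    """Constructed stand-in for the destination host: echo request in, echo reply out."""
    req = ip_packet[(ip_packet[0] & 0x0F) * 4:]
    ident, seq = struct.unpack("!HH", req[4:8])
    return build_ipv4(str(ipaddress.IPv4Address(ip_packet[16:20])),
                      str(ipaddress.IPv4Address(ip_packet[12:16])),
                      build_icmp(ICMP_ECHO_REPLY, ident, seq, req[8:]))

def gateway_wrap_reply(reply_packet: bytes, address_block: bytes) -> bytes:
    """Steps S506-S508 (module 203): UDP response data part = original addresses + ICMP response."""
    return address_block + reply_packet[(reply_packet[0] & 0x0F) * 4:]

def forwarder_deliver(udp_response: bytes) -> bytes:
    """Steps S509-S510 (module 202): the ICMP response goes to the source IP address and appears
    to come from the original destination IP, so ping sees an ordinary echo reply."""
    if len(udp_response) < 16 or checksum(udp_response[8:]) != 0:
        raise ValueError("UDP response does not carry a valid ICMP response")
    return build_ipv4(str(ipaddress.IPv4Address(udp_response[:4])),
                      str(ipaddress.IPv4Address(udp_response[4:8])), udp_response[8:])

def ping_through_tunnel(client_packet: bytes, gateway_ip: str = "10.0.0.1"):
    """Whole S501-S510 exchange; returns the ICMP reply delivered to the client, or None if dropped."""
    parsed = filter_icmp_echo(client_packet)
    if parsed is None:
        return None
    src, dst, icmp = parsed
    outbound, address_block = gateway_decapsulate(forwarder_encapsulate(src, dst, icmp), gateway_ip)
    return forwarder_deliver(gateway_wrap_reply(destination_host_reply(outbound), address_block))

if __name__ == "__main__":
    # Constructed sample: 192.0.2.10 pings 198.51.100.20 (RFC 5737 documentation addresses).
    request = build_ipv4("192.0.2.10", "198.51.100.20",
                         build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh"))
    reply = ping_through_tunnel(request)
    print("reply from", ipaddress.IPv4Address(reply[12:16]), "ICMP type", reply[20])
    tampered = request[:-1] + bytes([request[-1] ^ 0xFF])   # data altered after the checksum
    print("tampered request dropped:", ping_through_tunnel(tampered) is None)
```

Run directly, the script prints the reply as seen by the client (source 198.51.100.20, ICMP type 0) and shows that a request whose data portion no longer matches its ICMP checksum is dropped at the check stage and never reaches the gateway. The UDP header itself (ports, UDP checksum) is left to whatever transport joins modules 202 and 203, which matches the patent, since it only fixes the contents of the data part.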
Referring to fig. 5, the access processing method provided by the embodiment of the present disclosure includes steps S501 to S505, which describe that an IP packet of the ICMP protocol is converted into a UDP packet and the UDP packet is sent before a communication path is set in the network communication from the source IP address to the destination IP address, and then the UDP packet is converted into an IP packet of the ICMP protocol and the IP packet is sent after the communication path is set, so that the problem that the packet of the ICMP protocol on the set communication path cannot pass through in the network communication from the source IP address to the destination IP address can be solved.
Further, the access processing method provided by the embodiment of the present disclosure may further include steps S506 to S510. These steps describe the process of sending a message reply from the destination IP address to the source IP address.
When incorporated into the cloud security service mentioned in the background, this approach solves the problem that the protocol stack (e.g., LwIP) on which the cloud security access service is based does not fully support ICMP, which otherwise causes the service to fail to handle all ICMP-based accesses properly.
In some application scenarios, a user may use ping or another common network diagnostic command to detect network status, such as whether the host at a destination IP address exists, whether it is reachable and whether a route is available. However, the cloud security service does not pass ICMP echo request messages up to an upper-layer application for processing; instead, the cloud security service answers the echo request itself. That is, the echo request is never sent to the host at the real destination IP address, and an ICMP response is generated locally and returned to the client, so common diagnostic commands such as ping cannot obtain correct results. With the above embodiment, end-to-end ICMP communication is realized, and a network diagnostic command such as ping can be used normally.
In some embodiments, the proxy gateway module 203 is implemented on the basis of the LwIP proxy gateway in the cloud secure access service 105. The LwIP proxy gateway receives data at the TCP/IP layer and transmits data at the IP layer, so the resulting proxy gateway module 203 meets the user's need to diagnose the network with commands such as ping and closes the gap between the LwIP-based cloud security access service and a conventional VPN, while keeping the advantages of the LwIP lightweight protocol stack.
Fig. 6 is a diagram illustrating an ICMP response obtained by using a ping command based on the access processing system provided in the above embodiment. As shown in the figure, the network condition to the destination IP address 221.229.203.214 can be detected by the ping command.
FIG. 7 is a schematic diagram of a computing device. The computing device 600 may be used to deploy the access processing system provided by the embodiments of the disclosure, but the computing device 600 shown in fig. 7 is only one example and should not bring any limitations to the functionality or scope of use of the embodiments of the disclosure.
As shown in fig. 7, computing device 600 is embodied in the form of a general purpose computing device. Components of computing device 600 may include, but are not limited to: the at least one processing unit 610, the at least one memory unit 620, and a bus 630 that couples the various system components including the memory unit 620 and the processing unit 610.
Wherein the storage unit stores program code executable by the processing unit 610 to cause the processing unit 610 to perform the steps of the various exemplary embodiments of the present invention described in the description section of the above exemplary methods of the present specification. For example, the processing unit 610 may perform the various steps shown in fig. 5.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 630 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
Computing device 600 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with computing device 600, and/or with any devices (e.g., router, modem, etc.) that enable computing device 600 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650. Moreover, computing device 600 may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) through network adapter 660. As shown, the network adapter 660 communicates with the other modules of the computing device 600 via the bus 630. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with computing device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer program medium having stored thereon computer readable instructions which, when executed by a processor of a computer, cause the computer to perform the method described in the above method embodiment.
According to an embodiment of the present disclosure, there is also provided a program product for implementing the method in the above method embodiment, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Moreover, although the steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (12)

1. An access processing method, comprising:
screening out a first IP message from the received IP messages, wherein the first IP message adopts an ICMP protocol;
analyzing a source IP address, a destination IP address and an ICMP message from the first IP message, and constructing and sending a UDP message according to the source IP address, the destination IP address and the ICMP message, wherein the data part of the UDP message comprises the destination IP address and the ICMP message;
obtaining the destination IP address and the ICMP message from the data part of the UDP message and constructing a second IP message according to the destination IP address and the ICMP message, wherein the second IP message adopts an ICMP protocol and comprises the destination IP address and the ICMP message; and
sending the second IP message to the destination IP address.
2. The access processing method of claim 1, further comprising:
receiving an ICMP reply from the destination IP address;
constructing a UDP response from the ICMP reply, wherein a data portion of the UDP response comprises the ICMP reply; and
acquiring the ICMP reply from the UDP response and sending the ICMP reply to the source IP address.
3. The access processing method of claim 1, further comprising: analyzing the value of at least one given field from the ICMP message, checking according to the value of the at least one given field, and discarding the ICMP message which fails to be checked.
4. The access processing method of claim 1, wherein screening out the first IP message from the received IP messages comprises: obtaining the value of at least one given field from each IP message, and determining whether the IP message is the first IP message according to the value of the at least one given field.
5. The access processing method according to claim 2, wherein the first IP packet and the second IP packet are ICMP echo request packets, and the ICMP response is an ICMP echo response packet.
6. An access processing system comprising:
an IP packet filtering module, configured to screen out a first IP message from the received IP messages, wherein the first IP message adopts an ICMP protocol;
a data packet forwarding module, configured to parse a source IP address, a destination IP address and an ICMP message from the first IP message, to construct and send a UDP message according to the source IP address, the destination IP address and the ICMP message, wherein a data portion of the UDP message comprises the destination IP address and the ICMP message, and to obtain an ICMP response from a UDP response and send the ICMP response to the source IP address; and
a proxy gateway module, configured to obtain the destination IP address and the ICMP message from the data portion of the UDP message and to construct a second IP message according to the destination IP address and the ICMP message, wherein the second IP message adopts an ICMP protocol and comprises the destination IP address and the ICMP message; to send the second IP message to the destination IP address; to receive the ICMP response from the destination IP address; and to construct the UDP response according to the ICMP response and send it to the data packet forwarding module, wherein the data portion of the UDP response comprises the ICMP response.
7. The access processing system according to claim 6, wherein the packet forwarding module parses a value of at least one given field from the ICMP packet, checks the value of the at least one given field, and discards the ICMP packet that fails the check.
8. The access processing system of claim 6, wherein the IP packet filtering module obtains a value of at least one given field from each IP packet, and determines whether the IP packet is the first IP packet according to the value of the at least one given field.
9. The access processing system of claim 6, wherein the first and second IP messages are ICMP echo request messages and the ICMP reply is an ICMP echo reply message.
10. The access processing system of claim 6, wherein the proxy gateway module is a LwIP network proxy.
11. A computing device comprising a memory and a processor, the memory further storing computer instructions executable by the processor, the computer instructions when executed implementing the access processing method of any of claims 1 to 5.
12. A computer readable medium storing computer instructions executable by an electronic device, the computer instructions when executed implementing the access processing method of any of claims 1 to 5.
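Claims 1, 3 and 4 together describe a relay that keeps only ICMP packets, validates given fields, and carries the ICMP message plus its destination inside a UDP data part, with a gateway rebuilding the ICMP packet on the far side. The following Python example is added here and is not code from the patent or from Alibaba Cloud; it assumes the destination IP is encoded as 4 raw bytes at the start of the UDP data part and uses constructed addresses (10.0.0.2, 203.0.113.7, 198.51.100.1), neither of which the patent specifies. The "given field" check is shown as an echo-request type test plus ICMP checksum verification, so the relay refuses to tunnel malformed or non-echo ICMP.

```python
import socket
import struct

ICMP_PROTO, ICMP_ECHO_REQUEST = 1, 8

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options; header checksum left 0 for brevity)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(packet: bytes):
    """Return (protocol, src, dst, payload), honouring IHL and total length."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (f[0] & 0x0F) * 4
    return f[6], socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), packet[ihl:f[2]]

def icmp_to_udp_payload(packet: bytes):
    """Relay side (claims 1, 3, 4): filter on the protocol field, check the ICMP type and
    checksum, then return (source IP, UDP data part = destination IP + ICMP message)."""
    proto, src, dst, icmp = parse_ipv4(packet)
    if proto != ICMP_PROTO or len(icmp) < 8:
        return None                        # not the "first IP packet"; leave it alone
    if icmp[0] != ICMP_ECHO_REQUEST or icmp_checksum(icmp) != 0:
        return None                        # given-field check failed: discard (claim 3)
    return src, socket.inet_aton(dst) + icmp   # assumed encoding: 4 raw bytes + ICMP

def udp_payload_to_icmp(udp_data: bytes, gateway_ip: str) -> bytes:
    """Gateway side (claim 1): rebuild the "second IP packet" carrying the ICMP message."""
    dst, icmp = socket.inet_ntoa(udp_data[:4]), udp_data[4:]
    return build_ipv4(gateway_ip, dst, ICMP_PROTO, icmp)

def make_echo_request(ident: int, seq: int, data: bytes) -> bytes:
    """Constructed ICMP echo request with a correct checksum."""
    body = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

if __name__ == "__main__":
    # Constructed sample: client 10.0.0.2 pings 203.0.113.7 via the relay and gateway.
    req = build_ipv4("10.0.0.2", "203.0.113.7", ICMP_PROTO, make_echo_request(0x1234, 1, b"ping"))
    src, udp_data = icmp_to_udp_payload(req)        # udp_data would go out via a UDP socket
    second = udp_payload_to_icmp(udp_data, "198.51.100.1")
    print(src, parse_ipv4(second)[:3])               # 10.0.0.2 (1, '198.51.100.1', '203.0.113.7')
```

The reverse path of claim 2 is the mirror image: the gateway places the echo reply in a UDP response and the relay hands it back to the recorded source IP.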
CN202210190465.2A 2022-03-01 2022-03-01 Access processing method and system Pending CN114268669A (en)


Publications (1)

Publication Number Publication Date
CN114268669A true CN114268669A (en) 2022-04-01

Family

ID=80833753

Country Status (1)

Country Link
CN (1) CN114268669A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117478763A (en) * 2023-12-28 2024-01-30 广州通则康威科技股份有限公司 ICMP agent UDP data transmission method, system and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030061506A1 (en) * 2001-04-05 2003-03-27 Geoffrey Cooper System and method for security policy
CN102469171A (en) * 2010-11-10 2012-05-23 中国移动通信集团公司 Method for realizing intercommunication of two terminal nodes in different IP domains, system and equipment thereof
WO2016045056A1 (en) * 2014-09-25 2016-03-31 华为技术有限公司 Switch and service request packet processing method
CN110691150A (en) * 2019-09-29 2020-01-14 华南理工大学 SDN-based IPv4 and IPv6 interconnection method and system
CN111788809A (en) * 2018-11-23 2020-10-16 华为技术有限公司 Message receiving and sending method and device
CN113194102A (en) * 2021-05-19 2021-07-30 苏州瑞立思科技有限公司 ICMP loopback message transmission method based on port

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220401