CN114697380A - Redirection method, system, device and storage medium of access request - Google Patents

Publication number
CN114697380A
Authority
CN
China
Prior art keywords
terminal
server
message
access
target
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210243431.5A
Other languages
Chinese (zh)
Other versions
CN114697380B (en
Inventor
罗治华
唐硕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Infogo Tech Co ltd
Original Assignee
Hangzhou Infogo Tech Co ltd
Application filed by Hangzhou Infogo Tech Co ltd
Priority to CN202210243431.5A
Publication of CN114697380A
Application granted
Publication of CN114697380B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/148 Migration or transfer of sessions
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application discloses a method, a system, a device and a storage medium for redirecting an access request. The method comprises the following steps: an admission server acquires a first message sent by a terminal; the admission server acquires the target quintuple information in the first message and judges whether quintuple information identical to the target quintuple information is stored in the admission server; where such quintuple information is stored in the admission server, a forged second message and a redirection message are sent to the terminal; the admission server receives a third message sent by the terminal and establishes a connection between the admission server and the terminal; and the admission server receives an access request sent by the terminal based on the redirection message and sends the access result corresponding to the access request to the terminal. The method and the device solve the problem in the related art that an access request cannot be redirected when the target server does not respond to it.

Description

Redirection method, system, device and storage medium of access request
Technical Field
The present application relates to the field of network security, and in particular, to a method, system, apparatus, and storage medium for redirecting an access request.
Background
Network access control is currently the mainstream network security defense technology. By applying security protection to terminals, it addresses the security threat caused by insecure terminals accessing a network and keeps out viruses, vulnerabilities, network attacks and the like, thereby comprehensively ensuring the security of equipment connected to the network.
Common network admission control techniques include policy-routing admission, VLAN isolation admission, dot1x admission, ARP admission, mirror admission, etc. In mirror admission, a switch in the network mirrors (i.e., copies) data traffic to an admission server; the admission server monitors and examines the traffic and then admits or blocks it according to a policy. Common mirror admission blocking techniques include TCP Reset, HTTP redirection, and the like.
In the existing method for controlling network access through mirror admission, to redirect a terminal's access request the admission server needs to track the message exchange while the terminal and the server perform the TCP three-way handshake: when the server sends the second message to the terminal, the admission server sends a redirection message to the terminal, thereby redirecting the terminal's access request. However, when the server accessed by the terminal does not exist, no second message is sent to the terminal, so the redirection message cannot be sent and the terminal's access request cannot be redirected.
No effective solution has yet been proposed for the problem in the related art that an access request cannot be redirected when the target server does not respond to it.
Disclosure of Invention
The application provides a method, a system, a device and a storage medium for redirecting an access request, which are used for solving the problem that the redirection of the access request cannot be carried out under the condition that a target server does not respond to the access request in the related art.
According to one aspect of the application, a method for redirecting an access request is provided. The method comprises the following steps: an admission server acquires a first message sent by a terminal, wherein the first message is the first message generated when the terminal requests to establish a connection with a target server; the admission server acquires the target quintuple information in the first message and judges whether quintuple information identical to the target quintuple information is stored in the admission server; where quintuple information identical to the target quintuple information is stored in the admission server, a forged second message and a redirection message are sent to the terminal, wherein the forged second message is used for establishing a connection between the admission server and the terminal, and the redirection message is used for re-determining the access address of the terminal; the admission server receives a third message sent by the terminal and establishes the connection between the admission server and the terminal, wherein the third message is the response to the second message; and the admission server receives an access request sent by the terminal based on the redirection message and sends the access result corresponding to the access request to the terminal.
Optionally, after determining whether the admission server stores quintuple information identical to the target quintuple information, the method further includes: and under the condition that the admission server does not store the quintuple information identical to the target quintuple information, storing the target quintuple information to the admission server.
Optionally, after determining whether the admission server stores quintuple information identical to the target quintuple information, the method further includes: where quintuple information identical to the target quintuple information is not stored in the admission server, the admission server detects whether a second message sent to the terminal by the target server is received; and where the admission server detects the second message, it sends the redirection message to the terminal.
Optionally, after the admission server detects whether the second message sent by the target server to the terminal is received, the method further includes: where the admission server does not detect the second message, the admission server detects whether the first message sent by the terminal is received again; and where the admission server receives the first message again, it executes the steps of acquiring the target quintuple information in the first message and judging whether the admission server stores the target quintuple information.
Optionally, after the admission server detects the second message and sends the redirection message to the terminal, the method further includes: after the connection between the target server and the terminal is established, establishing a connection between the admission server and the terminal; and the admission server receives an access request sent by the terminal based on the redirection message and sends the access result corresponding to the access request to the terminal.
Optionally, where the admission server stores quintuple information identical to the target quintuple information, before sending the forged second message and the redirection message to the terminal, the method further includes: acquiring first identification information corresponding to the stored quintuple information that is identical to the target quintuple information, and acquiring second identification information corresponding to the target quintuple information from the first message; judging whether the first identification information is the same as the second identification information; where the first identification information is different from the second identification information, storing the target quintuple information and the second identification information to the admission server; and where the first identification information is the same as the second identification information, executing the step of sending a forged second message and a redirection message to the terminal.
Optionally, after determining whether the admission server stores quintuple information identical to the target quintuple information, the method further includes: where quintuple information identical to the target quintuple information is stored in the admission server, the admission server sends a forged second message to the terminal; the admission server receives a third message sent by the terminal and establishes a connection between the admission server and the terminal, wherein the third message is the response to the second message; the admission server sends a redirection message to the terminal; and the admission server receives an access request sent by the terminal based on the redirection message and sends the access result corresponding to the access request to the terminal.
According to another aspect of the present application, a redirection system for access requests is provided. The system comprises: a terminal, used for requesting to establish a connection with the target server and sending an access request to the target server after the connection with the target server is established; an admission server, used for establishing a connection between the terminal and the admission server after the terminal has established a connection with the target server and sending a redirection message to the terminal so as to redirect the access request, and also used for sending a forged response message to the terminal where the terminal has not established a connection with the target server, so as to establish a connection between the terminal and the admission server, and sending the redirection message to the terminal so as to redirect the access request; and a target server, used for sending a response message to the terminal on receiving the terminal's message requesting to establish a connection, so as to establish the connection between the target server and the terminal.
According to another aspect of the present application, there is provided an apparatus for redirecting an access request. The apparatus includes: a first obtaining unit, used for the admission server to obtain a first message sent by the terminal, wherein the first message is the first message generated when the terminal requests to establish a connection with a target server; a second obtaining unit, used for the admission server to obtain the target quintuple information in the first message and determine whether quintuple information identical to the target quintuple information is stored in the admission server; a first sending unit, used for sending a forged second message and a redirection message to the terminal where quintuple information identical to the target quintuple information is stored in the admission server, wherein the forged second message is used to establish a connection between the admission server and the terminal, and the redirection message is used to re-determine the access address of the terminal; a first receiving unit, used for the admission server to receive a third message sent by the terminal and establish the connection between the admission server and the terminal, wherein the third message is the response to the second message; and a second receiving unit, used for the admission server to receive the access request sent by the terminal based on the redirection message and send the access result corresponding to the access request to the terminal.
According to another aspect of the embodiments of the present invention, there is also provided a computer storage medium for storing a program, where the program, when executed, controls a device on which the computer storage medium is located to execute a method for redirecting an access request.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including one or more processors and a memory; the memory has stored therein computer-readable instructions, and the processor is configured to execute the computer-readable instructions, wherein the computer-readable instructions are configured to execute a method for redirecting access requests.
The application adopts the following steps: an admission server acquires a first message sent by a terminal, wherein the first message is the first message generated when the terminal requests to establish a connection with a target server; the admission server acquires the target quintuple information in the first message and judges whether quintuple information identical to the target quintuple information is stored in the admission server; where quintuple information identical to the target quintuple information is stored in the admission server, a forged second message and a redirection message are sent to the terminal, wherein the forged second message is used for establishing a connection between the admission server and the terminal, and the redirection message is used for re-determining the access address of the terminal; the admission server receives a third message sent by the terminal and establishes the connection between the admission server and the terminal, wherein the third message is the response to the second message; and the admission server receives an access request sent by the terminal based on the redirection message and sends the access result corresponding to the access request to the terminal. This solves the problem in the related art that an access request cannot be redirected when the target server does not respond to it.
Whether the server exists is determined by checking whether quintuple information identical to the target quintuple information is stored in the admission server: where it is stored, the server does not exist. The admission server then sends a forged second message to the terminal, the TCP three-way handshake between the terminal and the admission server is completed, and the admission server performs the redirection, so that the access request can be redirected under any condition.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application. In the drawings:
Fig. 1 is a flowchart of a redirection method of an access request according to an embodiment of the present application;
Fig. 2 is a flowchart of an optional redirection method for an access request according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a redirection system for access requests provided in accordance with an embodiment of the present application;
Fig. 4 is a schematic diagram of a redirection device for an access request provided according to an embodiment of the present application;
Fig. 5 is a schematic view of an electronic device according to an embodiment of the present application.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be used. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For convenience of description, some terms or expressions referred to in the embodiments of the present application are explained below:
Hypertext Transfer Protocol (HTTP): an application-layer protocol for distributed, collaborative, hypermedia information systems. It is the most widely used network transfer protocol on the Internet, and all WWW files must comply with this standard.
Quintuple: generally refers to a set of five quantities: source IP address, source port, destination IP address, destination port, and transport-layer protocol number.
According to an embodiment of the application, a redirection method of an access request is provided.
Fig. 1 is a flowchart of a redirection method of an access request according to an embodiment of the present application. As shown in fig. 1, the method comprises the steps of:
Step S102, the admission server obtains a first message sent by the terminal, wherein the first message is the first message generated when the terminal requests to establish a connection with a target server.
Specifically, the admission server comprises an admission control server and is mainly used for user identity authentication, terminal security checks, terminal behavior monitoring and auditing, and the like.
Before the terminal can exchange data with the target server, it must connect to the target server through the TCP three-way handshake; data interaction between the terminal and the target server can take place only after the connection succeeds.
When the TCP three-way handshake is performed for the first time, the terminal sends a first message to the target server, wherein the first message comprises an HTTP request and SYN (Synchronize Sequence Number). As the first message passes through the switch, the switch copies it and sends the copy to the admission server. The admission server then performs security analysis on the HTTP request according to a preset security rule and generates an HTTP redirection message when the analysis result does not conform to the preset security rule.
Step S104, the admission server acquires the target quintuple information in the first message and judges whether the admission server stores quintuple information which is the same as the target quintuple information.
Specifically, after receiving the first message, the admission server obtains the target quintuple corresponding to the HTTP request in the first message and determines whether that target quintuple is stored in the admission server. If it is stored, this shows that the first message corresponding to the HTTP request is not being sent to the target server for the first time.
Optionally, in the redirection method for an access request provided in the embodiment of the present application, after determining whether the admission server stores quintuple information that is the same as the target quintuple information, the method further includes: and under the condition that the admission server does not store the quintuple information identical to the target quintuple information, storing the target quintuple information to the admission server.
Specifically, if the target quintuple is not stored in the admission server, this shows that the first message corresponding to the HTTP request is being sent to the target server for the first time, and the quintuple corresponding to the first message may be stored in the admission server. This provides the basis for comparing later first messages, so that whether the target server exists can be determined accurately.
Step S106, where the admission server stores quintuple information identical to the target quintuple information, sending a forged second message and a redirection message to the terminal, wherein the forged second message is used for establishing a connection between the admission server and the terminal, and the redirection message is used for re-determining the access address of the terminal.
Specifically, where the admission server stores quintuple information identical to the target quintuple information, the first message corresponding to the HTTP request is not being sent to the target server for the first time, which indicates that the server requested by the terminal does not exist. The admission server can then impersonate the target server by returning a seq value corresponding to the first message, so that the connection between the terminal and the target server becomes a connection between the terminal and the admission server.
Further, once the admission server is impersonating the target server, it may return a forged second message (a forged second handshake) containing the seq value corresponding to the first message, and send the redirection message to the terminal. On receiving the redirection message, the terminal may buffer it in the TCP buffer.
Step S108, the admission server receives a third message sent by the terminal and establishes the connection between the admission server and the terminal, wherein the third message is the response to the second message.
Specifically, after the terminal receives the forged second message and the redirection message, it returns the third message according to the content of the forged second message, which completes the connection between the terminal and the admission server. The terminal can then exchange data with the admission server by means of the redirection message.
Step S110, the admission server receives the access request sent by the terminal based on the redirection message and sends the access result corresponding to the access request to the terminal.
Specifically, after the terminal is connected with the admission server, the terminal can issue an HTTP redirection request according to the redirection message in the TCP cache, thereby accessing the admission server directly and obtaining from it the request result corresponding to the HTTP redirection request.
In the redirection method for the access request, the admission server obtains the first message sent by the terminal, wherein the first message is the first message generated when the terminal requests to establish a connection with the target server; the admission server acquires the target quintuple information in the first message and judges whether quintuple information identical to the target quintuple information is stored in the admission server; where quintuple information identical to the target quintuple information is stored in the admission server, a forged second message and a redirection message are sent to the terminal, wherein the forged second message is used for establishing a connection between the admission server and the terminal, and the redirection message is used for re-determining the access address of the terminal; the admission server receives a third message sent by the terminal and establishes the connection between the admission server and the terminal, wherein the third message is the response to the second message; and the admission server receives an access request sent by the terminal based on the redirection message and sends the access result corresponding to the access request to the terminal. This solves the problem in the related art that an access request cannot be redirected when the target server does not respond to it.
Whether the server exists is determined by checking whether quintuple information identical to the target quintuple information is stored in the admission server: where it is stored, the server does not exist. The admission server then sends a forged second message to the terminal, the TCP three-way handshake between the terminal and the admission server is completed, and the admission server performs the redirection, so that the access request can be redirected under any condition.
In order to reduce the amount of data stored in the terminal's TCP cache, optionally, in the method for redirecting an access request provided in this embodiment of the present application, after determining whether quintuple information identical to the target quintuple information is stored in the admission server, the method further includes: where quintuple information identical to the target quintuple information is stored in the admission server, the admission server sends a forged second message to the terminal; the admission server receives a third message sent by the terminal and establishes a connection between the admission server and the terminal, wherein the third message is the response to the second message; the admission server sends a redirection message to the terminal; and the admission server receives an access request sent by the terminal based on the redirection message and sends the access result corresponding to the access request to the terminal.
Specifically, where the admission server stores quintuple information identical to the target quintuple information, the admission server can impersonate the target server by returning the seq value corresponding to the first message, and returns only a forged second message to the terminal. The terminal cannot identify the source of the second message it receives and therefore cannot tell that it is forged, so it directly returns the third message corresponding to the third handshake of the TCP three-way handshake. On receiving the third message, the admission server is connected with the terminal and returns a redirection message to it. After receiving the redirection message, the terminal resends an HTTP redirection request according to the redirection message, thereby accessing the admission server directly and obtaining from it the request result corresponding to the HTTP redirection request.
Optionally, in the redirection method for an access request provided in the embodiment of the present application, after determining whether the admission server stores quintuple information that is the same as the target quintuple information, the method further includes: under the condition that the five-tuple information which is the same as the target five-tuple information is not stored in the access server, the access server detects whether a second message sent to the terminal by the target server is received; and sending the redirection message to the terminal under the condition that the admission server detects the second message.
Specifically, in the case that the admission server does not store quintuple information identical to the target quintuple information, the admission server stores the target quintuple information; meanwhile, when the target server returns the second message of the second handshake of the TCP three-way handshake to the terminal, the switch copies that second message and sends the copy to the admission server.
Optionally, in the redirection method for an access request provided in the embodiment of the present application, after the admission server detects whether the second message sent by the target server to the terminal is received, the method further includes: in the case that the admission server does not detect the second message, the admission server detects whether the first message sent by the terminal is received again; and in the case that the admission server receives the first message again, the steps of acquiring the target quintuple information in the first message and determining whether the admission server stores the target quintuple information are executed.
Specifically, in the case that no quintuple information identical to the target quintuple information is stored in the admission server, the admission server stores the target quintuple information and waits for the switch to send it the second message of the second handshake of the TCP three-way handshake, returned by the target server to the terminal. At this time, since the terminal cannot receive the second message, the TCP three-way handshake cannot be completed, and the terminal therefore performs the TCP three-way handshake with the target server again according to the TCP retransmission principle. When the terminal sends the first message to the target server again, the switch again copies the first message to the admission server, and the step of determining whether the target quintuple information is stored in the admission server is executed again.
It should be noted that the content of the first message in this handshake is exactly the same as the content of the first message generated in the previous handshake, so the corresponding quintuple is also exactly the same. When the admission server checks the quintuple, the same quintuple information is therefore already stored in the admission server, and the operation of sending the forged second message and the redirection message to the terminal is performed. In this embodiment, the target server is determined to be absent by checking the quintuple of the retransmitted first message, which prevents the target server and the admission server from successively sending the terminal second handshake messages with different seq values. If that happened, the terminal, after receiving the second handshake message from whichever server responded first, would add 1 to the seq value of that second message to form the ack value and respond with the third handshake message. The target server and the admission server would then successively receive that third message; the target server or the admission server executes the logic check of the three-way handshake and, because the ack value does not equal its own seq value plus 1, sends a TCP Reset message to the terminal, so that the correctly established three-way-handshake connection is reset and redirection cannot be performed.
Optionally, in the redirection method for an access request provided in the embodiment of the present application, after the admission server detects the second message and sends the redirection message to the terminal, the method further includes: after the connection relationship between the target server and the terminal is established, establishing the connection relationship between the admission server and the terminal; and the admission server receives an access request sent by the terminal based on the redirection message and sends an access result corresponding to the access request to the terminal.
Specifically, in the case that the target server exists, since the terminal and the target server have already exchanged two messages, the TCP three-way handshake can be completed successfully, so that the terminal and the target server are connected. However, since the HTTP access request sent by the terminal does not comply with the preset security rule, the terminal needs to redirect the HTTP request to the admission server by means of the redirection message.
Because the operation of the TCP three-way handshake is not completed between the terminal and the admission server, the terminal and the admission server are not connected, and the connection between the terminal and the admission server needs to be established through the TCP three-way handshake first.
Optionally, in the redirection method for an access request provided in this embodiment of the present application, in the case that the admission server stores quintuple information that is the same as the target quintuple information, before sending the forged second message and the redirection message to the terminal, the method further includes: in the case that quintuple information identical to the target quintuple information is stored in the admission server, acquiring first identification information corresponding to the stored quintuple information that is the same as the target quintuple information, and acquiring second identification information corresponding to the target quintuple information from the first message; determining whether the first identification information is the same as the second identification information; in the case that the first identification information is different from the second identification information, storing the target quintuple information and the second identification information in the admission server; and in the case that the first identification information is the same as the second identification information, executing the steps of sending the forged second message and the redirection message to the terminal.
Specifically, the first identification information may be the seq value in the first message, and the second identification information may be the seq value corresponding to the stored message that has the same quintuple as the first message. In the special case that a port of the terminal is reused, the quintuples corresponding to two different HTTP access requests may be the same. Because the admission server stores the seq value of the first message in addition to its quintuple information, the seq value in the first message and the seq value corresponding to the stored message with the same quintuple can be compared. In the case that the first identification information is different from the second identification information, the two messages with the same quintuple are determined to be different messages; in the case that the first identification information is the same as the second identification information, the two messages are determined to be the same message, and the steps of sending the forged second message and the redirection message to the terminal are executed. In this embodiment, additionally checking the seq value in the message improves the accuracy with which messages are identified, and therefore the accuracy of redirecting the access request.
Fig. 2 is a flowchart of an optional redirection method for an access request according to an embodiment of the present application, as shown in fig. 2:
The terminal sends a first message of the TCP three-way handshake to the target server. The first message is copied by the switch as it passes through the switch, and the copy is sent to the admission server. At this point, the admission server can perform security analysis on the HTTP request according to the preset security rule, and generates an HTTP redirection message in the case that the analysis result does not comply with the preset security rule. After receiving the first message, the admission server also obtains the target quintuple corresponding to the HTTP request in the first message and determines whether the target quintuple is stored in the admission server; in the case that the target quintuple has been stored, it may also determine whether the seq values are the same, thereby determining whether the first message has already been stored in the admission server.
In the case that the target quintuple is stored in the admission server, the admission server can impersonate the target server by returning the seq value corresponding to the first message, so that the connection between the terminal and the target server becomes a connection between the terminal and the admission server, and at the same time the redirection message is sent to the terminal. After the terminal and the admission server complete the TCP three-way handshake and the connection is established, the terminal can issue an HTTP redirection request according to the redirection message, so that the terminal accesses the admission server directly according to the HTTP redirection request and obtains the request result corresponding to the HTTP redirection request from the admission server.
In the case that the target quintuple is not stored in the admission server, the target quintuple and the seq value of the first message are stored in the admission server, and it is determined whether the admission server receives the second message returned by the target server. In the case that the second message is not received, it is determined that the target server does not exist; the admission server waits for the first message that the terminal sends again according to the TCP retransmission principle, and again performs the operation of determining whether the target quintuple is stored in the admission server. In the case that the second message is received, after the terminal is connected with the target server, the terminal can send an HTTP redirection request to the admission server according to the redirection message and establish a connection with the admission server through a TCP three-way handshake, so that the admission server is accessed directly according to the HTTP redirection request and the request result corresponding to the HTTP redirection request is obtained from the admission server.
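The decision flow of Fig. 2, including the seq comparison for reused ports and the Reset conflict that the retransmission check avoids, can be modelled as follows. This is an added example, not code from the patent; all class and function names, the flag strings, the `answered` flag, the ack check on the mirrored second message, and the sample addresses are assumptions made here, and the code only returns decisions and sends no packets.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


class Action(Enum):
    STORE = "store quintuple and seq, wait for the target's second message"
    FORGE_SECOND_MESSAGE = "target silent: answer the handshake, then redirect"
    REDIRECT_ONLY = "target answered: send the redirection message only"
    IGNORE = "no decision for this segment"


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = first message (SYN), "SA" = second message (SYN-ACK)
    seq: int
    ack: int = 0


@dataclass
class FlowState:
    seq: int                # seq value of the stored first message
    answered: bool = False  # assumption: remember that the target replied


class AdmissionTable:
    """Quintuple table kept by the admission server for mirrored traffic."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple[str, int, str, int, str], FlowState] = {}

    def on_mirrored(self, seg: Segment) -> Action:
        if seg.flags == "S":
            key = (seg.src, seg.sport, seg.dst, seg.dport, "tcp")
            state = self.flows.get(key)
            # Unknown quintuple, or same quintuple with a different seq
            # (reused port): treat as a new first message and store it.
            if state is None or state.seq != seg.seq:
                self.flows[key] = FlowState(seq=seg.seq)
                return Action.STORE
            # Assumption (not in the patent): a retransmission on a flow the
            # target already answered must not trigger a forged reply.
            if state.answered:
                return Action.IGNORE
            # Same quintuple and same seq: a retransmitted first message,
            # so the target server is taken to be absent.
            return Action.FORGE_SECOND_MESSAGE
        if seg.flags == "SA":
            # The second message travels target -> terminal: reverse the key.
            key = (seg.dst, seg.dport, seg.src, seg.sport, "tcp")
            state = self.flows.get(key)
            # Assumption: accept it only if it acknowledges the stored seq.
            if state is not None and seg.ack == (state.seq + 1) % SEQ_MOD:
                state.answered = True
                return Action.REDIRECT_ONLY
        return Action.IGNORE


def replay(trace: List[Segment]) -> List[Action]:
    """Feed a mirrored trace to a fresh table and collect the decisions."""
    table = AdmissionTable()
    return [table.on_mirrored(seg) for seg in trace]


def third_message_accepted(own_second_seq: int, ack_from_terminal: int) -> bool:
    """Handshake check each responder applies to the third message.

    A responder whose own seq + 1 does not match the ack answers with a
    TCP Reset, which is the conflict the retransmission check avoids.
    """
    return ack_from_terminal == (own_second_seq + 1) % SEQ_MOD


# Constructed sample traffic (documentation-style addresses, not real hosts).
TERMINAL, TARGET = "10.0.0.5", "203.0.113.10"


def syn(seq: int) -> Segment:
    return Segment(TERMINAL, 50000, TARGET, 80, "S", seq)


def synack(seq: int, ack: int) -> Segment:
    return Segment(TARGET, 80, TERMINAL, 50000, "SA", seq, ack)


if __name__ == "__main__":
    for name, trace in [
        ("target absent", [syn(1000), syn(1000)]),
        ("target present", [syn(2000), synack(9000, 2001)]),
        ("port reused", [syn(1000), syn(7777), syn(7777)]),
    ]:
        print(name, [a.name for a in replay(trace)])
```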
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
The embodiment of the present application further provides a redirection system for an access request, and it should be noted that the redirection system for an access request in the embodiment of the present application may be used to execute the redirection method for an access request provided in the embodiment of the present application. The following describes a redirection system for an access request provided in an embodiment of the present application.
Fig. 3 is a schematic diagram of a redirection system for access requests according to an embodiment of the present application, as shown in fig. 3, the system includes:
The terminal 31 is configured to request establishment of a connection relationship with the target server 33, and to send an access request to the target server 33 after the connection relationship with the target server 33 is established.
Specifically, the terminal 31 is used for sending the access request, and needs to establish a connection relationship with the target server 33 before sending, so that the first message for establishing the connection relationship needs to be sent to the target server 33.
The admission server 32 is configured to, after the connection relationship between the terminal 31 and the target server 33 is established, establish the connection relationship between the terminal 31 and the admission server 32 and send a redirection message to the terminal 31 to redirect the access request; the admission server 32 is further configured to, when the terminal 31 does not establish a connection relationship with the target server 33, send a forged response message to the terminal 31 to establish a connection relationship between the terminal 31 and the admission server 32, and send a redirection message to the terminal 31 to redirect the access request.
Specifically, in the case that the target server 33 exists, the admission server 32 may send a redirection message to the terminal 31 so that the terminal 31 can perform redirected access; in the case that the target server 33 does not exist, the admission server 32 sends a forged second message to the terminal 31 so that the terminal 31 connects to the admission server 32 and can perform redirected access. This also avoids the abnormal situation that arises when, with the target server 33 present, the admission server 32 and the target server 33 send the second message to the terminal 31 at the same time.
And the target server 33 is used for sending a response message to the terminal 31 to establish the connection relationship between the target server 33 and the terminal 31 when receiving the message of the terminal 31 requesting to establish the connection relationship.
In the redirection system for the access request provided by the embodiment of the application, the terminal 31 requests to establish a connection relationship with the target server 33, and sends the access request to the target server 33 after the connection relationship with the target server 33 is established; the admission server 32, after the connection relationship between the terminal 31 and the target server 33 is established, establishes the connection relationship between the terminal 31 and the admission server 32 and sends a redirection message to the terminal 31 to redirect the access request, and the admission server 32 is further configured to, when the connection relationship between the terminal 31 and the target server 33 is not established, send a forged response message to the terminal 31 to establish the connection relationship between the terminal 31 and the admission server 32 and send a redirection message to the terminal 31 to redirect the access request; the target server 33, upon receiving the message in which the terminal 31 requests establishment of the connection relationship, sends a response message to the terminal 31 to establish the connection relationship between the target server 33 and the terminal 31. This solves the problem in the related art that the access request cannot be redirected when the target server does not respond to the access request.
By determining whether the admission server stores quintuple information identical to the target quintuple information, it is determined whether the target server exists. In the case that the admission server stores quintuple information identical to the target quintuple information, the target server does not exist; a forged second message is then sent to the terminal by the admission server to complete the TCP three-way handshake between the terminal and the admission server, and the redirection is performed by the admission server, thereby achieving the effect that the access request can be redirected under any condition.
The embodiment of the present application further provides a redirection device for an access request, and it should be noted that the redirection device for an access request according to the embodiment of the present application may be used to execute the redirection method for an access request provided by the embodiment of the present application. The following describes an apparatus for redirecting an access request provided in an embodiment of the present application.
Fig. 4 is a schematic diagram of an apparatus for redirecting an access request provided in an embodiment of the present application. As shown in fig. 4, the apparatus includes: a first acquiring unit 41, a second acquiring unit 42, a first transmitting unit 43, a first receiving unit 44, and a second receiving unit 45.
The first obtaining unit 41 is configured to obtain, by the admission server, a first packet sent by the terminal, where the first packet is first packet information generated when the terminal requests to establish a connection with the target server.
The second obtaining unit 42 is configured to obtain the target quintuple information in the first message by the admission server, and determine whether the admission server stores quintuple information that is the same as the target quintuple information.
The first sending unit 43 is configured to send, to the terminal, a forged second message and a redirection message in the case that the admission server stores quintuple information that is the same as the target quintuple information, where the forged second message is used to establish a connection relationship between the admission server and the terminal, and the redirection message is used to re-determine an access address of the terminal.
The first receiving unit 44 is configured to receive, by the admission server, a third packet sent by the terminal, and establish a connection relationship between the admission server and the terminal, where the third packet is a packet responded to the second packet.
The second receiving unit 45 is configured for the admission server to receive an access request sent by the terminal based on the redirection message, and to send an access result corresponding to the access request to the terminal.
In the redirection apparatus for an access request provided in the embodiment of the present application, through the first obtaining unit 41, the admission server obtains a first message sent by a terminal, where the first message is first message information generated when the terminal requests to establish a connection with a target server; the second obtaining unit 42 obtains the target quintuple information in the first message, and determines whether the admission server stores quintuple information identical to the target quintuple information; the first sending unit 43 sends a forged second message and a redirection message to the terminal in the case that the admission server stores quintuple information that is the same as the target quintuple information, where the forged second message is used to establish the connection relationship between the admission server and the terminal, and the redirection message is used to re-determine the access address of the terminal; through the first receiving unit 44, the admission server receives a third message sent by the terminal and establishes a connection relationship between the admission server and the terminal, where the third message is a response to the second message; through the second receiving unit 45, the admission server receives the access request sent by the terminal based on the redirection message, and sends an access result corresponding to the access request to the terminal. This solves the problem in the related art that the access request cannot be redirected when the target server does not respond to the access request.
By determining whether the admission server stores quintuple information identical to the target quintuple information, it is determined whether the target server exists. In the case that the admission server stores quintuple information identical to the target quintuple information, the target server does not exist; a forged second message is then sent to the terminal by the admission server to complete the TCP three-way handshake between the terminal and the admission server, and the redirection is performed by the admission server, thereby achieving the effect that the access request can be redirected under any condition.
Optionally, in the redirection apparatus for an access request provided in the embodiment of the present application, the apparatus further includes: and the first storage unit is used for storing the target quintuple information to the admission server under the condition that the quintuple information which is the same as the target quintuple information is not stored in the admission server.
Optionally, in the redirection apparatus for an access request provided in the embodiment of the present application, the apparatus further includes: a first detection unit, configured to detect whether the admission server receives a second message sent to the terminal by the target server in the case that quintuple information identical to the target quintuple information is not stored in the admission server; and a second sending unit, configured to send the redirection message to the terminal in the case that the admission server detects the second message.
Optionally, in the redirection apparatus for an access request provided in the embodiment of the present application, the apparatus further includes: a second detection unit, configured to detect whether the admission server receives the first message sent by the terminal again in the case that the admission server does not detect the second message; and a first execution unit, configured to execute the steps of acquiring the target quintuple information in the first message and determining whether the target quintuple information is stored in the admission server in the case that the admission server receives the first message again.
Optionally, in the redirection apparatus for an access request provided in the embodiment of the present application, the apparatus further includes: a first establishing unit, configured to establish the connection relationship between the admission server and the terminal after the connection relationship between the target server and the terminal is established; and a third sending unit, configured for the admission server to receive the access request sent by the terminal based on the redirection message and to send an access result corresponding to the access request to the terminal.
Optionally, in the redirection apparatus for an access request provided in the embodiment of the present application, the apparatus further includes: a third obtaining unit, configured to obtain, when quintuple information that is the same as the target quintuple information is stored in the admission server, first identifier information corresponding to the target quintuple information that is the same as the target quintuple information, and obtain, from the first packet, second identifier information corresponding to the target quintuple information; a judging unit configured to judge whether the first identification information is the same as the second identification information; the second storage unit is used for storing the target quintuple information and the second identification information to the access server under the condition that the first identification information is different from the second identification information; and the second execution unit is used for executing the steps of sending the forged second message and the redirected message to the terminal under the condition that the first identification information is the same as the second identification information.
Optionally, in the redirection apparatus for an access request provided in the embodiment of the present application, the apparatus further includes: a fourth sending unit, configured for the admission server to send a forged second message to the terminal when quintuple information identical to the target quintuple information is stored in the admission server; a second establishing unit, configured for the admission server to receive a third message sent by the terminal and to establish a connection relationship between the admission server and the terminal, where the third message is a response to the second message; a fifth sending unit, configured for the admission server to send the redirection message to the terminal; and a sixth sending unit, configured for the admission server to receive the access request sent by the terminal based on the redirection message and to send an access result corresponding to the access request to the terminal.
The redirection device of the access request includes a processor and a memory, and the first obtaining unit 41, the second obtaining unit 42, the first sending unit 43, the first receiving unit 44, the second receiving unit 45, and the like are all stored in the memory as program units, and the processor executes the program units stored in the memory to implement corresponding functions.
The processor comprises a kernel, and the kernel calls the corresponding program unit from the memory. The kernel can be set to be one or more than one, and the problem that the access request cannot be redirected under the condition that the target server does not respond to the access request in the related art is solved by adjusting the kernel parameters.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
An embodiment of the present invention provides a computer-readable storage medium, on which a program is stored, which, when executed by a processor, implements the method for redirecting an access request.
The embodiment of the invention provides a processor, which is used for running a program, wherein the redirection method of the access request is executed when the program runs.
As shown in fig. 5, an embodiment of the present invention provides an electronic device, where the electronic device 50 includes a processor, a memory, and a program stored in the memory and executable on the processor, and the processor executes the program to implement the following steps: an admission server acquires a first message sent by a terminal, wherein the first message is first message information generated when the terminal requests to establish a connection with a target server; the admission server acquires target quintuple information in the first message and determines whether quintuple information identical to the target quintuple information is stored in the admission server; in the case that the admission server stores quintuple information identical to the target quintuple information, a forged second message and a redirection message are sent to the terminal, wherein the forged second message is used for establishing the connection relationship between the admission server and the terminal, and the redirection message is used for re-determining the access address of the terminal; the admission server receives a third message sent by the terminal and establishes a connection relationship between the admission server and the terminal, wherein the third message is a response to the second message; and the admission server receives an access request sent by the terminal based on the redirection message and sends an access result corresponding to the access request to the terminal. The device herein may be a server, a PC, a PAD, a mobile phone, etc.
The present application further provides a computer program product adapted, when executed on a data processing device, to execute a program that initializes the following method steps: an admission server acquires a first message sent by a terminal, wherein the first message is first message information generated when the terminal requests to establish a connection with a target server; the admission server acquires target quintuple information in the first message and determines whether quintuple information identical to the target quintuple information is stored in the admission server; in the case that the admission server stores quintuple information identical to the target quintuple information, a forged second message and a redirection message are sent to the terminal, wherein the forged second message is used for establishing the connection relationship between the admission server and the terminal, and the redirection message is used for re-determining the access address of the terminal; the admission server receives a third message sent by the terminal and establishes a connection relationship between the admission server and the terminal, wherein the third message is a response to the second message; and the admission server receives an access request sent by the terminal based on the redirection message and sends an access result corresponding to the access request to the terminal.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include, in a computer-readable medium, volatile memory such as Random Access Memory (RAM) and/or non-volatile memory such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (11)

1. A method for redirecting access requests, comprising:
an admission server acquires a first message sent by a terminal, wherein the first message is first message information generated when the terminal requests to establish a connection with a target server;
the admission server acquires target five-tuple information from the first message and determines whether five-tuple information identical to the target five-tuple information is stored in the admission server;
in a case where the admission server stores five-tuple information identical to the target five-tuple information, sending a forged second message and a redirection message to the terminal, wherein the forged second message is used to establish a connection relationship between the admission server and the terminal, and the redirection message is used to re-determine the access address of the terminal;
the admission server receives a third message sent by the terminal and establishes the connection relationship between the admission server and the terminal, wherein the third message is a response to the second message;
and the admission server receives an access request sent by the terminal based on the redirection message and sends an access result corresponding to the access request to the terminal.
2. The method according to claim 1, wherein after determining whether five-tuple information identical to the target five-tuple information is stored in the admission server, the method further comprises:
in a case where the admission server does not store five-tuple information identical to the target five-tuple information, storing the target five-tuple information in the admission server.
3. The method according to claim 1, wherein after determining whether five-tuple information identical to the target five-tuple information is stored in the admission server, the method further comprises:
in a case where the admission server does not store five-tuple information identical to the target five-tuple information, the admission server detects whether a second message sent by the target server to the terminal is received;
and in a case where the admission server detects the second message, sending the redirection message to the terminal.
4. The method according to claim 3, wherein after the admission server detects whether the second message sent by the target server to the terminal is received, the method further comprises:
in a case where the admission server does not detect the second message, the admission server detects whether the first message sent by the terminal is received again;
and in a case where the admission server receives the first message again, executing the steps of acquiring the target five-tuple information from the first message and determining whether the target five-tuple information is stored in the admission server.
5. The method according to claim 3, wherein after the admission server sends the redirection message to the terminal in a case where the second message is detected, the method further comprises:
after the connection relationship between the target server and the terminal is established, establishing the connection relationship between the admission server and the terminal;
and the admission server receives an access request sent by the terminal based on the redirection message and sends an access result corresponding to the access request to the terminal.
6. The method according to claim 1, wherein in a case where the admission server stores five-tuple information identical to the target five-tuple information, before sending the forged second message and the redirection message to the terminal, the method further comprises:
in a case where the admission server stores five-tuple information identical to the target five-tuple information, acquiring first identification information corresponding to the stored five-tuple information that is identical to the target five-tuple information, and acquiring second identification information corresponding to the target five-tuple information from the first message;
determining whether the first identification information is the same as the second identification information;
in a case where the first identification information is different from the second identification information, storing the target five-tuple information and the second identification information in the admission server;
and in a case where the first identification information is the same as the second identification information, executing the step of sending the forged second message and the redirection message to the terminal.
7. The method according to claim 1, wherein after determining whether five-tuple information identical to the target five-tuple information is stored in the admission server, the method further comprises:
in a case where the admission server stores five-tuple information identical to the target five-tuple information, the admission server sends the forged second message to the terminal;
the admission server receives a third message sent by the terminal and establishes a connection relationship between the admission server and the terminal, wherein the third message is a response to the second message;
the admission server sends the redirection message to the terminal;
and the admission server receives an access request sent by the terminal based on the redirection message and sends an access result corresponding to the access request to the terminal.
8. A system for redirecting access requests, comprising:
a terminal, configured to request to establish a connection relationship with a target server and to send an access request to the target server after the connection relationship with the target server is established;
an admission server, configured to establish a connection relationship between the admission server and the terminal after the connection relationship between the terminal and the target server is established, and to send a redirection message to the terminal so as to redirect the access request, the admission server being further configured to send a forged response message to the terminal in a case where the connection relationship between the terminal and the target server is not established, so as to establish the connection relationship between the terminal and the admission server, and to send a redirection message to the terminal so as to redirect the access request;
and the target server, configured to send a response message to the terminal upon receiving a message in which the terminal requests to establish the connection relationship, so as to establish the connection relationship between the target server and the terminal.
9. An apparatus for redirecting an access request, comprising:
a first obtaining unit, configured to enable an admission server to obtain a first message sent by a terminal, where the first message is first message information generated when the terminal requests to establish a connection with a target server;
a second obtaining unit, configured to obtain, by the admission server, target five-tuple information from the first message, and determine whether five-tuple information identical to the target five-tuple information is stored in the admission server;
a first sending unit, configured to send, to the terminal, a forged second message and a redirection message in a case where the admission server stores five-tuple information identical to the target five-tuple information, where the forged second message is used to establish a connection relationship between the admission server and the terminal, and the redirection message is used to re-determine an access address of the terminal;
a first receiving unit, configured to receive, by the admission server, a third message sent by the terminal, and establish a connection relationship between the admission server and the terminal, where the third message is a response to the second message;
and a second receiving unit, configured to receive, by the admission server, an access request sent by the terminal based on the redirection message, and send an access result corresponding to the access request to the terminal.
10. A computer storage medium for storing a program, wherein the program when executed controls a device on which the computer storage medium is located to execute the method for redirecting an access request according to any one of claims 1 to 7.
11. An electronic device comprising one or more processors and memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of redirecting access requests of any of claims 1 to 7.
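The decision logic of claims 1, 2, 3 and 6, sketched as an added example (not code from the patent or the applicant). It models the identification information as an opaque integer and drops a stored entry once the target server answers; both are assumptions, as are all class and function names.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    STORE = "store five-tuple and identification, wait"      # claims 2 and 6
    FORGE_AND_REDIRECT = "forged second message + redirect"  # claims 1 and 6
    REDIRECT_ONLY = "redirect after real second message"     # claim 3
    IGNORE = "response for a flow that is not tracked"

@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    def reply(self):
        """Five-tuple of the opposite direction (target server -> terminal)."""
        return FiveTuple(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)

_ABSENT = object()  # sentinel: no entry stored for this five-tuple

class AdmissionTable:
    """Decision logic only; no packets are built or sent."""

    def __init__(self):
        self._seen = {}  # FiveTuple -> identification info of the stored first message

    def on_first_message(self, ft, ident):
        """Terminal -> target connection request seen by the admission server."""
        if self._seen.get(ft, _ABSENT) != ident:
            # Five-tuple not stored (claim 2), or stored with different
            # identification information (claim 6): record it, answer nothing yet.
            self._seen[ft] = ident
            return Action.STORE
        # Same five-tuple and same identification: the request was repeated.
        return Action.FORGE_AND_REDIRECT

    def on_second_message(self, ft):
        """Target -> terminal response seen while a request is stored (claim 3)."""
        if ft.reply() not in self._seen:
            return Action.IGNORE
        del self._seen[ft.reply()]  # assumption: entry dropped once the target answers
        return Action.REDIRECT_ONLY

def replay(events):
    """Run constructed (kind, five_tuple, ident) events through a fresh table."""
    table = AdmissionTable()
    return [table.on_first_message(ft, ident) if kind == "first"
            else table.on_second_message(ft)
            for kind, ft, ident in events]

# Constructed sample flow (documentation address ranges), not captured traffic.
FLOW = FiveTuple("192.0.2.15", 50000, "198.51.100.7", 80, "tcp")

if __name__ == "__main__":
    for action in replay([("first", FLOW, 1000), ("first", FLOW, 1000)]):
        print(action.name)
```

The table only decides which branch of the claims applies; building the forged second message and the redirection message is outside what it models.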
CN202210243431.5A 2022-03-11 2022-03-11 Redirection method, system, device and storage medium for access request Active CN114697380B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210243431.5A CN114697380B (en) 2022-03-11 2022-03-11 Redirection method, system, device and storage medium for access request

Publications (2)

Publication Number Publication Date
CN114697380A true CN114697380A (en) 2022-07-01
CN114697380B CN114697380B (en) 2023-07-14

Family

ID=82138437

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210243431.5A Active CN114697380B (en) 2022-03-11 2022-03-11 Redirection method, system, device and storage medium for access request

Country Status (1)

Country Link
CN (1) CN114697380B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016150169A1 (en) * 2015-03-25 2016-09-29 中兴通讯股份有限公司 Secure communication method, gateway, network side server and system
CN106657082A (en) * 2016-12-27 2017-05-10 杭州盈高科技有限公司 Fast HTTP redirection method
CN112368690A (en) * 2018-04-26 2021-02-12 拉德沃有限公司 Block chain based admission procedure for protected entities
CN111628983A (en) * 2020-05-21 2020-09-04 网神信息技术(北京)股份有限公司 Access control method, apparatus, computer device, medium, and program product

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
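Wu Liangliang: "Network Admission Control System Based on VN", China Excellent Master's Theses Full-text Database, Information Science and Technology Series, no. 2016 *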

Also Published As

Publication number Publication date
CN114697380B (en) 2023-07-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant