WO2021032126A1 - A data processing method and device (一种数据处理方法及装置) - Google Patents
- Publication number
- WO2021032126A1 (application PCT/CN2020/110049)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- key
- identifier
- terminal
- verifiable
- data packet
Classifications
- H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—... for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—... wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
- H04L63/12—Applying verification of the received information
- H04L63/126—... the source of the received data
- H04L63/14—... for detecting or protecting against malicious traffic
- H04L63/1408—... by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—... at the transport layer
- H04L63/20—... for managing network security; network security policies in general
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—... using cryptographic hash functions
- H04L9/3242—... involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
Definitions
- This application relates to the field of communications, and in particular to a data processing method and device.
- DDoS Distributed Denial of Service
- Black-hole routing or traffic scrubbing ("traffic cleaning") is usually used to defend against DDoS attacks.
- With black-hole routing, the network equipment directs both illegal and legal traffic into the black hole; it cannot distinguish legal traffic from illegal traffic.
- With traffic scrubbing, it takes a long time to distinguish legitimate traffic from illegal traffic. Therefore, how to quickly distinguish legitimate traffic from illegal traffic when defending against DDoS attacks is an urgent problem to be solved.
- This application provides a data processing method and device, which solves the problem of how to quickly distinguish legitimate traffic from illegal traffic when defending against DDoS attacks.
- In a first aspect, this application provides a data processing method that can be applied to a terminal, or to a communication device that supports the terminal in implementing the method.
- the communication device includes a chip system, and the method includes: receiving a first verifiable identifier and a first key; generating a first verification code according to the first verifiable identifier and the first key; and, when sending a first data packet, including the first verifiable identifier and the first verification code in the first data packet.
- the data processing method provided by the embodiment of the present application allocates a verifiable identifier, and a key corresponding to that verifiable identifier, to a terminal that accesses the service supported by the target device; the terminal carries the verifiable identifier and the verification code in each data packet it sends.
- the network device can therefore identify legal data packets and illegal data packets based on the verifiable identifier and the verification code, and only legal data packets are forwarded.
- the data processing method provided in the embodiments of the present application can ensure that legitimate traffic (traffic sent by a registered terminal) is forwarded, and network equipment filters most of the DDoS attack traffic.
- the data processing method provided in the embodiments of the present application can reduce the delay in processing legitimate traffic caused by deep protocol analysis.
- generating the first verification code according to the first verifiable identifier and the first key includes: generating the first verification code according to the first verifiable identifier, the first key, and at least one of a first location locator, a second location locator, and a dynamic parameter, where the first location locator indicates the target device, the second location locator indicates the first terminal, and the dynamic parameter varies over time. Binding these inputs into the first verification code increases its complexity and raises its security level: a verification code captured from one packet is tied to a specific pair of endpoints and a specific time, so a leaked code is of limited use elsewhere.
- the static identification of the target device may be obtained; it includes the first location locator, so that the first terminal can generate the first verification code.
- the first verifiable identifier and the first verification code are set in the network layer protocol header or the transport layer protocol header included in the first data packet.
- the first verifiable identifier and the first verification code are set in the Internet Protocol (IP) address field in the network layer protocol header included in the first data packet.
- IP Internet Protocol
- the first verifiable identifier and the first verification code are set in the destination IP address field in the network layer protocol header included in the first data packet.
- the first verifiable identifier and the first verification code are set in the source IP address field in the network layer protocol header included in the first data packet. Therefore, since the first verifiable identifier can be embedded in the IP address, the network device can directly filter at the network layer, reducing the cost of defense against DDoS attacks, and does not rely on cross-domain cooperation.
- the destination IP address may refer to the destination IP address in the IPv6 datagram.
- the source IP address may refer to the source IP address in the IPv6 datagram.
- the destination IP address may refer to the destination IP address in the IPv4 datagram.
- the source IP address may refer to the source IP address in the IPv4 datagram.
- the first verifiable identifier and the first verification code are set in the next header field in the network layer protocol header included in the first data packet. Therefore, since the first verifiable identifier can be embedded in the next header field, the network device can directly filter at the network layer, reducing the cost of defense against DDoS attacks, and does not rely on cross-domain cooperation.
- the first verifiable identifier and the first verification code are set in optional fields in the network layer protocol header included in the first data packet.
- the first verifiable identifier and the first verification code are set in an option field in a Transmission Control Protocol (TCP) header included in the first data packet. Therefore, since the first verifiable identifier can be embedded in the TCP header, the network device can directly filter at the transport layer, reducing the cost of defense against DDoS attacks, and does not rely on cross-domain cooperation.
- TCP Transmission Control Protocol
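The header placements listed above (IP address field, next header, IP options, TCP options) are described but the page does not fix bit widths or option numbers. The following is an added example, not code from the patent, showing one concrete encoding and its parser: the verifiable identifier and a truncated verification code are packed into the low 64 bits of an IPv6 source address under an assumed /64 routing prefix, and, alternatively, into a TCP option TLV with an assumed experimental option kind (253). The 32-bit VID and 32-bit truncated code widths are assumptions for illustration.

```python
"""Embed a verifiable identifier (VID) and verification code in packet headers.
Added example, not the patent's code. Assumed layout: IPv6 source address =
64-bit routing prefix | 32-bit VID | first 32 bits of the verification code;
TCP option = kind 253 (assumed) | length | 4-byte VID | full code."""
import ipaddress
import struct
from typing import Optional, Tuple

PREFIX_BITS = 64          # assumed: the upper 64 bits stay a routable prefix
VID_BITS = 32             # assumed width of the verifiable identifier
CODE_BITS = 32            # assumed: code truncated to 32 bits in the address
TCP_OPT_KIND = 253        # assumed experimental option kind


def embed_in_ipv6(prefix: str, vid: int, code: bytes) -> ipaddress.IPv6Address:
    """Return an address carrying vid and the truncated code in its low 64 bits,
    leaving the routing prefix untouched so the packet still routes normally."""
    if not 0 <= vid < (1 << VID_BITS):
        raise ValueError("vid does not fit in %d bits" % VID_BITS)
    if len(code) * 8 < CODE_BITS:
        raise ValueError("verification code too short to truncate")
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != PREFIX_BITS:
        raise ValueError("prefix must be a /%d" % PREFIX_BITS)
    code_int = int.from_bytes(code[: CODE_BITS // 8], "big")
    low = (vid << CODE_BITS) | code_int
    return ipaddress.IPv6Address(int(net.network_address) | low)


def extract_from_ipv6(addr) -> Tuple[int, bytes]:
    """Inverse of embed_in_ipv6: (vid, truncated code) from the low 64 bits."""
    low = int(ipaddress.IPv6Address(addr)) & ((1 << (VID_BITS + CODE_BITS)) - 1)
    vid = low >> CODE_BITS
    code = (low & ((1 << CODE_BITS) - 1)).to_bytes(CODE_BITS // 8, "big")
    return vid, code


def build_tcp_option(vid: int, code: bytes) -> bytes:
    """TLV: kind, total length, 4-byte VID, full verification code.
    NOP (kind 1) padding keeps the options block 32-bit aligned."""
    body = struct.pack("!BBI", TCP_OPT_KIND, 2 + 4 + len(code), vid) + code
    return body + b"\x01" * (-len(body) % 4)


def parse_tcp_options(options: bytes) -> Optional[Tuple[int, bytes]]:
    """Walk a TCP options block; return (vid, code) if our option is present.
    Tolerates EOL/NOP, skips unknown TLVs by length, and refuses malformed
    lengths rather than reading past the buffer."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:               # EOL: nothing further
            break
        if kind == 1:               # NOP: single byte, no length
            i += 1
            continue
        if i + 1 >= len(options):
            return None             # truncated: kind without length byte
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None             # malformed length
        if kind == TCP_OPT_KIND and length >= 6:
            vid = struct.unpack("!I", options[i + 2 : i + 6])[0]
            return vid, options[i + 6 : i + length]
        i += length
    return None
```

Because the address-field variant only has room for part of the code, the network device that filters on it checks a 32-bit truncation; the TCP-option variant carries the full code at the cost of parsing the options block, which is why the parser above is strict about lengths.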
- In a second aspect, this application provides a data processing method that can be applied to network equipment, or to a communication device that supports the network equipment in implementing the method.
- the communication device includes a chip system, and the method includes: after receiving a first data packet, obtaining the first verifiable identifier and the first verification code included in the first data packet, and obtaining the first key corresponding to the first verifiable identifier; generating a second verification code according to the first verifiable identifier and the first key; and comparing the two: when the second verification code is the same as the first verification code, the first data packet is determined to be legal; when they are not the same, the first data packet is determined to be illegal.
- As in the first aspect, the verifiable identifier and its key are allocated to a terminal that accesses the service supported by the target device, the terminal carries the verifiable identifier and the verification code in each sent data packet, and the network device forwards only the packets it identifies as legal; legitimate traffic (traffic sent by a registered terminal) is thus forwarded, most DDoS attack traffic is filtered by the network equipment, and the delay that deep protocol analysis would add to legitimate traffic is reduced.
- the method further includes: if it is determined that the first data packet is legal, forwarding the first data packet to the target device. Thus, the legitimate data packets reach the target device.
- obtaining the first key corresponding to the first verifiable identifier includes: generating the first key according to the first verifiable identifier and a second key, where the second key corresponds to the first service.
- the second key is used to derive the keys of the registered terminals that may access the first service, so the network device does not need to store a key per terminal.
- the second key can be obtained in one of the following ways.
- the second key is obtained according to the first location locator, in which case the first data packet further includes the first location locator, which indicates the target device.
- alternatively, a third key is obtained according to the first location locator, and the second key is generated according to the third key and the first service identifier, or according to the third key and the first location locator. The third key is the root key from which the keys of the services on the target device are derived; in this case the first data packet also includes the first location locator, which indicates the target device, and the first service identifier, which indicates the first service running on the target device. Since all services share the same root key, the mapping table that the network device needs to maintain is small: there is no need for a correspondence entry per service, and the query overhead of the network device is reduced.
- generating the second verification code according to the first verifiable identifier and the first key includes: generating the second verification code according to the first verifiable identifier, the first key, and at least one of the first location locator, the second location locator, and the dynamic parameter, using the same inputs the terminal used for the first verification code.
- in this case the first data packet also includes the first location locator and the second location locator.
- the first location locator indicates the target device, the second location locator indicates the first terminal, and the dynamic parameter varies over time. Binding these inputs into the verification code increases its complexity and raises its security level, so that a leaked verification code cannot simply be reused from another endpoint or at another time.
- before receiving the first data packet, the method further includes: receiving a filtering request that includes the first location locator, the first service identifier, and the second key.
- the network device can verify the received data packet, filter out illegal data, and defend against DDoS attacks.
- the method further includes: determining that the traffic corresponding to the first verifiable identifier is greater than or equal to a threshold, and restricting the traffic of that verifiable identifier, so that a registered identifier cannot itself be used to flood the target device.
- In a third aspect, this application provides a key distribution method that can be applied to a target device, or to a communication device that supports the target device in implementing the method.
- the communication device includes a chip system, and the method includes: obtaining a first verifiable identifier and a second key; generating a first key according to the first verifiable identifier and the second key; and sending the first verifiable identifier and the first key to the first terminal.
- the key distribution method provided by the embodiments of the present application allocates a verifiable identifier, and a key corresponding to that verifiable identifier, to a terminal that accesses a service supported by the target device; the terminal carries the verifiable identifier and the verification code in each data packet it sends, so that the network device can identify legal and illegal data packets based on them and forward only legal data packets.
- the key distribution method provided by the embodiments of the present application can thus ensure that legitimate traffic (traffic sent by a registered terminal) is forwarded while the network device filters most of the DDoS attack traffic.
- the key distribution method provided in the embodiments of the present application can reduce the delay in processing legitimate traffic that deep protocol analysis would cause.
- acquiring the first verifiable identifier includes: acquiring a first service identifier, and generating the first verifiable identifier according to the first service identifier and a first terminal identifier, where the first service identifier indicates the first service running on the target device and the first terminal identifier indicates the first terminal.
- alternatively, obtaining the first verifiable identifier includes: generating the first verifiable identifier according to the first terminal identifier alone, where the first terminal identifier indicates the first terminal.
- before acquiring the first verifiable identifier and the first key, the method further includes: after receiving a registration request sent by the first terminal, allocating the first terminal identifier to the first terminal.
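The three roles described in the first, second and third aspects (terminal stamps packets, network device verifies and rate-limits, target device registers terminals and distributes keys) share one key hierarchy: root (third) key, per-service second key, per-terminal first key. The following is an added example, not code from the patent, running that exchange end to end. It assumes HMAC-SHA256 for both key derivation and the verification code, a 4-byte verifiable identifier, an 8-byte truncated code, a 60-second time window as the dynamic parameter, and a per-identifier packet threshold; locators and identifiers are constructed opaque byte strings. None of these parameters are fixed by the page.

```python
"""Key hierarchy and packet verification for the scheme described above
(added example, not the patent's code). Assumptions: HMAC-SHA256 for key
derivation and the verification code, a 4-byte VID, an 8-byte truncated code,
a 60-second window as the dynamic parameter, and a per-VID packet threshold.
Locators and identifiers are constructed opaque byte strings."""
import hashlib
import hmac
import os
import struct
from collections import Counter

VID_LEN, CODE_LEN, WINDOW = 4, 8, 60     # assumed sizes and time window


def kdf(key: bytes, *labels: bytes) -> bytes:
    """Child key = HMAC-SHA256(key, length-prefixed labels)."""
    msg = b"".join(struct.pack("!H", len(x)) + x for x in labels)
    return hmac.new(key, msg, hashlib.sha256).digest()


def service_key(root_key: bytes, service_id: bytes) -> bytes:
    """Second key: derived from the third (root) key and the service identifier."""
    return kdf(root_key, b"service", service_id)


def terminal_key(second_key: bytes, vid: bytes) -> bytes:
    """First key: derived from the second key and the verifiable identifier."""
    return kdf(second_key, b"terminal", vid)


def make_vid(service_id: bytes, terminal_id: bytes) -> bytes:
    """Verifiable identifier: hash of service ID and terminal ID, truncated."""
    return hashlib.sha256(b"vid" + service_id + terminal_id).digest()[:VID_LEN]


def verification_code(first_key, vid, loc1, loc2, dyn: int) -> bytes:
    """Code bound to VID, target locator, terminal locator and time window."""
    msg = vid + loc1 + loc2 + struct.pack("!Q", dyn)
    return hmac.new(first_key, msg, hashlib.sha256).digest()[:CODE_LEN]


class TargetDevice:
    """Holds the service (second) key; registers terminals and issues their keys."""
    def __init__(self, loc1: bytes, service_id: bytes, root_key: bytes):
        self.loc1, self.service_id = loc1, service_id
        self.second_key = service_key(root_key, service_id)
        self.next_tid = 1

    def register(self):
        tid, self.next_tid = struct.pack("!I", self.next_tid), self.next_tid + 1
        vid = make_vid(self.service_id, tid)
        return vid, terminal_key(self.second_key, vid)

    def filtering_request(self):
        return self.loc1, self.service_id, self.second_key


class NetworkDevice:
    """Re-derives each terminal's key from the second key; no per-terminal table."""
    def __init__(self, threshold: int):
        self.table, self.seen, self.threshold = {}, Counter(), threshold

    def install(self, loc1, service_id, second_key):
        self.table[(loc1, service_id)] = second_key

    def check(self, pkt: dict, now: int) -> str:
        """'forward', 'drop' (code mismatch) or 'limit' (legal but over threshold)."""
        second_key = self.table.get((pkt["loc1"], pkt["service_id"]))
        if second_key is None:
            return "drop"
        first_key = terminal_key(second_key, pkt["vid"])
        expect = verification_code(first_key, pkt["vid"], pkt["loc1"],
                                   pkt["loc2"], now // WINDOW)
        if not hmac.compare_digest(expect, pkt["code"]):   # constant-time compare
            return "drop"
        self.seen[pkt["vid"]] += 1
        return "limit" if self.seen[pkt["vid"]] >= self.threshold else "forward"


def terminal_packet(vid, first_key, service_id, loc1, loc2, now) -> dict:
    """Header fields the terminal puts on the wire, modelled as a dict."""
    code = verification_code(first_key, vid, loc1, loc2, now // WINDOW)
    return {"vid": vid, "code": code, "loc1": loc1, "loc2": loc2,
            "service_id": service_id}


def demo(now: int = 1_700_000_000) -> list:
    """Constructed scenario: registration, one legal packet, a forgery that knows
    the VID but not the key, a replay from a stale window, then the per-VID
    threshold. Returns the network device's verdicts in order."""
    loc1, loc2, sid = b"target-locator", b"terminal-locator", b"service-A"
    target = TargetDevice(loc1, sid, os.urandom(32))
    nd = NetworkDevice(threshold=3)
    nd.install(*target.filtering_request())
    vid, first_key = target.register()
    ok = terminal_packet(vid, first_key, sid, loc1, loc2, now)
    forged = dict(ok, code=os.urandom(CODE_LEN))
    verdicts = [nd.check(ok, now), nd.check(forged, now),
                nd.check(ok, now + 2 * WINDOW)]
    verdicts += [nd.check(ok, now) for _ in range(2)]
    return verdicts


if __name__ == "__main__":
    print(demo())   # ['forward', 'drop', 'drop', 'forward', 'limit']
```

The network device stores only (location locator, service identifier) to second key, matching the claim that it needs no per-terminal or per-service entries; every per-terminal key is re-derived on the fly. The dynamic parameter bounds replay to one window, so a captured packet stays valid within the same 60 seconds in this example; a tighter window or a per-identifier sequence number would be needed if that matters for the deployment.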
- the present application also provides a communication device for implementing the method described in the first aspect.
- the communication device is a terminal or a communication device that supports the terminal to implement the method described in the first aspect.
- the communication device includes a chip system.
- the communication device includes: a receiving unit, a processing unit, and a sending unit.
- the receiving unit is configured to receive a first verifiable identifier and a first key;
- the processing unit is configured to generate a first verification code according to the first verifiable identifier and the first key;
- the sending unit is configured to send a first data packet, the first data packet including the first verifiable identifier and the first verification code.
- the method for generating the first verification code according to the first verifiable identifier and the first key is the same as the corresponding description in the first aspect, and will not be repeated here.
- the present application also provides a communication device for implementing the method described in the second aspect.
- the communication device is a network device or a communication device that supports the network device to implement the method described in the second aspect.
- the communication device includes a chip system.
- the communication device includes: a receiving unit and a processing unit.
- the receiving unit is configured to receive a first data packet that includes a first verifiable identifier and a first verification code; the processing unit is configured to obtain a first key corresponding to the first verifiable identifier, to generate a second verification code according to the first verifiable identifier and the first key, to determine that the first data packet is legal when the second verification code is the same as the first verification code, and to determine that the first data packet is illegal when the two are not the same.
- the communication device may further include a sending unit, configured to forward the first data packet to the target device if the network device determines that the first data packet is legal.
- the method for generating the second verification code is the same as the corresponding description in the second aspect, and will not be repeated here.
- the present application also provides a communication device for implementing the method described in the third aspect.
- the communication device is a target device or a communication device that supports the target device to implement the method described in the third aspect.
- the communication device includes a chip system.
- the communication device includes: a processing unit and a sending unit.
- the processing unit is configured to obtain a first verifiable identifier and a second key, and to generate a first key according to the first verifiable identifier and the second key; the sending unit is configured to send the first verifiable identifier and the first key to the first terminal.
- the communication device may further include a receiving unit, configured to obtain a first service identifier and a registration request, where the first service identifier is used to indicate the first service running on the target device.
- the processing unit is configured to allocate a first terminal identifier to the first terminal, and the first terminal identifier is used to indicate the first terminal.
- the processing unit generates the first verifiable identifier according to the first service identifier and the first terminal identifier, or according to the first terminal identifier alone.
- the functional modules of the fourth aspect to the sixth aspect described above can be implemented by hardware, or implemented by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the above-mentioned functions.
- the transceiver is used to complete the functions of the receiving unit and the transmitting unit
- the processor is used to complete the function of the processing unit
- the memory stores the program instructions with which the processor carries out the method of the present application.
- the processor, the transceiver, and the memory are connected through a bus and communicate with each other.
- the present application also provides a communication device for implementing the method described in the first aspect.
- the communication device is a terminal or a communication device that supports the terminal to implement the method described in the first aspect.
- the communication device includes a chip system.
- the communication device includes a processor, configured to implement the functions of the method described in the first aspect.
- the communication device may also include a memory for storing program instructions and data. The memory is coupled with the processor, and the processor can call and execute program instructions stored in the memory to implement the functions in the method described in the first aspect.
- the communication device may further include a communication interface, and the communication interface is used for the communication device to communicate with other devices. Exemplarily, if the communication device is a terminal, the other device is a network device.
- the communication device includes a transceiver and a processor.
- the transceiver is configured to receive the first verifiable identification and the first key;
- the processor is configured to generate a first verification code according to the first verifiable identification and the first key;
- the transceiver is also configured to send the first data packet, which includes the first verifiable identifier and the first verification code.
- the method for generating the first verification code according to the first verifiable identifier and the first key is the same as the corresponding description in the first aspect, and will not be repeated here.
- this application also provides a communication device for implementing the method described in the second aspect.
- the communication device is a network device or a communication device that supports the network device to implement the method described in the second aspect, for example, the communication device includes a chip system.
- the communication device includes a processor, configured to implement the functions of the method described in the second aspect.
- the communication device may also include a memory for storing program instructions and data. The memory is coupled with the processor, and the processor can call and execute program instructions stored in the memory to implement the functions in the method described in the second aspect.
- the communication device may further include a communication interface, and the communication interface is used for the communication device to communicate with other devices. Exemplarily, if the communication device is a network device, the other device is a terminal.
- the communication device includes a transceiver and a processor.
- the transceiver is configured to receive a first data packet, where the first data packet includes a first verifiable identifier and a first verification code;
- the processor is configured to obtain a first key corresponding to the first verifiable identifier;
- the processor is further configured to generate a second verification code according to the first verifiable identifier and the first key;
- the processor is further configured to determine that the first data packet is legal when the second verification code is the same as the first verification code;
- the processor is further configured to determine that the first data packet is illegal when the second verification code and the first verification code are not the same.
- the transceiver is further configured to forward the first data packet to the target device if the network device determines that the first data packet is legal.
- the method for generating the second verification code is the same as the corresponding description in the second aspect, and will not be repeated here.
- this application also provides a communication device for implementing the method described in the third aspect.
- the communication device is a target device or a communication device that supports the target device to implement the method described in the third aspect, for example, the communication device includes a chip system.
- the communication device includes a processor, configured to implement the functions of the method described in the third aspect.
- the communication device may also include a memory for storing program instructions and data. The memory is coupled with the processor, and the processor can call and execute the program instructions stored in the memory to implement the functions in the method described in the third aspect.
- the communication device may further include a communication interface, and the communication interface is used for the communication device to communicate with other devices. Exemplarily, if the communication device is a target device, the other device is a terminal.
- the communication device includes a transceiver and a processor.
- the processor is configured to obtain a first verifiable identifier and a second key, and to generate a first key according to the first verifiable identifier and the second key; the transceiver is configured to send the first verifiable identifier and the first key to the first terminal.
- the transceiver is further used to obtain a first service identifier and a registration request, where the first service identifier is used to indicate the first service running on the target device.
- the processor is configured to allocate a first terminal identifier to the first terminal, and the first terminal identifier is used to indicate the first terminal.
- the processor generates the first verifiable identifier according to the first service identifier and the first terminal identifier, or according to the first terminal identifier alone.
- the specific method is the same as the corresponding description in the third aspect, and will not be repeated here.
- the present application also provides a computer-readable storage medium containing computer software instructions; when the instructions run in a communication device, they cause the communication device to execute the method described in any one of the first to third aspects above.
- this application also provides a computer program product containing instructions; when the computer program product runs in a communication device, it causes the communication device to execute the method described in any one of the first to third aspects above.
- the present application provides a chip system that includes a processor and may also include a memory for implementing the functions of the network device, terminal, or target device in the foregoing method.
- the chip system can be composed of chips, or can include chips and other discrete devices.
- the present application also provides a communication system.
- the communication system includes the terminal described in the fourth aspect or a communication device that supports the terminal in implementing the method described in the first aspect, the network device described in the fifth aspect or a communication device that supports the network device in implementing the method described in the second aspect, and the target device described in the sixth aspect or a communication device that supports the target device in implementing the method described in the third aspect;
- or the communication system includes the terminal described in the seventh aspect or a communication device that supports the terminal in implementing the method described in the first aspect, the network device described in the eighth aspect or a communication device that supports the network device in implementing the method described in the second aspect, and the target device described in the ninth aspect or a communication device that supports the target device in implementing the method described in the third aspect.
- the names of the terminal, network device, target device, and communication device do not limit the device itself. In actual implementation, these devices may appear under other names. As long as the function of each device is similar to that of this application, it falls within the scope of the claims of this application and equivalent technologies.
- FIG. 1 is an example diagram of a DDoS attack provided by the prior art.
- FIG. 2 is an example diagram of the architecture of a communication system provided by this application.
- FIG. 3 is an example diagram of key derivation provided by this application.
- FIG. 4 is a flowchart of a data processing method provided by this application.
- FIG. 5 is a flowchart of another data processing method provided by this application.
- FIG. 6 is an example diagram of the structure of an IPv6 datagram provided by this application.
- FIG. 7 is an example diagram of the structure of a TCP datagram provided by this application.
- FIG. 8 is a diagram of an example composition of a communication device provided by this application.
- FIG. 9 is a diagram of an example composition of another communication device provided by this application.
- FIG. 10 is a schematic diagram of a communication scenario provided by this application.
- FIG. 11 is a schematic diagram of a communication scenario provided by this application.
- words such as “exemplary” or “for example” are used to mean serving as an example, instance, or illustration. Any embodiment or design solution described as “exemplary” or “for example” in the embodiments of the present application should not be construed as being more preferable or advantageous than other embodiments or design solutions. To be precise, words such as “exemplary” or “for example” are used to present related concepts in a specific manner.
- a DDoS attack refers to multiple attacker devices in different locations simultaneously launching attacks on one or more target devices, or one attacker device controls multiple devices located in different locations, and uses these devices to simultaneously attack the target devices.
- the attacker device sends a large number of data packets carrying false IP addresses to the target device, so that the target device maintains a large number of half-open connections or responds to a large number of unreachable data packets, resulting in the exhaustion of the target device's resources.
- the attacker device controls a large number of zombie devices and sends a large number of data packets to the target device, causing the target device's resources to be exhausted.
- This application provides a data processing method.
- the method includes: a first terminal receives a first verifiable identifier and a first key sent by a target device, generates a first verification code according to the first verifiable identifier and the first key, and, when sending a first data packet to the target device, includes the first verifiable identifier and the first verification code in the first data packet.
- the first key is derived from the second key.
- the second key is a key corresponding to the first service that the target device supports.
- when the network device receives the first data packet sent by the first terminal, it obtains the first key corresponding to the first verifiable identifier and generates a second verification code according to the first verifiable identifier and the first key. When the second verification code is the same as the first verification code, it is determined that the first data packet is legal, and the first data packet is forwarded to the target device.
- the data processing method provided by the embodiment of the present application allocates a verifiable identifier and a key corresponding to the verifiable identifier to a terminal that accesses the service supported by the target device, and the terminal carries the verifiable identifier and the verification code in the data packets it sends.
- the network device can then distinguish legal data packets from illegal data packets based on the verifiable identifier and verification code, and only legal data packets are forwarded.
- the data processing method provided in the embodiments of the present application can ensure that legitimate traffic (traffic sent by a registered terminal) is forwarded, and network equipment filters most of the DDoS attack traffic.
- the data processing method provided in the embodiments of the present application can reduce the delay in processing legitimate traffic caused by deep protocol analysis.
- because the verifiable identifier can be embedded in the IP address of the target device, network devices can filter directly at the network layer, which reduces the cost of defending against DDoS attacks and does not rely on cross-domain cooperation.
- the so-called target device can be understood as a protected device or a device that an attacker needs to attack.
- the target device in the embodiment of this application may be an application server, a router, or a device in the Internet of Things (IoT), etc., which is not limited in this application.
- the IoT device may be a fire alarm device or the like. If the fire alarm device is attacked, it will not be able to detect a fire and raise an alarm, and so will not send alarm messages, which causes a serious safety threat.
- the target device is an application server for example.
- FIG. 2 shows an example diagram of the architecture of a communication system that can be applied to embodiments of the present application.
- the communication system includes at least one terminal 201, an Internet Service Provider (ISP) network, and a data center.
- An ISP can be a telecom operator that provides comprehensive Internet access services, information services, and value-added services to users.
- the ISP network may include network equipment 202 (such as border routers and switches).
- the data center may include at least one application server 203.
- multiple application servers can be independent, different physical devices, or the functions of multiple application servers can be integrated on the same physical device (such as multiple application servers within the jurisdiction of a cloud service provider), or some application server functions can be integrated on one physical device.
- Each application server can run one or more services (such as game services).
- the terminal 201 is connected to the network device 202 in a wireless or wired manner.
- the network device 202 will be connected in a wireless or wired manner.
- the network device 202 is connected to the application server 203 in a wireless or wired manner.
- the terminal device may be fixed in location or movable.
- FIG. 2 is only a schematic diagram, and the communication system may also include other devices, such as wireless relay devices and wireless backhaul devices, which are not shown in FIG. 2.
- the embodiments of the present application do not limit the number of terminals, network devices, and application servers included in the communication system.
- the terminal 201 may be a wireless terminal device capable of receiving base station scheduling and instruction information.
- the wireless terminal device may be a device that provides voice and/or data connectivity to the user, a handheld device with a wireless connection function, or other processing equipment connected to a wireless modem.
- a wireless terminal device can communicate with one or more core networks or the Internet via a wireless access network (e.g., radio access network, RAN).
- the wireless terminal device can be a mobile terminal device, such as a mobile phone (also called a "cellular" phone), a computer, or a data card; for example, it may be a portable, pocket-sized, handheld, computer-built-in or vehicle-mounted mobile device that exchanges voice and/or data with the wireless access network.
- wireless terminal equipment can also be called a system, subscriber unit, subscriber station, mobile station (MS), remote station, access point (AP), remote terminal, access terminal, user terminal, user agent, subscriber station (SS), customer premises equipment (CPE), terminal, user equipment (UE), mobile terminal (MT), etc.
- terminal devices can be wireless terminals in industrial control, wireless terminals in self-driving, wireless terminals in remote medical surgery, wireless terminals in smart grid, wireless terminals in transportation safety, wireless terminals in smart city, wireless terminals in smart home, etc.
- the application server 203 is configured to obtain a verifiable identifier (authenticated identifier, AID) and the key corresponding to the service, generate a key corresponding to the verifiable identifier according to the verifiable identifier and the key corresponding to the service, and send the verifiable identifier and its key to the terminal 201.
- the key corresponding to the verifiable identifier is used to identify the terminal accessing the service.
- the verifiable identifier can also be understood as identifying the type of terminal that accesses the service.
- the terminal 201 is configured to receive the verifiable identifier and the key corresponding to the verifiable identifier sent by the application server 203, generate a verification code according to the verifiable identifier and the key corresponding to the verifiable identifier, and carry the verifiable identifier and the verification code in the data packets sent by the terminal 201.
- the network device 202 is configured to receive the data packet sent by the terminal 201, obtain the key corresponding to the verifiable identifier, determine that the data packet is legal according to the verification code, the verifiable identifier, and the key corresponding to the verifiable identifier, and forward the data packet to the application server.
- the ISP network may further include a control center server 204, and the network device 202 is connected to the control center server 204 in a wireless or wired manner.
- the control center server 204 is configured to receive a filtering request sent by the application server 203.
- the filtering request may include the location locator of the application server 203, the service identification supported by the application server 203 and the key corresponding to the service.
- the control center server 204 issues the filtering request, the verifiable identifier and the related key to the network device 202, so that the network device 202 implements a filtering method based on the verifiable identifier and verification code.
- the data center may also include a monitor 205, a key management center 206, and a location locator distribution center 207.
- the monitor 205 is used to monitor whether the application server in the data center is subject to DDoS attacks. In some embodiments, when the application server suffers a DDoS attack, the monitor 205 may send a filtering request to the network device 202.
- the location locator allocation center 207 is used to allocate location locators (locators) to the application server.
- the location locator is used to indicate the application server.
- the location locator may be the location identifier of the application server. In other embodiments, the location locator may be the routing identifier of the application server.
- the key management center 206 is used to allocate a service ID and a key corresponding to the service ID to the application server.
- the key management center in the data center may maintain a service key correspondence for each service supported by the application server.
- the so-called service key correspondence may refer to the correspondence between a service identification (service identification, SID) and a master key (master key, MK) corresponding to the service identification.
- the service key correspondence can be presented in the form of a table.
- the key management center may store a service key relationship table, and the service key relationship table includes at least one service key corresponding relationship. For example, as shown in Table 1, the service key relationship is presented.
- Table 1 only illustrates the storage form of the service key relationship in the key management center in the form of a table, and does not limit the storage form of the service key relationship in the key management center.
- the service key correspondence may also be stored in the key management center in other forms, which is not limited in the embodiment of the present application.
- the application server 203 may call the first unified software development kit (Software Development Kit, SDK) interface to obtain the service identifier and the master key corresponding to the service identifier from the key management center.
- the application server may call the second unified SDK interface according to the service identification and the master key corresponding to the service identification to generate the verifiable identification and terminal key (client key, CK) of the corresponding terminal in the service for the registered terminal.
- the terminal key may refer to the key corresponding to the verifiable identification.
- the master key is used to derive the key of the registered terminal that can access the service.
- the application server in the data center supports running n services.
- the master key corresponding to the first service is MK1.
- the application server 203 may derive the keys of m registered terminals that can access the first service according to MK1.
- the master key corresponding to the second service is MK2.
- the application server 203 may derive the keys of p registered terminals that can access the second service according to the MK2.
- the master key corresponding to the third service is MK3.
- the application server 203 can derive the keys of q registered terminals that can access the third service according to MK3.
- FIG. 4 is a flowchart of a data processing method provided by an embodiment of this application.
- the description takes as an example a first terminal accessing the first service that the application server supports.
- the method may include:
- the application server obtains a first verifiable identifier and a first key.
- the key management center stores the service key relationship of the first service, that is, the corresponding relationship between the first service identifier and the first key.
- the first service identifier is used to indicate the first service running on the application server.
- the first key is a key corresponding to the first service, and the first key is used to derive a key of a registered terminal that can access the first service.
- the first key may refer to MK.
- the application server may call the first unified SDK interface to send a request message to the key management center for requesting the service key correspondence of the first service.
- the application server receives the first service identifier and the first key fed back by the key management center.
- the first service identifier may be used by the application server to generate the first verifiable identifier.
- the so-called first verifiable identifier is used to identify the first terminal accessing the first service.
- the first terminal may be a terminal that has been registered on the application server and can access the first service.
- the first verifiable identifier may also be understood as identifying the type of terminal that accesses the first service.
- after the application server creates the first service, it can obtain the service key correspondence of the first service from the key management center and first cache the first service identifier and the first key.
- the application server calls the second unified SDK interface according to the first service identifier and the first terminal identifier to generate the first verifiable identifier for the registered first terminal, or the application server calls the second unified SDK interface according to the first terminal identifier alone to generate the first verifiable identifier for the registered first terminal.
- alternatively, the application server obtains the service key correspondence of the first service from the key management center and then calls the second unified SDK interface according to the first service identifier and the first terminal identifier to generate the first verifiable identifier for the registered first terminal, or calls the second unified SDK interface according to the first terminal identifier alone to generate the first verifiable identifier for the registered first terminal.
- the implementation manner for the application server to obtain the first verifiable identifier may be the following description of S4011 to S4015, or the description of S4011 to S4014 and S4016.
- the first terminal sends a registration request to the application server.
- the application server receives the registration request sent by the first terminal.
- the registration request may include the first service identifier, which is used to request the application server to authorize the first terminal to access the first service.
- the application server allocates a first terminal identifier (client identifier, CID) to the first terminal.
- after receiving the registration request sent by the first terminal, the application server allocates the first terminal identifier to the first terminal, where the first terminal identifier is used to indicate the first terminal.
- the application server obtains the first service identifier and the first key.
- the application server may call the first unified SDK interface to obtain the first service identifier and the first key from the key management center. For details, refer to the description above, which is not repeated here.
- the application server generates a first verifiable identifier according to the first service identifier and the first terminal identifier.
- the application server may use a hash algorithm to generate the first verifiable identifier according to the first service identifier and the first terminal identifier.
- the hash algorithm can also be called a hash function.
- the so-called hash algorithm can refer to a function that changes an input message string of arbitrary length into a fixed-length output string.
- the application server generates a first verifiable identifier according to the first terminal identifier.
- the application server may use a hash algorithm to generate the first verifiable identification according to the first terminal identification.
- the verifiable identifier uniquely identifies the first terminal accessing the first service. Therefore, when generating the first verifiable identifier, the application server needs to refer to the verifiable identifiers already assigned to other terminals, so as to avoid the confusion caused by assigning the same verifiable identifier to different terminals.
- the sequence of the steps of the data processing method provided in the embodiments of the present application can be adjusted appropriately, and the steps can also be increased or decreased according to the situation.
- the sequence between S4016 and S4014 can be interchanged, the first verifiable identification can be generated according to the first terminal identification, and then the first key can be obtained. Any person familiar with the technical field can easily think of a method of change within the technical scope disclosed in this application, which should be covered by the protection scope of this application, and therefore will not be repeated.
- the first key can be used by the application server to generate the second key.
- the second key is the key corresponding to the first terminal.
- the second key may refer to CK.
- after the application server creates the first service, it can obtain the service key correspondence of the first service from the key management center and first cache the first service identifier and the first key. After the first terminal completes registration, the application server calls the SDK interface according to the first key to generate a second key for the registered first terminal.
- alternatively, the application server obtains the service key correspondence of the first service from the key management center and then calls the second unified SDK interface according to the first key to generate the second key for the registered first terminal.
- the application server generates a second key according to the first verifiable identifier and the first key.
- the application server may use a hash algorithm to generate the second key based on the first verifiable identification and the first key.
- the application server sends the first verifiable identifier and the second key to the first terminal.
- the application server may send the first verifiable identification and the second key to the first terminal according to an application layer security protocol.
- an application layer security protocol may be used to prevent leakage of the first verifiable identifier and the second key in transit.
- the first terminal receives the first verifiable identifier and the second key.
- the first terminal receives the first verifiable identifier and the second key, and can cache the first verifiable identifier and the second key so that, when the first terminal needs to send the first data packet, the first verifiable identifier and the first verification code can be included in the first data packet.
- the first terminal generates a first verification code according to the first verifiable identifier and the second key.
- the first terminal may use a hash algorithm to generate the first verification code according to the first verifiable identifier, the second key, and at least one of the first location locator, the second location locator, and the dynamic parameter.
- the first terminal may use a hash algorithm to generate the first verification code according to the first verifiable identifier, the second key, and the first location locator.
- the first terminal may use a hash algorithm to generate the first verification code according to the first verifiable identifier, the second key, the first location locator and the dynamic parameters.
- the first terminal may use a hash algorithm to generate the first verification code according to the first verifiable identifier, the second key, the first location locator, and the second location locator.
- the first terminal may use a hash algorithm to generate the first verification code according to the first verifiable identifier, the second key, the first location locator, the second location locator, and the dynamic parameters.
- the first location locator is used to indicate an application server that supports running the first service.
- the first location locator may be a location identifier of an application server that supports running the first service.
- the first location locator may be a routing identifier of an application server that supports running the first service.
- the location locator distribution center may assign a location locator to each application server in the data center.
- the first terminal can access a domain name resolution (DNS) server, obtain the static identification of the application server, and access the first service run by the application server through the static identification of the application server.
- the static identification of the application server includes the first location locator.
- the static identification of the application server may further include the first service identification.
- the second location locator is used to indicate the first terminal.
- the second location locator may be the location identifier of the first terminal.
- the second location locator may be the IP address of the first terminal.
- the dynamic parameter may vary over time.
- the dynamic parameter may be time information.
- the first terminal sends a first data packet, where the first data packet includes a first verifiable identifier and a first verification code.
- the first verifiable identifier and the first verification code may be set in the network layer protocol header or the transport layer protocol header included in the first data packet.
- the first verifiable identifier and the first verification code may be set in the destination IP address included in the first data packet.
- the destination IP address may refer to the destination IP address in the IPv6 datagram.
- for example, FIG. 6 is an example diagram of the structure of an IPv6 datagram.
- the IPv6 datagram includes a basic header, N extension headers and a data part.
- the N extension headers and the data part can together be referred to as the payload.
- the basic header includes version, traffic class, flow label, payload length, next header, hop limit, source address and destination address.
- the destination address refers to the IP address of the receiver of the datagram, which occupies 128 bits.
- the first verifiable identifier and the first verification code may be set in the destination IP address in the IPv6 datagram.
- the destination IP address may refer to the destination IP address in the IPv4 datagram.
- because the first verifiable identifier can be embedded in the IP address of the application server, network devices can filter directly at the network layer, which reduces the cost of defending against DDoS attacks, does not rely on cross-domain cooperation, and does not rely on parsing upper-layer (such as application layer) protocol data.
- the first verifiable identifier and the first verification code may be set in the source IP address included in the first data packet.
- the source IP address may refer to the source IP address in the IPv6 datagram.
- the source IP address may refer to the source IP address in the IPv4 datagram.
- the first verifiable identifier and the first verification code may be set in the next header of the network layer protocol header included in the first data packet. Because the first verifiable identifier can be embedded in the next header field, network devices can filter directly at the network layer, which reduces the cost of defending against DDoS attacks, does not rely on cross-domain cooperation, and does not rely on parsing upper-layer (such as application layer) protocol data.
- the first verifiable identifier and the first verification code may be set in optional fields of the network layer protocol header included in the first data packet. Because the first verifiable identifier can be embedded in an optional field, the network device can filter directly at the network layer, which reduces the cost of defending against DDoS attacks, does not rely on cross-domain cooperation, and does not rely on parsing upper-layer (such as application layer) protocol data.
- the first verifiable identifier and the first verification code can be set in optional fields in the TCP header.
- for example, FIG. 7 is an example diagram of the structure of a TCP datagram.
- the TCP datagram is contained in the data part of the IP datagram.
- the TCP datagram includes the TCP header and the data part of the TCP datagram.
- the TCP header includes source port, destination port, sequence number, acknowledgment number, data offset (header length), reserved (resv), urgent (URG), acknowledgment (ACK), push (PSH), reset (RST), synchronize (SYN), finish (FIN), window size, checksum, urgent pointer and options.
- because the first verifiable identifier can be embedded in the next header field, network devices can filter directly at the network layer, which reduces the cost of defending against DDoS attacks, does not rely on cross-domain cooperation, and does not rely on parsing upper-layer (such as application layer) protocol data.
- the data packet sent by the first terminal to the application server may include the first verifiable identifier and the first verification code.
- the data packet sent by the first terminal to the application server may also include the first verifiable identifier and the first verification code.
- the first data packet may further include a first position locator and a second position locator.
- the first location locator can be set in the destination IP address in the IPv6 datagram.
- S407 The network device receives the first data packet.
- the network device obtains a second key corresponding to the first verifiable identifier.
- after receiving the first data packet, the network device parses the first data packet to obtain the first verifiable identifier and the first verification code.
- the network device obtains the second key corresponding to the first verifiable identifier according to the description of S4081 and S4084 below.
- the network device obtains the second key corresponding to the first verifiable identifier according to the description of S4082 to S4084 below.
- the network device obtains the first key according to the first location locator.
- the first data packet includes a first location locator.
- the first location locator can be set in the destination address in the IPv6 datagram.
- the network device parses the first data packet to obtain the first location locator.
- the first location locator is used to indicate an application server that supports running the first service.
- the first location locator may be a location identifier of an application server that supports running the first service.
- the first location locator may be a routing identifier of an application server that supports running the first service.
- the network device may obtain the location locator and the key of the corresponding service from the data center in advance.
- the network device can maintain a location locator master key correspondence.
- the so-called location locator master key correspondence may refer to the correspondence between the location locator and the master key corresponding to the service running at that locator.
- the corresponding relationship of the location locator master key can be presented in the form of a table.
- the network device may store a location locator master key correspondence table, and the location locator master key correspondence table includes at least one location locator master key correspondence. For example, as shown in Table 2, the corresponding relationship of the master key of the location locator is presented.
- Table 2 only illustrates the storage form of the location locator master key correspondence in the network device in the form of a table, and does not limit the storage form of the location locator master key correspondence in the network device.
- the storage form of the location locator master key correspondence in the network device may also be stored in other forms, which is not limited in the embodiment of the present application.
- after the network device obtains the first location locator, it can obtain the location locator master key correspondence locally, query it, and obtain the first key corresponding to the first location locator.
- the first key is a key corresponding to the first service, and the first key is used to derive a key of a registered terminal that can access the first service.
- the network device obtains the third key according to the first location locator.
- the network device may obtain the location locator and the root key (RK) from the data center in advance.
- the root key is used to derive the key of the corresponding service.
- the network device can maintain a location locator root key correspondence.
- the location locator root key correspondence refers to the correspondence between a location locator and a root key.
- the location locator root key correspondence can be presented in the form of a table.
- the network device may store a location locator root key correspondence table, and the location locator root key correspondence table includes at least one location locator root key correspondence. For example, the location locator root key correspondence is presented as shown in Table 3.
- Table 3 only illustrates the storage of the location locator root key correspondence in the network device in the form of a table, and does not limit the storage form of the location locator root key correspondence in the network device.
- the location locator root key correspondence may also be stored in the network device in other forms, which is not limited in the embodiment of the present application.
- after the network device obtains the first location locator, it can obtain the location locator root key correspondence locally, query it, and obtain the third key corresponding to the first location locator.
- the third key is used to derive the key of the corresponding service.
- the third key may refer to the root key.
- since the services share one root key, the mapping table that the network device needs to maintain is relatively small, there is no need to maintain a correspondence entry for each service, and at the same time the query overhead of the network device is reduced.
- the network device generates a first key according to the third key and the first service identifier.
- the network device may use a hash algorithm to generate the first key according to the third key and the first service identifier.
- the first data packet may include the first service identification.
- the first service identifier may be set in the destination IP address field.
- the first service identifier may be set in the next header field in the network layer protocol.
- the first service identifier may be set in the options field of the TCP header. This is not limited in this application.
- the network device parses the first data packet to obtain the first service identifier.
- the first service identifier is used to indicate the first service running on the application server.
- the network device generates a first key according to the third key and the first location locator.
- the network device may use a hash algorithm to generate the first key according to the third key and the first location locator.
- the first data packet may include a first location locator. After receiving the first data packet, the network device parses the first data packet to obtain the first location locator.
- the network device generates a second key according to the first verifiable identifier and the first key.
- the network device may use a hash algorithm to generate the second key based on the first verifiable identification and the first key.
- the network device may obtain the location locator and the key of the corresponding terminal from the data center in advance.
- the network device can maintain a location locator terminal key correspondence.
- the location locator terminal key correspondence refers to the correspondence between a location locator and the terminal key of the corresponding terminal.
- the location locator terminal key correspondence can be presented in the form of a table.
- the network device may store a location locator terminal key correspondence table, and the location locator terminal key correspondence table includes at least one location locator terminal key correspondence relationship. For example, as shown in Table 4, the corresponding relationship of the location locator terminal key is presented.
- Table 4 only illustrates the storage form of the location locator terminal key correspondence in the network device in the form of a table, and does not limit the storage form of the location locator terminal key correspondence in the network device.
- the storage form of the location locator terminal key correspondence in the network device may also be stored in other forms, which is not limited in this embodiment of the application.
- after the network device obtains the first location locator, it can obtain the location locator terminal key correspondence locally, query it, and obtain the second key corresponding to the first location locator.
- the network device generates a second verification code according to the first verifiable identifier and the second key.
- the network device may use a hash algorithm to generate the second verification code based on the first verifiable identifier and the second key together with at least one of the first location locator, the second location locator, and the dynamic parameter.
- the network device may use a hash algorithm to generate the second verification code based on the first verifiable identifier, the second key, and the first location locator.
- the first terminal may use a hash algorithm to generate the first verification code according to the first verifiable identifier, the second key, the first location locator and the dynamic parameters.
- the network device may use a hash algorithm to generate the second verification code according to the first verifiable identifier, the second key, the first location locator, and the second location locator.
- the network device may use a hash algorithm to generate the second verification code according to the first verifiable identifier, the second key, the first location locator, the second location locator, and the dynamic parameters.
- the first data packet includes a first location locator and a second location locator.
- the first location locator is used to indicate an application server that supports running the first service.
- the second location locator is used to indicate the first terminal.
- the second location locator may be the location identifier of the first terminal.
- the second location locator may refer to the IP address of the first terminal.
- Dynamic parameters are variable over time.
- the dynamic parameter may be time information. It should be noted that the dynamic parameters here are the same as those used when the first terminal uses the hash algorithm to generate the first verification code, so as to avoid verification failures caused by different dynamic parameters.
- S410 The network device judges whether the second verification code is the same as the first verification code. When the second verification code is the same as the first verification code, S411 is executed. When the second verification code and the first verification code are not the same, S412 is executed.
- S411 The network device determines that the first data packet is legal. Go to S413.
- S412 The network device determines that the first data packet is illegal.
- the network device determines that the first data packet is illegal, which may indicate that the network device may have received an illegal data packet (such as a DDoS attack data packet), and the network device discards the first data packet.
- if the first terminal is a registered terminal, it holds the first verifiable identifier and the second key, so the network device can determine that the second verification code is the same as the first verification code. If the first terminal is a terminal that is not registered with the application server, it may have the first verifiable identifier but does not have the second key; the first verification code it generates with a wrong key differs from the second verification code, so the network device can determine that the first data packet is illegal.
- S413 The network device forwards the first data packet to the application server.
- S414 The application server receives the first data packet sent by the network device.
- the network device may verify the data packet accessing the first service by default to determine whether the data packet is a legal data packet. When the data packet is a legal data packet, the legal data packet is forwarded. When the data packet is an illegal data packet, discard the illegal data packet.
- the network device may verify the data packet for accessing the first service according to the instruction to determine whether the data packet is legitimate data.
- the method may further include the following steps.
- S415 The network device receives the filtering request.
- the filtering request is used to instruct to verify the data packets accessing the first service to prevent DDoS attacks.
- the filtering request may include the first location locator, the first service identifier, and the first key.
- the data processing method provided by the embodiment of the present application allocates a verifiable identifier and a key corresponding to the verifiable identifier to a terminal that accesses the service supported by the application server, and the terminal carries the verifiable identifier and the verification code in the data packet sent,
- the network device can identify legal data packets and illegal data packets based on the verifiable identification and verification code, and only legal data packets will be forwarded.
- the data processing method provided in the embodiments of the present application can ensure that legitimate traffic (traffic sent by a registered terminal) is forwarded, and network equipment filters most of the DDoS attack traffic.
- the data processing method provided in the embodiments of the present application can reduce the delay in processing legal traffic caused by deep protocol analysis.
- since the verifiable identifier can be embedded in the IP address of the application server, network devices can filter directly at the network layer, which reduces the cost of defending against DDoS attacks and does not rely on cross-domain cooperation.
- if the first terminal is a terminal that is not registered with the application server, but the first verifiable identifier and the second key have been leaked so that the first terminal possesses the first verifiable identifier and the correct second key, then the first verification code generated by the first terminal according to the first verifiable identifier and the correct second key is the same as the second verification code.
- in that case the application server may be subject to a DDoS attack; when the network device determines that the traffic corresponding to the first verifiable identifier is greater than or equal to a threshold, verification of the verification code is not required and the traffic of the first verifiable identifier is restricted, thereby preventing a large number of data packets from being sent to the application server and defending against the DDoS attack.
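The key hierarchy and verification steps described above (root key to service key to terminal key, a verification code over the identifier, both locators and the dynamic parameter, and the per-identifier threshold for the leaked-key case) as one worked example. This is added example code, not code from the patent or its applicant: HMAC-SHA256 over length-prefixed inputs, the 8-byte truncation of the verification code, the `Packet` and `NetworkDevice` names and every sample value (root key, locators, identifiers, time slot) are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass


def kdf(key: bytes, *parts: bytes) -> bytes:
    # The patent only says "a hash algorithm"; HMAC-SHA256 over length-prefixed
    # parts is this example's instantiation (an assumption, not the patent's choice).
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def derive_service_key(root_key: bytes, service_id: bytes) -> bytes:
    """Third key (root key) + first service identifier -> first key (service key)."""
    return kdf(root_key, b"service", service_id)


def derive_terminal_key(service_key: bytes, verifiable_id: bytes) -> bytes:
    """First key + first verifiable identifier -> second key (per-terminal key)."""
    return kdf(service_key, b"terminal", verifiable_id)


def verification_code(terminal_key: bytes, verifiable_id: bytes, loc1: bytes,
                      loc2: bytes, dynamic: bytes) -> bytes:
    """Code over identifier, both locators and the dynamic parameter.
    Truncated to 8 bytes to fit a header field (the length is an assumption)."""
    return kdf(terminal_key, b"code", verifiable_id, loc1, loc2, dynamic)[:8]


@dataclass(frozen=True)
class Packet:
    loc1: bytes           # first location locator (application server)
    loc2: bytes           # second location locator (terminal address)
    service_id: bytes     # first service identifier
    verifiable_id: bytes  # first verifiable identifier
    dynamic: bytes        # dynamic parameter, e.g. a time slot both sides agree on
    code: bytes           # first verification code


def terminal_send(terminal_key, verifiable_id, loc1, loc2, service_id, dynamic) -> Packet:
    """Terminal side: compute the first verification code and carry it in the packet."""
    code = verification_code(terminal_key, verifiable_id, loc1, loc2, dynamic)
    return Packet(loc1, loc2, service_id, verifiable_id, dynamic, code)


class NetworkDevice:
    def __init__(self, threshold: int):
        self.root_keys = {}            # Table 3 analogue: location locator -> root key
        self.filtered = set()          # (loc1, service_id) pairs a filtering request enabled
        self.threshold = threshold     # per-identifier traffic limit (packets per window)
        self.seen = defaultdict(int)   # packets counted per verifiable identifier

    def provision_root_key(self, loc1: bytes, root_key: bytes) -> None:
        self.root_keys[loc1] = root_key

    def filtering_request(self, loc1: bytes, service_id: bytes) -> None:
        """S415: start verifying packets that access this service."""
        self.filtered.add((loc1, service_id))

    def process(self, pkt: Packet) -> str:
        """Returns 'forward', 'drop' or 'rate-limited' (S408 to S413)."""
        if (pkt.loc1, pkt.service_id) not in self.filtered:
            return "forward"           # no filtering requested for this service
        self.seen[pkt.verifiable_id] += 1
        if self.seen[pkt.verifiable_id] >= self.threshold:
            return "rate-limited"      # identifier over threshold: restrict, skip verification
        root_key = self.root_keys.get(pkt.loc1)
        if root_key is None:
            return "drop"              # unknown locator: no key can be derived
        service_key = derive_service_key(root_key, pkt.service_id)
        terminal_key = derive_terminal_key(service_key, pkt.verifiable_id)
        expected = verification_code(terminal_key, pkt.verifiable_id,
                                     pkt.loc1, pkt.loc2, pkt.dynamic)
        # constant-time comparison of the second verification code with the first
        return "forward" if hmac.compare_digest(expected, pkt.code) else "drop"


def demo() -> list:
    """Constructed scenario: registered terminal, unregistered forger, leaked-key flood."""
    root_key = b"constructed-root-key-for-example"
    loc1, loc2, service_id = b"2001:db8::1", b"2001:db8::100", b"svc-42"
    slot = b"slot-123"                 # dynamic parameter shared by terminal and device

    device = NetworkDevice(threshold=5)
    device.provision_root_key(loc1, root_key)
    device.filtering_request(loc1, service_id)

    # Registration: the application server derives the terminal key from the service key.
    vid = b"vid-0001"
    terminal_key = derive_terminal_key(derive_service_key(root_key, service_id), vid)
    results = [device.process(terminal_send(terminal_key, vid, loc1, loc2, service_id, slot))]

    # Unregistered terminal knows an identifier but not its key: the codes differ.
    forged = terminal_send(b"wrong-key", b"vid-0002", loc1, loc2, service_id, slot)
    results.append(device.process(forged))

    # Identifier and key leaked: every code verifies, so the threshold takes over.
    for _ in range(4):
        last = device.process(terminal_send(terminal_key, vid, loc1, loc2, service_id, slot))
    results.append(last)
    return results
```

The dynamic parameter is passed explicitly so that both sides use the same value, as the text requires; a deployment would derive it from a coarse time slot and accept the neighbouring slot to tolerate clock skew. The threshold counter here is a plain count per identifier; a device would reset it per time window.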
- the methods provided in the embodiments of the present application are introduced from the perspective of network equipment, terminal, application server, and interaction between the network equipment, terminal, and application server.
- the network devices, terminals, and application servers include corresponding hardware structures and/or software modules for performing each function.
- the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.
- the embodiments of the present application can divide the network devices, terminals, and application servers into functional modules according to the above method examples.
- each functional module can be divided corresponding to each function, or two or more functions can be integrated into one processing module.
- the above-mentioned integrated modules can be implemented in the form of hardware or software functional modules. It should be noted that the division of modules in the embodiments of the present application is illustrative, and is only a logical function division, and there may be other division methods in actual implementation.
- FIG. 8 shows an example of a possible composition of the communication device involved in the above embodiments; the communication device can execute any of the method embodiments of this application.
- the communication device may include: a receiving unit 801, a processing unit 802, and a sending unit 803.
- the communication device is a terminal or a communication device that supports the terminal to implement the method provided in the embodiment, for example, the communication device may be a chip system.
- the receiving unit 801 is configured to support the communication device to execute the method described in the embodiment of the present application.
- the receiving unit 801 is configured to execute or support the communication device to execute S404 in the data processing method shown in FIG. 4 or S404 in the data processing method shown in FIG. 5.
- the processing unit 802 is configured to execute or support the communication device to execute S405 in the data processing method shown in FIG. 4 or S405 in the data processing method shown in FIG. 5.
- the sending unit 803 is configured to execute or support the communication device to execute S406 in the data processing method shown in FIG. 4 or S406 in the data processing method shown in FIG. 5.
- the communication device is a network device or a communication device that supports the network device to implement the method provided in the embodiment, for example, the communication device may be a chip system.
- the receiving unit 801 is configured to support the communication device to execute the method described in the embodiment of the present application.
- the receiving unit 801 is configured to execute or support the communication device to execute S407 in the data processing method shown in FIG. 4 and S407 and S415 in the data processing method shown in FIG. 5.
- the processing unit 802 is configured to execute or support the communication device to execute S408-S412 in the data processing method shown in FIG. 4 and FIG. 5, S4081, S4082, S4083a, S4083b and S4084 in the data processing method shown in FIG., and S409 to S415.
- the sending unit 803 is configured to execute or support the communication device to execute S413 in the data processing method shown in FIG. 4 and S413 in the data processing method shown in FIG. 5.
- the communication device is an application server or a communication device that supports the application server to implement the method provided in the embodiment, for example, the communication device may be a chip system.
- the receiving unit 801 is configured to support the communication device to execute the method described in the embodiment of the present application.
- the receiving unit 801 is configured to execute or support the communication device to execute S401 and S414 in the data processing method shown in FIG. 4, or S4012, S4014 and S414 in the data processing method shown in FIG.
- the processing unit 802 is configured to execute or support the communication device to execute S402 in the data processing method shown in FIG. 4, or S4013, S4015, S4016, and S402 in the data processing method shown in FIG. 5.
- the sending unit 803 is configured to execute or support the communication device to execute S403 in the data processing method shown in FIG. 4 or S403 in the data processing method shown in FIG. 5.
- the communication device provided in the embodiment of the present application is used to execute the method of any of the foregoing embodiments, and therefore can achieve the same effect as the method of the foregoing embodiment.
- a communication device 900 provided by an embodiment of the application is used to implement the function of the network device in the foregoing method.
- the communication device 900 may be a network device or a device in a network device.
- the communication device 900 may be a chip system.
- the chip system may be composed of chips, or may include chips and other discrete devices.
- the communication device 900 is used to implement the function of the terminal in the foregoing method.
- the communication device 900 may be a terminal or a device in the terminal.
- the communication device 900 may be a chip system.
- the chip system may be composed of chips, or may include chips and other discrete devices.
- the communication device 900 is used to implement the function of the application server in the foregoing method.
- the communication device 900 may be an application server or a device in an application server.
- the communication device 900 may be a chip system.
- the chip system may be composed of chips, or may include chips and other discrete devices.
- the communication device 900 includes at least one processor 901, configured to implement the functions of a network device, a terminal, or an application server in the method provided in the embodiment of the present application.
- the processor 901 may be configured to generate a first verification code according to the first verifiable identifier and the first key, or to generate the first key according to the first verifiable identifier and the second key, etc.; for details, see the detailed description in the method embodiments, which is not repeated here.
- the communication device 900 may also include at least one memory 902 for storing program instructions and/or data.
- the memory 902 is coupled with the processor 901.
- the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units, or modules, and may be in electrical, mechanical or other forms, and is used for information exchange between devices, units or modules.
- the processor 901 may cooperate with the memory 902.
- the processor 901 may execute program instructions stored in the memory 902. At least one of the at least one memory may be included in the processor.
- the communication device 900 may further include a communication interface 903 for communicating with other devices through a transmission medium, so that the device used in the communication device 900 can communicate with other devices.
- when the communication device is a network device, the other device is a terminal.
- when the communication device is a terminal, the other device is a network device.
- the communication device may also be an application server.
- the processor 901 uses the communication interface 903 to send and receive data, and is used to implement the method executed by the network device, terminal, or application server described in the embodiment corresponding to FIG. 4 and FIG. 5.
- connection medium between the aforementioned communication interface 903, the processor 901, and the memory 902 is not limited in the embodiment of the present application.
- the communication interface 903, the processor 901, and the memory 902 are connected by a bus 904 in FIG. 9.
- the bus is represented by a thick line in FIG. 9.
- the connection mode between other components is only for schematic illustration and is not limited.
- the bus can be divided into address bus, data bus, control bus, etc. For ease of representation, only one thick line is used in FIG. 9, but it does not mean that there is only one bus or one type of bus.
- the processor may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or perform the methods, steps, and logic block diagrams disclosed in the embodiments of the present application.
- the general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
- the memory may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or a volatile memory, for example a random-access memory (RAM).
- the memory is any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
- the memory in the embodiments of the present application may also be a circuit or any other device capable of realizing a storage function, for storing program instructions and/or data.
- the first verifiable identifier may also be a type identifier (typeID) of the first terminal, which is used to identify the type of the first terminal.
- the first verifiable identifier may also be a group identifier (groupID) of the first terminal, which is used to identify the group in which the first terminal is located.
- the first terminal may be assigned the type identifier of the first terminal or the group identifier of the first terminal.
- the group identification of the first terminal is an identification that distinguishes different departments in the enterprise.
- the group identifier of the first terminal is an identifier for distinguishing different levels of access to the application server.
- the application server can provide financial (such as banking, UnionPay, etc.) services and electronic game services.
- a user (such as an enterprise employee) can access the application server through a virtual private network (VPN) between a first network device (such as a network device 202 near the terminal 201) and a second network device (such as a network device 202 near the application server 203).
- the first data packet sent by the first terminal includes a source address, a destination address, a first verifiable identifier, a first verification code, and data.
- the source address is the address IP_IC of the first terminal.
- the destination address is the address IP_S of the application server.
- the first verifiable identifier is the group identifier of the first terminal or the type identifier of the first terminal.
- the first verifiable identifier used when the first terminal uses the hash algorithm to generate the first verification code is the group identifier of the first terminal or the type identifier of the first terminal.
- the first network device verifies the first verification code included in the first data packet. If the verification of the first verification code is successful, the first data packet is encapsulated to obtain a second data packet.
- the second data packet includes an outer header and an inner header.
- the source address contained in the outer packet header is the address IP_G1 of the first network device, and the destination address contained in the outer packet header is the address IP_G2 of the second network device.
- the source address contained in the inner packet header is the address IP_IC of the first terminal, and the destination address contained in the inner packet header is the address IP_S of the application server. If the verification of the first verification code fails, the first data packet is discarded.
- the specific method of verifying the first verification code reference may be made to the above-mentioned embodiment, which will not be repeated.
- the second network device may decide to forward or discard the first data packet according to the group identifier and the access authority of the first terminal, in order to further filter out traffic that does not match the authority.
- otherwise an attacker could attack the application server by connecting to the corporate network from inside the enterprise, bypassing the inspection applied to devices that access it illegally.
- This embodiment can be applied to an enterprise network or a campus network.
- the VPN gateway on the terminal side filters out data packets that carry a false terminal group identifier or a false type identifier, so that an internal intruder who connects to the VPN on the access side cannot get illegal data packets to the application server through the VPN tunnel.
- this ensures that the data packets arriving at the application server carry the real terminal type identifier or terminal group identifier, and illegal data packets are filtered out.
- a user can access the application server through a VPN between a first terminal (such as a terminal 201) and a network device (such as a network device 202 close to the terminal 201).
- the first data packet sent by the first terminal includes an outer header and an inner header.
- the source address contained in the outer packet header is the address IP_OC of the first terminal, and the destination address contained in the outer packet header is the address IP_G1 of the first network device.
- the outer packet header also includes a first verifiable identifier and a first verification code.
- the source address contained in the inner packet header is the address IP_IC of the first terminal, and the destination address contained in the inner packet header is the address IP_S of the application server.
- after receiving the first data packet, the network device verifies the first verification code. If the verification of the first verification code is successful, the outer header of the first data packet is stripped to obtain the second data packet, and the second data packet is forwarded. If the verification of the first verification code fails, the first data packet is discarded.
- the specific method of verifying the first verification code reference may be made to the above-mentioned embodiment, which will not be repeated.
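The two VPN embodiments above (gateway-to-gateway, where the first network device verifies the terminal's packet and encapsulates it with an outer header; and terminal-to-gateway, where the identifier and code ride in the outer header that the network device strips after verification), plus the second network device's group-authority filter, as one worked example. This is added example code, not the patent's or its applicant's: the HMAC-SHA256 verification code truncated to 8 bytes, the `Header`/`Packet`/`AccessGateway`/`ServerGateway` names, the group keys, the authority table and all addresses (documentation ranges standing in for IP_IC, IP_OC, IP_G1, IP_G2 and IP_S) are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def verification_code(key: bytes, verifiable_id: bytes, dynamic: bytes) -> bytes:
    # HMAC-SHA256 truncated to 8 bytes: this example's instantiation of the
    # patent's "hash algorithm", not a choice the patent makes.
    return hmac.new(key, verifiable_id + b"|" + dynamic, hashlib.sha256).digest()[:8]


@dataclass(frozen=True)
class Header:
    src: str                               # source address
    dst: str                               # destination address
    verifiable_id: Optional[bytes] = None  # group or type identifier of the terminal
    code: Optional[bytes] = None           # first verification code


@dataclass(frozen=True)
class Packet:
    outer: Header
    inner: Optional[Header] = None         # present only when encapsulated
    payload: bytes = b""


# Constructed addresses (documentation ranges), standing in for the IP_* names in the text.
IP_IC, IP_OC = "10.0.0.7", "203.0.113.7"
IP_G1, IP_G2, IP_S = "198.51.100.1", "198.51.100.2", "10.1.0.5"


class AccessGateway:
    """First network device: the VPN gateway on the terminal side."""

    def __init__(self, own: str, peer: str, group_keys: dict):
        self.own, self.peer = own, peer
        self.group_keys = group_keys       # verifiable identifier -> key (Table 4 analogue)

    def _verify(self, hdr: Header, dynamic: bytes) -> bool:
        key = self.group_keys.get(hdr.verifiable_id)
        if key is None or hdr.code is None:
            return False                   # unknown (false) group or type identifier
        return hmac.compare_digest(verification_code(key, hdr.verifiable_id, dynamic), hdr.code)

    def encapsulate(self, pkt: Packet, dynamic: bytes) -> Optional[Packet]:
        """Gateway-to-gateway VPN: verify the terminal's packet, then add an outer header."""
        if not self._verify(pkt.outer, dynamic):
            return None                    # verification failed: discard
        return Packet(outer=Header(self.own, self.peer), inner=pkt.outer, payload=pkt.payload)

    def decapsulate(self, pkt: Packet, dynamic: bytes) -> Optional[Packet]:
        """Terminal-to-gateway VPN: identifier and code sit in the outer header; strip it."""
        if pkt.inner is None or not self._verify(pkt.outer, dynamic):
            return None
        return Packet(outer=pkt.inner, payload=pkt.payload)


class ServerGateway:
    """Second network device: the VPN gateway on the server side, filtering by authority."""

    def __init__(self, authority: dict):
        self.authority = authority         # group identifier -> servers it may reach

    def forward(self, pkt: Packet) -> Optional[Packet]:
        inner = pkt.inner
        if inner is None or inner.dst not in self.authority.get(inner.verifiable_id, set()):
            return None                    # group lacks authority for this server: discard
        return pkt


def demo() -> dict:
    """Constructed scenario covering both embodiments and the authority filter."""
    keys = {b"group-finance": b"constructed-key-finance", b"group-games": b"constructed-key-games"}
    g1 = AccessGateway(IP_G1, IP_G2, keys)
    g2 = ServerGateway({b"group-finance": {IP_S}})
    slot = b"slot-7"                       # dynamic parameter shared by both sides

    def first_packet(group: bytes, key: bytes) -> Packet:
        return Packet(Header(IP_IC, IP_S, group, verification_code(key, group, slot)), payload=b"req")

    ok = g1.encapsulate(first_packet(b"group-finance", keys[b"group-finance"]), slot)
    forged = g1.encapsulate(first_packet(b"group-finance", b"guessed-key"), slot)
    other = g1.encapsulate(first_packet(b"group-games", keys[b"group-games"]), slot)
    tunnelled = Packet(Header(IP_OC, IP_G1, b"group-finance",
                              verification_code(keys[b"group-finance"], b"group-finance", slot)),
                       inner=Header(IP_IC, IP_S), payload=b"req")
    stripped = g1.decapsulate(tunnelled, slot)
    return {
        "encapsulated": (ok.outer.src, ok.outer.dst, ok.inner.src, ok.inner.dst) if ok else None,
        "forged_dropped": forged is None,
        "finance_forwarded": g2.forward(ok) is not None,
        "games_forwarded": g2.forward(other) is not None,
        "stripped": (stripped.outer.src, stripped.outer.dst, stripped.inner) if stripped else None,
    }
```

The server-side gateway checks the inner header's group identifier against its authority table only after the access-side gateway has verified the code, so a packet with a valid but differently privileged group identifier is dropped at the second hop rather than reaching the server.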
- the disclosed device and method may be implemented in other ways.
- the device embodiments described above are merely illustrative.
- the division of the modules or units is only a logical function division.
- there may be other division methods; for example, multiple units or components may be combined or integrated into another device, or some features may be omitted or not implemented.
- the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
- the units described as separate parts may or may not be physically separate.
- the parts displayed as units may be one physical unit or multiple physical units, that is, they may be located in one place or distributed to multiple different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
- each unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
- the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
- the methods provided in the embodiments of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
- when implemented by software, the methods can be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions.
- the computer may be a general-purpose computer, a special-purpose computer, a computer network, a network device, a terminal, or other programmable devices.
- the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center.
- the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or data center integrated with one or more available media.
- the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a digital video disc (digital video disc, DVD)), or a semiconductor medium (for example, SSD).
Abstract
A data processing method and apparatus are disclosed, relating to the field of communications, and solving the problem of how to quickly distinguish legitimate traffic from illegitimate traffic when defending against DDoS attacks. The method includes: allocating a verifiable identifier and a key corresponding to the verifiable identifier to a terminal that accesses a service supported by an application server; the terminal carries the verifiable identifier and a verification code in the data packet it sends, so that a network device can identify legitimate data packets and illegitimate data packets according to the verifiable identifier and the verification code, and forward the legitimate data packets.
Description
This application claims priority to Chinese patent application No. 201910766203.4, filed with the China National Intellectual Property Administration on August 19, 2019 and entitled "Data Processing Method and Apparatus", the entire contents of which are incorporated herein by reference.
This application relates to the field of communications, and in particular to a data processing method and apparatus.
At present, distributed denial of service (DDoS) attacks remain a major factor that undermines network availability and causes network security problems. In conventional technology, black-hole routing or traffic scrubbing is usually used to defend against DDoS attacks. However, a network device using the black-hole technique directs both illegitimate and legitimate traffic into the black hole and cannot distinguish between them. A network device using traffic scrubbing can distinguish legitimate traffic from illegitimate traffic, but the delay in doing so is long. Therefore, how to quickly distinguish legitimate traffic from illegitimate traffic while defending against DDoS attacks is a problem that urgently needs to be solved.
Summary
This application provides a data processing method and apparatus, solving the problem of how to quickly distinguish legitimate traffic from illegitimate traffic when defending against DDoS attacks.
To achieve the above objective, this application adopts the following technical solutions:
In a first aspect, this application provides a data processing method. The method may be applied to a terminal, or to a communication apparatus that can support the terminal in implementing the method, for example a communication apparatus including a chip system. The method includes: receiving a first verifiable identifier and a first key; generating a first verification code according to the first verifiable identifier and the first key; and, when sending a first data packet, including the first verifiable identifier and the first verification code in the first data packet.
In the data processing method provided by the embodiments of this application, a verifiable identifier and a key corresponding to the verifiable identifier are allocated to a terminal that accesses a service supported by a target device, and the terminal carries the verifiable identifier and a verification code in the data packet it sends, so that a network device can identify legitimate and illegitimate data packets according to the verifiable identifier and the verification code, and only legitimate data packets are forwarded. Compared with the black-hole technique, the data processing method provided by the embodiments of this application can ensure that legitimate traffic (traffic sent by registered terminals) is forwarded while the network device filters most of the DDoS attack traffic. Compared with traffic scrubbing, the data processing method provided by the embodiments of this application can reduce the delay in processing legitimate traffic caused by deep protocol parsing.
In a possible implementation, generating the first verification code according to the first verifiable identifier and the first key includes: generating the first verification code according to the first verifiable identifier and the first key together with at least one of a first location locator, a second location locator and a dynamic parameter, where the first location locator indicates the target device, the second location locator indicates the first terminal, and the dynamic parameter varies over time. Increasing the complexity of the first verification code in this way raises its security level and avoids leakage of the first verification code.
In some embodiments, a static identifier of the target device may be obtained; the static identifier of the target device includes the first location locator, which facilitates generation of the first verification code by the first terminal.
In another possible implementation, the first verifiable identifier and the first verification code are set in a network layer protocol header or a transport layer protocol header included in the first data packet.
In some embodiments, the first verifiable identifier and the first verification code are set in an Internet Protocol (IP) address field of the network layer protocol header included in the first data packet. For example, the first verifiable identifier and the first verification code are set in the destination IP address field of the network layer protocol header included in the first data packet. As another example, they are set in the source IP address field of the network layer protocol header included in the first data packet. Since the first verifiable identifier can be embedded in the IP address, the network device can filter directly at the network layer, reducing the cost of defending against DDoS attacks without relying on cross-domain cooperation.
It should be noted that the destination IP address may be the destination IP address in an IPv6 datagram, and the source IP address may be the source IP address in an IPv6 datagram. The destination IP address may also be the destination IP address in an IPv4 datagram, and the source IP address may be the source IP address in an IPv4 datagram.
In other embodiments, the first verifiable identifier and the first verification code are set in the next header field of the network layer protocol header included in the first data packet. Since the first verifiable identifier can be embedded in the next header field, the network device can filter directly at the network layer, reducing the cost of defending against DDoS attacks without relying on cross-domain cooperation.
In other embodiments, the first verifiable identifier and the first verification code are set in an optional field of the network layer protocol header included in the first data packet.
In other embodiments, the first verifiable identifier and the first verification code are set in the options field of a Transmission Control Protocol (TCP) header included in the first data packet. Since the first verifiable identifier can be embedded in the TCP header, the network device can filter directly at the transport layer, reducing the cost of defending against DDoS attacks without relying on cross-domain cooperation.
第二方面,本申请提供了一种数据处理方法,该方法可应用于网络设备,或者该方法可应用于可以支持网络设备实现该方法的通信装置,例如该通信装置包括芯片系统,方法包括:在接收到第一数据包后,获取第一数据包包括的第一可验证标识和第一验证码、以及获取第一可验证标识对应的第一密钥;并根据第一可验证标识和第一密钥生成第二验证码;判断第二验证码和第一验证码是否相同,当第二验证码和第一验证码相同时,确定第一数据包合法;当第二验证码和第一验证码不相同时,确定第一数据包不合法。
本申请实施例提供的数据处理方法,通过为访问目标设备支持运行的服务的终端分配可验证标识和该可验证标识对应的密钥,终端在发送的数据包中携带可验证标识和验证码,使得网络设备可以根据可验证标识和验证码对合法数据包和非法数据包进行识别,只有合法数据包才会被转发。相对于黑洞技术,本申请实施例提供的数据处理方法能够确保合法流量(已注册终端发送的流量)被转发,网络设备过滤大部分的DDoS攻击流量。相对于流量清洗技术,本申请实施例提供的数据处理方法能够降低深层协议解析带来的处理合法流量的延迟。
在一种可能的实现方式中,方法还包括:若确定第一数据包合法,向目标设备转发第一数据包。从而,使合法的数据包到达目标设备。
在另一种可能的实现方式中,获取第一可验证标识对应的第一密钥,包括:根据第一可验证标识和第二密钥生成第一密钥,第二密钥为对应第一服务的密钥,第二密 钥用于衍生可访问第一服务的已注册终端的密钥。
具体的,可以通过以下方式获取第二密钥。
在一些实施例中,根据第一位置定位符获取第二密钥,第一数据包还包括第一位置定位符,第一位置定位符用于指示目标设备。
在另一些实施例中,根据第一位置定位符获取第三密钥,根据第三密钥和第一服务标识生成第二密钥,或者,根据第三密钥和第一位置定位符生成第二密钥,其中,第三密钥用于衍生对应服务的根密钥,第一数据包还包括第一位置定位符和第一服务标识,第一位置定位符用于指示目标设备,第一服务标识用于指示在目标设备上运行的第一服务。由于所有的服务共享相同的根密钥,从而,网络设备需要维护的映射表比较小,不需要为每一个服务维护一个对应关系条目,同时,降低了网络设备的查询开销。
在另一种可能的实现方式中,根据第一可验证标识和第一密钥生成第二验证码,包括:根据第一可验证标识和第一密钥、以及第一位置定位符、第二位置定位符和动态参数中至少一个生成第二验证码,第一数据包还包括第一位置定位符和第二位置定位符,第一位置定位符用于指示目标设备,第二位置定位符用于指示第一终端,动态参数是随时间可变的。从而,通过增加第一验证码的复杂度,提升第一验证码的安全级别,避免泄漏第一验证码。
在另一种可能的实现方式中,在接收第一数据包之前,方法还包括:接收过滤请求,过滤请求包括第一位置定位符、第一服务标识和第二密钥。从而,使网络设备可以对接收到的数据包进行验证,过滤非法数据包括,防御DDoS攻击。
在另一种可能的实现方式中,方法还包括:确定对应第一可验证标识的流量大于或等于阈值,限制第一可验证标识的流量。从而,阻止大量的数据包发送至目标设备,防御DDoS攻击。
第三方面,本申请提供了一种密钥分发方法,该方法可应用于目标设备,或者该方法可应用于可以支持目标设备实现该方法的通信装置,例如该通信装置包括芯片系统,方法包括:获取第一可验证标识和第二密钥;根据第一可验证标识和第二密钥生成第一密钥;向第一终端发送第一可验证标识和第一密钥。
本申请实施例提供的密钥分发方法,通过为访问目标设备支持运行的服务的终端分配可验证标识和该可验证标识对应的密钥,终端在发送的数据包中携带可验证标识和验证码,使得网络设备可以根据可验证标识和验证码对合法数据包和非法数据包进行识别,只有合法数据包才会被转发。相对于黑洞技术,本申请实施例提供的密钥分发方法能够确保合法流量(已注册终端发送的流量)被转发,网络设备过滤大部分的DDoS攻击流量。相对于流量清洗技术,本申请实施例提供的密钥分发方法能够降低深层协议解析带来的处理合法流量的延迟。
在一种可能的实现方式中,获取第一可验证标识包括:获取第一服务标识,根据第一服务标识和第一终端标识生成第一可验证标识,其中,第一服务标识用于指示在目标设备上运行的第一服务;第一终端标识用于指示第一终端。
在另一种可能的实现方式中,获取第一可验证标识包括:根据第一终端标识生成第一可验证标识,第一终端标识用于指示第一终端。
在另一种可能的实现方式中,在获取第一可验证标识和第一密钥之前,方法还包括:接收到第一终端发送的注册请求后,为第一终端分配第一终端标识。
第四方面,本申请还提供了一种通信装置,用于实现上述第一方面描述的方法。通信装置为终端或支持终端实现该第一方面描述的方法的通信装置,例如该通信装置包括芯片系统。例如,该通信装置包括:接收单元、处理单元和发送单元。所述接收单元,用于接收第一可验证标识和第一密钥;所述处理单元,用于根据第一可验证标识和第一密钥生成第一验证码;所述发送单元,用于发送第一数据包,第一数据包包括第一可验证标识和第一验证码。
可选地,根据第一可验证标识和第一密钥生成第一验证码的方法同第一方面中相应的描述,这里不再赘述。
第五方面,本申请还提供了一种通信装置,用于实现上述第二方面描述的方法。通信装置为网络设备或支持网络设备实现该第二方面描述的方法的通信装置,例如该通信装置包括芯片系统。例如,通信装置包括:接收单元和处理单元。所述接收单元,用于接收第一数据包,第一数据包包括第一可验证标识和第一验证码;所述处理单元,用于获取第一可验证标识对应的第一密钥;所述处理单元,还用于根据第一可验证标识和第一密钥生成第二验证码;所述处理单元,还用于当第二验证码和第一验证码相同时,确定第一数据包合法;所述处理单元,还用于当第二验证码和第一验证码不相同时,确定第一数据包不合法。
可选地,通信装置还可以包括发送单元,用于若网络设备确定第一数据包合法,向目标设备转发第一数据包。
可选地,生成第二验证码的方法同第二方面中相应的描述,这里不再赘述。
第六方面,本申请还提供了一种通信装置,用于实现上述第三方面描述的方法。通信装置为目标设备或支持目标设备实现该第三方面描述的方法的通信装置,例如该通信装置包括芯片系统。例如,通信装置包括:处理单元和发送单元。所述处理单元,用于获取第一可验证标识和第二密钥;所述处理单元,还用于根据第一可验证标识和第二密钥生成第一密钥;所述发送单元,用于向第一终端发送第一可验证标识和第一密钥。
可选地,通信装置还可以包括接收单元,用于获取第一服务标识和注册请求,第一服务标识用于指示在目标设备上运行的第一服务。所述处理单元,用于为第一终端分配第一终端标识,第一终端标识用于指示第一终端。使得处理单元根据第一服务标识和第一终端标识生成第一可验证标识,或者,处理单元根据第一终端标识生成第一可验证标识。
需要说明的是,上述第四方面至第六方面的功能模块可以通过硬件实现,也可以通过硬件执行相应的软件实现。硬件或软件包括一个或多个与上述功能相对应的模块。例如,收发器,用于完成接收单元和发送单元的功能,处理器,用于完成处理单元的功能,存储器,用于处理器处理本申请的方法的程序指令。处理器、收发器和存储器通过总线连接并完成相互间的通信。具体的,可以参考第一方面所述的方法至第三方面所述的方法中的终端、网络设备和目标设备的行为的功能。
第七方面,本申请还提供了一种通信装置,用于实现上述第一方面描述的方法。 所述通信装置为终端或支持终端实现该第一方面描述的方法的通信装置,例如该通信装置包括芯片系统。例如所述通信装置包括处理器,用于实现上述第一方面描述的方法的功能。所述通信装置还可以包括存储器,用于存储程序指令和数据。所述存储器与所述处理器耦合,所述处理器可以调用并执行所述存储器中存储的程序指令,用于实现上述第一方面描述的方法中的功能。所述通信装置还可以包括通信接口,所述通信接口用于该通信装置与其它设备进行通信。示例性地,若所述通信装置为终端,该其它设备为网络设备。
在一种可能的设备中,该通信装置包括:收发器和处理器。所述收发器,用于接收第一可验证标识和第一密钥;处理器,用于根据第一可验证标识和第一密钥生成第一验证码;所述收发器,还用于发送第一数据包,第一数据包包括第一可验证标识和第一验证码。
可选地,根据第一可验证标识和第一密钥生成第一验证码的方法同第一方面中相应的描述,这里不再赘述。
第八方面,本申请还提供了一种通信装置,用于实现上述第二方面描述的方法。所述通信装置为网络设备或支持网络设备实现该第二方面描述的方法的通信装置,例如该通信装置包括芯片系统。例如所述通信装置包括处理器,用于实现上述第二方面描述的方法的功能。所述通信装置还可以包括存储器,用于存储程序指令和数据。所述存储器与所述处理器耦合,所述处理器可以调用并执行所述存储器中存储的程序指令,用于实现上述第二方面描述的方法中的功能。所述通信装置还可以包括通信接口,所述通信接口用于该通信装置与其它设备进行通信。示例性地,若所述通信装置为网络设备,该其它设备为终端。
在一种可能的设备中,该通信装置包括:收发器和处理器。所述收发器,用于接收第一数据包,第一数据包包括第一可验证标识和第一验证码;所述处理器,用于获取第一可验证标识对应的第一密钥;所述处理器,还用于根据第一可验证标识和第一密钥生成第二验证码;所述处理器,还用于当第二验证码和第一验证码相同时,确定第一数据包合法;所述处理器,还用于当第二验证码和第一验证码不相同时,确定第一数据包不合法。
可选地,收发器,还用于若网络设备确定第一数据包合法,向目标设备转发第一数据包。
可选地,生成第二验证码的方法同第二方面中相应的描述,这里不再赘述。
第九方面,本申请还提供了一种通信装置,用于实现上述第三方面描述的方法。所述通信装置为目标设备或支持目标设备实现该第三方面描述的方法的通信装置,例如该通信装置包括芯片系统。例如所述通信装置包括处理器,用于实现上述第三方面描述的方法的功能。所述通信装置还可以包括存储器,用于存储程序指令和数据。所述存储器与所述处理器耦合,所述处理器可以调用并执行所述存储器中存储的程序指令,用于实现上述第三方面描述的方法中的功能。所述通信装置还可以包括通信接口,所述通信接口用于该通信装置与其它设备进行通信。示例性地,若所述通信装置为目标设备,该其它设备为终端。
在一种可能的设备中,该通信装置包括:收发器和处理器。所述处理器,用于获 取第一可验证标识和第二密钥;所述处理器,还用于根据第一可验证标识和第二密钥生成第一密钥;所述收发器,用于向第一终端发送第一可验证标识和第一密钥。
可选地,收发器还用于获取第一服务标识和注册请求,第一服务标识用于指示在目标设备上运行的第一服务。所述处理器,用于为第一终端分配第一终端标识,第一终端标识用于指示第一终端。使得处理器根据第一服务标识和第一终端标识生成第一可验证标识,或者,处理器根据第一终端标识生成第一可验证标识。具体的方法同第三方面中相应的描述,这里不再赘述。
第十方面,本申请还提供了一种计算机可读存储介质,包括:计算机软件指令;当计算机软件指令在通信装置中运行时,使得通信装置执行上述第一方面至第三方面中任一方面所述的方法。
第十一方面,本申请还提供了一种包含指令的计算机程序产品,当计算机程序产品在通信装置中运行时,使得通信装置执行上述第一方面至第三方面中任一方面所述的方法。
第十二方面,本申请提供了一种芯片系统,该芯片系统包括处理器,还可以包括存储器,用于实现上述方法中网络设备、终端或目标设备的功能。该芯片系统可以由芯片构成,也可以包含芯片和其他分立器件。
第十三方面,本申请还提供了一种通信系统,所述通信系统包括第四方面描述的终端或支持终端实现该第一方面描述的方法的通信装置,以及第五方面描述的网络设备或支持网络设备实现该第二方面描述的方法的通信装置,以及第六方面描述的目标设备或支持目标设备实现该第三方面描述的方法的通信装置;
所述通信系统包括第七方面描述的终端或支持终端实现该第一方面描述的方法的通信装置,以及第八方面描述的网络设备或支持网络设备实现该第二方面描述的方法的通信装置,以及第九方面描述的目标设备或支持目标设备实现该第三方面描述的方法的通信装置。
另外,上述任意方面的设计方式所带来的技术效果可参见第一方面至第三方面中不同设计方式所带来的技术效果,此处不再赘述。
本申请中,终端、网络设备、目标设备和通信装置的名字对设备本身不构成限定,在实际实现中,这些设备可以以其他名称出现。只要各个设备的功能和本申请类似,属于本申请权利要求及其等同技术的范围之内。
Figure 1 is an example diagram of a DDoS attack in the prior art;
Figure 2 is an example architecture diagram of a communication system provided by this application;
Figure 3 is an example diagram of key derivation provided by this application;
Figure 4 is a flowchart of a data processing method provided by this application;
Figure 5 is a flowchart of another data processing method provided by this application;
Figure 6 is an example structure diagram of an IPv6 datagram provided by this application;
Figure 7 is an example structure diagram of a TCP datagram provided by this application;
Figure 8 is an example composition diagram of a communications apparatus provided by this application;
Figure 9 is an example composition diagram of another communications apparatus provided by this application;
Figure 10 is a schematic diagram of a communication scenario provided by this application;
Figure 11 is a schematic diagram of a communication scenario provided by this application.
In the specification, claims and drawings of this application, the terms "first", "second", "third" and so on are used to distinguish different objects, not to define a particular order.
In the embodiments of this application, words such as "exemplary" or "for example" denote an example, instance or illustration. Any embodiment or design described as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs; rather, such words are used to present the relevant concept in a concrete way.
For clarity and brevity in the description of the embodiments below, a brief introduction to the related technology is given first:
A DDoS attack is one in which multiple attacker devices at different locations attack one or more target devices at the same time, or in which one attacker device controls many devices at different locations and uses them to attack the target device simultaneously. For example, as shown in Figure 1(a), the attacker device sends the target device a large number of packets carrying forged IP addresses, forcing the target device to maintain many half-open connections or respond to many unreachable packets, which exhausts its resources. As another example, as shown in Figure 1(b), the attacker device controls a large number of zombie devices and has them send a large number of packets to the target device, exhausting its resources.
This application provides a data processing method: a first terminal receives a first authenticated identifier and a first key sent by the target device, generates a first verification code based on the first authenticated identifier and the first key, and, when sending a first data packet to the target device, includes the first authenticated identifier and the first verification code in the first data packet. The first key is derived from a second key, which is the key corresponding to a first service run on the target device. After a network device receives the first data packet sent by the first terminal, it obtains the first key corresponding to the first authenticated identifier, generates a second verification code based on the first authenticated identifier and the first key, and, when the second verification code and the first verification code are the same, determines that the first data packet is legitimate and forwards it to the target device.
In the data processing method provided by the embodiments of this application, a terminal that accesses a service run on the target device is allocated an authenticated identifier and a key corresponding to that identifier, and the terminal carries the authenticated identifier and a verification code in the data packets it sends. A network device can therefore distinguish legitimate packets from illegitimate packets on the basis of the authenticated identifier and the verification code, and only legitimate packets are forwarded. Compared with black-holing, the method ensures that legitimate traffic (traffic sent by registered terminals) is forwarded while the network device filters most of the DDoS attack traffic. Compared with traffic scrubbing, the method reduces the delay in handling legitimate traffic that deep protocol parsing introduces. In addition, because the authenticated identifier can be embedded in the target device's IP address, the network device can filter directly at the network layer, which lowers the cost of DDoS defence and does not depend on cross-domain cooperation.
Note that the target device can be understood as the protected device, that is, the device an attacker wants to attack. In the embodiments of this application the target device may be an application server, a router, a device in the Internet of Things (IoT) or the like; this application does not limit it. For example, an IoT device may be a fire alarm: if a fire alarm is attacked so that it cannot sense a fire and raise the alarm, it cannot send alarm messages, which is a serious safety threat. In the following, the target device is an application server by way of example.
The implementation of the embodiments of this application is described in detail below with reference to the drawings.
Figure 2 shows an example architecture of a communication system to which the embodiments of this application can be applied. As shown in Figure 2, the communication system includes at least one terminal 201, an Internet Service Provider (ISP) network and a data centre. An ISP is a telecommunications operator that provides Internet access, information and value-added services to the public. The ISP network may include network devices 202 (such as border routers and switches). The data centre may include at least one application server 203. Multiple application servers may be separate physical devices, or the functions of multiple application servers may be integrated in one physical device (for example, multiple application servers within a cloud provider's domain), or one physical device may integrate part of the functions of an application server. Each application server may run one or more services (for example, a game service); a service may also be called an application. Each service may be deployed on, and run by, multiple application servers. Terminal 201 connects to network device 202 wirelessly or by wire; network devices 202 are interconnected wirelessly or by wire; network device 202 connects to application server 203 wirelessly or by wire. A terminal device may be fixed or mobile. Figure 2 is only a schematic; the communication system may include other devices not drawn in Figure 2, such as wireless relay devices and wireless backhaul devices. The embodiments of this application do not limit the number of terminals, network devices or application servers in the communication system.
Terminal 201 may be a wireless terminal device capable of receiving scheduling and indication information from a base station. A wireless terminal device may be a device that provides voice and/or data connectivity to a user, a handheld device with a wireless connection function, or another processing device connected to a wireless modem. A wireless terminal device may communicate with one or more core networks or with the Internet over a radio access network (RAN). It may be a mobile terminal device such as a mobile phone (or "cellular" phone), a computer or a data card, for example a portable, pocket-sized, handheld, computer-built-in or vehicle-mounted mobile apparatus that exchanges voice and/or data with the radio access network; examples are a personal communication service (PCS) phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a tablet (Pad) and a computer with wireless transceiver functions. A wireless terminal device may also be called a system, subscriber unit, subscriber station, mobile station (MS), remote station, access point (AP), remote terminal, access terminal, user terminal, user agent, subscriber station (SS), customer premises equipment (CPE), terminal, user equipment (UE), mobile terminal (MT) and so on. For URLLC application scenarios, the terminal device may be a wireless terminal in industrial control, self driving, remote medical surgery, smart grid, transportation safety, smart city, smart home and so on.
Application server 203 obtains an authenticated identifier (AID) and the key corresponding to a service, generates the key corresponding to the AID from the AID and the service's key, and sends the AID and the AID's key to terminal 201. The AID identifies a terminal that accesses the service; it may also be understood as identifying a class of terminals that access the service.
Terminal 201 receives the AID and the AID's key sent by application server 203, generates a verification code from the AID and the AID's key, and carries the AID and the verification code in the data packets it sends.
Network device 202 receives the data packets sent by terminal 201, obtains the key corresponding to the AID, determines from the verification code, the AID and the AID's key that a packet is legitimate, and forwards the packet to the application server.
In some embodiments, the ISP network may further include a control centre server 204, which is connected to network device 202 wirelessly or by wire. Control centre server 204 receives filter requests sent by application server 203; a filter request may include the locator of application server 203, the identifier of a service run on application server 203 and the key corresponding to that service. Control centre server 204 passes the filter request, the AIDs and the related keys down to network device 202, so that network device 202 filters on the basis of AID and verification code.
The data centre may further include a monitor 205, a key management centre 206 and a locator allocation centre 207. Monitor 205 monitors whether the application servers in the data centre are under DDoS attack; in some embodiments, when an application server is under DDoS attack, monitor 205 may send a filter request to network device 202. Locator allocation centre 207 allocates locators to application servers. A locator indicates an application server; in some embodiments it is the application server's location identifier, and in others its routing identifier. Key management centre 206 allocates service identifiers, and the keys corresponding to those service identifiers, to application servers.
In some embodiments, the key management centre in the data centre maintains a service key relationship for each service run on the application servers. A service key relationship is the correspondence between a service identifier (SID) and the master key (MK) corresponding to that service identifier. Service key relationships may be presented as a table; the key management centre may store a service key relationship table with at least one service key relationship. Table 1 shows an example.
Table 1 Service key relationships
Service name | Service identifier | Master key |
Service 1 | SID1 | MK1 |
Service 2 | SID2 | MK2 |
Service 3 | SID3 | MK3 |
Note that Table 1 only illustrates, in tabular form, how service key relationships are stored in the key management centre; it does not limit the storage form, which may be any other form, and the embodiments of this application do not limit it.
Application server 203 can call a first unified software development kit (SDK) interface to obtain a service identifier and the master key corresponding to it from the key management centre. Using the service identifier and its master key, the application server can call a second unified SDK interface to generate, for each registered terminal, that terminal's AID within the service and a client key (CK); the client key is the key corresponding to the AID. The master key is used to derive the keys of the registered terminals that may access the service. For example, as shown in Figure 3, the application servers in the data centre run n services. The master key of the first service is MK1, from which application server 203 can derive the keys of m registered terminals that may access the first service. The master key of the second service is MK2, from which application server 203 can derive the keys of p registered terminals that may access the second service. The master key of the third service is MK3, from which application server 203 can derive the keys of q registered terminals that may access the third service.
The data processing method provided by this application is now described in detail. Figure 4 is a flowchart of a data processing method provided by an embodiment of this application, using a first terminal that accesses a first service run on an application server as an example. As shown in Figure 4, the method may include:
S401. The application server obtains a first authenticated identifier and a first key.
In this embodiment, the key management centre stores the service key relationship of the first service, that is, the correspondence between a first service identifier and the first key. The first service identifier indicates the first service running on the application server. The first key is the key corresponding to the first service and is used to derive the keys of the registered terminals that may access the first service; the first key may be the MK. The application server can call the first unified SDK interface to send the key management centre a request message for the service key relationship of the first service, and receives the first service identifier and the first key returned by the key management centre.
The first service identifier can be used by the application server to generate the first AID. The first AID identifies the first terminal that accesses the first service, where the first terminal is a terminal that is registered with the application server and may access the first service. Alternatively, the first AID can be understood as identifying a class of terminals that access the first service.
In some embodiments, after creating the first service the application server can obtain the service key relationship of the first service from the key management centre and cache the first service identifier and the first key. After the first terminal completes registration, the application server calls the second unified SDK interface to generate the first AID for the registered first terminal from the first service identifier and a first terminal identifier, or from the first terminal identifier alone.
In other embodiments, the application server obtains the service key relationship of the first service from the key management centre after the first terminal completes registration, and then calls the second unified SDK interface to generate the first AID for the registered first terminal from the first service identifier and the first terminal identifier, or from the first terminal identifier alone.
For example, as shown in Figure 5, the application server may obtain the first AID as described in S4011 to S4015, or as described in S4011 to S4014 and S4016.
S4011. The first terminal sends a registration request to the application server.
S4012. The application server receives the registration request sent by the first terminal.
In some embodiments, the registration request may include the first service identifier and requests that the application server authorise the first terminal to access the first service.
S4013. The application server allocates a first terminal identifier (client identifier, CID) to the first terminal.
After receiving the registration request sent by the first terminal, the application server allocates the first terminal identifier to the first terminal; the first terminal identifier indicates the first terminal.
S4014. The application server obtains the first service identifier and the first key.
The application server can call the first unified SDK interface to obtain the first service identifier and the first key from the key management centre, as described above.
S4015. The application server generates the first AID from the first service identifier and the first terminal identifier.
In some embodiments, the application server uses a hash algorithm to generate the first AID from the first service identifier and the first terminal identifier. A hash algorithm, also called a hash function, is a function that maps an input message string of arbitrary length to an output string of fixed length.
S4016. The application server generates the first AID from the first terminal identifier.
In some embodiments, the application server uses a hash algorithm to generate the first AID from the first terminal identifier.
Note that because the AID is the unique identifier of the first terminal accessing the first service, the application server must take into account the AIDs already allocated to other terminals when generating the first AID, to avoid the confusion caused by allocating the same AID to different terminals.
Note that the order of the steps of the data processing method provided by the embodiments of this application may be adjusted as appropriate, and steps may be added or removed as the situation requires. For example, the order of S4016 and S4014 may be swapped, that is, the first AID may be generated from the first terminal identifier before the first key is obtained. Any variation that a person skilled in the art can readily conceive within the technical scope disclosed in this application falls within its scope of protection and is not described further.
The first key can be used by the application server to generate a second key. The second key is the key corresponding to the first terminal and may be the CK.
In some embodiments, after creating the first service the application server can obtain the service key relationship of the first service from the key management centre and cache the first service identifier and the first key. After the first terminal completes registration, the application server calls the SDK interface to generate the second key for the registered first terminal from the first key.
In other embodiments, the application server obtains the service key relationship of the first service from the key management centre after the first terminal completes registration, and then calls the second unified SDK interface to generate the second key for the registered first terminal from the first key.
S402. The application server generates the second key from the first AID and the first key.
In some embodiments, the application server uses a hash algorithm to generate the second key from the first AID and the first key.
S403. The application server sends the first AID and the second key to the first terminal.
In some embodiments, the application server sends the first AID and the second key to the first terminal under an application-layer security protocol, which prevents the first AID and the second key from being leaked.
S404. The first terminal receives the first AID and the second key.
In some embodiments, the first terminal caches the first AID and the second key on receipt, so that when it needs to send a first data packet it can include the first AID and the first verification code in the packet.
S405. The first terminal generates a first verification code from the first AID and the second key.
In some embodiments, the first terminal uses a hash algorithm to generate the first verification code from the first AID and the second key together with at least one of a first locator, a second locator and a dynamic parameter.
For example, the first terminal may use a hash algorithm to generate the first verification code from the first AID, the second key and the first locator.
As another example, the first terminal may use a hash algorithm to generate the first verification code from the first AID, the second key, the first locator and the dynamic parameter.
As another example, the first terminal may use a hash algorithm to generate the first verification code from the first AID, the second key, the first locator and the second locator.
As another example, the first terminal may use a hash algorithm to generate the first verification code from the first AID and the second key together with the first locator, the second locator and the dynamic parameter.
Because the first verification code is bound to the source IP and the destination IP, replay attacks are mitigated and zombie hosts cannot forge source IPs at will.
The first locator indicates the application server that runs the first service. In some embodiments the first locator is the location identifier of that application server; in others it is its routing identifier. For example, the locator allocation centre may allocate one locator to each application server in the data centre. The first terminal can query a domain name resolution (DNS) server to obtain the static identifier of the application server, and use that static identifier to access the first service run on the application server. The static identifier of the application server includes the first locator and, in some embodiments, also the first service identifier.
The second locator indicates the first terminal. In some embodiments the second locator is the first terminal's location identifier; in others it is the first terminal's IP address.
The dynamic parameter varies with time; in some embodiments it is time information.
S406. The first terminal sends a first data packet that includes the first AID and the first verification code.
The first AID and the first verification code may be placed in the network-layer protocol header or the transport-layer protocol header of the first data packet.
In a first implementation, the first AID and the first verification code may be placed in the destination IP address of the first data packet, for example the destination IP address of an IPv6 datagram.
Figure 6 shows an example structure of an IPv6 datagram. An IPv6 datagram includes a base header, N extension headers and a data part; the N extension headers and the data part may be called the payload. The base header includes the version, traffic class, flow label, payload length, next header, hop limit, source address and destination address fields. For the specific meaning of each IPv6 field, refer to the prior art.
The destination address is the IP address of the datagram's receiver and occupies 128 bits. For example, the first AID and the first verification code may be placed in the destination IP address of an IPv6 datagram.
As another example, the destination IP address may be the destination IP address of an IPv4 datagram.
Because the first AID can be embedded in the application server's IP address, the network device can filter directly at the network layer, which lowers the cost of DDoS defence and depends neither on cross-domain cooperation nor on parsing data in upper-layer (for example, application-layer) protocols.
In some embodiments, the first AID and the first verification code may be placed in the source IP address of the first data packet, for example the source IP address of an IPv6 datagram or, as another example, of an IPv4 datagram.
In a second implementation, the first AID and the first verification code may be placed in the next header field of the network-layer protocol header of the first data packet. Because the first AID can be embedded in the next header field, the network device can filter directly at the network layer, which lowers the cost of DDoS defence and depends neither on cross-domain cooperation nor on parsing data in upper-layer (for example, application-layer) protocols.
In a third implementation, the first AID and the first verification code may be placed in the options field of the network-layer protocol header of the first data packet. Because the first AID can be embedded in the options field, the network device can filter directly at the network layer, which lowers the cost of DDoS defence and depends neither on cross-domain cooperation nor on parsing data in upper-layer (for example, application-layer) protocols.
In a fourth implementation, the first AID and the first verification code may be placed in the options field of the TCP header. Figure 7 shows an example structure of a TCP datagram. A TCP datagram is carried in the data part of an IP datagram and includes a TCP header and a data part. The TCP header includes the source port, destination port, sequence number, acknowledgment number, data offset (header length), reserved (resv), URG, ACK, PSH, RST, SYN and FIN flags, window size, checksum, urgent pointer and options fields. For the specific meaning of each TCP field, refer to the prior art.
Because the first AID can be embedded in the TCP options field, the network device can filter directly at the transport layer, which lowers the cost of DDoS defence and depends neither on cross-domain cooperation nor on parsing data in upper-layer (for example, application-layer) protocols.
Note that the first terminal may include the first AID and the first verification code in the packets it sends to the application server when it detects that access to the application server is congested, and may also include them when it detects that access is not congested.
In other embodiments, the first data packet may further include the first locator and the second locator. The first locator may be placed in the destination IP address of an IPv6 datagram.
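As an added example that is not code from the patent, the following Python shows one way to lay out the first implementation (AID and verification code inside the IPv6 destination address, with the locator as the prefix) and the fourth implementation (a TCP option), together with the parsing a network device would do on receipt. The 64/32/32-bit split and the experimental TCP option kind 253 are this example's assumptions, since the patent fixes neither.

```python
"""Carrying the AID and verification code in an IPv6 destination address or a TCP option.

Added example; the bit split (64-bit locator | 32-bit AID | 32-bit code) and the
TCP option kind are this example's assumptions, not values fixed by the patent.
"""
import ipaddress
import struct

LOCATOR_BITS, AID_BITS, CODE_BITS = 64, 32, 32
TCP_OPT_EOL, TCP_OPT_NOP = 0, 1
TCP_OPT_KIND_AID = 253   # experimental option kind (RFC 4727); placeholder for this example
TCP_OPT_LEN_AID = 10     # kind(1) + length(1) + AID(4) + code(4)


def build_destination(locator: int, aid: int, code: int) -> ipaddress.IPv6Address:
    """Terminal side (S406, first implementation): locator prefix, AID and code
    packed into the 128-bit destination address."""
    if locator >> LOCATOR_BITS or aid >> AID_BITS or code >> CODE_BITS:
        raise ValueError("field does not fit the assumed layout")
    return ipaddress.IPv6Address(struct.pack("!QII", locator, aid, code))


def parse_destination(addr: ipaddress.IPv6Address) -> tuple:
    """Network device side (S408): recover (locator, AID, code) from the address.
    The locator is what the device looks up in its locator-to-key table."""
    return struct.unpack("!QII", addr.packed)


def build_tcp_option(aid: int, code: int) -> bytes:
    """Terminal side (S406, fourth implementation): AID and code as a TCP option,
    NOP-padded to a 32-bit boundary so the data offset stays valid."""
    body = struct.pack("!BBII", TCP_OPT_KIND_AID, TCP_OPT_LEN_AID, aid, code)
    return body + bytes([TCP_OPT_NOP]) * ((-len(body)) % 4)


def parse_tcp_options(options: bytes):
    """Walk a TCP options block and return (AID, code) if the option is present, else None.
    Length checks reject truncated or malformed option lists instead of over-reading."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad TCP option length")
        if kind == TCP_OPT_KIND_AID and length == TCP_OPT_LEN_AID:
            _, _, aid, code = struct.unpack("!BBII", options[i:i + length])
            return aid, code
        i += length
    return None


def demo() -> dict:
    """Constructed values: a documentation-prefix locator, an AID and a code."""
    locator, aid, code = 0x20010DB800010000, 0x1A2B3C4D, 0x9F8E7D6C
    dst = build_destination(locator, aid, code)
    mss = b"\x02\x04\x05\xb4"                      # an MSS option placed ahead of ours
    opts = mss + build_tcp_option(aid, code)
    return {"dst": str(dst), "from_dst": parse_destination(dst),
            "from_tcp": parse_tcp_options(opts), "opt_len": len(opts) - len(mss)}


if __name__ == "__main__":
    print(demo())
```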
S407. The network device receives the first data packet.
S408. The network device obtains the second key corresponding to the first AID.
After receiving the first data packet, the network device parses it to obtain the first AID and the first verification code.
In a first implementation, as shown in Figure 5, the network device obtains the second key corresponding to the first AID as described in S4081 and S4084.
In a second implementation, as shown in Figure 5, the network device obtains the second key corresponding to the first AID as described in S4082 to S4084.
S4081. The network device obtains the first key based on the first locator.
In some embodiments, the first data packet includes the first locator, which may be placed in the destination address of an IPv6 datagram. After receiving the first data packet, the network device parses it to obtain the first locator. The first locator indicates the application server that runs the first service; in some embodiments it is that application server's location identifier, and in others its routing identifier.
The network device can obtain locators and the keys corresponding to services from the data centre in advance, and maintain a locator master key relationship, that is, the correspondence between a locator and the master key corresponding to a service. Locator master key relationships may be presented as a table; the network device may store a locator master key relationship table with at least one locator master key relationship. Table 2 shows an example.
Table 2 Locator master key relationships
Locator | Master key |
locator 1 | MK1 |
locator 2 | MK2 |
locator 3 | MK3 |
Note that Table 2 only illustrates, in tabular form, how locator master key relationships are stored in the network device; it does not limit the storage form, which may be any other form, and the embodiments of this application do not limit it.
After obtaining the first locator, the network device can read its locally stored locator master key relationships, look up the first locator and obtain the first key corresponding to it. The first key is the key corresponding to the first service and is used to derive the keys of the registered terminals that may access the first service.
S4082. The network device obtains a third key based on the first locator.
In some embodiments, the network device obtains locators and a root key (RK) from the data centre in advance; the root key is used to derive the keys corresponding to services. The network device can maintain a locator root key relationship, that is, the correspondence between a locator and the root key. Locator root key relationships may be presented as a table; the network device may store a locator root key relationship table with at least one locator root key relationship. Table 3 shows an example.
Table 3 Locator root key relationships
Note that Table 3 only illustrates, in tabular form, how locator root key relationships are stored in the network device; it does not limit the storage form, which may be any other form, and the embodiments of this application do not limit it.
After obtaining the first locator, the network device can read its locally stored locator root key relationships, look up the first locator and obtain the third key corresponding to it. The third key is used to derive the keys corresponding to services and may be the root key.
Because all services share the same root key, the mapping table the network device must maintain is small: no per-service entry is needed, and the device's lookup overhead is reduced.
S4083a. The network device generates the first key from the third key and the first service identifier.
In some embodiments, the network device uses a hash algorithm to generate the first key from the third key and the first service identifier. The first data packet may include the first service identifier, for example in the destination IP address field, in the next header field of the network-layer protocol, or in the options field of the TCP header; this application does not limit this. After receiving the first data packet, the network device parses it to obtain the first service identifier, which indicates the first service running on the application server.
S4083b. The network device generates the first key from the third key and the first locator.
In some embodiments, the network device uses a hash algorithm to generate the first key from the third key and the first locator. The first data packet may include the first locator; after receiving the packet, the network device parses it to obtain the first locator.
S4084. The network device generates the second key from the first AID and the first key.
In some embodiments, the network device uses a hash algorithm to generate the second key from the first AID and the first key.
In a third implementation, the network device obtains locators and the keys corresponding to terminals from the data centre in advance, and maintains a locator terminal key relationship, that is, the correspondence between a locator and the terminal key corresponding to a terminal. Locator terminal key relationships may be presented as a table; the network device may store a locator terminal key relationship table with at least one locator terminal key relationship. Table 4 shows an example.
Table 4 Locator terminal key relationships
Locator | Terminal key |
locator 1 | CK1 |
locator 2 | CK2 |
locator 3 | CK3 |
Note that Table 4 only illustrates, in tabular form, how locator terminal key relationships are stored in the network device; it does not limit the storage form, which may be any other form, and the embodiments of this application do not limit it.
After obtaining the first locator, the network device can read its locally stored locator terminal key relationships, look up the first locator and obtain the second key corresponding to it.
S409. The network device generates a second verification code from the first AID and the second key.
In some embodiments, the network device uses a hash algorithm to generate the second verification code from the first AID and the second key together with at least one of the first locator, the second locator and the dynamic parameter.
For example, the network device may use a hash algorithm to generate the second verification code from the first AID, the second key and the first locator.
As another example, the network device may use a hash algorithm to generate the second verification code from the first AID, the second key, the first locator and the dynamic parameter.
As another example, the network device may use a hash algorithm to generate the second verification code from the first AID, the second key, the first locator and the second locator.
As another example, the network device may use a hash algorithm to generate the second verification code from the first AID and the second key together with the first locator, the second locator and the dynamic parameter.
Here the first data packet includes the first locator and the second locator. The first locator indicates the application server that runs the first service. The second locator indicates the first terminal; in some embodiments it is the first terminal's location identifier, and in others the first terminal's IP address. After receiving the first data packet, the network device parses it to obtain the first locator and the second locator.
The dynamic parameter varies with time; in some embodiments it is time information. Note that the dynamic parameter used here must be the same as the one the first terminal used when generating the first verification code with the hash algorithm, to avoid verification failures caused by differing dynamic parameters.
S410. The network device determines whether the second verification code and the first verification code are the same.
If the second verification code and the first verification code are the same, S411 is performed; if they differ, S412 is performed.
S411. The network device determines that the first data packet is legitimate, and performs S413.
S412. The network device determines that the first data packet is illegitimate.
In some embodiments, a determination that the first data packet is illegitimate indicates that the network device may have received an illegitimate packet (for example, a DDoS attack packet), and the network device discards the first data packet.
Note that because the first terminal is a legitimate terminal registered with the application server and holds the first AID and the correct second key, the network device finds that the second verification code and the first verification code are the same. If the first terminal is a terminal not registered with the application server, then even if it holds the first AID it does not have the second key, so the first verification code it generates with a wrong key differs from the second verification code, and the network device determines that the first data packet is illegitimate.
S413. The network device forwards the first data packet to the application server.
S414. The application server receives the first data packet sent by the network device.
In some embodiments, the network device may by default verify the packets that access the first service and determine whether each is legitimate: legitimate packets are forwarded and illegitimate packets are discarded.
In other embodiments, the network device verifies the packets that access the first service according to an instruction, determining whether each is legitimate. For example, as shown in Figure 5, before the network device receives the first data packet, the method may further include the following step.
S415. The network device receives a filter request.
In some embodiments, the filter request instructs the network device to verify the packets that access the first service, in order to defend against DDoS attacks. The filter request may include the first locator, the first service identifier and the first key.
In the data processing method provided by the embodiments of this application, a terminal that accesses a service run on the application server is allocated an authenticated identifier and a key corresponding to that identifier, and the terminal carries the authenticated identifier and a verification code in the data packets it sends. A network device can therefore distinguish legitimate packets from illegitimate packets on the basis of the authenticated identifier and the verification code, and only legitimate packets are forwarded. Compared with black-holing, the method ensures that legitimate traffic (traffic sent by registered terminals) is forwarded while the network device filters most of the DDoS attack traffic. Compared with traffic scrubbing, the method reduces the delay in handling legitimate traffic that deep protocol parsing introduces. In addition, because the authenticated identifier can be embedded in the application server's IP address, the network device can filter directly at the network layer, which lowers the cost of DDoS defence and does not depend on cross-domain cooperation.
In other embodiments, if the first terminal is not registered with the application server but the first AID and the second key have leaked, so that the first terminal holds the first AID and the correct second key, then the first verification code it generates from the first AID and the correct second key equals the second verification code. In that case the application server may come under DDoS attack, and when the network device determines that the traffic corresponding to the first AID is greater than or equal to a threshold, it can limit the traffic of the first AID without verifying the verification code. This prevents large volumes of packets from being sent to the application server and defends against DDoS attacks.
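As an added example, not the patent's own code nor the SDK it refers to, the following Python carries S401 through S413 and the traffic-threshold rule through in one place: the root key to master key to client key hash chain (S4082 to S4084), AID allocation (S4015), the verification code bound to both locators and a time window (S405, S409), and the network device's comparison and forwarding decision (S410 to S413). HMAC-SHA256 as the hash algorithm, the 32-bit truncations, the 60-second window, the threshold value and the sample keys are all this example's assumptions.

```python
"""AID key hierarchy and packet verification (S401-S413 plus the threshold rule).

Added example. The patent only says "hash algorithm"; HMAC-SHA256, the truncation
lengths, the time window, the threshold and the sample keys are this example's choices.
"""
import hashlib
import hmac
from collections import Counter

AID_LEN = 4          # AID truncated to 32 bits (assumed)
CODE_LEN = 4         # verification code truncated to 32 bits (assumed)
TIME_STEP = 60       # dynamic parameter: the current 60-second window (assumed)
RATE_THRESHOLD = 3   # packets per AID per window before limiting (small constructed value)


def _kdf(key: bytes, *parts: bytes) -> bytes:
    """Keyed hash over length-prefixed inputs, so field boundaries cannot shift."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def derive_mk(rk: bytes, sid: bytes) -> bytes:
    """S4083a: root key + service identifier -> master key of that service."""
    return _kdf(rk, b"MK", sid)


def derive_ck(mk: bytes, aid: bytes) -> bytes:
    """S402 / S4084: master key + AID -> client key of the registered terminal."""
    return _kdf(mk, b"CK", aid)


def gen_aid(sid: bytes, cid: bytes) -> bytes:
    """S4015: AID from the service identifier and the client identifier."""
    return hashlib.sha256(sid + b"/" + cid).digest()[:AID_LEN]


def verification_code(ck: bytes, aid: bytes, loc_server: bytes, loc_client: bytes, now: int) -> bytes:
    """S405 / S409: code bound to the AID, both locators and the current time window."""
    window = (now // TIME_STEP).to_bytes(8, "big")
    return _kdf(ck, b"VC", aid, loc_server, loc_client, window)[:CODE_LEN]


class ApplicationServer:
    """Target device: holds (SID, MK) from the key management centre and registers terminals."""

    def __init__(self, sid: bytes, mk: bytes):
        self.sid, self.mk, self.issued = sid, mk, set()

    def register(self, cid: bytes) -> tuple:
        """S4011-S403: allocate the AID and derive the CK that is handed to the terminal."""
        aid = gen_aid(self.sid, cid)
        if aid in self.issued:            # AIDs must be unique within the service
            raise RuntimeError("AID collision, allocate a different CID")
        self.issued.add(aid)
        return aid, derive_ck(self.mk, aid)


def build_packet(src_loc, dst_loc, sid, aid, ck, now) -> dict:
    """Terminal side (S405-S406); header fields are modelled as a dict here."""
    return {"src": src_loc, "dst": dst_loc, "sid": sid, "aid": aid,
            "code": verification_code(ck, aid, dst_loc, src_loc, now)}


class NetworkDevice:
    """Filtering device in the Table 3 mode: one locator -> root key entry, no per-terminal state."""

    def __init__(self, locator_to_rk: dict):
        self.rk_table = locator_to_rk
        self.seen = Counter()             # (AID, window) -> packet count

    def handle(self, pkt: dict, now: int) -> str:
        key = (pkt["aid"], now // TIME_STEP)
        self.seen[key] += 1
        if self.seen[key] > RATE_THRESHOLD:
            return "rate-limited"         # leaked-AID case: limit without checking the code
        rk = self.rk_table.get(pkt["dst"])
        if rk is None:
            return "forward"              # no filter request for this locator: not protected
        ck = derive_ck(derive_mk(rk, pkt["sid"]), pkt["aid"])                     # S4082-S4084
        expected = verification_code(ck, pkt["aid"], pkt["dst"], pkt["src"], now)   # S409
        return "forward" if hmac.compare_digest(expected, pkt["code"]) else "drop"  # S410-S413


def demo() -> list:
    """Constructed run: an honest packet, a wrong key, a changed source, a replay, then flooding."""
    rk, sid, t = b"constructed-root-key", b"svc-1", 1_700_000_000
    server = ApplicationServer(sid, derive_mk(rk, sid))
    aid, ck = server.register(b"client-7")
    nd = NetworkDevice({b"locA": rk})
    good = build_packet(b"locC", b"locA", sid, aid, ck, t)
    return [nd.handle(good, t),
            nd.handle(build_packet(b"locC", b"locA", sid, aid, b"wrong-key", t), t),
            nd.handle(dict(good, src=b"locX"), t),       # source locator changed in transit
            nd.handle(good, t + TIME_STEP),              # replayed in the next window
            nd.handle(good, t)]                          # fourth packet in the first window


if __name__ == "__main__":
    print(demo())
```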
In the embodiments provided above, the method of the embodiments was described from the perspectives of the network device, the terminal and the application server, and of the interaction between them. It will be understood that, to implement the functions of the method above, each network element (the network device, the terminal and the application server) includes the corresponding hardware structure and/or software module for each function. A person skilled in the art will readily appreciate that the algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, and such implementations should not be regarded as going beyond the scope of this application.
The embodiments of this application may divide the network device, the terminal and the application server into functional modules according to the method examples above: for example, one functional module per function, or two or more functions integrated in one processing module. The integrated module may be implemented in hardware or as a software functional module. Note that the division into modules in the embodiments is illustrative and is only a logical functional division; other divisions are possible in practice.
Where each function has its own functional module, Figure 8 shows a possible composition of the communications apparatus involved in the embodiments above. The apparatus can perform the steps performed by the network device, the terminal or the application server in any of the method embodiments of this application. As shown in Figure 8, the apparatus may include a receiving unit 801, a processing unit 802 and a sending unit 803.
When the communications apparatus is a terminal, or a communications apparatus that supports a terminal in implementing the method provided in the embodiments (for example, a chip system):
Receiving unit 801 supports the communications apparatus in performing the method described in the embodiments of this application. For example, receiving unit 801 performs, or supports the apparatus in performing, S404 of the data processing method in Figure 4 or S404 of the data processing method in Figure 5.
Processing unit 802 performs, or supports the apparatus in performing, S405 of the data processing method in Figure 4 or S405 of the data processing method in Figure 5.
Sending unit 803 performs, or supports the apparatus in performing, S406 of the data processing method in Figure 4 or S406 of the data processing method in Figure 5.
When the communications apparatus is a network device, or a communications apparatus that supports a network device in implementing the method provided in the embodiments (for example, a chip system):
Receiving unit 801 supports the communications apparatus in performing the method described in the embodiments of this application. For example, receiving unit 801 performs, or supports the apparatus in performing, S407 of the data processing method in Figure 4, and S407 and S415 of the data processing method in Figure 5.
Processing unit 802 performs, or supports the apparatus in performing, S408 to S412 of the data processing methods in Figures 4 and 5, and S4081, S4082, S4083a, S4083b, S4084 and S409 to S415 of the data processing method in Figure 5.
Sending unit 803 performs, or supports the apparatus in performing, S413 of the data processing method in Figure 4 and S413 of the data processing method in Figure 5.
When the communications apparatus is an application server, or a communications apparatus that supports an application server in implementing the method provided in the embodiments (for example, a chip system):
Receiving unit 801 supports the communications apparatus in performing the method described in the embodiments of this application. For example, receiving unit 801 performs, or supports the apparatus in performing, S401 and S414 of the data processing method in Figure 4, or S4012, S4014 and S414 of the data processing method in Figure 5.
Processing unit 802 performs, or supports the apparatus in performing, S402 of the data processing method in Figure 4, or S4013, S4015, S4016 and S402 of the data processing method in Figure 5.
Sending unit 803 performs, or supports the apparatus in performing, S403 of the data processing method in Figure 4 or S403 of the data processing method in Figure 5.
Note that all the details of the steps in the method embodiments above can be cited in the functional descriptions of the corresponding functional modules and are not repeated here.
The communications apparatus provided by the embodiments of this application performs the method of any of the embodiments above and therefore achieves the same effects as those methods.
Figure 9 shows a communications apparatus 900 provided by an embodiment of this application, for implementing the functions of the network device in the methods above. Communications apparatus 900 may be the network device or an apparatus within the network device, and may be a chip system; in the embodiments of this application, a chip system may consist of chips or may include chips and other discrete components. Alternatively, communications apparatus 900 implements the functions of the terminal in the methods above and may be the terminal, an apparatus within the terminal, or a chip system. Alternatively, communications apparatus 900 implements the functions of the application server in the methods above and may be the application server, an apparatus within the application server, or a chip system.
Communications apparatus 900 includes at least one processor 901 for implementing the functions of the network device, the terminal or the application server in the methods provided by the embodiments of this application. For example, processor 901 may generate the first verification code from the first AID and the first key, or generate the first key from the first AID and the second key, and so on; see the detailed description in the method examples, which is not repeated here.
Communications apparatus 900 may further include at least one memory 902 for storing program instructions and/or data. Memory 902 is coupled to processor 901. Coupling in the embodiments of this application is an indirect coupling or communicative connection between apparatuses, units or modules, which may be electrical, mechanical or of another form and is used for exchanging information between them. Processor 901 may operate in cooperation with memory 902 and may execute the program instructions stored in memory 902. At least one of the at least one memory may be included in the processor.
Communications apparatus 900 may further include a communications interface 903 for communicating with other devices over a transmission medium, so that the apparatus within communications apparatus 900 can communicate with other devices. For example, if the communications apparatus is a network device, the other device is a terminal; if the communications apparatus is a terminal, the other device is a network device or an application server. Processor 901 sends and receives data through communications interface 903 and implements the method performed by the network device, the terminal or the application server in the embodiments corresponding to Figures 4 and 5.
The embodiments of this application do not limit the specific connection medium between communications interface 903, processor 901 and memory 902. In Figure 9 they are connected by a bus 904, drawn as a thick line; the connections between the other components are only illustrative and are not limiting. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in Figure 9, but this does not mean there is only one bus or only one type of bus.
In the embodiments of this application, the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments may be performed directly by a hardware processor, or by a combination of the hardware and software modules in the processor.
In the embodiments of this application, the memory may be non-volatile memory such as a hard disk drive (HDD) or solid-state drive (SSD), or volatile memory such as random-access memory (RAM). The memory is, without limitation, any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer. The memory in the embodiments may also be a circuit or any other device capable of performing a storage function, for storing program instructions and/or data.
Optionally, the first AID may also be a type identifier (typeID) of the first terminal, identifying the type of the first terminal, or a group identifier (groupID) of the first terminal, identifying the group the first terminal belongs to. After receiving the registration request of the first terminal, the application server can allocate the type identifier or the group identifier to the first terminal. For example, the group identifier may distinguish different departments within an enterprise, or distinguish different levels of access to the application server. The application server may provide financial services (for example banking or UnionPay services), electronic game services and so on.
In some embodiments, as shown in Figure 10, a user (for example, an enterprise employee) accesses the application server through a Virtual Private Network (VPN) between a first network device (for example, the network device 202 near terminal 201) and a second network device (for example, the network device 202 near application server 203). For terminal 201, the data centre and the ISP in Figure 10, refer to the explanation of Figure 2, which is not repeated here. The user and the application server may be in the same region or in different regions.
The first data packet sent by the first terminal (for example, terminal 201) contains a source address, a destination address, the first AID, the first verification code and data. The source address is the first terminal's address IP_IC, and the destination address is the application server's address IP_s. The difference from the embodiments above is that the first AID is the group identifier or the type identifier of the first terminal, and that is the first AID the first terminal uses when it generates the first verification code with the hash algorithm. For the specific method of generating the first verification code, refer to the embodiments above, which are not repeated here.
After receiving the first data packet, the first network device verifies the first verification code it contains. If verification succeeds, it encapsulates the first data packet into a second data packet that contains an outer header and an inner header. The outer header's source address is the first network device's address IP_G1, and its destination address is the second network device's address IP_G2. The inner header's source address is the first terminal's address IP_IC, and its destination address is the application server's address IP_s. If verification fails, the first data packet is discarded. For the specific method of verifying the first verification code, refer to the embodiments above, which are not repeated here.
After receiving the successfully verified first data packet, the second network device can decide to forward or discard it on the basis of the first terminal's group identifier and access permissions, which further filters out traffic that does not satisfy the permissions.
Typically, an attacker can connect to the enterprise network from inside the enterprise, thereby bypassing the devices that check for unauthorised access, and attack the application server. This embodiment can be applied in an enterprise or campus network: at the VPN gateway on the terminal side it filters out packets that carry a forged terminal group identifier or a forged type identifier, preventing an internal intruder who connects to the access-side VPN gateway from getting illegitimate packets through the VPN tunnel to the application server. This ensures that every packet reaching the application server uses a genuine terminal type identifier or terminal group identifier, and illegitimate packets are filtered out.
In some embodiments, as shown in Figure 11, a user (for example, an enterprise employee) accesses the application server through a VPN between the first terminal (for example, terminal 201) and a network device (for example, the network device 202 near terminal 201). For terminal 201, the data centre and the ISP in Figure 11, refer to the explanation of Figure 2, which is not repeated here.
The difference from the embodiments above is that the first data packet sent by the first terminal contains an outer header and an inner header. The outer header's source address is the first terminal's address IP_OC, and its destination address is the first network device's address IP_G1; the outer header also contains the first AID and the first verification code. The inner header's source address is the first terminal's address IP_IC, and its destination address is the application server's address IP_s.
After receiving the first data packet, the network device verifies the first verification code. If verification succeeds, it strips the outer header of the first data packet to obtain a second data packet and forwards the second data packet. If verification fails, it discards the first data packet. For the specific method of verifying the first verification code, refer to the embodiments above, which are not repeated here.
From the description of the implementations above, a person skilled in the art will clearly understand that, for convenience and brevity of description, the division into the functional modules above is only an example. In practice the functions above may be assigned to different functional modules as needed, that is, the internal structure of the apparatus may be divided into different functional modules to perform all or part of the functions described above.
In the embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative: the division into modules or units is only a logical functional division, and other divisions are possible in practice; several units or components may be combined or integrated into another apparatus, and some features may be omitted or not performed. Moreover, the couplings, direct couplings or communicative connections shown or discussed may be indirect couplings or communicative connections through interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
Units described as separate components may or may not be physically separate, and components shown as units may be one physical unit or several physical units, located in one place or distributed over several places. Some or all of the units may be selected as needed to achieve the objectives of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated in one processing unit, may exist physically as separate units, or two or more of them may be integrated in one unit. The integrated unit may be implemented in hardware or as a software functional unit.
The methods provided by the embodiments of this application may be implemented wholly or partly in software, hardware, firmware or any combination of them. When implemented in software, they may be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions; when the computer program instructions are loaded and executed on a computer, the procedures or functions of the embodiments of this application are produced wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network, a network device, a terminal or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server or data centre to another website, computer, server or data centre by wire (for example coaxial cable, optical fibre or digital subscriber line (DSL)) or wirelessly (for example infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data centre that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a digital video disc (DVD)) or a semiconductor medium (for example an SSD).
The above are only specific implementations of this application; its scope of protection is not limited to them. Any variation or replacement within the technical scope disclosed in this application falls within its scope of protection. The scope of protection of this application is therefore defined by the claims.
Claims (38)
- A data processing method, comprising: receiving a first authenticated identifier and a first key; generating a first verification code based on the first authenticated identifier and the first key; and sending a first data packet, the first data packet comprising the first authenticated identifier and the first verification code.
- The method according to claim 1, wherein generating the first verification code based on the first authenticated identifier and the first key comprises: generating the first verification code based on the first authenticated identifier and the first key together with at least one of a first locator, a second locator and a dynamic parameter, the first locator indicating a target device, the second locator indicating a first terminal, and the dynamic parameter varying with time.
- The method according to claim 2, further comprising: obtaining a static identifier of the target device, the static identifier of the target device comprising the first locator.
- The method according to any one of claims 1 to 3, wherein the first authenticated identifier and the first verification code are placed in a network-layer protocol header or a transport-layer protocol header of the first data packet.
- The method according to claim 4, wherein the first authenticated identifier and the first verification code are placed in a next header field or an Internet Protocol (IP) address field of the network-layer protocol header of the first data packet.
- The method according to claim 4, wherein the first authenticated identifier and the first verification code are placed in an options field of a Transmission Control Protocol (TCP) header of the first data packet.
- A data processing method, comprising: receiving a first data packet, the first data packet comprising a first authenticated identifier and a first verification code; obtaining a first key corresponding to the first authenticated identifier; generating a second verification code based on the first authenticated identifier and the first key; when the second verification code and the first verification code are the same, determining that the first data packet is legitimate; and when the second verification code and the first verification code differ, determining that the first data packet is illegitimate.
- The method according to claim 7, further comprising: if the first data packet is determined to be legitimate, forwarding the first data packet to a target device.
- The method according to claim 7 or 8, wherein obtaining the first key corresponding to the first authenticated identifier comprises: generating the first key based on the first authenticated identifier and a second key, the second key being the key corresponding to a first service and being used to derive the keys of registered terminals that may access the first service.
- The method according to claim 9, further comprising: obtaining the second key based on a first locator, the first data packet further comprising the first locator, the first locator indicating a target device.
- The method according to claim 9, further comprising: obtaining a third key based on a first locator, the third key being used to derive the keys corresponding to services, the first data packet further comprising the first locator, the first locator indicating a target device; and generating the second key based on the third key and a first service identifier, the first data packet further comprising the first service identifier, the first service identifier indicating a first service running on the target device; or generating the second key based on the third key and the first locator.
- The method according to any one of claims 7 to 11, wherein generating the second verification code based on the first authenticated identifier and the first key comprises: generating the second verification code based on the first authenticated identifier and the first key together with at least one of a first locator, a second locator and a dynamic parameter, the first data packet further comprising the first locator and the second locator, the first locator indicating a target device, the second locator indicating a first terminal, and the dynamic parameter varying with time.
- The method according to any one of claims 7 to 12, further comprising, before receiving the first data packet: receiving a filter request, the filter request comprising a first locator, a first service identifier and a second key.
- The method according to any one of claims 7 to 13, further comprising: determining that the traffic corresponding to the first authenticated identifier is greater than or equal to a threshold, and limiting the traffic of the first authenticated identifier.
- A key distribution method, comprising: obtaining a first authenticated identifier and a second key; generating a first key based on the first authenticated identifier and the second key; and sending the first authenticated identifier and the first key to a first terminal.
- The method according to claim 15, wherein obtaining the first authenticated identifier comprises: obtaining a first service identifier, the first service identifier indicating a first service running on a target device; and generating the first authenticated identifier based on the first service identifier and a first terminal identifier, the first terminal identifier indicating the first terminal.
- The method according to claim 15, wherein obtaining the first authenticated identifier comprises: generating the first authenticated identifier based on a first terminal identifier, the first terminal identifier indicating the first terminal.
- The method according to claim 16 or 17, further comprising, before obtaining the first authenticated identifier and the first key: receiving a registration request sent by the first terminal; and allocating the first terminal identifier to the first terminal.
- A communications apparatus, comprising: a receiving unit configured to receive a first authenticated identifier and a first key; a processing unit configured to generate a first verification code based on the first authenticated identifier and the first key; and a sending unit configured to send a first data packet, the first data packet comprising the first authenticated identifier and the first verification code.
- The apparatus according to claim 19, wherein the processing unit is configured to: generate the first verification code based on the first authenticated identifier and the first key together with at least one of a first locator, a second locator and a dynamic parameter, the first locator indicating a target device, the second locator indicating a first terminal, and the dynamic parameter varying with time.
- The apparatus according to claim 20, further comprising: a processing unit configured to obtain a static identifier of the target device, the static identifier of the target device comprising the first locator.
- The apparatus according to any one of claims 19 to 21, wherein the first authenticated identifier and the first verification code are placed in a network-layer protocol header or a transport-layer protocol header of the first data packet.
- The apparatus according to claim 22, wherein the first authenticated identifier and the first verification code are placed in a next header field or an Internet Protocol (IP) address field of the network-layer protocol header of the first data packet.
- The apparatus according to claim 22, wherein the first authenticated identifier and the first verification code are placed in an options field of a Transmission Control Protocol (TCP) header of the first data packet.
- A communications apparatus, comprising: a receiving unit configured to receive a first data packet, the first data packet comprising a first authenticated identifier and a first verification code; and a processing unit configured to obtain a first key corresponding to the first authenticated identifier, the processing unit being further configured to generate a second verification code based on the first authenticated identifier and the first key, to determine that the first data packet is legitimate when the second verification code and the first verification code are the same, and to determine that the first data packet is illegitimate when the second verification code and the first verification code differ.
- The apparatus according to claim 25, further comprising: a sending unit configured to forward the first data packet to a target device if the first data packet is determined to be legitimate.
- The apparatus according to claim 25 or 26, wherein the processing unit is configured to: generate the first key based on the first authenticated identifier and a second key, the second key being the key corresponding to a first service and being used to derive the keys of registered terminals that may access the first service.
- The apparatus according to claim 27, wherein the processing unit is further configured to obtain the second key based on a first locator, the first data packet further comprising the first locator, the first locator indicating a target device.
- The apparatus according to claim 27, wherein the processing unit is further configured to obtain a third key based on a first locator, the third key being used to derive the keys corresponding to services, the first data packet further comprising the first locator, the first locator indicating a target device; and the processing unit is further configured to generate the second key based on the third key and a first service identifier, the first data packet further comprising the first service identifier, the first service identifier indicating a first service running on the target device; or to generate the second key based on the third key and the first locator.
- The apparatus according to any one of claims 25 to 29, wherein the processing unit is configured to: generate the second verification code based on the first authenticated identifier and the first key together with at least one of a first locator, a second locator and a dynamic parameter, the first data packet further comprising the first locator and the second locator, the first locator indicating a target device, the second locator indicating a first terminal, and the dynamic parameter varying with time.
- The apparatus according to any one of claims 25 to 30, wherein the receiving unit is further configured to receive a filter request, the filter request comprising a first locator, a first service identifier and a second key.
- The apparatus according to any one of claims 25 to 31, wherein the processing unit is further configured to determine that the traffic corresponding to the first authenticated identifier is greater than or equal to a threshold, and to limit the traffic of the first authenticated identifier.
- A communications apparatus, comprising: a processing unit configured to obtain a first authenticated identifier and a second key, the processing unit being further configured to generate a first key based on the first authenticated identifier and the second key; and a sending unit configured to send the first authenticated identifier and the first key to a first terminal.
- The apparatus according to claim 33, further comprising: a receiving unit configured to obtain a first service identifier, the first service identifier indicating a first service running on a target device; the processing unit being configured to generate the first authenticated identifier based on the first service identifier and a first terminal identifier, the first terminal identifier indicating the first terminal.
- The apparatus according to claim 33, wherein the processing unit is configured to generate the first authenticated identifier based on a first terminal identifier, the first terminal identifier indicating the first terminal.
- The apparatus according to claim 34 or 35, further comprising: a receiving unit further configured to receive a registration request sent by the first terminal; the processing unit being further configured to allocate the first terminal identifier to the first terminal.
- A communications apparatus, comprising: at least one processor, a memory and a bus, wherein the memory is configured to store a computer program which, when executed by the at least one processor, implements the data processing method according to any one of claims 1 to 6, or the data processing method according to any one of claims 7 to 14, or the key distribution method according to any one of claims 15 to 18.
- A computer-readable storage medium, comprising: computer software instructions which, when run in a computer device or in a chip built into a computer device, cause the computer device to perform the data processing method according to any one of claims 1 to 6, or the data processing method according to any one of claims 7 to 14, or the key distribution method according to any one of claims 15 to 18.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP20853832.2A EP4013005A4 (en) | 2019-08-19 | 2020-08-19 | DATA PROCESSING METHOD AND DEVICE |
US17/675,275 US20220174085A1 (en) | 2019-08-19 | 2022-02-18 | Data Processing Method and Apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910766203.4A CN112398800A (zh) | 2019-08-19 | 2019-08-19 | Data processing method and apparatus |
CN201910766203.4 | 2019-08-19 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/675,275 Continuation US20220174085A1 (en) | 2019-08-19 | 2022-02-18 | Data Processing Method and Apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021032126A1 true WO2021032126A1 (zh) | 2021-02-25 |
Family
ID=74603607
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/110049 WO2021032126A1 (zh) | 2019-08-19 | 2020-08-19 | Data processing method and apparatus |
Country Status (4)
Country | Link |
---|---|
US (1) | US20220174085A1 (zh) |
EP (1) | EP4013005A4 (zh) |
CN (1) | CN112398800A (zh) |
WO (1) | WO2021032126A1 (zh) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3568784B1 (en) * | 2017-01-14 | 2022-08-03 | Hyprfire Pty Ltd | Method and system for detecting and mitigating a denial of service attack |
CN110324274B (zh) * | 2018-03-28 | 2022-05-31 | 华为技术有限公司 | 控制终端接入网络的方法及网元 |
CN113923668B (zh) * | 2021-10-11 | 2023-07-25 | 中国联合网络通信集团有限公司 | 识别网络攻击行为的方法、装置、芯片及可读存储介质 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106534070A (zh) * | 2016-10-09 | 2017-03-22 | 清华大学 | 一种抵御仿冒的低开销路由器标识生成方法 |
US20170237767A1 (en) * | 2016-02-12 | 2017-08-17 | Time Warner Cable Enterprises Llc | Apparatus and methods for mitigation of network attacks via dynamic re-routing |
CN109076399A (zh) * | 2016-05-09 | 2018-12-21 | 高通股份有限公司 | 流内分组优先化和数据相关的灵活qos策略 |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3263878B2 (ja) * | 1993-10-06 | 2002-03-11 | 日本電信電話株式会社 | 暗号通信システム |
US8543808B2 (en) * | 2006-08-24 | 2013-09-24 | Microsoft Corporation | Trusted intermediary for network data processing |
AU2013200916B2 (en) * | 2012-02-20 | 2014-09-11 | Kl Data Security Pty Ltd | Cryptographic Method and System |
EP3113443B1 (en) * | 2015-07-02 | 2020-08-26 | Telefonica Digital España, S.L.U. | Method, a system and computer program products for securely enabling in-network functionality over encrypted data sessions |
US9906561B2 (en) * | 2015-08-28 | 2018-02-27 | Nicira, Inc. | Performing logical segmentation based on remote device attributes |
US20170171170A1 (en) * | 2015-12-09 | 2017-06-15 | Xasp Security, Llc | Dynamic encryption systems |
CN107645478B (zh) * | 2016-07-22 | 2020-12-22 | Alibaba Group Holding Limited | Network attack defense system, method and apparatus |
US10999318B2 (en) * | 2017-07-07 | 2021-05-04 | Uniken Inc. | Algorithmic packet-based defense against distributed denial of service |
WO2020049593A1 (en) * | 2018-09-07 | 2020-03-12 | Sling Media Pvt Ltd. | Security architecture for video streaming |
- 2019
  - 2019-08-19 CN CN201910766203.4A patent/CN112398800A/zh active Pending
- 2020
  - 2020-08-19 EP EP20853832.2A patent/EP4013005A4/en active Pending
  - 2020-08-19 WO PCT/CN2020/110049 patent/WO2021032126A1/zh unknown
- 2022
  - 2022-02-18 US US17/675,275 patent/US20220174085A1/en active Pending
Non-Patent Citations (1)
Title |
---|
See also references of EP4013005A4 |
Also Published As
Publication number | Publication date |
---|---|
EP4013005A1 (en) | 2022-06-15 |
CN112398800A (zh) | 2021-02-23 |
US20220174085A1 (en) | 2022-06-02 |
EP4013005A4 (en) | 2022-10-05 |
Similar Documents
Publication | Title |
---|---|
WO2021032126A1 (zh) | A data processing method and apparatus |
CN107409125B (zh) | Efficient policy enforcement using network tokens for service-user plane approaches |
US10348686B2 (en) | Systems and methods for application-specific access to virtual private networks |
US8559448B2 (en) | Method and apparatus for communication of data packets between local networks |
US11888652B2 (en) | VXLAN implementation method, network device, and communications system |
US20160308904A1 (en) | Integrative network management method and apparatus for supplying connection between networks based on policy |
WO2016201990A1 (zh) | Method, apparatus and system for preventing Diameter signalling attacks in a wireless network |
EP3720100A1 (en) | Service request processing method and device |
WO2021244449A1 (zh) | A data processing method and apparatus |
CN110650075B (zh) | VXLAN-based group policy implementation method, network device and group policy implementation system |
US11265244B2 (en) | Data transmission method, PNF SDN controller, VNF SDN controller, and data transmission system |
WO2020224341A1 (zh) | A TLS encrypted traffic identification method and apparatus |
US8819790B2 (en) | Cooperation method and system between SEND mechanism and IPsec protocol in an IPv6 environment |
EP3552367B1 (en) | Method and intermediate network node for managing TCP segment |
WO2023000248A1 (en) | Authentication methods using zero-knowledge proof algorithms for user equipments and nodes implementing the authentication methods |
EP3982598A1 (en) | Method and apparatus for sending and receiving message, and communication system |
US20180097776A1 (en) | Network protection entity and method for protecting a communication network against fraud messages |
WO2011157142A2 (zh) | Packet sending method and apparatus |
CN108989271B (zh) | Method and apparatus for protecting home gateway ports against attacks |
US20230336535A1 (en) | Method, device, and system for authentication and authorization with edge data network |
WO2023179656A1 (zh) | SRv6 packet processing method, apparatus, communication device and storage medium |
CN116530119A (zh) | Method, device and system for protecting sequence numbers in a wireless network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 20853832; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2020853832; Country of ref document: EP; Effective date: 20220309 |