WO2021057348A1 - Method and system for server security defense, communication device and recording medium - Google Patents

Method and system for server security defense, communication device and recording medium

Info

Publication number
WO2021057348A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
identification
service
client
identity
Application number
PCT/CN2020/110346
Other languages
English (en)
Chinese (zh)
Inventor
郝振武
Original Assignee
中兴通讯股份有限公司

Classifications

    • All classifications fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
    • H04L67/565 Conversion or adaptation of application format or content (H04L67/56 Provisioning of proxy services; H04L67/50 Network services)
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/4511 Network directories; name-to-address mapping using standardised directories and directory access protocols, using the domain name system [DNS]
    • H04L63/1441 Countermeasures against malicious traffic (H04L63/14 Detecting or protecting against malicious traffic)
    • H04L63/20 Managing network security; network security policies in general
    • H04L67/563 Data redirection of data network streams (H04L67/56 Provisioning of proxy services)
    • H04L67/63 Routing a service request depending on the request content or context (H04L67/60 Scheduling or organising the servicing of application requests)

Definitions

  • The embodiments of the present invention relate to, but are not limited to, the field of security technology, and in particular to a server security defense method and system, a communication device, and a storage medium.
  • Moving Target Defense (MTD) is a new approach to network security protection.
  • The server security defense method and system, communication device, and storage medium provided by the embodiments of the present invention aim to solve, at least to some extent, one of the problems of the related art: on the Internet, the IP address and service port of the server are exposed to the accessing terminal, which leaves the server vulnerable to attack.
  • An embodiment of the present invention provides a server security defense method, which includes: a client sends a domain name resolution request to a domain name server; the domain name server resolves the server domain name in the request to the IP address of the identification management server and returns that IP address to the client; the client sends a service request, which includes a service identification, to the identification management server; the identification management server requests a dynamic identification from the identification gateway; the identification gateway allocates dynamic identification information, returns it to the identification management server, and at the same time establishes a mapping relationship; and the identification management server returns a redirection response to the client;
  • the client sends a service request to the identification gateway, and the identification gateway converts the service request according to the mapping relationship and sends it to the service server, then converts the response received from the service server and sends it to the client.
  • The embodiment of the present invention also provides a server security defense system, including: a client, which supports the domain name resolution client function and the service access function, initiates service requests using the service identification, and also supports the service redirection function, that is, accesses the specified network resource according to the redirection response returned by the server;
  • a domain name server, which resolves the domain name of the service server to the IP address of the identification management server, and selects one or more identification management servers from multiple identification management servers according to a preset strategy;
  • an identification management server, which receives the service request sent by the client, selects an identification gateway according to the preset strategy, requests a dynamic identification from the identification gateway, generates the redirection service identification, and returns the redirection response to the client;
  • an identification gateway, which generates a dynamic identification at the request of the identification management server, establishes the mapping relationship between the client IP address, the dynamic identification, and the service server identification, and forwards the service request from the client and the response to the client according to that mapping relationship.
  • An embodiment of the present invention also provides a communication device, including a processor, a memory, and a communication bus, where the communication bus implements the connection and communication between the processor and the memory, and the processor executes the one or more programs stored in the memory.
  • An embodiment of the present invention also provides a computer-readable storage medium that stores one or more programs, where the one or more programs can be executed by one or more processors to implement the steps of the server security defense method described above.
  • FIG. 1 is a schematic structural diagram of a server security defense system provided by Embodiment 1 of the present invention.
  • FIG. 2 is a flowchart of a server security defense method provided by Embodiment 1 of the present invention.
  • FIG. 3 is a flowchart of a server security defense method provided by Embodiment 2 of the present invention.
  • FIG. 4 is a flowchart of a server security defense method provided by Embodiment 3 of the present invention.
  • FIG. 5 is a schematic structural diagram of a service security defense system provided by Embodiment 4 of the present invention.
  • FIG. 6 is a flowchart of a server security defense method provided by Embodiment 4 of the present invention.
  • FIG. 7 is a schematic structural diagram of a communication device according to Embodiment 5 of the present invention.
  • An embodiment of the present invention provides a server security defense method for use in a server security defense network system.
  • As shown in FIG. 1, the server security defense network system includes: a client 101, a domain name server 102, an identification management server 103, an identification gateway 104, and a service server 105.
  • The identification gateway 104 is located between the client 101 and the service server 105; that is, the client 101 and the service server 105 are placed in different security zones, the service server 105 being located in a high-security zone, and the identification gateway 104 provides security protection for the service server 105 against attacks from the client.
  • The client 101 supports the domain name resolution client function and the service access function, initiates service requests using the service identification, and also supports the service redirection function, that is, accesses the specified network resource according to the redirection response returned by the server;
  • the domain name server 102 resolves the domain name of the service server 105 to the IP address of the identification management server 103, and selects one or more identification management server IP addresses from multiple identification management servers according to a preset strategy;
  • after receiving the service request sent by the client 101, the identification management server 103 selects an identification gateway according to the preset strategy, requests a dynamic identification from it, generates the redirection service identification, and returns the redirection response to the client;
  • the identification gateway 104 generates a dynamic identification at the request of the identification management server 103, establishes the mapping relationship between the client IP address, the dynamic identification, and the service server identification, and forwards the service request from the client and the response to the client according to the mapping relationship.
  • As shown in FIG. 2, the method includes the following steps:
  • S201 The client sends a domain name resolution request to the domain name server, and the domain name server resolves the domain name of the service server to the IP address of the identification management server and returns it to the client.
  • Specifically, the domain name server resolves the service server domain name in the request to the IP address of the identification management server and returns the resolved IP address to the client.
  • There may be one or more identification management servers. After receiving the domain name resolution request from the client, the domain name server selects at least one identification management server from the plurality of identification management servers according to a preset policy and sends its IP address to the client.
  • The strategy includes: selecting the identification management server closest to the client according to the client's location information; or polling each identification management server in turn; or selecting the identification management server with the lighter load.
  • S202 The client sends a service request to the identification management server; the identification management server requests a dynamic identification from the identification gateway; the identification gateway allocates dynamic identification information, returns it to the identification management server, and at the same time establishes a mapping relationship; and the identification management server returns a redirection response to the client.
  • When the identification management server sends the dynamic identification request to the selected identification gateway, it sends the client's IP address and the service server identification along with it.
  • The identification gateway allocates the dynamic identification and establishes the mapping relationship between the client IP and the dynamic identification, or between the client IP, the dynamic identification, and the service server identification;
  • the dynamic identification is the IP address and port of the identification gateway, or the domain name and port of the identification gateway;
  • the service server identification is the IP address and port of the service server, or the domain name and port of the service server.
  • Based on the service identification in the service request and the dynamic identification, the identification management server replaces the host identification in the service identification with the dynamic identification, or inserts the dynamic identification into it, to generate a redirection service identification; the redirection service identification is carried in the redirection response and instructs the client to send its service request to the identification gateway. The host identification includes the client's IP address, or the client's IP address and the client's port.
  • S203 The client sends a service request to the identification gateway; the identification gateway converts the service request according to the mapping relationship and sends it to the service server, then converts the response received from the service server and sends it to the client.
  • After receiving the service request, the identification gateway looks up the mapping relationship by the source IP, destination IP, and destination port of the request message. If a corresponding mapping relationship is found, the service request is converted and sent to the service server; otherwise, access is denied or the request is directed to a predetermined system. Converting the service request means that the identification gateway replaces the destination IP and port of the request (the dynamic identification) with the IP and port corresponding to the service server identification in the mapping relationship, and replaces the source IP and port of the response (the service server identification) with the IP and port corresponding to the dynamic identification. Converting the service request further includes the identification gateway replacing the dynamic identification in the service identification carried by the request with the service server identification.
  • In summary, a client sends a domain name resolution request to a domain name server; the domain name server resolves the server domain name in the request to the IP address of an identification management server and returns that IP address to the client;
  • the client sends a service request including a service identification to the identification management server; the identification management server requests a dynamic identification from the identification gateway; the identification gateway allocates dynamic identification information, returns it to the identification management server, and establishes a mapping relationship; and the identification management server returns a redirection response to the client;
  • the client sends a service request to the identification gateway, and the identification gateway converts the service request according to the mapping relationship and sends it to the service server, then converts the response received from the service server and sends it to the client. By adding the identification management server and the identification gateway, the communication parameters that the server exposes to the client are changed randomly while the server's normal service is maintained, which increases the difficulty of attacking the server and thereby improves its security and service availability.
  • FIG. 3 shows a server security defense method provided by an embodiment of the present invention, which includes the following steps:
  • The service identification represents the Internet service resource that the user wants to access. It is generally described by a uniform resource locator and consists of a server identification and a content identification, for example www.example.com:80/news/top.xml, where "www.example.com:80" is the server identification, made up of the server domain name (www.example.com) and the port (80); the server domain name may also be given as the server's IP address, and the port may be omitted if the default port is used. "/news/top.xml" identifies the specific content provided by the service, and the combination uniquely identifies the service the user wants to access.
  • To access the service, the client must first perform DNS resolution to obtain the IP address corresponding to the server domain name (www.example.com), and then access the server at that IP address to obtain the service specified by the service identification.
  • In this embodiment, a server security defense method is provided.
  • The client uses the service identification to access the service, including the following steps:
  • S301 The client sends a domain name resolution request to the domain name server;
  • S302 The domain name server performs domain name resolution and returns a domain name query response.
  • The response returned by the domain name server to the client includes the IP address of at least one identification management server.
  • The IP address configured for the server domain name is not the real address of the server but the IP address of the identification management server. If there are multiple identification management servers in the network, multiple identification management servers can be configured for
  • The domain name server selects the IP address of at least one identification management server from the plurality of identification management servers according to a preset strategy and returns it to the client; in the embodiment of the present invention, the strategy includes: selecting the identification management server closest to the client according to the client's location information; or polling each identification management server in turn; or selecting the identification management server with the lighter load.
  • S303 The client sends a service request to the identification management server according to the result of the domain name resolution.
  • The service request includes the service identification.
  • The destination IP is the IP address of the identification management server resolved in step S302, and the destination port is the default or designated port of the service application.
  • The message includes the complete service identification.
  • S304 The identification management server extracts the client IP address and the server identification, selects an identification gateway, and sends a dynamic identification request to it;
  • the client IP address is extracted from the source IP address in the header of the service request IP packet, and the server identification is extracted from the service identification.
  • The identification management server selects at least one identification gateway from a plurality of identification gateways according to a preset strategy, which includes: selecting the identification gateway closest to the client according to the client's location information; or polling each identification gateway in turn; or selecting the identification gateway with the lighter load.
  • S305 The identification gateway selects a dynamic identification from the dynamic identification pool, establishes the mapping relationship between the client IP, the dynamic identification, and the server identification, and returns a dynamic identification query response carrying the selected dynamic identification;
  • the dynamic identification pool consists of the IP addresses and port numbers managed by the identification gateway, together with a protocol type;
  • that is, it consists of the IP address or IP address segment managed by the identification gateway, plus the port range and protocol type belonging to each IP address.
  • The IP address, or the IP addresses in the IP address segment, must be such that IP packets with these addresses as destination can be routed and forwarded by other network devices to the correct identification gateway.
  • The rule for selecting a dynamic identification is: select a dynamic identification from the pool that is not in use by any client, or one that is not in use by this client; that is, the mapping relationship can be uniquely determined by the client IP and the dynamic identification.
  • For example, an identification gateway manages the address segment 10.10.10.1-10.10.10.10, and each IP address has a port range of 0-65535. For security reasons, a range excluding the well-known ports is generally chosen, such as 1023-65535. The IP addresses in this segment, each with more than 60,000 ports, form a dynamic identification pool large enough to ensure the randomness of dynamic identification allocation.
  • For example, the client IP address is 20.20.20.20.
  • S306 The identification management server generates a redirection service identification and returns a redirection response to the client;
  • the redirection service identification is generated by replacing the service server identification in the service identification carried by the request message of step S304 with the dynamic identification. For example, in the service identification "www.example.com:80/news/top.xml", the server identification "www.example.com:80" is replaced with the dynamic identification "10.10.10.10:5000" to generate the redirection service identification "10.10.10.10:5000/news/top.xml".
  • S307 The client sends a service request to the identification gateway according to the redirection service identification;
  • the service request includes the redirection service identification.
  • The destination IP and port of the IP packet carrying the service request correspond to the IP address and port of the dynamic identification, respectively.
  • S308 The identification gateway extracts the client IP and the dynamic identification, looks up the mapping relationship, and performs the conversion operation. If no mapping relationship is found, the service request is rejected or directed to a predetermined system;
  • that is, the identification gateway extracts the client IP and the dynamic identification, looks up the mapping relationship, and converts the request based on it. If no mapping relationship is found, the access is considered illegal, and the service request is rejected or directed to a predetermined system, such as a honeypot system, which can further locate the illegal access.
  • The conversion operation specifically includes:
  • Operation 1: According to the server domain name in the server identification of the mapping relationship, resolve the server's IP address. The resolution may use DNS data stored or cached locally by the identification gateway, or request the result from a domain name server; for example, "www.example.com" resolves to "30.30.30.30".
  • Operation 2: Replace the dynamic identification carried in the destination IP address and port of the service request IP packet with the IP address and port of the server; for example, convert 10.10.10.10:5000 to 30.30.30.30:80.
  • Operation 3: Restore the host identification or the redirection service identification in the service request to the service identification.
  • The restoration replaces the identification gateway identification in the host identification with the service server identification, for example "10.10.10.10:5000" to "www.example.com:80"; or restores the identification gateway identification in the redirection service identification to the service server identification, for example "10.10.10.10:5000/news/top.xml" to "www.example.com:80/news/top.xml".
  • Alternatively, the identification gateway may resolve the server domain name to the server's IP address in step S308 (again using DNS data stored or cached locally by the identification gateway, or requesting the result from a domain name server) and replace the host domain name in the mapping relationship with the resolution result. For example, if the IP address corresponding to example.com is 30.30.30.30, the mapping relationship is expressed as (20.20.20.20, 10.10.10.10:5000, 30.30.30.30:80).
  • Two server identifications may be stored in the mapping relationship at the same time, such as (20.20.20.20, 10.10.10.10:5000, www.example.com:80, 30.30.30.30:80), using 30.30.30.30:80 in operation 1 and www.example.com:80 in operation 3 to improve efficiency.
  • A conversion table may further be established, containing the client IP and port, the dynamic identification, and the server identification including the server IP.
  • The client port is the local port selected by the client when establishing the connection with the server. For example, if the client selects port 1000, the forwarding relationship (20.20.20.20:1000, 10.10.10.10:5000, 30.30.30.30:80) is established, or a forwarding relationship that also includes the server identification in host domain name form: (20.20.20.20:1000, 10.10.10.10:5000, 30.30.30.30:80, www.example.com:80).
  • After the identification gateway receives the service request, it first searches the conversion table; if an entry is found, the request is converted according to the conversion table; otherwise it searches the mapping relationship, and if that is found, it builds the conversion table entry.
  • The client may select multiple ports to establish connections with the server for different service requests, and the identification gateway establishes multiple corresponding conversion relationships that all correspond to the same mapping relationship, which is convenient for management.
  • The domain name server used here is different from the domain name server mentioned above: it stores the relationship between the server domain name and the server IP address, is located in the secure zone, and serves only the identification gateway; the client cannot access it, which ensures the security of this domain name server.
  • S309 The destination address and port in the service response are the client IP address and port,
  • and the source address and port are the server IP address and port.
  • The identification gateway performs the conversion operation: according to the mapping relationship or the conversion relationship, the server IP address and port in the source address and port are replaced with the IP address and port of the dynamic identification, and the response is then sent to the client.
  • If no mapping relationship or conversion relationship corresponding to the response is found, access is denied, or it is directed to the predetermined system.
  • In summary, a client sends a domain name resolution request to a domain name server; the client sends a service request to an identification management server based on the result of the domain name resolution; the identification management server extracts the client IP address and the server identification, selects an identification gateway, and sends it a dynamic identification request; the identification gateway selects a dynamic identification from the dynamic identification pool, establishes the mapping relationship between the client IP, the dynamic identification, and the server identification, and returns a dynamic identification query response carrying the selected dynamic identification; and the identification management server generates a redirection service identification and returns a redirection response to the client.
  • The client sends a service request to the identification gateway according to the redirection service identification; the identification gateway extracts the client IP and the dynamic identification, looks up the mapping relationship, and performs the conversion operation; if no mapping relationship is found, the service request is rejected or directed to the predetermined system.
  • The service entrance accessed by the client thus changes dynamically and randomly, and each entrance can be accessed only by the designated client, which increases the difficulty of attacking the server and improves its security.
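The exchange of steps S303 to S309 above, as an added Python example that is not part of the patent: a dynamic identification pool over 10.10.10.1-10.10.10.10 and ports 1023-65535, the mapping relationship keyed by (client IP, dynamic IP, dynamic port), the redirection service identification, and the gateway's request and response conversion, with unmatched traffic steered to a placeholder "predetermined system". The class names, the gateway-side DNS cache, the default port of 80 and the "lighter load" gateway selection are assumptions made for the illustration.

```python
import ipaddress
import random
from dataclasses import dataclass, field

# Constructed sample values, taken from the worked example in the text above.
CLIENT_IP = "20.20.20.20"
SERVICE_ID = "www.example.com:80/news/top.xml"
PREDETERMINED_SYSTEM = "honeypot.example.internal"  # placeholder for the "predetermined system"


def split_service_id(service_id: str):
    """Split 'host:port/path' into the server identification and the content identification.
    An omitted port is taken as 80 (assumed default for this example)."""
    server_id, _, content = service_id.partition("/")
    if ":" not in server_id:
        server_id += ":80"
    return server_id, "/" + content


@dataclass
class IdentificationGateway:
    """Owns the dynamic identification pool and the mapping relationships (steps S305, S308, S309)."""
    name: str
    ip_range: tuple = ("10.10.10.1", "10.10.10.10")
    port_range: tuple = (1023, 65535)  # well-known ports excluded, as the text suggests
    # Gateway-side DNS (assumed local cache): server domain -> server IP
    dns: dict = field(default_factory=lambda: {"www.example.com": "30.30.30.30"})
    # (client IP, dynamic IP, dynamic port) -> (server id as domain:port, server id as IP:port)
    mappings: dict = field(default_factory=dict)
    rng: random.Random = field(default_factory=lambda: random.Random(7))  # seeded for reproducibility

    def allocate(self, client_ip: str, server_id: str) -> str:
        """S305: pick a (dynamic IP, port) not yet in use for this client and record the mapping."""
        lo, hi = (int(ipaddress.ip_address(a)) for a in self.ip_range)
        while True:
            dyn_ip = str(ipaddress.ip_address(self.rng.randint(lo, hi)))
            dyn_port = self.rng.randint(*self.port_range)
            if (client_ip, dyn_ip, dyn_port) not in self.mappings:
                break
        domain, port = server_id.rsplit(":", 1)
        # Operation 1 done eagerly: store both the domain form and the resolved IP form.
        self.mappings[(client_ip, dyn_ip, dyn_port)] = (server_id, f"{self.dns[domain]}:{port}")
        return f"{dyn_ip}:{dyn_port}"

    def forward_request(self, src_ip: str, dst_ip: str, dst_port: int, redirect_service_id: str):
        """S308: look up (source IP, destination IP, destination port); rewrite the request or deny."""
        entry = self.mappings.get((src_ip, dst_ip, dst_port))
        if entry is None:  # no mapping: illegal access, steered to the predetermined system
            return {"action": "deny", "redirect_to": PREDETERMINED_SYSTEM}
        server_id, server_ip_id = entry
        _, content = split_service_id(redirect_service_id)
        # Operation 2: destination becomes the real server; operation 3: service id restored.
        return {"action": "forward", "dst": server_ip_id, "service_id": server_id + content}

    def forward_response(self, src_ip: str, src_port: int, client_ip: str):
        """S309: put the dynamic id back as the source address of the server's response, or deny."""
        for (c_ip, dyn_ip, dyn_port), (_, server_ip_id) in self.mappings.items():
            if c_ip == client_ip and server_ip_id == f"{src_ip}:{src_port}":
                return {"action": "forward", "src": f"{dyn_ip}:{dyn_port}", "dst": client_ip}
        return {"action": "deny"}


class IdentificationManagementServer:
    """S304 and S306: choose a gateway, obtain a dynamic id, build the redirection service id."""

    def __init__(self, gateways):
        self.gateways = gateways

    def redirect_for(self, client_ip: str, service_id: str):
        server_id, content = split_service_id(service_id)
        gateway = min(self.gateways, key=lambda g: len(g.mappings))  # "lighter load" strategy
        dyn_id = gateway.allocate(client_ip, server_id)
        return dyn_id + content, gateway  # e.g. "10.10.10.10:5000/news/top.xml"


def run_example():
    ims = IdentificationManagementServer([IdentificationGateway("idg1"), IdentificationGateway("idg2")])
    # S303-S306: the client asks the management server and is redirected to a dynamic entrance.
    redirect_id, gw = ims.redirect_for(CLIENT_IP, SERVICE_ID)
    dyn_ip, dyn_port = split_service_id(redirect_id)[0].rsplit(":", 1)
    # S307-S308: the designated client reaches the gateway at that entrance and is forwarded.
    legit = gw.forward_request(CLIENT_IP, dyn_ip, int(dyn_port), redirect_id)
    # Another host using the same entrance has no mapping and is steered away.
    other = gw.forward_request("40.40.40.40", dyn_ip, int(dyn_port), redirect_id)
    # S309: the server's response gets its source rewritten back to the dynamic id.
    reply = gw.forward_response("30.30.30.30", 80, CLIENT_IP)
    return {"redirect": redirect_id, "legit": legit, "other": other, "reply": reply}


if __name__ == "__main__":
    for step, result in run_example().items():
        print(step, result)
```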
  • FIG. 4 shows a flowchart of a server security defense method provided by the present invention.
  • The client uses the service identification to access the service, including the following steps:
  • S401 The client sends a domain name resolution request to the domain name server;
  • S402 The domain name server performs domain name resolution and returns a domain name query response.
  • The response returned by the domain name server to the client includes the IP address of at least one identification management server.
  • The IP address configured for the server domain name is not the real address of the server but the IP address of the identification management server. If there are multiple identification management servers in the network, multiple identification management servers can be configured for
  • The domain name server selects the IP address of at least one identification management server from the plurality of identification management servers according to a preset strategy and returns it to the client; in the embodiment of the present invention, the strategy includes: selecting the identification management server closest to the client according to the client's location information; or polling each identification management server in turn; or selecting the identification management server with the lighter load.
  • S403 The client sends a service request to the identification management server according to the result of the domain name resolution.
  • The service request includes the service identification.
  • The destination IP is the IP address of the identification management server resolved in step 302, and the destination port is the default or designated port of the service application.
  • The message includes the complete service identification.
  • S404 The identification management server extracts the client IP address and the server identification, selects an identification gateway, and sends a dynamic identification request to it;
  • the client IP address is extracted from the source IP address in the header of the service request IP packet, and the server identification is extracted from the service identification.
  • The identification management server selects at least one identification gateway from a plurality of identification gateways according to a preset strategy, which includes: selecting the identification gateway closest to the client according to the client's location information; or polling each identification gateway in turn; or selecting the identification gateway with the lighter load.
  • the identification gateway selects a dynamic identification from the dynamic identification pool, establishes a mapping relationship between the client IP and the dynamic identification, obtains the corresponding identification gateway domain name, and returns a dynamic identification query response carrying the selected dynamic identification;
  • the dynamic identification pool consists of the IP addresses + port numbers managed by the identification gateway, together with a protocol type;
  • that is, the dynamic identification pool consists of the IP addresses, or IP address segment, managed by the identification gateway, plus the port range and protocol type belonging to each IP address;
  • each IP address, or each address in the IP address segment, must be routable, so that IP packets carrying one of these addresses as the destination address are forwarded by other network devices to the correct identification gateway;
  • for example, the identification gateway manages 10 IP addresses 10.10.10.1-10.10.10.10, whose corresponding domain names are idg1, idg2, ..., idg10;
  • the specific rule for dynamic identification selection is: select a dynamic identification from the pool that is not in use by any client, or one that is not in use by this client, so that the mapping relationship is uniquely determined by the client IP and the dynamic identification;
  • the domain name of the corresponding identification gateway is obtained at the same time; if the IP address 10.10.10.10 is selected, the domain name idg10 is obtained with it;
  • the identification gateway returns a dynamic identification query response;
  • the dynamic identification query response carries the dynamic identification, which includes the domain name of the identification gateway selected in step S305, for example idg10:5000.
  • the identification management server generates a redirect service identifier from the service identifier and the dynamic identification, and returns a redirect response to the client;
  • the specific generation method: the service server domain name is used as a subdomain of the identification gateway domain name to construct a new domain name, in the format "server domain name" + "." + "identification gateway domain name", such as www.example.com.idg10; the redirect service identifier is then "www.example.com.idg10:5000/news/top.xml".
  • S407 The client sends a domain name resolution request to the domain name server;
  • the request includes the host domain name extracted from the redirect service identifier, for example "www.example.com.idg10";
  • the domain name server performs domain name resolution and returns a domain name resolution response;
  • the domain name resolution response includes the identification gateway IP address corresponding to the domain name;
  • the domain name server resolves "www.example.com.idg10" to 10.10.10.10, which matches the IP of the dynamic identification generated by the identification gateway;
  • S409 The client sends a service request to the identification gateway according to the domain name resolution result;
  • the request includes the redirect service identifier; the destination IP and port of the service request are now the identification gateway IP address and port contained in the dynamic identification.
  • the identification gateway extracts the client IP address and the dynamic identification, looks up the mapping relationship, and performs the conversion operation;
  • specifically, the identification gateway extracts the client IP and the dynamic identification, looks up the mapping relationship, and performs the conversion operations according to it; if no mapping relationship is found, the access is considered illegal, and the service request is rejected or directed to a predetermined system, such as a honeypot system, which further locates the illegal access;
  • the specific conversion operations are:
  • Operation 1 Resolve the server's IP address from the server domain name in the server identifier of the mapping relationship; the resolution can use DNS data stored or cached locally by the identification gateway, or request the result from the domain name server; for example, "www.example.com" resolves to "30.30.30.30";
  • Operation 2 Replace the dynamic identification carried in the destination IP address and port of the service request IP packet with the IP address and port of the server, for example converting 10.10.10.10:5000 to 30.30.30.30:80;
  • Operation 3 Restore the redirect service identifier in the service request to the service identifier;
  • the restoration method replaces the identification gateway part of the redirect service identifier with the service server identifier, for example restoring "www.example.com.idg10" to "www.example.com".
  • S411 The service server returns a service response;
  • the destination address and port of the service response are the client IP address and port;
  • the source address and port are the server IP address and port;
  • the identification gateway performs the conversion operation: according to the mapping relationship or conversion relationship, the server IP address and port in the source address and port are replaced with the IP address and port of the dynamic identification, and the response is then sent to the client;
  • the server security defense method provided by this embodiment of the present invention changes the service entrance accessed by the client randomly and dynamically, and each entrance can only be accessed by its designated client, thereby increasing the difficulty of attacking the server and improving the server's security.
  • Fig. 6 shows a flowchart of a server security defense method provided by an embodiment of the present invention, which is applied in a server security defense system;
  • the system is shown in Fig. 5 and includes a client 501, a domain name server 502, an integrated identification gateway 503 and a service server 504; the integrated identification gateway 503 includes an identification management function 5031 and an identification gateway function 5032;
  • the method flow includes the following steps:
  • S601 The client sends a domain name query request to the domain name server;
  • the domain name server performs domain name resolution and returns a domain name query response;
  • the response includes the IP address of one or more integrated gateways;
  • multiple integrated gateways can be deployed in the network;
  • each integrated gateway can be configured with multiple IP addresses plus the port range belonging to each IP address, which together form a dynamic identification pool;
  • the IP address configured for the server domain name in the domain name server is the IP address of the integrated identification gateway, and one or more IP addresses can be configured according to the number of integrated identification gateways and the IP addresses they manage; the selection strategy includes: selecting, according to the client's location information, the identification gateway closest to the client; or polling each identification gateway in turn; or selecting the identification gateway with a lighter load.
  • S603 The client sends a service request, which includes the service identifier, to the integrated identification gateway according to the domain name resolution result;
  • the identification management function in the integrated identification gateway extracts the client identifier and the service server identifier, and requests a dynamic identification from the identification gateway function through an internal message;
  • the request includes the destination IP of the IP packet, that is, the integrated identification gateway IP address that the client selected from the domain name resolution result;
  • S605 The identification gateway function selects a dynamic identification from the dynamic identification pool, establishes a mapping relationship among the client IP, the dynamic identification and the server identifier, and returns the dynamic identification, or the port part of the dynamic identification, to the identification management server;
  • the identification management function replaces the port in the server identifier of the service identifier with the port of the dynamic identification, generates a redirect service identifier, and returns a redirect response to the client;
  • if port 5000 is selected in step S505, the identification gateway generates the redirect service identifier "www.example.com:5000/news/top.xml" from the service identifier "www.example.com:80/news/top.xml".
  • S607 The client sends a service request to the integrated identification gateway according to the redirect service identifier;
  • the service request includes the redirect service identifier;
  • the identification gateway function extracts the client IP and the dynamic identification, looks up the mapping relationship, and performs the conversion operations according to it; if no mapping relationship is found, access is denied or the service request is directed to the predetermined system;
  • the destination address and port of the service response are the client IP address and port;
  • the source address and port are the server IP address and port;
  • the identification gateway function performs the conversion operation: according to the mapping relationship or conversion relationship, the server IP address and port in the source address and port are replaced with the IP address and port of the dynamic identification, and the response is then sent to the client;
  • if no mapping relationship or conversion relationship corresponding to the response is found, the access is denied or the service request is directed to the predetermined system.
  • a client sends a domain name query request to the domain name server, the domain name server performs domain name resolution and returns a domain name query response, and the client sends a service request to the integrated identification gateway according to the domain name resolution result;
  • the identification management function in the integrated identification gateway extracts the client identifier and the service server identifier and requests a dynamic identification from the identification gateway function through an internal message; the identification gateway function selects a dynamic identification from the dynamic identification pool, establishes a mapping relationship among the client IP, the dynamic identification and the server identifier, and returns the dynamic identification, or the port part of the dynamic identification, to the identification management server;
  • the identification management function replaces the port in the server identifier of the service identifier with the port of the dynamic identification, generates a redirect service identifier, and returns a redirect response to the client;
  • the client sends a service request to the integrated identification gateway according to the redirect service identifier; the identification gateway extracts the client IP and the dynamic identification, finds the mapping relationship, and performs the conversion operation according to it; if no mapping relationship is found, access is denied or the service request is directed to the predetermined system; the service server then returns a service response;
  • the service entrance accessed by the client is thus changed randomly and dynamically, and each entrance can only be accessed by its designated client, thereby increasing the difficulty of attacking the server and improving the server's security.
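The separate-gateway flow (S403 to S412) and the integrated-gateway variant (S603 to S607) share the same core: a dynamic identification pool, a mapping keyed on client IP and dynamic identification, a redirect service identifier in one of the two formats given above, and a request/response rewrite that rejects any access without a mapping. The following Python model is an added illustration written for this page, not the applicant's code; the DNS table, the pool size, the port range and the client addresses are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed stand-in for the domain name server / the gateway's local DNS cache
# (Operation 1 resolves the service server domain name against it).
DNS_TABLE = {"www.example.com": "30.30.30.30"}

# One mapping entry: (client IP, dynamic identification) -> service server identifier.
Mapping = namedtuple("Mapping", "client_ip dyn_ip dyn_port server_id")

def split_service_id(service_id):
    """'www.example.com:80/news/top.xml' -> ('www.example.com', 80, '/news/top.xml')."""
    hostport, slash, path = service_id.partition("/")
    host, _, port = hostport.partition(":")
    return host, int(port) if port else 80, slash + path

def redirect_service_id(service_id, dynamic_id, integrated=False):
    """S406 / S606: the separate gateway makes the server domain a subdomain of the
    gateway domain ('www.example.com.idg10:5000/news/top.xml'); the integrated
    gateway only replaces the port ('www.example.com:5000/news/top.xml')."""
    host, _, path = split_service_id(service_id)
    gw_domain, _, gw_port = dynamic_id.partition(":")
    new_host = host if integrated else f"{host}.{gw_domain}"
    return f"{new_host}:{gw_port}{path}"

class IdentificationGateway:
    """Dynamic identification pool plus the (client IP, dynamic identification) mapping."""

    def __init__(self, first_ip, count, port_range, proto="tcp"):
        base = ipaddress.ip_address(first_ip)
        # Pool = managed IP addresses x port range x protocol type; domain names
        # idg1..idgN follow the text's example (10.10.10.1-10.10.10.10 -> idg1..idg10).
        self.domain_of = {str(base + i): f"idg{i + 1}" for i in range(count)}
        self.ip_of = {d: ip for ip, d in self.domain_of.items()}
        self.pool = [(ip, p, proto) for ip in self.domain_of for p in range(*port_range)]
        self.mappings = {}  # (client_ip, dyn_ip, dyn_port) -> Mapping

    def allocate(self, client_ip, server_id):
        """S405: prefer an identification unused by any client, else one unused by this
        client, so that (client IP, dynamic identification) selects exactly one mapping."""
        used_all = {k[1:] for k in self.mappings}
        used_mine = {k[1:] for k in self.mappings if k[0] == client_ip}
        free = ([(ip, p) for ip, p, _ in self.pool if (ip, p) not in used_all]
                or [(ip, p) for ip, p, _ in self.pool if (ip, p) not in used_mine])
        if not free:
            raise RuntimeError("dynamic identification pool exhausted")
        ip, port = free[0]
        self.mappings[(client_ip, ip, port)] = Mapping(client_ip, ip, port, server_id)
        return f"{self.domain_of[ip]}:{port}"  # e.g. 'idg10:5000'

    def resolve_redirect_host(self, host):
        """S408: 'www.example.com.idg10' resolves to the gateway IP behind 'idg10'."""
        return self.ip_of.get(host.rsplit(".", 1)[-1])

    def convert_request(self, client_ip, dst_ip, dst_port, redirect_id):
        """S410: no mapping for (client IP, dynamic identification) is illegal access,
        rejected here (None) or diverted to a predetermined system such as a honeypot."""
        m = self.mappings.get((client_ip, dst_ip, dst_port))
        if m is None:
            return None
        server_host, server_port, _ = split_service_id(m.server_id)
        _, _, path = split_service_id(redirect_id)
        # Operation 1: resolve the server IP; Operation 2: new destination IP/port;
        # Operation 3: restore the redirect service identifier to the service identifier.
        return DNS_TABLE[server_host], server_port, f"{m.server_id}{path}"

    def convert_response(self, client_ip, src_ip, src_port):
        """S412: rewrite the server's source IP/port back to this client's dynamic
        identification; a response with no mapping is dropped (None)."""
        for m in self.mappings.values():
            host, port, _ = split_service_id(m.server_id)
            if m.client_ip == client_ip and (DNS_TABLE.get(host), port) == (src_ip, src_port):
                return m.dyn_ip, m.dyn_port
        return None
```

A second client asking for the same service receives a different entrance, and a packet that reaches the gateway from an IP with no mapping is rejected even when it carries a valid-looking dynamic identification.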
  • This embodiment also provides a communication device, as shown in Fig. 7, which includes a processor 71, a memory 72 and a communication bus 73, wherein:
  • the communication bus 73 is used to implement connection and communication between the processor 71 and the memory 72;
  • the processor 71 is configured to execute one or more computer programs stored in the memory 72 to implement at least one step of the server security defense method of the first embodiment or the fifth embodiment.
  • This embodiment also provides a computer-readable storage medium, which includes volatile or non-volatile, removable or non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, computer program modules or other data).
  • Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other memory technology, CD-ROM (Compact Disc Read-Only Memory), digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by a computer.
  • the computer-readable storage medium of this embodiment can be used to store one or more computer programs, and the stored program or programs can be executed by a processor to implement at least one step of the server security defense method of the first embodiment or the fifth embodiment.
  • the client sends a domain name resolution request to the domain name server, and the domain name server resolves the server domain name in the request into the identification management server IP address and returns that IP address to the client;
  • the client sends a service request, which includes a service identifier, to the identification management server; the identification management server requests a dynamic identification from the identification gateway, and the identification gateway allocates the dynamic identification information and returns it to the identification management server, establishing a mapping relationship at the same time; the identification management server then returns a redirect response to the client;
  • the client sends a service request to the identification gateway, and the identification gateway converts the service request information according to the mapping relationship and sends it to the service server, and converts the response information received from the service server and sends it to the client.
  • the functional modules/units in the system and device can be implemented as software (which can be implemented by computer program code executable by a computing device), firmware, hardware, or an appropriate combination thereof;
  • the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, a physical component may have multiple functions, or a function or step may be executed cooperatively by several physical components;
  • some or all physical components can be implemented as software executed by a processor, such as a central processing unit, a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit;
  • communication media usually carry computer-readable instructions, data structures, computer program modules or other data in a modulated data signal such as a carrier wave or other transmission mechanism, and may include any information delivery medium. Therefore, the present invention is not limited to any specific combination of hardware and software.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a server security defense method and system, a communication device and a storage medium. The method comprises: a client sends a domain name resolution request to a domain name server, and the domain name server resolves a server domain name contained in the request information to an identification management server IP address and returns it to the client; the client sends a service request to the identification management server, the service request comprising a service identifier, the identification management server requests a dynamic identification from an identification gateway, the identification gateway allocates dynamic identification information, returns it to the identification management server and establishes a mapping relationship, and the identification management server returns a redirect response to the client; the client sends the service request to the identification gateway, and the identification gateway converts the service request information according to the mapping relationship and sends it to a service server, and converts the response information received from the service server and sends it to the client. In some implementations, the communication parameters of a server are modified randomly and dynamically to proactively protect a target server.
PCT/CN2020/110346 2019-09-25 2020-08-20 Procédé et système de défense de la sécurité d'un serveur, dispositif de communication et support d'enregistrement WO2021057348A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910913485.6 2019-09-25
CN201910913485.6A CN112565318A (zh) 2019-09-25 2019-09-25 一种服务器安全防御方法及系统、通信设备、存储介质

Publications (1)

Publication Number Publication Date
WO2021057348A1 true WO2021057348A1 (fr) 2021-04-01

Family

ID=75029483

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/110346 WO2021057348A1 (fr) 2019-09-25 2020-08-20 Procédé et système de défense de la sécurité d'un serveur, dispositif de communication et support d'enregistrement

Country Status (2)

Country Link
CN (1) CN112565318A (fr)
WO (1) WO2021057348A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115334150A (zh) * 2022-08-15 2022-11-11 北京分贝通科技有限公司 一种数据转发的方法、装置、系统、电子设备及介质

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113194076B (zh) * 2021-04-16 2023-04-21 中盈优创资讯科技有限公司 一种安全控制器及其实现方法
CN113873301A (zh) * 2021-09-22 2021-12-31 深圳市商汤科技有限公司 视频流的获取方法及装置、服务器和存储介质
CN113992382B (zh) * 2021-10-22 2024-04-05 北京京东振世信息技术有限公司 业务数据处理方法、装置、电子设备及存储介质
CN115396397B (zh) * 2022-04-13 2023-07-14 中国人民解放军国防科技大学 基于转发关系确定缓存域名系统服务范围的方法和装置

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102185859A (zh) * 2011-05-09 2011-09-14 北京艾普优计算机系统有限公司 计算机系统和数据交互方法
CN104378450A (zh) * 2013-08-12 2015-02-25 深圳市腾讯计算机系统有限公司 网络攻击的防护方法及装置
CN105391811A (zh) * 2014-08-29 2016-03-09 腾讯科技(深圳)有限公司 域名解析方法、应用服务器的访问方法及其终端
US10122630B1 (en) * 2014-08-15 2018-11-06 F5 Networks, Inc. Methods for network traffic presteering and devices thereof
CN109981803A (zh) * 2017-12-27 2019-07-05 中兴通讯股份有限公司 业务请求处理方法及装置

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115334150A (zh) * 2022-08-15 2022-11-11 北京分贝通科技有限公司 一种数据转发的方法、装置、系统、电子设备及介质
CN115334150B (zh) * 2022-08-15 2024-01-19 北京分贝通科技有限公司 一种数据转发的方法、装置、系统、电子设备及介质

Also Published As

Publication number Publication date
CN112565318A (zh) 2021-03-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20870038; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20870038; Country of ref document: EP; Kind code of ref document: A1)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 22/02/2023))
122 Ep: pct application non-entry in european phase (Ref document number: 20870038; Country of ref document: EP; Kind code of ref document: A1)