CN111510300A - Data processing method, device, equipment and computer readable storage medium - Google Patents

Info

Publication number
CN111510300A
Authority
CN
China
Prior art keywords
resource pool
data packet
target
target data
cloud resource
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010279788.XA
Other languages
Chinese (zh)
Other versions
CN111510300B (en
Inventor
李朝霞
李松悟
房秉毅
杨绍光
张辉
时文丰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Unicom Cloud Data Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Unicom Cloud Data Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd, Unicom Cloud Data Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202010279788.XA priority Critical patent/CN111510300B/en
Publication of CN111510300A publication Critical patent/CN111510300A/en
Application granted granted Critical
Publication of CN111510300B publication Critical patent/CN111510300B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a data processing method, apparatus, device and computer-readable storage medium. The method includes: acquiring and storing a network request packet sent by a terminal device; signing the network request packet with a preset security certificate to obtain a target data packet; and, when a preset trigger condition is met, sending the target data packet to the cloud resource pool where the target Internet Protocol address is located. Because the network request packet sent by the terminal device is transmitted only once the preset trigger condition is met, frequent requests to the cloud resource pool are avoided. In addition, because the network request packet is signed before it is transmitted, the cloud resource pool can subsequently verify the target data packet against that signature, which effectively protects the server from DDoS attacks and places only low requirements on the specification of the switches.

Description

Data processing method, apparatus, device, and computer-readable storage medium

Technical Field

The present invention relates to the field of the Internet, and in particular to a data processing method, apparatus, device, and computer-readable storage medium.

Background

In most current applications, maintaining efficient communication between client and server requires keeping the client online for long periods. For example, map applications and game applications that refresh page display data in real time need to keep the client online for a long time. However, a long-online application must send heartbeat messages frequently while interacting with the server. This increases the number of requests sent to the server, and such requests are easy to imitate, so the server becomes exposed to Distributed Denial of Service (DDoS) attacks. It also increases network traffic and easily causes network congestion, while the common approach of judging by how many times an IP address sends request packets leads to false positives, that is, legitimate traffic being blocked.

To solve the above problem, the prior art generally discards synchronization requests that come from the same IP address, in order to scrub traffic, reduce the high-volume traffic scrubbing needed at the server, and keep the server's service stable and normal.

However, this method can only intercept at the core switch and does not actually reduce traffic in the network. It also puts considerable pressure on the ingress switch, so Internet content providers that need cloud computing servers must deploy high-specification switches around them.

Summary of the Invention

The present invention provides a data processing method, apparatus, device and computer-readable storage medium to solve the technical problem that existing data processing methods place high requirements on equipment and cannot effectively reduce traffic in the network.

A first aspect of the present invention provides a data processing method, comprising:

acquiring and storing a network request packet sent by a terminal device, where the network request packet includes application process information, a target Internet Protocol address, and the identifier of the application server to be sent to;

signing the network request packet with a preset security certificate to obtain a target data packet;

when a preset trigger condition is met, sending the target data packet to the cloud resource pool where the target Internet Protocol address is located.

In one possible design, the signing of the network request packet with a preset security certificate to obtain a target data packet when a preset trigger condition is met includes:

if it is detected that the message length of the currently acquired network request packet exceeds a preset length threshold, sending the target data packet to the cloud resource pool where the target Internet Protocol address is located.

In one possible design, the signing of the network request packet with a preset security certificate to obtain a target data packet when a preset trigger condition is met includes:

if the time of currently acquiring the network request packet exceeds a preset time threshold, sending the target data packet to the cloud resource pool where the target Internet Protocol address is located.

In one possible design, the signing of the network request packet with a preset security certificate includes:

signing the network request packet with the security certificate in a preset SIM module.

A second aspect of the present invention provides a data processing method applied to a cloud resource pool, where the cloud resource pool includes an edge check node and a cloud resource pool border gateway, the method comprising:

acquiring a target data packet sent by a data processing apparatus, where the target data packet is sent by the data processing apparatus when a preset trigger condition is met, after the apparatus has signed a network request packet with a preset security certificate, and where the network request packet includes application process information, a target Internet Protocol address, and the identifier of the application server to be sent to;

verifying the signature of the target data packet at the edge check node;

when the verification passes, sending the target data packet to the cloud resource pool border gateway where the target Internet Protocol address is located.

In one possible design, after the signature of the target data packet is verified at the edge check node, the method further includes:

when the verification fails, sending the target data packet to a preset black hole route for processing.

In one possible design, after the target data packet is sent to the cloud resource pool border gateway where the target Internet Protocol address is located, the method further includes:

replacing, at the cloud resource pool border gateway, the target Internet Protocol address and target port number in the target data packet with a preset Internet Protocol address and port number.

In one possible design, after the target data packet is sent to the cloud resource pool border gateway where the target Internet Protocol address is located, the method further includes:

determining, at the cloud resource pool border gateway, the correspondence between the identifier of the channel that transmits the target data packet, the sequence number corresponding to the target data packet, the target Internet Protocol address, and the target port number;

sending the target data packet through the cloud resource pool border gateway to the application server to be sent to.

A third aspect of the present invention provides a data processing apparatus, comprising:

an acquisition module, configured to acquire and store a network request packet sent by a terminal device, where the network request packet includes application process information, a target Internet Protocol address, and the identifier of the application server to be sent to;

a signature module, configured to sign the network request packet with a preset security certificate to obtain a target data packet;

a sending module, configured to send the target data packet to the cloud resource pool where the target Internet Protocol address is located when a preset trigger condition is met.

A fourth aspect of the present invention provides a cloud resource pool, where the cloud resource pool includes an edge check node and a cloud resource pool border gateway, the cloud resource pool comprising:

a data packet acquisition module, configured to acquire a target data packet sent by a data processing apparatus, where the target data packet is sent by the data processing apparatus when a preset trigger condition is met, after the apparatus has signed a network request packet with a preset security certificate, and where the network request packet includes application process information, a target Internet Protocol address, and the identifier of the application server to be sent to;

a verification module, configured to verify the signature of the target data packet at the edge check node;

a processing module, configured to send the target data packet to the cloud resource pool border gateway where the target Internet Protocol address is located when the verification passes.

A fifth aspect of the present invention provides a data processing device, comprising: a memory and a processor;

the memory being used to store instructions executable by the processor;

wherein the processor is configured to execute the data processing method according to the first aspect or the second aspect.

A sixth aspect of the present invention provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the data processing method according to the first aspect or the second aspect.

With the data processing method, apparatus, device and computer-readable storage medium provided by the present invention, the network request packet sent by the terminal device is transmitted only once the preset trigger condition is met, so frequent requests to the cloud resource pool are avoided. In addition, because the network request packet is signed before it is transmitted, the cloud resource pool can subsequently verify the target data packet against that signature, which effectively protects the server from DDoS attacks and places only low requirements on the specification of the switches.

Brief Description of the Drawings

To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them.

FIG. 1 is a schematic diagram of the system architecture on which the present invention is based;

FIG. 2 is a schematic flowchart of the data processing method provided in Embodiment 1 of the present invention;

FIG. 3 is a schematic diagram of an application scenario provided by an embodiment of the present invention;

FIG. 4 is a structural diagram of a data processing apparatus provided by an embodiment of the present invention;

FIG. 5 is a schematic flowchart of the data processing method provided in Embodiment 2 of the present invention;

FIG. 6 is a schematic structural diagram of the data processing apparatus provided in Embodiment 3 of the present invention;

FIG. 7 is a schematic structural diagram of the cloud resource pool provided in Embodiment 4 of the present invention;

FIG. 8 is a schematic structural diagram of the data processing device provided in Embodiment 5 of the present invention.

Detailed Description

To make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained on the basis of the embodiments of the present invention fall within the protection scope of the present invention.

Glossary:

DDoS: A Distributed Denial of Service attack uses client/server technology to combine multiple computers into an attack platform that launches DDoS attacks on one or more targets, multiplying the power of a denial-of-service attack. Typically, an attacker uses a stolen account to install a DDoS master program on one computer; at a set time the master program communicates with a large number of agent programs that have already been installed on many computers on the network. The agents launch the attack when they receive the instruction. Using client/server technology, the master program can activate hundreds or thousands of agent runs within a few seconds.

Internet Protocol Address (IP address for short): an IP address is a unified address format provided by the IP protocol. It assigns a logical address to every network and every host on the Internet, thereby hiding the differences between physical addresses.

To address the technical problem mentioned above, that existing data processing methods place high requirements on equipment and cannot effectively reduce traffic in the network, the present invention provides a data processing method, apparatus, device and computer-readable storage medium.

It should be noted that the data processing method, apparatus, device and computer-readable storage medium provided by this application can be used in a variety of data transmission scenarios.

For example, this application can be applied in the field of games. If the game server cannot receive or process the data packets sent by the client in time, the user experiences screen freezes, delayed skill release and poor communication between players, and in severe cases the client is disconnected. The smooth game experience is lost, which seriously affects player experience and retention.

As another example, this application can be applied in the field of cloud computing. If some servers cannot receive or process the data packets sent by the client in time, the server's customers lose communication and cannot browse the relevant information, or web page data is not updated. In the securities industry, for instance, real-time changes in securities indices become invisible, which leads to investment mistakes. This greatly reduces the security and stability of cloud computing services and, with the resulting attrition, substantially reduces the operating profit of cloud computing enterprises.

To avoid DDoS attacks, in the prior art a server that receives a large volume of synchronization requests discards the synchronization requests that come from the same IP address, in order to reduce the data volume and keep the server running normally. However, this method can only intercept at the core switch and puts considerable pressure on the ingress switch, so Internet content providers that need cloud computing servers must deploy high-specification switches around them.

Therefore, in order to reduce the demands on equipment while also reducing the data volume, the inventors found during their research that different trigger conditions can be set in advance, and the network request packet is sent only when a trigger condition is met. This avoids frequent sending of network request packets.

The inventors further found that transmitting the network request packet sent by the terminal device only once the preset trigger condition is met avoids frequent requests to the cloud resource pool. In addition, because the network request packet is signed before it is transmitted, the cloud resource pool can subsequently verify the target data packet against that signature, which effectively protects the server from DDoS attacks.

FIG. 1 is a schematic diagram of the system architecture on which the present invention is based. As shown in FIG. 1, the system architecture includes at least a terminal device 1 and a data processing apparatus 2. The test apparatus 2 is written in a language such as C/C++, Java, Shell or Python; the terminal device 1 may be, for example, a desktop computer or a tablet computer. The terminal device 1 is communicatively connected to the data processing apparatus 2 and can therefore exchange information with it.

FIG. 2 is a schematic flowchart of the data processing method provided in Embodiment 1 of the present invention. As shown in FIG. 2, the method includes:

Step 101: acquire and store a network request packet sent by a terminal device, where the network request packet includes application process information, a target Internet Protocol address, and the identifier of the application server to be sent to.

The execution body of this embodiment is a data processing apparatus, which is communicatively connected to the terminal device and can therefore exchange information with it. The data processing apparatus may be installed in the terminal device or may be an apparatus independent of the terminal device.

In this embodiment, when application software installed on the terminal device needs to update its data, it can send a network request packet to the data processing apparatus. After acquiring the network request packet, the data processing apparatus does not have to forward it immediately. It can store the packet temporarily and send it once the stored network request packet meets a preset condition. The network request packet includes application process information, a target Internet Protocol address, and the identifier of the application server to be sent to.

Specifically, the terminal device sends the network request packet after signing it with the security certificate preset on the terminal. After acquiring the network request packet, the data processing apparatus therefore first verifies it, and stores it only after the verification passes.

Step 102: sign the network request packet with a preset security certificate to obtain a target data packet.

In this embodiment, after the network request packet sent by the terminal device has been acquired and stored, it is signed with a preset security certificate to obtain the target data packet to be transmitted.

Specifically, the network request packet can be signed with the security certificate in a preset SIM module. If the data processing apparatus is installed on a terminal device such as a mobile phone, the signing can be done by the phone's own SIM card module. If the data processing apparatus is installed on a terminal device such as a computer, which has no SIM module, a SIM module must first be provided on the terminal device, and the signing is then done through that SIM card module.

Step 103: when a preset trigger condition is met, send the target data packet to the cloud resource pool where the target Internet Protocol address is located.

In this embodiment, it is determined whether the currently acquired target data packet meets the preset trigger condition. When the trigger condition is met, the data processing apparatus sends the target data packet to the cloud resource pool where the target Internet Protocol address is located. The cloud resource pool can then forward the target data packet to the application server identified by the identifier of the application server to be sent to.

FIG. 3 is a schematic diagram of an application scenario provided by an embodiment of the present invention. As shown in FIG. 3, when a user browses a page in application software, pulling down refreshes the page. In response to this refresh operation, the terminal device sends a network request packet to the data processing apparatus and refreshes the page according to the data returned by the server. The page may be, for example, a weather information page, where the user pulls down to obtain the latest weather.

FIG. 4 is a structural diagram of a data processing apparatus provided by an embodiment of the present invention. As shown in FIG. 4, the solid lines represent the structure of an existing data processing apparatus, comprising the application layer, Socket abstraction layer, transport layer, network layer and link layer; the dotted lines represent the modules added by the present invention, comprising an encryption module and an interception module. The application layer obtains the network request packet triggered by the user. After receiving the network request packet from the application layer, the encryption module encrypts it through the SIM module. The interception module stores the encrypted target data packet and, when the preset trigger condition is met, sends it to the hardware interface in the link layer, which sends the target data packet to the cloud resource pool over the transmission medium.

Further, on the basis of Embodiment 1, step 103 specifically includes:

If it is detected that the packet length of the currently acquired network request packet exceeds a preset length threshold, sending the target data packet to the cloud resource pool where the target Internet Protocol address is located.

In this embodiment, the preset trigger condition may be that the packet length exceeds a preset length threshold. If it is detected that the packet length of the currently acquired network request packet exceeds the preset length threshold, the target data packet is sent to the cloud resource pool where the target Internet Protocol address is located. This effectively avoids the service pressure caused by sending target data packets too frequently. The length threshold may be a default empirical value or may be set by the user according to actual needs; the present invention does not limit this.

Further, on the basis of Embodiment 1, step 103 specifically includes:

If the time of currently acquiring the network request packet exceeds a preset time threshold, sending the target data packet to the cloud resource pool where the target Internet Protocol address is located.

In this embodiment, the preset trigger condition may be that the time of acquiring the network request packet exceeds a preset time threshold. If the time of currently acquiring the network request packet exceeds the preset time threshold, the network request packet is signed with the preset security certificate to obtain the target data packet. This effectively avoids the service pressure caused by sending target data packets too frequently. The time threshold may be a default empirical value or may be set by the user according to actual needs; the present invention does not limit this.

The data processing method provided by this embodiment transmits the network request packet only when the acquired network request packet sent by the terminal device satisfies the preset trigger condition, which avoids sending requests to the cloud resource pool too frequently. In addition, because the network request packet is signed before it is transmitted, the cloud resource pool can later verify the target data packet against that signature, which effectively protects the server from DDoS attacks.
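The store-then-release behaviour of this embodiment, as an added Go sketch that is not code from the patent. Assumptions: Ed25519 stands in for the certificate key held in the SIM module, the time threshold is measured from the oldest stored packet (one reading of the text), and the names `Interceptor`, `Acquire` and `ReleaseCounts` and the threshold values are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// TargetPacket is a network request packet plus its signature.
type TargetPacket struct {
	Request []byte
	Sig     []byte
}

// Interceptor plays the role of the signing and interception modules: every
// request is signed and stored, and stored packets leave only on a trigger.
type Interceptor struct {
	key     ed25519.PrivateKey // assumption: stands in for the SIM-held certificate key
	maxLen  int                // preset length threshold, in bytes
	maxWait time.Duration      // preset time threshold
	held    []TargetPacket
	since   time.Time // arrival time of the oldest stored packet
}

func NewInterceptor(seed []byte, maxLen int, maxWait time.Duration) *Interceptor {
	return &Interceptor{key: ed25519.NewKeyFromSeed(seed), maxLen: maxLen, maxWait: maxWait}
}

// PublicKey is what the cloud resource pool would use to verify packets.
func (i *Interceptor) PublicKey() ed25519.PublicKey {
	return i.key.Public().(ed25519.PublicKey)
}

// Acquire signs and stores req, then returns the packets to transmit now.
// It returns nil while neither trigger condition is met.
func (i *Interceptor) Acquire(req []byte, now time.Time) []TargetPacket {
	if len(i.held) == 0 {
		i.since = now
	}
	i.held = append(i.held, TargetPacket{Request: req, Sig: ed25519.Sign(i.key, req)})

	lengthHit := len(req) > i.maxLen        // current packet exceeds the length threshold
	timeHit := now.Sub(i.since) > i.maxWait // waited longer than the time threshold
	if !lengthHit && !timeHit {
		return nil
	}
	out := i.held
	i.held = nil
	return out
}

// ReleaseCounts feeds four constructed requests through an interceptor and
// reports how many packets were released at each step, and whether every
// released packet carries a valid signature.
func ReleaseCounts() ([]int, bool) {
	seed := make([]byte, ed25519.SeedSize) // constructed all-zero test seed
	ic := NewInterceptor(seed, 64, 2*time.Second)
	t0 := time.Date(2020, 4, 10, 0, 0, 0, 0, time.UTC)
	steps := []struct {
		size  int
		after time.Duration
	}{
		{10, 0},                        // stored
		{10, 1 * time.Second},          // stored
		{10, 3 * time.Second},          // time threshold exceeded: batch released
		{100, 3500 * time.Millisecond}, // length threshold exceeded: released at once
	}
	var counts []int
	valid := true
	for _, s := range steps {
		out := ic.Acquire(make([]byte, s.size), t0.Add(s.after))
		counts = append(counts, len(out))
		for _, p := range out {
			valid = valid && ed25519.Verify(ic.PublicKey(), p.Request, p.Sig)
		}
	}
	return counts, valid
}

func main() {
	counts, valid := ReleaseCounts()
	fmt.Println(counts, valid)
}
```

Passing the clock in as a parameter keeps the trigger logic deterministic and testable without sleeping.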

FIG. 5 is a schematic flowchart of a data processing method according to Embodiment 2 of the present invention. As shown in FIG. 5, the method includes:

Step 201: acquiring a target data packet sent by a data processing apparatus, where the target data packet is sent by the data processing apparatus, after it has signed a network request packet with a preset security certificate, when a preset trigger condition is satisfied, and where the network request packet includes application process information, a target Internet Protocol address, and an identifier of the application server to be sent to;

Step 202: verifying the signature of the target data packet through the edge inspection node;

Step 203: when the verification passes, sending the target data packet to the cloud resource pool border gateway where the target Internet Protocol address is located.

Further, on the basis of Embodiment 2, after step 202, the method also includes:

When the verification fails, sending the target data packet to a preset black hole route for processing.

This embodiment is executed by the cloud resource pool, which is communicatively connected to the data processing apparatus and can therefore exchange information with it. The cloud resource pool may specifically include an edge inspection node and a cloud resource pool border gateway.

In this embodiment, the cloud resource pool may acquire the target data packet sent by the data processing apparatus. The target data packet is sent by the data processing apparatus, after it has signed the network request packet with a preset security certificate, when a preset trigger condition is satisfied. The network request packet includes application process information, a target Internet Protocol address, and an identifier of the application server to be sent to.

After the target data packet sent by the data processing apparatus is acquired, its legitimacy needs to be verified so that the application server to be sent to is not subjected to a DDoS attack. Specifically, the signature of the target data packet can be verified with the preset security certificate. When the verification passes, the target data packet can be sent to the cloud resource pool border gateway where the target Internet Protocol address is located. Correspondingly, when the verification fails, the target data packet can be sent to a preset black hole route for processing in order to keep the server secure.

Further, on the basis of Embodiment 2, the method further includes:

Replacing, through the cloud resource pool border gateway, the target Internet Protocol address and target port number in the target data packet with a preset Internet Protocol address and port number.

In this embodiment, the cloud resource pool may also replace, through the cloud resource pool gateway, the target Internet Protocol address and target port number in the target data packet with a preset Internet Protocol address and port number. This prevents the service of the long application from sending the response to a sub-message directly to the terminal device instead of sending it through the special message-sending channel established by the data processing apparatus.

Further, on the basis of Embodiment 2, after step 203, the method also includes:

Determining, through the cloud resource pool border gateway, the correspondence between the identifier of the channel transmitting the target data packet, the sequence number corresponding to the target data packet, the target Internet Protocol address, and the target port number;

Sending the target data packet to the application server to be sent to through the cloud resource pool border gateway.

In this embodiment, the cloud resource pool may also determine, through the cloud resource pool border gateway, the correspondence between the identifier of the channel transmitting the target data packet, the sequence number corresponding to the target data packet, the target Internet Protocol address, and the target port number, and then send the target data packet to the application server to be sent to through the cloud resource pool border gateway. In this way, after the application server to be sent to returns the response packet of the sub-message, the destination address and destination port number of the response packet can be replaced back.

The data processing method provided by this embodiment verifies the target data packet sent by the data processing apparatus and handles the packet according to the verification result, sending suspected attack data to a preset black hole route for processing, which effectively protects the server from DDoS attacks.
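The cloud-side flow of Embodiment 2 (verify at the edge inspection node, black-hole on failure, rewrite the destination at the border gateway, and restore it on the response), as an added Go sketch that is not code from the patent. Assumptions: Ed25519 stands in for certificate-based signing, the packet layout, the `DeviceID` field and all type and function names are hypothetical, and the addresses and key are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Packet is a hypothetical layout for the "target data packet".
type Packet struct {
	DeviceID  string // which device's certificate signed it (assumed field)
	ChannelID uint32 // channel the packet arrived on
	Seq       uint32 // sequence number of the packet
	DstIP     string // target Internet Protocol address
	DstPort   uint16 // target port number
	AppServer string // identifier of the application server to be sent to
	Payload   []byte
	Sig       []byte
}

// signingInput is the byte string covered by the signature: every field except Sig.
func signingInput(p Packet) []byte {
	return []byte(fmt.Sprintf("%q|%d|%d|%q|%d|%q|%x",
		p.DeviceID, p.ChannelID, p.Seq, p.DstIP, p.DstPort, p.AppServer, p.Payload))
}

// Sign is what the data processing apparatus does before sending.
func Sign(priv ed25519.PrivateKey, p Packet) Packet {
	p.Sig = ed25519.Sign(priv, signingInput(p))
	return p
}

// EdgeNode is the edge inspection node: it holds only public keys.
type EdgeNode struct {
	Trusted    map[string]ed25519.PublicKey
	Blackholed int // packets handed to the black hole route
}

// Check returns true if the packet may go on to the border gateway.
func (e *EdgeNode) Check(p Packet) bool {
	pub, ok := e.Trusted[p.DeviceID]
	if !ok || !ed25519.Verify(pub, signingInput(p), p.Sig) {
		e.Blackholed++ // unknown signer or bad signature: discard
		return false
	}
	return true
}

type flowKey struct{ Channel, Seq uint32 }
type endpoint struct {
	IP   string
	Port uint16
}

// BorderGateway rewrites the destination and remembers the original one.
type BorderGateway struct {
	Preset endpoint
	flows  map[flowKey]endpoint
}

// Forward records (channel, seq) -> original target, then substitutes the preset address.
func (g *BorderGateway) Forward(p Packet) Packet {
	g.flows[flowKey{p.ChannelID, p.Seq}] = endpoint{p.DstIP, p.DstPort}
	p.DstIP, p.DstPort = g.Preset.IP, g.Preset.Port
	return p
}

// Restore puts the recorded address back on the matching response.
func (g *BorderGateway) Restore(resp Packet) (Packet, bool) {
	k := flowKey{resp.ChannelID, resp.Seq}
	orig, ok := g.flows[k]
	if !ok {
		return resp, false // no such request went through this gateway
	}
	delete(g.flows, k)
	resp.DstIP, resp.DstPort = orig.IP, orig.Port
	return resp, true
}

// RunDemo pushes three constructed packets through the pool.
func RunDemo() (forwarded, blackholed int, inner, restored string) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed test key
	edge := &EdgeNode{Trusted: map[string]ed25519.PublicKey{"dev-1": priv.Public().(ed25519.PublicKey)}}
	gw := &BorderGateway{Preset: endpoint{"10.0.0.5", 8080}, flows: map[flowKey]endpoint{}}

	good := Sign(priv, Packet{DeviceID: "dev-1", ChannelID: 7, Seq: 1, DstIP: "203.0.113.10",
		DstPort: 443, AppServer: "weather", Payload: []byte("refresh")})
	tampered := good
	tampered.AppServer = "billing" // field changed after signing
	unknown := good
	unknown.DeviceID = "dev-9" // no registered key

	for _, p := range []Packet{good, tampered, unknown} {
		if !edge.Check(p) {
			continue
		}
		forwarded++
		out := gw.Forward(p)
		inner = fmt.Sprintf("%s:%d", out.DstIP, out.DstPort)
		resp, _ := gw.Restore(Packet{ChannelID: out.ChannelID, Seq: out.Seq})
		restored = fmt.Sprintf("%s:%d", resp.DstIP, resp.DstPort)
	}
	return forwarded, edge.Blackholed, inner, restored
}

func main() {
	f, b, in, re := RunDemo()
	fmt.Println(f, b, in, re)
}
```

In this sketch the signature covers the header fields as well as the payload, so verification has to happen before the gateway rewrites the destination; checking after the rewrite would reject every legitimate packet.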

FIG. 6 is a schematic structural diagram of a data processing apparatus provided in Embodiment 3 of the present invention. As shown in FIG. 6, the apparatus includes an acquisition module 31, a signature module 32, and a sending module 33. The acquisition module 31 is configured to acquire and store a network request packet sent by a terminal device, where the network request packet includes application process information, a target Internet Protocol address, and an identifier of the application server to be sent to. The signature module 32 is configured to sign the network request packet with a preset security certificate to obtain a target data packet. The sending module 33 is configured to send the target data packet to the cloud resource pool where the target Internet Protocol address is located when a preset trigger condition is satisfied.

Further, on the basis of Embodiment 3, the sending module 33 is specifically configured to:

If it is detected that the packet length of the currently acquired network request packet exceeds a preset length threshold, send the target data packet to the cloud resource pool where the target Internet Protocol address is located.

Further, on the basis of Embodiment 3, the sending module 33 is specifically configured to:

If the time of currently acquiring the network request packet exceeds a preset time threshold, send the target data packet to the cloud resource pool where the target Internet Protocol address is located.

Further, on the basis of Embodiment 3, the signature module 32 is specifically configured to:

Sign the network request packet with the security certificate in a preset SIM module.

The data processing apparatus provided by this embodiment transmits the network request packet only when the acquired network request packet sent by the terminal device satisfies the preset trigger condition, which avoids sending requests to the cloud resource pool too frequently. In addition, because the network request packet is signed before it is transmitted, the cloud resource pool can later verify the target data packet against that signature, which effectively protects the server from DDoS attacks.

FIG. 7 is a schematic structural diagram of a cloud resource pool according to Embodiment 4 of the present invention. As shown in FIG. 7, the cloud resource pool includes an edge inspection node and a cloud resource pool border gateway, and comprises a data packet acquisition module 41, a verification module 42, and a processing module 43. The data packet acquisition module 41 is configured to acquire a target data packet sent by a data processing apparatus, where the target data packet is sent by the data processing apparatus, after it has signed a network request packet with a preset security certificate, when a preset trigger condition is satisfied, and where the network request packet includes application process information, a target Internet Protocol address, and an identifier of the application server to be sent to. The verification module 42 is configured to verify the signature of the target data packet through the edge inspection node. The processing module 43 is configured to send the target data packet to the cloud resource pool border gateway where the target Internet Protocol address is located when the verification passes.

Further, on the basis of Embodiment 4, the processing module 43 is also configured to:

When the verification fails, send the target data packet to a preset black hole route for processing.

Further, on the basis of Embodiment 4, the apparatus further includes:

A replacement module, configured to replace, through the cloud resource pool border gateway, the target Internet Protocol address and target port number in the target data packet with a preset Internet Protocol address and port number.

Further, on the basis of Embodiment 4, the apparatus further includes:

A determining module, configured to determine, through the cloud resource pool border gateway, the correspondence between the identifier of the channel transmitting the target data packet, the sequence number corresponding to the target data packet, the target Internet Protocol address, and the target port number;

A forwarding module, configured to send the target data packet to the application server to be sent to through the cloud resource pool border gateway.

FIG. 8 is a schematic structural diagram of a data processing device according to Embodiment 5 of the present invention. As shown in FIG. 8, the data processing device includes a memory 51 and a processor 52;

The memory 51 is configured to store instructions executable by the processor 52;

The processor 52 is configured to execute the data processing method according to any one of the above embodiments.

The memory 51 is used to store programs. Specifically, a program may include program code, and the program code includes computer operation instructions. The memory 51 may include high-speed RAM, and may also include non-volatile memory, such as at least one disk memory.

The processor 52 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.

Optionally, in a specific implementation, if the memory 51 and the processor 52 are implemented independently, they may be connected to each other and communicate through a bus. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is drawn in FIG. 8, but this does not mean that there is only one bus or one type of bus.

Optionally, in a specific implementation, if the memory 51 and the processor 52 are integrated on one chip, they can communicate with each other through an internal interface.

The present invention further provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the data processing method according to any one of the foregoing embodiments.

Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the apparatus described above may be found in the corresponding process of the foregoing method embodiments, and is not repeated here.

Those of ordinary skill in the art can understand that all or part of the steps of the above method embodiments may be completed by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium. When executed, the program performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical disks, and other media that can store program code.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (12)

1. A data processing method, characterized by comprising:
acquiring and storing a network request packet sent by a terminal device, wherein the network request packet includes application process information, a target Internet Protocol address, and an identifier of the application server to be sent to;
signing the network request packet with a preset security certificate to obtain a target data packet;
when a preset trigger condition is satisfied, sending the target data packet to the cloud resource pool where the target Internet Protocol address is located.

2. The method according to claim 1, characterized in that sending the target data packet to the cloud resource pool where the target Internet Protocol address is located when a preset trigger condition is satisfied comprises:
if it is detected that the packet length of the currently acquired network request packet exceeds a preset length threshold, sending the target data packet to the cloud resource pool where the target Internet Protocol address is located.

3. The method according to claim 1, characterized in that sending the target data packet to the cloud resource pool where the target Internet Protocol address is located when a preset trigger condition is satisfied comprises:
if the time of currently acquiring the network request packet exceeds a preset time threshold, sending the target data packet to the cloud resource pool where the target Internet Protocol address is located.

4. The method according to any one of claims 1-3, characterized in that signing the network request packet with a preset security certificate comprises:
signing the network request packet with the security certificate in a preset SIM module.

5. A data processing method, characterized in that it is applied to a cloud resource pool, the cloud resource pool including an edge inspection node and a cloud resource pool border gateway, the method comprising:
acquiring a target data packet sent by a data processing apparatus, wherein the target data packet is sent by the data processing apparatus, after it has signed a network request packet with a preset security certificate, when a preset trigger condition is satisfied, and wherein the network request packet includes application process information, a target Internet Protocol address, and an identifier of the application server to be sent to;
verifying the signature of the target data packet through the edge inspection node;
when the verification passes, sending the target data packet to the cloud resource pool border gateway where the target Internet Protocol address is located.

6. The method according to claim 5, characterized in that, after verifying the signature of the target data packet through the edge inspection node, the method further comprises:
when the verification fails, sending the target data packet to a preset black hole route for processing.

7. The method according to any one of claims 5-6, characterized in that the method further comprises:
replacing, through the cloud resource pool border gateway, the target Internet Protocol address and target port number in the target data packet with a preset Internet Protocol address and port number.

8. The method according to any one of claims 5-6, characterized in that, after sending the target data packet to the cloud resource pool border gateway where the target Internet Protocol address is located, the method further comprises:
determining, through the cloud resource pool border gateway, the correspondence between the identifier of the channel transmitting the target data packet, the sequence number corresponding to the target data packet, the target Internet Protocol address, and the target port number;
sending the target data packet to the application server to be sent to through the cloud resource pool border gateway.

9. A data processing apparatus, characterized by comprising:
an acquisition module, configured to acquire and store a network request packet sent by a terminal device, wherein the network request packet includes application process information, a target Internet Protocol address, and an identifier of the application server to be sent to;
a signature module, configured to sign the network request packet with a preset security certificate to obtain a target data packet;
a sending module, configured to send the target data packet to the cloud resource pool where the target Internet Protocol address is located when a preset trigger condition is satisfied.

10. A cloud resource pool, characterized in that the cloud resource pool includes an edge inspection node and a cloud resource pool border gateway, and the cloud resource pool comprises:
a data packet acquisition module, configured to acquire a target data packet sent by a data processing apparatus, wherein the target data packet is sent by the data processing apparatus, after it has signed a network request packet with a preset security certificate, when a preset trigger condition is satisfied, and wherein the network request packet includes application process information, a target Internet Protocol address, and an identifier of the application server to be sent to;
a verification module, configured to verify the signature of the target data packet through the edge inspection node;
a processing module, configured to send the target data packet to the cloud resource pool border gateway where the target Internet Protocol address is located when the verification passes.

11. A data processing device, characterized by comprising: a memory and a processor;
the memory being configured to store instructions executable by the processor;
wherein the processor is configured to execute the data processing method according to any one of claims 1-4 or 5-8.

12. A computer-readable storage medium, characterized in that computer-executable instructions are stored in the computer-readable storage medium, and the computer-executable instructions, when executed by a processor, implement the data processing method according to any one of claims 1-4 or 5-8.
CN202010279788.XA 2020-04-10 2020-04-10 Data processing method, device, equipment and computer readable storage medium Active CN111510300B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010279788.XA CN111510300B (en) 2020-04-10 2020-04-10 Data processing method, device, equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010279788.XA CN111510300B (en) 2020-04-10 2020-04-10 Data processing method, device, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN111510300A true CN111510300A (en) 2020-08-07
CN111510300B CN111510300B (en) 2023-04-18

Family

ID=71864790

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010279788.XA Active CN111510300B (en) 2020-04-10 2020-04-10 Data processing method, device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN111510300B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115514501A (en) * 2021-06-03 2022-12-23 中国移动通信集团四川有限公司 Method and device for blocking network attack

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010011206A (en) * 2008-06-27 2010-01-14 Mitsubishi Electric Corp Gateway device and packet filtering method
CN101635715A (en) * 2009-05-31 2010-01-27 北京飞天诚信科技有限公司 Method and system for improving network application safety
CN104980354A (en) * 2015-06-26 2015-10-14 中国科学院大学 Data transmission processing method and device
WO2015174100A1 (en) * 2014-05-14 2015-11-19 学校法人東京電機大学 Packet transfer device, packet transfer system, and packet transfer method
WO2016107339A1 (en) * 2014-12-30 2016-07-07 北京奇虎科技有限公司 Method and device for transmitting message in batch
WO2018049887A1 (en) * 2016-09-14 2018-03-22 广东欧珀移动通信有限公司 Data transmission processing method and terminal device
CN108965230A (en) * 2018-05-09 2018-12-07 深圳市中信网安认证有限公司 A kind of safety communicating method, system and terminal device
US20190245697A1 (en) * 2018-02-05 2019-08-08 Nokia Technologies Oy Securing blockchain access through a gateway

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010011206A (en) * 2008-06-27 2010-01-14 Mitsubishi Electric Corp Gateway device and packet filtering method
CN101635715A (en) * 2009-05-31 2010-01-27 北京飞天诚信科技有限公司 Method and system for improving network application safety
WO2015174100A1 (en) * 2014-05-14 2015-11-19 学校法人東京電機大学 Packet transfer device, packet transfer system, and packet transfer method
WO2016107339A1 (en) * 2014-12-30 2016-07-07 北京奇虎科技有限公司 Method and device for transmitting message in batch
CN104980354A (en) * 2015-06-26 2015-10-14 中国科学院大学 Data transmission processing method and device
WO2018049887A1 (en) * 2016-09-14 2018-03-22 广东欧珀移动通信有限公司 Data transmission processing method and terminal device
US20190245697A1 (en) * 2018-02-05 2019-08-08 Nokia Technologies Oy Securing blockchain access through a gateway
CN108965230A (en) * 2018-05-09 2018-12-07 深圳市中信网安认证有限公司 A kind of safety communicating method, system and terminal device

Also Published As

Publication number Publication date
CN111510300B (en) 2023-04-18

Similar Documents

Publication Publication Date Title
US11019383B2 (en) Internet anti-attack method and authentication server
US10270792B1 (en) Methods for detecting malicious smart bots to improve network security and devices thereof
US10097530B2 (en) Security authentication method and bidirectional forwarding detection BFD device
CN105516186B (en) A method and server for preventing replay attacks
WO2023005773A1 (en) Message forwarding method and apparatus based on remote direct data storage, and network card and device
US9749354B1 (en) Establishing and transferring connections
JP2018528679A (en) Device and method for establishing a connection in a load balancing system
CN103931162B (en) Service processing method and network device
CN107800723A (en) CC attack guarding methods and equipment
CN115314231A (en) Network attack information processing method and device, electronic equipment and storage medium
CN102404326A (en) Method, system and device for validating safety of messages
CN111510300B (en) Data processing method, device, equipment and computer readable storage medium
CN113873057B (en) Data processing methods and devices
CN112491836B (en) Communication system, method, device and electronic equipment
US11496438B1 (en) Methods for improved network security using asymmetric traffic delivery and devices thereof
CN105933298B (en) Apparatus and method for performing Transmission Control Protocol handshake
CN115987536A (en) Message source address identification method and device
CN113986578A (en) Message checking method and first equipment
CN114969730A (en) Page display method and device, electronic equipment and computer storage medium
WO2025010980A1 (en) Link tracing method and device
CN108833418B (en) Method, device and system for defending attack
CN108462672A (en) A kind of authentication protection method and system of reply network attack
CN117375857A (en) A message processing method, device, system and related equipment
CN114978590A (en) API (application program interface) security protection method and device and readable storage medium
CN110035041B (en) Method and equipment for identifying application attack source

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant