CN116366323A - Network target range scene isolated access method and system based on dynamic domain name - Google Patents
- Publication number
- CN116366323A (application CN202310297692.XA; granted as CN116366323B)
- Authority
- CN
- China
- Prior art keywords
- address
- domain name
- access
- target machine
- scene
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H04L (Transmission of digital information, e.g. telegraphic communication):
  - H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP address or URL (under H04L63/00 network security architectures and protocols; H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 filtering policies)
  - H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L12/00 data switching networks; H04L12/28 networks characterised by path configuration, e.g. LAN or WAN; H04L12/46 interconnection of networks)
  - H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network (under H04L41/00 maintenance, administration or management of data switching networks; H04L41/14 network analysis or design)
- Y02D (Climate change mitigation technologies in ICT, i.e. ICT aiming at the reduction of its own energy use):
  - Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D30/00 reducing energy consumption in communication networks)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Technical field
The invention relates to a method and system for isolated access to cyber range scenes based on dynamic domain names, and belongs to the technical field of network security.
Background
A cyber range is a test platform that uses virtualization to simulate a realistic cyberspace attack-and-defense environment; it supports research into operational capability and the validation of tools and equipment. To serve that purpose, the training or validation process needs an isolated environment for each scene and a unified access method for all users.
As shown in Figure 1, a typical user access system consists of at least the following components: a VPN client, a VPN server, target-machine scenes, a VLAN switch and a range scheduling center. Their functions are:
- VPN client: installed and run by the accessing user on their own system; once it is running, the user reaches the scene network through it.
- VPN server: gives different clients access to different scenes through network configuration, including rate limiting and scene isolation; it consumes substantial resources.
- VLAN switch: builds the separate network isolation environments.
- Target-machine scene: the target environment to be accessed; each scene should be isolated from the others and reachable only by the users assigned to it.
- Range scheduling center: starts the target machines in the range, builds the network environment on the switch and assigns the target machines to scenes.
The access procedure of the system in Figure 1 is: 1. The range scheduling center starts the target machines, builds the network isolation environment through the VLAN switch and connects each target machine to its scene. 2. The VPN server opens service access according to predefined rules and assigns each user to a network environment when the client connects. 3. The user starts the client and reaches the isolated network environment through the VPN server.
The existing access system has the following problems: 1. The user must install a VPN client that matches their operating system; users on uncommon operating systems may be unable to connect. 2. The VPN server carries all of the traffic, so access becomes slow when many users connect concurrently. 3. The VPN server must be configured separately for each range scene, which is laborious, complicated and inflexible. 4. If port mapping is used instead, the small number of public IP addresses makes the exposed ports easy to enumerate by port scanning, and different users end up able to reach scenes other than their own, which is a security risk. 5. The VPN client offers no way to enforce anti-cheating rules in the range: users only need to exchange VPN client configuration files to reach each other's scenes.
Summary of the invention
Purpose of the invention: the purpose of the invention is to provide a method and system for isolated access to cyber range scenes based on dynamic domain names. By assigning each scene to a distinct third-level (or deeper) domain name for dynamic user access, the method needs no VPN client and no additional public IP addresses, and offers simple configuration, easy expansion, high concurrency, low operating cost and high security.
Technical solution: to achieve the above purpose, the invention adopts the following technical solution.
A method for isolated access to cyber range scenes based on dynamic domain names, comprising:
when a user requests, through a browser, to start a range scene or to view the page listing the scene's target-machine addresses, recording the request address (the client's source address) used by the user;
when the range scene starts, dynamically generating a globally unique string for each target machine to be accessed in the scene and using it as the third-level (or deeper) label of the target machine's access domain name, while recording the correspondence between that label and the target machine's real address;
returning the target machine's access domain name to the user; receiving the user's request to access the target machine through that domain name; obtaining the request address of the access request and checking it for consistency with the recorded request address; and, once the check passes, looking up the target machine's real address from the third-level (or deeper) label of the domain name, binding the requested domain name to that real address and proxying the access request for the domain name.
Preferably, where multiple users access multiple target machines in a scene, one or more domain names are dynamically generated for each target machine in the scene.
Preferably, when the user views the scene's target-machine address page, the address of the user's request is written into the target machine's allowed-address pool; when the user accesses the target machine through the domain name, the system checks whether the request address is in the pool, refuses access if it is not, and otherwise reverse-proxies to the target machine's real address.
Preferably, where target machines in a scene are accessed by groups, the domain name generated for a target machine contains identification information for the user's group.
Preferably, the dynamically generated third-level (or deeper) label is a UUID string or a string containing a UUID.
A system for isolated access to cyber range scenes based on dynamic domain names, comprising:
a request address recording module, which records the request address used when the user starts a range scene or views the scene's target-machine address page;
a dynamic domain name generation module, which, when the range scene starts, dynamically generates a globally unique string for each target machine to be accessed in the scene, uses it as the third-level (or deeper) label of the target machine's access domain name, and records the correspondence between that label and the target machine's real address;
an access proxy module, which receives the user's request to access a target machine through its domain name, obtains the request address of the access request, checks it for consistency with the recorded request address and, once the check passes, looks up the target machine's real address from the third-level (or deeper) label of the domain name, binds the requested domain name to that real address and proxies the access request for the domain name.
A computer system, comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, the computer program implementing the steps of the above method for isolated access to cyber range scenes based on dynamic domain names when loaded into the processor.
Beneficial effects: compared with the prior art, the invention has the following advantages. 1. No additional VPN client needs to be installed, so users reach range scenes more easily. 2. The access service is simple to configure and centrally managed; functions can be extended quickly, devices can be added quickly under high concurrency, and operating cost falls. 3. The real target addresses of a range scene are hidden, preventing destructive operations by users against the platform and improving resilience. 4. Recording the user's request address and checking it together with the domain name means that different users or teams cannot reach a target machine through the same domain name, which effectively prevents cheating. 5. Domain names are generated dynamically with high randomness, so users cannot reach the platform by brute-force scanning.
Description of the drawings
Figure 1 is a structural diagram of an existing access system.
Figure 2 is a schematic flow chart of the method of an embodiment of the invention.
Figure 3 is an example diagram of dynamic domain name access in an embodiment of the invention.
Detailed description of the embodiments
The technical solution of the invention is described clearly and completely below with reference to the drawings and specific embodiments.
As shown in Figure 2, in the method for isolated access to cyber range scenes based on dynamic domain names disclosed in this embodiment, when a user requests through a browser to start a range scene or to view the scene's target-machine address page, the request address used by the user is recorded; when the range scene starts, a globally unique string is generated dynamically for each target machine to be accessed in the scene and used as the third-level (or deeper) label of the target machine's access domain name, and the correspondence between that label and the target machine's real address is recorded; the target machine's access domain name is returned to the user; on receiving the user's request to access the target machine through that domain name, the request address of the access request is obtained and checked for consistency with the recorded request address; once the check passes, the target machine's real address is looked up from the third-level (or deeper) label of the domain name, the requested domain name is bound to that real address and the access request for the domain name is proxied.
The above scheme assigns the target machines in a scene to distinct third-level (or deeper) domain names so that users access cyber range scenes dynamically: no VPN client is installed, and the user reaches the scene's target machines directly through the standard access method of each service. It can be configured flexibly for different applications. For example, where multiple users access multiple target machines in a scene, one or more domain names can be generated dynamically for each target machine for users to connect to, and user or group identification information can be added to the domain name to help users recognise it.
Based on the same inventive concept, a system for isolated access to cyber range scenes based on dynamic domain names disclosed in an embodiment of the invention comprises: a request address recording module, which records the request address used when the user starts a range scene or views the scene's target-machine address page; a dynamic domain name generation module, which, when the range scene starts, dynamically generates a globally unique string for each target machine to be accessed in the scene, uses it as the third-level (or deeper) label of the target machine's access domain name, and records the correspondence between that label and the target machine's real address; and an access proxy module, which receives the user's request to access a target machine through its domain name, obtains the request address of the access request, checks it for consistency with the recorded request address and, once the check passes, looks up the target machine's real address from the third-level (or deeper) label, binds the requested domain name to that real address and proxies the access request for the domain name.
Based on the same inventive concept, a computer system disclosed in an embodiment of the invention comprises a memory, a processor and a computer program stored in the memory and runnable on the processor, the computer program implementing the steps of the above method for isolated access to cyber range scenes based on dynamic domain names when loaded into the processor.
The specific dynamic domain name access flow is explained below with the example in Figure 3.
1. The user reaches the platform (a competition platform or a confrontation platform, for example) through a browser. When the user starts a range scene, the request address used to start it is recorded. In small challenge or lab scenes the user starts the scene themselves, so the requesting IP address can be recorded at that moment and compared at access time to decide whether the user has access rights (a user can reach their own scene but not anyone else's). In large confrontation scenes the scene is started in advance; the platform records the IP address the user uses when logging in to view the scene's target-machine address page (the platform manages which scenes a user may access) and adds it to the scene's allowed-address pool. When the user then connects to the scene, the platform checks whether the connecting address is in the pool to decide whether the user has access to that scene.
2. After the range scheduling center starts the scene, it dynamically generates domain names and assigns them to the target machines for access. The randomly generated third-level label can take the form of a UUID plus a distinguishing tag.
In an ordinary online challenge scene, after the range has created the scene it assigns internal network addresses to the target machines in it. The competition platform records each target machine's internal address, generates a random string, combines the random string with the platform's domain name to form the access domain name, binds that name to the target machine's internal address and stores the key-value pair in a database. Users then connect through that domain name.
In a large scene with several competing groups, the platform assigns random strings to a large number of scene target machines and looks up each random string jointly with the target machine's internal address. Many different domain names therefore point to different internal target-machine addresses within the same scene. Isolation between the target machines is handled inside the scene network and is independent of the domain names: a user connecting through a given domain name reaches only the target machine it points to, and the network between target machines is visible only inside the scene, not to the user.
When the platform gives access per team, several users connect to the same domain name. In that case every user of the team must open the target-machine address page; the platform records the address each user used to open it and writes it into the target machine's allowed-address pool. At access time the platform looks the address up in the pool, and a hit identifies the user as a member of the team assigned to that scene.
3. The user connects to the platform directly through the domain name.
4. The platform checks the user's request address together with the requested target-machine domain name, so that a user cannot reach the target machine from a different request address.
For a scene started by the user, the platform compares the address used to start the scene with the address used to access the target machine; if they match, access proceeds and the reverse proxy is enabled. For large scenes, the network address the user used to view the scene's target-machine address page was recorded by the platform and written into the allowed-address pool of that target machine's domain name; the address the user uses when connecting through the domain name is matched against that pool. If it is absent the connection is refused; if it is present, access is allowed and the reverse proxy to the internal target machine is enabled.
5. Once the check passes, the platform proxies directly to the backend address bound to the domain name. The reverse proxy and load balancing can be implemented with Nginx plus Lua.
6. The user has reached the target machine.
When access is by group, as in a team competition, one group has several users who are all allowed to reach the same address, and the state in which several users of an on-site environment access the same address is preserved. The access system performs only the two-way match between domain name and target machine, so multi-user access is unaffected; in the multi-user case the domain name's allowed-address pool may hold several addresses, and once any user of the group has viewed a challenge, that user can access it. In a team competition the generated domain name can carry the group's name or identification code; the domain name thus carries some user-recognisable information that helps users confirm it is the target-machine address of the scene they want.
In the scheme of the invention, the user needs no dedicated client and reaches the target machine directly through the standard service access method. Different users or teams cannot reach a target machine through the same domain name. Domain names are generated dynamically, so users cannot reach the platform by brute-force scanning.
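The claimed method (generate a unique label per target machine, record the request address, check it and resolve the label to the real address) and the six-step flow of Figure 3 can be modelled compactly. The following is an added example written for this page, not code from the patent or its applicant. It assumes a platform base domain of range.example.com with a wildcard DNS record pointing at the access proxy (the page does not say how the names are published), uses a UUID as the random label as the patent prefers, keeps the label-to-real-address bindings and the per-target allowed-address pools in memory instead of a database, and returns the backend address that the reverse proxy (Nginx plus Lua in the patent's embodiment) should forward to, or None to refuse. The names extract_label, SceneAccessGate, start_scene, record_view and resolve are this example's own.

```python
import re
import uuid
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Assumed platform base domain (not from the patent); a wildcard DNS record for
# it is assumed to resolve to the access proxy.
BASE_DOMAIN = "range.example.com"

# One DNS label: lowercase letters, digits and hyphens, at most 63 characters.
_LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")


def extract_label(host: str) -> Optional[str]:
    """Return the third-level label of a requested Host value, or None unless the
    host is exactly one valid label directly under BASE_DOMAIN.
    A ':port' suffix is ignored; IPv6 literals and deeper names are rejected."""
    host = host.strip().lower()
    if host.startswith("["):          # IPv6 literal, never a range domain
        return None
    host = host.split(":", 1)[0].rstrip(".")
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    if "." in label or not _LABEL_RE.match(label):
        return None
    return label


@dataclass
class SceneAccessGate:
    """Access proxy state: label -> real target address (the stored key-value
    pair) and label -> client addresses allowed to reach that target."""
    bindings: Dict[str, str] = field(default_factory=dict)
    allowed: Dict[str, Set[str]] = field(default_factory=dict)

    def start_scene(self, targets: Iterable[str], opener_addr: Optional[str] = None,
                    group: Optional[str] = None) -> Dict[str, str]:
        """Scene start: one globally unique label (UUID) per target machine.
        opener_addr is the request address recorded when the user started the
        scene themselves (small challenge scenes); group prefixes the label with
        a team identifier (team competitions). Returns target -> access host."""
        if group is not None and not _LABEL_RE.match(group):
            raise ValueError("group identifier must be a valid DNS label fragment")
        names: Dict[str, str] = {}
        for target in targets:
            label = uuid.uuid4().hex          # 32 hex characters, 122 random bits
            if group is not None:
                label = f"{group}-{label}"
            if len(label) > 63:
                raise ValueError("label exceeds the 63-character DNS limit")
            self.bindings[label] = target
            self.allowed[label] = set()
            if opener_addr is not None:
                self.allowed[label].add(opener_addr)
            names[target] = f"{label}.{BASE_DOMAIN}"
        return names

    def record_view(self, host: str, client_addr: str) -> bool:
        """Pre-started scene: the user views the target-address page and their
        request address is written into that target's allowed-address pool."""
        label = extract_label(host)
        if label is None or label not in self.bindings:
            return False
        self.allowed[label].add(client_addr)
        return True

    def resolve(self, host: str, client_addr: str) -> Optional[str]:
        """Access check: return the real backend address to reverse-proxy to, or
        None to refuse (unknown name, or client address not in the pool)."""
        label = extract_label(host)
        if label is None:
            return None
        target = self.bindings.get(label)
        if target is None or client_addr not in self.allowed.get(label, ()):
            return None
        return target
```

Two points the model makes explicit that the text only implies: the requested name must be validated as exactly one label directly under the base domain before the lookup (a fourth-level name or a Host value carrying a port would otherwise miss or skew the match), and the check keys on the client's source address, so every user behind one shared egress address is admitted once any one of them has been recorded, which is also what makes the team mode work.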
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310297692.XA CN116366323B (en) | 2023-03-24 | 2023-03-24 | A network range scene isolation access method and system based on dynamic domain name |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310297692.XA CN116366323B (en) | 2023-03-24 | 2023-03-24 | A network range scene isolation access method and system based on dynamic domain name |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116366323A true CN116366323A (en) | 2023-06-30 |
| CN116366323B CN116366323B (en) | 2025-10-03 |
Family
ID=86918645
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310297692.XA Active CN116366323B (en) | 2023-03-24 | 2023-03-24 | A network range scene isolation access method and system based on dynamic domain name |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116366323B (en) |
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20150237158A1 (en) * | 2012-03-31 | 2015-08-20 | Beijing Qihoo Technology Company Limited | Method and system for accessing website |
| US20140344890A1 (en) * | 2013-05-16 | 2014-11-20 | Guest Tek Interactive Entertainment Ltd. | Dns-based captive portal with integrated transparent proxy to protect against user device caching incorrect ip address |
| WO2018090933A1 (en) * | 2016-11-17 | 2018-05-24 | 腾讯科技(深圳)有限公司 | Method, apparatus, and system for resolving service platform address |
| CN112187610A (en) * | 2020-09-24 | 2021-01-05 | 北京赛宁网安科技有限公司 | Network isolation system and method for network target range |
| CN114338597A (en) * | 2021-11-30 | 2022-04-12 | 奇安信科技集团股份有限公司 | Network access method and device |
| CN114422446A (en) * | 2022-03-29 | 2022-04-29 | 南京赛宁信息技术有限公司 | Application layer background traffic scheduling method and system in target range |
Non-Patent Citations (1)
| Title |
|---|
| 徐国天 (Xu Guotian): 面向取证能力提升的网络靶场训练系统构建 [Construction of a cyber range training system for improving forensic capability], 警察技术 (Police Technology), no. 03, 7 May 2020 |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116566749A (en) * | 2023-07-11 | 2023-08-08 | 南京赛宁信息技术有限公司 | A resource access method and system in the case of network shooting range scene isolation |
| CN116566749B (en) * | 2023-07-11 | 2023-10-24 | 南京赛宁信息技术有限公司 | Resource access method and system under condition of network target range scene isolation |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116366323B (en) | 2025-10-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| RU2461050C2 (en) | Network group name for virtual machines | |
| Zhuang et al. | A theory of cyber attacks: A step towards analyzing MTD systems | |
| US8694637B1 (en) | Virtual private server with CPU time scheduler and isolation of system components | |
| US9047462B2 (en) | Computer account management system and realizing method thereof | |
| CN109254831B (en) | Virtual machine network security management method based on cloud management platform | |
| US9152401B2 (en) | Methods and systems for generating and delivering an interactive application delivery store | |
| CN113392415B (en) | Data warehouse access control method, system and electronic device | |
| CN1604039A (en) | Method and system for execution of request in managing computing environment | |
| CN102063818A (en) | Experimental cloud platform system for serving computer-and-software-based education in schools of higher education | |
| CN106411857A (en) | Private cloud GIS service access control method based on virtual isolation mechanism | |
| CN112256399B (en) | Docker-based Jupitter Lab multi-user remote development method and system | |
| CN109271807A (en) | The data safety processing method and system of database | |
| CN110008019A (en) | Method and device, the system of shared server resource | |
| CN116366323A (en) | Network target range scene isolated access method and system based on dynamic domain name | |
| CN114039751B (en) | Network dynamic sensing device, system and method | |
| CN115618378A (en) | A column-level hive access control system and method | |
| JP4342242B2 (en) | Secure file sharing method and apparatus | |
| WO2025082159A1 (en) | Examination system and examination deployment method based on cloud computing and k8s cluster deployment | |
| Millar et al. | dCache, agile adoption of storage technology | |
| US8909799B2 (en) | File system firewall | |
| CN105763532B (en) | A kind of method and device logging in virtual desktop | |
| CN117319501A (en) | Data access method, system, medium and equipment based on cloud computing and K8s cluster deployment | |
| CN112333025A (en) | Network security simulation training method, device and system | |
| CN112733118B (en) | Cloud security product user management method, device and system and readable storage medium | |
| Qian et al. | Design of in-depth security protection system of integrated intelligent Police Cloud |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |