WO2021057348A1 - Server security defense method and system, communication device, and storage medium - Google Patents
- Publication number: WO2021057348A1 (application PCT/CN2020/110346)
- Authority: WIPO (PCT)
- Prior art keywords: server, identification, service, client, identity
- Legal status: Ceased (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/563—Data redirection of data network streams
- H04L67/565—Conversion or adaptation of application format or content
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
- H04L67/63—Routing a service request depending on the request content or context
Definitions
- Embodiments of the present invention relate to, but are not limited to, the field of security technology, and in particular to a server security defense method and system, a communication device, and a storage medium.
- Moving Target Defense (MTD) is a network security protection concept in which the parameters an attacker must learn to reach a target, here the address and port at which a server can be reached, are changed dynamically instead of being kept fixed.
- The server security defense method and system, communication device, and storage medium provided by the embodiments of the present invention aim to solve, at least to a certain extent, the following problem of the related art: on the Internet, the IP address and service port of a server are exposed to every access terminal, which leaves the server vulnerable to attack.
- An embodiment of the present invention provides a server security defense method, which includes: a client sends a domain name resolution request to a domain name server, and the domain name server resolves the server domain name in the request to the IP address of the identification management server and returns that IP address to the client; the client sends a service request containing a service identifier to the identification management server, the identification management server requests a dynamic identifier from the identification gateway, the identification gateway allocates dynamic identifier information, returns it to the identification management server and at the same time establishes a mapping relationship, and the identification management server returns a redirection response to the client;
- the client then sends the service request to the identification gateway, and the identification gateway converts the service request according to the mapping relationship and sends it to the business server, and converts the response received from the business server and sends it to the client.
- An embodiment of the present invention also provides a server security defense system, including: a client, which supports the domain name resolution client function and the service access function, initiates service requests using the service identifier, and also supports the service redirection function, that is, accesses the specified network resource according to the redirection response returned by the identification management server;
- a domain name server, which resolves the domain name of the business server to the IP address of the identification management server and, when there are multiple identification management servers, selects one or more of them according to a preset strategy;
- an identification management server, which receives the service request sent by the client, selects an identification gateway according to the preset strategy, requests a dynamic identifier from it, generates the redirection service identifier, and returns the redirection response to the client;
- an identification gateway, which generates a dynamic identifier according to the request of the identification management server, establishes the mapping relationship between the client IP address, the dynamic identifier, and the business server identifier, and forwards the service request from the client and the response to the client according to the mapping relationship.
- An embodiment of the present invention also provides a communication device, including: a processor, a memory, and a communication bus; where the communication bus is used to implement connection and communication between the processor and the memory, and the processor is used to execute one or more programs stored in the memory so as to implement the steps of the server security defense method described above.
- An embodiment of the present invention also provides a computer-readable storage medium that stores one or more programs, which can be executed by one or more processors to implement the steps of the server security defense method described above.
- FIG. 1 is a schematic structural diagram of a server security defense system provided by Embodiment 1 of the present invention;
- FIG. 2 is a flowchart of a server security defense method provided by Embodiment 1 of the present invention;
- FIG. 3 is a flowchart of a server security defense method provided by Embodiment 2 of the present invention;
- FIG. 4 is a flowchart of a server security defense method provided by Embodiment 3 of the present invention;
- FIG. 5 is a schematic structural diagram of a server security defense system provided by Embodiment 4 of the present invention;
- FIG. 6 is a flowchart of a server security defense method provided by Embodiment 4 of the present invention;
- FIG. 7 is a schematic structural diagram of a communication device according to Embodiment 5 of the present invention.
- An embodiment of the present invention provides a server security defense method for use in a server security defense network system.
- As shown in FIG. 1, the server security defense network system includes: a client 101, a domain name server 102, an identification management server 103, an identification gateway 104, and a business server 105.
- The identification gateway 104 is located between the client 101 and the business server 105, so that the client 101 and the business server 105 sit in different security zones: the business server 105 is located in a high-security zone, and the identification gateway 104 provides security protection for the business server 105 against attacks from the client side.
- The client 101 supports the domain name resolution client function and the service access function, initiates service requests using the service identifier, and also supports the service redirection function, that is, it accesses the specified network resource according to the redirection response returned by the identification management server;
- the domain name server 102 resolves the domain name of the business server 105 to the IP address of the identification management server 103 and, when there are multiple identification management servers, selects one or more of their IP addresses according to a preset strategy;
- the identification management server 103, after receiving the service request sent by the client 101, selects an identification gateway according to the preset strategy, requests a dynamic identifier from that identification gateway, generates the redirection service identifier, and returns the redirection response to the client;
- the identification gateway 104 generates a dynamic identifier according to the request of the identification management server 103, establishes the mapping relationship between the client IP address, the dynamic identifier, and the business server identifier, and forwards the service request from the client and the response to the client according to the mapping relationship.
- As shown in FIG. 2, the method includes the following steps:
- S201: The client sends a domain name resolution request to the domain name server, and the domain name server resolves the domain name of the business server to the IP address of the identification management server and returns it to the client.
- Specifically, the client sends a domain name resolution request to the domain name server, the domain name server resolves the business server domain name in the request to the IP address of the identification management server, and the resolved IP address of the identification management server is returned to the client.
- There may be one or more identification management servers. After receiving the domain name resolution request from the client, the domain name server selects at least one identification management server from the multiple identification management servers according to a preset strategy and sends its IP address to the client.
- The preset strategy includes: selecting the identification management server closest to the client according to the location information of the client; or polling (round-robin) each identification management server; or selecting the identification management server with the lighter load.
- S202: The client sends a service request to the identification management server, the identification management server requests a dynamic identifier from the identification gateway, and the identification gateway allocates dynamic identifier information, returns it to the identification management server and at the same time establishes a mapping relationship; the identification management server then returns a redirection response to the client.
- When the identification management server sends the dynamic identifier request to the selected identification gateway, it includes the client's IP address and the business server identifier in the request.
- The identification gateway allocates the dynamic identifier and establishes a mapping relationship between the client IP and the dynamic identifier, or between the client IP, the dynamic identifier, and the business server identifier;
- the dynamic identifier is the gateway's IP address and port, or the gateway's domain name and port;
- the business server identifier is the IP address and port of the business server, or the domain name and port of the business server.
- Based on the service identifier in the service request and the dynamic identifier, the identification management server replaces the host identification in the service identifier with the dynamic identifier, or inserts the dynamic identifier into it, to generate a redirection service identifier; the redirection response carries this redirection service identifier and instructs the client to send its service request to the identification gateway. The host identification is the host portion of the service identifier, namely an IP address or domain name, optionally together with the port.
- S203: The client sends a service request to the identification gateway, and the identification gateway converts the service request according to the mapping relationship and sends it to the business server, then converts the response received from the business server and sends it to the client.
- After receiving the service request, the identification gateway looks up the mapping relationship using the source IP, destination IP, and destination port of the request packet. If a matching mapping relationship is found, the service request is converted and sent to the business server; otherwise access is denied, or the request is diverted to a predetermined system. Converting the service request includes: the identification gateway replaces the destination IP and port of the service request (that is, the dynamic identifier) with the IP and port corresponding to the business server identifier in the mapping relationship, and replaces the source IP and port of the response (that is, the business server identifier) with the IP and port corresponding to the dynamic identifier; converting the service request further includes replacing the dynamic identifier in the service identifier of the service request with the business server identifier.
- In summary, a client sends a domain name resolution request to a domain name server, and the domain name server resolves the server domain name in the request to the IP address of an identification management server and returns that IP address to the client;
- the client sends a service request containing a service identifier to the identification management server, the identification management server requests a dynamic identifier from the identification gateway, and the identification gateway allocates dynamic identifier information, returns it to the identification management server and establishes a mapping relationship, after which the identification management server returns a redirection response to the client;
- the client sends the service request to the identification gateway, and the identification gateway converts the service request according to the mapping relationship and sends it to the business server, then converts the response received from the business server and sends it to the client. By adding the identification management server and the identification gateway, the communication parameters that the server exposes to each client are changed randomly while normal business continues, which increases the difficulty of attacking the server and thereby improves its security and service availability.
- FIG. 3 shows a server security defense method provided by an embodiment of the present invention, which includes the following steps:
- The service identifier represents the Internet service resource that the user wants to access. It is generally described by a uniform resource locator and consists of a server identifier and a content identifier, for example www.example.com:80/news/top.xml, where "www.example.com:80" is the server identifier, comprising the server domain name (www.example.com) and port (80); the server domain name may also be given as the server's IP address, and the port may be omitted when the default port is used. "/news/top.xml" identifies the specific content provided by the business service, and the combination uniquely identifies the business the user wants to access.
- To access the service, the client must first perform a DNS resolution to obtain the IP address corresponding to the server domain name (www.example.com), and then access the server at that IP address to obtain the service specified by the service identifier.
- In this embodiment, the client accesses the service using the service identifier, which includes the following steps:
- S301: The client sends a domain name resolution request to the domain name server;
- S302: The domain name server performs domain name resolution and returns a domain name query response.
- The response returned by the domain name server to the client includes the IP address of at least one identification management server.
- The IP address configured for the server domain name is not the real address of the business server but the IP address of the identification management server. If there are multiple identification management servers in the network, the IP addresses of multiple identification management servers can be configured for the server domain name.
- The domain name server selects the IP address of at least one identification management server from the multiple identification management servers according to a preset strategy and returns it to the client; in this embodiment the strategy includes: selecting the identification management server closest to the client according to the client's location information; or polling each identification management server; or selecting the identification management server with the lighter load.
- S303: The client sends a service request to the identification management server according to the result of the domain name resolution.
- The service request includes the service identifier.
- The destination IP is the IP address of the identification management server obtained in step S302, and the destination port is the default port or the designated port of the service application.
- The request message carries the complete service identifier.
- S304: The identification management server extracts the client IP address and the server identifier, selects an identification gateway, and sends a dynamic identifier request to it;
- the client IP address is taken from the source address field of the IP header of the service request packet, and the server identifier is extracted from the service identifier.
- The identification management server selects at least one identification gateway from multiple identification gateways according to a preset strategy, which includes: selecting the identification gateway closest to the client according to the client's location information; or polling each identification gateway; or selecting the identification gateway with the lighter load.
- S305: The identification gateway selects a dynamic identifier from the dynamic identifier pool, establishes the mapping relationship between the client IP, the dynamic identifier, and the server identifier, and returns a dynamic identifier query response carrying the selected dynamic identifier;
- the dynamic identifier pool consists of the IP addresses, or IP address segments, managed by the identification gateway, together with the port range and protocol type belonging to each IP address, so that each entry of the pool is an IP address plus a port number plus a protocol type.
- The IP addresses in the pool must be such that IP packets carrying them as destination address are routed and forwarded by the other network devices to the correct identification gateway.
- The rule for selecting the dynamic identifier is: select an entry of the dynamic identifier pool that is not in use for any client, or at least one that is not in use for this client, so that the pair (client IP, dynamic identifier) uniquely determines a mapping relationship.
- For example, an identification gateway manages the address segment 10.10.10.1-10.10.10.10, and each IP address has the port range 0-65535. For safety reasons, a range above the well-known ports (0-1023) is generally chosen, such as 1024-65535. The IP addresses of this segment, each with more than 60,000 ports, form a dynamic identifier pool large enough to ensure the randomness of dynamic identifier allocation.
- For a client such as 20.20.20.20 requesting www.example.com:80, the gateway might select the dynamic identifier 10.10.10.10:5000 and establish the mapping relationship (20.20.20.20, 10.10.10.10:5000, www.example.com:80).
- S306: The identification management server generates a redirection service identifier and returns a redirection response to the client;
- the redirection service identifier is generated by replacing the business server identifier in the service identifier carried by the request of step S304 with the dynamic identifier. For example, in the service identifier "www.example.com:80/news/top.xml",
- the server identifier "www.example.com:80" is replaced with the dynamic identifier "10.10.10.10:5000", producing the redirection service identifier "10.10.10.10:5000/news/top.xml".
- S307: The client sends a service request to the identification gateway according to the redirection service identifier.
- The service request carries the redirection service identifier.
- The destination IP and port of the IP packet carrying the service request are the IP address and port of the dynamic identifier, respectively.
- S308: The identification gateway extracts the client IP and the dynamic identifier, looks up the mapping relationship, and performs the conversion operation according to it. If no mapping relationship is found, the access is treated as illegal and the service request is rejected, or it is diverted to a predetermined system such as a honeypot, where the illegal access can be investigated further.
- The conversion operation specifically includes:
- Operation 1: according to the server domain name in the server identifier of the mapping relationship, resolve the server's IP address; this can use DNS data stored or cached locally by the identification gateway, or the gateway can request the resolution result from a domain name server, for example resolving "www.example.com" to "30.30.30.30";
- Operation 2: replace the dynamic identifier carried in the destination IP address and port of the service request IP packet with the IP address and port of the server, for example converting 10.10.10.10:5000 to 30.30.30.30:80;
- Operation 3: restore the host identification or the redirection service identifier in the service request to the original service identifier.
- The restoration replaces the identification gateway identifier in the host identification with the business server identifier, for example "10.10.10.10:5000" to "www.example.com:80"; or it restores the identification gateway identifier in the redirection service identifier to the business server identifier, for example "10.10.10.10:5000/news/top.xml" to "www.example.com:80/news/top.xml".
- Optionally, the identification gateway may resolve the server domain name to the server's IP address in step S308, again using locally stored or cached DNS data or by querying a domain name server, and replace the host domain name in the mapping relationship with the resolution result. For example, if the IP address corresponding to www.example.com is 30.30.30.30, the mapping relationship is expressed as (20.20.20.20, 10.10.10.10:5000, 30.30.30.30:80).
- Both server identifiers may also be stored in the mapping relationship at the same time, such as (20.20.20.20, 10.10.10.10:5000, www.example.com:80, 30.30.30.30:80), using 30.30.30.30:80 in Operation 1 (so no resolution is needed) and www.example.com:80 in Operation 3, which improves efficiency.
- A conversion table may further be established, containing the client IP + port, the dynamic identifier, and the server identifier including the server IP.
- The client port is the local port selected by the client when establishing the connection with the server; if the client selects port 1000, the forwarding relationship (20.20.20.20:1000, 10.10.10.10:5000, 30.30.30.30:80) is established, or, with the server identifier additionally in host domain name form, (20.20.20.20:1000, 10.10.10.10:5000, 30.30.30.30:80, www.example.com:80).
- After the identification gateway receives a service request, it first searches the conversion table; if an entry is found, it converts according to the conversion table, otherwise it searches the mapping relationship and, if that is found, creates the conversion table entry.
- A client may select several ports to establish connections with the server and issue different service requests; the identification gateway then establishes several corresponding conversion relationships that all correspond to the same mapping relationship, which is convenient for management.
- The domain name server used here by the identification gateway is different from the aforementioned (public) domain name server: it stores the relationship between the server domain name and the server IP address, is located in the high-security zone, and serves only the identification gateway. Clients cannot reach it, which keeps this domain name server secure.
- In the service response, the destination address and port are the client IP address and port,
- and the source address and port are the server IP address and port.
- The identification gateway performs the conversion operation: according to the mapping relationship or the conversion relationship, the server IP address and port in the source address and port are replaced with the IP address and port of the dynamic identifier, and the response is then sent to the client.
- If no mapping relationship or conversion relationship corresponding to the response is found, the access is denied, or the traffic is diverted to the predetermined system.
- In this embodiment, a client sends a domain name resolution request to a domain name server and then sends a service request to an identification management server according to the result of the domain name resolution; the identification management server extracts the client IP address and the server identifier, selects an identification gateway and sends it a dynamic identifier request; the identification gateway selects a dynamic identifier from the dynamic identifier pool, establishes the mapping relationship between the client IP, the dynamic identifier, and the server identifier, and returns a dynamic identifier query response carrying the selected dynamic identifier; the identification management server then generates a redirection service identifier and returns a redirection response to the client.
- The client sends a service request to the identification gateway according to the redirection service identifier, and the identification gateway extracts the client IP and the dynamic identifier, looks up the mapping relationship and performs the conversion operation; if no mapping relationship is found, the service request is rejected or diverted to the predetermined system.
- The service entrance accessed by the client is thus changed dynamically and randomly, and each entrance can only be used by the designated client, which increases the difficulty of attacking the server and improves its security.
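The following is an added, runnable model of the flow described in FIG. 2 (steps S201-S203) and FIG. 3 (steps S301-S308); it is example code written for this page, not code from the patent. It takes from the text only the pool 10.10.10.1-10.10.10.10 with ports above the well-known range, the client 20.20.20.20 with local port 1000, the business server www.example.com:80 at 30.30.30.30, and the honeypot as the "predetermined system". The identification management server address 40.40.40.1, the class and function names, and the use of a Python dict for the gateway-only DNS are assumptions made for the example.

```python
"""Added example: public DNS -> identification management server -> identification
gateway redirect -> gateway translation of request and response (FIG. 2 / FIG. 3 flow).
Addresses other than the 10.10.10.x pool, 20.20.20.20 and 30.30.30.30 are assumed."""
import ipaddress
import random
from dataclasses import dataclass

HONEYPOT = "honeypot"  # stands in for the "predetermined system" unmapped traffic is diverted to
PUBLIC_DNS = {"www.example.com": ["40.40.40.1"]}  # business domain -> identification management servers (assumed)


def split_service_id(service_id, default_port=80):
    """'www.example.com:80/news/top.xml' -> ('www.example.com:80', '/news/top.xml')."""
    host, sep, path = service_id.partition("/")
    if ":" not in host:
        host = f"{host}:{default_port}"  # the port may be omitted for the default port
    return host, sep + path


@dataclass(frozen=True)
class Mapping:
    client_ip: str
    dynamic_id: str   # gateway ip:port handed to this client only
    server_id: str    # business server domain:port, used when restoring the service id
    server_addr: str  # business server ip:port, used when rewriting packet headers


class IdentityGateway:
    def __init__(self, first_ip, last_ip, inner_dns, port_range=(1024, 65535), rng=None):
        lo, hi = int(ipaddress.ip_address(first_ip)), int(ipaddress.ip_address(last_ip))
        self.ips = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.port_range = port_range  # well-known ports 0-1023 are excluded from the pool
        self.inner_dns = inner_dns    # domain -> ip; the DNS only the gateway can reach
        self.rng = rng or random.SystemRandom()
        self.mappings = {}            # (client_ip, dynamic_id) -> Mapping
        self.conversions = {}         # (client ip:port, dynamic_id) -> Mapping

    def allocate(self, client_ip, server_id):
        """Step S305: pick an ip:port no client is using and record the mapping relationship."""
        in_use = {m.dynamic_id for m in self.mappings.values()}
        while True:
            dynamic_id = f"{self.rng.choice(self.ips)}:{self.rng.randint(*self.port_range)}"
            if dynamic_id not in in_use:
                break
        domain, port = server_id.rsplit(":", 1)
        server_addr = f"{self.inner_dns[domain]}:{port}"  # resolved once and cached in the mapping
        self.mappings[(client_ip, dynamic_id)] = Mapping(client_ip, dynamic_id, server_id, server_addr)
        return dynamic_id

    def forward_request(self, src, dst, service_id):
        """Step S308. src/dst are 'ip:port' of the client's packet. Returns the packet as the
        business server sees it, or HONEYPOT when (client IP, dynamic id) has no mapping."""
        client_ip = src.rsplit(":", 1)[0]
        mapping = self.conversions.get((src, dst))         # fast path: conversion table
        if mapping is None:
            mapping = self.mappings.get((client_ip, dst))  # slow path: mapping relationship
            if mapping is None:
                return HONEYPOT
            self.conversions[(src, dst)] = mapping         # per-connection entry keyed by client port
        host, path = split_service_id(service_id)
        # Operation 3: put the business server identifier back into the service identifier
        restored = mapping.server_id + path if host == mapping.dynamic_id else service_id
        # Operation 2: the destination becomes the business server's real ip:port
        return {"src": src, "dst": mapping.server_addr, "service_id": restored}

    def forward_response(self, src, dst):
        """Reverse path: src is the server ip:port, dst the client ip:port. The source is
        rewritten to the dynamic identifier; a response with no conversion entry is diverted."""
        for (client, dynamic_id), mapping in self.conversions.items():
            if client == dst and mapping.server_addr == src:
                return {"src": dynamic_id, "dst": dst}
        return HONEYPOT


class IdentityManagementServer:
    def __init__(self, gateways):
        self.gateways = gateways

    def handle(self, client_ip, service_id):
        """Steps S304-S306: pick the least-loaded gateway, obtain a dynamic identifier and
        build the redirect service identifier, e.g. '10.10.10.10:5000/news/top.xml'."""
        server_id, path = split_service_id(service_id)
        gateway = min(self.gateways, key=lambda g: len(g.mappings))
        return gateway.allocate(client_ip, server_id) + path


def demo(seed=7):
    """Run one client through the whole flow and return what each hop produced."""
    gateway = IdentityGateway("10.10.10.1", "10.10.10.10", {"www.example.com": "30.30.30.30"},
                              rng=random.Random(seed))
    idms = IdentityManagementServer([gateway])
    client, service_id = "20.20.20.20", "www.example.com:80/news/top.xml"
    idms_ip = PUBLIC_DNS["www.example.com"][0]                                  # S301/S302
    redirect = idms.handle(client, service_id)                                  # S303-S306
    dynamic_id, _ = split_service_id(redirect)                                  # S307
    request = gateway.forward_request(f"{client}:1000", dynamic_id, redirect)   # S308
    response = gateway.forward_response(request["dst"], f"{client}:1000")
    stranger = gateway.forward_request("50.50.50.50:1000", dynamic_id, redirect)  # no mapping
    return {"idms_ip": idms_ip, "redirect": redirect, "request": request,
            "response": response, "stranger": stranger}
```

`demo()` returns the redirect identifier the client receives, the request as the business server sees it (destination 30.30.30.30:80 and the original service identifier restored), the response with its source rewritten back to the dynamic identifier, and the honeypot verdict for a second host that reuses the same dynamic identifier from a different IP. Note that the gateway keys its lookup on the client IP, so a client behind the same NAT as the legitimate one would pass this check; the text offers the client port in the conversion table, not authentication, as the finer key.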
- FIG. 4 shows a flowchart of a server security defense method provided by Embodiment 3 of the present invention.
- In this embodiment, the client accesses the service using the service identifier, which includes the following steps:
- S401: The client sends a domain name resolution request to the domain name server;
- S402: The domain name server performs domain name resolution and returns a domain name query response.
- The response returned by the domain name server to the client includes the IP address of at least one identification management server.
- The IP address configured for the server domain name is not the real address of the business server but the IP address of the identification management server; if there are multiple identification management servers in the network, the IP addresses of multiple identification management servers can be configured for the server domain name.
- The domain name server selects the IP address of at least one identification management server according to a preset strategy and returns it to the client; as in Embodiment 2, the strategy includes: selecting the identification management server closest to the client according to the client's location information; or polling each identification management server; or selecting the identification management server with the lighter load.
- S403: The client sends a service request to the identification management server according to the result of the domain name resolution.
- The service request includes the service identifier.
- The destination IP is the IP address of the identification management server obtained in step S402, and the destination port is the default port or the designated port of the service application.
- The request message carries the complete service identifier.
- S404: The identification management server extracts the client IP address and the server identifier, selects an identification gateway, and sends a dynamic identifier request to it;
- the client IP address is taken from the source address field of the IP header of the service request packet, and the server identifier is extracted from the service identifier.
- The identification management server selects at least one identification gateway from multiple identification gateways according to a preset strategy, which includes: selecting the identification gateway closest to the client according to the client's location information; or polling each identification gateway; or selecting the identification gateway with the lighter load.
- S405: The identification gateway selects a dynamic identifier from the dynamic identifier pool, establishes the mapping relationship between the client IP and the dynamic identifier, obtains the corresponding identification gateway domain name, and returns a dynamic identifier query response carrying the selected dynamic identifier;
- the dynamic identifier pool consists of the IP addresses, or IP address segments, managed by the identification gateway, together with the port range and protocol type belonging to each IP address, so that each entry of the pool is an IP address plus a port number plus a protocol type.
- The IP addresses in the pool must be such that IP packets carrying them as destination address are routed and forwarded by the other network devices to the correct identification gateway.
- For example, the identification gateway manages the 10 IP addresses 10.10.10.1-10.10.10.10, whose corresponding domain names are idg1, idg2, ..., idg10.
- The rule for selecting the dynamic identifier is: select an entry of the dynamic identifier pool that is not in use for any client, or at least one that is not in use for this client, so that the pair (client IP, dynamic identifier) uniquely determines a mapping relationship.
- The domain name of the corresponding identification gateway is obtained at the same time: if the selected IP address is 10.10.10.10, the domain name idg10 is obtained;
- the identification gateway returns a dynamic identifier query response,
- which carries the dynamic identifier formed from the identification gateway domain name selected in step S405, for example idg10:5000.
- The identification management server generates a redirection service identification from the service identification and the dynamic identification, and returns a redirection response to the client. The service server domain name is prepended to the identification gateway domain name as a subdomain, in the format "server domain name" + "." + "identification gateway domain name", e.g. www.example.com.idg10; the redirection service identification is then "www.example.com.idg10:5000/news/top.xml".
- S407 The client sends a domain name resolution request to the domain name server for the host name extracted from the redirection service identification, e.g. "www.example.com.idg10".
- The domain name server performs the resolution and returns a response containing the identification gateway IP address corresponding to that domain name: "www.example.com.idg10" resolves to 10.10.10.10, the address the identification gateway selected as the dynamic identification.
- S409 The client sends a service request to the identity gateway according to the domain name resolution result
- the request includes a redirect service identifier; at this time, the destination IP and port in the service request correspond to the identifier gateway IP address and port included in the dynamic identifier, respectively.
- The identification gateway extracts the client IP address and the dynamic identification (the destination IP and port of the request), looks up the mapping, and performs the conversion according to it. If no mapping is found, the access is treated as illegal and the service request is rejected or directed to a predetermined system, such as a honeypot, where the illegal access can be investigated further.
- The conversion consists of three operations:
- Operation 1: resolve the IP address of the service server from the server domain name in the mapped server identification, either from DNS data stored or cached locally on the gateway or by querying the domain name server; e.g. "www.example.com" resolves to "30.30.30.30".
- Operation 2: replace the dynamic identification carried in the destination IP address and port of the service request packet with the IP address and port of the service server, e.g. 10.10.10.10:5000 becomes 30.30.30.30:80.
- Operation 3: restore the redirection service identification in the request to the original service identification by replacing the identification gateway part with the service server identification, e.g. "www.example.com.idg10" becomes "www.example.com".
- S411 The service server returns a service response
- the destination address and port in the service response information are the client IP address and port
- the source address and port are the server IP address and port.
- the identification gateway performs a conversion operation, and according to the mapping relationship or the conversion relationship, the server IP address and port in the source address and port are replaced with the dynamically identified IP address and port, and then sent to the client.
- The server security defense method of this embodiment changes the service entrance used by the client randomly and dynamically, and each entrance can be used only by its designated client, which raises the difficulty of attacking the server and improves its security.
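The flow of steps S403 to S411 above, simulated end to end in one process as an added example (this is not code from the patent or its applicant). The class names, the polling (round-robin) gateway choice, the seeded random pick from the pool, the private client addresses and the honeypot list are assumptions; the addresses follow the text: gateway addresses 10.10.10.1 to 10.10.10.10 named idg1 to idg10, and www.example.com resolving to 30.30.30.30 on port 80.

```python
"""Embodiment-3 flow: pool allocation, redirect construction, gateway conversion.

Added example, not the patent's code. Class names, round-robin gateway choice,
seeded random pool pick, client addresses and the honeypot sink are assumptions.
"""
import itertools
import random

# Constructed DNS data for the service server (what conversion operation 1 resolves).
SERVICE_DNS = {"www.example.com": "30.30.30.30"}


def split_service_id(service_id):
    """'www.example.com:80/news/top.xml' -> ('www.example.com', 80, '/news/top.xml');
    a missing port means the default port 80."""
    host_port, slash, path = service_id.partition("/")
    host, _, port = host_port.partition(":")
    return host, (int(port) if port else 80), slash + path


class IdentityGateway:
    """Holds the dynamic identification pool (IP x port x protocol) and the mappings."""

    def __init__(self, ips, ports, proto="tcp", rng=None):
        self.pool = [(ip, p, proto) for ip in ips for p in ports]
        self.domain_of = {ip: f"idg{i}" for i, ip in enumerate(ips, start=1)}
        self.ip_of = {d: ip for ip, d in self.domain_of.items()}
        self.mapping = {}      # (client_ip, gw_ip, gw_port, proto) -> "server domain:port"
        self.conversion = {}   # same key -> (server_ip, server_port), filled on first request
        self.rng = rng or random.Random()
        self.honeypot = []     # requests without a mapping (assumed sink)

    def allocate(self, client_ip, server_id):
        """Pick a dynamic identification no client is using; return it as 'idgN:port'."""
        in_use = {key[1:] for key in self.mapping}
        free = [d for d in self.pool if d not in in_use]
        if not free:
            raise RuntimeError("dynamic identification pool exhausted")
        gw_ip, gw_port, proto = self.rng.choice(free)
        self.mapping[(client_ip, gw_ip, gw_port, proto)] = server_id
        return f"{self.domain_of[gw_ip]}:{gw_port}"

    def convert_request(self, client_ip, dst_ip, dst_port, redirect_id, proto="tcp"):
        """Operations 1-3; None means 'no mapping, illegal access'."""
        key = (client_ip, dst_ip, dst_port, proto)
        server_id = self.mapping.get(key)
        if server_id is None:
            self.honeypot.append((key, redirect_id))
            return None
        server_domain, server_port, _ = split_service_id(server_id)
        server_ip = SERVICE_DNS[server_domain]              # op 1: resolve the server
        self.conversion[key] = (server_ip, server_port)     # remembered for the response
        host, _, path = split_service_id(redirect_id)
        suffix = "." + self.domain_of[dst_ip]               # op 3: strip ".idgN"
        if host.endswith(suffix):
            host = host[: -len(suffix)]
        return server_ip, server_port, f"{host}:{server_port}{path}"   # op 2: new dst

    def convert_response(self, client_ip, src_ip, src_port, proto="tcp"):
        """Rewrite the server's source address back to the dynamic identification."""
        for (c_ip, gw_ip, gw_port, p), server in self.conversion.items():
            if (c_ip, p) == (client_ip, proto) and server == (src_ip, src_port):
                return gw_ip, gw_port
        return None   # no conversion relationship: drop the packet


class IdentityManager:
    def __init__(self, gateways):
        self._polling = itertools.cycle(gateways)   # "polling each gateway" strategy

    def handle_request(self, client_ip, service_id):
        """Return the redirection service identification and the gateway holding the mapping."""
        gateway = next(self._polling)
        server_domain, server_port, path = split_service_id(service_id)
        dyn = gateway.allocate(client_ip, f"{server_domain}:{server_port}")
        gw_domain, gw_port = dyn.split(":")
        return f"{server_domain}.{gw_domain}:{gw_port}{path}", gateway


def resolve_redirect_host(host, gateways):
    """Name server for 'www.example.com.idg10': the last label names the gateway address."""
    gw_domain = host.rsplit(".", 1)[-1]
    for gw in gateways:
        if gw_domain in gw.ip_of:
            return gw.ip_of[gw_domain]
    raise KeyError(f"no gateway for {host}")


def run_flow(seed=7):
    gw = IdentityGateway([f"10.10.10.{i}" for i in range(1, 11)], range(5000, 5010),
                         rng=random.Random(seed))
    idm = IdentityManager([gw])
    client, rogue, service_id = "192.0.2.10", "192.0.2.99", "www.example.com:80/news/top.xml"
    redirect_id, gw = idm.handle_request(client, service_id)           # allocate + redirect
    host, port, _ = split_service_id(redirect_id)
    gw_ip = resolve_redirect_host(host, [gw])                           # resolve redirect host
    forwarded = gw.convert_request(client, gw_ip, port, redirect_id)    # request conversion
    response_src = gw.convert_response(client, forwarded[0], forwarded[1])   # response conversion
    rogue_result = gw.convert_request(rogue, gw_ip, port, redirect_id)  # same entrance, other client
    second_id, _ = idm.handle_request("192.0.2.11", service_id)         # another client, other entrance
    return {"redirect_id": redirect_id, "gateway": (gw_ip, port), "forwarded": forwarded,
            "response_src": response_src, "rogue": rogue_result,
            "honeypot": len(gw.honeypot), "second_id": second_id}


if __name__ == "__main__":
    print(run_flow())
```

The mapping is keyed by the full (client IP, gateway IP, gateway port, protocol) tuple, so a second client that learns an entrance (the "rogue" above) is refused even though it sends the identical redirected request; a second legitimate client is always handed a different entrance because allocation excludes every (IP, port, protocol) triple already in use.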
- Fig. 6 shows a flowchart of a server security defense method provided by an embodiment of the present invention, used in the server security defense system of Fig. 5. That system includes a client 501, a domain name server 502, an integrated identification gateway 503 and a service server 504; the integrated identification gateway 503 comprises an identification management function 5031 and an identification gateway function 5032.
- the method flow includes the following steps:
- S601 The client sends a domain name query request to the domain name server;
- The domain name server performs the resolution and returns a query response containing the IP address of one or more integrated identification gateways.
- Multiple integrated gateways can be deployed in the network. Each can be configured with multiple IP addresses plus the port range belonging to each address, which together form its dynamic identification pool.
- The IP address configured in the domain name server for the server domain name is the address of an integrated identification gateway; one or more addresses can be configured according to the number of integrated gateways and the addresses each manages. The selection strategy is the same as before: the gateway closest to the client's location, polling each gateway, or the gateway with the lighter load.
- S603 The client sends a service request to the identity integrated gateway according to the result of the domain name resolution, which includes the service identity;
- The identification management function in the integrated gateway extracts the client identification and the service server identification, and requests a dynamic identification from the identification gateway function through an internal message; the request includes the destination IP of the packet, i.e. the integrated gateway address the client selected from the resolution result.
- S605 The identification gateway function selects a dynamic identification from the pool, establishes the mapping between client IP, dynamic identification and server identification, and returns the dynamic identification, or only its port part, to the identification management function.
- The identification management function replaces the port in the server identification of the service identification with the port of the dynamic identification, generating the redirection service identification, and returns a redirection response to the client. If port 5000 was selected in the preceding step, the service identification "www.example.com:80/news/top.xml" becomes the redirection service identification "www.example.com:5000/news/top.xml".
- S607 The client sends a service request to the integrated identification gateway according to the redirected service identifier
- the service request includes a redirect service identifier.
- The identification gateway function extracts the client IP and the dynamic identification, looks up the mapping, and converts the request according to it. If no mapping is found, access is denied or the request is directed to a predetermined system.
- The service server returns a service response whose destination address and port are the client IP address and port, and whose source address and port are the server IP address and port.
- The identification gateway function converts the response according to the mapping or conversion relationship, replacing the server IP address and port in the source fields with the IP address and port of the dynamic identification, and sends it to the client. If no mapping or conversion relationship corresponding to the response is found, the access is denied or it is directed to the predetermined system.
- In summary, in this embodiment a client sends a domain name query request to the domain name server, which performs the resolution and returns a query response; the client sends a service request to the integrated identification gateway according to the resolution result. The identification management function in the integrated gateway extracts the client identification and the service server identification and requests a dynamic identification from the identification gateway function through an internal message; the identification gateway function selects a dynamic identification from the pool, establishes the mapping between client IP, dynamic identification and server identification, and returns the dynamic identification, or its port part, to the identification management function, which replaces the port in the server identification of the service identification with the port of the dynamic identification, generates the redirection service identification and returns a redirection response to the client.
- The client then sends a service request to the integrated gateway according to the redirection service identification; the identification gateway function extracts the client IP and dynamic identification, finds the mapping and converts the request accordingly, or, if no mapping is found, denies access or directs the request to the predetermined system; the service server returns a service response, which the gateway converts back before sending it to the client.
- In this way the service entrance used by the client is changed randomly and dynamically, and each entrance can be used only by its designated client, which raises the difficulty of attacking the server and improves its security.
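The embodiment-4 variant above, as an added example (not code from the patent or its applicant): one integrated gateway per address, a port-only dynamic identification, and the three gateway selection strategies the text lists (closest to the client, polling, lighter load). The integer "location" values used as the distance metric, the per-gateway load counter, the client address and the class names are assumptions.

```python
"""Integrated identification gateway with port-only redirect and selection strategies.

Added example, not the patent's code. Locations as integers, the load counter,
the client address and the class names are assumptions.
"""
import itertools


def split_service_id(service_id):
    """'www.example.com:80/news/top.xml' -> ('www.example.com', 80, '/news/top.xml')."""
    host_port, slash, path = service_id.partition("/")
    host, _, port = host_port.partition(":")
    return host, (int(port) if port else 80), slash + path


class IntegratedGateway:
    """Management function and gateway function in one box; the pool is this
    gateway's own address plus a port range, so the dynamic identification is a port."""

    def __init__(self, name, ip, ports, location, proto="tcp"):
        self.name, self.ip, self.location, self.proto = name, ip, location, proto
        self.free_ports = list(ports)
        self.mapping = {}   # (client_ip, gw_ip, port, proto) -> server identification
        self.load = 0

    def redirect(self, client_ip, service_id):
        """Management function: get a port from the gateway function, swap it into the id."""
        if not self.free_ports:
            raise RuntimeError(f"{self.name}: dynamic identification pool exhausted")
        port = self.free_ports.pop(0)                  # gateway function, internal message
        server_domain, server_port, path = split_service_id(service_id)
        self.mapping[(client_ip, self.ip, port, self.proto)] = f"{server_domain}:{server_port}"
        self.load += 1
        return f"{server_domain}:{port}{path}"         # only the port changes

    def forward(self, client_ip, dst_ip, dst_port, redirect_id):
        """Gateway function: (client IP, dynamic identification) must map, else reject."""
        server_id = self.mapping.get((client_ip, dst_ip, dst_port, self.proto))
        if server_id is None:
            return None
        _, _, path = split_service_id(redirect_id)
        return server_id + path                        # restored service identification


def select_gateway(gateways, strategy, client_location=None, polling=None):
    """The preset strategy used by the name server / management function."""
    if strategy == "closest":
        return min(gateways, key=lambda g: abs(g.location - client_location))
    if strategy == "polling":
        return next(polling)
    if strategy == "load":
        return min(gateways, key=lambda g: g.load)
    raise ValueError(strategy)


def run_demo():
    east = IntegratedGateway("idg-east", "10.10.10.1", range(5000, 5003), location=10)
    west = IntegratedGateway("idg-west", "10.10.10.2", range(5000, 5003), location=90)
    gateways = [east, west]
    polling = itertools.cycle(gateways)
    client, service_id = "192.0.2.10", "www.example.com:80/news/top.xml"

    chosen = select_gateway(gateways, "closest", client_location=15)
    redirect_id = chosen.redirect(client, service_id)
    _, port, _ = split_service_id(redirect_id)
    restored = chosen.forward(client, chosen.ip, port, redirect_id)
    # The redirect keeps the host name, so the client resolves www.example.com again;
    # if the name server now hands it the other gateway, no mapping exists there.
    wrong = west.forward(client, west.ip, port, redirect_id)
    by_load = select_gateway(gateways, "load")                    # east is loaded now
    polled = [select_gateway(gateways, "polling", polling=polling).name for _ in range(3)]
    return {"chosen": chosen.name, "redirect_id": redirect_id, "restored": restored,
            "wrong_gateway": wrong, "by_load": by_load.name, "polled": polled}


if __name__ == "__main__":
    print(run_demo())
```

The `wrong` case is the operational check to keep in mind with this variant: the mapping lives only on the gateway that issued the redirect, and the redirected identification still names the original host, so the client's second resolution of www.example.com must return that same gateway (a stable per-client answer or a shared mapping store), or the redirected request is refused as unmapped.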
- This embodiment also provides a communication device, as shown in FIG. 7, which includes a processor 71, a memory 72 and a communication bus 73. The communication bus 73 implements the connection and communication between the processor 71 and the memory 72; the processor 71 executes one or more computer programs stored in the memory 72 to implement at least one step of the server security defense method of the method embodiments above.
- This embodiment also provides a computer-readable storage medium, which includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, computer program modules or other data).
- Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other memory technology, CD-ROM (Compact Disc Read-Only Memory), DVD (Digital Versatile Disc) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can store the desired information and be accessed by a computer.
- The computer-readable storage medium in this embodiment can store one or more computer programs, which can be executed by a processor to implement at least one step of the server security defense method of the method embodiments above.
- In the method described above, the client sends a domain name resolution request to the domain name server, which resolves the server domain name in the request to the IP address of the identification management server and returns that address to the client; the client sends a service request, including a service identification, to the identification management server; the identification management server requests a dynamic identification from the identification gateway, which allocates dynamic identification information, returns it to the identification management server and at the same time establishes a mapping relationship; the identification management server returns a redirection response to the client; the client sends a service request to the identification gateway, which converts it according to the mapping relationship and sends it to the service server, and converts the response received from the service server before sending it to the client.
- The functional modules/units of the system and the device can be implemented as software (computer program code executable by a computing device), firmware, hardware, or an appropriate combination of these.
- The division into functional modules/units described above does not necessarily correspond to the division of physical components: a physical component may perform several functions, and a function or step may be carried out cooperatively by several physical components.
- Some or all physical components can be implemented as software executed by a processor, such as a central processing unit, a digital signal processor or a microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit.
- Communication media usually carry computer-readable instructions, data structures, computer program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery medium. The present invention is therefore not limited to any specific combination of hardware and software.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Cross-reference to related applications
This application is based on, and claims priority from, Chinese patent application No. 201910913485.6 filed on September 25, 2019, the entire content of which is incorporated herein by reference.
The embodiments of the present invention relate to, but are not limited to, the field of security technology, and in particular to a server security defense method and system, a communication device, and a storage medium.
Moving Target Defense (MTD) is a network security protection concept in which the attack surface that a protected target presents to an attacker is continuously and dynamically changed by technical means, so as to confuse the attacker, increase the cost and complexity of mounting a successful attack, lower the probability that an attack succeeds, and improve the resilience and security of the system.
In Internet services, to guarantee that a server's services are reachable, its IP address and service port must remain stable and open to every accessing terminal, which leaves the server exposed to attack. How to defend servers effectively has therefore become an urgent problem.
Summary of the invention
The server security defense method and system, communication device and storage medium provided by the embodiments of the present invention aim to solve, at least to some extent, one of the related technical problems: on the Internet, the IP address and service port of a server are open to all accessing terminals, which leaves the server vulnerable to attack.
In view of this, an embodiment of the present invention provides a server security defense method comprising: a client sends a domain name resolution request to a domain name server, which resolves the server domain name in the request to the IP address of an identification management server and returns that IP address to the client; the client sends a service request, including a service identification, to the identification management server; the identification management server requests a dynamic identification from an identification gateway; the identification gateway allocates dynamic identification information, returns it to the identification management server and at the same time establishes a mapping relationship; and the identification management server returns a redirection response to the client;
the client sends a service request to the identification gateway, which converts the service request according to the mapping relationship, sends it to the service server, converts the response received from the service server, and sends it to the client.
An embodiment of the present invention also provides a server security defense system comprising: a client, which supports the domain name resolution client function and the service access function, initiates service requests using a service identification, and also supports service redirection, i.e. accessing the network resource designated by a redirection response; a domain name server, which resolves the domain name of the service server to the IP address of an identification management server and selects the IP address of one or more identification management servers from several according to a preset strategy; an identification management server, which receives the service request sent by the client, selects an identification gateway according to a preset strategy, requests a dynamic identification from it, generates a redirection service identification, and returns a redirection response to the client; an identification gateway, which generates a dynamic identification at the request of the identification management server, establishes the mapping relationship between client IP address, dynamic identification and service server identification, and forwards service requests from the client and responses to the client according to that mapping; and a service server, which provides the service.
An embodiment of the present invention also provides a communication device comprising a processor, a memory and a communication bus, where the communication bus implements the connection and communication between the processor and the memory, and the processor executes one or more computer programs stored in the memory to implement the steps of the server security defense method described above.
An embodiment of the present invention also provides a computer-readable storage medium storing one or more programs, which can be executed by one or more processors to implement the steps of the server security defense method described above.
Other features of the present invention and their corresponding beneficial effects are set out in the later part of the specification, and it should be understood that at least some of those beneficial effects will become apparent from the description in the specification.
FIG. 1 is a schematic structural diagram of a server security defense system provided by Embodiment 1 of the present invention;
FIG. 2 is a flowchart of a server security defense method provided by Embodiment 1 of the present invention;
FIG. 3 is a flowchart of a server security defense method provided by Embodiment 2 of the present invention;
FIG. 4 is a flowchart of a server security defense method provided by Embodiment 3 of the present invention;
FIG. 5 is a schematic structural diagram of a server security defense system provided by Embodiment 4 of the present invention;
FIG. 6 is a flowchart of a server security defense method provided by Embodiment 4 of the present invention;
FIG. 7 is a schematic structural diagram of a communication device provided by Embodiment 5 of the present invention.
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described here serve only to explain the present invention and not to limit it.
Embodiment 1:
To solve the problem that on the Internet the server's IP address and service port are open to all accessing terminals, leaving the server vulnerable to attack, an embodiment of the present invention provides a server security defense method for use in a server security defense network system.
Referring to FIG. 1, which shows a server security defense system provided by an embodiment of the present invention, the server security defense network system includes a client 101, a domain name server 102, an identification management server 103, an identification gateway 104 and a service server 105. The identification gateway 104 sits between the client 101 and the service server 105, dividing them into different security zones: the service server 105 is in the high-security zone, and the identification gateway 104 provides security protection for it against attacks originating from clients.
The client 101 supports the domain name resolution client function and the service access function, initiates service requests using a service identification, and also supports service redirection, i.e. accessing the network resource designated by the redirection response returned to it. The domain name server 102 resolves the domain name of the service server 105 to the IP address of the identification management server 103, and selects the IP address of one or more identification management servers from several according to a preset strategy. The identification management server 103 receives the service request sent by the client 101, selects an identification gateway according to a preset strategy, requests a dynamic identification from it, generates a redirection service identification, and returns a redirection response to the client. The identification gateway 104 generates a dynamic identification at the request of the identification management server 103, establishes the mapping relationship between client IP address, dynamic identification and service server identification, and forwards service requests from the client and responses to the client according to that mapping. The service server 105 provides the service.
The server security defense method provided by this embodiment, shown in FIG. 2, includes the following steps:
S201: The client sends a domain name resolution request to the domain name server, which resolves the service server domain name to the IP address of the identification management server and returns it to the client.
In step S201, the client sends a domain name resolution request to the domain name server, which resolves the domain name of the service server in the request to the IP address of the identification management server and returns that resolved IP address to the client. There may be one or more identification management servers; after receiving the client's resolution request, the domain name server selects the IP address of at least one identification management server from them according to a preset strategy and sends it to the client.
In this embodiment the strategy includes: selecting the identification management server closest to the client's location, according to the client's location information; or polling the identification management servers; or selecting the identification management server with the lighter load.
S202: The client sends a service request to the identification management server; the identification management server requests a dynamic identification from the identification gateway; the identification gateway allocates dynamic identification information, returns it to the identification management server and at the same time establishes a mapping relationship; and the identification management server returns a redirection response to the client.
When the identification management server sends the dynamic identification request to the selected identification gateway, it sends the client's IP address and the service server identification along with it. After receiving the request, the identification gateway allocates a dynamic identification and establishes a mapping relationship between the client IP and the dynamic identification, or between the client IP, the dynamic identification and the service server identification. The dynamic identification is the address and port of the identification gateway, or its domain name and port; the service server identification is the IP address and port of the service server, or its domain name and port. From the service identification in the service request and the dynamic identification, the identification management server generates the redirection service identification by replacing the host identification in the service identification with the dynamic identification, or inserting the dynamic identification into it; the redirection service identification carried in the redirection response instructs the client to send its service request to the identification gateway. The host identification here is the server's IP address, or its IP address and port.
S203: The client sends a service request to the identification gateway, which converts it according to the mapping relationship and sends it to the service server, and converts the response received from the service server before sending it to the client.
In this embodiment, after receiving the service request the identification gateway looks up the mapping relationship by the source IP, destination IP and destination port of the request message. If a matching mapping is found, the request is converted and sent to the service server; otherwise access is denied or the request is directed to a predetermined system. The conversion comprises: the identification gateway replaces the destination IP and port of the request, i.e. the dynamic identification, with the IP and port corresponding to the service server identification in the mapping, and replaces the source IP and port of the response, i.e. the service server identification, with the IP and port corresponding to the dynamic identification; the conversion further comprises replacing the dynamic identification within the service identification of the request with the service server identification.
In the server security defense method of this embodiment, the client sends a domain name resolution request to the domain name server, which resolves the server domain name in the request to the IP address of the identification management server and returns it to the client; the client sends a service request including a service identification to the identification management server; the identification management server requests a dynamic identification from the identification gateway, which allocates dynamic identification information, returns it to the identification management server and establishes a mapping relationship; the identification management server returns a redirection response to the client; the client sends a service request to the identification gateway, which converts it according to the mapping relationship and sends it to the service server, and converts the response received from the service server before sending it to the client. By adding the identification management server and the identification gateway, the communication parameters with which the server serves a client are changed randomly while the server's normal business is preserved, which increases the difficulty of attacking the server and thereby improves its security, service availability and user experience.
Embodiment two:
To solve the problem that, on the Internet, a server's IP address and service port are open to every terminal that accesses it, which leaves the server vulnerable to attack, FIG. 3 shows a server security defense method provided by an embodiment of the present invention, comprising the following steps:
The concept of a service identifier is explained first. A service identifier denotes the Internet service resource a user wants to access. It is generally expressed as a uniform resource locator and consists of a server identifier and a content identifier, for example www.example.com:80/news/top.xml. Here "www.example.com:80" is the server identifier, made up of the server domain name (www.example.com) and the port (80); the server domain name may also be replaced by the server's IP address, and the port may be omitted when the default port is used. "/news/top.xml" denotes the specific content provided by the service; together the two parts uniquely identify the service the user wants to access. To access the service, the client first performs DNS resolution to obtain the IP address corresponding to the server domain name (www.example.com), then accesses the server at that IP address to obtain the service specified by the service identifier.
This embodiment provides a server security defense method in which the client accesses a service using a service identifier, comprising the following steps:
S301: The client sends a domain name resolution request to the domain name server;
S302: The domain name server performs domain name resolution and returns a domain name query response;
The response returned by the domain name server to the client includes the IP address of at least one identification management server. In this embodiment, the IP address configured for the server domain name in the domain name server is not the real address of the server but the IP address of an identification management server. If there are several identification management servers in the network, several of their IP addresses may be configured for the domain name, and the domain name server selects the IP address of at least one identification management server according to a preset policy and returns it to the client. In this embodiment the policy includes: selecting the identification management server closest to the client according to the client's location information; or polling the identification management servers in turn; or selecting the identification management server with the lighter load.
S303: The client sends a service request to the identification management server according to the result of the domain name resolution;
The service request includes the service identifier. In the request message, the destination IP is the IP address of the identification management server resolved in step 302, the destination port is the default port of the service application or a designated port, and the request message carries the complete service identifier.
S304: The identification management server extracts the client IP address and the server identifier, selects an identification gateway, and sends a dynamic identifier request to the identification gateway;
The client IP address is extracted from the source IP address field of the IP header of the service request packet, and the server identifier is extracted from the service identifier. When selecting an identification gateway, the identification management server selects at least one identification gateway from several according to a preset policy, which includes: selecting the identification gateway closest to the client according to the client's location information; or polling the identification gateways in turn; or selecting the identification gateway with the lighter load.
S305: The identification gateway selects a dynamic identifier from the dynamic identifier pool, establishes a mapping relationship between the client IP, the dynamic identifier and the server identifier, and returns a dynamic identifier query response carrying the selected dynamic identifier;
The dynamic identifier pool consists of an IP address plus a port number managed by the identification gateway, together with a protocol type;
or,
the dynamic identifier pool consists of the IP address or IP address range managed by the identification gateway, plus the port range and protocol type belonging to each IP address.
The IP address, or the addresses in the IP address range, must be such that IP packets destined for them are routed and forwarded by other network devices to the correct identification gateway.
In this implementation, the rule for selecting a dynamic identifier is: select a dynamic identifier from the pool that is not in use by any client, or select one that is not in use by this particular client, so that the mapping relationship can be uniquely determined from the client IP and the dynamic identifier.
For example, an identification gateway manages the address range 10.10.10.1-10.10.10.10, and each IP address has the port range 0-65535. For safety, a range outside the commonly used well-known ports is generally chosen, such as 1023-65535. The IP addresses in this range, each with more than 60,000 ports, form a dynamic identifier pool large enough to guarantee the randomness of dynamic identifier allocation.
If a client such as 20.20.20.20 needs to access a service, an unused dynamic network identifier can be selected from the above pool; if 10.10.10.10:5000 is unused, it can be allocated to this client. A dynamic identifier already in use by another client may also be allocated to this client, as long as (20.20.20.20, 10.10.10.10:5000) uniquely determines the mapping relationship (20.20.20.20, 10.10.10.10:5000, example.com:80). Because the number of dynamic network identifiers is large enough, the first allocation method, a dynamic identifier not used by any client, is preferred: it is simpler to implement and highly random.
S306: The identification management server generates a redirect service identifier and returns a redirection response to the client;
In this embodiment, the redirect service identifier is generated by replacing the service server identifier within the service identifier carried in the request message of step 304 with the dynamic identifier. For example, in the service identifier "www.example.com:80/news/top.xml" the server identifier "www.example.com:80" is replaced with the dynamic identifier "10.10.10.10:5000", producing the redirect service identifier "10.10.10.10:5000/news/top.xml".
S307: The client sends a service request to the identification gateway according to the redirect service identifier;
The service request includes the redirect service identifier. At this point, the destination IP and port of the IP packet carrying the service request correspond to the IP address and port in the dynamic identifier.
S308: The identification gateway extracts the client IP and the dynamic identifier, looks up the mapping relationship and performs the conversion operation; if no mapping relationship is found, it rejects the service request or steers it to a predetermined system;
The identification gateway extracts the client IP and the dynamic identifier, looks up the mapping relationship and performs the conversion according to it. If no mapping relationship is found, the access is treated as illegitimate and the service request is rejected, or it is steered to a predetermined system such as a honeypot so that the illegitimate access can be further characterised.
In this embodiment, the conversion operation specifically includes:
Operation 1: Resolve the server's IP address from the server domain name in the server identifier of the mapping relationship. The resolution may use DNS data stored or cached locally on the identification gateway, or the identification gateway may request the result from a domain name server; for example, "www.example.com" resolves to "30.30.30.30";
Operation 2: Replace the dynamic identifier carried in the destination IP address and port of the service request's IP packet with the server's IP address and port, for example converting 10.10.10.10:5000 to 30.30.30.30:80;
Operation 3: Restore the host identifier or the redirect service identifier in the service request to the service identifier. The host identifier is restored by replacing the identification gateway identifier with the service server identifier, for example "10.10.10.10:5000" becomes "www.example.com:80"; or the identification gateway identifier within the redirect service identifier is replaced with the service server identifier, for example "10.10.10.10:5000/news/top.xml" becomes "www.example.com:80/news/top.xml".
In another example of this embodiment, the identification gateway may resolve the server domain name to the server's IP address in step S308, using DNS data stored or cached locally or by requesting the result from a domain name server, and replace the host domain name in the mapping relationship with the result. If the IP address corresponding to example.com is 30.30.30.30, the mapping relationship becomes (20.20.20.20, 10.10.10.10:5000, 30.30.30.30:80).
In another example of this embodiment, both forms of the server identifier may be kept in the mapping relationship at the same time, such as (20.20.20.20, 10.10.10.10:5000, www.example.com:80, 30.30.30.30:80), using 30.30.30.30:80 in operation 1 and www.example.com:80 in operation 3, which improves efficiency.
In a specific implementation, a conversion table may additionally be built, containing the client IP plus port, the dynamic identifier, and the server identifier including the server IP; the client port is the local port chosen by the client when establishing the connection to the server. If the client chooses port 1000, the forwarding relationship (20.20.20.20:1000, 10.10.10.10:5000, 30.30.30.30:80) is built, or the forwarding relationship that also includes the server identifier in domain-name form, (20.20.20.20:1000, 10.10.10.10:5000, 30.30.30.30:80, www.example.com:80).
After receiving a service request, the identification gateway first looks up the conversion table; if an entry is found, it converts the request according to that entry; otherwise it looks up the mapping relationship and, if one is found, creates a conversion table entry.
With this approach, the client may use several ports to establish connections to the server for different service requests, and the identification gateway builds a corresponding number of conversion entries that all refer to the same mapping relationship, which simplifies management.
For security, the domain name server used in operation 1 is different from the domain name server described earlier: it holds the relationship between server domain names and server IP addresses, is located in a secure domain, serves the identification gateways exclusively and cannot be reached by clients, which protects that domain name server.
S309: The service server returns a service response;
In the service response, the destination address and port are the client IP address and port, and the source address and port are the server IP address and port.
S310: The identification gateway performs the conversion operation: according to the mapping relationship or the conversion relationship, it replaces the server IP address and port in the source address and port with the IP address and port of the dynamic identifier, then sends the response to the client.
During this conversion, if no mapping relationship or conversion relationship corresponding to the response is found, access is denied or the service request is steered to the predetermined system.
Depending on the service, there may be several further request and response exchanges, in which case steps S303-S310 are repeated.
In the server security defense method provided by this embodiment, the client sends a domain name resolution request to the domain name server and, according to the result, sends a service request to the identification management server; the identification management server extracts the client IP address and the server identifier, selects an identification gateway and sends it a dynamic identifier request; the identification gateway selects a dynamic identifier from the dynamic identifier pool, establishes the mapping relationship between the client IP, the dynamic identifier and the server identifier, and returns a dynamic identifier query response carrying the selected dynamic identifier; the identification management server generates a redirect service identifier and returns a redirection response to the client; the client sends a service request to the identification gateway according to the redirect service identifier; the identification gateway extracts the client IP and the dynamic identifier, looks up the mapping relationship and performs the conversion, and if no mapping relationship is found it rejects the service request or steers it to a predetermined system. Because the service entry point accessed by a client changes randomly and dynamically, and each entry point can only be used by the designated client, attacking the server becomes harder and server security improves.
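The following is an added example, not code from the patent: a small Python model of Embodiment two's identification management server (S306) and identification gateway (S305, S308 with the conversion table of the implementation note, and S310). The pool 10.10.10.1-10.10.10.10, client 20.20.20.20 and server 30.30.30.30 are the text's worked values; the secure-domain DNS table, the packet dictionaries and the class and function names are constructed for this example.

```python
import random
from typing import Dict, Optional, Set, Tuple

Dyn = Tuple[str, int]        # dynamic identifier: (gateway IP, port)
ServerId = Tuple[str, int]   # server identifier: (server domain name, port)

# Constructed stand-in for the secure-domain name server of operation 1
# (reachable by identification gateways only, never by clients).
SECURE_DNS: Dict[str, str] = {"www.example.com": "30.30.30.30"}


def split_service_id(sid: str) -> Tuple[str, int, str]:
    """'www.example.com:80/news/top.xml' -> ('www.example.com', 80, '/news/top.xml').
    The port may be omitted, in which case the default port 80 is assumed."""
    host, sep, rest = sid.partition("/")
    name, _, port = host.partition(":")
    return name, int(port) if port else 80, sep + rest


def make_redirect_id(service_id: str, dyn: Dyn) -> str:
    """S306: replace the server identifier inside the service identifier with the dynamic one."""
    _, _, path = split_service_id(service_id)
    return f"{dyn[0]}:{dyn[1]}{path}"


class IdentificationGateway:
    def __init__(self, pool_ips, port_range: Tuple[int, int] = (1024, 65535), seed=None):
        self.pool_ips = list(pool_ips)
        self.port_range = port_range
        self.rng = random.Random(seed)
        self.in_use: Set[Dyn] = set()                            # handed out to any client
        self.mappings: Dict[Tuple[str, Dyn], ServerId] = {}      # (client IP, dyn) -> server id
        # Conversion table: (client IP, client port, dyn) -> (server IP, server id)
        self.conversion: Dict[Tuple[str, int, Dyn], Tuple[str, ServerId]] = {}
        # Reverse index for responses: (server IP, server port, client IP, client port) -> dyn
        self.reverse: Dict[Tuple[str, int, str, int], Dyn] = {}

    def allocate(self, client_ip: str, server_id: ServerId) -> Dyn:
        """S305: choose a random dynamic identifier not used by any client, record the mapping."""
        while True:
            dyn = (self.rng.choice(self.pool_ips), self.rng.randint(*self.port_range))
            if dyn not in self.in_use:
                break
        self.in_use.add(dyn)
        self.mappings[(client_ip, dyn)] = server_id
        return dyn

    def handle_request(self, pkt: dict) -> Optional[dict]:
        """S308: conversion table first, then the mapping; None means reject or steer to honeypot."""
        client_ip, client_port = pkt["src"]
        dyn = pkt["dst"]
        key = (client_ip, client_port, dyn)
        if key not in self.conversion:
            server_id = self.mappings.get((client_ip, dyn))
            if server_id is None:
                return None                                  # unknown (client, dynamic id) pair
            server_ip = SECURE_DNS.get(server_id[0])         # operation 1
            if server_ip is None:
                return None
            self.conversion[key] = (server_ip, server_id)
            self.reverse[(server_ip, server_id[1], client_ip, client_port)] = dyn
        server_ip, (domain, sport) = self.conversion[key]
        _, _, path = split_service_id(pkt["service_id"])
        return {
            "src": pkt["src"],
            "dst": (server_ip, sport),                      # operation 2
            "service_id": f"{domain}:{sport}{path}",         # operation 3
        }

    def handle_response(self, pkt: dict) -> Optional[dict]:
        """S310: rewrite the server's source address back to the dynamic identifier."""
        server_ip, sport = pkt["src"]
        client_ip, cport = pkt["dst"]
        dyn = self.reverse.get((server_ip, sport, client_ip, cport))
        if dyn is None:
            return None                                      # no mapping or conversion entry
        return {"src": dyn, "dst": pkt["dst"]}


if __name__ == "__main__":
    gw = IdentificationGateway([f"10.10.10.{i}" for i in range(1, 11)], seed=1)
    dyn = gw.allocate("20.20.20.20", ("www.example.com", 80))
    rid = make_redirect_id("www.example.com:80/news/top.xml", dyn)
    print("redirect service identifier:", rid)
    print("converted request:", gw.handle_request({"src": ("20.20.20.20", 1000), "dst": dyn, "service_id": rid}))
    print("other client, same dyn:", gw.handle_request({"src": ("40.40.40.40", 1000), "dst": dyn, "service_id": rid}))
    print("converted response:", gw.handle_response({"src": ("30.30.30.30", 80), "dst": ("20.20.20.20", 1000)}))
```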
Embodiment three:
FIG. 4 shows a flowchart of a server security defense method provided by the present invention, in which the client accesses a service using a service identifier, comprising the following steps:
S401: The client sends a domain name resolution request to the domain name server;
S402: The domain name server performs domain name resolution and returns a domain name query response;
The response returned by the domain name server to the client includes the IP address of at least one identification management server. In this embodiment, the IP address configured for the server domain name in the domain name server is not the real address of the server but the IP address of an identification management server. If there are several identification management servers in the network, several of their IP addresses may be configured for the domain name, and the domain name server selects the IP address of at least one identification management server according to a preset policy and returns it to the client. In this embodiment the policy includes: selecting the identification management server closest to the client according to the client's location information; or polling the identification management servers in turn; or selecting the identification management server with the lighter load.
S403: The client sends a service request to the identification management server according to the result of the domain name resolution;
The service request includes the service identifier. In the request message, the destination IP is the IP address of the identification management server resolved in step 302, the destination port is the default port of the service application or a designated port, and the request message carries the complete service identifier.
S404: The identification management server extracts the client IP address and the server identifier, selects an identification gateway, and sends a dynamic identifier request to the identification gateway;
The client IP address is extracted from the source IP address field of the IP header of the service request packet, and the server identifier is extracted from the service identifier. When selecting an identification gateway, the identification management server selects at least one identification gateway from several according to a preset policy, which includes: selecting the identification gateway closest to the client according to the client's location information; or polling the identification gateways in turn; or selecting the identification gateway with the lighter load.
S405: The identification gateway selects a dynamic identifier from the dynamic identifier pool, establishes a mapping relationship between the client IP and the dynamic identifier, at the same time obtains the corresponding identification gateway domain name, and returns a dynamic identifier query response carrying the selected dynamic identifier;
The dynamic identifier pool consists of an IP address plus a port number managed by the identification gateway, together with a protocol type;
or,
the dynamic identifier pool consists of the IP address or IP address range managed by the identification gateway, plus the port range and protocol type belonging to each IP address.
The IP address, or the addresses in the IP address range, must be such that IP packets destined for them are routed and forwarded by other network devices to the correct identification gateway.
At the same time, a domain name must be configured for each IP address managed by the identification gateway, and the domain name server must be configured with the resolution relationship between the identification gateway's domain names and the IP addresses of the dynamic identifier pool it manages. When one identification gateway manages several IPs, each IP address needs its own domain name; for example, if the identification gateway manages the 10 IP addresses 10.10.10.1-10.10.10.10, the corresponding domain names are idg1, idg2, ..., idg10.
In this implementation, the rule for selecting a dynamic identifier is: select a dynamic identifier from the pool that is not in use by any client, or select one that is not in use by this particular client, so that the mapping relationship can be uniquely determined from the client IP and the dynamic identifier.
In this embodiment, when a dynamic identifier is selected to establish the mapping relationship, the domain name of the corresponding identification gateway is obtained at the same time; if the IP address 10.10.10.10 is selected, the domain name idg10 is obtained with it;
In this example it is sufficient to establish the mapping relationship between the client and the dynamic identifier, without the server domain name, for example (20.20.20.20, 10.10.10.10:5000). The identification gateway returns the dynamic identifier query response.
The dynamic identifier query response includes the dynamic identifier selected in step S305, which contains the identification gateway domain name, for example idg10:5000.
S406: The identification management server generates a redirect service identifier from the service identifier and the dynamic identifier, and returns a redirection response to the client;
Specifically, the service server domain name is made a sub-domain of the identification gateway domain name, constructing a new domain name in the format "server domain name" + "." + "identification gateway domain name", such as www.example.com.idg10; the redirect service identifier is then "www.example.com.idg10:5000/news/top.xml".
S407: The client sends a domain name resolution request to the domain name server;
The request includes the host domain name extracted from the redirect service identifier, for example "www.example.com.idg10".
S408: The domain name server performs domain name resolution and returns a domain name resolution response;
The domain name resolution response includes the identification gateway IP address corresponding to the domain name; in the example, the domain name server resolves "www.example.com.idg10" to 10.10.10.10, matching the dynamic IP generated by the identification gateway.
S409: The client sends a service request to the identification gateway according to the domain name resolution result;
The request includes the redirect service identifier; at this point, the destination IP and port of the service request correspond to the identification gateway IP address and port contained in the dynamic identifier.
S410: The identification gateway extracts the client IP address and the dynamic identifier, looks up the mapping relationship and performs the conversion operation accordingly;
The identification gateway extracts the client IP and the dynamic identifier, looks up the mapping relationship and performs the conversion according to it. If no mapping relationship is found, the access is treated as illegitimate and the service request is rejected, or it is steered to a predetermined system such as a honeypot so that the illegitimate access can be further characterised.
In this embodiment, the conversion operation specifically includes:
Operation 1: Resolve the server's IP address from the server domain name in the server identifier of the mapping relationship. The resolution may use DNS data stored or cached locally on the identification gateway, or the identification gateway may request the result from a domain name server; for example, "www.example.com" resolves to "30.30.30.30";
Operation 2: Replace the dynamic identifier carried in the destination IP address and port of the service request's IP packet with the server's IP address and port, for example converting 10.10.10.10:5000 to 30.30.30.30:80;
Operation 3: Restore the redirect service identifier in the service request to the service identifier, by restoring the identification gateway identifier within the redirect service identifier to the service server identifier, for example "www.example.com.idg10" becomes "www.example.com".
S411: The service server returns a service response;
In the service response, the destination address and port are the client IP address and port, and the source address and port are the server IP address and port.
S412: The identification gateway performs the conversion operation: according to the mapping relationship or the conversion relationship, it replaces the server IP address and port in the source address and port with the IP address and port of the dynamic identifier, then sends the response to the client.
In the server security defense method provided by this embodiment, the service entry point accessed by a client changes randomly and dynamically, and each entry point can only be used by the designated client, which raises the difficulty of attacking the server and improves its security.
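An added example, not the patent's code, for the domain-name variant of Embodiment three: constructing the redirect host "server domain" + "." + "gateway domain" (S406), the public name server's answer for such a host (S408), and the gateway's restoration of the server domain plus destination rewrite (S410). Assumptions labelled in the code: the gateway labels idg1..idg10 map to 10.10.10.1-10.10.10.10 as in the text, the secure-domain resolver is a constructed table, and since the mapping here carries no server identifier the service's default port 80 is used as the server port.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed from the text's example: one label per managed IP, idg1..idg10.
GATEWAY_DOMAINS: Dict[str, str] = {f"idg{i}": f"10.10.10.{i}" for i in range(1, 11)}
# Constructed stand-in for the secure-domain resolver used in operation 1.
SECURE_DNS: Dict[str, str] = {"www.example.com": "30.30.30.30"}

# Mapping entries of this embodiment: (client IP, gateway IP, port), no server identifier.
Mapping = Set[Tuple[str, str, int]]


def dynamic_id_with_domain(ip: str, port: int) -> str:
    """S405: the gateway returns the dynamic identifier with its domain label, e.g. 'idg10:5000'."""
    label = next(lbl for lbl, addr in GATEWAY_DOMAINS.items() if addr == ip)
    return f"{label}:{port}"


def make_redirect_id(service_id: str, dynamic_id: str) -> str:
    """S406: 'server domain' + '.' + 'gateway domain', keeping the dynamic port and the path."""
    host, sep, rest = service_id.partition("/")
    server_domain = host.partition(":")[0]          # drop the original server port, if any
    label, _, port = dynamic_id.partition(":")
    return f"{server_domain}.{label}:{port}{sep}{rest}"


def resolve_redirect_host(host: str) -> Optional[str]:
    """S408: the public name server answers any name whose last label is a gateway domain
    with that gateway's IP, so www.example.com.idg10 -> 10.10.10.10; other names get nothing."""
    return GATEWAY_DOMAINS.get(host.rpartition(".")[2])


def restore_server_domain(redirect_host: str) -> Optional[str]:
    """Operation 3: strip exactly one trailing gateway label; None if the label is not ours."""
    server_domain, _, label = redirect_host.rpartition(".")
    return server_domain if label in GATEWAY_DOMAINS else None


def gateway_convert(mappings: Mapping, client_ip: str, dst_ip: str, dst_port: int,
                    redirect_id: str, default_port: int = 80) -> Optional[dict]:
    """S410: require a (client IP, dynamic identifier) mapping, then restore the server domain,
    resolve it (operation 1) and rewrite the destination (operation 2). None = reject/honeypot."""
    if (client_ip, dst_ip, dst_port) not in mappings:
        return None
    host, sep, rest = redirect_id.partition("/")
    server_domain = restore_server_domain(host.partition(":")[0])
    if server_domain is None:
        return None
    server_ip = SECURE_DNS.get(server_domain)
    if server_ip is None:
        return None
    return {
        "dst": (server_ip, default_port),               # assumption: service default port
        "host": server_domain,
        "service_id": f"{server_domain}:{default_port}{sep}{rest}",
    }


if __name__ == "__main__":
    dyn = dynamic_id_with_domain("10.10.10.10", 5000)
    rid = make_redirect_id("www.example.com:80/news/top.xml", dyn)
    mappings: Mapping = {("20.20.20.20", "10.10.10.10", 5000)}
    print(rid, "->", resolve_redirect_host(rid.partition(":")[0]))
    print(gateway_convert(mappings, "20.20.20.20", "10.10.10.10", 5000, rid))
```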
实施例四:Embodiment four:
图6所示为本发明实施例提供的一种服务器安全防御方法流程图,用于一种服务器安全防御系统,请参见图5,包括客户端501,域名服务器502,标识综合网关503,业务服务器504;其中标识综合网关503包括标识管理功能5031,标识网关功能5032。如图6所示,该方法流程包括如下步骤:Fig. 6 shows a flowchart of a server security defense method provided by an embodiment of the present invention, which is used in a server security defense system. Please refer to Fig. 5, which includes a client 501, a domain name server 502, an identification integrated gateway 503, and a business server. 504; where the identity integrated gateway 503 includes an identity management function 5031 and an identity gateway function 5032. As shown in Figure 6, the method flow includes the following steps:
S601:客户端向域名服务器发送域名查询请求;S601: The client sends a domain name query request to the domain name server;
S602:域名服务器进行域名解析,返回域名查询响应;S602: The domain name server performs domain name resolution and returns a domain name query response;
其中,所述响应包括一个或多个综合网关的IP地址,可在网络中部署多台综合网关,每台综合网关可以配置多个IP地址加上每个IP地址所属的端口范围,构成动态标识池。Wherein, the response includes the IP address of one or more integrated gateways. Multiple integrated gateways can be deployed in the network. Each integrated gateway can be configured with multiple IP addresses plus the port range to which each IP address belongs to form a dynamic identifier. Pool.
本实施例中,域名服务器中服务器域名配置的IP地址是标识综合网关的IP地址,可以根据标识综合网关数量以及标识综合网关所管理的IP地址,配置1个或多个IP地址;具体的策略包括:根据客户端的位置信息,选择相对于客户端位置最近的标识网关;或,轮询各标识网关;或,选择负荷较轻的标识网关。In this embodiment, the IP address configured by the server domain name in the domain name server is the IP address that identifies the integrated gateway, and one or more IP addresses can be configured according to the number of identified integrated gateways and the IP addresses managed by the identified integrated gateway; specific strategies Including: according to the location information of the client, selecting the identification gateway closest to the location of the client; or, polling each identification gateway; or, selecting the identification gateway with a lighter load.
S603: Based on the resolution result, the client sends a service request to the identity integrated gateway; the request contains a service identifier;
S604: The identity management function in the identity integrated gateway extracts the client identifier and the service server identifier, and requests a dynamic identifier from the identity gateway function through an internal message;
The request carries the destination IP of the IP packet, that is, the identity integrated gateway address the client selected from the domain name resolution result.
S605: The identity gateway function selects a dynamic identifier from the dynamic identifier pool, establishes a mapping between the client IP, the dynamic identifier and the server identifier, and returns the dynamic identifier (or only its port part) to the identity management function;
S606: The identity management function replaces the port in the server identifier part of the service identifier with the port of the dynamic identifier, producing a redirected service identifier, and returns a redirect response to the client;
For example, if port 5000 was selected in step S605, the gateway turns the service identifier "www.example.com:80/news/top.xml" into the redirected service identifier "www.example.com:5000/news/top.xml".
S607: The client sends a service request to the identity integrated gateway using the redirected service identifier;
This service request carries the redirected service identifier.
S608: The identity gateway function extracts the client IP and the dynamic identifier, looks up the mapping and performs the translation the mapping specifies; if no mapping is found, access is denied or the service request is diverted to a predetermined system;
Once the destination IP address and port have been translated, the port in the service identifier is restored, for example "www.example.com:5000" back to "www.example.com:80".
S609: The service server returns a service response;
In the service response, the destination address and port are the client's IP address and port, and the source address and port are the server's IP address and port.
S610: The identity gateway function performs the reverse translation: according to the mapping (translation) relationship, it replaces the server IP address and port in the source address and port with the IP address and port of the dynamic identifier, and then sends the response to the client.
If, during this translation, no mapping or translation relationship corresponding to the response is found, access is denied or the traffic is diverted to the predetermined system.
In the server security defense method provided by this embodiment, the client sends a domain name query request to the domain name server, which performs resolution and returns a response; the client then sends a service request carrying a service identifier to the identity integrated gateway; the identity management function in the gateway extracts the client identifier and the service server identifier and requests a dynamic identifier from the identity gateway function through an internal message; the identity gateway function selects a dynamic identifier from the dynamic identifier pool, establishes the mapping between client IP, dynamic identifier and server identifier, and returns the dynamic identifier (or its port part) to the identity management function; the identity management function replaces the port of the server identifier in the service identifier with the port of the dynamic identifier, producing a redirected service identifier, and returns a redirect response to the client; the client sends a service request to the gateway using the redirected service identifier; the identity gateway function extracts the client IP and the dynamic identifier, looks up the mapping and translates the request accordingly, denying access or diverting the request to the predetermined system when no mapping is found; and the service server returns a service response. Because the service entrance a client uses changes randomly and dynamically, and each entrance can be used only by the client it was assigned to, an attacker finds it harder to reach the server, and the server's security is improved.
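The exchange in steps S603 to S610, simulated end to end as an added example (Python) that is not code from the patent or from any product of its applicant. It keeps the page's service-identifier form ("host:port/path", e.g. "www.example.com:80/news/top.xml"); the class and function names, the host-to-server registry, the address of the "predetermined system" and all sample IP addresses and ports are assumptions made for illustration.

```python
"""Simulation of the identity integrated gateway of steps S603-S610.

Added example, not the patent's code. The registry, the predetermined
system and every address below are constructed; nothing here touches a
real network.
"""
import secrets
from dataclasses import dataclass


def parse_service_id(service_id: str):
    """Split 'host:port/path' (the page's form) into (host, port, path)."""
    hostport, _, path = service_id.partition("/")
    host, sep, port = hostport.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"malformed service identifier: {service_id!r}")
    return host, int(port), "/" + path


def format_service_id(host: str, port: int, path: str) -> str:
    return f"{host}:{port}{path}"


@dataclass(frozen=True)
class Mapping:
    """One entry of the client IP / dynamic identifier / server identifier mapping (S605)."""
    client_ip: str
    dyn_ip: str
    dyn_port: int
    server_ip: str
    server_port: int


class IdentityGateway:
    """Identity management function (5031) and identity gateway function (5032) in one object."""

    def __init__(self, pool, registry, predetermined_system=None):
        # Dynamic identifier pool: gateway IP -> ports still free on that IP.
        self.free = {ip: set(ports) for ip, ports in pool.items()}
        # Assumed service server registry: host name -> (server IP, server port).
        self.registry = dict(registry)
        # Where unmatched requests are diverted (the "predetermined system"); None means deny.
        self.predetermined_system = predetermined_system
        self.by_dyn = {}   # (client IP, dynamic IP, dynamic port) -> Mapping
        self.flows = {}    # (client IP, client port) -> Mapping, filled when a request is forwarded

    def redirect(self, client_ip, dst_ip, service_id):
        """S604-S606: allocate a dynamic identifier on the gateway IP the client addressed
        and build the redirected service identifier. None if the host is unknown or the
        pool for that IP is exhausted."""
        host, _, path = parse_service_id(service_id)
        if host not in self.registry or not self.free.get(dst_ip):
            return None
        dyn_port = secrets.choice(sorted(self.free[dst_ip]))   # random pick from the pool
        self.free[dst_ip].remove(dyn_port)
        server_ip, server_port = self.registry[host]
        self.by_dyn[(client_ip, dst_ip, dyn_port)] = Mapping(
            client_ip, dst_ip, dyn_port, server_ip, server_port)
        # Only the port changes: the host name still resolves to this gateway IP.
        return format_service_id(host, dyn_port, path)

    def translate_request(self, client_ip, client_port, dst_ip, dst_port, service_id):
        """S608: the lookup key is the client IP *and* the dynamic identifier, so the same
        dynamic port presented from another source IP does not match."""
        m = self.by_dyn.get((client_ip, dst_ip, dst_port))
        if m is None:
            if self.predetermined_system is not None:
                return ("divert", self.predetermined_system)
            return ("deny", None)
        self.flows[(client_ip, client_port)] = m
        host, _, path = parse_service_id(service_id)
        restored = format_service_id(host, m.server_port, path)   # ":5000" -> ":80"
        return ("forward", (m.server_ip, m.server_port, restored))

    def translate_response(self, server_ip, server_port, client_ip, client_port):
        """S610: rewrite the response's source back to the dynamic identifier; a response
        with no matching forwarded flow is dropped."""
        m = self.flows.get((client_ip, client_port))
        if m is None or (m.server_ip, m.server_port) != (server_ip, server_port):
            return ("deny", None)
        return ("forward", (m.dyn_ip, m.dyn_port))

    def release(self, client_ip, dyn_ip, dyn_port):
        """Return a dynamic identifier to the pool once the client's session is over."""
        m = self.by_dyn.pop((client_ip, dyn_ip, dyn_port), None)
        if m is None:
            return False
        self.free[dyn_ip].add(dyn_port)
        self.flows = {k: v for k, v in self.flows.items() if v is not m}
        return True


def demo():
    """Walk the S603-S610 exchange once; all addresses are constructed."""
    gw = IdentityGateway(
        pool={"203.0.113.10": range(5000, 5010)},
        registry={"www.example.com": ("10.0.0.5", 80)},
        predetermined_system=("10.0.0.99", 8080))
    client = "198.51.100.7"
    redirected = gw.redirect(client, "203.0.113.10", "www.example.com:80/news/top.xml")
    _, dyn_port, _ = parse_service_id(redirected)
    request = gw.translate_request(client, 40001, "203.0.113.10", dyn_port, redirected)
    stranger = gw.translate_request("198.51.100.8", 40002, "203.0.113.10", dyn_port, redirected)
    response = gw.translate_response("10.0.0.5", 80, client, 40001)
    return redirected, dyn_port, request, stranger, response


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The check that gives the page its "each entrance can only be accessed by the designated client" property is the composite key in translate_request: the dynamic port alone is not enough, the source IP recorded when the identifier was issued must match as well. Two things follow for a deployment: clients behind a shared NAT present the same source IP, so the binding is per public address rather than per machine; and the dynamic port is handed to the client in the redirect, so it is an obstacle to scanning and unsolicited connections, not a secret.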
Embodiment five:
This embodiment also provides a communication device, shown in FIG. 7, which includes a processor 71, a memory 72 and a communication bus 73, where:
the communication bus 73 connects the processor 71 and the memory 72 and carries the communication between them;
the processor 71 executes one or more computer programs stored in the memory 72 so as to implement at least one step of the server security defense method of embodiment one and embodiment five above.
This embodiment also provides a computer-readable storage medium, which includes volatile or non-volatile, removable or non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, computer program modules or other data). Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other memory technology, CD-ROM (Compact Disc Read-Only Memory), DVD (Digital Versatile Disc) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
The computer-readable storage medium of this embodiment can store one or more computer programs which, when executed by a processor, implement at least one step of the server security defense method of embodiment one and embodiment five above.
According to the server security defense method and system, communication device and computer-readable storage medium provided by the embodiments of the present invention: the client sends a domain name resolution request to the domain name server, which resolves the server's domain name to the IP address of the identity management server and returns that address to the client; the client sends a service request containing a service identifier to the identity management server; the identity management server requests a dynamic identifier from the identity gateway, which allocates one, returns it to the identity management server and at the same time establishes the mapping; the identity management server returns a redirect response to the client; the client sends a service request to the identity gateway, which translates it according to the mapping, forwards it to the service server, and translates the service server's response before sending it to the client. By adding the identity management server and the identity gateway, the communication parameters the server uses to serve a client are changed at random without disrupting the server's normal service, which raises the difficulty of attacking the server and so improves its security and service availability, and with them the user experience.
Those skilled in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the system and apparatus, can be implemented as software (computer program code executable by a computing device), firmware, hardware or a suitable combination of these. In a hardware implementation, the division into functional modules/units described above does not necessarily correspond to the division into physical components: one physical component may have several functions, or one function or step may be carried out by several physical components together. Some or all of the physical components can be implemented as software executed by a processor such as a central processing unit, digital signal processor or microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit.
Furthermore, as is well known to those of ordinary skill in the art, communication media usually carry computer-readable instructions, data structures, computer program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery medium. The present invention is therefore not limited to any particular combination of hardware and software.
The above is a further detailed description of the embodiments of the present invention with reference to specific implementations, and the specific implementation of the present invention should not be regarded as limited to these descriptions. Those of ordinary skill in the technical field to which the present invention belongs can make a number of simple deductions or substitutions without departing from the concept of the present invention, all of which should be regarded as falling within its scope of protection.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910913485.6A CN112565318A (en) | 2019-09-25 | 2019-09-25 | Server security defense method and system, communication equipment and storage medium |
| CN201910913485.6 | 2019-09-25 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2021057348A1 true WO2021057348A1 (en) | 2021-04-01 |
Family
ID=75029483
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2020/110346 Ceased WO2021057348A1 (en) | 2019-09-25 | 2020-08-20 | Server security defense method and system, communication device, and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN112565318A (en) |
| WO (1) | WO2021057348A1 (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115334150A (en) * | 2022-08-15 | 2022-11-11 | 北京分贝通科技有限公司 | Data forwarding method, device, system, electronic equipment and medium |
| CN115334150B (en) * | 2022-08-15 | 2024-01-19 | 北京分贝通科技有限公司 | Data forwarding method, device, system, electronic equipment and medium |
| WO2025035982A1 (en) * | 2023-08-14 | 2025-02-20 | 百富计算机技术(深圳)有限公司 | Cloud container multi-level access method, apparatus, storage medium, and chip |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113194076B (en) * | 2021-04-16 | 2023-04-21 | 中盈优创资讯科技有限公司 | Safety controller and implementation method thereof |
| CN113873301A (en) * | 2021-09-22 | 2021-12-31 | 深圳市商汤科技有限公司 | Video stream acquisition method and device, server and storage medium |
| CN113992382B (en) * | 2021-10-22 | 2024-04-05 | 北京京东振世信息技术有限公司 | Service data processing method and device, electronic equipment and storage medium |
| CN115396397B (en) * | 2022-04-13 | 2023-07-14 | 中国人民解放军国防科技大学 | Method and device for determining cache domain name system service scope based on forwarding relationship |
| CN115883179A (en) * | 2022-11-28 | 2023-03-31 | 明度智云(浙江)科技有限公司 | Data processing method and system and electronic equipment |
| CN119766832B (en) * | 2024-12-18 | 2025-10-28 | 苏州元脑智能科技有限公司 | Service request processing method and device, electronic equipment and medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102185859A (en) * | 2011-05-09 | 2011-09-14 | 北京艾普优计算机系统有限公司 | Computer system and data interaction method |
| CN104378450A (en) * | 2013-08-12 | 2015-02-25 | 深圳市腾讯计算机系统有限公司 | Protection method and device for network attacks |
| CN105391811A (en) * | 2014-08-29 | 2016-03-09 | 腾讯科技(深圳)有限公司 | DNS (domain name resolution) method, access method for application server, and terminal |
| US10122630B1 (en) * | 2014-08-15 | 2018-11-06 | F5 Networks, Inc. | Methods for network traffic presteering and devices thereof |
| CN109981803A (en) * | 2017-12-27 | 2019-07-05 | 中兴通讯股份有限公司 | Service request processing method and device |
Timeline
- 2019-09-25: CN application CN201910913485.6A filed (published as CN112565318A; status: active, pending)
- 2020-08-20: PCT application PCT/CN2020/110346 filed (published as WO2021057348A1; status: not active, ceased)
Also Published As
| Publication number | Publication date |
|---|---|
| CN112565318A (en) | 2021-03-26 |
Similar Documents
| Publication | Title |
|---|---|
| WO2021057348A1 (en) | Server security defense method and system, communication device, and storage medium |
| US10356097B2 (en) | Domain name system and method of operating using restricted channels |
| US9253158B2 (en) | Remote access manager for virtual computing services |
| CN109983752B (en) | Network address with encoded DNS-level information |
| US8959338B2 (en) | Remote access manager for virtual computing services |
| US9300623B1 (en) | Domain name system cache integrity check |
| US9712422B2 (en) | Selection of service nodes for provision of services |
| US8566474B2 (en) | Methods, systems, and computer readable media for providing dynamic origination-based routing key registration in a diameter network |
| CN109981803B (en) | Service request processing method and device |
| US9973590B2 (en) | User identity differentiated DNS resolution |
| CN108616490A (en) | A kind of method for network access control, apparatus and system |
| US11658995B1 (en) | Methods for dynamically mitigating network attacks and devices thereof |
| US9948555B2 (en) | Data processing |
| CN102427484A (en) | Determining whether device in a network based on DNS |
| US10616128B2 (en) | Method and system for identifying network resources |
| EP4049425B1 (en) | Email security in a multi-tenant email service |
| US9252947B1 (en) | Secure key distribution service |
| CN110784434A (en) | Communication method and device |
| CN115913583A (en) | Service data access method, device and equipment, and computer storage medium |
| CN113014682B (en) | Method, system, terminal equipment and storage medium for realizing network dynamic property |
| US20240039913A1 (en) | Service processing method and apparatus, electronic device, and storage medium |
| CN118138568A (en) | Address allocation method, device and user plane functional entity |
| Krähenbühl et al. | Ubiquitous Secure Communication in a Future Internet Architecture |
| CN120017244B (en) | Cross-node service interview method, kubernetes cluster node and Kubernetes cluster |
| US12470618B2 (en) | Internet protocol version 4-to-version 6 redirect for application function-specific user endpoint identifiers |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20870038; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 20870038; Country of ref document: EP; Kind code of ref document: A1 |
| | 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 22/02/2023) |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 20870038; Country of ref document: EP; Kind code of ref document: A1 |