CN105577627B - Communication method, device, network equipment, terminal equipment and communication system - Google Patents
Publication number: CN105577627B (application CN201410631328.3A)
Authority: CN (China)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The embodiments of the application disclose a communication method, a communication device, a network device, a terminal device and a communication system. When a terminal device sends an access request to a network server, the network device intercepts the access request, verifies the terminal device, and forwards the access request to the network server only after the verification passes. A denial-of-service attack is usually a hacker using a tool on the user-device side to simulate a legitimate user and send a large number of access requests to the network server without responding to it; such illegal user equipment therefore does not answer the verification. Through the communication method, communication device, network device, terminal device and communication system provided by the embodiments of the application, access requests sent by illegal users can thus be prevented from reaching the network server, and the probability of a denial-of-service attack on the network server is reduced.
Description
Technical Field
The present invention relates to the field of network technologies, and in particular, to a communication method, an apparatus, a network device, a terminal device, and a communication system.
Background
Denial of service (DOS) refers to an attack in which an illegal user floods a target host (e.g., a network server) with a large number of data packets until the available resources of the target host are exhausted or the system even crashes, so that the target host cannot respond to legitimate users. Distributed denial of service (DDOS) is a form of denial of service that builds on the traditional attack: multiple computers are combined into an attack platform that launches a denial of service attack on one or more target hosts, overwhelming them with massive numbers of connections or traffic so that they cannot respond to legitimate users.
Currently, whether in traditional DOS or in DDOS, the attack request is identical in content to a legitimate request, which makes distinguishing the two very difficult. Calculating the request rate, checking the header fields of the network packet (IP header, TCP header, HTTP header, etc.), and even inspecting the request content of the whole application layer cannot effectively separate attack requests from legitimate ones. To achieve an obvious effect, an attacker often requests a large Flash file, picture or video, or causes the server to perform load-intensive database queries and data processing. For example, a well-constructed HTTP request can make a web server perform join, query and sort operations across several large database tables; a small number of puppet hosts sending low-rate attack requests can then quickly consume the target host's resources, so that the target host cannot respond to requests from legitimate users. The attack is therefore well concealed, and detecting DOS attacks becomes harder.
At present, no effective method for protecting against distributed denial of service attacks exists.
Disclosure of Invention
The invention aims to provide a communication method, a communication device, a network device, a terminal device and a communication system so as to protect effectively against denial of service attacks.
In order to achieve the purpose, the invention provides the following technical scheme:
a method of communication, comprising:
the network equipment intercepts and captures an access request sent by the first terminal equipment to the network server;
the network equipment acquires a verification parameter and sends the verification parameter to the first terminal equipment;
if the network equipment receives the encryption factor which is sent by the first terminal equipment and corresponds to the verification parameter, verifying the encryption factor sent by the first terminal equipment according to the verification parameter;
and when the authentication is passed, the network equipment sends the access request to the network server.
A method of communication, comprising:
the first terminal equipment sends an access request to a network server;
the first terminal equipment receives verification parameters, and the verification parameters are acquired by network equipment after intercepting an access request sent by the first terminal to a network server and are sent to the first terminal equipment;
the first terminal equipment calculates an encryption factor according to the verification parameter;
and the first terminal equipment sends the encryption factor to the network server.
A communication device, comprising:
the interception module is used for intercepting an access request sent by the first terminal device to the network server;
the parameter acquisition module is used for acquiring verification parameters after the interception module intercepts an access request sent by first terminal equipment to a network server, and sending the verification parameters to the first terminal equipment;
the verification module is used for verifying the encryption factor sent by the first terminal equipment when receiving the encryption factor sent by the first terminal equipment and corresponding to the verification parameter;
and the first sending module is used for sending the access request to the network server when the authentication is passed.
A network device comprising a communication apparatus as described above.
A communication apparatus applied to a first terminal device, the apparatus comprising:
the second sending module is used for sending an access request to the network server;
the receiving module is used for receiving verification parameters, and the verification parameters are acquired by network equipment after intercepting an access request sent by the first terminal equipment to a network server and are sent to the first terminal equipment;
the calculation module is used for calculating an encryption factor according to the verification parameter;
and the third sending module is used for sending the encryption factor to the network server.
A terminal device comprising a communication apparatus as described above.
A communication system, comprising: a terminal device as described above and a network device as described above.
According to the above scheme, in the communication method, communication device, network device, terminal device and communication system provided by the application, when a terminal device sends an access request to a network server, the network device intercepts the access request, verifies the terminal device, and forwards the access request to the network server only after the verification passes. A denial-of-service attack is usually a hacker using a tool on the user-device side to simulate a legitimate user and send a large number of access requests to the network server without responding to it; such illegal user equipment therefore does not answer the verification. Through the communication method, communication device, network device, terminal device and communication system provided by the embodiments of the application, access requests sent by illegal users can thus be prevented from reaching the network server, and the probability of a denial-of-service attack on the network server is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a communication system according to an embodiment of the present application;
fig. 2 is a flowchart of an implementation of a communication method according to an embodiment of the present application;
fig. 3 is a flowchart of an implementation of verifying an encryption factor sent by a first terminal device according to a verification parameter according to an embodiment of the present application;
fig. 4 is a flowchart of another implementation of a communication method provided in an embodiment of the present application;
fig. 5 is a flowchart of another implementation of the communication method according to the embodiment of the present application;
fig. 6 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a parameter obtaining module according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a verification module according to an embodiment of the present disclosure;
fig. 9 is a schematic structural diagram of a first obtaining unit according to an embodiment of the present disclosure;
fig. 10 is another schematic structural diagram of a first obtaining unit provided in an embodiment of the present application;
fig. 11 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 12 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 14 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 15 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 16 is a block diagram of a hardware structure of a network device according to an embodiment of the present disclosure;
fig. 17 is a schematic structural diagram of a communication device according to an embodiment of the present application;
FIG. 18 is a schematic structural diagram of a computing module according to an embodiment of the present application;
FIG. 19 is a schematic structural diagram of a computing module according to an embodiment of the present disclosure;
fig. 20 is a block diagram of a partial structure of a mobile phone related to a terminal device according to an embodiment of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be practiced otherwise than as specifically illustrated.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, which is a schematic structural diagram of a communication system according to an embodiment of the present application:
The terminal device 11 accesses the internet through the router 12 and can establish a connection with the network server 14 to communicate. The network device 13 can intercept information sent by the terminal device 11 to the network server 14 and verify the validity of the terminal device 11; when the terminal device 11 is determined to be valid, the network device 13 forwards the information to the network server 14, and otherwise it discards the information sent by the terminal device 11 to the network server 14.
The terminal device 11 may be a Personal Computer (PC), a notebook computer, or a mobile terminal, as long as the device can access the internet.
Based on the communication system shown in fig. 1, an implementation flowchart of the communication method provided by the present application is shown in fig. 2, and may include:
step S21: the network equipment intercepts and captures an access request sent by the first terminal equipment to the network server;
the access request sent by the first terminal device to the network server is intercepted by the network device.
The access request may conform to an access request of an HTTP protocol, for example, may be a GET request, and the network device may request a Common Gateway Interface (CGI) on the network server in a GET manner to obtain the required resource.
Of course, the access request may also be other types of requests in the HTTP protocol, such as a POST request, a HEAD request, etc.
Step S22: the network equipment acquires a verification parameter and sends the verification parameter to the first terminal equipment;
the network equipment acquires the verification parameters after intercepting the access request sent by the first terminal equipment to the network server, and sends the verification parameters to the first terminal equipment.
Optionally, the verification parameter may be obtained from the identifier of the first terminal device and the identifier of the network server. Specifically:
the network device may calculate the verification parameter from the source IP (i.e., the IP of the first terminal device) and the destination IP (i.e., the IP of the network server) carried in the access request.
Optionally, an HMAC (Hash-based Message Authentication Code) operation may be performed over the source IP and the destination IP, that is, a hash-based message authentication code is calculated and used as the verification code.
Optionally, the network device may also calculate the authentication parameter according to the hardware address (e.g., MAC address) and the destination IP of the first terminal device carried in the access request.
Similarly, an HMAC (Hash-based Message Authentication Code) operation may be performed over the hardware address of the first terminal device and the destination IP to obtain the verification code.
Specifically, the calculation can be performed according to the following formula (1):
$js1 = HMAC($srcip, $dstip) (1)
where $js1 is the result of the HMAC operation, i.e. the verification code, and $srcip and $dstip are the identifier of the first terminal device and the identifier of the network server respectively.
Step S23: and if the network equipment receives the encryption factor which is sent by the first terminal equipment and corresponds to the verification parameter, verifying the encryption factor sent by the first terminal equipment according to the verification parameter.
In the course of implementing the present invention, the inventor found that a denial of service attack is generally a hacker using a tool on the user equipment side to simulate a legitimate user and send a large number of access requests to a network server; the purpose is to attack the network server rather than to obtain resources from it, so user equipment controlled by the hacker usually does not respond to the verification parameter, and neither calculates nor sends an encryption factor.
A normal terminal device (i.e. one not controlled by a hacker), on the other hand, responds to the verification parameter, i.e. calculates the encryption factor and sends it.
Therefore, in this embodiment of the present application, when the first terminal device is a legitimate user and the network is functioning normally, the network device receives the encryption factor corresponding to the verification parameter sent by the first terminal device; when the first terminal device is an illegal user controlled by a hacker, the network device usually does not receive such an encryption factor.
After the network device receives the encryption factor corresponding to the verification parameter sent by the first terminal device, it verifies the encryption factor to determine the validity of the first terminal device.
Step S24: and when the authentication is passed, the network equipment sends the access request to the network server.
And when the encryption factor passes the verification, the network equipment forwards the access request sent by the first terminal equipment to the network server. Communication between the legal user equipment and the network server is realized.
According to the communication method provided by the application, when the terminal equipment sends the access request to the network server, the network equipment intercepts and captures the access request sent by the terminal equipment to the network server, then the terminal equipment is verified, and after the verification is passed, the access request is sent to the network server.
In the foregoing embodiment, optionally, the flowchart of an implementation of verifying the encryption factor sent by the first terminal device according to the verification parameter is shown in fig. 3, and may include the following steps:
step S31: the network equipment acquires a local encryption factor according to the verification parameter;
the network equipment and the first terminal equipment adopt the same algorithm to calculate the local encryption factor.
Optionally, the network device may calculate a local encryption factor according to the verification parameter and the identification code of the first terminal device.
Alternatively, the network device may calculate the local encryption factor according to equation (2):
$sessionkey-b = HMAC($key1, $imei, $js1) (2)
where $sessionkey-b is the local encryption factor; $key1 is a key shared by the network device and the terminal device; $imei is the identifier (such as an IMEI number) or a random number of the terminal device, sent by the terminal device; and $js1 is the verification parameter.
Optionally, the network device may also calculate a local encryption factor according to the verification parameter, the identification code of the first terminal device, and a timestamp when the first terminal device receives the verification parameter.
Alternatively, the network device may calculate the local encryption factor according to equation (3):
$sessionkey-b = HMAC($key1, $imei, $timestamp, $js1) (3)
where $sessionkey-b is the local encryption factor; $key1 is a key shared by the network device and the terminal device; $imei is the identifier (such as an IMEI number) or a random number of the terminal device, sent by the terminal device; $timestamp is the timestamp; and $js1 is the verification parameter.
Step S32: and when the encryption factor sent by the first terminal equipment is the same as the local encryption factor, determining that the authentication is passed.
After the local encryption factor is obtained, the local encryption factor can be compared with the encryption factor sent by the first terminal device, and if the encryption factor sent by the first terminal device is the same as the local encryption factor, the verification is determined to be passed; otherwise, it may be determined that the verification failed.
In the foregoing embodiment, optionally, another implementation flowchart of the communication method provided by the present application is shown in fig. 4, and may include:
step S41: the network equipment intercepts and captures an access request sent by the first terminal equipment to the network server;
step S42: the network equipment acquires a verification parameter and sends the verification parameter to the first terminal equipment;
step S43: judging whether an encryption factor corresponding to the verification parameter and sent by the first terminal equipment is received; if so, go to step S44; if not, go to step S47;
optionally, it may be determined whether the encryption factor corresponding to the verification parameter and sent by the first terminal device is received within a preset time period after the verification parameter is sent to the first terminal device, if the encryption factor corresponding to the verification parameter and sent by the first terminal device is received within the preset time period, it may be determined that the encryption factor corresponding to the verification parameter and sent by the first terminal device is received, otherwise, it may be determined that the encryption factor corresponding to the verification parameter and sent by the first terminal device is not received.
Step S44: verifying the encryption factor sent by the first terminal equipment according to the verification parameter;
step S45: judging whether the verification is passed; if the verification is passed, step S46 is executed; otherwise, executing step S47;
step S46: the network device sends the access request to the network server.
Step S47: and discarding the access request sent by the first terminal equipment.
After discarding the access request sent by the first terminal device, the connection between the first terminal device and the network server may also be blocked.
In the embodiment of the application, if the encryption factor corresponding to the verification parameter and sent by the first terminal device is not received, or the verification fails, the access request sent by the first terminal device to the network server is discarded, that is, the access request sent by the first terminal device is not forwarded to the network server.
In the foregoing embodiment, optionally, the communication method provided in this embodiment of the present application may further include:
the network equipment counts the number of times of discarding the access request sent by the first terminal equipment in unit time;
the total number of times the access request sent by the first terminal device is discarded in a period of time may be counted, and the number of times the access request sent by the first terminal device is discarded per unit time, that is, the frequency of discarding the access request sent by the first terminal device, may be determined by dividing the total number of times by the counted time length.
When the number of times that an access request sent by a first terminal device is discarded in a unit time is greater than a preset threshold value, determining that the first terminal device is an illegal user device.
Optionally, after determining that the first terminal device is an illegal user device, after the network device receives an access request sent by the first terminal device to the network server, before obtaining the verification parameter, the method may further include:
judging whether the first terminal equipment is illegal user equipment or not;
if the first terminal equipment is illegal user equipment, discarding the access request; otherwise, executing the step of obtaining the verification parameters.
In this embodiment, after determining that the first terminal device is an illegal user device, if an access request sent by the first terminal device is received, the access request is directly discarded without verifying the validity of the first terminal device, so that the resource consumption of the network device is reduced. Furthermore, the connection between the first terminal device and the network server can be blocked, so that the first terminal device can not send an access request any more, brute force attack can be resisted, and the stability of the first terminal device is enhanced.
Optionally, after determining that the first terminal device is an illegal user device, after the network device receives an access request sent by the first terminal device to the network server, before obtaining the verification parameter, the method may further include:
judging whether the first terminal equipment is illegal user equipment or not;
if the first terminal equipment is illegal user equipment, disconnecting the first terminal equipment from the network server; otherwise, executing the step of obtaining the verification parameters.
In this embodiment, after determining that the first terminal device is an illegal user device, if an access request sent by the first terminal device is received, the first terminal device is directly blocked from being connected with the network device, so that the first terminal device cannot send the access request any more, brute force attack can be resisted, and stability of the first terminal device is enhanced. Further, the access request sent by the first terminal device may be discarded, so as to prevent the access request sent by the first terminal device from occupying the memory space of the network device.
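The discard-frequency accounting and the pre-check for known illegal devices described in the optional steps above, written out as an added Python example (not code from the patent or its applicant). The patent fixes neither the counting period nor the threshold, so WINDOW_SECONDS and DROP_RATE_LIMIT are assumptions, as are the class and function names DropTracker, record_drop, is_illegal and handle_access_request; the device identifier is any string the network device uses to tell terminals apart (for instance the source IP).

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Set

WINDOW_SECONDS = 60.0     # counting period; assumption, the patent names no value
DROP_RATE_LIMIT = 0.5     # discards per second above which a device is flagged; assumption


class DropTracker:
    """Per-device count of discarded access requests over a sliding window."""

    def __init__(self, window: float = WINDOW_SECONDS,
                 rate_limit: float = DROP_RATE_LIMIT) -> None:
        self.window = window
        self.rate_limit = rate_limit
        self._drops: Dict[str, Deque[float]] = defaultdict(deque)
        self.illegal: Set[str] = set()

    def record_drop(self, device_id: str, now: float) -> float:
        """Record one discarded request and return discards per unit time
        (total discards in the window divided by the window length)."""
        times = self._drops[device_id]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()  # forget discards older than the counting period
        rate = len(times) / self.window
        if rate > self.rate_limit:
            self.illegal.add(device_id)  # once flagged, the device stays flagged
        return rate

    def is_illegal(self, device_id: str) -> bool:
        return device_id in self.illegal


def handle_access_request(tracker: DropTracker, device_id: str, now: float,
                          factor_received: bool, factor_valid: bool) -> str:
    """Fig. 4 decision plus the pre-check: 'block' for known illegal devices
    (no verification parameter is even issued), 'forward' when the encryption
    factor arrived and verified (S46), otherwise 'drop' and count it (S47)."""
    if tracker.is_illegal(device_id):
        return "block"
    if factor_received and factor_valid:
        return "forward"
    tracker.record_drop(device_id, now)
    return "drop"


if __name__ == "__main__":
    tracker = DropTracker(window=10.0, rate_limit=1.0)
    # Constructed sequence: a device that never answers the challenge.
    for second in range(12):
        print(second, handle_access_request(tracker, "203.0.113.5", float(second), False, False))
```

The pre-check runs before the verification parameter is obtained, which is what saves the network device the HMAC computation and the wait for a response once a device has been flagged; the sliding window means a burst of unanswered challenges is what trips the threshold, not the lifetime total.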
Fig. 5 shows a flowchart of still another implementation of the communication method provided by the present application, which may include:
step S51: the first terminal equipment sends an access request to a network server;
the access request may be an access request conforming to the HTTP protocol.
Step S52: the first terminal equipment receives verification parameters, and the verification parameters are acquired by network equipment after intercepting an access request sent by the first terminal equipment to a network server and are sent to the first terminal equipment;
step S53: the first terminal equipment calculates an encryption factor according to the verification parameter;
After receiving the verification parameter, the first terminal device calculates the encryption factor from it; the first terminal device and the network device calculate the encryption factor with the same method.
Optionally, the first terminal device may calculate the encryption factor according to the verification parameter and the identification code of the first terminal device.
Alternatively, the first terminal device may calculate the encryption factor according to equation (4):
$sessionkey-a = HMAC($key1, $imei, $js1) (4)
where $sessionkey-a is the encryption factor; $key1 is a key shared by the network device and the first terminal device; $imei is the identifier (such as an IMEI) or a random number of the first terminal device; and $js1 is the verification parameter.
Optionally, the first terminal device may also calculate an encryption factor according to the verification parameter, the identification code of the first terminal device, and a timestamp when the first terminal device receives the verification parameter.
Alternatively, the first terminal device may calculate the encryption factor according to equation (5):
$sessionkey-a = HMAC($key1, $imei, $timestamp, $js1) (5)
where $sessionkey-a is the encryption factor; $key1 is a key shared by the network device and the terminal device; $imei is the identifier (such as an IMEI) or a random number of the first terminal device; $timestamp is the timestamp; and $js1 is the verification parameter.
Step S54: and the first terminal equipment sends the encryption factor to the network server.
The encryption factor is intercepted by the network equipment and then verified, if the encryption factor passes the verification, the network equipment forwards the access request sent by the first terminal equipment to the network server, otherwise, the access request is not forwarded to the network server.
The first terminal device may send the encryption factor as a URL parameter, and the URL of the sent GET request may be in the form (where there may be multiple parameters):
http://www.example.com/?SK=$sessionkey&IMEI=$imei
where SK is the encryption factor to be verified, submitted by the user, and IMEI is some identifiable number of the user's own device (for example the IMEI code of a mobile phone, or a randomly generated number on a PC).
In this embodiment, the first terminal device needs to pass the authentication before accessing the network server.
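The whole exchange, network-device steps S21-S24 and S31-S32 together with terminal steps S51-S54, equations (1), (3) and (5) and the URL form above, as an added Python example that is not code from the patent or its applicant. It assumes: the HMAC of equation (1) is keyed with a secret held only by the network device (the patent's notation shows no key; DEVICE_SECRET here); HMAC-SHA256 over length-prefixed fields is the concrete HMAC(...) of the equations; the terminal returns the timestamp as an extra TS URL parameter so that the device can recompute equation (3); and a 30-second freshness window. The names DEVICE_SECRET, KEY1, FRESHNESS_WINDOW, verification_parameter, encryption_factor, terminal_response_url and verify_response are the example's own, and the addresses and IMEI are constructed.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed secrets for this example; in a deployment they are provisioned, not hard-coded.
DEVICE_SECRET = b"constructed-network-device-secret"  # assumption: key for equation (1)
KEY1 = b"constructed-shared-key-1"                    # $key1 of equations (2)-(5)
FRESHNESS_WINDOW = 30  # seconds a $timestamp stays acceptable; assumption, the patent sets none


def _hmac(key: bytes, *fields: str) -> str:
    """The patent's multi-argument HMAC(a, b, ...): fields are length-prefixed
    before hashing so that ("ab", "c") and ("a", "bc") produce different MACs."""
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verification_parameter(src_ip: str, dst_ip: str) -> str:
    """Equation (1): $js1 = HMAC($srcip, $dstip), keyed with the device secret so
    that only the network device can produce a valid $js1 for a given IP pair."""
    return _hmac(DEVICE_SECRET, src_ip, dst_ip)


def encryption_factor(key1: bytes, imei: str, js1: str,
                      timestamp: Optional[int] = None) -> str:
    """Equations (2)/(4) when timestamp is None, (3)/(5) otherwise.
    The terminal ($sessionkey-a) and the network device ($sessionkey-b)
    both call this, which is what makes the comparison in step S32 meaningful."""
    if timestamp is None:
        return _hmac(key1, imei, js1)
    return _hmac(key1, imei, str(timestamp), js1)


# ---- terminal side (steps S51-S54) ----
def terminal_response_url(imei: str, js1: str, timestamp: int,
                          base: str = "http://www.example.com/") -> str:
    """Build the GET URL of the patent's example, with the added TS parameter."""
    sk = encryption_factor(KEY1, imei, js1, timestamp)
    return f"{base}?SK={sk}&IMEI={imei}&TS={timestamp}"


# ---- network device side (steps S23-S24 and S31-S32) ----
def verify_response(url: str, src_ip: str, dst_ip: str, now: int) -> bool:
    """Recompute $js1 from the packet's source/destination IP (so no per-terminal
    state is kept), derive the local factor and compare in constant time."""
    query = parse_qs(urlparse(url).query)
    try:
        sk = query["SK"][0]
        imei = query["IMEI"][0]
        ts = int(query["TS"][0])
    except (KeyError, IndexError, ValueError):
        return False
    if abs(now - ts) > FRESHNESS_WINDOW:
        return False  # stale or replayed response
    js1 = verification_parameter(src_ip, dst_ip)
    local = encryption_factor(KEY1, imei, js1, ts)  # $sessionkey-b
    return hmac.compare_digest(local, sk)


if __name__ == "__main__":
    src, dst = "203.0.113.5", "198.51.100.7"  # constructed addresses
    js1 = verification_parameter(src, dst)       # S22: sent to the terminal
    url = terminal_response_url("490154203237518", js1, 1_700_000_000)  # S53-S54
    print("verified:", verify_response(url, src, dst, 1_700_000_005))  # S23-S24
```

Because $js1 is a keyed function of the source and destination IP, the network device can verify a response without remembering which challenge it sent to which terminal, which is what keeps the device itself cheap to run under a flood; the freshness window is the part that gives the timestamp variant of equations (3) and (5) its value, since without it an old SK would verify forever.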
Corresponding to the method embodiment, the application also provides a communication device. A schematic structural diagram of the communication device provided in the present application is shown in fig. 6, and may include:
an interception module 61, a parameter acquisition module 62, a verification module 63 and a first sending module 64; wherein,
the intercepting module 61 is used for intercepting an access request sent by the first terminal device to the network server;
the parameter acquiring module 62 is configured to acquire a verification parameter after the intercepting module intercepts an access request sent by a first terminal device to a network server, and send the verification parameter to the first terminal device;
the verification module 63 is configured to verify the encryption factor sent by the first terminal device when receiving the encryption factor sent by the first terminal device and corresponding to the verification parameter.
The first sending module 64 is configured to send the access request to the network server when the encryption factor sent by the first terminal device is verified.
According to the communication device provided by the application, when the terminal equipment sends the access request to the network server, the network equipment intercepts and captures the access request sent by the terminal equipment to the network server, then the terminal equipment is verified, and after the verification is passed, the access request is sent to the network server.
In the above embodiment, optionally, a schematic structural diagram of the parameter obtaining module 62 is shown in fig. 7, and may include:
a parameter obtaining unit 71, configured to obtain the verification parameter according to the identifier of the first terminal device and the identifier of the network server.
In the above embodiment, optionally, a schematic structural diagram of the verification module 63 is shown in fig. 8, and may include:
a first acquisition unit 81 and a first determination unit 82; wherein,
the first obtaining unit 81 is configured to obtain a local encryption factor;
the first determining unit 82 is configured to determine that the verification is passed when the encryption factor sent by the first terminal device is the same as the local encryption factor.
In the above embodiment, optionally, a schematic structural diagram of the first obtaining unit 81 is shown in fig. 9, and may include:
a first obtaining subunit 91, configured to calculate a local encryption factor according to the verification parameter and the identifier of the first terminal device.
In the above embodiment, optionally, another schematic structural diagram of the first obtaining unit 81 is shown in fig. 10, and may include:
and the second obtaining subunit 101 is configured to calculate a local encryption factor according to the verification parameter, the identification code of the first terminal device, and a timestamp when the first terminal device receives the verification parameter.
In the foregoing embodiment, optionally, on the basis of the embodiment shown in fig. 6, another schematic structural diagram of the communication device provided in this application is shown in fig. 11, and may further include:
a first discarding module 111, configured to discard the access request sent by the first terminal device when the encryption factor corresponding to the authentication parameter sent by the first terminal device is not received.
It should be noted that the first discarding module 111 is also applicable to the embodiment shown in any one of fig. 7 to 10.
In the foregoing embodiment, optionally, on the basis of the embodiment shown in fig. 6, another schematic structural diagram of the communication device provided in this application is shown in fig. 12, and may further include:
a second discarding module 121, configured to discard the access request sent by the first terminal device when the authentication fails.
It should be noted that the second discarding module 121 is also applicable to the embodiment shown in any one of fig. 7 to 11.
On the basis of the embodiment shown in fig. 11, another schematic structural diagram of the communication device provided by the present application is shown in fig. 13, and may further include:
a statistics module 131 and a determination module 132; wherein,
the counting module 131 is configured to count the number of times that the access request sent by the first terminal device is discarded in a unit time;
the determining module 132 is configured to determine that the first terminal device is an illegal user device when the number of times that the access request sent by the first terminal device is discarded in a unit time is greater than a preset threshold.
It should be noted that the statistical module 131 and the determination module 132 provided in this embodiment may also be applied to the embodiment shown in fig. 12.
In the foregoing embodiment, optionally, on the basis of the embodiment shown in fig. 13, another schematic structural diagram of the communication device provided in this application is shown in fig. 14, and may further include:
a first judging module 141 and a third discarding module 142; wherein,
the first determining module 141 is configured to determine whether the first terminal device is an illegal user device after the intercepting module 61 intercepts an access request sent by the first terminal device to the network server;
the third discarding module 142 is configured to discard the access request when the first determining module determines that the first terminal device is an illegal user device;
the parameter obtaining module 62 is specifically configured to, when the first determining module 141 determines that the first terminal device is not an illegal user device, obtain a verification parameter, and send the verification parameter to the first terminal device.
In this embodiment, after determining that the first terminal device is an illegal user device, if an access request sent by the first terminal device is received, the access request is directly discarded without verifying the validity of the first terminal device, so that the resource consumption of the network device is reduced.
Further, the third discarding module 142 may further block the connection between the first terminal device and the network server after discarding the access request, so that the first terminal device cannot send the access request any more.
In the foregoing embodiment, optionally, on the basis of the embodiment shown in fig. 13, another schematic structural diagram of the communication device provided in this application is shown in fig. 15, and may further include:
a second determination module 151 and a connection control module 152; wherein,
the second determining module 151 is configured to determine whether the first terminal device is an illegal user device after the intercepting module 61 intercepts an access request sent by the first terminal device to the network server;
the connection control module 152 is configured to disconnect the connection between the first terminal device and the network server when the second determining module determines that the first terminal device is an illegal user device;
the parameter obtaining module 62 is specifically configured to, when the second determining module 151 determines that the first terminal device is not an illegal user device, obtain a verification parameter, and send the verification parameter to the first terminal device.
In this embodiment, after determining that the first terminal device is an illegal user device, if an access request sent by the first terminal device is received, the connection between the first terminal device and the network device is directly blocked, so that the first terminal device cannot send the access request any more.
Further, the connection control module 152 may also discard the access request sent by the first terminal device, so as to prevent the access request from occupying memory of the network device.
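The discard counting of modules 131 and 132 and the two treatments of an illegal user device (discarding the request as in fig. 14, disconnecting as in fig. 15), as an added Python example that is not the patent's own code. The challenge/response check of module 63 is passed in as verify_fn rather than repeated here; the sliding window, the monotonic clock and the names AccessGate, handle and illegal_action are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Optional


class AccessGate:
    """Counting module 131, determination module 132 and the gating in figs. 14 and 15.

    verify_fn stands in for the challenge/response check of module 63 and
    returns True (passed), False (failed) or None (no encryption factor received).
    """

    FORWARD, DROP, DISCONNECT = "forward", "drop", "disconnect"

    def __init__(self, verify_fn: Callable[[str, str], Optional[bool]],
                 threshold: int, unit_time: float,
                 illegal_action: str = DROP):
        self.verify_fn = verify_fn
        self.threshold = threshold              # the page's "preset threshold"
        self.unit_time = unit_time              # the page's "unit time", in seconds
        self.illegal_action = illegal_action    # fig. 14: DROP; fig. 15: DISCONNECT
        self.drop_times: dict[str, deque] = defaultdict(deque)  # terminal id -> discard times
        self.illegal: set[str] = set()

    def _record_discard(self, terminal_id: str, now: float) -> None:
        """Module 131: count discards per terminal in a sliding window of one unit time."""
        window = self.drop_times[terminal_id]
        window.append(now)
        while window and now - window[0] > self.unit_time:
            window.popleft()
        if len(window) > self.threshold:        # module 132: strictly greater than the threshold
            self.illegal.add(terminal_id)

    def handle(self, terminal_id: str, request: str, now: Optional[float] = None) -> str:
        """Intercept one access request and decide what the network device does with it."""
        now = time.monotonic() if now is None else now
        if terminal_id in self.illegal:
            # Judged illegal earlier: no verification parameter is issued and no
            # factor is recomputed, which is the resource saving the page describes.
            return self.illegal_action
        if self.verify_fn(terminal_id, request) is True:
            return self.FORWARD                 # module 64: pass the request on to the server
        self._record_discard(terminal_id, now)  # modules 111/121: factor missing or wrong
        return self.DROP
```

A terminal is only flagged once its discards within one unit time exceed the threshold, so a single failed verification does not block it; once flagged, its later requests are answered without running the verification at all.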
The present application also provides a network device having the communication apparatus as shown in any one of fig. 6 to 15.
Fig. 16 is a block diagram illustrating a hardware structure of a network device provided in the present application, where the network device may include:
a processor 1, a communication interface 2, a memory 3 and a communication bus 4;
wherein, the processor 1, the communication interface 2 and the memory 3 complete the communication with each other through the communication bus 4;
optionally, the communication interface 2 may be an interface of a communication module, such as an interface of a GSM module, or an ethernet interface, etc.;
a processor 1 for executing a program;
a memory 3 for storing a program;
the program may include program code including computer operating instructions.
The processor 1 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
The memory 3 may comprise a high-speed RAM memory, and may further comprise a non-volatile memory (non-volatile memory), such as at least one disk memory.
The program may specifically be used for:
intercepting an access request sent by a first terminal device to a network server;
acquiring a verification parameter and sending the verification parameter to the first terminal equipment;
if the encryption factor which is sent by the first terminal equipment and corresponds to the verification parameter is received, verifying the encryption factor sent by the first terminal equipment according to the verification parameter;
and when the authentication is passed, sending the access request to the network server.
Fig. 17 shows another schematic structural diagram of a communication device provided by the present application, which may include:
a second transmitting module 171, a receiving module 172, a calculating module 173, and a third transmitting module 174; wherein,
the second sending module 171 is configured to send an access request to the web server;
the receiving module 172 is configured to receive a verification parameter, where the verification parameter is obtained after a network device intercepts an access request sent by the first terminal device to a network server, and is sent to the first terminal device;
the calculation module 173 is configured to calculate an encryption factor according to the verification parameter;
the third sending module 174 is configured to send the encryption factor to the network server.
In this embodiment, the first terminal device needs to pass the authentication before accessing the network server.
In the above embodiment, optionally, a schematic structural diagram of the calculating module 173 is shown in fig. 18, and may include:
the first calculating unit 181 is configured to calculate the encryption factor according to the verification parameter and the identification code of the first terminal device.
In the above embodiment, optionally, another structural schematic diagram of the calculation module 173 is shown in fig. 19, and may include:
the second calculating unit 191 is configured to calculate the encryption factor according to the verification parameter, the identifier of the first terminal device, and a timestamp of the first terminal device when receiving the verification parameter.
The present application also provides a terminal device having the communication apparatus according to the embodiment shown in any one of fig. 17 to 19.
The following describes a hardware structure of a terminal device according to an embodiment of the present invention, and the following description refers to the embodiment shown in fig. 5. The terminal device may be any communication device such as a mobile phone, a tablet computer, a PDA (personal digital Assistant), a vehicle-mounted computer, and the like, taking the terminal device as the mobile phone as an example:
fig. 20 is a block diagram showing a partial structure of a cellular phone related to a terminal device provided in an embodiment of the present invention. Referring to fig. 20, the handset includes: radio Frequency (RF) circuitry 1110, memory 1120, input unit 1130, display unit 1140, sensors 1150, audio circuitry 1160, wireless fidelity (WiFi) module 1170, processor 1180, and power supply 1190. Those skilled in the art will appreciate that the handset configuration shown in fig. 20 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
The following describes the components of the mobile phone in detail with reference to fig. 20:
The memory 1120 may be used to store software programs and modules, and the processor 1180 may execute various functional applications and data processing of the mobile phone by operating the software programs and modules stored in the memory 1120. The memory 1120 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. Further, the memory 1120 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
The input unit 1130 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the cellular phone. Specifically, the input unit 1130 may include a touch panel 1131 and other input devices 1132. Touch panel 1131, also referred to as a touch screen, can collect touch operations of a user on or near the touch panel 1131 (for example, operations of the user on or near touch panel 1131 by using any suitable object or accessory such as a finger or a stylus pen), and drive corresponding connection devices according to a preset program. Alternatively, the touch panel 1131 may include two parts, namely, a touch detection device and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts the touch information into touch point coordinates, sends the touch point coordinates to the processor 1180, and can receive and execute commands sent by the processor 1180. In addition, the touch panel 1131 can be implemented by using various types, such as resistive, capacitive, infrared, and surface acoustic wave. The input unit 1130 may include other input devices 1132 in addition to the touch panel 1131. In particular, other input devices 1132 may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 1140 may be used to display information input by the user or information provided to the user and various menus of the cellular phone. The display unit 1140 may include a display panel 1141, and optionally, the display panel 1141 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like. Further, the touch panel 1131 can cover the display panel 1141; when the touch panel 1131 detects a touch operation on or near it, the operation is transmitted to the processor 1180 to determine the type of the touch event, and the processor 1180 then provides a corresponding visual output on the display panel 1141 according to the type of the touch event. Although in fig. 20 the touch panel 1131 and the display panel 1141 are two independent components implementing the input and output functions of the mobile phone, in some embodiments the touch panel 1131 and the display panel 1141 may be integrated to implement the input and output functions of the mobile phone.
The handset may also include at least one sensor 1150, such as a light sensor, motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 1141 according to the brightness of ambient light, and the proximity sensor may turn off the display panel 1141 and/or the backlight when the mobile phone moves to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when stationary, and can be used for applications of recognizing the posture of a mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured on the mobile phone, further description is omitted here.
WiFi belongs to short-distance wireless transmission technology, and the cell phone can help a user to receive and send e-mails, browse webpages, access streaming media and the like through the WiFi module 1170, and provides wireless broadband internet access for the user. Although fig. 20 shows the WiFi module 1170, it is understood that it does not belong to the essential constitution of the handset, and can be omitted entirely as needed within the scope not changing the essence of the invention.
The processor 1180 is a control center of the mobile phone, and is connected to various parts of the whole mobile phone through various interfaces and lines, and executes various functions of the mobile phone and processes data by operating or executing software programs and/or modules stored in the memory 1120 and calling data stored in the memory 1120, thereby performing overall monitoring of the mobile phone. Optionally, processor 1180 may include one or more processing units; preferably, the processor 1180 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated within processor 1180.
The phone also includes a power supply 1190 (e.g., a battery) for powering the various components, and preferably, the power supply may be logically connected to the processor 1180 via a power management system, so that the power management system may manage charging, discharging, and power consumption management functions.
Although not shown, the mobile phone may further include a camera, a bluetooth module, etc., which are not described herein.
In this embodiment of the present invention, the processor 1180 included in the communication device further has the following functions:
sending an access request to a network server;
receiving a verification parameter, wherein the verification parameter is acquired by the network device after intercepting the access request sent by the first terminal device to the network server, and is sent to the first terminal device;
calculating an encryption factor according to the verification parameter;
and sending the encryption factor to the network server.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (13)
1. A method of communication, comprising:
the network equipment intercepts and captures an access request sent by the first terminal equipment to the network server;
the network device judges whether the first terminal device is an illegal user device; if the first terminal device is an illegal user device, the connection between the first terminal device and the network server is disconnected; otherwise, the network device acquires a verification parameter according to the identifier of the first terminal device and the identifier of the network server, and sends the verification parameter to the first terminal device; the verification parameter is used by the first terminal device to calculate an encryption factor;
if the network device receives the encryption factor which is sent by the first terminal device in a URL parameter mode and corresponds to the verification parameter, the network device: calculating a local encryption factor according to the verification parameter and the identification code of the first terminal equipment; or calculating a local encryption factor according to the verification parameter, the identification code of the first terminal device and the timestamp of the first terminal device when receiving the verification parameter;
when the encryption factor sent by the first terminal equipment is the same as the local encryption factor, determining that the authentication is passed;
and when the authentication is passed, the network equipment sends the access request to the network server.
2. The method of claim 1, further comprising:
and if the network equipment does not receive the encryption factor which is sent by the first terminal equipment in a URL parameter mode and corresponds to the verification parameter, discarding the access request sent by the first terminal equipment.
3. The method of claim 1, further comprising:
and when the verification is not passed, the network equipment discards the access request sent by the first terminal equipment.
4. The method of claim 2 or 3, further comprising:
the network device counts the number of times that an access request sent by a first terminal device is discarded in a unit time;
when the number of times that an access request sent by a first terminal device is discarded in a unit time is greater than a preset threshold value, determining that the first terminal device is an illegal user device.
5. The method of claim 4, further comprising, after the network device intercepts the access request sent by the first terminal device to the network server and before it acquires the verification parameter:
judging whether the first terminal equipment is illegal user equipment or not;
if the first terminal equipment is illegal user equipment, discarding the access request; otherwise, executing the step of obtaining the verification parameters.
6. A communications apparatus, comprising:
an interception module, used for intercepting an access request sent by the first terminal device to the network server;
the second judging module is used for judging whether the first terminal equipment is illegal user equipment or not after the intercepting module intercepts an access request sent by the first terminal equipment to the network server;
a connection control module, configured to disconnect the connection between the first terminal device and the network server when the second determining module determines that the first terminal device is an illegal user device; a parameter obtaining module, configured to, after the interception module intercepts the access request sent by the first terminal device to the network server and when the second determining module determines that the first terminal device is not an illegal user device, obtain a verification parameter according to the identifier of the first terminal device and the identifier of the network server, and send the verification parameter to the first terminal device;
the verification module is used for calculating a local encryption factor according to the verification parameter and the identification code of the first terminal equipment when receiving the encryption factor which is sent by the first terminal equipment in a URL parameter mode and corresponds to the verification parameter; or calculating a local encryption factor according to the verification parameter, the identification code of the first terminal device and the timestamp of the first terminal device when receiving the verification parameter; when the encryption factor sent by the first terminal equipment is the same as the local encryption factor, determining that the authentication is passed;
and the first sending module is used for sending the access request to the network server when the authentication is passed.
7. The apparatus of claim 6, further comprising:
and the first discarding module is used for discarding the access request sent by the first terminal equipment when the encryption factor corresponding to the verification parameter and sent by the first terminal equipment in a URL parameter mode is not received.
8. The apparatus of claim 6, further comprising:
and the second discarding module is used for discarding the access request sent by the first terminal equipment when the authentication fails.
9. The apparatus of claim 7 or 8, further comprising:
a counting module for counting the number of times that an access request transmitted by a first terminal device is discarded in a unit time;
the determining module is used for determining that the first terminal equipment is illegal user equipment when the number of times that the access request sent by the first terminal equipment is discarded in unit time is larger than a preset threshold value.
10. The apparatus of claim 9, further comprising:
the first judging module is used for judging whether the first terminal equipment is illegal user equipment or not after the intercepting module intercepts an access request sent by the first terminal equipment to a network server;
a third discarding module, configured to discard the access request when the first determining module determines that the first terminal device is an illegal user device;
the parameter obtaining module is configured to obtain a verification parameter when the first determining module determines that the first terminal device is not an illegal user device, and send the verification parameter to the first terminal device.
11. A network device comprising a communication apparatus according to any of claims 6-10.
12. A communication system, comprising: a terminal device and a network device according to claim 11; the terminal device is used for sending an access request to a network server; after receiving the verification parameter, which the network device acquires after intercepting the access request sent by the terminal device to the network server and sends to the terminal device, calculating an encryption factor according to the verification parameter and the identification code of the terminal device, or calculating the encryption factor according to the verification parameter, the identification code of the terminal device, and the timestamp at which the terminal device received the verification parameter; and sending the encryption factor to the network device as a URL parameter.
13. A readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the communication method according to any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410631328.3A CN105577627B (en) | 2014-11-11 | 2014-11-11 | Communication method, device, network equipment, terminal equipment and communication system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410631328.3A CN105577627B (en) | 2014-11-11 | 2014-11-11 | Communication method, device, network equipment, terminal equipment and communication system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105577627A CN105577627A (en) | 2016-05-11 |
CN105577627B true CN105577627B (en) | 2020-08-28 |
Family
ID=55887290
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410631328.3A Active CN105577627B (en) | 2014-11-11 | 2014-11-11 | Communication method, device, network equipment, terminal equipment and communication system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105577627B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018120217A1 (en) * | 2016-12-30 | 2018-07-05 | 华为技术有限公司 | Verification method and apparatus for key requester |
CN106657165B (en) * | 2017-03-09 | 2020-08-04 | 腾讯科技(深圳)有限公司 | Network attack defense method, server and terminal |
CN108055275A (en) * | 2017-12-25 | 2018-05-18 | 中山市得高行知识产权中心(有限合伙) | A security control system for Internet application equipment |
CN113811022B (en) * | 2021-08-12 | 2024-03-12 | 天翼物联科技有限公司 | Abnormal terminal rejection method, system, device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101175013A (en) * | 2006-11-03 | 2008-05-07 | 飞塔信息科技(北京)有限公司 | A denial of service attack protection method, network system and proxy server |
CN101180826A (en) * | 2004-01-26 | 2008-05-14 | 思科技术公司 | Higher level protocol authentication |
CN101834867A (en) * | 2010-05-07 | 2010-09-15 | 杭州华三通信技术有限公司 | Client security protection method and device |
CN102148683A (en) * | 2010-02-04 | 2011-08-10 | 上海果壳电子有限公司 | Dual-factor authentication method based on HASH chip or encryption chip |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101436958B (en) * | 2007-11-16 | 2011-01-26 | 太极计算机股份有限公司 | Method for resisting abnegation service aggression |
CN102164033B (en) * | 2010-02-24 | 2014-05-28 | 腾讯科技(深圳)有限公司 | Method, device and system for preventing services from being attacked |
CN103546486A (en) * | 2013-11-04 | 2014-01-29 | 北京荣之联科技股份有限公司 | SYN Cookie source authentication method and device for preventing DDOS attack |
Application Events
- 2014-11-11: CN CN201410631328.3A patent/CN105577627B/en active (Active)
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101180826A (en) * | 2004-01-26 | 2008-05-14 | 思科技术公司 | Higher level protocol authentication |
CN101175013A (en) * | 2006-11-03 | 2008-05-07 | 飞塔信息科技(北京)有限公司 | A denial of service attack protection method, network system and proxy server |
CN102148683A (en) * | 2010-02-04 | 2011-08-10 | 上海果壳电子有限公司 | Dual-factor authentication method based on HASH chip or encryption chip |
CN101834867A (en) * | 2010-05-07 | 2010-09-15 | 杭州华三通信技术有限公司 | Client security protection method and device |
Also Published As
Publication number | Publication date |
---|---|
CN105577627A (en) | 2016-05-11 |
Similar Documents
Publication | Title |
---|---|
JP6548348B2 (en) | Message protection method and related device and system |
CN109905380B (en) | Node control method and related device in distributed system |
US20150229669A1 (en) | Method and device for detecting distributed denial of service attack |
CN109768977B (en) | Streaming media data processing method and device, related equipment and medium |
CN107466041B (en) | Method and device for identifying pseudo base station and mobile terminal |
CN106657165B (en) | Network attack defense method, server and terminal |
CN104683301B (en) | Password storage method and device |
WO2014180123A1 (en) | Method of access protection from malicious web address and relevant apparatus |
CN107087007A (en) | Network attack defence method, relevant device and system |
US10237291B2 (en) | Session processing method and device, server and storage medium |
CN110622539A (en) | Detecting a fake cell tower |
CN112153032B (en) | Information processing method, device, computer readable storage medium and system |
CN105577627B (en) | Communication method, device, network equipment, terminal equipment and communication system |
CN108616878B (en) | Encryption and decryption method, equipment and computer storage medium |
CN113037741A (en) | Authentication method and related device |
WO2023151256A1 (en) | Weak password blasting attack protection method and apparatus, medium, and electronic device |
CN107302526B (en) | System interface calling method, device and computer readable storage medium |
CN104378327A (en) | Network attack protection method, device and system |
CN107708115B (en) | Redirection control method and device and mobile terminal |
CN107835167A (en) | Data protection method, terminal and computer-readable recording medium |
CN114389825B (en) | Data communication method based on block chain and related device |
CN111031004B (en) | Service flow processing method, service flow learning method, device and system |
CN115379425A (en) | Bluetooth attack detection method, device, storage medium and mobile terminal |
CN109873787B (en) | Access authentication method, device and system |
CN116094759B (en) | Network detection method and device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| GR01 | Patent grant | |