CN110417679B - Method, device and system for avoiding bypass blocking - Google Patents


Info

Publication number
CN110417679B
Authority
CN
China
Prior art keywords
reset
packet
receiving
server
condition
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810388128.8A
Other languages
Chinese (zh)
Other versions
CN110417679A (en)
Inventor
刘廷伟
闵庆欢
朱照远
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201810388128.8A
Publication of CN110417679A
Application granted
Publication of CN110417679B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/26 Flow control; Congestion control using explicit feedback to the source, e.g. choke packets
    • H04L47/28 Flow control; Congestion control in relation to timing considerations
    • H04L47/283 Flow control; Congestion control in relation to timing considerations in response to processing delays, e.g. caused by jitter or round trip time [RTT]
    • H04L47/32 Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/14 Session management
    • H04L67/50 Network services
    • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, a device and a system for avoiding bypass blocking. The method comprises the following steps: judging whether a received data packet is a reset packet; if a reset packet is received, judging whether a preset delayed reset clock exists; if so, discarding the reset packet and receiving the response message fed back by the server; if not, setting a delayed reset clock, discarding the reset packet, and receiving the response message fed back by the server. The invention solves the technical problem that normal services cannot be accessed normally when a bypass traffic blocking device is applied.

Description

Method, device and system for avoiding bypass blocking
Technical Field
The invention relates to the field of Internet technology application, in particular to a method, a device and a system for avoiding bypass blocking.
Background
In a Content Delivery Network (CDN) system, an operator deploys a bypass traffic blocking device for security reasons (for example, against illegal links), but the device may erroneously block a normal service request, which results in a high failure rate of Hypertext Transfer Protocol (http) requests when a CDN node fetches content back from the client's source station.
The current solutions to this problem are as follows:
http over Secure Socket Layer (https) has improved security (encryption) compared to http, so it can avoid being mistakenly killed by a bypass blocking device; but because https must encrypt and decrypt, it consumes Central Processing Unit (CPU) capacity. https therefore causes a performance degradation, in certain cases a system performance degradation of more than 30%.
However, the client's source station may not support https, so the https scheme requires the CDN to provide an intermediate https-to-http translation layer, which increases operation and maintenance cost;
in addition, https back-to-source is lossy for both computation and bandwidth, https can only address blocking of layer-7 request content, and the https solution cannot address layer-4 bypass blocking.
Another solution is to use a layer-3 request (e.g. a VPN protocol), which has the following problem: because a private protocol is used, intermediate equipment is required for protocol conversion, which increases operation and maintenance cost.
In view of the above problem that normal services cannot be accessed normally due to the application of the bypass traffic blocking device, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the invention provides a method, a device and a system for avoiding bypass blocking, which at least solve the technical problem that normal services cannot be normally accessed due to the application of bypass flow blocking equipment.
According to an aspect of the embodiments of the present invention, there is provided a method of avoiding bypass blocking, including: judging whether the received data packet is a reset packet or not; under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not; if the judgment result is yes, discarding the reset packet, and receiving a response message fed back by the server according to the sent request message; and if the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server according to the sent request message.
Optionally, setting the delayed reset clock includes: setting the delayed reset clock according to the current time, the smoothed round-trip time, and the variance.
Further, optionally, the duration of the delayed reset clock is set to a preset multiple of the smoothed round-trip time.
Optionally, the method further includes: triggering the reset to close the connection when the preset delayed reset clock times out.
Optionally, after determining whether the received data packet is a reset packet, the method includes: if it is not a reset packet, judging whether a preset delayed reset clock exists; if no preset delayed reset clock exists, executing the processing flow corresponding to the data packet; and if a preset delayed reset clock exists, deleting the preset delayed reset clock and executing the processing flow corresponding to the data packet.
Further, optionally, the processing flow includes: in the handshake communication flow, in a case where the request message includes a handshake request message, the processing flow includes: receiving a handshake response message; or, in the network layer request flow, the request message includes a network layer request message, and the processing flow includes: a network layer response message is received.
According to another aspect of the embodiments of the present invention, there is also provided an apparatus for avoiding bypass blocking, including: the first judging module is used for judging whether the received data packet is a reset packet or not; the second judgment module is used for judging whether a preset delay reset clock exists or not under the condition of receiving the reset packet; the first receiving module is used for discarding the reset packet and receiving a response message fed back by the server according to the sent request message under the condition that the judgment result is yes; and the second receiving module is used for setting a delay reset clock, discarding the reset packet and receiving a response message fed back by the server according to the sent request message under the condition that the judgment result is negative.
According to another aspect of the embodiments of the present invention, there is also provided a system for avoiding bypass blocking, including: the system comprises a client, bypass flow blocking equipment and a server, wherein the client sends a request message to the server; the bypass flow blocking equipment sends a reset packet to the client; the client judges whether the received data packet is a reset packet or not; under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not; if the judgment result is yes, discarding the reset packet and receiving a response message fed back by the server; and if the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server.
Optionally, in the process of establishing a connection between the client and the server, the request message includes: a handshake request; or, in the process of data interaction between the client and the server, the request message includes: requesting data; wherein the data request comprises: a hypertext transfer protocol request.
According to still another aspect of the embodiments of the present invention, there is provided a storage medium including a stored program, wherein when the program runs, a device on which the storage medium is located is controlled to perform: judging whether the received data packet is a reset packet or not; under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not; if the judgment result is yes, discarding the reset packet and receiving a response message fed back by the server; and if the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server.
According to still another aspect of the embodiments of the present invention, there is further provided a processor, configured to execute the program, where the program executes: judging whether the received data packet is a reset packet or not; under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not; if the judgment result is yes, discarding the reset packet, and receiving a response message fed back by the server; and if the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server.
In the embodiment of the invention, a mode of triggering the closing of the reset process by a delay reset clock is adopted, and whether the received data packet is a reset packet or not is judged; under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not; if the judgment result is yes, discarding the reset packet and receiving a response message fed back by the server; and if the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server, so as to achieve the purpose of avoiding the influence of bypass blocking on http service access, thereby achieving the technical effect of reducing the operation and maintenance cost, and further solving the technical problem that normal service cannot be normally accessed due to the application of bypass flow blocking equipment.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a block diagram of a hardware structure of a computer terminal of a method for avoiding bypass blocking according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for avoiding bypass blocking according to a first embodiment of the invention;
FIG. 3 is a flow chart of another method for circumventing bypass blocking according to a first embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a device for avoiding bypass blocking according to a second embodiment of the invention;
FIG. 5a is a schematic diagram of a system for avoiding bypass blocking according to a third embodiment of the present invention, in which a bypass traffic blocking device is not involved in interaction between a client and a server;
FIG. 5b is an interaction diagram of a system for avoiding bypass blocking interacting at layer 4 according to a third embodiment of the present invention;
FIG. 5c is an interaction diagram of a system for avoiding bypass blocking interacting at layer 7 according to a third embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in other sequences than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The technical terms related to the present application are as follows:
SYN: a handshake signal used when the Transmission Control Protocol/Internet Protocol (TCP/IP) establishes a connection;
RTT: Round-Trip Time, the round-trip time measured for a message sample;
SRTT: Smoothed Round-Trip Time.
Example 1
There is also provided, in accordance with an embodiment of the present invention, an embodiment of a method of circumventing bypass blocking, it being noted that the steps illustrated in the flowchart of the figure may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than that presented herein.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking the example of running on a computer terminal, fig. 1 is a hardware structure block diagram of the computer terminal of the method for avoiding bypass blocking according to the embodiment of the present invention. As shown in fig. 1, the computer terminal 10 may include one or more (only one shown) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission module 106 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be configured to store software programs and modules of application software, such as program instructions/modules corresponding to the method for avoiding bypass blocking in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, the method for avoiding bypass blocking of the application software described above is implemented. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
Under the operating environment, the application provides a method for avoiding bypass blocking as shown in fig. 2. Fig. 2 is a flowchart of a method for avoiding bypass blocking according to an embodiment of the present invention. On the client side, the method for avoiding bypass blocking provided by the application specifically comprises the following steps:
step S202, judging whether the received data packet is a reset packet;
In step S202, the method for avoiding bypass blocking provided by the present application is applicable to a communication system composed of a client, a bypass traffic blocking device, and a server. At the client, after the client sends a request message to the server, it receives a data packet and determines whether the packet is a reset packet; if so, step S204 is executed.
According to the method for avoiding bypass blocking, when no reset packet is received, that is, when the received data packet is not a reset packet, the corresponding operation is performed according to the current service requirement; for example, if a handshake response message is received, the communication service proceeds according to the handshake response, that is, the data to be transmitted is sent to the other device. This is only an example, and the method for avoiding bypass blocking provided by the present application is not limited to it.
Step S204, under the condition of receiving the reset packet, judging whether a preset delay reset clock exists or not;
In step S204, if the data packet is a reset packet, the client determines whether a preset delayed reset clock exists; if so, it performs step S206, and if not, it performs step S208.
Here, the reset packet is described taking the reset packet sent by the bypass traffic blocking device as an example.
Step S206, under the condition that the judgment result is yes, discarding the reset packet, and receiving a response message fed back by the server according to the sent request message;
and step S208, if the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server according to the sent request message.
In summary, as shown in fig. 2, after the client sends the request message, at whatever layer (taking layer 4 and layer 7 as examples), it determines on receiving a data packet whether the packet is a reset packet; if so, it determines whether a preset delayed reset clock exists, and if one exists, the reset packet is discarded and the response message sent by the server is received; if no clock exists, a delayed reset clock is set, the reset packet is discarded, and the response message fed back by the server according to the sent request message is received.
Beyond the above implementation, the absence of a preset delayed reset clock may also mean that the earlier clock has timed out, that is, no reset packet arrived within it; in that case the delayed reset clock is set anew, the reset packet is discarded, and the response message sent by the server is received.
The reason the client receives a reset packet from the bypass traffic blocking device is that an operator deploys such a device for security reasons (for example, against illegal links), but the device may mistakenly block a normal service request; in the prior art, the client stops receiving any externally fed-back data packet after receiving the reset packet, so the request failure rate is high.
The method for avoiding bypass blocking provided by the application instead sets a preset delayed reset clock, referred to as the delay reset timer: after receiving a reset packet sent by the bypass traffic blocking device, the client does not immediately stop receiving externally fed-back data packets but makes a further judgment within the delay reset timer, which solves the problem that a normal http service cannot be accessed normally when a bypass traffic blocking device is applied. This avoids the operation, maintenance and compatibility problems of the conventional https scheme, avoids the cases that the https scheme does not solve in the communication of a specific layer, requires no extra equipment for protocol conversion, and reduces operation and maintenance cost.
It should be noted that the client provided in the embodiment of the present application may include a terminal device or a server, and the present application takes the client as the server for description, so as to implement the method for avoiding bypass blocking provided by the present application, which is not particularly limited.
In the embodiment of the invention, a mode of triggering the closing of the reset process by a delay reset clock is adopted, and whether the received data packet is a reset packet or not is judged; under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not; if the judgment result is yes, discarding the reset packet, and receiving a response message fed back by the server according to the sent request message; and if the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server according to the sent request message, so as to achieve the purpose of avoiding the influence of bypass blocking on http service access, thereby achieving the technical effect of reducing the operation and maintenance cost, and further solving the technical problem that normal service cannot be normally accessed due to the application of bypass flow blocking equipment.
Specifically, fig. 3 is a flowchart of another method for avoiding bypass blocking according to the first embodiment of the present invention. As shown in fig. 3, before deciding that the received data packet is a reset packet, the client receives the data packet and determines whether it is a reset packet; if it is, steps S202 to S208 of the present application are executed, and if it is not, steps S205 to S209 of the present application are executed.
Optionally, the setting of the delayed reset clock in step S206 includes:
in step S2061, the delay reset clock is set according to the current time, the smooth round trip time, and the variance.
Specifically, as shown in fig. 3, setting the delayed reset clock according to the current time, the smoothed round-trip time and the variance proceeds as follows: the current time is denoted now, the smoothed round-trip time is denoted SRTT, and the RTT variance is denoted delta, so the delayed reset clock after setting is:
delay reset timer = now + 2SRTT + delta    (1)
The time set by the delay reset timer is not limited to the point value 2SRTT but may vary with the specific situation; for example, 1.5SRTT is also possible. The 2 in 2SRTT in formula (1) is a multiple (that is, the duration of the delayed reset clock is a preset multiple of the smoothed round-trip time); the application takes 2SRTT as the example when explaining the method for avoiding bypass blocking, without specific limitation.
Optionally, the method for avoiding bypass blocking provided by the present application further includes:
step S210, triggering the reset to close the connection when the preset delayed reset clock times out.
Specifically, as shown in fig. 3, when the delay reset timer times out, the flow of resetting to close the connection is triggered.
Further, optionally, after determining whether the received data packet is a reset packet in step S202, the method for avoiding bypass blocking specifically includes:
step S205, under the condition that the judgment result is negative, judging whether a preset delay reset clock exists or not;
step S207, executing a processing flow corresponding to the data packet if the determination result indicates that the preset delayed reset clock does not exist;
in step S209, when the determination result indicates that the preset delayed reset clock exists, the preset delayed reset clock is deleted, and a processing flow corresponding to the data packet is executed.
Specifically, as shown in fig. 3, when the received data packet is not a reset packet, it is determined whether a preset delayed reset clock exists; if none exists, the data packet is pushed to the protocol stack flow for processing; and if one exists, the preset delayed reset clock has been invalidated because the packet is not a reset packet, so the clock is deleted and the data packet is pushed to the protocol stack flow for processing.
Further, optionally, the processing flow includes: in the handshake communication flow, in a case where the request message includes a handshake request message, the processing flow includes: receiving a handshake response message; or, in the network layer request flow, the request message includes a network layer request message, and the processing flow includes: a network layer response message is received.
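The client-side decision logic of steps S202 to S210, written out as a small Python simulation; this is an added example, not code from the patent or from Alibaba. The Packet and Connection classes, the packet traces and the timing values are constructed assumptions, and the multiple of SRTT in formula (1) is taken as 2. It shows why a reset injected by a bypass device no longer tears down a connection that the server is still answering, and that a reset followed by silence still closes the connection once the window expires.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Preset multiple of SRTT in formula (1); the patent's example value is 2 (assumed here).
SRTT_MULTIPLE = 2.0


@dataclass
class Packet:
    """One packet seen by the client. All values are constructed sample data."""
    t: float              # arrival time in seconds
    rst: bool             # True for a reset packet
    payload: str = ""     # server response carried by a non-reset packet


@dataclass
class Connection:
    """Client-side state for the delayed-reset logic (hypothetical helper, not the patent's API)."""
    srtt: float                                          # smoothed round-trip time (SRTT)
    rttvar: float                                        # RTT variance ("delta" in formula (1))
    delay_reset_timer: Optional[float] = None            # absolute deadline, None when not armed
    closed: bool = False
    delivered: List[str] = field(default_factory=list)   # payloads pushed to the protocol stack
    log: List[str] = field(default_factory=list)

    def deadline(self, now: float) -> float:
        """Formula (1): delay reset timer = now + 2SRTT + delta."""
        return now + SRTT_MULTIPLE * self.srtt + self.rttvar

    def advance(self, now: float) -> None:
        """Step S210: if the armed timer has expired, honour the reset and close."""
        if self.delay_reset_timer is not None and now >= self.delay_reset_timer:
            self.closed = True
            self.delay_reset_timer = None
            self.log.append(f"{now:.3f} delay reset timer expired, connection closed")

    def on_packet(self, pkt: Packet) -> None:
        self.advance(pkt.t)                               # expiry is checked before the packet
        if self.closed:
            self.log.append(f"{pkt.t:.3f} packet ignored, connection already closed")
            return
        if pkt.rst:                                       # S202: is it a reset packet?
            if self.delay_reset_timer is None:            # S204 -> S208: arm the timer
                self.delay_reset_timer = self.deadline(pkt.t)
                self.log.append(f"{pkt.t:.3f} RST discarded, timer armed until "
                                f"{self.delay_reset_timer:.3f}")
            else:                                         # S204 -> S206: timer already armed
                self.log.append(f"{pkt.t:.3f} RST discarded, timer already armed")
            return                                        # the reset packet is dropped either way
        # Not a reset packet: S205 -> S207 / S209
        if self.delay_reset_timer is not None:
            # Genuine server data arrived inside the window, so the earlier reset
            # cannot have ended the server side; the timer is deleted (S209).
            self.delay_reset_timer = None
            self.log.append(f"{pkt.t:.3f} data received, timer deleted")
        self.delivered.append(pkt.payload)                # S207: push to the protocol stack


def replay(conn: Connection, packets: List[Packet], end_time: float) -> Connection:
    """Feed packets in arrival order, then advance the clock to end_time."""
    for pkt in sorted(packets, key=lambda p: p.t):
        conn.on_packet(pkt)
    conn.advance(end_time)
    return conn


def spurious_reset_scenario() -> Connection:
    """Constructed trace: two injected RSTs, then the server answers inside 2SRTT + delta."""
    conn = Connection(srtt=0.100, rttvar=0.020)           # window = 2*0.100 + 0.020 = 0.220 s
    trace = [
        Packet(1.000, rst=True),                           # injected reset
        Packet(1.050, rst=True),                           # injected reset, timer already armed
        Packet(1.120, rst=False, payload="HTTP/1.1 200 OK"),  # real response from the source station
    ]
    return replay(conn, trace, end_time=2.000)


def genuine_reset_scenario() -> Connection:
    """Constructed trace: a reset followed by silence; the close is only delayed by the window."""
    conn = Connection(srtt=0.100, rttvar=0.020)
    return replay(conn, [Packet(1.000, rst=True)], end_time=1.300)   # 1.300 >= 1.220


if __name__ == "__main__":
    for c in (spurious_reset_scenario(), genuine_reset_scenario()):
        print("\n".join(c.log))
        print("closed:", c.closed, "delivered:", c.delivered, "\n")
```

The second scenario shows the cost of the scheme: a real reset is acted on only after 2SRTT + delta, so the multiple should stay small enough that legitimately closed connections are not held open for long.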
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method of avoiding bypass blocking according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
According to an embodiment of the present invention, there is further provided an apparatus for implementing the above-mentioned method for avoiding bypass blocking, fig. 4 is a schematic structural diagram of an apparatus for avoiding bypass blocking according to a second embodiment of the present invention, and as shown in fig. 4, the apparatus includes: a first determining module 42, a second determining module 44, a first receiving module 46, and a second receiving module 48.
The first determining module 42 is configured to determine whether a received data packet is a reset packet; the second determining module 44 is configured to determine, when a reset packet is received, whether a preset delayed reset clock already exists; the first receiving module 46 is configured to, if the determination result is yes, discard the reset packet and receive the response message fed back by the server for the request message that was sent; and the second receiving module 48 is configured to, if the determination result is no, set a delayed reset clock, discard the reset packet, and receive the response message fed back by the server for the request message that was sent.
In this embodiment of the invention, closing of the connection in response to a reset is deferred to a delayed reset clock. The client determines whether a received data packet is a reset packet; when a reset packet is received, it determines whether a preset delayed reset clock already exists; if so, it discards the reset packet and receives the response message fed back by the server for the request message that was sent; if not, it sets a delayed reset clock, discards the reset packet, and receives the response message fed back by the server for the request message that was sent. This avoids the effect of bypass blocking on HTTP service access, which reduces operation and maintenance cost and solves the technical problem that a normal service cannot be accessed because a bypass traffic blocking device has been deployed.
It should be noted that the first determining module 42, the second determining module 44, the first receiving module 46 and the second receiving module 48 correspond to steps S202 to S208 in the first embodiment; the four modules implement the same examples and application scenarios as the corresponding steps, but are not limited to what is disclosed in the first embodiment. It should also be noted that the modules described above as part of the apparatus may run in the client provided in the first embodiment, and may be implemented in software or hardware.
Example 3
According to another aspect of the embodiments of the present invention, there is also provided a system for avoiding bypass blocking, including: client 52, bypass traffic blocking device 54, and server 56.
The client 52 sends a request message to the server 56; the bypass traffic blocking device 54 sends a reset packet to the client 52; the client 52 determines whether the received data packet is a reset packet; when a reset packet is received, it determines whether a preset delayed reset clock exists; if so, it discards the reset packet and receives the response message fed back by the server 56; if not, it sets the delayed reset clock, discards the reset packet, and receives the response message fed back by the server 56.
Optionally, in the process of establishing the connection between the client 52 and the server 56, the request message includes: a handshake request; or, in the process of data interaction between the client 52 and the server 56, the request message includes: a data request; wherein the data request comprises: a hypertext transfer protocol request.
Specifically, the interaction between the client 52 and the server 56 without the bypass traffic blocking device 54, and the interaction flows of the client 52, the bypass traffic blocking device 54 and the server 56 at layer 4 and at layer 7, are each described below as examples.
Scenario one: no bypass traffic blocking device 54 intervenes in the interaction between the client 52 and the server 56.
Fig. 5a is a schematic diagram of a system for avoiding bypass blocking according to the third embodiment of the present invention, in which no bypass traffic blocking device intervenes between the client and the server. As shown in fig. 5a, during the interaction between the client 52 and the server 56 without the bypass traffic blocking device 54:
step S1, the client 52 sends a handshake request (SYN) to the server 56;
step S2, the server 56 returns a handshake acknowledgement (SYN-ack, abbreviated as SYN ack) to the client 52;
In step S3, the client 52 sends acknowledgement information ACK, which acknowledges the connection, to the server 56, the acknowledgement information ACK being used to instruct the client 52 to establish the connection with the server 56.
Here, steps S1 to S3 form the three-way handshake, through which the two ends establish a virtual connection: they negotiate how much data is transmitted at a time, synchronize the sending and receiving of data segments, determine acknowledgement numbers from the amount of data received, and agree on when the connection is torn down after data transmission and reception are complete.
Step S4, the client 52 sends a hypertext transfer protocol (HTTP) request to the server 56;
Step S5, the server 56 returns an HTTP response to the client 52.
Scenario two: the interaction flow of the client 52, the bypass traffic blocking device 54 and the server 56 at layer 4 is as follows:
Unlike the normal situation of fig. 5a, fig. 5b is an interaction diagram of a system for avoiding bypass blocking interacting at layer 4 according to the third embodiment of the present invention. As shown in fig. 5b,
step S1, the client 52 sends a handshake request (SYN) to the server 56;
step S2, the client 52 receives the reset packet (RST) sent by the bypass traffic blocking device 54;
In step S3, the client 52 receives the SYN ACK packet returned by the server 56.
Here, the client 52 receives the reset packet sent by the bypass traffic blocking device 54 and, following steps S202 to S209 of embodiment 1, still receives the SYN ACK packet returned by the server at step S3, so the effect of bypass blocking on HTTP service access is avoided.
Scenario three: the interaction flow of the client 52, the bypass traffic blocking device 54 and the server 56 at layer 7 is as follows:
Unlike the normal situation of fig. 5a, fig. 5c is an interaction diagram of a system for avoiding bypass blocking interacting at layer 7 according to the third embodiment of the present invention. As shown in fig. 5c,
step S1, the client 52 sends a handshake request (SYN) to the server 56;
step S2, the server 56 returns a handshake acknowledgement (SYN-ack, abbreviated as SYN ack) to the client 52;
in step S3, the client 52 sends acknowledgement information ACK, which acknowledges the connection, to the server 56, the acknowledgement information ACK being used to instruct the client 52 to establish the connection with the server 56.
Step S4, the client 52 sends a hypertext transfer protocol (HTTP) request to the server 56;
step S5, the client 52 receives the reset packet (RST) sent by the bypass traffic blocking device 54;
In step S6, the client 52 receives the HTTP response returned by the server 56.
The principle is the same as in scenario two. The difference is that scenario two occurs during the three-way handshake, whereas scenario three occurs after the three-way handshake, once the client 52 has sent the HTTP request to the server 56: the client 52 receives the reset packet sent by the bypass traffic blocking device 54 and, following steps S202 to S209 of embodiment 1, receives the SYN ACK packet returned by the server at step S3, so the effect of bypass blocking on HTTP service access is avoided.
The bypass blocking avoiding system solves the problem of bypass blocking, and does not need to modify upper-layer services and protocols.
Example 4
According to still another aspect of the embodiments of the present invention, there is provided a storage medium including a stored program, wherein when the program runs, a device on which the storage medium is located is controlled to perform: judging whether the received data packet is a reset packet or not; under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not; if the judgment result is yes, discarding the reset packet, and receiving a response message fed back by the server; and if the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server.
Example 5
According to still another aspect of the embodiments of the present invention, there is further provided a processor, configured to execute the program, where the program executes: judging whether the received data packet is a reset packet or not; under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not; if the judgment result is yes, discarding the reset packet, and receiving a response message fed back by the server; and if the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server.
Example 6
The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program codes executed by the method for avoiding bypass blocking provided in the first embodiment.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: judging whether the received data packet is a reset packet or not; under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not; if the judgment result is yes, discarding the reset packet, and receiving a response message fed back by the server according to the sent request message; and if the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server according to the sent request message.
Optionally, in this embodiment, the storage medium is configured to store program codes for performing the following steps: setting the delayed reset clock includes: the delayed reset clock is set according to the current time, the smoothed round trip time, and the variance.
Further, optionally, in the present embodiment, the storage medium is configured to store program code for performing the following steps: setting the duration of the delayed reset clock to a preset multiple of the smoothed round trip time.
Optionally, in this embodiment, the storage medium is configured to store program codes for performing the following steps: and triggering the reset to close the connection under the condition that the preset delay reset clock is overtime.
Optionally, in this embodiment, the storage medium is configured to store program codes for performing the following steps: after judging whether the received data packet is a reset packet or not, judging whether a preset delay reset clock exists or not under the condition that the judgment result is negative; executing a processing flow corresponding to the data packet under the condition that the judgment result is that the preset delay reset clock does not exist; and deleting the preset delay reset clock and executing the corresponding processing flow of the data packet under the condition that the judgment result shows that the preset delay reset clock exists.
Further, optionally, in this embodiment, the storage medium is configured to store program codes for performing the following steps: the processing flow comprises the following steps: in the handshake communication flow, in a case where the request message includes a handshake request message, the processing flow includes: receiving a handshake response message; or, in the network layer request process, the request message includes a network layer request message, and the processing process includes: a network layer response message is received.
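A discrete-event model of the client behaviour described in the steps above (reset judgement, deletion of the clock when a non-reset packet arrives, and closure when the clock expires), added here as an example; it is not code from the patent or its applicant. The packet kinds, the SRTT and variance values, and the formula combining current time, SRTT, variance and the preset multiple into a deadline are assumptions, since the page names the inputs but not the arithmetic.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed simulation of the delayed reset clock; not the patent's code.
RST = "RST"                      # reset packet (server or bypass device)
SYN_ACK = "SYN_ACK"              # handshake response, scenario two
HTTP_RESPONSE = "HTTP_RESPONSE"  # layer-7 response, scenario three


@dataclass
class Packet:
    kind: str
    t: float  # arrival time at the client in seconds (constructed)


def delayed_reset_deadline(now: float, srtt: float, rttvar: float,
                           multiple: float) -> float:
    # The page sets the clock from the current time, the smoothed RTT and
    # its variance, with a duration that is a preset multiple of SRTT.
    # The exact combination of those inputs below is an assumption.
    return now + multiple * srtt + rttvar


@dataclass
class Client:
    srtt: float
    rttvar: float
    multiple: float = 2.0
    reset_deadline: Optional[float] = None  # None: no delayed reset clock
    state: str = "OPEN"
    delivered: List[str] = field(default_factory=list)
    discarded_rsts: int = 0

    def on_tick(self, now: float) -> bool:
        """Close the connection if the clock has expired; True when it did."""
        if (self.state == "OPEN" and self.reset_deadline is not None
                and now >= self.reset_deadline):
            self.state = "CLOSED"
            self.reset_deadline = None
            return True
        return False

    def on_packet(self, pkt: Packet) -> str:
        """Receive path mirroring the judgement steps on the page."""
        if self.state == "CLOSED":
            return "dropped:closed"
        if pkt.kind == RST:
            # First reset arms the clock; every reset is discarded meanwhile.
            if self.reset_deadline is None:
                self.reset_deadline = delayed_reset_deadline(
                    pkt.t, self.srtt, self.rttvar, self.multiple)
            self.discarded_rsts += 1
            return "rst-discarded"
        # Any non-reset packet proves the peer is alive: delete a pending
        # clock, then run the packet's normal processing flow.
        self.reset_deadline = None
        self.delivered.append(pkt.kind)
        return "processed"


def run(client: Client, packets: List[Packet], end_time: float) -> List[Tuple]:
    """Feed packets in arrival order, firing the clock whenever its deadline
    passes before the next arrival or before end_time."""
    log: List[Tuple] = []
    for pkt in sorted(packets, key=lambda p: p.t):
        if client.on_tick(pkt.t):
            log.append((pkt.t, "closed-by-delayed-reset"))
        log.append((pkt.t, pkt.kind, client.on_packet(pkt)))
    if client.on_tick(end_time):
        log.append((end_time, "closed-by-delayed-reset"))
    return log


def scenario(packets: List[Packet], end_time: float = 1.0) -> Client:
    """Client with SRTT 100 ms, variance 20 ms, multiple 2 (constructed),
    so the clock expires 220 ms after the first reset packet."""
    client = Client(srtt=0.1, rttvar=0.02, multiple=2.0)
    run(client, packets, end_time)
    return client


# Scenario two: injected reset during the handshake, SYN-ACK arrives 40 ms later.
surviving = scenario([Packet(RST, 0.01), Packet(SYN_ACK, 0.05)])
# Reset with no later server packet: the clock expires and closes the connection.
closed = scenario([Packet(RST, 0.01)])
```

A response that arrives only after the clock has expired is dropped, so the preset multiple is also the bound on how long a client keeps a connection that the peer really did reset.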
The above-mentioned serial numbers of the embodiments of the present invention are only for description, and do not represent the advantages and disadvantages of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis, and reference may be made to the related description of other embodiments for parts that are not described in detail in a certain embodiment.
In the embodiments provided in the present application, it should be understood that the disclosed technical content can be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (11)

1. A method of circumventing bypass blocking, comprising:
judging whether the received data packet is a reset packet or not;
under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not;
if the judgment result is yes, discarding the reset packet, and receiving a response message fed back by the server according to the sent request message;
and under the condition that the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server according to the sent request message.
2. The method of avoiding bypass blocking according to claim 1, wherein setting a delayed reset clock comprises:
the delayed reset clock is set according to the current time, the smoothed round trip time, and the variance.
3. The method for avoiding bypass blocking according to claim 2, wherein the duration of the delayed reset clock is set to a preset multiple of the smoothed round trip time.
4. The method of avoiding bypass blocking according to claim 1, further comprising:
and triggering the reset to close the connection under the condition that the preset delay reset clock is overtime.
5. The method for avoiding bypass blocking according to claim 1, wherein after said determining whether the received data packet is a reset packet, the method further comprises:
under the condition that the judgment result is negative, judging whether the preset delay reset clock exists or not;
executing a processing flow corresponding to the data packet in the case where the judgment result is that the preset delay reset clock does not exist;
and deleting the preset delay reset clock and executing the corresponding processing flow of the data packet under the condition that the judgment result shows that the preset delay reset clock exists.
6. The method for avoiding bypass blocking according to claim 5, wherein the processing flow comprises:
in a handshake communication flow, in a case where the request message includes a handshake request message, the processing flow includes: receiving a handshake response message; or,
in a network layer request process, where the request message includes a network layer request message, the processing process includes: a network layer response message is received.
7. An apparatus for circumventing bypass blocking, comprising:
the first judging module is used for judging whether the received data packet is a reset packet or not;
the second judgment module is used for judging whether a preset delay reset clock exists or not under the condition of receiving the reset packet;
the first receiving module is used for discarding the reset packet and receiving a response message fed back by the server according to the sent request message under the condition that the judgment result is yes;
and the second receiving module is used for setting a delay reset clock, discarding the reset packet and receiving a response message fed back by the server according to the sent request message under the condition that the judgment result is negative.
8. A system for circumventing bypass blocking, comprising: a client, a bypass traffic blocking device, and a server, wherein,
the client sends a request message to the server;
the bypass traffic blocking device sends a reset packet to the client;
the client judges whether the received data packet is a reset packet or not; under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not; if the judgment result is yes, discarding the reset packet and receiving a response message fed back by the server; and if the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server.
9. The system of avoiding bypass blocking according to claim 8,
in the process of establishing a connection between the client and the server, the request message includes: a handshake request; or,
in the process of data interaction between the client and the server, the request message includes: requesting data; wherein the data request comprises: a hypertext transfer protocol request.
10. A storage medium, characterized in that the storage medium includes a stored program, wherein when the program runs, a device on which the storage medium is located is controlled to execute: judging whether the received data packet is a reset packet or not; under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not; if the judgment result is yes, discarding the reset packet and receiving a response message fed back by the server; and under the condition that the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server.
11. A processor, wherein the processor is configured to execute a program, wherein the program when executed performs: judging whether the received data packet is a reset packet or not; under the condition of receiving a reset packet, judging whether a preset delay reset clock exists or not; if the judgment result is yes, discarding the reset packet and receiving a response message fed back by the server; and under the condition that the judgment result is negative, setting a delay reset clock, discarding the reset packet, and receiving a response message fed back by the server.
CN201810388128.8A 2018-04-26 2018-04-26 Method, device and system for avoiding bypass blocking Active CN110417679B (en)
Publications (2)

Publication Number Publication Date
CN110417679A CN110417679A (en) 2019-11-05
CN110417679B true CN110417679B (en) 2022-06-14
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant