
CN113315853B - Cloud protection node scheduling method, system and storage medium - Google Patents


Info

Publication number
CN113315853B
Authority
CN
China
Legal status
Active
Application number
CN202110578577.0A
Other languages
Chinese (zh)
Other versions
CN113315853A
Inventor
李雅苹
范渊
杨勃
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd with priority to CN202110578577.0A; published as CN113315853A, then granted and published as CN113315853B. Legal status: active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection


Abstract

The invention discloses a cloud protection node scheduling method, system and storage medium. The method includes: when a DNS management system receives a domain name resolution request sent by a client, extracting the protected domain name from the request and resolving a first alias using the first alias record corresponding to the protected domain name, the first alias being a domain name alias dedicated to the protected domain name; resolving a second alias using the second alias record corresponding to the first alias, and determining the multiple node IP addresses bound to the second alias; and inputting those node IP addresses into a cloud protection node scheduling algorithm, determining an available target node IP address, and sending it to the client, so that the client sends the data destined for the protected domain name to the cloud protection node corresponding to the target node IP address. The method schedules the IP addresses of multiple cloud protection nodes in a unified way, effectively ensures that a node is available, and thereby avoids the origin site becoming inaccessible because a single node is offline.

Description

A cloud protection node scheduling method, system and storage medium

Technical field

The present invention relates to the field of cloud protection, and in particular to a cloud protection node scheduling method, system and storage medium.

Background

As awareness of network security grows, more and more websites choose to place their origin sites behind a cloud protection platform and rely on that platform to defend against network attacks. In the related art, the user sets a domain name alias for the protected domain name and points that alias at the node IP address of a cloud protection node. Other clients then first obtain the node IP address from the DNS management system and send data destined for the protected domain name to that node IP address, so that the data is forwarded to the origin IP address the protected domain name originally pointed to only after it has passed the cloud protection node's attack detection. However, when the cloud protection node suffers a service fault, or when the node IP address is blocked by the network operator, data sent to the protected domain name cannot reach the server at the origin IP address, so the client cannot access the origin site and the site's normal operation is affected.

Summary of the invention

The purpose of the present invention is to provide a cloud protection node scheduling method, system and storage medium that schedule the node IP addresses of multiple cloud protection nodes in a unified way and return a node IP address to the client that sent the domain name resolution request only after the cloud protection node at that address has been confirmed available. This effectively ensures that the cloud protection node is working and reliable, and thereby avoids the origin site becoming inaccessible because a single node is offline.

To solve the above technical problem, the present invention provides a cloud protection node scheduling method, including:

when a DNS management system receives a domain name resolution request sent by a client, extracting the protected domain name from the domain name resolution request and resolving a first alias using the first alias record corresponding to the protected domain name, the first alias being a domain name alias dedicated to the protected domain name;

resolving a second alias using the second alias record corresponding to the first alias, and determining the multiple node IP addresses bound to the second alias;

inputting the node IP addresses into a cloud protection node scheduling algorithm, determining an available target node IP address, and sending the target node IP address to the client, so that the client sends the data destined for the protected domain name to the cloud protection node corresponding to the target node IP address.

Optionally, before the DNS management system receives the domain name resolution request sent by the client, the method further includes:

when a cloud protection management platform receives a configuration request, extracting the protected domain name to be configured and its corresponding first alias to be configured from the configuration request, setting the first alias record of the protected domain name to be configured to point to the first alias to be configured, and determining the primary domain name of the protected domain name to be configured;

judging whether other protected domain names belonging to that primary domain name are already configured;

if so, looking up the second alias corresponding to the primary domain name and setting the second alias record of the first alias to be configured to point to that second alias;

if not, determining the number of primary domain names corresponding to each second alias and setting the second alias record of the first alias to be configured to point to the second alias with the smallest number of primary domain names;

writing the first alias record of the protected domain name to be configured and the second alias record of the first alias to be configured into the DNS management system.

Optionally, after determining the number of primary domain names corresponding to each second alias, the method further includes:

the cloud protection management platform judging whether the minimum of those primary domain name counts is greater than or equal to a preset threshold;

if so, generating alarm information and sending it to an alarm server, so that the alarm server performs an alarm operation;

if not, executing the step of setting the second alias record of the first alias to be configured to point to the second alias with the fewest primary domain names.

Optionally, after writing the first alias record of the protected domain name to be configured and the second alias record of the first alias to be configured into the DNS management system, the method further includes:

when the cloud protection management platform receives a domain name removal request, setting the protected domain name in the removal request as the protected domain name to be removed, and determining the first alias to be removed from the first alias record of that protected domain name;

the cloud protection management platform removing, from the DNS management system, the first alias record corresponding to the protected domain name to be removed and the second alias record of the first alias to be removed.
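The configuration, threshold-alarm and removal steps above, as an added example that is not the patent's own code: a small model of the cloud protection management platform and the records it writes into the DNS management system. Alias names follow the patent's examples; the size of the second-alias pool, the threshold value and the "last two labels" rule for the primary domain are assumptions.

```python
# Added example (not the patent's code): second-alias assignment, threshold alarm and
# removal logic of the cloud protection management platform, modelled on the claims above.
# Pool size, threshold and the primary-domain rule are constructed assumptions.

def primary_domain(fqdn: str) -> str:
    """Assumption: the primary domain is the last two labels (abc.com for example1.abc.com)."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])


class CloudProtectionPlatform:
    """Holds the alias records it would write into the DNS management system."""

    def __init__(self, second_aliases, threshold):
        self.second_aliases = list(second_aliases)
        self.threshold = threshold          # preset threshold for the alarm check
        self.first_records = {}             # protected domain -> first alias  (one-to-one)
        self.second_records = {}            # first alias -> second alias     (many-to-one)
        self.alarms = []                    # messages that would go to the alarm server

    def primary_domain_counts(self):
        """Number of distinct primary domains currently pointing at each second alias."""
        owners = {sa: set() for sa in self.second_aliases}
        for protected, first in self.first_records.items():
            owners[self.second_records[first]].add(primary_domain(protected))
        return {sa: len(o) for sa, o in owners.items()}

    def add_protected_domain(self, protected, first_alias):
        """Returns the assigned second alias, or None when the pool is saturated (alarm raised)."""
        main = primary_domain(protected)
        sibling = next((p for p in self.first_records if primary_domain(p) == main), None)
        if sibling is not None:
            # A protected domain of the same primary domain exists: reuse its second alias.
            second = self.second_records[self.first_records[sibling]]
        else:
            # No sibling: pick the least-loaded second alias, but alarm if even it is at the threshold.
            counts = self.primary_domain_counts()
            second = min(self.second_aliases, key=counts.__getitem__)
            if counts[second] >= self.threshold:
                self.alarms.append(
                    f"no second alias below threshold {self.threshold} for {protected}")
                return None
        # Write both records into the DNS management system.
        self.first_records[protected] = first_alias
        self.second_records[first_alias] = second
        return second

    def remove_protected_domain(self, protected):
        """Removes the first alias record and the second alias record of its first alias."""
        first_alias = self.first_records.pop(protected, None)
        if first_alias is None:
            return False
        self.second_records.pop(first_alias, None)
        return True


def demo():
    """Walks the claims: sibling reuse, least-loaded choice, threshold alarm, removal."""
    platform = CloudProtectionPlatform(
        ["second1.yunfanghu.com", "second2.yunfanghu.com"], threshold=2)
    trace = [
        platform.add_protected_domain("example1.abc.com", "example1-abc-com.yunfanghu.com"),
        platform.add_protected_domain("example2.abc.com", "example2-abc-com.yunfanghu.com"),
        platform.add_protected_domain("www.xyz.com", "www-xyz-com.yunfanghu.com"),
        platform.add_protected_domain("www.foo.com", "www-foo-com.yunfanghu.com"),
        platform.add_protected_domain("www.bar.com", "www-bar-com.yunfanghu.com"),
        platform.add_protected_domain("www.baz.com", "www-baz-com.yunfanghu.com"),  # alarm
    ]
    removed = platform.remove_protected_domain("www.xyz.com")
    retry = platform.add_protected_domain("www.baz.com", "www-baz-com.yunfanghu.com")
    return trace, platform.alarms, removed, retry


if __name__ == "__main__":
    for item in demo():
        print(item)
```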

Optionally, after the DNS management system receives the domain name resolution request sent by the client, the method further includes:

the DNS management system extracting the source IP address from the domain name resolution request;

correspondingly, the cloud protection node scheduling algorithm determining the target node IP address according to the operating state of the cloud protection nodes corresponding to the node IP addresses and the region information and/or operator information to which the source IP address belongs.
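The resolution and scheduling steps in the claims above, as an added example that is not the patent's own code: protected domain to first alias to second alias to a scheduled node IP, with failover when a node goes down. Record names follow the patent's examples; the node IPs, client IPs, regions, operators, health flags and the "same region, then same operator" preference are constructed assumptions.

```python
# Added example (not the patent's code): two-level CNAME resolution followed by the node
# scheduling step of the claims above. Node IPs, client IPs, regions, operators, health
# flags and the scheduling preference are constructed test data and assumptions.

FIRST_ALIAS = {"www.abc.com": "abc-com.yunfanghu.com"}            # protected domain -> first alias
SECOND_ALIAS = {"abc-com.yunfanghu.com": "second.yunfanghu.com"}  # first alias -> second alias

# Node IP addresses bound to the second alias (RFC 5737 documentation ranges).
NODES = {
    "second.yunfanghu.com": [
        {"ip": "192.0.2.10",   "region": "east", "isp": "ispA", "healthy": True, "blocked_by": set()},
        {"ip": "192.0.2.11",   "region": "east", "isp": "ispB", "healthy": True, "blocked_by": {"ispA"}},
        {"ip": "198.51.100.5", "region": "west", "isp": "ispA", "healthy": True, "blocked_by": set()},
    ],
}

# Constructed stand-in for a GeoIP/operator database: client source IP -> (region, operator).
CLIENT_INFO = {
    "203.0.113.7": ("east", "ispA"),
    "203.0.113.8": ("east", "ispB"),
    "203.0.113.9": ("north", "ispC"),
}


def set_node_health(ip, healthy):
    """Health-check feed (assumed monitoring input): mark a node IP as up or down."""
    for nodes in NODES.values():
        for node in nodes:
            if node["ip"] == ip:
                node["healthy"] = healthy
                return True
    return False


def schedule(nodes, region, isp):
    """Cloud protection node scheduling algorithm (assumed policy): drop nodes that are down
    or whose IP the client's operator blocks, then prefer same region, then same operator."""
    usable = [n for n in nodes if n["healthy"] and isp not in n["blocked_by"]]
    if not usable:
        return None

    def distance(n):
        return (n["region"] != region, n["isp"] != isp)   # False sorts before True

    return min(usable, key=distance)["ip"]


def resolve(domain, source_ip):
    """Protected domain -> first alias -> second alias -> target node IP.
    Returns None when the domain is not protected or no usable node remains."""
    first = FIRST_ALIAS.get(domain)
    if first is None:
        return None
    second = SECOND_ALIAS.get(first)
    region, isp = CLIENT_INFO.get(source_ip, (None, None))
    return schedule(NODES.get(second, []), region, isp)


if __name__ == "__main__":
    print(resolve("www.abc.com", "203.0.113.7"))   # 192.0.2.10
    set_node_health("192.0.2.10", False)            # node goes offline
    print(resolve("www.abc.com", "203.0.113.7"))   # 198.51.100.5 after failover
```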

The present invention also provides a cloud protection node scheduling system, including a DNS management system and cloud protection nodes, wherein:

the DNS management system is configured to, when receiving a domain name resolution request sent by a client, extract the protected domain name from the domain name resolution request and resolve a first alias using the first alias record corresponding to the protected domain name, the first alias being a domain name alias dedicated to the protected domain name; resolve a second alias using the second alias record corresponding to the first alias and determine the multiple node IP addresses bound to the second alias; and input the node IP addresses into a cloud protection node scheduling algorithm, determine an available target node IP address, and send the target node IP address to the client, so that the client sends the data destined for the protected domain name to the cloud protection node corresponding to the target node IP address;

the cloud protection node is configured to perform attack detection on the data the client sends to the protected domain name.

Optionally, the system further includes a cloud protection management platform, wherein:

the cloud protection management platform is configured to, when receiving a configuration request, extract the protected domain name to be configured and its corresponding first alias to be configured from the configuration request, set the first alias record of the protected domain name to be configured to point to the first alias to be configured, and determine the primary domain name of the protected domain name to be configured; judge whether other protected domain names belonging to that primary domain name are already configured; if so, look up the second alias corresponding to the primary domain name and set the second alias record of the first alias to be configured to point to that second alias; if not, determine the number of primary domain names corresponding to each second alias and set the second alias record of the first alias to be configured to point to the second alias with the smallest number of primary domain names; and write the first alias record of the protected domain name to be configured and the second alias record of the first alias to be configured into the DNS management system;

the DNS management system is further configured to store the received first alias record and second alias record.

Optionally, the system further includes an alarm server, wherein:

the cloud protection management platform is further configured to judge whether the minimum of the primary domain name counts is greater than or equal to a preset threshold; if so, generate alarm information and send it to the alarm server, so that the alarm server performs an alarm operation; if not, execute the step of setting the second alias record of the first alias to be configured to point to the second alias with the fewest primary domain names;

the alarm server is configured to perform an alarm operation when it receives the alarm information.

Optionally,

the cloud protection management platform is further configured to, when receiving a domain name removal request, set the protected domain name in the removal request as the protected domain name to be removed, determine the first alias to be removed from the first alias record of that protected domain name, and remove, from the DNS management system, the first alias record corresponding to the protected domain name to be removed and the second alias record of the first alias to be removed.

The present invention also provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of the cloud protection node scheduling method described in any of the above.

The present invention provides a cloud protection node scheduling method in which, when a DNS management system receives a domain name resolution request sent by a client, it extracts the protected domain name from the request and resolves a first alias using the first alias record corresponding to the protected domain name, the first alias being a domain name alias dedicated to the protected domain name; resolves a second alias using the second alias record corresponding to the first alias and determines the multiple node IP addresses bound to the second alias; and inputs the node IP addresses into a cloud protection node scheduling algorithm, determines an available target node IP address, and sends the target node IP address to the client, so that the client sends the data destined for the protected domain name to the cloud protection node corresponding to the target node IP address.

It can be seen that this method uses the second alias to schedule multiple node IP addresses in a unified way. After the DNS management system resolves the first alias corresponding to the protected domain name in the resolution request, it further determines the second alias corresponding to that first alias. Because the second alias is bound to multiple node IP addresses, the DNS management system can input these node IP addresses into the cloud protection node scheduling algorithm, check their availability, and send a target node IP address to the client only after an available one has been determined. This first ensures that the cloud protection node at the target node IP address is available and can effectively perform attack detection on the data the client sends; at the same time, because the second alias is bound to multiple node IP addresses, when one node IP address becomes abnormal and unusable, another working node IP address can be switched in for attack detection. This effectively avoids the origin site becoming inaccessible, as happens in the related art where a single node IP address is used for attack detection, and ultimately improves the effectiveness and reliability of the cloud protection nodes' attack detection function. The present invention also provides a cloud protection node scheduling system and a storage medium with the same beneficial effects.

Brief description of the drawings

In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a flowchart of a cloud protection node scheduling method provided by an embodiment of the present invention;

FIG. 2 is a flowchart of the cloud protection management platform adding a protected domain name, provided by an embodiment of the present invention;

FIG. 3 is a flowchart of the cloud protection management platform deleting a protected domain name, provided by an embodiment of the present invention;

FIG. 4a is a structural block diagram of a cloud protection node scheduling system provided by an embodiment of the present invention;

FIG. 4b is a structural block diagram of another cloud protection node scheduling system provided by an embodiment of the present invention;

FIG. 4c is a structural block diagram of yet another cloud protection node scheduling system provided by an embodiment of the present invention.

Detailed description

To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

In the related art, the user sets a domain name alias for the protected domain name and points that alias at the node IP address of a cloud protection node. Other clients then first obtain the node IP address from the DNS management system and send data destined for the protected domain name to that node IP address, so that the data is forwarded to the origin IP address the protected domain name originally pointed to only after it has passed the cloud protection node's attack detection. However, when the cloud protection node suffers a service fault, or when the node IP address is blocked by the network operator, data sent to the protected domain name cannot reach the server at the origin IP address, so the client cannot access the origin site and the site's normal operation is affected. In view of this, the present invention provides a cloud protection node scheduling method that schedules the node IP addresses of multiple cloud protection nodes in a unified way and returns a node IP address to the client that sent the domain name resolution request only after the cloud protection node at that address has been confirmed available; this effectively ensures that the cloud protection node is working and reliable, and thereby avoids the origin site becoming inaccessible because a single node is offline. Please refer to FIG. 1, which is a flowchart of a cloud protection node scheduling method provided by an embodiment of the present invention. The method may include:

S101. When the DNS management system receives a domain name resolution request sent by a client, it extracts the protected domain name from the request and resolves a first alias using the first alias record corresponding to the protected domain name; the first alias is a domain name alias dedicated to the protected domain name.

A domain name alias (CNAME) is a domain name used to establish a mapping between domain names, or between a domain name and an IP address. In the embodiment of the present invention, the domain name that the cloud protection node defends against attacks is the protected domain name, and the first alias is the domain name alias through which the protected domain name is mapped to the cloud protection node IP address. It will be understood that the first alias is dedicated to the protected domain name; in other words, the correspondence between the first alias and the protected domain name is one-to-one.

It should be noted that the embodiment of the present invention does not limit the specific form of the protected domain name; refer to the related art on network domain names. It will be understood that the protected domain name is a domain name the user provides to the cloud protection node service provider, and its content is set freely by the user. The embodiment of the present invention also does not limit the specific form of the first alias, which, like the protected domain name, can be set freely. First, since the purpose of the first alias is to map to the cloud protection node, the primary domain name of the first alias can be set to the primary domain name of the cloud protection node service provider; in addition, for ease of management, the first alias can further contain content related to the protected domain name. For example, when the primary domain name of the cloud protection node service provider is yunfanghu.com and the protected domain name is www.abc.com, the first alias of that protected domain name can be set to abc-com.yunfanghu.com. Likewise, if the protected domain name is example.abc.com, the first alias can be set to example-abc-com.yunfanghu.com. Further, to make first aliases more uniform and therefore easier to manage, a common naming template can be applied to the protected domain name to derive the first alias. It should be noted that the embodiment of the present invention does not limit the specific naming template, which can likewise be adjusted flexibly according to the actual application.

Further, it will be understood that the specific content of the first alias record is the mapping between the protected domain name and the first alias. The embodiment of the present invention does not limit the specific form of the first alias record; refer to the related art of the DNS (Domain Name System). The present invention also does not limit the specific form and content of the domain name resolution request; refer to the related art of DNS.

S102. Using the second alias record corresponding to the first alias, resolve a second alias and determine the multiple node IP addresses bound to the second alias.

In the related art, because the first alias points directly at a node IP address, the DNS management system, once it has resolved the first alias, directly returns the corresponding node IP address to the client, and the client sends data destined for the protected domain name to that node IP address. However, when the cloud protection node at that node IP address is unavailable, or the node IP address has been blocked by the operator, the data the client sends to the node IP address cannot be forwarded on to the IP address of the protected domain name's origin site, so the origin site stops working normally; likewise, because the node IP address is unavailable, the client cannot reach the origin site's IP address through it, and the origin site becomes inaccessible. In the embodiment of the present invention, by contrast, the first alias does not point directly at a node IP address but at a second alias, to which multiple node IP addresses are bound, and the DNS management system selects an available node IP address from among them to send to the client. This effectively ensures that a cloud protection node is available, and so avoids the protected domain name's origin site becoming inaccessible because a cloud protection node has failed.

It should be noted that the second alias is likewise a domain name alias, and its content can be adjusted flexibly according to actual application requirements. It will be understood that the second alias belongs to the cloud protection node service provider and is a dedicated domain name alias used for scheduling node IP addresses, so its content may be derived from the service provider's primary domain name. For example, if the service provider's primary domain name is yunfanghu.com, the second alias may be second.yunfanghu.com. The embodiment of the present invention does not limit the number of second aliases either; it can be set according to actual application requirements. When there are multiple second aliases, they can be numbered when named, for example second1.yunfanghu.com, second2.yunfanghu.com, ..., secondn.yunfanghu.com.

Further, to improve the utilisation of second aliases, multiple first aliases can be set to point to the same second alias; in other words, the numerical relationship between first aliases and second aliases is many-to-one. A mapping upper limit can also be set for a second alias, so that only a limited number of first aliases point to the same second alias. The embodiment of the present invention does not limit the specific value of this upper limit; it can be set according to actual application requirements. Protected domain names that share a primary domain name usually belong to the same company: example1.abc.com, example2.abc.com and example3.abc.com all share the primary domain name abc.com, which normally belongs to a single company. To manage one company's protected domain names effectively, the mapping upper limit of a second alias can therefore be defined in terms of primary domain names, i.e. a second alias may be pointed to by only a limited number of primary domain names. For example, the protected domain names example1.abc.com and example2.abc.com have the first aliases example1-abc-com.yunfanghu.com and example2-abc-com.yunfanghu.com respectively; both first aliases point to the second alias second.yunfanghu.com, and because both protected domain names share the primary domain name abc.com, the number of primary domain names corresponding to second.yunfanghu.com is 1. As another example, the protected domain names example.abc1.com and example.abc2.com have the first aliases example-abc1-com.yunfanghu.com and example-abc2-com.yunfanghu.com; both point to second.yunfanghu.com, but the protected domain names have different primary domain names, abc1.com and abc2.com, so the number of primary domain names corresponding to second.yunfanghu.com is 2. The embodiment of the present invention does not limit the specific value of the mapping upper limit of each second alias; it can be set according to actual application requirements.

Further, the embodiment of the present invention does not limit the number of node IP addresses bound to each second alias, which can be set according to actual application requirements. Nor does the present invention limit the specific way in which the node IP addresses bound to the second alias are determined; for example, they may be determined from A (Address) records, as in conventional DNS.

S103. Input the node IP addresses into the cloud protection node scheduling algorithm, determine an available target node IP address, and send the target node IP address to the client, so that the client sends the data destined for the protected domain name to the cloud protection node corresponding to the target node IP address.

It should be noted that the embodiment of the present invention does not limit the specific implementation or procedure of the cloud protection node scheduling algorithm, as long as the algorithm can select an available target node IP address from the input node IP addresses. To ensure that a node IP address is available, the algorithm may probe it with a network diagnostic tool (ping, Packet Internet Groper), and may also collect the operating status of the cloud protection node, such as whether the cloud protection service is running normally or abnormally and the utilisation of specific computing resources (CPU, disk, etc.), determine from that status whether the node is working normally, and thus determine the available node IP addresses. Because the operating status of a cloud protection node reflects its working condition as a whole, in the embodiment of the present invention the scheduling algorithm can determine the target node IP address from the operating status of the cloud protection node corresponding to each node IP address.

Further, since cloud protection nodes may be deployed in multiple regions and with multiple carriers, the DNS management system, in order to further speed up client access to the protected domain name's origin site, may also extract the source IP address (the client's IP address) from the domain name resolution request when it receives it, and use the region and/or carrier to which the source IP address belongs to pick, from the available node IP addresses, the node IP address the client can reach fastest.

In one possible case, after the DNS management system receives the domain name resolution request sent by the client, the method further includes:

Step 11: the DNS management system extracts the source IP address from the domain name resolution request.

Correspondingly, the cloud protection node scheduling algorithm determines the target node IP address from the operating status of the cloud protection node corresponding to each node IP address together with the region information and/or carrier information to which the source IP address belongs.

Finally, it should be noted that the embodiment of the present invention does not limit the specific DNS management system, as long as it can implement the functions above; for specific DNS management systems or devices, refer to conventional DNS technology.
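The resolution chain of S101 to S103 together with the source-IP affinity of step 11, written out as an added example; this is illustrative code and not part of the patent or of any DBAPPSecurity product. The zone data, the node status table, the client prefix table standing in for a GeoIP/carrier database and the field names of NodeStatus are all constructed assumptions. Beyond the text, it makes the scheduling rule explicit: a node counts as available only if the probe succeeded, the service is healthy and the node is not saturated, and among available nodes the client's region is preferred over its carrier, with CPU load as a deterministic tie-break.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample records standing in for the DNS management system's zone data.
# Protected domain name -> first alias (the "first alias record", a CNAME).
FIRST_ALIAS_RECORDS = {
    "example1.abc.com": "example1-abc-com.yunfanghu.com",
    "example2.abc.com": "example2-abc-com.yunfanghu.com",
}
# First alias -> second alias (the "second alias record", a CNAME; many-to-one).
SECOND_ALIAS_RECORDS = {
    "example1-abc-com.yunfanghu.com": "second.yunfanghu.com",
    "example2-abc-com.yunfanghu.com": "second.yunfanghu.com",
}
# Second alias -> node IP addresses bound to it (A records).
A_RECORDS = {
    "second.yunfanghu.com": ["192.0.2.10", "192.0.2.11", "198.51.100.20"],
}


@dataclass(frozen=True)
class NodeStatus:
    """Operating status of one cloud protection node (hypothetical fields)."""
    region: str
    carrier: str
    reachable: bool = True      # result of the ping-style probe
    service_ok: bool = True     # protection service running normally
    cpu_load: float = 0.0       # fraction of CPU in use, 0.0 .. 1.0


# Constructed node metadata; a real deployment would collect this from monitoring.
NODE_STATUS = {
    "192.0.2.10": NodeStatus("east", "carrierA", cpu_load=0.3),
    "192.0.2.11": NodeStatus("east", "carrierB", cpu_load=0.5),
    "198.51.100.20": NodeStatus("west", "carrierA", cpu_load=0.1),
}

# Constructed client prefix -> (region, carrier) table standing in for a GeoIP/carrier database.
CLIENT_NETWORKS = [
    (ipaddress.ip_network("203.0.113.0/25"), ("east", "carrierA")),
    (ipaddress.ip_network("203.0.113.128/25"), ("west", "carrierB")),
]

MAX_CPU_LOAD = 0.9  # assumed saturation limit above which a node is not scheduled


def resolve_node_ips(protected_domain):
    """S101/S102: protected domain -> first alias -> second alias -> bound node IPs."""
    first_alias = FIRST_ALIAS_RECORDS.get(protected_domain)
    if first_alias is None:
        raise LookupError("no first alias record for %s" % protected_domain)
    second_alias = SECOND_ALIAS_RECORDS.get(first_alias)
    if second_alias is None:
        raise LookupError("no second alias record for %s" % first_alias)
    return list(A_RECORDS.get(second_alias, []))


def locate_client(source_ip):
    """Map the request's source IP to (region, carrier); unknown -> (None, None)."""
    if source_ip is None:
        return (None, None)
    addr = ipaddress.ip_address(source_ip)
    for network, where in CLIENT_NETWORKS:
        if addr in network:
            return where
    return (None, None)


def schedule(node_ips, status=NODE_STATUS, source_ip=None):
    """S103: pick an available node, preferring the client's region, then carrier.

    A node is available only if the probe succeeded, the service is healthy and
    the node is not saturated. Among available nodes the lowest CPU load breaks
    ties, so the choice is deterministic for a given status table.
    """
    available = [
        ip for ip in node_ips
        if ip in status
        and status[ip].reachable
        and status[ip].service_ok
        and status[ip].cpu_load < MAX_CPU_LOAD
    ]
    if not available:
        raise RuntimeError("no available cloud protection node")
    region, carrier = locate_client(source_ip)

    def rank(ip):
        st = status[ip]
        return (st.region != region, st.carrier != carrier, st.cpu_load)

    return min(available, key=rank)


def degrade(ip, status=NODE_STATUS, **changes):
    """Return a copy of the status table with one node's fields changed."""
    updated = dict(status)
    updated[ip] = replace(status[ip], **changes)
    return updated


def resolve(protected_domain, source_ip=None, status=NODE_STATUS):
    """Full resolution as the DNS management system would perform it."""
    return schedule(resolve_node_ips(protected_domain), status, source_ip)


if __name__ == "__main__":
    print(resolve("example1.abc.com", "203.0.113.5"))
    failed = degrade("192.0.2.10", reachable=False)
    print(resolve("example1.abc.com", "203.0.113.5", failed))
```

When the node that matches the client's region and carrier is marked unreachable, the same query falls over to the remaining node in the client's region; when no node in the bound set is available at all, the resolver raises instead of handing out a dead address, which is the failure mode the text is designed to avoid. A status table that is missing entirely is treated as "no node known to be healthy" rather than "all healthy".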

Based on the above embodiments, this method uses a second alias to schedule multiple node IP addresses uniformly. After the DNS management system resolves the first alias corresponding to the protected domain name in the domain name resolution request, it further determines the second alias corresponding to that first alias. Because multiple node IP addresses are bound to the second alias, the DNS management system can feed them into the cloud protection node scheduling algorithm, check their availability, and send a target node IP address to the client only after an available one has been determined. This first ensures that the cloud protection node behind the target node IP address is available and can perform attack detection on the data the client sends; and because the second alias has multiple node IP addresses bound to it, when one node IP address becomes abnormal and unusable, another working node IP address can take over attack detection. This effectively avoids the origin site becoming inaccessible, as happens in the related art when a single node IP address is used for attack detection, and ultimately improves the effectiveness and reliability of the cloud protection node's attack detection function.

Based on the above embodiments, it will be understood that, for the DNS management system to resolve a protected domain name to the corresponding node IP address, the first alias record and second alias record of the protected domain name need to be set in the DNS management system. The way these records are set is described below. Before the DNS management system receives the domain name resolution request sent by the client, the method may further include:

S201. When the cloud protection management platform receives a configuration request, it extracts the protected domain name to be configured and the corresponding first alias to be configured from the request, sets the first alias record of the protected domain name to be configured to point to that first alias, and determines the primary domain name of the protected domain name to be configured.

In the embodiment of the present invention, the setting of the first alias record and the second alias record can be performed by the cloud protection management platform, which is a separate platform independent of the DNS management system. It should be noted that the embodiment does not limit the specific hardware structure of the cloud protection management platform, as long as it can perform the corresponding functions; it can be chosen according to actual application requirements.

Further, the configuration request is a request for setting the first alias record and the second alias record; it can be entered manually on the cloud protection management platform or sent to the platform by a user through a client, and the way the configuration request is generated and sent is not limited in this embodiment. To set the alias records, the configuration request contains at least the protected domain name to be configured and the corresponding first alias to be configured; to also configure the cloud protection node associated with that protected domain name, the configuration request may additionally carry the IP address of the origin site of the protected domain name, so that once the cloud protection management platform has set the first and second alias records it can write the origin site IP address of the protected domain name into the corresponding cloud protection node.

Further, it should be noted that the embodiment of the present invention does not limit the specific way in which the primary domain name of the protected domain name to be configured is determined; refer to conventional domain name technology.

S202. Determine whether other protected domain names belonging to the primary domain name are already configured; if so, go to step S203; if not, go to step S204.

Since protected domain names with the same primary domain name usually belong to the same company, the embodiment of the present invention manages protected domain names that share a primary domain name under the same second alias. The purpose of this step is therefore to check whether other protected domain names are already configured under the primary domain name of the protected domain name to be configured; if so, the first alias of the protected domain name to be configured is pointed at the second alias used by those other protected domain names.

S203. Find the second alias corresponding to the primary domain name, and set the second alias record of the first alias to be configured to point to that second alias.

S204. Determine the number of primary domain names corresponding to each second alias, and set the second alias record of the first alias to be configured to point to the second alias with the smallest number of primary domain names.

When no protected domain name has yet been configured under the primary domain name of the protected domain name to be configured, the cloud protection management platform determines the number of primary domain names corresponding to each second alias and assigns the protected domain name to be configured to the second alias with the fewest primary domain names, thereby balancing the load across the second aliases. When several second aliases share the smallest number, one of them can be chosen in a fixed order.

Further, if the cloud protection management platform had to recount the number of primary domain names corresponding to each second alias every time a protected domain name is configured, configuration would become slow. A counter can therefore be kept for each second alias recording how many times it has been consumed: each time the step of pointing the second alias record of the first alias to be configured at the second alias with the smallest number of primary domain names is completed, the counter of that second alias is incremented by one. The cloud protection management platform then only needs to read the counter values to quickly determine the number of primary domain names corresponding to each second alias.

Further, in the embodiment of the present invention, to ensure that each second alias serves only a limited number of primary domain names, an upper limit on the number of primary domain names can be set for the second aliases. After the number of primary domain names corresponding to each second alias has been determined, it is further checked whether the smallest of those numbers exceeds the upper limit. If so, all second aliases are full, and an alarm operation can be performed to remind administrators to expand capacity. It should be noted that the embodiment does not limit the specific value of the upper limit for each second alias, which can be set according to actual application requirements; nor does it limit the specific alarm operation, which may for example display alarm information or play alarm audio or video; the alarm information may also be generated and sent to an alarm server, which then performs the alarm operation. To manage the cloud protection node scheduling system effectively and divide the functions of the devices clearly, in the embodiment of the present invention the cloud protection management platform generates the alarm information and sends it to the alarm server, which performs the alarm operation.

In one possible case, after the number of primary domain names corresponding to each second alias has been determined, the method may further include:

Step 21: the cloud protection management platform determines whether the smallest number of primary domain names is greater than or equal to a preset threshold; if so, go to step 22; if not, go to step 23.

It should be noted that this preset threshold is the upper limit on the number of primary domain names described above. To further improve administrators' efficiency, an early-warning threshold can also be set, so that the cloud protection management platform performs a corresponding early-warning operation when it determines that the smallest number of primary domain names has reached that threshold. The limitations described above for the alarm operation apply equally to the early-warning operation.

Step 22: generate alarm information and send it to the alarm server, so that the alarm server performs an alarm operation.

Step 23: perform the step of setting the second alias record of the first alias to be configured to point to the second alias with the fewest primary domain names.

S205. Write the first alias record of the protected domain name to be configured and the second alias record of the first alias to be configured into the DNS management system.

Further, the cloud protection management platform can also delete a protected domain name that has been configured, removing the deleted protected domain name's first alias record and second alias record from the DNS management system.

In one possible case, after the first alias record of the protected domain name to be configured and the second alias record of the first alias to be configured have been written into the DNS management system, the method may further include:

Step 31: when the cloud protection management platform receives a domain name removal request, it sets the protected domain name in the request as the protected domain name to be removed and uses that domain name's first alias record to determine the first alias to be removed;

Step 32: the cloud protection management platform removes, from the DNS management system, the first alias record corresponding to the protected domain name to be removed and the second alias record of the first alias to be removed.

It should be noted that if a counter recording the number of primary domain names is kept for each second alias, then when removing a protected domain name the cloud protection management platform must also determine whether other protected domain names that have not been removed remain configured under the primary domain name of the protected domain name to be removed. If so, the protected domain name to be removed and its first alias record and second alias record are simply removed; if not, the counter of the second alias corresponding to the protected domain name to be removed is decremented by one before the protected domain name and its first alias record and second alias record are removed.

Based on the above embodiments, this method can set up and manage protected domain names effectively through the cloud protection management platform, and in the course of configuring a protected domain name writes the corresponding first alias record and second alias record into the DNS management system so that the DNS management system can resolve them correctly.

The process by which the cloud protection management platform configures a protected domain name is described below with reference to a specific flowchart. Refer to Fig. 2, a flowchart of adding a protected domain name on the cloud protection management platform according to an embodiment of the present invention; the process may include:

1. When the cloud protection management platform receives a configuration request, it extracts the protected domain name to be configured and the corresponding first alias to be configured from the request, sets the first alias record of the protected domain name to be configured to point to that first alias, and determines the primary domain name of the protected domain name to be configured;

2. Determine whether other protected domain names belonging to the primary domain name are already configured; if so, go to step 3; if not, go to step 4;

3. Find the second alias corresponding to the primary domain name, set the second alias record of the first alias to be configured to point to that second alias, and exit the process;

4. Obtain the number of primary domain names corresponding to each second alias, and determine whether the smallest of those numbers is greater than or equal to the alarm threshold; if so, go to step 5; if not, go to step 6;

5. Generate alarm information and send it to the alarm server, so that the alarm server performs an alarm operation; then go to step 8;

6. Determine whether the smallest number of primary domain names is greater than or equal to the early-warning threshold; if so, go to step 7; if not, go to step 8; the early-warning threshold is lower than the alarm threshold;

7. Generate early-warning information and send it to the alarm server, so that the alarm server performs an early-warning operation; then go to step 8;

8. Set the second alias record of the first alias to be configured to point to the second alias with the smallest number of primary domain names, and increment that second alias's primary domain name count by one;

9. Write the first alias record of the protected domain name to be configured and the second alias record of the first alias to be configured into the DNS management system.

Refer to Fig. 3, a flowchart of deleting a protected domain name on the cloud protection management platform according to an embodiment of the present invention; the process may include:

1. When the cloud protection management platform receives a domain name removal request, it sets the protected domain name in the request as the protected domain name to be removed and uses that domain name's first alias record to determine the first alias to be removed;

2. Determine whether other protected domain names that have not been deleted remain configured under the primary domain name of the protected domain name to be removed; if so, go to step 4; if not, go to step 3;

3. Decrement the primary domain name count of the second alias corresponding to that primary domain name by one, and go to step 4;

4. In the DNS management system, remove the first alias record corresponding to the protected domain name to be removed and the second alias record of the first alias to be removed.
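The add and delete flows of Fig. 2 and Fig. 3, and the counter and threshold logic of S201 to S205 that they implement, as one added example. This is illustrative code written for this page, not DBAPPSecurity's platform; the class name, the in-memory record dicts standing in for writes to the DNS management system, the alert list standing in for the alarm server, and the rule that the primary domain name is the last two labels are all assumptions (a production platform would use the public suffix list for that last step). As in Fig. 2, reaching the alarm threshold raises an alert but still assigns the domain; the choice of whether to refuse new domains at that point is left to the operator.

```python
def primary_domain(name):
    """Derive the primary domain name from a protected domain name.

    Assumption for this example: the primary domain is the last two labels
    (example1.abc.com -> abc.com). Real deployments should consult the public
    suffix list so that names such as example.co.uk are grouped correctly.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError("not a fully qualified domain name: %s" % name)
    return ".".join(labels[-2:])


class CloudProtectionPlatform:
    """In-memory model of the management platform's alias bookkeeping (hypothetical)."""

    def __init__(self, second_aliases, warn_threshold, alarm_threshold):
        if not second_aliases:
            raise ValueError("at least one second alias is required")
        if not 0 < warn_threshold < alarm_threshold:
            raise ValueError("warning threshold must be positive and below the alarm threshold")
        self.second_aliases = list(second_aliases)          # fixed order for tie-breaks
        self.counter = {a: 0 for a in self.second_aliases}  # primary domains per second alias
        self.primary_to_second = {}                         # primary domain -> second alias
        self.domains = {}                                   # protected domain -> (primary, first alias)
        self.first_alias_records = {}                       # protected domain -> first alias
        self.second_alias_records = {}                      # first alias -> second alias
        self.alerts = []                                    # (level, smallest count) sent to alarm server
        self.warn_threshold = warn_threshold
        self.alarm_threshold = alarm_threshold

    def add_domain(self, protected, first_alias):
        """Fig. 2: configure a protected domain; returns the second alias chosen."""
        if protected in self.domains:
            raise ValueError("%s is already configured" % protected)
        if first_alias in self.second_alias_records:
            raise ValueError("first alias %s is already in use" % first_alias)  # must be per-domain
        primary = primary_domain(protected)                               # step 1
        if primary in self.primary_to_second:                             # step 2 -> step 3
            second = self.primary_to_second[primary]
        else:                                                             # steps 4 to 8
            smallest = min(self.counter.values())
            if smallest >= self.alarm_threshold:
                self.alerts.append(("alarm", smallest))
            elif smallest >= self.warn_threshold:
                self.alerts.append(("warning", smallest))
            # min() returns the first alias in list order among those tied for fewest.
            second = min(self.second_aliases, key=lambda a: self.counter[a])
            self.counter[second] += 1
            self.primary_to_second[primary] = second
        self.first_alias_records[protected] = first_alias                 # step 9
        self.second_alias_records[first_alias] = second
        self.domains[protected] = (primary, first_alias)
        return second

    def remove_domain(self, protected):
        """Fig. 3: remove a protected domain; returns True if a counter was decremented."""
        primary, first_alias = self.domains.pop(protected)
        others_remain = any(p == primary for p, _ in self.domains.values())
        decremented = False
        if not others_remain:                                             # step 2 -> step 3
            second = self.primary_to_second.pop(primary)
            self.counter[second] -= 1
            decremented = True
        del self.first_alias_records[protected]                           # step 4
        del self.second_alias_records[first_alias]
        return decremented


if __name__ == "__main__":
    platform = CloudProtectionPlatform(
        ["second1.yunfanghu.com", "second2.yunfanghu.com"], warn_threshold=1, alarm_threshold=2)
    for name in ["example1.abc.com", "example2.abc.com", "example.abc1.com", "example.abc2.com"]:
        alias = name.replace(".", "-") + ".yunfanghu.com"
        print(name, "->", alias, "->", platform.add_domain(name, alias))
    print(platform.counter, platform.alerts)
```

With two second aliases and thresholds of 1 and 2, the four domains from the text land as described there: both abc.com names share second1.yunfanghu.com and count as one primary domain, abc1.com goes to second2.yunfanghu.com, and abc2.com triggers the early warning before being assigned to second1.yunfanghu.com. Removing the first abc.com name leaves the counter untouched because the other one still points at that second alias; removing the last one decrements it.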

A cloud protection node scheduling system and a storage medium according to embodiments of the present invention are described below; the system and storage medium described below and the cloud protection node scheduling method described above may be referred to in correspondence with each other.

Refer to Fig. 4a, a structural block diagram of a cloud protection node scheduling system according to an embodiment of the present invention. The system includes a DNS management system 401 and a cloud protection node 402, wherein:

the DNS management system 401 is configured to, on receiving a domain name resolution request sent by a client, extract the protected domain name from the request and resolve the first alias using the first alias record corresponding to the protected domain name, the first alias being a domain name alias dedicated to the protected domain name; resolve the second alias using the second alias record corresponding to the first alias and determine the multiple node IP addresses bound to the second alias; and input the node IP addresses into the cloud protection node scheduling algorithm, determine an available target node IP address, and send it to the client, so that the client sends the data destined for the protected domain name to the cloud protection node 402 corresponding to the target node IP address;

the cloud protection node 402 is configured to perform attack detection on the data the client sends to the protected domain name.

Optionally, refer to Fig. 4b, a structural block diagram of another cloud protection node scheduling system according to an embodiment of the present invention. The system may further include a cloud protection management platform 403, wherein:

the cloud protection management platform 403 is configured to, on receiving a configuration request, extract the protected domain name to be configured and the corresponding first alias to be configured from the request, set the first alias record of the protected domain name to be configured to point to that first alias, and determine the primary domain name of the protected domain name to be configured; determine whether other protected domain names belonging to the primary domain name are already configured; if so, find the second alias corresponding to the primary domain name and set the second alias record of the first alias to be configured to point to it; if not, determine the number of primary domain names corresponding to each second alias and set the second alias record of the first alias to be configured to point to the second alias with the smallest number; and write the first alias record of the protected domain name to be configured and the second alias record of the first alias to be configured into the DNS management system 401;

DNS管理系统401,还用于保存接收到的第一别名记录和第二别名记录。The DNS management system 401 is further configured to store the received first alias record and the second alias record.

可选地,请参考图4c,图4c为本发明实施例所提供的又一种云防护节点调度系统的结构框图,该系统还可以包括:告警服务器404,其中,Optionally, please refer to FIG. 4c. FIG. 4c is a structural block diagram of another cloud protection node scheduling system provided by an embodiment of the present invention. The system may also include: an alarm server 404, wherein,

云防护管理平台403,还用于判断主域名数量中的最小值是否大于等于预设阈值;若是,则生成告警信息,并将告警信息发送至告警服务器404,以使告警服务器执行告警操作;若否,则执行将待配置第一别名的第二别名记录,设置为指向主域名数量最少的第二别名的步骤;The cloud protection management platform 403 is also used to judge whether the minimum value in the number of primary domain names is greater than or equal to a preset threshold; if so, generate alarm information and send the alarm information to the alarm server 404, so that the alarm server performs an alarm operation; if If not, perform the step of setting the second alias record of the first alias to be configured to point to the second alias with the least number of primary domain names;

告警服务器404,用于在接收到告警信息时执行告警操作。The alarm server 404 is configured to perform an alarm operation when receiving alarm information.

可选地,云防护管理平台403,还用于在接收到域名移除请求时,将域名移除请求中的防护域名设置为待移除防护域名,并利用待移除防护域名的第一别名记录,确定待移除第一别名;在DNS管理系统401中,将待移除防护域名对应的第一别名记录及待移除第一别名的第二别名记录移除。Optionally, the cloud protection management platform 403 is also configured to set the protected domain name in the domain name removal request as the protected domain name to be removed when receiving the domain name removal request, and use the first alias of the protected domain name to be removed record, determining the first alias to be removed; in the DNS management system 401, removing the first alias record corresponding to the protected domain name to be removed and the second alias record to be removed from the first alias.

可选地,DNS管理系统401,还用于在接收到客户端发送的域名解析请求时,提取域名解析请求中的源IP地址;Optionally, the DNS management system 401 is also configured to extract the source IP address in the domain name resolution request when receiving the domain name resolution request sent by the client;

相应的,DNS管理系统401中的云防护节点调度算法根据节点IP地址对应云防护节点的运行情况,以及源地址所属的地区信息和/或运营商信息确定目标节点IP地址。Correspondingly, the cloud protection node scheduling algorithm in the DNS management system 401 determines the target node IP address according to the operation status of the cloud protection node corresponding to the node IP address, and the region information and/or operator information to which the source address belongs.
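The system description above (and claims 1 to 7 below) can be read as three small procedures over two tables of CNAME-style records: configuration picks a second alias for a new protected domain, removal drops both records, and resolution walks protected domain, first alias, second alias, node pool and finally a scheduled node. The following Python model is an added example written for this page; it is not code from the patent or its assignee. The domain names, node IP addresses, region labels, the client-region lookup table (a stand-in for whatever GeoIP/carrier data the real scheduler uses) and the threshold of 2 are all constructed sample values, the main-domain rule (last two labels) is a simplification, and the choice to leave the second alias record unset after an alarm is an assumption, since the page does not say what follows the alarm.

```python
"""Constructed model of the two-level alias scheme (added example, not the
patent's own code): protected domain -> first alias (exclusive) -> second
alias (shared per main domain) -> node IP pool -> scheduled node."""
from collections import defaultdict


def main_domain(name):
    """Main domain = last two labels. Simplification (assumption): a real
    deployment would consult the public suffix list for names like co.uk."""
    return ".".join(name.split(".")[-2:])


class DnsManagementSystem:
    """Holds the alias records and runs the scheduling step of resolution."""

    def __init__(self, node_ips, node_up, node_region, client_region):
        self.first_alias = {}               # protected domain -> first alias
        self.second_alias = {}              # first alias -> second alias
        self.node_ips = node_ips            # second alias -> list of node IPs
        self.node_up = node_up              # node IP -> True when healthy
        self.node_region = node_region      # node IP -> region label
        self.client_region = client_region  # source IP -> region (GeoIP stand-in)

    def schedule(self, ips, source_ip):
        """Scheduling algorithm: healthy nodes only, prefer the client's region."""
        healthy = [ip for ip in ips if self.node_up.get(ip)]
        local = [ip for ip in healthy
                 if self.node_region.get(ip) == self.client_region.get(source_ip)]
        return (local or healthy or [None])[0]

    def resolve(self, protected_domain, source_ip):
        """Walk domain -> first alias -> second alias -> node pool -> target."""
        first = self.first_alias.get(protected_domain)
        second = self.second_alias.get(first)
        if first is None or second is None:
            return None  # not protected, or its second alias was never bound
        target = self.schedule(self.node_ips.get(second, []), source_ip)
        return {"first_alias": first, "second_alias": second, "target": target}


class CloudProtectionPlatform:
    """Writes and removes alias records; alarms when every second alias
    already serves at least `threshold` main domains."""

    def __init__(self, dns, second_aliases, threshold):
        self.dns, self.aliases, self.threshold = dns, list(second_aliases), threshold
        self.alarms = []

    def main_domain_counts(self):
        """Distinct main domains currently bound to each second alias."""
        mains = defaultdict(set)
        for domain, first in self.dns.first_alias.items():
            if first in self.dns.second_alias:
                mains[self.dns.second_alias[first]].add(main_domain(domain))
        return {alias: len(mains[alias]) for alias in self.aliases}

    def configure(self, protected_domain, first_alias):
        """Bind a protected domain; returns the chosen second alias or None."""
        main = main_domain(protected_domain)
        self.dns.first_alias[protected_domain] = first_alias
        siblings = [d for d, f in self.dns.first_alias.items()
                    if d != protected_domain and main_domain(d) == main
                    and f in self.dns.second_alias]
        if siblings:  # the main domain already has a second alias: reuse it
            second = self.dns.second_alias[self.dns.first_alias[siblings[0]]]
        else:
            counts = self.main_domain_counts()
            if min(counts.values()) >= self.threshold:
                # Page: raise an alarm instead of binding. What follows the
                # alarm is unspecified; assumption: the record stays unset.
                self.alarms.append(f"{protected_domain}: all second aliases at capacity")
                return None
            second = min(self.aliases, key=lambda a: (counts[a], a))
        self.dns.second_alias[first_alias] = second
        return second

    def remove(self, protected_domain):
        """Drop both records of a protected domain; returns the removed first alias."""
        first = self.dns.first_alias.pop(protected_domain, None)
        if first is not None:
            self.dns.second_alias.pop(first, None)
        return first


def build_demo():
    """Constructed deployment: two second aliases, three nodes, one of them down."""
    node_ips = {"s1.cloud.test": ["198.51.100.10", "198.51.100.11"],
                "s2.cloud.test": ["203.0.113.10"]}
    node_up = {"198.51.100.10": False, "198.51.100.11": True, "203.0.113.10": True}
    node_region = {"198.51.100.10": "east", "198.51.100.11": "east",
                   "203.0.113.10": "west"}
    client_region = {"192.0.2.5": "east", "192.0.2.9": "west"}
    dns = DnsManagementSystem(node_ips, node_up, node_region, client_region)
    return dns, CloudProtectionPlatform(dns, node_ips, threshold=2)


if __name__ == "__main__":
    dns, mgmt = build_demo()
    for domain, alias in [("www.alpha.test", "www-alpha.cname.test"),
                          ("api.alpha.test", "api-alpha.cname.test"),
                          ("www.beta.test", "www-beta.cname.test")]:
        print(domain, "->", alias, "->", mgmt.configure(domain, alias))
    print(dns.resolve("www.alpha.test", "192.0.2.5"))
```

Two points the model makes visible: because the second alias is shared by every protected domain of one main domain, removing one protected domain (`remove`) only deletes its own first-alias and second-alias records and leaves its siblings resolvable; and because the first alias record is written before the threshold check, a domain that triggered the alarm exists in the first table but resolves to nothing until an operator binds it.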

An embodiment of the present invention further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of the cloud protection node scheduling method of any of the above embodiments.

Since the embodiments of the storage medium correspond to the embodiments of the cloud protection node scheduling method, refer to the description of the method embodiments for the storage medium embodiments; they are not repeated here.

The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; refer to the description of the method for the relevant details.

Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of their functions. Whether these functions are executed in hardware or in software depends on the particular application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as exceeding the scope of the present invention.

The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

The cloud protection node scheduling method, system and storage medium provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principle and implementation of the present invention; the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. It should be noted that those of ordinary skill in the art can make several improvements and modifications to the present invention without departing from its principle, and these improvements and modifications also fall within the protection scope of the claims of the present invention.

Claims (8)

1. A cloud protection node scheduling method, characterized by comprising:
when a DNS management system receives a domain name resolution request sent by a client, extracting the protected domain name from the domain name resolution request and resolving a first alias using the first alias record corresponding to the protected domain name, the first alias being a domain name alias exclusive to the protected domain name;
resolving a second alias using the second alias record corresponding to the first alias, and determining multiple node IP addresses bound to the second alias;
inputting the node IP addresses into a cloud protection node scheduling algorithm, determining an available target node IP address, and sending the target node IP address to the client, so that the client sends data destined for the protected domain name to the cloud protection node corresponding to the target node IP address;
and, before the DNS management system receives the domain name resolution request sent by the client, further comprising:
when a cloud protection management platform receives a configuration request, extracting the protected domain name to be configured and the corresponding first alias to be configured from the configuration request, setting the first alias record of the protected domain name to be configured to point to the first alias to be configured, and determining the main domain name of the protected domain name to be configured;
judging whether other protected domain names belonging to the main domain name are configured;
if so, looking up the second alias corresponding to the main domain name, and setting the second alias record of the first alias to be configured to point to the second alias corresponding to the main domain name;
if not, determining the number of main domain names corresponding to each second alias, and setting the second alias record of the first alias to be configured to point to the second alias with the smallest number of main domain names;
writing the first alias record of the protected domain name to be configured and the second alias record of the first alias to be configured into the DNS management system.

2. The cloud protection node scheduling method according to claim 1, characterized in that, after determining the number of main domain names corresponding to each second alias, the method further comprises:
the cloud protection management platform judging whether the minimum of the numbers of main domain names is greater than or equal to a preset threshold;
if so, generating alarm information and sending the alarm information to an alarm server, so that the alarm server performs an alarm operation;
if not, performing the step of setting the second alias record of the first alias to be configured to point to the second alias with the smallest number of main domain names.

3. The cloud protection node scheduling method according to claim 1, characterized in that, after writing the first alias record of the protected domain name to be configured and the second alias record of the first alias to be configured into the DNS management system, the method further comprises:
when the cloud protection management platform receives a domain name removal request, setting the protected domain name in the domain name removal request as the protected domain name to be removed, and determining the first alias to be removed using the first alias record of the protected domain name to be removed;
the cloud protection management platform removing, in the DNS management system, the first alias record corresponding to the protected domain name to be removed and the second alias record of the first alias to be removed.

4. The cloud protection node scheduling method according to claim 1, characterized in that, after the DNS management system receives the domain name resolution request sent by the client, the method further comprises:
the DNS management system extracting the source IP address from the domain name resolution request;
correspondingly, the cloud protection node scheduling algorithm determining the target node IP address according to the operating status of the cloud protection nodes corresponding to the node IP addresses, and the region information and/or carrier information to which the source IP address belongs.

5. A cloud protection node scheduling system, characterized by comprising a DNS management system and a cloud protection node, wherein:
the DNS management system is configured to, on receiving a domain name resolution request sent by a client, extract the protected domain name from the domain name resolution request and resolve a first alias using the first alias record corresponding to the protected domain name, the first alias being a domain name alias exclusive to the protected domain name; to resolve a second alias using the second alias record corresponding to the first alias and determine multiple node IP addresses bound to the second alias; and to input the node IP addresses into a cloud protection node scheduling algorithm, determine an available target node IP address, and send the target node IP address to the client, so that the client sends data destined for the protected domain name to the cloud protection node corresponding to the target node IP address;
the cloud protection node is configured to perform attack detection on the data sent by the client to the protected domain name;
the cloud protection node scheduling system further comprises a cloud protection management platform, wherein:
the cloud protection management platform is configured to, on receiving a configuration request, extract the protected domain name to be configured and the corresponding first alias to be configured from the configuration request, set the first alias record of the protected domain name to be configured to point to the first alias to be configured, and determine the main domain name of the protected domain name to be configured; to judge whether other protected domain names belonging to the main domain name are configured; if so, to look up the second alias corresponding to the main domain name and set the second alias record of the first alias to be configured to point to the second alias corresponding to the main domain name; if not, to determine the number of main domain names corresponding to each second alias and set the second alias record of the first alias to be configured to point to the second alias with the smallest number of main domain names; and to write the first alias record of the protected domain name to be configured and the second alias record of the first alias to be configured into the DNS management system;
the DNS management system is further configured to store the received first alias record and second alias record.

6. The cloud protection node scheduling system according to claim 5, characterized by further comprising an alarm server, wherein:
the cloud protection management platform is further configured to judge whether the minimum of the numbers of main domain names is greater than or equal to a preset threshold; if so, to generate alarm information and send the alarm information to the alarm server, so that the alarm server performs an alarm operation; if not, to perform the step of setting the second alias record of the first alias to be configured to point to the second alias with the smallest number of main domain names;
the alarm server is configured to perform an alarm operation on receiving the alarm information.

7. The cloud protection node scheduling system according to claim 5, characterized in that:
the cloud protection management platform is further configured to, on receiving a domain name removal request, set the protected domain name in the domain name removal request as the protected domain name to be removed, determine the first alias to be removed using the first alias record of the protected domain name to be removed, and remove, in the DNS management system, the first alias record corresponding to the protected domain name to be removed and the second alias record of the first alias to be removed.

8. A storage medium, characterized in that a computer program is stored on the storage medium, and when the computer program is executed by a processor, the steps of the cloud protection node scheduling method according to any one of claims 1 to 4 are implemented.
CN202110578577.0A 2021-05-26 2021-05-26 Cloud protection node scheduling method, system and storage medium Active CN113315853B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110578577.0A CN113315853B (en) 2021-05-26 2021-05-26 Cloud protection node scheduling method, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110578577.0A CN113315853B (en) 2021-05-26 2021-05-26 Cloud protection node scheduling method, system and storage medium

Publications (2)

Publication Number Publication Date
CN113315853A CN113315853A (en) 2021-08-27
CN113315853B true CN113315853B (en) 2023-03-24

Family

ID=77374951

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110578577.0A Active CN113315853B (en) 2021-05-26 2021-05-26 Cloud protection node scheduling method, system and storage medium

Country Status (1)

Country Link
CN (1) CN113315853B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143332B (en) * 2021-11-03 2024-06-11 阿里巴巴(中国)有限公司 Processing method, electronic equipment and medium based on content delivery network CDN
CN114629874A (en) * 2022-02-28 2022-06-14 天翼安全科技有限公司 Cloud protection node switching method, system, equipment and medium of source station server

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450841A (en) * 2018-09-03 2019-03-08 中新网络信息安全股份有限公司 A kind of Large Scale DDoS Attack detection and system of defense and defence method based on the on-demand linkage pattern of cloud+end equipment
CN112100477A (en) * 2020-09-07 2020-12-18 北京视界云天科技有限公司 Multi-cloud scheduling method and device, computer equipment and storage medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7574508B1 (en) * 2002-08-07 2009-08-11 Foundry Networks, Inc. Canonical name (CNAME) handling for global server load balancing
US8886750B1 (en) * 2011-09-28 2014-11-11 Amazon Technologies, Inc. Alias resource record sets
US20140283106A1 (en) * 2013-03-14 2014-09-18 Donuts Inc. Domain protected marks list based techniques for managing domain name registrations
CN109413220B (en) * 2018-09-03 2022-03-15 中新网络信息安全股份有限公司 A method to avoid DNS propagation by accessing the DDOS cloud protection system in an alias mode
US20200106790A1 (en) * 2018-09-28 2020-04-02 Fireeye, Inc. Intelligent system for mitigating cybersecurity risk by analyzing domain name system traffic
CN109688242B (en) * 2018-12-27 2022-03-22 深信服科技股份有限公司 Cloud protection system and method
CN112769769B (en) * 2020-12-24 2022-11-11 网根(南京)网络中心有限公司 DNS alias resolution method and system

Also Published As

Publication number Publication date
CN113315853A (en) 2021-08-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20210827

Assignee: Hangzhou Anheng Information Security Technology Co.,Ltd.

Assignor: Dbappsecurity Co.,Ltd.

Contract record no.: X2024980043364

Denomination of invention: A method, system, and storage medium for scheduling cloud protection nodes

Granted publication date: 20230324

License type: Common License

Record date: 20241231