CN119232800B - CDN edge node access request processing method, device and computer equipment - Google Patents
- Publication number: CN119232800B (application CN202411718471.6A)
- Authority: CN (China)
- Prior art keywords: verification, target object, target, cdn, access request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/50—Network services
          - H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention relates to the technical field of network security and discloses a method, a device and computer equipment for processing access requests at a CDN edge node. The method comprises: after receiving an access request from a target object to an edge node in the CDN, analyzing the access request to obtain configuration information of the target object; creating a verification task for the target object based on the configuration information; obtaining the verification result returned by the target object and generating an object identifier for the target object from that result; and synchronizing the object identifier to a target node in the CDN that matches the target object, the target node then processing the target object's access requests according to the object identifier. In this way security protection is performed at the CDN edge nodes themselves, adding a line of defence, improving defence response time and success rate, and therefore improving the user experience.
Description
Technical Field
The disclosure relates to the technical field of network security, and in particular to a method and a device for processing access requests at a CDN edge node, and to computer equipment.
Background
A content delivery network (CDN) is a distributed cluster of servers deployed around the world to accelerate the delivery of content and services over the Internet. When a user requests a website or application, the CDN selects the server cluster closest to the user, based on the user's location, to serve the content, which reduces load time and improves site performance.
A CDN works by caching the static resources of a website (images, video, CSS, JavaScript files and so on) on server clusters in different geographic locations. When a user requests one of these resources, the CDN steers the request, via DNS, to the nearest edge node, which delivers the content instead of the origin server cluster. This reduces network congestion and latency, speeds up page loading, improves the user experience and greatly reduces the load on the customer's origin cluster.
However, the edge architecture of a CDN consists of a large number of service nodes, each made up of a varying number of physical or virtual servers that jointly provide service through a limited set of VIPs (virtual IP addresses). These nodes may be located anywhere in the world and are physically isolated from one another, so as a service provider the CDN is exposed to security probing and attacks of different types at every moment.
Fig. 1 is a schematic diagram of this CDN architecture. Once an edge node of the CDN is hit by an attacker, the customer's origin station is affected immediately and its service is damaged; as the attack volume rises and the attack techniques change, the CDN edge node itself is also affected, so that the service of other customers sharing that CDN service node is damaged as well, leading to uncompensated full-service outages and seriously degrading the customers' experience.
Disclosure of Invention
In view of the above, the present disclosure provides a method, an apparatus and a computer device for processing access requests at a CDN edge node, to solve the problem that, when an edge node in the CDN is hit by an attacker, the customer's origin station is affected immediately and its service is damaged.
In a first aspect, the present disclosure provides a method for processing an access request at a CDN edge node, the method comprising:
after receiving an access request from a target object to an edge node in the CDN, analyzing the access request to obtain configuration information of the target object;
creating a verification task for the target object based on the configuration information, where the verification type of the verification task comprises verification information verification and/or code verification, verification information verification instructing the target object to input verification information and code verification instructing the target object to execute verification code;
obtaining a verification result returned by the target object, and generating an object identifier for the target object according to the verification result; and
synchronizing the object identifier to a target node in the CDN that matches the target object, the target node being configured to process the access request of the target object according to the object identifier.
In a second aspect, the present disclosure provides an access request processing apparatus for a CDN edge node, the apparatus comprising:
an analysis module, for analyzing the access request after an access request from a target object to an edge node in the CDN is received, to obtain configuration information of the target object;
a creation module, for creating a verification task for the target object based on the configuration information, where the verification type of the verification task comprises verification information verification and/or code verification, verification information verification instructing the target object to input verification information and code verification instructing the target object to execute verification code;
a generation module, for obtaining a verification result returned by the target object and generating an object identifier for the target object according to the verification result; and
a synchronization module, for synchronizing the object identifier to a target node in the CDN that matches the target object, the target node being configured to process the access request of the target object according to the object identifier.
In a third aspect, the disclosure provides a computer device, including a memory and a processor, where the memory and the processor are communicatively connected to each other, and the memory stores computer instructions, and the processor executes the computer instructions, so as to execute the method for processing an access request of the CDN edge node according to the first aspect or any implementation manner corresponding to the first aspect.
In a fourth aspect, the present disclosure provides a computer readable storage medium, where computer instructions are stored on the computer readable storage medium, where the computer instructions are configured to cause a computer to execute the method for processing an access request of a CDN edge node according to the first aspect or any one of the embodiments corresponding to the first aspect.
In a fifth aspect, the present disclosure provides a computer program product, including computer instructions for causing a computer to execute the method for processing an access request of a CDN edge node according to the first aspect or any implementation manner corresponding to the first aspect.
In the embodiment of the disclosure, after an access request from a target object to an edge node in the CDN is received, the access request is first analyzed to obtain configuration information of the target object. The edge node then creates a verification task for the target object based on that configuration information, obtains the verification result returned by the target object and generates an object identifier for it from that result. Finally the object identifier is synchronized to the target nodes in the CDN that match the target object, so that those nodes process the target object's access requests according to the object identifier. Security protection is thus performed at the CDN edge nodes themselves, adding a line of defence, improving defence response time and success rate, and therefore improving the user experience.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the prior art, the drawings that are required in the detailed description or the prior art will be briefly described, it will be apparent that the drawings in the following description are some embodiments of the present disclosure, and other drawings may be obtained according to the drawings without inventive effort for a person of ordinary skill in the art.
FIG. 1 is a schematic diagram of a CDN architecture;
FIG. 2 is a schematic diagram of an attack on a CDN;
FIG. 3 is a schematic diagram of an access request handling scheme for an associated CDN edge node;
FIG. 4 is a flow chart of a method of processing access requests by CDN edge nodes according to an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of verifying an access request through the security unit;
FIG. 6 is a flow chart of another method of processing access requests by CDN edge nodes according to an embodiment of the present disclosure;
FIG. 7 is a schematic diagram of performing a sequence of sub-verification tasks;
FIG. 8 is a flow chart of a target object performing a verification task under a cross-domain request;
FIG. 9 is a schematic diagram of an edge state diffusion mechanism;
FIG. 10 is a block diagram of an access request handling device of a CDN edge node according to an embodiment of the present disclosure;
FIG. 11 is a schematic diagram of the hardware structure of a computer device according to an embodiment of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. Based on the embodiments in this disclosure, all other embodiments that a person skilled in the art would obtain without making any inventive effort are within the scope of protection of this disclosure.
The application scenario on which the access request processing method of a CDN edge node depends is the CDN described in the Background above: a globally distributed set of edge nodes that cache static resources close to users and serve them via DNS steering, each node made up of a varying number of physical or virtual servers behind a limited set of VIPs and, as shown in Fig. 1, exposed to continuous probing and attacks. An attack that hits one edge node damages the customer's origin station immediately and, as the attack grows or changes technique, can take down the service of every other customer sharing that node.
Specifically, attacks on a CDN include CC attacks (Challenge Collapsar, a type of distributed denial-of-service attack), web application attacks of the kinds catalogued by OWASP, and bot attacks (robot programs that imitate human user behaviour to attack the target website), among others. Fig. 2 is a schematic diagram of an attack on a CDN. Taking the common CC attack as an example, a large number of forged HTTP requests are sent to the target server cluster; these requests typically trigger complex, time-consuming computation or database operations, exhausting the cluster's resources and making the service unavailable. In addition, penetration attacks that exploit technical or business-logic vulnerabilities in the target service are more covert and harder to identify.
Fig. 3 is a schematic diagram of a related access request processing scheme for CDN edge nodes, in which a security protection module is placed in front of the origin station to defend against external attacks. This only stops part of the intrusions: the security protection module cannot collect complete information about the real attacker, because it passively receives only the limited HTTP data forwarded to it by the CDN node, so the decisions it can make are very limited and misjudgements are likely. At the same time, the edge node serves user requests directly without going through the origin station, so the large volume of resources cached at the CDN edge never passes the protection module in front of the origin and is not protected at all; the cache can be scraped by attackers, inflating the billed CDN bandwidth.
Based on this, the embodiment of the disclosure provides a method for processing an access request of an edge node of a CDN, first, after receiving an access request of a target object to the edge node in the CDN, the method may analyze based on the access request to obtain configuration information of the target object. Then, a verification task can be created for the target object based on the configuration information, and a verification result returned by the target object is obtained, so that an object identifier is generated for the target object according to the verification result. Then, the object identifier can be synchronized to a target node matched with the target object in the CDN, so that the target node processes the access request of the target object according to the object identifier, safety protection can be realized through the edge node of the CDN, a defending means is increased, defending response speed and defending success rate are improved, and further user experience is improved.
It will be appreciated that prior to using the technical solutions disclosed in the embodiments of the present disclosure, the user should be informed and authorized of the type, usage range, usage scenario, etc. of the personal information related to the present disclosure in an appropriate manner according to the relevant legal regulations.
For example, in response to receiving an active request from a user, a prompt is sent to the user explicitly stating that the operation the user is requesting will require obtaining and using the user's personal information. The user can then decide, based on the prompt, whether to provide personal information to the software or hardware (an electronic device, an application, a server or a storage medium) that executes the technical solution of the present disclosure.
As an alternative but non-limiting implementation, in response to receiving an active request from a user, the manner in which the prompt information is sent to the user may be, for example, a popup, in which the prompt information may be presented in a text manner. In addition, a selection control for the user to select to provide personal information to the electronic device in a 'consent' or 'disagreement' manner can be carried in the popup window.
It will be appreciated that the above-described notification and user authorization process is merely illustrative and not limiting of the implementations of the present disclosure, and that other ways of satisfying relevant legal regulations may be applied to the implementations of the present disclosure.
It will be appreciated that the data (including but not limited to the data itself, the acquisition or use of the data) involved in the present technical solution should comply with the corresponding legal regulations and the requirements of the relevant regulations.
According to an embodiment of the disclosure, an access request processing method embodiment of a CDN edge node is provided, it should be noted that the steps illustrated in the flowchart of the drawing may be performed in a computer system such as a set of computer executable instructions, and, although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different from that illustrated herein.
In this embodiment, an access request processing method for a CDN edge node is provided, which may be used in the foregoing CDN (hereinafter referred to as CDN), and fig. 4 is a flowchart of an access request processing method for a CDN edge node according to an embodiment of the present disclosure, as shown in fig. 4, where the flowchart includes the following steps:
step S401, after receiving the access request of the target object to the edge node in the CDN, analyzes based on the access request to obtain configuration information of the target object.
In the embodiment of the disclosure, the target object may be the terminal device that a user uses to request data from the CDN, for example a mobile phone or a computer, and the configuration information may describe the configuration of that terminal device; in particular, it may indicate which types of verification task the terminal device is able to receive.
Specifically, the CDN may direct the user's access request to the nearest edge node according to the user's geographic location; the edge node fetches the data requested by the access request from the origin station and delivers it to the user.
Service nodes in a CDN are generally arranged in several tiers: the lowest tier are the edge nodes, and the nodes between the edge nodes and the origin are non-edge nodes. Edge nodes are typically deployed close to end users, for example at city level, to provide fast response and processing capacity; non-edge nodes sit in the core or middle of the network and take on aggregation, storage and long-distance transmission of data. Because an edge node can perform a large amount of data processing and analysis locally, dependence on the central data centre and bandwidth cost are reduced; processing that instead relies mainly on the origin station's capacity requires long-distance transmission of the data and increases both delay and bandwidth cost.
Step S402, a verification task is created for the target object based on the configuration information, wherein the verification type of the verification task comprises verification information verification and/or code verification, the verification information verification is used for indicating the target object to input verification information, and the code verification is used for indicating the target object to execute verification codes.
In the embodiment of the present disclosure, a security unit may be deployed in an edge node of the CDN. The security unit identifies whether the target object is a risk object and, if so, creates a verification task for it based on the configuration information.
Specifically, the frequency with which the target object initiates access requests may be measured; if it exceeds a preset frequency, the target object is judged to be a risk object. Rather than refusing the access request outright, the verification task performs a second check on the target object, which avoids false positives for services with high protection-precision requirements.
Step S403, obtaining a verification result returned by the target object, and generating an object identifier for the target object according to the verification result.
In the embodiment of the disclosure, the user performs security verification according to the verification task and returns the verification result to the edge node, which generates the object identifier for the user from that result. In particular, the object identifier may be a malicious tag or a normal tag.
Once an object identifier has been generated for the user, it may be cached in the security unit of the edge node; for the duration of the cache period the user's requests are answered according to the object identifier without triggering the verification flow again, which reduces the edge node's consumption of computing resources.
In step S404, the object identifier is synchronized to a target node in the CDN that matches the target object, where the target node is configured to process the access request of the target object according to the object identifier.
In the embodiment of the disclosure, since the same attack in the context of CDN edge nodes rarely targets only a single edge node, the matching target nodes may be determined among the edge nodes of the CDN based on the geographic location of the target object.
Specifically, an edge node whose location satisfies a matching condition with the geographic location of the target object is taken as a target node. For example, if the target object is located in country X, the edge nodes deployed in that country may be taken as the edge nodes satisfying the matching condition.
After the object identifier has been synchronized into the security unit of the target node, the target node responds to the target object's access requests according to that object identifier. When the identifier is the malicious tag, the target node intercepts the target object's access requests directly for a certain period, with no resource-consuming verification; because this interception sits at the very front of the CDN traffic path, a large amount of server cluster resources is saved. When the identifier is the normal tag, the target node trusts the target object for a certain period and responds to its access requests with the normal resources directly, again without spending resources on verification.
As can be seen from the foregoing description, in the embodiments of the present disclosure, after an access request of a target object to an edge node in a CDN is received, analysis may be performed based on the access request to obtain configuration information of the target object. Then, a verification task can be created for the target object through the edge node based on the configuration information, and a verification result returned by the target object is obtained, so that an object identifier is generated for the target object according to the verification result. Then, the object identifier can be synchronized to a target node matched with the target object in the CDN, so that the target node processes the access request of the target object according to the object identifier, safety protection can be realized through the edge node of the CDN, a defending means is increased, defending response speed and defending success rate are improved, and further user experience is improved.
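The decision flow of steps S401 to S404, as an added example that is not part of the patent or any implementation it describes: a small in-memory model in which each edge node counts requests per client in a sliding window, challenges a client that crosses the threshold (choosing the verification types from the client's configuration information), caches the resulting malicious or normal tag with a TTL, and synchronizes that tag to the nodes matched to the same geography. The thresholds, TTLs, region keys, node names and the User-Agent rule are assumptions made for this example.

```javascript
// Added example (not the patent's own code): the per-request decision flow of
// steps S401 to S404 as a small in-memory model. One EdgeNode per CDN node,
// grouped by region so that a verdict reached on one node is synchronized to
// the nodes matched to the same geography. The thresholds, TTLs, region keys
// and the User-Agent rule below are assumptions made for this example.

const RATE_WINDOW_MS = 10 * 1000;  // sliding window used to count requests
const RATE_LIMIT = 20;             // more requests than this -> "risk object"
const TAG_TTL_MS = 5 * 60 * 1000;  // how long a malicious/normal tag is honoured

// Step S401: derive "configuration information" from the request. Only the
// device class and browser major version are read from the User-Agent here;
// a production node would use a real UA parser or client hints.
function parseConfig(req) {
  const ua = req.headers['user-agent'] || '';
  const m = /(?:Chrome|Firefox|Safari)\/(\d+)/.exec(ua);
  return {
    mobile: /Mobile|Android|iPhone/i.test(ua),
    majorVersion: m ? Number(m[1]) : 0,
    browser: m !== null,  // assumption: only known browsers get the JS challenge
  };
}

// Step S402 (variant of steps S6021/S6022): pick the verification types a
// client with this configuration is able to complete.
function chooseVerification(cfg) {
  if (!cfg.browser) return ['captcha'];
  return cfg.mobile ? ['captcha'] : ['javascript', 'captcha'];
}

class EdgeNode {
  constructor(id, region) {
    this.id = id;
    this.region = region;
    this.hits = new Map();  // client key -> request timestamps in the window
    this.tags = new Map();  // client key -> { tag, until }
    this.peers = [];        // other nodes that receive synchronized tags
  }

  // Frequency check: count this client's requests in a sliding window.
  isRiskObject(key, now) {
    const ts = (this.hits.get(key) || []).filter(t => now - t < RATE_WINDOW_MS);
    ts.push(now);
    this.hits.set(key, ts);
    return ts.length > RATE_LIMIT;
  }

  // Cached object identifier, or null once its TTL has passed.
  cachedTag(key, now) {
    const e = this.tags.get(key);
    if (!e) return null;
    if (e.until <= now) { this.tags.delete(key); return null; }
    return e.tag;
  }

  // Entry point for one request; returns the action the node takes.
  handle(req, now) {
    const key = req.ip;
    const tag = this.cachedTag(key, now);
    if (tag === 'malicious') return { action: 'block', node: this.id };
    if (tag === 'normal') return { action: 'serve', node: this.id };
    if (!this.isRiskObject(key, now)) return { action: 'serve', node: this.id };
    return { action: 'challenge', node: this.id, types: chooseVerification(parseConfig(req)) };
  }

  // Steps S403/S404: turn the verification result into a tag, cache it here
  // and synchronize it to the peers in the same region (the target nodes).
  recordVerdict(key, passed, now) {
    const entry = { tag: passed ? 'normal' : 'malicious', until: now + TAG_TTL_MS };
    this.tags.set(key, entry);
    for (const p of this.peers) {
      if (p.region === this.region) p.tags.set(key, { ...entry });
    }
    return entry.tag;
  }
}

function buildCdn(spec) {
  const nodes = spec.map(([id, region]) => new EdgeNode(id, region));
  for (const n of nodes) n.peers = nodes.filter(o => o !== n);
  return Object.fromEntries(nodes.map(n => [n.id, n]));
}

// Walk-through on constructed traffic: a flood from one address hits sh-1,
// fails verification, and is then blocked on sh-2 (same region) but not on
// fra-1 (different region, so no tag was synchronized there).
function demo() {
  const cdn = buildCdn([['sh-1', 'CN'], ['sh-2', 'CN'], ['fra-1', 'DE']]);
  const bot = { ip: '203.0.113.7', headers: { 'user-agent': 'python-requests/2.31' } };
  const user = { ip: '198.51.100.9', headers: { 'user-agent': 'Mozilla/5.0 Chrome/124.0' } };
  const t0 = 1000000;
  const trace = [];
  for (let i = 0; i <= RATE_LIMIT; i++) trace.push(cdn['sh-1'].handle(bot, t0 + i * 100));
  cdn['sh-1'].recordVerdict(bot.ip, false, t0 + 3000);  // the bot failed the challenge
  return {
    firstBot: trace[0].action,
    challenge: trace[RATE_LIMIT],                              // request number 21
    sameRegion: cdn['sh-2'].handle(bot, t0 + 4000).action,    // blocked, never counted
    otherRegion: cdn['fra-1'].handle(bot, t0 + 4000).action,  // no tag synchronized
    afterTtl: cdn['sh-2'].handle(bot, t0 + 3000 + TAG_TTL_MS + 1).action,
    user: cdn['sh-1'].handle(user, t0).action,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things the model leaves out that matter in a real deployment: the client key should not be the bare source IP (carrier NAT puts many users behind one address, so a malicious tag would block them all, which is the false-positive problem the text warns about), and the tag synchronization would travel over the CDN's own node mesh rather than a direct write into a peer's map.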
In an alternative embodiment, the verification type of the verification task includes verification information verification and/or code verification, wherein the verification information verification is used for indicating the target object to input verification information, and the code verification is used for indicating the target object to execute verification codes.
In an embodiment of the present disclosure, the security unit may include a JavaScript challenge subunit and a Captcha challenge subunit, where the JavaScript challenge subunit creates the code verification task and the Captcha challenge subunit creates the verification information verification task.
Specifically, the JavaScript challenge consists of a piece of executable JavaScript check code wrapped in <script></script> tags; the check code is a random calculation formula. A browser environment evaluates the formula automatically in the background and returns the result to the edge node, whereas an attack program that does not run a JavaScript engine cannot complete the calculation.
The Captcha challenge is an HTML page containing the verification information and an input box; after the user submits the verification information, the edge node checks whether it is correct. The browser of the target object renders the verification page automatically and guides a normal user to enter the information and click submit, which an automated attack program cannot do on its own.
Fig. 5 is a schematic diagram of verifying an access request through the security unit: a normal user initiates access request 1 via VIP1, receives verification task 2 and returns verification result 3; if the result shows that the user has passed the JavaScript challenge and the Captcha challenge, target data 4 is returned in response to the access request. If instead a malicious user attacks the server cluster of the edge node via VIP2, it is blocked by the JavaScript challenge subunit and the Captcha challenge subunit.
In the embodiment of the disclosure, the security unit of an edge node may therefore contain several subunits that perform security verification, for example the JavaScript challenge subunit and the Captcha challenge subunit, which raises the difficulty of passing verification and further improves the reliability of the CDN's security protection.
In this embodiment, another method for processing an access request of a CDN edge node is provided, which may be used in the CDN described above, and fig. 6 is a flowchart of another method for processing an access request of a CDN edge node according to an embodiment of the present disclosure, as shown in fig. 6, where the flowchart includes the following steps:
Step S601, after receiving an access request of a target object to an edge node in the CDN, analysis is performed based on the access request to obtain configuration information of the target object. For details, refer to step S401 in the embodiment shown in fig. 4; it is not repeated here.
Step S602, a verification task is created for the target object based on the configuration information, wherein the verification type of the verification task comprises verification information verification and/or code verification, the verification information verification is used for indicating the target object to input verification information, and the code verification is used for indicating the target object to execute verification codes.
Specifically, the step S602 includes:
Step S6021, analyzing based on the configuration information to obtain at least one target check type matched with the version information of the target object.
Step S6022, creating a verification task for the target object based on the target verification type.
In the embodiment of the disclosure, considering that the authentication forms that can be supported by different terminal devices have a certain limitation, for example, the authentication forms corresponding to the mobile phone and the computer may be different. Accordingly, the type and version information of the target object may be analyzed based on the configuration information of the target object.
Specifically, a browser version corresponding to the target object may be determined based on the version information, and a target verification type corresponding to the browser version may be determined. For example, it may be determined whether the browser version supports the Captcha challenge, if so, the Captcha challenge and the Javascript challenge may be determined to be the target check type, and if not, the Javascript challenge may be determined to be the target check type.
Step S603, a verification result returned by the target object is obtained, and an object identifier is generated for the target object according to the verification result. For details, refer to step S403 in the embodiment shown in fig. 4; it is not repeated here.
Step S604, the object identifier is synchronized to a target node in the CDN that matches the target object, where the target node is configured to process an access request of the target object according to the object identifier. For details, refer to step S404 in the embodiment shown in fig. 4; it is not repeated here.
In the embodiment of the disclosure, since the security unit of the edge node may include a plurality of subunits for performing security verification, each subunit has different verification types, but not all terminal devices can support all verification types, the target verification types supported by the target object can be analyzed based on the version information of the target object, thereby improving the complexity of security verification and ensuring the success rate of execution of the verification task.
In some alternative embodiments, step S6022 includes:
Step a1, respectively establishing sub-verification tasks for each target verification type.
Step a2, obtaining preset check times, and distributing check execution times for the sub-check tasks according to the preset check times.
Step a3, creating a verification task according to the sub-verification tasks and the corresponding verification execution times.
In the embodiment of the present disclosure, the preset check number may be a default check number, where the default check number is the sum of the execution numbers of the respective sub-check tasks. Here, when the default check number is set, the execution number of the sub-check task of each target check type may be set specifically, or may be left unset. It should be understood that the preset number of checks may be adjusted adaptively; for example, after the edge node has been operated for a period of time and operating experience for the region has been obtained, the preset number of checks may be adjusted accordingly.
For example, if the default verification number is 3, fig. 7 is a schematic diagram of executing sub-verification tasks sequentially: when the execution number of the sub-verification task of each target verification type is set, it may be determined that the target verification types include the Captcha challenge and the Javascript challenge, where the execution number of the Javascript challenge may be set to 2 and the execution number of the Captcha challenge may be set to 1.
For another example, if the default verification number is 3, the execution number of the sub-verification task of each target verification type may be determined according to the history object identifier of the target object. Specifically, the Captcha challenge requires the user to input verification information, so its verification accuracy is higher, while the Javascript challenge is imperceptible to the user but its verification accuracy is lower; therefore, the more malicious tags there are in the history object identifier, the higher the execution number of the Captcha challenge.
In the embodiment of the disclosure, the verification execution times can be allocated to each sub-verification task through the preset verification times, so that the verification tasks are formulated for each edge node, verification forms of the verification tasks are enriched, and the safety protection reliability of the CDN is improved.
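Steps S6021, S6022 and a1 to a3 as one procedure, in an added example that is not part of the patent: the browser version is read from the configuration information, the check types that version supports are selected, and a preset check count of 3 is split over the sub-check tasks, with malicious tags in the history object identifier shifting executions towards the Captcha challenge. The "<family>/<major>" browser string, the CAPTCHA_MIN_MAJOR support matrix and the exact weighting rule are assumptions.

```javascript
const DEFAULT_CHECK_COUNT = 3;

// Hypothetical support matrix: the Captcha page is assumed to need at least
// this major version per browser family; anything else gets Javascript only.
const CAPTCHA_MIN_MAJOR = { chrome: 60, firefox: 55, safari: 11 };

// The configuration information is assumed to carry a "<family>/<major>"
// browser string (constructed format for this example).
function parseBrowser(config) {
  const m = /^([a-z]+)\/(\d+)/i.exec(config.browser || '');
  return m ? { family: m[1].toLowerCase(), major: Number(m[2]) } : { family: 'unknown', major: 0 };
}

// S6021: keep only the check types this browser version can run.
function selectTargetCheckTypes(config) {
  const { family, major } = parseBrowser(config);
  const types = ['javascript']; // the script challenge runs in any browser
  const min = CAPTCHA_MIN_MAJOR[family];
  if (min !== undefined && major >= min) types.push('captcha');
  return types;
}

// a2: split the preset check count over the sub-check tasks. With no history
// the split is 2 Javascript + 1 Captcha for a count of 3; every malicious tag
// in the history object identifier moves one execution to the more accurate
// Captcha challenge, while at least one Javascript run is always kept.
function allocateExecutionCounts(types, presetCount, maliciousTagCount = 0) {
  if (!types.includes('captcha')) return { javascript: presetCount };
  const captcha = Math.max(0, Math.min(presetCount - 1, 1 + maliciousTagCount));
  return { javascript: presetCount - captcha, captcha };
}

// a1 + a3: one sub-check task per target type, each with its execution count.
function createVerificationTask(config, presetCount = DEFAULT_CHECK_COUNT) {
  const types = selectTargetCheckTypes(config);
  const malicious = (config.historyIdentifiers || []).filter(id => id === 'malicious').length;
  const counts = allocateExecutionCounts(types, presetCount, malicious);
  return {
    target: config.objectId,
    subTasks: types.map(type => ({ type, executions: counts[type] })).filter(s => s.executions > 0),
    presetCount,
  };
}
```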
In some optional embodiments, the step S403 includes:
If the verification result represents that verification is unsuccessful, the object identifier is determined to be an abnormal identifier.
In the embodiment of the disclosure, the normal identifier is a normal label and the abnormal identifier is a malicious label. Here, if the target object passes all the sub-verification tasks, it is determined that the target object is verified successfully; if the target object fails at least one sub-verification task, it is determined that the target object is not verified successfully.
Specifically, when the verification type of the verification task includes verification information verification and code verification, if verification results indicate that verification is unsuccessful, determining the object identifier as an abnormal identifier, including the following steps:
Step b1, if the verification result of the verification information verification represents that verification is unsuccessful, degrading the verification task to code verification.
Step b2, if the verification result of the code verification represents that verification is unsuccessful, determining the object identifier as an abnormal identifier.
In the embodiment of the present disclosure, the verification sequence of the sub-verification tasks of each verification type may be preset; specifically, the sub-verification task of the resource-consuming type may be set higher in the verification sequence. For example, the verification sequence may be the Javascript challenge first, and if the user passes the Javascript challenge, the Captcha challenge is then executed.
Here, if the user passes the Javascript challenge, the Captcha challenge described above may be performed. If the user passes the Captcha challenge, the object identifier of the user is determined to be a normal label, and if the user does not pass the Captcha challenge, the verification task can be degraded to a Javascript challenge so as to execute code verification again. It should be appreciated that if a user fails the verification task after degradation, the user's object identifier may be determined to be a malicious label.
In addition, considering that a typical client service and the browser environment it runs in do not permit cross-domain access (a cross-domain request is one that is not same-origin), returning the identity challenge through a cross-domain request would cause many unexpected situations; in this case the identity challenge should be returned under the same-origin domain name, as though that domain name had its own interface and resource.
Specifically, same origin (homology) means that the protocols, domain names (hosts), and ports of the two requested interface URLs all agree. Taking the interface URL "http://www.example.com:443/path/resource.jpg" as an example, "http://" is the protocol, "www.example.com" is the host, and "80" is the port. Thus, request 1 "http://www.same.com/path1/1.jpg" is considered a same-origin request relative to request 2 "http://www.same.com/path2/2.jpg", while request 3 "http://www.same.com/path1/1.jpg" is a cross-domain request relative to request 4 "http://www.different.com/path2/2.jpg".
Fig. 8 is a flowchart of performing a verification task on a target object in a cross-domain request: the edge node corresponding to the domain name www.same.com is accessed by a normal user while also being under attack, and when the normal user triggers the verification task, the verification content may be returned along with the first access request, shortening the original 4 interactions to 2.
In the embodiment of the disclosure, the verification sequence of the sub-verification tasks of each verification type can be preset; specifically, the sub-verification task of the resource-consuming type can be set higher in the sequence, and when execution of the sub-verification task of the resource-consuming type fails, it is degraded to a sub-verification task with lower resource consumption, so that computing resources are saved and the false-kill probability of access requests is reduced while the safety protection reliability of the CDN is improved.
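The same-origin test just described, as an added example that is not part of the patent: protocol, host and port must all agree. Node's WHATWG URL parser drops a port equal to the scheme default, so the default is filled back in; this also makes visible that an explicit ":443" on an http URL is a different origin from the same host on http's default port 80. Function names and the /__challenge path are assumptions.

```javascript
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Decompose a URL into the three components the text compares. The WHATWG
// parser omits a port equal to the scheme default, so it is restored here
// to make the comparison explicit.
function originOf(urlString) {
  const u = new URL(urlString);
  return { protocol: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] || '' };
}

// Same origin: protocol, host and port all agree; paths are irrelevant.
function isSameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Build the challenge return address on the origin of the access request
// itself, so the browser treats the challenge interface as the site's own.
function challengeEndpoint(requestUrl, path = '/__challenge') {
  return new URL(path, new URL(requestUrl).origin).toString();
}

// Classify a batch of interface URLs relative to the page that issues them.
function classifyRequests(pageUrl, requestUrls) {
  return requestUrls.map(url => ({ url, kind: isSameOrigin(pageUrl, url) ? 'same-origin' : 'cross-domain' }));
}
```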
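The verification order of steps b1 and b2 as an added example that is not part of the patent: the Javascript challenges run first, each Captcha failure degrades that execution to code verification instead of blocking outright, and the object identifier follows the final outcome. The respond callback stands in for the round trip to the target object, and passing the degraded Javascript run is treated as success (the text states only the failure case); function names are assumptions.

```javascript
// Run the sub-verification tasks of a task in order and derive the object
// identifier. `respond(type)` returns true when the target object passes a
// challenge of that type; anything else counts as a failure.
function runVerificationTask(task, respond) {
  const trace = [];
  const run = (type) => {
    const passed = respond(type) === true;
    trace.push({ type, passed });
    return passed;
  };
  const executions = (type) => {
    const sub = task.subTasks.find(s => s.type === type);
    return sub ? sub.executions : 0;
  };

  // Javascript challenges first: imperceptible to the user and cheap to serve.
  for (let i = 0; i < executions('javascript'); i++) {
    if (!run('javascript')) return { identifier: 'abnormal', degraded: false, trace };
  }
  // Then the Captcha challenges. A failed Captcha is degraded to one more
  // code verification (b1); failing that too marks the object abnormal (b2).
  let degraded = false;
  for (let i = 0; i < executions('captcha'); i++) {
    if (run('captcha')) continue;
    degraded = true;
    if (!run('javascript')) return { identifier: 'abnormal', degraded, trace };
  }
  return { identifier: 'normal', degraded, trace };
}

// Scripted stand-in for the target object: answers are consumed in order, so
// the sequence of challenge types the node issues is checked as well.
function scriptedResponder(script) {
  let i = 0;
  return (type) => {
    const expected = script[i++];
    if (!expected || expected.type !== type) return false;
    return expected.pass;
  };
}
```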
In some alternative embodiments, the step S404 includes:
Step S4041, a target node matching the target object is determined among the edge nodes of the CDN.
Step S4042, the object identifier is synchronized to the security unit of the target node.
In the disclosed embodiment, the security unit may be a CHALLANGE module. Considering that a malicious user who attacks a client's source station through edge nodes in the CDN does not attack only one edge node, after any one edge node in the CDN determines the object identifier of a target object, the object identifier may be synchronized to the CHALLANGE module of the target node associated with that edge node through an edge state diffusion mechanism in the security unit.
Specifically, an edge node that satisfies a matching condition with the geographic position of the target object may be determined as the target node. For example, if the geographic location of the target object is in country X, then the edge nodes deployed in that country may be determined as the target nodes satisfying the matching condition. Here, fig. 9 is a schematic diagram of the edge state diffusion mechanism: after edge node 1 marks a malicious user, the malicious label may be synchronized to edge node 2 as a target node. Alternatively, in order to improve the defending ability of the whole CDN against malicious behaviors, all edge nodes in the CDN can be determined as target nodes; the specific way of setting target nodes is not particularly limited in the disclosure and is determined by the actual use requirement of the user.
In addition, after any target node detects the change of the object identifier of the target object, the changed object identifier may be updated to the security units of all the target nodes.
In the embodiment of the disclosure, after updating the object identifier, any target node may actively synchronize the updated object identifier to a target node closer to it, and after that target node completes synchronization, it may in turn synchronize the object identifier to other target nodes closer to itself, until the object identifier has been propagated to all the target nodes.
For example, if the target nodes include edge node 1, edge node 2, ..., edge node n, then after the object identifier of the target object in edge node 1 is updated from a malicious label to a normal label, the normal label may be diffused to edge node 2, which is closer to edge node 1; edge node 2 diffuses the normal label to edge node 3, which is closer to it, and so on, until the normal label has been diffused to all the target nodes.
In the embodiment of the disclosure, considering that a malicious user does not attack only one edge node in the CDN when the malicious user attacks a source station of a client through the edge node in the CDN, after any one edge node in the CDN determines an object identifier of a target object, the object identifier can be synchronized to a CHALLANGE module of the target node associated with the edge node through an edge state diffusion mechanism in a security unit, so that the defending performance of the CDN as a whole against malicious attacks is improved.
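The edge state diffusion mechanism as an added example that is not part of the patent: target nodes are the edge nodes in the target object's country, the node that (re)labels an object pushes the identifier to its nearest target nodes, and each receiver forwards it on until every target node holds it. A version number on the label makes the forwarding idempotent and keeps a stale label still in flight (an older "malicious") from overwriting a newer "normal"; the node layout, distances, fanout and the direct-sync fallback are assumptions.

```javascript
// A target node: its security unit's label store is a Map keyed by object identifier.
function makeNode(id, country, x, y) {
  return { id, country, x, y, labels: new Map() };
}

// Target nodes are the edge nodes matching the target object's geographic position.
function matchTargetNodes(nodes, targetObject) {
  return nodes.filter(n => n.country === targetObject.country);
}

function distance(a, b) { return Math.hypot(a.x - b.x, a.y - b.y); }

// The k target nodes closest to `node`, excluding itself.
function nearest(node, candidates, k) {
  return candidates
    .filter(c => c.id !== node.id)
    .sort((p, q) => distance(node, p) - distance(node, q))
    .slice(0, k);
}

// Write a label into one node's security unit. Returns false when the node
// already holds the same or a newer version, which both stops re-forwarding
// and keeps a stale label from overwriting a newer one.
function applyLabel(node, objectId, label) {
  const held = node.labels.get(objectId);
  if (held && held.version >= label.version) return false;
  node.labels.set(objectId, label);
  return true;
}

// Diffuse a (re)labelled object identifier from `originId` through the target
// nodes: each node forwards to its `fanout` nearest neighbours, which forward
// on in turn. Any node the nearest-neighbour chain misses (an isolated node)
// is synced directly by the origin so the label still reaches all target nodes.
// Returns the list of [from, to] hops actually taken.
function diffuse(targetNodes, originId, objectId, label, fanout = 2) {
  const origin = targetNodes.find(n => n.id === originId);
  const hops = [];
  const queue = [];
  if (applyLabel(origin, objectId, label)) queue.push(origin);
  while (queue.length) {
    const node = queue.shift();
    for (const next of nearest(node, targetNodes, fanout)) {
      if (applyLabel(next, objectId, label)) {
        hops.push([node.id, next.id]);
        queue.push(next);
      }
    }
  }
  for (const n of targetNodes) {
    if (applyLabel(n, objectId, label)) hops.push([origin.id, n.id]);
  }
  return hops;
}

function labelAt(node, objectId) {
  const held = node.labels.get(objectId);
  return held ? held.label : null;
}
```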
In summary, in the embodiments of the present disclosure, after an access request of a target object to an edge node in a CDN is received, analysis may be performed based on the access request to obtain configuration information of the target object. Then, a verification task can be created for the target object through the edge node based on the configuration information, and a verification result returned by the target object is obtained, so that an object identifier is generated for the target object according to the verification result. Then, the object identifier can be synchronized to a target node matched with the target object in the CDN, so that the target node processes the access request of the target object according to the object identifier, safety protection can be realized through the edge node of the CDN, a defending means is increased, defending response speed and defending success rate are improved, and further user experience is improved.
The embodiment also provides an access request processing device of the CDN edge node, which is used to implement the foregoing embodiment and the preferred embodiment, and is not described in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The present embodiment provides an access request processing apparatus for a CDN edge node, as shown in fig. 10, including:
The analysis module 1001 is configured to, after receiving an access request from a target object to an edge node in the CDN, analyze the access request to obtain configuration information of the target object;
the creation module 1002 is configured to create a verification task for the target object based on the configuration information, where a verification type of the verification task includes verification information verification for indicating that the target object inputs verification information and/or code verification for indicating that the target object executes a verification code;
a generating module 1003, configured to obtain a verification result returned by the target object, and generate an object identifier for the target object according to the verification result;
The synchronization module 1004 is configured to synchronize the object identifier to a target node in the CDN that matches the target object, where the target node is configured to process an access request of the target object according to the object identifier.
In some alternative embodiments, creation module 1002 is further configured to:
Analyzing based on the configuration information to obtain at least one target check type matched with the version information of the target object;
Based on the target verification type, a verification task is created for the target object.
In some alternative embodiments, creation module 1002 is further configured to:
Respectively establishing sub-verification tasks for each target verification type;
Acquiring preset check times, and distributing check execution times for sub-check tasks according to the preset check times;
And creating a verification task according to the sub-verification task and the corresponding verification execution times.
In some alternative embodiments, the generating module 1003 is further configured to:
if the verification result represents that the verification is successful, determining the object identifier as a normal identifier;
If the verification result represents that verification is unsuccessful, the object identification is determined to be an abnormal identification.
In some alternative embodiments, the verification type of the verification task includes verification information verification and/or code verification, a generation module 1003 further configured to:
if the verification result of verification information verification represents that verification is unsuccessful, degrading the verification task into code verification;
And if the verification result of the code verification represents that the verification is unsuccessful, determining the object identifier as an abnormal identifier.
In some alternative embodiments, the synchronization module 1004 is further configured to:
determining a target node matched with the target object in edge nodes of the CDN;
The object identification is synchronized to the security element of the target node.
In some alternative embodiments, the synchronization module 1004 is further configured to:
detecting the object identification change of the target object, and updating the changed object identification to the security unit of the target node.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The access request processing device of the CDN edge node in this embodiment is presented as a functional unit, where the unit refers to an ASIC (Application Specific Integrated Circuit), a processor and a memory that execute one or more software or fixed programs, and/or other devices that can provide the above functions.
The embodiment of the disclosure also provides a computer device, which is provided with the access request processing device of the CDN edge node shown in the figure 10.
Referring to fig. 11, fig. 11 is a schematic structural diagram of a computer device according to an alternative embodiment of the present disclosure. As shown in fig. 11, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting components, including a high-speed interface and a low-speed interface. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output device, such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 11.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
The memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform the methods of the above embodiments.
The memory 20 may include a storage program area that may store an operating system, application programs required for at least one function, and a storage data area that may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The memory 20 may comprise volatile memory, such as random access memory, or nonvolatile memory, such as flash memory, hard disk or solid state disk, or the memory 20 may comprise a combination of the above types of memory.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or communication networks.
The presently disclosed embodiments also provide a computer-readable storage medium. The methods described above may be implemented in hardware or firmware, or as software stored on a recordable storage medium, or as computer code that was originally stored in a remote or non-transitory machine-readable storage medium, is downloaded over a network and is stored in a local storage medium, so that the methods described herein may be executed from such a storage medium by a general-purpose computer, a special-purpose processor, or programmable or dedicated hardware. The storage medium may be a magnetic disk, an optical disk, a read-only memory, a random-access memory, a flash memory, a hard disk, a solid state disk, or the like, and may further include a combination of the above types of memory. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
It will be appreciated that, prior to using the technical solutions disclosed in the embodiments of the present disclosure, the user should be informed, in an appropriate manner and according to the relevant legal regulations, of the type, usage range, usage scenario, etc. of the personal information involved in the present disclosure, and the user's authorization should be obtained.
For example, in response to receiving an active request from a user, prompt information is sent to the user to explicitly inform the user that the operation it requests will require personal information to be obtained and used. Thus, the user can autonomously decide, according to the prompt information, whether to provide personal information to the software or hardware, such as an electronic device, an application program, a server or a storage medium, that executes the operations of the technical solution of the present disclosure.
As an alternative but non-limiting implementation, in response to receiving an active request from a user, the manner in which the prompt information is sent to the user may be, for example, a popup, in which the prompt information may be presented in a text manner. In addition, a selection control for the user to select to provide personal information to the electronic device in a 'consent' or 'disagreement' manner can be carried in the popup window.
It will be appreciated that the above-described notification and user authorization process is merely illustrative and not limiting of the implementations of the present disclosure, and that other ways of satisfying relevant legal regulations may be applied to the implementations of the present disclosure.
Portions of the present disclosure may be applied as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present disclosure by way of operation of the computer. Those skilled in the art will appreciate that the existence of computer program instructions in a computer-readable medium includes, but is not limited to, source files, executable files, installation package files, and the like, and accordingly, the manner in which computer program instructions are executed by a computer includes, but is not limited to, the computer directly executing the instructions, or the computer compiling the instructions and then executing the corresponding compiled programs, or the computer reading and executing the instructions, or the computer reading and installing the instructions and then executing the corresponding installed programs. Herein, a computer-readable medium may be any available computer-readable storage medium or communication medium that can be accessed by a computer.
Although embodiments of the present disclosure have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the disclosure, and such modifications and variations are within the scope defined by the appended claims.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202411718471.6A CN119232800B (en) | 2024-11-27 | 2024-11-27 | CDN edge node access request processing method, device and computer equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN119232800A CN119232800A (en) | 2024-12-31 |
CN119232800B true CN119232800B (en) | 2025-03-21 |
Family
ID=94046864
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202411718471.6A Active CN119232800B (en) | 2024-11-27 | 2024-11-27 | CDN edge node access request processing method, device and computer equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN119232800B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110598446A (en) * | 2019-09-16 | 2019-12-20 | 腾讯科技(深圳)有限公司 | Block chain based test method and device, storage medium and computer equipment |
CN114615333A (en) * | 2020-11-25 | 2022-06-10 | 贵州白山云科技股份有限公司 | Resource access request processing method, device, equipment and medium |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107888546B (en) * | 2016-09-29 | 2021-10-01 | 腾讯科技(深圳)有限公司 | Network attack defense method, device and system |
CN114969730A (en) * | 2021-02-20 | 2022-08-30 | 腾讯科技(深圳)有限公司 | Page display method and device, electronic equipment and computer storage medium |
CN115514697B (en) * | 2021-06-21 | 2024-11-22 | 贵州白山云科技股份有限公司 | Data verification method, electronic device, electronic equipment and medium |
CN116527632A (en) * | 2023-05-18 | 2023-08-01 | 北京火山引擎科技有限公司 | Method, device, equipment and medium for processing content distribution network back source request |
CN118523966B (en) * | 2024-07-23 | 2024-11-15 | 广东爱智存科技有限公司 | Resource access method, computer device, and computer readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN119232800A (en) | 2024-12-31 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||