CN105681353B - Method and device for defending against port scan intrusion - Google Patents
- Publication number: CN105681353B (application CN201610168479.9A)
- Authority: CN (China)
- Prior art keywords: message, address, source, mac, blacklist
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0263—Rule management
- H04L63/12—Applying verification of the received information
Abstract
The application provides a method and device for defending against port scan intrusion. The method is applied on a security gateway and comprises: receiving a message whose destination IP address is a monitoring device; judging whether the source address information carried by the message exists in a blacklist; if so, discarding the message; if not, judging whether the destination port carried by the message exists in a preconfigured white list; if it does not exist, determining that the message is an abnormal access message and adding the source IP address carried by the message to the blacklist. By recording the open service ports in the white list, the embodiments of the application defend against port scan intrusion by an intruding device.
Description
Technical field
This application relates to the field of network communication technology, and in particular to a method and device for defending against port scan intrusion.
Background technique
With the networking of video monitoring systems, people pay increasing attention to the protection of monitoring devices. Under normal conditions, port scanning is a common information-gathering step before a device is attacked: the intruding device probes port by port to judge whether the monitoring device is using a port, and thereby discovers which services the monitoring device exposes and even the software versions it runs; by analysing the vulnerabilities of the services behind these ports, the intruding device then selects a suitable means of attack against the monitoring device. Since the information obtained by port scanning provides important input for the intruding device's network attack, timely and accurate detection of port scan intrusion, and defence against it, can protect the safety of the monitoring device.
When the intruding device probes port by port to judge whether the monitoring device is using a port, it first sends a message directed at port 1, then a message directed at port 2, and so on. In this process the intruding device does not know which ports are open service ports, so it probes the monitoring device port by port.
Summary of the invention
In view of this, the application provides a method and device for defending against port scan intrusion, to solve the problem of port scan intrusion by an intruding device.
According to a first aspect of the embodiments of the application, a method for defending against port scan intrusion is provided. The method is applied on a security gateway and comprises:
Receiving a message whose destination IP address is a monitoring device;
Judging whether the source address information carried by the message exists in a blacklist;
If so, discarding the message;
If not, judging whether the destination port carried by the message exists in a preconfigured white list, wherein open service ports are recorded in the white list;
If it does not exist, determining that the message is an abnormal access message, and adding the source IP address carried by the message to the blacklist.
According to a second aspect of the embodiments of the application, a device for defending against port scan intrusion is provided. The device is applied on a security gateway and comprises:
A receiving unit, for receiving a message whose destination IP address is a monitoring device;
A first judging unit, for judging whether the source address information carried by the message exists in a blacklist;
A discarding unit, for discarding the message when the judging result of the first judging unit is yes;
A second judging unit, for judging, when the judging result of the first judging unit is no, whether the destination port carried by the message exists in a preconfigured white list, wherein open service ports are recorded in the white list;
A determination unit, for determining that the message is an abnormal access message when the judging result of the second judging unit is that the port does not exist;
An adding unit, for adding the source IP address carried by the message to the blacklist when the determination unit determines that the message is an abnormal access message.
With the embodiments of the application, when the security gateway receives a message whose destination IP address is the monitoring device, it first judges whether the source address information carried by the message exists in the blacklist; if so, it discards the message; if not, it then judges whether the destination port carried by the message exists in the preconfigured white list; if it does not exist, it determines that the message is an abnormal access message and adds the source IP address carried by the message to the blacklist. Based on the above, by recording the open service ports in the white list, the security gateway defends against port scan intrusion by the intruding device: since the intruding device does not know which ports are open service ports, it probes port by port, so as soon as the security gateway finds that the destination port carried by a received message is not in the white list, it can add the source IP address carried by the message to the blacklist, and the blacklist then prevents messages sent by the intruding device from reaching the monitoring device. Because the messages sent by the intruding device cannot reach the monitoring device, the intruding device cannot judge whether the monitoring device is using a port, cannot discover which services the monitoring device exposes or the software versions it runs, and therefore cannot analyse the vulnerabilities of these services in order to attack the monitoring device.
Detailed description of the invention
Fig. 1 is a schematic diagram of an application scenario for defending against port scan intrusion, according to an exemplary embodiment of the application;
Fig. 2 is a flow chart of an embodiment of the method for defending against port scan intrusion, according to an exemplary embodiment of the application;
Fig. 3 is a schematic diagram of an application scenario in which a client changes its access network location, according to an exemplary embodiment of the application;
Fig. 4 is a flow chart of an embodiment of obtaining a MAC address entry by unicast, according to an exemplary embodiment of the application;
Fig. 5 is a hardware structure diagram of a security gateway, according to an exemplary embodiment of the application;
Fig. 6 is a structure chart of an embodiment of the device for defending against port scan intrusion, according to an exemplary embodiment of the application.
Specific embodiment
Example embodiments are described in detail here, and examples are illustrated in the accompanying drawings. When the following description refers to the drawings, the same numerals in different drawings indicate the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application; on the contrary, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in this application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It will be appreciated that although the terms first, second, third, etc. may be used in the application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the application, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on context, the word "if" as used herein may be construed as "when" or "upon" or "in response to determining".
Fig. 1 shows a schematic diagram of an application scenario for defending against port scan intrusion, comprising: monitoring devices (such as network cameras, analog cameras, encoders, etc.), a security gateway, network devices (Fig. 1 shows three-layer switch 1, three-layer switch 2, three-layer switch 3 and layer-2 switch 1), and clients. The monitoring device is used for video monitoring and is the device to be protected; the security gateway is used to protect the monitoring device, for example by defending against port scan intrusion by an intruding device; the network devices are used to transmit messages and can be switches, routers and the like; the client is used to access the monitoring device's services, can be a computer, tablet device, mobile phone, etc., and may also be an intruding device.
Fig. 2 shows a flow chart of an embodiment of the method for defending against port scan intrusion according to an exemplary embodiment of the application. The embodiment is applied on the security gateway and is described in detail below with reference to Fig. 1. The embodiment comprises the following steps:
Step S201: receive a message whose destination IP address is the monitoring device.
Since the monitoring device is used for video monitoring, there must be no interruption in between; it must operate in real time. Therefore the monitoring device must be strictly protected so that it is not attacked over the network. Under normal conditions, an intruding device collects, by means of port scanning, information about the services the monitoring device exposes, for example whether anonymous login is possible or whether there is a writable FTP (File Transfer Protocol) directory, and then, by analysing the vulnerabilities of the services behind those ports, attacks the monitoring device over the network. To defend the monitoring device against network attack by the intruding device, a security gateway is placed in front of the monitoring device to defend against the intruding device: the security gateway receives all messages whose destination IP (Internet Protocol) address is the monitoring device and then judges whether a message is an abnormal access message for port scanning sent by the intruding device.
It follows from the above that the security gateway placed in front of the monitoring device does not affect the original network configuration, nor the performance and processing of the monitoring device; it only requires that all messages whose destination IP address is the monitoring device be filtered by the security gateway before they can be sent to the monitoring device.
Step S202: judge whether the source address information carried by the message exists in the blacklist; if so, perform step S203; if not, perform step S204.
A blacklist is provided in the security gateway. The blacklist may record only IP addresses, or it may record the correspondence between IP addresses and MAC (Medium Access Control) addresses. The process of recording IP addresses, or of recording the correspondence between IP addresses and MAC addresses, in the blacklist is described in detail later. Thus, when only IP addresses are recorded in the blacklist, the source address information is the source IP address; when the correspondence between IP addresses and MAC addresses is recorded in the blacklist, the source address information is the source IP address or the source MAC address. The two situations are described in detail below:
Situation one: the source address information is the source IP address, and only IP addresses are recorded in the blacklist. As shown in Fig. 1, a message sent by client 2 whose destination IP address is the monitoring device is first forwarded by three-layer switch 3 to three-layer switch 1, and then forwarded by three-layer switch 1 to the security gateway. At this point the source IP address carried by the message is still the IP address of client 2, but the source MAC address carried by the message has been changed to the MAC address of three-layer switch 1. Therefore the security gateway obtains the source IP address carried by the message as the source address information, to judge whether the source address information exists in the blacklist.
Situation two: the source address information is the source MAC address, and the correspondence between IP addresses and MAC addresses is recorded in the blacklist. As shown in Fig. 3, client 2 is directly connected to the security gateway, so client 2 can send a message accessing the monitoring device directly to the security gateway; at this point both the source IP address and the source MAC address carried by the message point to client 2. Therefore the security gateway can obtain the source MAC address carried by the message as the source address information, to judge whether the source address information exists in the blacklist.
It follows from situation two that the security gateway can first judge whether the source IP address carried by the message exists in the blacklist; if it does, perform step S203; if it does not, then judge whether the source MAC address carried by the message exists in the blacklist; if so, perform step S203; if not, perform step S204. In this way, even if an intruding device directly connected to the security gateway changes the source IP address carried by its messages, the source MAC address carried by the messages can still be matched in the blacklist.
Step S203: discard the message.
If the source address information carried by the message exists in the blacklist, this shows that the message is a port scanning message sent by an intruding device, and the security gateway discards the message.
Step S204: judge whether the destination port carried by the message exists in the preconfigured white list; if it exists, perform step S205; if it does not exist, perform step S206.
Open service ports are recorded in the white list. An open service port refers to a UDP/TCP port number and can be configured through a management device. The open service ports include common well-known ports and monitoring private ports, all of which are normal monitoring service ports of the monitoring device. Common well-known ports include ports 21, 23, 25, 80 and 554, where port 21 can be used for the FTP service, port 23 for the Telnet service, port 25 for the SMTP (Simple Mail Transfer Protocol) service, port 80 for the HTTP (Hypertext Transfer Protocol) service and port 554 for the RTSP (Real Time Streaming Protocol) service. Since the client knows these common well-known ports but does not know the monitoring private ports, it can only access the common well-known ports, while the monitoring private ports (such as a database port) are accessed by other servers in the monitoring system.
Before carrying out a network attack, the intruding device wants to probe not only the information of these common well-known ports but also the monitoring private ports, so as to discover the open services on the monitoring private ports and even the software versions they run. These services are usually services used by servers, and an attack on them affects the normal operation of the monitoring device's real-time monitoring service even more.
Step S205: allow the message to pass.
If the destination port carried by the message exists in the white list, the message is not an abnormal access message but a message from a client accessing a normal monitoring service port of the monitoring device, and the message can be allowed to pass.
Step S206: determine that the message is an abnormal access message, and add the source IP address carried by the message to the blacklist.
If the destination port carried by the message is not in the white list, the message is a message from a client accessing a non-normal monitoring service port of the monitoring device; it can be determined that the message is an abnormal access message, and the source IP address carried by the message is added to the blacklist.
For the process of determining that the message is an abnormal access message, the security gateway can first judge whether an abnormal access count corresponding to the source IP address carried by the message currently exists. If not, it creates the abnormal access count corresponding to the source IP address, adds the destination port carried by the message to the abnormal access count, and adds 1 to the value of the abnormal access count. If it does, it judges whether the destination port carried by the message already exists in the abnormal access count corresponding to the source IP address: if it exists, the value of the abnormal access count corresponding to the source IP address is kept unchanged; if it does not, 1 is added to the value. The security gateway further judges whether the value of the abnormal access count exceeds a preset threshold; if it does, the message is determined to be an abnormal access message; if not, the message is determined not to be an abnormal access message.
When the preset threshold is 1, the security gateway need not create an abnormal access count and can directly determine that the message is an abnormal access message, which is the situation in step S206. However, to avoid a client's IP address being added to the blacklist because of a client mistake, that is, the client accidentally accessing a non-normal monitoring service port of the monitoring device (a port not recorded in the white list), the security gateway can set the preset threshold to 2 or 3. Since the intruding device scans port by port, the value of its abnormal access count will still exceed the preset threshold. If a mistake does cause the client's IP address to be added to the blacklist, the administrator can delete it manually.
For example, again as shown in Fig. 1, client 2 first sends a message accessing port 80 of the monitoring device, then sends a message accessing port 554 of the monitoring device. As described in step S204, ports 80 and 554 are recorded in the white list, so no abnormal access counting is done. Client 2 then continues to send messages but accidentally accesses port 445 of the monitoring device. Since port 445 is not recorded in the white list, the security gateway performs abnormal access counting: it creates an abnormal access count for the source IP address carried by the message and adds 1 to the value of the count.
It follows from the above that the security gateway records all open service ports in the white list. Since the intruding device does not know which ports are open service ports and probes port by port, the security gateway will eventually receive a message whose destination port is not in the white list; as soon as it finds that the destination port carried by a message is not in the white list, it can add the source IP address carried by the message to the blacklist, and the blacklist then prevents messages sent by the intruding device from reaching the monitoring device. In addition, the abnormal access count avoids penalising a client's mistaken operation. And once a message is determined to be an abnormal access message, it is directly prevented from reaching the monitoring device, which effectively defends against port scan intrusion by the intruding device.
It should be noted that, in the application scenario of situation two in step S202, in order to prevent the intruding device from changing the source IP address carried by its messages and continuing to port-scan, after the security gateway adds the source IP address carried by the message to the blacklist it can obtain the MAC address corresponding to that source IP address and add the MAC address, in correspondence with the source IP address, to the blacklist.
For the process of obtaining the MAC address corresponding to the source IP address, the security gateway can send, by unicast, a query request message carrying the source IP address, so that the network device that receives the query request message, after determining that the routing table entry corresponding to the source IP address is a directly connected destination network segment, queries its local ARP (Address Resolution Protocol) entries to obtain the MAC address corresponding to the source IP address; the security gateway then receives the query response message carrying the MAC address returned by the network device and parses the MAC address from the query response message. The process of obtaining the MAC address by unicast is described in detail below:
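The decision logic of steps S201 to S206, including the IP-then-MAC blacklist check of situation two and the abnormal access count with a preset threshold, as an added simulation that is not the patent's own code. The class, function and field names, the sample packets, the monitoring device address 10.0.0.10 and the private port 8000 are constructed assumptions; for threshold 1 the first non-white-listed message is treated as abnormal with no count kept, as the text states, and a message whose count has not yet exceeded the threshold is reported as tolerated rather than blacklisted.

```python
"""Security-gateway decision logic of steps S201 to S206 (added illustration)."""
from dataclasses import dataclass, field

# White list of open service ports (step S204): the well-known ports the page
# names plus one constructed monitoring private port (8000 is an assumption).
WHITE_LIST = {21, 23, 25, 80, 554, 8000}

DROP, ALLOW, BLACKLISTED, TOLERATED = "drop", "allow", "blacklisted", "tolerated"


def make_packet(src_ip, src_mac, dst_port, dst_ip="10.0.0.10"):
    """Constructed packet; dst_ip 10.0.0.10 stands for the monitoring device."""
    return {"src_ip": src_ip, "src_mac": src_mac, "dst_ip": dst_ip, "dst_port": dst_port}


@dataclass
class Gateway:
    white_list: set
    threshold: int = 1                               # preset threshold of step S206
    blacklist_ip: set = field(default_factory=set)
    blacklist_mac: set = field(default_factory=set)  # MACs bound to blacklisted IPs (situation two)
    counts: dict = field(default_factory=dict)       # src_ip -> distinct non-white-listed ports

    def handle(self, pkt):
        """Step S201: only messages addressed to the monitoring device are filtered."""
        # Step S202: source IP first, then source MAC (situation two), so a directly
        # connected sender cannot escape the blacklist by changing its IP address.
        if pkt["src_ip"] in self.blacklist_ip or pkt["src_mac"] in self.blacklist_mac:
            return DROP                              # step S203
        if pkt["dst_port"] in self.white_list:
            return ALLOW                             # step S205
        return self._abnormal_access(pkt)            # step S206

    def _abnormal_access(self, pkt):
        ip = pkt["src_ip"]
        # Threshold 1: the page says no count is needed; the first hit is abnormal.
        if self.threshold <= 1:
            self.blacklist_ip.add(ip)
            return BLACKLISTED
        # Otherwise keep an abnormal access count per source IP: creating it and
        # adding the port gives value 1, a repeated port leaves the value
        # unchanged, a new port adds 1 (the value is the number of distinct ports).
        ports = self.counts.setdefault(ip, set())
        ports.add(pkt["dst_port"])
        if len(ports) > self.threshold:
            self.blacklist_ip.add(ip)
            return BLACKLISTED
        # Not yet over the threshold: treated as a possible client mistake.
        return TOLERATED

    def bind_mac(self, ip, mac):
        """Record the MAC learned for a blacklisted IP (the lookup of Fig. 4)."""
        if ip in self.blacklist_ip:
            self.blacklist_mac.add(mac)


def run_scenario(threshold=2):
    """Replay the page's example: client 2 accesses 80 and 554, then 445, then scans."""
    gw = Gateway(white_list=WHITE_LIST, threshold=threshold)
    client2 = ("192.168.3.200", "00-0A-F7-0E-8B-A1")       # client 2 per the page
    actions = [gw.handle(make_packet(*client2, p)) for p in (80, 554, 445)]
    # A port-by-port scan continues past the threshold and gets the IP blacklisted.
    actions += [gw.handle(make_packet(*client2, p)) for p in (1, 2, 3)]
    gw.bind_mac(client2[0], client2[1])
    # Same host with a changed source IP but the same MAC is still dropped.
    actions.append(gw.handle(make_packet("192.168.3.201", client2[1], 80)))
    return actions, gw
```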
Fig. 4 shows a flow chart of an embodiment of obtaining a MAC address entry by unicast. The embodiment is described in detail with reference to the application scenario shown in Fig. 1 and comprises the following steps:
Step S401: the security gateway sends a query request message carrying the source IP address to the three-layer switch 1 connected to it.
The destination IP address and destination MAC address in the header of the query request message point to three-layer switch 1, and the content of the query request message carries the IP address to be queried (i.e. the source IP address) and the IP address to which the query result is to be sent (the IP address of the security gateway), so that when some network device later finds the MAC address corresponding to the source IP address, it can send it to the security gateway by unicast.
Step S402: three-layer switch 1 queries its routing table and sends the query request message to three-layer switch 2.
In detail, suppose the IP address of client 1 is 192.168.2.100, the IP address of client 2 is 192.168.3.200, the IP address of three-layer switch 2 is 192.168.2.1 and the IP address of three-layer switch 3 is 192.168.3.1. Assume the source IP address is 192.168.2.100. On receiving the query request message, three-layer switch 1 obtains 192.168.2.100 from the message content and queries its routing table, an example of which is shown in Table 1. According to the longest match principle, three-layer switch 1 finds the routing table entry whose destination network segment is 192.168.2.0/24, with outgoing interface G1/2 and next-hop IP address 192.168.2.1, and so sends the query request message to three-layer switch 2, the next hop on outgoing interface G1/2.
| Destination network segment | Outgoing interface | Next-hop IP address | Type |
|---|---|---|---|
| 192.168.2.0/24 | G1/2 | 192.168.2.1 | Indirectly connected |
| 192.168.3.0/24 | G1/3 | 192.168.3.1 | Indirectly connected |

Table 1
In this way, the query request message is transmitted only towards three-layer switch 2, the switch serving the IP address to be queried, 192.168.2.100, and is not transmitted to the whole network.
Step S403: three-layer switch 2 queries its routing table, determines that the routing table entry corresponding to the source IP address is a directly connected destination network segment, and then queries its local ARP entries to obtain the MAC address corresponding to the source IP address.
By the routing table lookup process described in step S402, three-layer switch 2 finds that the routing table entry for 192.168.2.0/24 is a directly connected destination network segment, as shown in the example routing table of Table 2. The directly connected destination network segment indicates that the MAC address corresponding to the IP address to be queried, 192.168.2.100, is recorded in the ARP entries of three-layer switch 2. Therefore 192.168.2.100 can be used to query the local ARP entries, an example of which is shown in Table 3, and the MAC address 00-0A-F7-0E-8B-A2 corresponding to 192.168.2.100 is obtained.
Table 2
| IP address | MAC address |
|---|---|
| 192.168.2.100 | 00-0A-F7-0E-8B-A2 |
| 192.168.3.200 | 00-0A-F7-0E-8B-A1 |

Table 3
Step S404: three-layer switch 2 sends the query response message carrying the MAC address to the security gateway by unicast.
Since the content of the query request message carries the IP address of the security gateway, three-layer switch 2 can send the query response message carrying the MAC address to the security gateway by unicast.
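The unicast lookup of steps S401 to S404, as an added simulation that is not the patent's own implementation: switch 1 does a longest-match route lookup on the page's Table 1 and hands the query to the next hop only, and the switch whose route is directly connected answers from its ARP entries (Table 3) with a unicast reply to the gateway address carried in the query. The class and function names, the interface name G0/1, the direct route assumed for switches 2 and 3 (Table 2 is not reproduced on the page), the gateway IP 10.0.0.1 and the message format are assumptions.

```python
"""Unicast MAC lookup of Fig. 4 (steps S401 to S404), added simulation."""
from ipaddress import ip_address, ip_network


class L3Switch:
    """A three-layer switch holding a routing table and local ARP entries."""

    def __init__(self, name, routes, arp):
        self.name = name
        # routes: (destination network segment, outgoing interface, next hop, type)
        self.routes = [(ip_network(net), iface, nh, kind) for net, iface, nh, kind in routes]
        self.arp = dict(arp)                       # IP address -> MAC address

    def lookup_route(self, ip):
        """Longest-match lookup as in step S402; returns the best entry or None."""
        addr = ip_address(ip)
        hits = [r for r in self.routes if addr in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def handle_query(self, query, fabric):
        """Steps S402/S403: forward towards the next hop, or answer from local ARP."""
        route = self.lookup_route(query["ip"])
        if route is None:
            return None                            # no route: nobody can answer
        _net, _iface, next_hop, kind = route
        if kind == "direct":
            mac = self.arp.get(query["ip"])
            if mac is None:
                return None                        # directly connected but not in ARP
            # Step S404: unicast reply addressed to the gateway IP carried in the query.
            return {"to": query["reply_to"], "ip": query["ip"], "mac": mac, "from": self.name}
        # Indirect route: the query travels to the next hop only, not the whole network.
        return fabric[next_hop].handle_query(query, fabric)


def build_fabric():
    """Wire up switches 1, 2 and 3 of Fig. 1 with the page's table values."""
    sw1 = L3Switch("switch1", [
        ("192.168.2.0/24", "G1/2", "192.168.2.1", "indirect"),   # Table 1
        ("192.168.3.0/24", "G1/3", "192.168.3.1", "indirect"),   # Table 1
    ], {})
    # Direct routes for switches 2 and 3 are assumed (Table 2 is not on the page);
    # interface G0/1 is a constructed name.
    sw2 = L3Switch("switch2", [("192.168.2.0/24", "G0/1", None, "direct")],
                   {"192.168.2.100": "00-0A-F7-0E-8B-A2"})       # Table 3
    sw3 = L3Switch("switch3", [("192.168.3.0/24", "G0/1", None, "direct")],
                   {"192.168.3.200": "00-0A-F7-0E-8B-A1"})       # Table 3, placed on switch 3
    fabric = {"192.168.2.1": sw2, "192.168.3.1": sw3}             # next-hop IP -> switch
    return sw1, fabric


def resolve_mac(source_ip, first_hop, fabric, gateway_ip="10.0.0.1"):
    """Step S401: the gateway unicasts the query to the switch it is connected to."""
    query = {"ip": source_ip, "reply_to": gateway_ip}
    reply = first_hop.handle_query(query, fabric)
    if reply is None or reply["to"] != gateway_ip:
        return None
    return reply["mac"]                            # parsed from the query response
```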
In addition, the security gateway can also obtain the MAC address by multicast. For example, the security gateway can use a preconfigured multicast IP address and port as the destination IP address and destination port of the query request message header, such as multicast IP address 239.239.239.239 and port 10239, and carry in the message content the IP address to be queried (i.e. the source IP address) and the IP address to which the result is to be sent (the IP address of the security gateway). Each network device (such as three-layer switch 1, three-layer switch 2, three-layer switch 3 and layer-2 switch 1) joins the multicast group as a multicast receiver and listens for query request messages on the corresponding port. As shown in Fig. 1, the security gateway first sends the multicast query request message to three-layer switch 1, three-layer switch 1 then sends it to three-layer switch 2 and three-layer switch 3, and so on, until the query request message has been sent to all network devices in the multicast group. On receiving the query request message carrying the source IP address, each network device queries its local ARP (Address Resolution Protocol) entries; if a network device finds the MAC address corresponding to the source IP address, it adds the MAC address to the content of a query response message and sends the query response message to the security gateway by unicast.
Further, in the application scenario of situation one in step S202, in order to reduce the load on the security gateway of keeping abnormal access counts and defending against the intruding device, the defensive action can be moved forward onto the network devices (such as three-layer switch 1, three-layer switch 2, three-layer switch 3 and layer-2 switch 1). This also prevents the intruding device from changing its source IP address and sending messages to the monitoring device through the network devices. Therefore, after the security gateway obtains the MAC address corresponding to the source IP address, it can send a forbidden notice message carrying the MAC address, so that each network device that receives the forbidden notice message discards messages whose source MAC address is that MAC address.
For the process of sending the forbidden notice message carrying the MAC address, as shown in Fig. 1, the security gateway sends the forbidden notice message by unicast to the three-layer switch 1 connected to it. Three-layer switch 1, according to its local ARP entries, which record the IP addresses, MAC addresses and corresponding outgoing interfaces of three-layer switch 2 and three-layer switch 3, sends the forbidden notice message on by unicast to three-layer switch 2 and three-layer switch 3 connected to it. After three-layer switch 2 or three-layer switch 3 receives the forbidden notice message, since the source IP address carried by the forbidden notice message is the IP address of three-layer switch 1, three-layer switch 2 and three-layer switch 3 send the forbidden notice message, according to their local ARP entries, only to the IP addresses of the other network devices connected to them and do not return it to three-layer switch 1, thereby avoiding loops. And so on, until every network device in the whole network (three-layer switches and layer-2 switches) has received the forbidden notice message.
In addition, after each network device receives the blocking notification message, it may configure an ACL (Access Control List) rule, that is, add the MAC address to its ACL. When a network device then receives a packet, it matches the source MAC address carried by the packet against the ACL and discards the packet if the MAC address is matched, so that each network device discards packets whose source MAC address is that MAC address.
It follows from the above that, since the network devices have recorded the MAC address, even if the intruding device changes its source IP address when sending packets to the monitoring device through the network devices, it cannot change its source MAC address, so the MAC address is matched at the network device and the packet is discarded. Moreover, since all network devices in the network, including the security gateway, have recorded the MAC address, the packets are likewise discarded even if the intruding device changes the position at which it accesses the network and sends packets to the monitoring device from there.
Further, when the security gateway adds the MAC address to the blacklist, it may add the MAC address to the blacklist together with a corresponding first blocking period, so that packets whose source address information is in the blacklist are discarded during the first blocking period. In addition, when sending the blocking notification message, a second blocking period may be added to it, so that a network device that receives the blocking notification message discards packets whose source MAC address is the MAC address during the second blocking period.
The first or second blocking period may be a specified time span. For example, if the period between 1 p.m. and 5 p.m. is the time when the monitoring device is most easily intruded upon, that is, the critical time for the monitoring device, the period between 1 p.m. and 5 p.m. may be used as the first or second blocking period. The first or second blocking period may also be a duration counted from the moment it takes effect, such as 4 hours. For example, suppose the second blocking period is 5 hours: the second blocking period takes effect on a network device when that device first receives a packet whose source MAC address is the MAC address, and only after the second blocking period has elapsed does the device stop blocking packets with that source MAC address. Thus, after Layer 2 switch 1 has received and discarded a packet whose source MAC address is the MAC address, if 4 hours later the intruding device changes its position in the network, accesses via Layer 3 switch 3 and sends a packet whose source MAC address is the MAC address to Layer 3 switch 3, then Layer 3 switch 3 matches the MAC address and discards the packet, and the second blocking period corresponding to the MAC address takes effect on Layer 3 switch 3 at that moment; that is, Layer 3 switch 3 blocks packets whose source MAC address is the MAC address for a further 5 hours, not for 1 hour.
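The network-device side described above (unicast forwarding of the blocking notification along ARP entries without returning it to the sender, the source-MAC ACL, and a second blocking period that starts on each device at its first match), as an added Python illustration that is not part of the patent; the topology, class names, addresses and timings are constructed, and the notification format is my own.

```python
"""Network-device side of the scheme: unicast forwarding of the blocking
notification without loopback (Figure 1), the source-MAC ACL, and a second
blocking period that starts on each device when it first matches a packet.
Added illustration, not the applicant's code: the topology, class names and
timings are constructed, and the notification format is my own."""
from dataclasses import dataclass

HOUR = 3600


@dataclass
class BlockingNotification:
    """Constructed notification: blocked MAC, second blocking period (seconds),
    and the IP address of the device that sent this copy."""
    mac: str
    second_block_period: int
    src_ip: str


class NetworkDevice:
    def __init__(self, ip: str):
        self.ip = ip
        self.arp = {}     # neighbour IP -> (neighbour MAC, outgoing interface), as in Figure 1
        self.links = {}   # neighbour IP -> NetworkDevice, constructed stand-in for the wire
        self.acl = {}     # blocked MAC -> [period, time the period started here or None]

    def connect(self, other: "NetworkDevice", mac_here: str, mac_there: str,
                iface_here: str, iface_there: str) -> None:
        """Populate both devices' ARP entries for a directly connected link."""
        self.arp[other.ip] = (mac_there, iface_here)
        other.arp[self.ip] = (mac_here, iface_there)
        self.links[other.ip] = other
        other.links[self.ip] = self

    def receive_notification(self, notice: BlockingNotification) -> None:
        """Record the MAC in the ACL and forward the notice by unicast to every
        ARP neighbour except the one it came from, which avoids loopback."""
        if notice.mac in self.acl:
            return   # already recorded (also guards against cycles; my addition)
        self.acl[notice.mac] = [notice.second_block_period, None]
        for nbr_ip in self.arp:
            if nbr_ip == notice.src_ip:
                continue   # never return the notice to its sender
            self.links[nbr_ip].receive_notification(
                BlockingNotification(notice.mac, notice.second_block_period, src_ip=self.ip))

    def handle(self, src_mac: str, now: int) -> str:
        """ACL check on one received packet; returns 'drop' or 'forward'."""
        entry = self.acl.get(src_mac)
        if entry is None:
            return "forward"
        period, started = entry
        if started is None:
            entry[1] = now   # the second blocking period takes effect at the first match here
            return "drop"
        if now - started < period:
            return "drop"
        del self.acl[src_mac]   # period elapsed on this device; stop blocking here
        return "forward"


def build_figure1_topology():
    """Constructed approximation of Figure 1:
    gateway - L3 switch 1 - (L3 switch 2 - L2 switch 1, L3 switch 3)."""
    gw = NetworkDevice("192.168.1.1")
    l3_1 = NetworkDevice("192.168.1.2")
    l3_2 = NetworkDevice("192.168.1.3")
    l3_3 = NetworkDevice("192.168.1.4")
    l2_1 = NetworkDevice("192.168.1.5")
    gw.connect(l3_1, "02:00:00:00:01:01", "02:00:00:00:01:02", "ge0", "ge0")
    l3_1.connect(l3_2, "02:00:00:00:01:02", "02:00:00:00:01:03", "ge1", "ge0")
    l3_1.connect(l3_3, "02:00:00:00:01:02", "02:00:00:00:01:04", "ge2", "ge0")
    l3_2.connect(l2_1, "02:00:00:00:01:03", "02:00:00:00:01:05", "ge1", "ge0")
    return gw, l3_1, l3_2, l3_3, l2_1
```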
In addition, as described in step S206, after the first blocking period corresponding to the source IP address expires, the abnormal access count corresponding to the source IP address is deleted, so that the abnormal access count for that source IP address starts over, and the source IP address is added to the blacklist again only when the value of the abnormal access count once more exceeds the preset threshold.
As described in the above embodiments, when the security gateway receives a packet whose destination IP address is the monitoring device, it first judges whether the source address information carried by the packet is present in the blacklist; if so, it discards the packet; if not, it then judges whether the destination port carried by the packet is present in the preconfigured whitelist; if not, it determines that the packet is an abnormal access packet and adds the source IP address carried by the packet to the blacklist. On this basis, by recording the open service ports in the whitelist, the security gateway defends against port scanning intrusion by the intruding device: since the intruding device does not know which ports are open service ports, it probes port by port, so as soon as the security gateway finds that the destination port carried by a packet is not in the whitelist, it can add the source IP address carried by the packet to the blacklist and thereby use the blacklist to stop the packets sent by the intruding device from reaching the monitoring device. Because the packets sent by the intruding device cannot reach the monitoring device, the intruding device cannot determine whether the monitoring device is using a given port, and thus cannot discover which services the monitoring device exposes on open ports, let alone the software versions it runs. Therefore, the intruding device cannot analyze the vulnerabilities of the services provided on those ports in order to carry out a network intrusion against the monitoring device.
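The security-gateway logic summarized above (blacklist check on source IP or MAC, whitelist check on the destination port, the abnormal access count over distinct destination ports, the first blocking period and the count reset of step S206), as an added Python illustration that is not the applicant's code; class and method names, addresses, ports and periods are constructed, and the MAC resolver callback stands in for the unicast inquiry to a network device.

```python
"""Security-gateway side of the scheme (claims 1, 2 and 4, and the count reset
of step S206). Added illustration, not the applicant's code: class and method
names are my own, the MAC resolver is a stand-in for the unicast inquiry to a
network device, and all addresses, ports and periods are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Packet:
    """Constructed minimal packet holding only the fields the method inspects."""
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int


@dataclass
class AbnormalAccessCount:
    """Per-source-IP record; its value is the number of distinct ports probed."""
    ports: set = field(default_factory=set)

    @property
    def value(self) -> int:
        return len(self.ports)


class SecurityGateway:
    def __init__(self, monitor_ip: str, open_ports, threshold: int,
                 first_block_period: int,
                 resolve_mac: Optional[Callable[[str], Optional[str]]] = None):
        self.monitor_ip = monitor_ip
        self.whitelist = set(open_ports)   # open service ports of the monitoring device
        self.threshold = threshold         # preset threshold
        self.first_block_period = first_block_period
        self.resolve_mac = resolve_mac     # stand-in for the ARP inquiry of claim 3
        self.blacklist = {}                # source IP or MAC -> end of its first blocking period
        self.counts = {}                   # source IP -> AbnormalAccessCount

    def _expire(self, now: int) -> None:
        """Step S206: when a first blocking period expires, remove the entry and
        delete the abnormal access count so counting for that source restarts."""
        for addr, until in list(self.blacklist.items()):
            if now >= until:
                del self.blacklist[addr]
                self.counts.pop(addr, None)

    def handle(self, pkt: Packet, now: int) -> str:
        """Classify one packet; returns 'drop' or 'forward'."""
        if pkt.dst_ip != self.monitor_ip:
            return "forward"   # only traffic to the monitoring device is examined
        self._expire(now)
        # First judgement: source address information (IP or MAC) in the blacklist?
        if pkt.src_ip in self.blacklist or pkt.src_mac in self.blacklist:
            return "drop"
        # Second judgement: destination port recorded in the whitelist?
        if pkt.dst_port in self.whitelist:
            return "forward"
        # Abnormal access counting: a port already in the count leaves the value
        # unchanged, a new port increments it by one.
        count = self.counts.setdefault(pkt.src_ip, AbnormalAccessCount())
        count.ports.add(pkt.dst_port)
        if count.value <= self.threshold:
            # Not (yet) an abnormal access packet. The page does not state what
            # happens to such a packet; forwarding it is assumed here.
            return "forward"
        # Abnormal access packet: blacklist the source IP for the first blocking
        # period and, per claim 2, the MAC address obtained for it as well.
        until = now + self.first_block_period
        self.blacklist[pkt.src_ip] = until
        if self.resolve_mac is not None:
            mac = self.resolve_mac(pkt.src_ip)
            if mac:
                self.blacklist[mac] = until
        return "drop"
```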
Corresponding to the foregoing embodiments of the method for defending against port scanning intrusion, the present application also provides embodiments of a device for defending against port scanning intrusion.
The embodiments of the device for defending against port scanning intrusion of the present application may be applied on a security gateway. The device embodiments may be implemented by software, or by hardware, or by a combination of software and hardware. Taking software implementation as an example, a device in the logical sense is formed by the processor of the equipment in which it is located reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware perspective, Figure 5 shows a hardware structure diagram of the equipment in which the device for defending against port scanning intrusion of the present application is located; besides the processor, memory, network interface and non-volatile memory shown in Figure 5, the equipment in which the device of the embodiment is located may also include other hardware according to the actual function of that equipment, which is not described further here.
Figure 6 shows an example structure diagram of a device for defending against port scanning intrusion according to an exemplary embodiment of the present application. The embodiment is applied on a security gateway, and the device includes a receiving unit 610, a first judging unit 620, a discarding unit 630, a second judging unit 640, a determining unit 650 and an adding unit 660.
The receiving unit 610 is configured to receive a packet whose destination IP address is the monitoring device;
the first judging unit 620 is configured to judge whether the source address information carried by the packet is present in the blacklist;
the discarding unit 630 is configured to discard the packet when the judging result of the first judging unit 620 is yes;
the second judging unit 640 is configured to judge, when the judging result of the first judging unit 620 is no, whether the destination port carried by the packet is present in the preconfigured whitelist, wherein open service ports are recorded in the whitelist;
the determining unit 650 is configured to determine that the packet is an abnormal access packet when the judging result of the second judging unit 640 is not present;
the adding unit 660 is configured to add the source IP address carried by the packet to the blacklist when the determining unit 650 determines that the packet is an abnormal access packet.
In an optional implementation, the determining unit 650 is specifically configured to judge whether an abnormal access count corresponding to the source IP address carried by the packet currently exists; if not, to create the abnormal access count corresponding to the source IP address, add the destination port carried by the packet to the abnormal access count, and increment the value of the abnormal access count by 1; if so, to judge whether the destination port carried by the packet is present in the abnormal access count corresponding to the source IP address; if present, to keep the value of the abnormal access count corresponding to the source IP address unchanged, and if not present, to increment the value of the abnormal access count corresponding to the source IP address by 1; and further to judge whether the value of the abnormal access count exceeds a preset threshold, and if so, to determine that the packet is an abnormal access packet, and if not, to determine that the packet is not an abnormal access packet.
In another optional implementation, the device further includes (not shown in Figure 6) an acquiring unit, configured to obtain the MAC address corresponding to the source IP address after the adding unit 660 adds the source IP address carried by the packet to the blacklist; the adding unit 660 is further configured to add the MAC address corresponding to the source IP address to the blacklist; and/or the device further includes (not shown in Figure 6) a transmission unit, configured to send a blocking notification message carrying the MAC address, so that a network device that receives the blocking notification message discards packets whose source MAC address is the MAC address.
In another optional implementation, the acquiring unit is specifically configured to send by unicast an inquiry request message carrying the source IP address, so that a network device receiving the inquiry request message, after determining that the routing table entry corresponding to the source IP address is a directly connected destination network segment, queries its local ARP entries to obtain the MAC address corresponding to the source IP address; to receive the inquiry response message carrying the MAC address returned by the network device; and to parse the MAC address from the inquiry response message.
In another optional implementation, the adding unit 660 is further configured, when adding the MAC address to the blacklist, to add a first blocking period corresponding to the MAC address to the blacklist, so that packets whose source address information is in the blacklist are discarded during the first blocking period; and/or the transmission unit is further configured, when sending the blocking notification message, to add a second blocking period to the blocking notification message, so that a network device receiving the blocking notification message discards packets whose source MAC address is the MAC address during the second blocking period.
The implementation of the functions and effects of each unit in the above device is described in detail in the implementation of the corresponding steps of the above method and is not repeated here.
Since the device embodiments essentially correspond to the method embodiments, reference may be made to the description of the method embodiments for the relevant parts. The device embodiments described above are merely exemplary; the units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application, and those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing are merely preferred embodiments of the present application and are not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present application shall be included within the scope of protection of the present application.
Claims (8)
1. A method for defending against port scanning intrusion, characterized in that the method is applied on a security gateway and comprises:
receiving a packet whose destination Internet Protocol (IP) address is a monitoring device;
judging whether source address information carried by the packet is present in a blacklist, the source address information being a source IP address or a source MAC address;
if so, discarding the packet;
if not, judging whether a destination port carried by the packet is present in a preconfigured whitelist, wherein open service ports are recorded in the whitelist;
if not present, judging whether an abnormal access count corresponding to the source IP address carried by the packet currently exists;
if not, creating the abnormal access count corresponding to the source IP address, adding the destination port carried by the packet to the abnormal access count, and incrementing the value of the abnormal access count by 1;
if so, judging whether the destination port carried by the packet is present in the abnormal access count corresponding to the source IP address;
if present, keeping the value of the abnormal access count corresponding to the source IP address unchanged, and if not present, incrementing the value of the abnormal access count corresponding to the source IP address by 1;
and further judging whether the value of the abnormal access count exceeds a preset threshold; if so, determining that the packet is an abnormal access packet and adding the source IP address carried by the packet to the blacklist;
if not, determining that the packet is not an abnormal access packet.
2. The method according to claim 1, characterized in that, after adding the source IP address carried by the packet to the blacklist, the method further comprises:
obtaining a Media Access Control (MAC) address corresponding to the source IP address;
adding the MAC address corresponding to the source IP address to the blacklist; and/or sending a blocking notification message carrying the MAC address, so that a network device that receives the blocking notification message discards packets whose source MAC address is the MAC address.
3. The method according to claim 2, characterized in that the process of obtaining the MAC address corresponding to the source IP address specifically comprises:
sending by unicast an inquiry request message carrying the source IP address, so that a network device receiving the inquiry request message, after determining that the routing table entry corresponding to the source IP address is a directly connected destination network segment, queries its local Address Resolution Protocol (ARP) entries to obtain the MAC address corresponding to the source IP address;
receiving an inquiry response message carrying the MAC address returned by the network device;
parsing the MAC address from the inquiry response message.
4. The method according to claim 2, characterized in that the method further comprises:
when adding the MAC address to the blacklist, adding a first blocking period corresponding to the MAC address to the blacklist, so as to discard packets whose source address information is in the blacklist during the first blocking period; and/or
when sending the blocking notification message, adding a second blocking period to the blocking notification message, so that a network device receiving the blocking notification message discards packets whose source MAC address is the MAC address during the second blocking period.
5. A device for defending against port scanning intrusion, characterized in that the device is applied on a security gateway and comprises:
a receiving unit, configured to receive a packet whose destination Internet Protocol (IP) address is a monitoring device;
a first judging unit, configured to judge whether source address information carried by the packet is present in a blacklist, the source address information being a source IP address or a source MAC address;
a discarding unit, configured to discard the packet when the judging result of the first judging unit is yes;
a second judging unit, configured to judge, when the judging result of the first judging unit is no, whether a destination port carried by the packet is present in a preconfigured whitelist, wherein open service ports are recorded in the whitelist;
a determining unit, configured to determine that the packet is an abnormal access packet when the judging result of the second judging unit is not present;
an adding unit, configured to add the source IP address carried by the packet to the blacklist when the determining unit determines that the packet is an abnormal access packet;
wherein the determining unit is specifically configured to judge whether an abnormal access count corresponding to the source IP address carried by the packet currently exists; if not, to create the abnormal access count corresponding to the source IP address, add the destination port carried by the packet to the abnormal access count, and increment the value of the abnormal access count by 1; if so, to judge whether the destination port carried by the packet is present in the abnormal access count corresponding to the source IP address; if present, to keep the value of the abnormal access count corresponding to the source IP address unchanged, and if not present, to increment the value of the abnormal access count corresponding to the source IP address by 1; and further to judge whether the value of the abnormal access count exceeds a preset threshold, and if so, to determine that the packet is an abnormal access packet, and if not, to determine that the packet is not an abnormal access packet.
6. The device according to claim 5, characterized in that the device further comprises:
an acquiring unit, configured to obtain a Media Access Control (MAC) address corresponding to the source IP address after the adding unit adds the source IP address carried by the packet to the blacklist;
the adding unit being further configured to add the MAC address corresponding to the source IP address to the blacklist; and/or
the device further comprises a transmission unit, configured to send a blocking notification message carrying the MAC address, so that a network device that receives the blocking notification message discards packets whose source MAC address is the MAC address.
7. The device according to claim 6, characterized in that
the acquiring unit is specifically configured to send by unicast an inquiry request message carrying the source IP address, so that a network device receiving the inquiry request message, after determining that the routing table entry corresponding to the source IP address is a directly connected destination network segment, queries its local Address Resolution Protocol (ARP) entries to obtain the MAC address corresponding to the source IP address; to receive an inquiry response message carrying the MAC address returned by the network device; and to parse the MAC address from the inquiry response message.
8. The device according to claim 6, characterized in that
the adding unit is further configured, when adding the MAC address to the blacklist, to add a first blocking period corresponding to the MAC address to the blacklist, so as to discard packets whose source address information is in the blacklist during the first blocking period; and/or
the transmission unit is further configured, when sending the blocking notification message, to add a second blocking period to the blocking notification message, so that a network device receiving the blocking notification message discards packets whose source MAC address is the MAC address during the second blocking period.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610168479.9A CN105681353B (en) | 2016-03-22 | 2016-03-22 | Defend the method and device of port scan invasion |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105681353A CN105681353A (en) | 2016-06-15 |
CN105681353B true CN105681353B (en) | 2019-06-11 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |