
CN102752141B - Method and device for detecting accessibility of IP (internet protocol) address - Google Patents


Info

Publication number
CN102752141B
CN102752141B (application CN201210227793.1A)
Authority
CN
China
Prior art keywords
address
nat
session
traffic
source
Prior art date
Legal status
Active
Application number
CN201210227793.1A
Other languages
Chinese (zh)
Other versions
CN102752141A (en)
Inventor
王涛
Current Assignee
Hangzhou DPtech Information Technology Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201210227793.1A
Publication of CN102752141A
Application granted
Publication of CN102752141B
Legal status: Active (current)
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for detecting the reachability of an IP (internet protocol) address, applied to a management server, comprising the following steps: receiving a traffic log sent by a NAT (network address translation) gateway device, and determining a TCP (transmission control protocol) session in the traffic log whose reverse traffic is zero and whose forward traffic is not zero as a traffic anomaly session, wherein the reverse traffic is traffic sent from outside the NAT gateway device to inside the NAT gateway device; and counting, in the current statistical period, the proportion of traffic anomaly sessions among all sessions of a source IP address that has undergone NAT translation, and, if the proportion reaches a first preset threshold, determining that the NAT-translated source IP address is unreachable and informing an administrator. Through further processing of NAT traffic logs, the invention can promptly detect that an IP address that has undergone one or more NAT translations (an IP address in a NAT address pool) is unreachable.

Description

Method and device for detecting IP address reachability
Technical field
The present invention relates to network technology, and in particular to a method and device for detecting IP address reachability.
Background technology
As networks grow rapidly, security problems become increasingly complex, placing very high demands on network security devices. NAT, which is widely used in network security devices, was originally introduced to conserve IPv4 addresses, but it also provides a natural degree of security, so many network security devices integrate NAT functionality. The device applies NAT to each received packet and forwards the packet to the next network device. After NAT is deployed, however, a missing return route may leave the network unreachable.
Referring to Fig. 1, the outbound address pool of the NAT gateway device is 101.111.36.18-200, and the router has a corresponding return route for 101.111.36.0/24. Because the mask on the router is 24 bits, the return route covers 101.111.36.0-255, so 101.111.36.18-200 is fully covered. When PC1 accesses the Internet through the NAT gateway device, the source address of its packets is one of the addresses in 101.111.36.18-200 (for example 101.111.36.55); return packets pass through the router back to the NAT gateway device and, after reverse address translation, reach PC1 on the intranet. Suppose that, for a reason such as manual misconfiguration, the return route on the router is changed to 101.111.36.128/25. The mask is now 25 bits and the covered range is 101.111.36.129-255, so the public addresses 101.111.36.18-128 produced by NAT have no return route on the router: the router cannot forward packets whose destination IP address is in 101.111.36.18-128 to the NAT gateway device. In other words, 101.111.36.18-128 has no return route, and these addresses in the NAT address pool are unreachable from the external network.
In the above example, if none of the addresses in the pool 101.111.36.18-200 had a return route, the administrator could at least quickly notice that no user behind the NAT gateway device receives any external packets and start troubleshooting promptly, although there are many possible reasons why a NAT device receives no external traffic and the administrator would have to rule them out one by one. More importantly, in the above example some addresses (101.111.36.129-200) do have a return route while others (101.111.36.18-128) do not. In this case it takes a long time before the administrator even notices that the network has a problem, and it is hard to reconstruct the full picture accurately, because the public address chosen by NAT may be random rather than following a fixed rule, so the administrator cannot tell intuitively which addresses are reachable and which are not. In practice the administrator sees that some users' communication is normal while other communication fails, and may wrongly conclude that the peer network or the carrier network has a problem. Furthermore, the administrator may not even know that the return route on the router has been modified, since the router may fall outside the administrator's scope of management (for example, it may be the operator's router).
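The partial-coverage failure described above can be checked mechanically. The following Python is an added example, not code from the patent: it computes which addresses of the NAT outbound pool fall outside every return-route prefix on the upstream router. The pool and route values are those of the Fig. 1 discussion; the function names and the report layout are constructed for this illustration. Coverage is computed from the mask rather than read off by hand, so the /25 boundary falls at .128 and the uncovered part of the pool is .18-.127.

```python
"""Added example (not the patent's own code): check which addresses of a NAT
outbound address pool are left without a return route on the upstream router.
Function names and the report layout are constructed for this illustration.
"""
import ipaddress


def pool_addresses(start, end):
    """All IPv4 addresses from start to end inclusive, e.g. 101.111.36.18-200."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if first > last:
        raise ValueError("pool start address is above pool end address")
    return [ipaddress.IPv4Address(i) for i in range(first, last + 1)]


def uncovered_addresses(pool, return_routes):
    """Pool addresses that fall inside none of the router's return-route prefixes."""
    prefixes = [ipaddress.ip_network(r, strict=False) for r in return_routes]
    return [str(ip) for ip in pool if not any(ip in p for p in prefixes)]


def coverage_report(start, end, return_routes):
    """Summarise how much of the pool the given return routes cover."""
    pool = pool_addresses(start, end)
    missing = uncovered_addresses(pool, return_routes)
    return {
        "pool_size": len(pool),
        "uncovered": len(missing),
        "first_uncovered": missing[0] if missing else None,
        "last_uncovered": missing[-1] if missing else None,
    }


if __name__ == "__main__":
    # Original return route from Fig. 1: the whole pool is covered.
    print(coverage_report("101.111.36.18", "101.111.36.200", ["101.111.36.0/24"]))
    # After the route is narrowed to a /25, the lower part of the pool has
    # no return route and is unreachable from outside.
    print(coverage_report("101.111.36.18", "101.111.36.200", ["101.111.36.128/25"]))
```

Run against the router's current routing table export, the same function shows immediately whether a route change has opened a hole under part of the pool, which is exactly the situation the description says an administrator otherwise discovers only after a long delay.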
Summary of the invention
In view of this, the invention provides a device for detecting IP address reachability, applied on a management server, the device comprising:
a log processing unit, for receiving the traffic log sent by the NAT gateway device and determining as traffic anomaly sessions those TCP sessions in the traffic log whose reverse traffic is zero and whose forward traffic is non-zero, wherein the reverse traffic is the traffic sent from outside the NAT gateway device to inside the NAT gateway device; and
an anomaly decision unit, for counting, in the current statistical period, the proportion of traffic anomaly sessions among all sessions of a NAT-translated source IP address, and, if this proportion reaches a first predetermined threshold, determining that the NAT-translated source IP address is unreachable and notifying the administrator.
The present invention also provides a method for detecting IP address reachability, applied on a management server, the method comprising:
A. receiving the traffic log sent by the NAT gateway device, and determining as traffic anomaly sessions those TCP sessions in the traffic log whose reverse traffic is zero and whose forward traffic is non-zero, wherein the reverse traffic is the traffic sent from outside the NAT gateway device to inside the NAT gateway device; and
B. counting, in the current statistical period, the proportion of traffic anomaly sessions among all sessions of a NAT-translated source IP address, and, if this proportion reaches a first predetermined threshold, determining that the NAT-translated source IP address is unreachable and notifying the administrator.
By processing NAT traffic logs further, the present invention can promptly detect that an IP address that has undergone one or more NAT translations (an IP address in the NAT address pool) is unreachable, which helps the administrator to take timely measures against faults or misconfigurations in the network that affect traffic, such as a missing return route on the upstream router.
Accompanying drawing explanation
Fig. 1 is a typical networking diagram with a NAT gateway device according to the present invention.
Fig. 2 is a logical block diagram of the IP address reachability detection device in one embodiment of the present invention.
Embodiment
The present invention is described below with reference to the accompanying drawings. Referring to Fig. 2, and taking an implementation as a computer program as an example, the IP address reachability detection device in one embodiment of the present invention is applied on a management server and comprises a log processing unit and an anomaly decision unit. The management server may be a logical device integrated in the NAT gateway device or an independent physical device. On the management server, the present invention receives the NAT traffic log sent by the NAT gateway device and analyses it periodically: within each period it counts the TCP traffic of each IP address in the NAT address pool and, among that traffic, the TCP sessions that were aged out by the timer without any traffic in the return direction. If, in the current statistical period, the share of such TCP sessions among all TCP sessions of a given IP address reaches one predetermined ratio, an alarm is sent; when it reaches another predetermined ratio, the corresponding IP address is determined to be unreachable. Taking TCP sessions as the example, the processing flow of the IP address reachability detection device of the present invention in this embodiment comprises the following steps:
Step 101: the log processing unit receives the traffic log sent by the NAT gateway device, and determines as traffic anomaly sessions those TCP sessions in the traffic log whose reverse traffic is zero and whose forward traffic is non-zero.
The NAT traffic log can be transmitted between the management server and the NAT gateway device by any standard or proprietary protocol. Table 1 shows the message format of a typical NAT traffic log in the present invention.
Table 1
The reverse traffic in this embodiment refers to the traffic formed by packets sent from outside the NAT to inside the NAT; for example, InTotalPkg and/or InTotalByte in Table 1 can characterise reverse traffic, since the packet count (InTotalPkg) and the byte count (InTotalByte) both describe traffic, from different dimensions. Forward traffic is the traffic formed by packets sent from inside the NAT gateway device to outside it; for example, OutTotalPkg and OutTotalByte in Table 1 characterise forward traffic. A normal TCP session usually carries traffic in both directions. Referring to Fig. 1, suppose that part of the return route on the upstream router is missing; the sessions of at least one NAT-translated source IP address (SrcNatIP, i.e. an IP address in the NAT address pool) will then usually show the abnormal pattern of zero reverse traffic and non-zero forward traffic. Such a session is called a traffic anomaly session in the present invention. The present invention needs to identify the sessions showing this abnormal pattern, because these traffic anomaly sessions are likely to be caused by the source IP address (SrcNatIP) being unreachable, for example owing to a missing return route.
Furthermore, to make the criterion for a traffic anomaly session more rigorous, the log processing unit can also classify each session in the NAT traffic log by its Operator field, find the sessions whose Operator field is 0x2 (sessions terminated because the aging timer expired), and then define as anomalous only those sessions whose Operator field is 0x2, whose reverse traffic is zero and whose forward traffic is non-zero. An Operator value of 0x2 indicates that the session was aged out because the timer expired; if a session ended by timer aging and its reverse traffic is zero while its forward traffic is non-zero, that session is quite likely to be a traffic anomaly session. If, on the other hand, the Operator field in the log is 0x3 or 0x4, a session with zero reverse traffic and non-zero forward traffic (which should be rare in these cases) is relatively unlikely to be anomalous: according to what 0x3 and 0x4 represent, the end of such a session may be normal, for example the session was forcibly aged just after it was established, to make room for a higher-priority session, so the reverse traffic simply had no time to appear. By the same reasoning, sessions with no traffic in either direction need not be considered by the log processing unit either, because such sessions may have been dropped during session establishment, which bears no direct relation to whether the IP address is reachable.
Referring to Table 1, an example of the log content for a normally terminated session is as follows:
TCP|Ipv4| 0x1|10.11.36.18|101.111.36.19|124.207.41.114|124.207.41.114|1024|10113|80|80|2012/3/30 16:54|2012/3/30 16:54| 1313540|14|10110
An example of the log content for a session that has no reverse traffic and was aged out by the timer is as follows:
TCP|Ipv4| 0x2|10.11.36.18|101.111.36.19|124.207.41.114|124.207.41.114|1024|10113|80|80|2012/3/30 16:55|2012/3/30 16:56|0| 03|120
Step 102: the anomaly decision unit counts, within the current statistical period, the proportion of traffic anomaly sessions among all sessions of the same NAT-translated source IP address, and, if this proportion reaches the first predetermined threshold, determines that the NAT-translated source IP address is unreachable.
The anomaly decision unit can perform its statistics and analysis according to a preset period and output the result for the current period. If, among all sessions in which a given IP address in the NAT address pool participates in the current statistical period, a very high proportion (for example 50%) has been classified by the log processing unit as traffic anomaly sessions, it can essentially be concluded that this NAT-translated source IP address is unreachable. A NAT-translated IP address is in fact a public IP address in the NAT address pool, and it is usually assigned to different users. When reverse traffic arrives, the NAT gateway device distinguishes the traffic of different users by IP address plus port; this is the basic operating principle of NAT. Clearly, if a large number of sessions of this source IP address are traffic anomaly sessions, it is highly likely that the source IP address is unreachable.
Step 103: when the aforementioned proportion reaches a second predetermined threshold, the anomaly decision unit sends the administrator early-warning information indicating that this NAT-translated source IP address may be unreachable.
Furthermore, when the proportion of traffic anomaly sessions is fairly high, for example reaching the second predetermined threshold (which is lower than the first predetermined threshold, for example 10%), the conclusion that this NAT-translated source IP address is unreachable may not yet be reliable, because such anomalies may have other causes. When the proportion of traffic anomaly sessions counted by the anomaly decision unit within the predetermined time reaches the second predetermined threshold, an alarm is sent to the administrator, who can then combine experience with other objective factors in the network to judge whether the current NAT-translated source IP address is really unreachable.
Furthermore, to rule out the possibility that the address is unreachable because of a link failure or some other cause, when the proportion of traffic anomaly sessions of the current NAT-translated source IP address reaches the first predetermined threshold, the anomaly decision unit can also check the proportion of traffic anomaly sessions of the other NAT-translated source IP addresses. If one or more of the other NAT-translated source IP addresses has a proportion of traffic anomaly sessions below the second threshold, this result is reported to the administrator, who can then determine that only the current NAT-translated source IP address is unreachable while the other NAT-translated source IP addresses are normal.
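Steps 101 to 103 together form one detection pipeline, and the following Python is an added example of it, not code from the patent or from the assignee. Because Table 1 is not reproduced on the page, the pipe-delimited column order in FIELDS is an assumption modelled on the two sample records (the four trailing counters are taken to be InTotalPkg, InTotalByte, OutTotalPkg and OutTotalByte); the threshold values follow the examples in the text (50% and 10%), while the sample records, function names and verdict labels are constructed for this illustration. The block also shows the effect of the stricter Operator 0x2 criterion: with it, a one-way session that was forcibly aged (0x3) does not count against its address; without it, the same log produces a spurious warning.

```python
"""Added example (not the patent's own code): a log processing unit and an
anomaly decision unit for NAT traffic logs, following steps 101-103.
FIELDS is an assumed Table 1 layout; samples and labels are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed Table 1 layout (constructed): protocol, IP version, Operator, SrcIP,
# SrcNatIP, DstIP, DstNatIP, ports, start/end time, then the counters named
# in the description (InTotalPkg, InTotalByte, OutTotalPkg, OutTotalByte).
FIELDS = ["proto", "ipver", "operator", "src_ip", "src_nat_ip", "dst_ip",
          "dst_nat_ip", "src_port", "src_nat_port", "dst_port", "dst_nat_port",
          "start", "end", "in_pkts", "in_bytes", "out_pkts", "out_bytes"]

OP_TIMER_AGED = 0x2        # Operator value: session ended by timer aging
FIRST_THRESHOLD = 0.50     # unreachable verdict (example value from the text)
SECOND_THRESHOLD = 0.10    # early-warning alarm; must stay below the first


@dataclass
class Session:
    proto: str
    operator: int
    src_nat_ip: str
    in_pkts: int
    in_bytes: int
    out_pkts: int
    out_bytes: int


def parse_line(line):
    """Parse one log record; reject records with an unexpected field count."""
    parts = [p.strip() for p in line.strip().split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    return Session(proto=rec["proto"], operator=int(rec["operator"], 16),
                   src_nat_ip=rec["src_nat_ip"],
                   in_pkts=int(rec["in_pkts"]), in_bytes=int(rec["in_bytes"]),
                   out_pkts=int(rec["out_pkts"]), out_bytes=int(rec["out_bytes"]))


def is_anomalous(s, strict=True):
    """Reverse traffic zero and forward traffic non-zero; with strict=True the
    session must also have ended by timer aging (Operator 0x2)."""
    reverse_zero = s.in_pkts == 0 and s.in_bytes == 0
    forward_nonzero = s.out_pkts > 0 or s.out_bytes > 0
    if not (reverse_zero and forward_nonzero):
        return False
    return s.operator == OP_TIMER_AGED if strict else True


def anomaly_ratios(sessions, strict=True):
    """Per-SrcNatIP share of anomalous TCP sessions in one statistical period.
    Sessions with no traffic in either direction are ignored (step 101)."""
    total, bad = defaultdict(int), defaultdict(int)
    for s in sessions:
        if s.proto != "TCP":
            continue
        if s.in_pkts == s.in_bytes == s.out_pkts == s.out_bytes == 0:
            continue
        total[s.src_nat_ip] += 1
        if is_anomalous(s, strict):
            bad[s.src_nat_ip] += 1
    return {ip: bad[ip] / total[ip] for ip in total}


def assess_period(sessions, strict=True):
    """Steps 102-103: verdict per pool address, cross-checking the others."""
    ratios = anomaly_ratios(sessions, strict)
    verdicts = {}
    for ip, ratio in ratios.items():
        if ratio >= FIRST_THRESHOLD:
            others = [r for other, r in ratios.items() if other != ip]
            # A healthy peer address means the fault is specific to this
            # address; if every other address is degraded too, suspect a link.
            if others and not any(r < SECOND_THRESHOLD for r in others):
                verdicts[ip] = "unreachable_or_link_failure"
            else:
                verdicts[ip] = "unreachable"
        elif ratio >= SECOND_THRESHOLD:
            verdicts[ip] = "warning"
        else:
            verdicts[ip] = "ok"
    return verdicts


def _record(op, nat_ip, in_pkts, in_bytes, out_pkts, out_bytes, proto="TCP"):
    """Build a constructed sample record in the assumed Table 1 layout."""
    return "|".join([proto, "Ipv4", f"0x{op:x}", "10.11.36.18", nat_ip,
                     "124.207.41.114", "124.207.41.114", "1024", "10113", "80",
                     "80", "2012/3/30 16:55", "2012/3/30 16:56",
                     str(in_pkts), str(in_bytes), str(out_pkts), str(out_bytes)])


# Constructed sample log for one statistical period.
SAMPLE_LOG = [
    _record(0x2, "101.111.36.19", 0, 0, 3, 120),          # one-way, timer aged
    _record(0x2, "101.111.36.19", 0, 0, 3, 120),
    _record(0x2, "101.111.36.19", 0, 0, 2, 80),
    _record(0x1, "101.111.36.19", 13, 13540, 14, 10110),  # 3 of 4 anomalous
    _record(0x2, "101.111.36.20", 0, 0, 3, 120),          # 1 of 5 anomalous
    *[_record(0x1, "101.111.36.20", 10, 9000, 12, 8000) for _ in range(4)],
    *[_record(0x1, "101.111.36.150", 10, 9000, 12, 8000) for _ in range(3)],
    _record(0x3, "101.111.36.150", 0, 0, 1, 60),          # forced aging, not 0x2
    _record(0x2, "101.111.36.150", 0, 0, 0, 0),           # no traffic: ignored
    _record(0x2, "101.111.36.150", 0, 0, 5, 200, proto="UDP"),  # not TCP
]


def assess_log(lines, strict=True):
    return assess_period([parse_line(l) for l in lines], strict)


if __name__ == "__main__":
    for ip, verdict in sorted(assess_log(SAMPLE_LOG).items()):
        print(ip, verdict)
```

On the constructed log, 101.111.36.19 (75% anomalous) is reported unreachable while 101.111.36.150 is healthy, so the cross-check of step 103 attributes the fault to that one address; 101.111.36.20 (20%) only raises the early warning. Rerun with strict=False and the 0x3 session counts against 101.111.36.150, no other address is below the second threshold, and the verdict for 101.111.36.19 degrades to a possible link failure, which is why the description prefers the Operator 0x2 criterion.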
By processing NAT traffic logs further, the present invention can promptly detect that an IP address that has undergone one or more NAT translations (an IP address in the NAT address pool) is unreachable, which helps the administrator to take timely measures against faults or misconfigurations in the network that affect traffic, such as a missing return route on the upstream router.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (8)

1. A device for detecting IP address reachability, applied on a management server, characterized in that the device comprises:
a log processing unit, for receiving the traffic log sent by a NAT gateway device, and for determining as traffic anomaly sessions those TCP sessions in the traffic log whose reverse traffic is zero and whose forward traffic is non-zero and which terminated because the aging timer expired; wherein the reverse traffic is the traffic sent from outside the NAT gateway device to inside the NAT gateway device;
an anomaly decision unit, for counting, in the current statistical period, the proportion of traffic anomaly sessions among all sessions of a NAT-translated source IP address, and, if this proportion reaches a first predetermined threshold, determining that the NAT-translated source IP address is unreachable and notifying the administrator.
2. The device of claim 1, characterized in that the anomaly decision unit is further used for sending the administrator early-warning information that the NAT-translated source IP address is unreachable when the proportion reaches a second predetermined threshold.
3. The device of claim 2, characterized in that the first predetermined threshold is greater than the second predetermined threshold.
4. The device of claim 1, characterized in that the anomaly decision unit is used for counting, in the current statistical period, the proportion of traffic anomaly sessions separately for each of a plurality of NAT-translated source IP addresses in the NAT IP address pool.
5. A method for detecting IP address reachability, applied on a management server, characterized in that the method comprises:
A. receiving the traffic log sent by a NAT gateway device, and determining as traffic anomaly sessions those TCP sessions in the traffic log whose reverse traffic is zero and whose forward traffic is non-zero and which terminated because the aging timer expired; wherein the reverse traffic is the traffic sent from outside the NAT gateway device to inside the NAT gateway device;
B. counting, in the current statistical period, the proportion of traffic anomaly sessions among all sessions of a NAT-translated source IP address, and, if this proportion reaches a first predetermined threshold, determining that the NAT-translated source IP address is unreachable and notifying the administrator.
6. The method of claim 5, characterized in that step B further comprises: sending the administrator an alarm for the NAT-translated source IP address when the proportion reaches a second predetermined threshold.
7. The method of claim 6, characterized in that the first predetermined threshold is greater than the second predetermined threshold.
8. The method of claim 5, characterized in that step B further comprises: counting, in the current statistical period, the proportion of traffic anomaly sessions separately for each of a plurality of NAT-translated source IP addresses in the NAT IP address pool.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210227793.1A CN102752141B (en) 2012-06-29 2012-06-29 Method and device for detecting accessibility of IP (internet protocol) address

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210227793.1A CN102752141B (en) 2012-06-29 2012-06-29 Method and device for detecting accessibility of IP (internet protocol) address

Publications (2)

Publication Number Publication Date
CN102752141A CN102752141A (en) 2012-10-24
CN102752141B true CN102752141B (en) 2015-05-06

Family

ID=47032050

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210227793.1A Active CN102752141B (en) 2012-06-29 2012-06-29 Method and device for detecting accessibility of IP (internet protocol) address

Country Status (1)

Country Link
CN (1) CN102752141B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932346A (en) * 2012-10-26 2013-02-13 杭州迪普科技有限公司 Method and device for detecting unavailable addresses in network address translator (NAT) address pool
CN105468765B (en) * 2015-12-03 2017-12-19 中国南方电网有限责任公司信息中心 A kind of multinode web services method for detecting abnormality and system
CN107171817B (en) * 2016-03-07 2020-09-11 中国移动通信集团福建有限公司 Fault information acquisition method and device
CN106027326B (en) * 2016-05-10 2019-06-07 杭州迪普科技股份有限公司 Link healthprobe method and device
CN107682470B (en) * 2017-10-16 2021-04-27 杭州迪普科技股份有限公司 Method and device for detecting public network IP availability in NAT address pool
CN109743414B (en) * 2019-02-18 2021-12-31 国家计算机网络与信息安全管理中心 Method for improving address translation availability using redundant connections and computer readable storage medium
CN112054915B (en) * 2019-06-06 2023-10-03 阿里巴巴(中国)网络技术有限公司 Processing method, device and system for client exception pre-warning and computing equipment
CN111371791A (en) * 2020-03-06 2020-07-03 深信服科技股份有限公司 Access relation determining method, device, equipment and medium
CN112737957B (en) * 2020-12-30 2022-12-13 锐捷网络股份有限公司 Flow table aging method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1501644A (en) * 2002-11-19 2004-06-02 [assignee name not recoverable from the page] Detecting method of reachability among IP network equipments and its application in public dialing network platform accessing backup
CN101247353A (en) * 2008-03-25 2008-08-20 杭州华三通信技术有限公司 Stream aging method and network appliance

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPWO2002045352A1 (en) * 2000-11-30 2004-04-08 富士通株式会社 Network monitoring and control system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1501644A (en) * 2002-11-19 2004-06-02 [assignee name not recoverable from the page] Detecting method of reachability among IP network equipments and its application in public dialing network platform accessing backup
CN101247353A (en) * 2008-03-25 2008-08-20 杭州华三通信技术有限公司 Stream aging method and network appliance

Also Published As

Publication number Publication date
CN102752141A (en) 2012-10-24

Similar Documents

Publication Publication Date Title
CN102752141B (en) Method and device for detecting accessibility of IP (internet protocol) address
US9736051B2 (en) Smartap arrangement and methods thereof
US9923984B2 (en) Methods, systems, and computer readable media for remote authentication dial in user service (RADIUS) message loop detection and mitigation
US7672245B2 (en) Method, device, and system for detecting layer 2 loop
US8789182B2 (en) Security event logging in process control
CN101728869B (en) Power station automation system data network security monitoring method
US20070022468A1 (en) Packet transmission equipment and packet transmission system
CN111295865B (en) Obtaining local area network diagnostic test results
CN114301676B (en) Nondestructive asset detection method and device for power monitoring system and storage medium
CN104852826B (en) A kind of loop detecting method and device
CN109561111B (en) Method and device for determining attack source
CN112565229B (en) Hidden channel detection method and device
JP2007267151A (en) Apparatus, method and program for detecting abnormal traffic
JP2014147066A (en) Method and system for providing redundancy in data network communication
US9298175B2 (en) Method for detecting abnormal traffic on control system protocol
US8064454B2 (en) Protocol incompatibility detection
KR100588352B1 (en) System for monitoring ip sharer and method thereof
CN117061239B (en) Method and system for safely uploading and storing operation data of Internet of things terminal
CN109587025B (en) Port self-learning intelligent substation switch
CN114285769B (en) Shared internet surfing detection method, device, equipment and storage medium
CN107995182B (en) Excavation system of loophole in transformer substation
CN101888310A (en) UDP message-based IP path active measurement method
CN111884871B (en) Method and equipment for detecting discarded message of switch
CN108833282A (en) Data forwarding method, system, device and SDN switch
EP3158685B1 (en) Identification of candidate problem network entities

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310000 No. 68 in the 6 storey building

Patentee after: Hangzhou Dipu Polytron Technologies Inc

Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310000 No. 68 in the 6 storey building

Patentee before: Hangzhou Dipu Technology Co., Ltd.

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20210616

Address after: 310051 05, room A, 11 floor, Chung Cai mansion, 68 Tong Xing Road, Binjiang District, Hangzhou, Zhejiang.

Patentee after: Hangzhou Dip Information Technology Co.,Ltd.

Address before: 310000, 6 floor, Chung Cai mansion, 68 Tong he road, Binjiang District, Hangzhou, Zhejiang.

Patentee before: Hangzhou DPtech Technologies Co.,Ltd.

TR01 Transfer of patent right