Summary of the invention
The invention provides a security gateway and a method for detecting proxy surfing (shared Internet access through a proxy or NAT device), in order to solve the problem in the prior art that proxy surfing cannot be detected.
Specifically, the invention provides a method by which a security gateway detects proxy surfing, comprising:
Step 1: the security gateway receives a packet and looks up, in a pre-configured policy table, the proxy detection entry corresponding to the source IP address of the packet. The proxy detection entry comprises: the IP address to be detected, the IP ID value of the last packet received from that IP address, and the time at which the ID value last wrapped around;
Step 2: the security gateway checks whether the IP ID value of the currently received packet is greater than the last-received ID value recorded in the proxy detection entry; if so, step 3 is executed; otherwise, step 4 is executed;
Step 3: the security gateway updates the last-received ID value in the proxy detection entry to the ID value of the current packet and returns to step 1;
Step 4: the security gateway judges that an ID wraparound has occurred and checks whether the difference between the time of this wraparound and the time of the last wraparound recorded in the proxy detection entry is greater than or equal to a predefined tolerance time; if so, it judges that no proxy surfing is taking place; otherwise, it judges that proxy surfing is taking place.
In the method of the invention, when the pre-configured policy table contains no proxy detection entry corresponding to the source IP address of the currently received packet, the method further comprises:
the security gateway adds a proxy detection entry corresponding to the source IP address of the currently received packet to the policy table and initializes the parameters of that entry;
The initialization procedure is specifically: set the IP address to be detected to the source IP address of the currently received packet, set the last-received ID value corresponding to this IP address to zero, and set the time of the last ID wraparound to zero.
In the method of the invention, after the security gateway detects that proxy surfing is taking place, the method further comprises: the security gateway deletes the proxy detection entry corresponding to the source IP address of the currently received packet from the policy table.
Further, after the security gateway detects that proxy surfing is taking place, the method further comprises:
the security gateway reports the proxy surfing event and adds the source IP address of the currently received packet to a pre-configured blacklist, or turns on a pre-configured alarm switch.
In the method of the invention, after the security gateway detects that no proxy surfing is taking place, the method further comprises:
the security gateway updates the last-received ID value in the proxy detection entry to the ID value of the current packet, and updates the time of the last ID wraparound in the proxy detection entry to the time of this wraparound.
Further, after the security gateway updates the time of the last ID wraparound in the proxy detection entry, the method further comprises: arranging the proxy detection entries in the policy table in ascending order of wraparound time.
In the method of the invention, when a preset timer expires, the security gateway also traverses the proxy detection entries in the policy table and, based on the wraparound time in each entry, checks whether the corresponding ID value has not wrapped around within an agreed period; if so, the corresponding proxy detection entry is deleted; otherwise, no action is taken.
The preset timer period is greater than or equal to the tolerance time.
The invention also provides a security gateway, comprising:
a data reception module, used to receive a packet and look up, in a pre-configured policy table, the proxy detection entry corresponding to the source IP address of the packet; the proxy detection entry comprises: the IP address to be detected, the IP ID value of the last packet received from that IP address, and the time at which the ID value last wrapped around;
an ID comparison module, used to check whether the IP ID value of the currently received packet is greater than the last-received ID value in the proxy detection entry; if so, it triggers the proxy detection update module; otherwise, it triggers the proxy surfing detection module;
a proxy detection update module, used to update the last-received ID value in the proxy detection entry to the ID value of the current packet;
a proxy surfing detection module, used to check whether the difference between the time of this wraparound and the last wraparound time recorded in the proxy detection entry is greater than or equal to the predefined tolerance time; if so, it judges that no proxy surfing is taking place; otherwise, it judges that proxy surfing is taking place.
The data reception module is also used, when no proxy detection entry corresponding to the source IP address of the currently received packet is configured in the pre-configured policy table, to add a proxy detection entry corresponding to that IP address to the policy table and initialize the parameters of that entry.
Further, the security gateway of the invention also comprises:
a proxy detection recycling module, used, when a preset timer expires, to traverse the proxy detection entries in the policy table and, based on the wraparound time in each entry, check whether the corresponding ID value has not wrapped around within an agreed period; if so, the corresponding proxy detection entry is deleted; otherwise, no action is taken.
The preset timer period is greater than or equal to the tolerance time.
Compared with the prior art, the beneficial effects of the invention are as follows:
The proxy surfing detection method provided by the invention can effectively identify IP addresses that use proxy surfing by adopting a simple detection algorithm in the network, providing support for anti-proxy-surfing measures.
Embodiment
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention, without creative work, fall within the scope of protection of the invention.
In order to solve the problems in the prior art, the invention provides a security gateway and a method by which it detects proxy surfing. The core function of this detection method is to detect users engaged in unauthorized proxy surfing and then handle the detected users: the system can be set to raise an alarm, or the offending IP address can be added to the system blacklist so that it is disabled for a period of time, which can be set by the administrator.
The detection principle of the method is based on the change pattern of the IP ID field of packets sent by a Windows host, which runs 0 -> 65535 -> 0. The mechanism for detecting a proxy user is therefore based on the time interval between two wraparounds of the IP ID value in the user's packets: if the interval is greater than the tolerance time (the tolerate-time value set by the system), no proxy surfing is assumed; otherwise proxy surfing is assumed, and the packet is then handled according to the system settings. This is illustrated as follows:
As shown in Figure 1, suppose the ping packet streams of Client1 and Client2 pass through the firewall at the same time. Both ping streams are forwarded by Router, which is performing proxy surfing, so the two ping streams produce two ID streams that increase alternately. Suppose the merged ID stream is: 1 2 1 3 2 4 3 5 4 6 5. This is two ID streams, one running from 1 to 6 and the other from 1 to 5. By default, ping sends a packet every 1 second, so within a single ID stream the interval between two consecutive IDs is 1 second; once the two ID streams are merged into one, the interval between any three consecutive IDs is 1 second. Take the sub-sequence 2 1 3 2 as an illustration: when the packet with ID 1 arrives, because 1 is smaller than the preceding 2, the anti-proxy function considers that a wraparound has occurred and records the current time as the wraparound time; when 3 arrives, no wraparound is assumed; when 2 arrives, a wraparound is assumed once again, and at this point the difference between the current wraparound time and the previous wraparound time is compared with tolerate-time; if it is less than tolerate-time, proxy surfing is assumed.
The value of the tolerance time tolerate-time is closely tied to the user's network bandwidth and packet size. To explain clearly how this tolerate-time is obtained, a concrete example is given below:
Take a present-day home user's bandwidth of 4 Mbit/s as an example, with transmitted packets of 256 bytes. The packet rate is then 4*1024*1024/(256*8) = 2048 pps (packets per second); the total ID sequence length is 65536, so one wraparound takes 65536/2048 = 32 s.
The table below gives the time required for one wraparound under different bandwidths and packet rates. See Table 1:
Table 1
Home bandwidth (Mbit) | Packet size (Byte) | Packet rate (pps) | ID sequence length | Wraparound time (s)
4M | 64 | 8192 | 65536 | 8
4M | 128 | 4096 | 65536 | 16
4M | 256 | 2048 | 65536 | 32
4M | 512 | 1024 | 65536 | 64
4M | 1024 | 512 | 65536 | 128
4M | 1500 | 349.5 | 65536 | 187.6
2M | 64 | 4096 | 65536 | 16
2M | 128 | 2048 | 65536 | 32
2M | 256 | 1024 | 65536 | 64
2M | 512 | 512 | 65536 | 128
2M | 1024 | 256 | 65536 | 256
2M | 1500 | 174.8 | 65536 | 374.9
1M | 64 | 2048 | 65536 | 32
1M | 128 | 1024 | 65536 | 64
1M | 256 | 512 | 65536 | 128
1M | 512 | 256 | 65536 | 256
1M | 1024 | 128 | 65536 | 512
1M | 1500 | 87.4 | 65536 | 749.8
It should be noted that Table 1 gives theoretical values for the anti-proxy-surfing tolerance time. Taking a home user with 4M bandwidth as an example, the minimum tolerance time is 8 s; in practice the interval between two wraparounds of a single host can only be larger than this value, so setting the tolerance time slightly larger than this value can greatly improve detection accuracy; for example, the user could set the default to 10 s. The system can therefore set the tolerance time flexibly based on the above theoretical values.
The specific implementation process of the method by which the security gateway provided by the invention detects proxy surfing is given below with reference to Figure 2, comprising the following steps:
Step S201: the security gateway receives a packet and looks up, in a pre-configured policy table, the proxy detection entry corresponding to the source IP address of the packet. The proxy detection entry comprises: the IP address to be detected, the IP ID value of the last packet received from that IP address, and the time at which the ID value last wrapped around;
Step S202: the security gateway checks whether the IP ID value of the currently received packet is greater than the last-received ID value recorded in the proxy detection entry; if so, step S203 is executed; otherwise, step S204 is executed;
Step S203: the security gateway updates the last-received ID value in the proxy detection entry to the ID value of the current packet and returns to step S201;
Step S204: the security gateway judges that an ID wraparound has occurred and checks whether the difference between the time of this wraparound and the time of the last wraparound recorded in the proxy detection entry is greater than the predefined tolerance time; if so, it judges that no proxy surfing is taking place; otherwise, it judges that proxy surfing is taking place.
To state the method provided by the invention more clearly, its implementation process is described in detail below through a specific embodiment.
When detecting proxy surfing, the security gateway pre-configures a detection policy, specifically:
(1) add the source address to be detected; for example, source address 192.168.8.24, that is:
TopsecOS# firewall policy add src 192.168.8.24 action accept anti-proxy on
(2) configure the tolerance time value for anti-proxy surfing; for example: TopsecOS# network anti-proxy tolerate-time 2
Further, to make it easier for the user to handle proxy surfing, the security gateway can also be provided with a blacklist, in which case the following parameters are also configured when configuring the detection policy:
(3) the proxy surfing blacklist switch;
TopsecOS# network anti-proxy blacklist-handle on
(4) the blacklist list;
TopsecOS# firewall dynamic-policy show
Src/sport (source address/source port) | Dst/dport (destination address/destination port) | Expires (block time) | Comment (reason) | Hit-sessions (hit count)
192.168.8.24/0 | 0.0.0.0/0 | 3600 | anti-proxy | 123
Based on the above policy configuration, the internal data structures of the security gateway are modified as follows:
The security gateway needs to record the anti-proxy-surfing parameter configuration in memory, mainly the global variable holding the minimum sustainable wraparound interval of the anti-proxy function. Preferably, to support handling of proxy surfing users, the following parameters are also configured: the switch that enables blacklist handling, the switch that enables the alarm, and the period during which a proxy surfing IP address is blocked, i.e. during which that IP address is not allowed to communicate. Specifically:
int blacklist_switch;   // switch that enables blacklist handling
int alarm_switch;       // switch that enables the alarm
int tolerate_time;      // minimum sustainable wraparound interval of the anti-proxy function
int blacklist_timeout;  // period during which a proxy surfing IP address is blocked; it may not communicate during this time
Further, the security gateway needs to define a proxy detection entry for each IP address being detected (expressed below as the anti-proxy detection structure):
struct antiproxy_record
{
    struct list_head list;
    __u32 ip_addr;                 // IP address this entry corresponds to, i.e. the IP address being checked for proxy surfing; initial value 0
    int last_id;                   // ID value seen last time; a wraparound is detected by comparing the last and current values: if the current ID is greater than the last one, no wraparound has occurred, otherwise a wraparound is assumed; initial value 0
    unsigned long last_loop_time;  // time at which the last wraparound occurred; initial value 0
};
Then a global variable antiproxy_hash_table (the policy table mentioned above) is defined, used to hash and link the struct antiproxy_record structures of all IP addresses being checked for proxy surfing.
The implementation process of the method is set forth below based on the above configuration policy.
As shown in Figure 3, the flow chart of the anti-proxy-surfing detection method of the security gateway provided by the embodiment of the invention comprises the following steps:
Step S301: the security gateway receives a packet and searches the antiproxy_hash_table for the antiproxy_record structure matching the source IP address of the packet; if none is found, step S302 is executed; otherwise, step S303 is executed.
Step S302: the security gateway allocates a new antiproxy_record structure, adds it to the antiproxy_hash_table, and initializes its parameters.
The initialization procedure is:
record->ip_addr = IP;
record->last_id = IP ID value of the packet;
record->last_loop_time = 0;
Step S303: judge whether record->last_id is less than the ID value in the IP header of the packet; if so, judge that no wraparound has occurred and execute step S304; otherwise, judge that a wraparound has occurred and execute step S305.
Step S304: record the new ID value (record->last_id = ID) and return to step S301.
Step S305: check whether the difference between the time of this wraparound and the time of the last wraparound is greater than or equal to the value of the global variable tolerate_time; if so, judge that no proxy surfing is taking place and execute step S306; otherwise, judge that proxy surfing is taking place and execute step S307.
Step S306: update the antiproxy_record structure corresponding to the packet's IP address and return to step S301.
Updating the antiproxy_record structure is specifically:
record->last_id = IP ID value of the packet;
record->last_loop_time = time of this wraparound;
Step S307: delete the corresponding antiproxy_record structure from the antiproxy_hash_table and release the memory it occupies.
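The following is an added example, not code from the patent: a stand-alone model of the detector in steps S301-S307, driven by the interleaved ID stream of Figure 1 and by a single host whose ID wraps at the Table 1 rate. antiproxy_check(), run_figure1_stream(), run_single_host(), the millisecond timestamps, the second source address 192.168.8.25 and the fixed-size array standing in for antiproxy_hash_table are this example's assumptions.

```c
/* Added example (not the patent's own code): model of steps S301-S307.
 * antiproxy_check(), run_figure1_stream(), run_single_host() and the
 * fixed array replacing antiproxy_hash_table are assumptions. */
#include <stdint.h>
#include <string.h>

enum proxy_state { NO_WRAP = 0, WRAP_OK = 1, PROXY_DETECTED = 2 };

struct antiproxy_record {
    uint32_t ip_addr;              /* IP address being checked */
    int last_id;                   /* IP ID of the last packet seen from it */
    unsigned long last_loop_time;  /* time (ms) of the last wraparound; 0 = none yet */
    int in_use;
};

#define MAX_RECORDS 16
static struct antiproxy_record table[MAX_RECORDS];

void antiproxy_reset(void) { memset(table, 0, sizeof(table)); }

/* Steps S301-S307 for one packet (source IP, IP ID, arrival time in ms > 0). */
enum proxy_state antiproxy_check(uint32_t ip, int id, unsigned long now,
                                 unsigned long tolerate_time)
{
    struct antiproxy_record *rec = NULL, *slot = NULL;
    int i;
    for (i = 0; i < MAX_RECORDS; i++) {
        if (table[i].in_use && table[i].ip_addr == ip) rec = &table[i];
        else if (!table[i].in_use && slot == NULL) slot = &table[i];
    }
    if (rec == NULL) {                      /* S302: create and initialise */
        if (slot == NULL) return NO_WRAP;   /* table full: no verdict (assumed policy) */
        slot->in_use = 1; slot->ip_addr = ip;
        slot->last_id = id; slot->last_loop_time = 0;
        return NO_WRAP;
    }
    if (rec->last_id < id) {                /* S303/S304: IDs still increasing */
        rec->last_id = id;
        return NO_WRAP;
    }
    /* S305: ID went backwards, i.e. a wraparound; compare with the previous one */
    if (rec->last_loop_time == 0 || now - rec->last_loop_time >= tolerate_time) {
        rec->last_id = id;                  /* S306: record this wraparound */
        rec->last_loop_time = now;
        return WRAP_OK;
    }
    memset(rec, 0, sizeof(*rec));           /* S307: drop the entry */
    return PROXY_DETECTED;
}

/* Figure 1: two pinging hosts behind one NAT, merged IDs 1 2 1 3 2 4 3 5 4 6 5,
 * one packet per 500 ms, tolerate-time 10 s (the default suggested with Table 1).
 * Returns the 1-based packet number that first triggers detection, 0 if none. */
int run_figure1_stream(void)
{
    static const int ids[] = { 1, 2, 1, 3, 2, 4, 3, 5, 4, 6, 5 };
    int i;
    antiproxy_reset();                      /* 0xC0A80818 = 192.168.8.24 */
    for (i = 0; i < 11; i++)
        if (antiproxy_check(0xC0A80818u, ids[i], 500ul * (i + 1), 10000ul) == PROXY_DETECTED)
            return i + 1;
    return 0;
}

/* One host whose ID wraps 65535 -> 0 twice, 32 s apart (Table 1: 4M, 256-byte
 * packets).  Returns 1 if it is falsely flagged, 0 otherwise. */
int run_single_host(void)
{
    static const int ids[]          = { 65534, 65535, 0, 1, 65535, 0 };
    static const unsigned long ms[] = { 100, 200, 300, 400, 32200, 32300 };
    int i;
    antiproxy_reset();                      /* 0xC0A80819 = 192.168.8.25, constructed */
    for (i = 0; i < 6; i++)
        if (antiproxy_check(0xC0A80819u, ids[i], ms[i], 10000ul) == PROXY_DETECTED)
            return 1;
    return 0;
}
```

Note that the first wraparound seen for an address only records a time; a verdict requires two wraparounds, which is why the merged stream is reported at its second backward step (packet 5) while the lone host is never flagged.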
Preferably, when the security gateway detects proxy surfing, it reports to the system that proxy surfing has occurred and, according to the pre-configured handling policy, adds this IP address to the blacklist or raises an alarm.
Preferably, in the method described in the embodiment of the invention, the security gateway also has a recycling mechanism for the antiproxy_record structures in the antiproxy_hash_table, so as to release the memory they occupy. The recycling method is as follows:
The security gateway starts a timer; when the set period expires, the security gateway traverses the antiproxy_hash_table starting from its first hash chain and checks whether the wraparound time in each antiproxy_record structure satisfies a preset recycling condition; if so, the corresponding antiproxy_record structure is deleted; otherwise, no action is taken.
The recycling condition can be set flexibly. Its core idea is to check whether the IP address in each antiproxy_record structure has gone a sufficiently long time without an ID wraparound; if so, the system has reason to judge that no proxy surfing is taking place at this IP address, and the antiproxy_record structure corresponding to this IP address can be recycled. The setting of this recycling condition is described below by an example:
The set timer period is T, and T is greater than or equal to tolerate_time;
The recycling condition can then be set as: whether the difference between T and record->last_loop_time is greater than or equal to 2*tolerate_time.
If this recycling condition holds, it indicates that this record entry has not wrapped around for a long time and there is no proxy surfing, so the antiproxy_record structure is deleted; otherwise, no action is taken.
It should be noted that, to reduce the computational load on the system, when the security gateway updates last_loop_time in an antiproxy_record structure it preferably arranges the antiproxy_record structures in ascending order of last_loop_time, that is, in ascending order of the time at which the wraparound occurred. This is because when the security gateway finds one structure that does not satisfy the above recycling condition, the structures after it do not satisfy it either, so during recycling the structures after the first one that fails the recycling condition need not be checked, which reduces the system's computational load.
Illustration: the antiproxy_hash_table stores IP address 1, IP address 2, ..., IP address n, whose last_loop_time values in ascending order are 1, 10, 20, 21, ...; the set timer period is 25; the tolerance time is 5. Then, when the security gateway performs recycling detection:
For IP address 1: (25-1) is greater than 2*5; it is judged to satisfy the recycling condition, and the antiproxy_record structure corresponding to IP address 1 is deleted from the antiproxy_hash_table;
For IP address 2: (25-10) is greater than 2*5; it is judged to satisfy the recycling condition, and the antiproxy_record structure corresponding to IP address 2 is deleted from the antiproxy_hash_table;
For IP address 3: (25-20) is less than 2*5; it is judged not to satisfy the recycling condition, so no action is taken;
Because the last_loop_time values of IP address 4 through IP address n are all greater than that of IP address 3, they certainly do not satisfy the recycling condition either, so after checking IP address 3 the subsequent IP addresses need not be checked.
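The following is an added example, not the patent's own code: the timer-driven recycling scan over entries kept in ascending last_loop_time order, with the early stop described above, run on the worked case (1, 10, 20, 21; T = 25; tolerate_time = 5). recycle_records(), demo_recycle(), the array standing in for the hash chain and the 10.0.0.x addresses are assumptions; T is used as the text uses it.

```c
/* Added example (not the patent's own code): recycling scan with early stop.
 * recycle_records(), demo_recycle() and the array in place of the hash
 * chain are assumptions. */
#include <stddef.h>

struct antiproxy_record {
    unsigned int ip_addr;
    int last_id;
    unsigned long last_loop_time;   /* time of the last ID wraparound */
};

struct recycle_stats { int deleted; int examined; };

/* Walk entries sorted by last_loop_time ascending: delete while the recycling
 * condition T - last_loop_time >= 2 * tolerate_time holds and stop at the
 * first entry that fails it, since every later entry has a larger
 * last_loop_time.  Survivors are compacted to the front; counts are returned. */
struct recycle_stats recycle_records(struct antiproxy_record *recs, size_t *n,
                                     unsigned long T, unsigned long tolerate_time)
{
    struct recycle_stats st = { 0, 0 };
    size_t i, keep;
    for (i = 0; i < *n; i++) {
        st.examined++;
        if (recs[i].last_loop_time <= T &&          /* guard unsigned underflow */
            T - recs[i].last_loop_time >= 2 * tolerate_time) {
            st.deleted++;                           /* condition holds: recycle */
            continue;
        }
        break;                                      /* first failure: later ones fail too */
    }
    for (keep = 0; i < *n; i++, keep++)             /* entries from i onward survive */
        recs[keep] = recs[i];
    *n = keep;
    return st;
}

/* Worked case from the text: last_loop_time 1, 10, 20, 21; T = 25; tolerate_time = 5.
 * Addresses 10.0.0.1-10.0.0.4 are constructed.  Returns 1 if IP address 3
 * (last_loop_time 20) now heads the list, and reports the counts. */
int demo_recycle(int *deleted_out, int *examined_out, size_t *remaining_out)
{
    struct antiproxy_record recs[4] = {
        { 0x0A000001u, 0, 1 },  { 0x0A000002u, 0, 10 },
        { 0x0A000003u, 0, 20 }, { 0x0A000004u, 0, 21 } };
    size_t n = 4;
    struct recycle_stats st = recycle_records(recs, &n, 25, 5);
    *deleted_out = st.deleted;
    *examined_out = st.examined;
    *remaining_out = n;
    return recs[0].last_loop_time == 20;
}
```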
The method provided by the invention can effectively identify IP addresses that use proxy surfing by adopting a simple detection algorithm in the network, providing support for anti-proxy-surfing measures.
The invention also provides a security gateway, as shown in Figure 4, comprising:
a data reception module 410, used to receive a packet and look up, in a pre-configured policy table, the proxy detection entry corresponding to the source IP address of the packet; the proxy detection entry comprises: the IP address to be detected, the IP ID value of the last packet received from that IP address, and the time at which the ID value last wrapped around;
an ID comparison module 420, used to check whether the IP ID value of the currently received packet is greater than the last-received ID value in the proxy detection entry; if so, it triggers the proxy detection update module 430; otherwise, it triggers the proxy surfing detection module 440;
a proxy detection update module 430, used to update the last-received ID value in the proxy detection entry to the ID value of the current packet;
a proxy surfing detection module 440, used to check whether the difference between the time of this wraparound and the last wraparound time recorded in the proxy detection entry is greater than the predefined tolerance time; if so, it judges that no proxy surfing is taking place; otherwise, it judges that proxy surfing is taking place.
The data reception module 410 is also used, when no proxy detection entry corresponding to the source IP address of the currently received packet is configured in the pre-configured policy table, to add a proxy detection entry corresponding to that IP address to the policy table and initialize the parameters of that entry.
Further, the security gateway also comprises:
a proxy detection recycling module 450, used, when a preset timer expires, to traverse the proxy detection entries in the policy table and, based on the wraparound time in each entry, check whether the corresponding ID value has not wrapped around within an agreed period; if so, the corresponding proxy detection entry is deleted; otherwise, no action is taken.
The preset timer period is greater than or equal to the tolerance time.
Implementing the device of the invention can effectively identify IP addresses that use proxy surfing by adopting a simple detection algorithm in the network, providing support for anti-proxy-surfing measures.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and variations of the invention fall within the scope of the claims of the invention and their technical equivalents, the invention is also intended to encompass these changes and modifications.