CN111130931B - Detection method and device for illegal external connection equipment - Google Patents


Info

Publication number: CN111130931B
Application number: CN201911301058.9A
Authority: CN (China)
Prior art keywords: message, intranet, equipment, request message, response message
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN111130931A
Inventor: 陈文忠
Current Assignee: Hangzhou DPTech Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Hangzhou DPTech Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management


Abstract

The application provides a detection method and device for illegal external connection equipment. In the application, a scanner in the intranet simulates an extranet server and sends a request message to an intranet device in the intranet, so as to trigger the intranet device to actively send a response message to the extranet server. When the intranet device has an illegal external connection, the extranet server receives the response message sent by the intranet device; when the intranet device has no external connection, the extranet server cannot receive that response message. Therefore, whether the intranet device has an illegal external connection can be determined by whether the extranet server receives the response message sent by the intranet device.

Description

Detection method and device for illegal external connection equipment
Technical Field
The application relates to the technical field of internet, in particular to a detection method and device for illegal external connection equipment.
Background
In a network communication system with an isolated intranet and extranet, an intranet device in the intranet is generally not allowed to connect to the extranet, in order to prevent the leakage of important data from the intranet. Therefore, there is a need to detect in time any intranet device in the intranet that has an illegal external connection.
Disclosure of Invention
In view of the above technical problems, the present application provides a method and an apparatus for detecting an illegal external connection device, which can detect an intranet device with an illegal external connection condition in an intranet.
According to a first aspect of the present application, a method for detecting an illegal external connection device is provided, where the method is applied to a scanner, the scanner is located in an intranet, and the method includes:
simulating the extranet server to send a request message for establishing a connection to an intranet device in the intranet, so that the intranet device returns a response message to the request message to the extranet server; when the extranet server receives a message, it detects whether the message is the response message to the request message returned by the intranet device, and if so, the intranet device is determined to be an illegal external connection device.
According to a second aspect of the present application, there is provided another method for detecting an illegal external connection device, where the method is applied to an external network server, and the method includes:
receiving a message;
detecting whether the received message is a response message to a request message returned by an intranet device; the request message is a request message for establishing a connection that the scanner, simulating the extranet server, sent to the intranet device;
and if the message is a response message of the request message returned by the intranet equipment, determining that the intranet equipment is illegal external connection equipment.
According to a third aspect of the present application, there is provided a device for detecting an illegal external connection device, the device being applied to a scanner, the scanner being located in an intranet, the device including:
a sending unit, configured to simulate the extranet server to send a request message for establishing a connection to an intranet device in the intranet, so that the intranet device returns a response message to the request message to the extranet server, and so that the extranet server, when receiving a message, detects whether the message is the response message to the request message returned by the intranet device and, if so, determines the intranet device to be an illegal external connection device.
According to a fourth aspect of the present application, there is provided another detection apparatus for an illegal external connection device, where the apparatus is applied to an external network server, and the apparatus includes:
a receiving unit, configured to receive a message;
a detection unit, configured to detect whether the received message is a response message to a request message returned by an intranet device; the request message is a request message for establishing a connection that the scanner, simulating the extranet server, sent to the intranet device;
and the determining unit is used for determining the intranet equipment as the illegal external connection equipment when the message is a response message of a request message returned by the intranet equipment.
According to the application, a scanner in the intranet simulates the extranet server and sends a request message to an intranet device in the intranet, so as to trigger the intranet device to actively send a response message to the extranet server. When the intranet device has an illegal external connection, the extranet server receives the response message sent by the intranet device; when the intranet device has no external connection, the extranet server cannot receive that response message. Therefore, whether the intranet device has an illegal external connection can be determined by whether the extranet server receives the response message sent by the intranet device.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to the drawings.
Fig. 1 is a schematic diagram of an application scenario shown in an exemplary embodiment of the present application;
fig. 2 is a flowchart illustrating a method for detecting an illegal external connection device according to an exemplary embodiment of the present application;
FIG. 3 is an interaction diagram illustrating a TCP protocol connection establishment method according to an exemplary embodiment of the present application;
fig. 4 is an interaction diagram of a detection method for an illegal external connection device according to an exemplary embodiment of the present application;
FIG. 5 is a diagram illustrating a hardware configuration of a scanner in accordance with an exemplary embodiment of the present application;
fig. 6 is a block diagram of a device for detecting an illegal external connection device according to an exemplary embodiment of the present application;
FIG. 7 is a hardware block diagram of an extranet server according to an exemplary embodiment of the present application;
fig. 8 is a block diagram of another detection apparatus for an illegal external connection device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
In a network communication system with isolated intranet and extranet, an intranet device in the intranet is generally not allowed to connect to the extranet in order to prevent the leakage of important data in the intranet.
Therefore, the network communication system needs to detect the intranet device in time when the illegal external connection exists in the intranet.
In view of this, the present application provides a method for detecting an illegal external connection device. According to the application, a scanner in the intranet simulates the extranet server and sends a request message to an intranet device in the intranet, so as to trigger the intranet device to actively send a response message to the extranet server. When the intranet device has an illegal external connection, the extranet server receives the response message sent by the intranet device; when the intranet device has no external connection, the extranet server cannot receive that response message. Therefore, whether the intranet device has an illegal external connection can be determined by whether the extranet server receives the response message sent by the intranet device.
The method is suitable for a network communication system as shown in fig. 1, and an intranet of the communication system includes intranet equipment to be detected (only one intranet equipment is taken as an example in the figure). In order to detect the internal network equipment of the illegal external connection, the method of the application also deploys a scanner in the internal network and deploys an external network server in the external network. The scanner may be a server or a PC, and is not particularly limited herein.
Generally, an intranet device cannot connect to the extranet server, because the intranet and the extranet are isolated. However, if the intranet device has an illegal external connection, the intranet device reaches the extranet server through a forwarding device such as a router or a switch.
Referring to fig. 2, fig. 2 is a diagram illustrating a method for detecting an illegal external device according to an exemplary embodiment of the present application.
Step S201: the scanner simulates an extranet server to send a request message for establishing connection to an intranet device in an intranet, so that the intranet device returns a response message of the request message to the extranet server.
In this application, the scanner and the intranet device are both located in the intranet and can communicate with each other. The scanner simulates the extranet server and sends a request message for establishing a connection to the intranet device. After receiving the request message, the intranet device reads the information in the request message and then returns a response message corresponding to it.
It can be understood that, if the intranet device is an illegal external connection device, the response message sent by the intranet device is received by the extranet server; if the intranet device is not an illegal external connection device, the response message sent by the intranet device cannot be received by the extranet server.
Optionally, the scanner may first obtain the IP address of the extranet server and the preset designated port of the extranet server according to a preset configuration file, then construct a request packet whose source IP address is the IP address of the extranet server and whose source port is the designated port of the extranet server, and send the request packet to the intranet device. Therefore, after receiving the request message, the intranet device can return a response message to the designated port of the extranet server according to the source IP address and the source port of the request message.
Step S202: the extranet server receives a message.
Step S203: the extranet server detects whether the received message is a response message to a request message returned by an intranet device; the request message is a request message for establishing a connection that the scanner, simulating the extranet server, sent to the intranet device.
Since the extranet server sits in a more complex network environment, it will inevitably receive many messages from the network. In order to detect an intranet device with an illegal external connection, the extranet server needs to determine whether a received message is a response message to the request message sent in step S201.
Optionally, the extranet server presets a designated port for receiving the response message. After receiving a message, the extranet server performs at least the following two checks. First, the extranet server checks whether the port on which the message was received is the designated port; second, the extranet server checks whether the message type of the message is a response message.
And judging according to the detection result:
if the interface for receiving the message is the designated port and the message type of the message is a response message, the extranet server determines that the received message is the response message of the request message returned by the intranet equipment;
and if the interface for receiving the message is not the designated port and/or the message type of the message is not the response message, the extranet server determines that the received message is not the response message of the request message returned by the intranet equipment.
Step S204: and if the message is a response message of the request message returned by the intranet equipment, the extranet server determines that the intranet equipment is the illegal extranet equipment.
According to step S203, the extranet server may screen out a response message of the request message returned by the intranet device in step S201 from all the received messages. Based on the screened response message, the extranet server can determine that the intranet equipment returning the response message is illegal extranet equipment.
Thus, the flow shown in fig. 2 is completed.
According to the application, a scanner in the intranet simulates the extranet server and sends a request message to an intranet device in the intranet, so as to trigger the intranet device to actively send a response message to the extranet server. When the intranet device has an illegal external connection, the extranet server receives the response message sent by the intranet device; when the intranet device has no external connection, the extranet server cannot receive that response message. Therefore, whether the intranet device has an illegal external connection can be determined by whether the extranet server receives the response message sent by the intranet device.
As an alternative embodiment, the method described in this application may be implemented on the basis of the TCP "three-way handshake" procedure used to establish a connection.
The procedure of "TCP successfully establishing a connection" will be described first with reference to fig. 3.
Step S301: the client sends a SYN message for requesting to establish connection to the server, and the sequence number of the message is an initialization value, and the sequence number is assumed to be j.
Step S302: after receiving the SYN message, the server returns a SYN ACK message indicating acknowledgement to the client; the acknowledgement number of this message is the sequence number of the SYN message plus 1 (i.e., j + 1).
Step S303: after receiving the SYN ACK message of the server, the client sends an ACK message representing confirmation to the server.
At this point, the TCP connection is successfully established between the client and the server.
It can be understood that, if in step S302 the server rejects the client's request to establish the connection, then after receiving the SYN message the server returns an RST ACK message indicating that the connection is closed, and the acknowledgement number of this message is the same as that of the SYN ACK message in the successful case of step S302, namely the sequence number of the SYN message plus 1 (i.e., j + 1).
The implementation of the present application based on the first two steps of the TCP "three-way handshake" is described as follows:
First, the scanner determines the device identifier of at least one intranet device to be detected in the intranet, then simulates the extranet server to send a TCP SYN message to each intranet device to be detected, where the sequence number of each TCP SYN message is set to the device identifier of the intranet device that is to receive that SYN message; this identifier is assumed to be x. The device identifier of an intranet device may be its IP address or its serial number, and is not specifically limited herein.
Then, after receiving the TCP SYN message, the intranet device returns a SYN ACK message to the extranet server as the response message if it accepts the connection establishment request, or an RST ACK message if it rejects it. In either case the acknowledgement number of the SYN ACK or RST ACK message is the sequence number of the SYN message plus 1 (i.e., x + 1).
Next, the extranet server screens out the response messages returned by intranet devices from all received messages; the specific screening method is as in step S203 and is not repeated here.
Finally, the extranet server reads the acknowledgement number of the received response message (namely x + 1) and subtracts 1 from it to obtain the device identifier (namely x) of the intranet device. The extranet server then determines that the intranet device indicated by this device identifier is an intranet device with an illegal external connection. Optionally, the extranet server may add the device identifier to an illegal external connection list.
The detection of the intranet devices is thereby completed: devices recorded in the illegal external connection list are illegal external connection devices, and devices not recorded in the list are not.
In the present application, the response message sent by the intranet device is a SYN ACK or RST ACK message. Because such a response is a basic message of TCP connection establishment, the intranet device sends it whether the connection succeeds or is refused. Compared with the conventional approach in which the intranet device sends an ICMP message to the extranet server, this avoids the message being lost through interception by a firewall or being discarded by a router, and so improves the effectiveness of detection.
A specific embodiment for implementing the method of the present application is described below with reference to the interactive diagram shown in fig. 4.
As shown in fig. 4, the steps are as follows:
Step S401: the scanner determines the intranet devices to be detected in the intranet and constructs a TCP SYN message for each intranet device, where the source IP address of every SYN message is the IP address of the extranet server, the source port of every SYN message is the designated port of the extranet server, and the sequence number of each SYN message is set to the device identifier of the intranet device that is to receive it.
Step S402: and the scanner sends the SYN message constructed in the step S401 to the intranet equipment.
Step S403: the intranet device receives the SYN message in step S402, and then returns a SYN ACK message to the designated port of the extranet server according to the source IP address and the source port of the SYN message.
It can be understood that the sequence number of the SYN message received by each intranet device is the device identifier of the intranet device itself, and according to the basic principle of TCP "three-way handshake" shown in fig. 3, the acknowledgement sequence number of the SYN ACK message returned by each intranet device is the device identifier value of the intranet device itself plus 1.
Step S404: the extranet server detects whether a received message is a response message returned by an intranet device. Specifically, the extranet server checks whether the port on which the message was received is the designated port, and whether the message type of the message is a response message.
If the port on which the message was received is the designated port and the message type is a response message, the received message is determined to be the response message to the request message returned by the intranet device;
if the port on which the message was received is not the designated port and/or the message type is not a response message, the received message is determined not to be the response message to the request message returned by the intranet device.
According to the detection method, the extranet server screens out the SYN ACK message returned by the intranet equipment in the step S403 from the received messages.
Step S405: and the extranet server acquires the confirmation sequence number of the SYN ACK message, subtracts 1 from the confirmation sequence number to obtain the equipment identifier of the illegal external connection equipment, and adds the equipment identifier into the illegal external connection list.
The flow shown in fig. 4 is completed.
The reason why, in the present application, the scanner simulating the extranet server (rather than the extranet server itself) sends the request message for establishing the connection to the intranet device is as follows:
in general, if an intranet device is illegally connected to an extranet, a message sent by the intranet device is sent to the extranet via a forwarding device such as a router, and these forwarding devices usually perform NAT conversion on the message sent by the intranet device.
Because of the existence of NAT conversion, in a network communication system, a private network device must firstly actively send a message to a public network device, and the source IP address of the message is the private network IP address of the private network device. Before forwarding the message, the NAT device modifies the source IP address of the message into a public network IP address, and meanwhile, the NAT device establishes a corresponding relation between the private network IP address and the public network IP address. When the public network device returns a message to the private network device, the NAT conversion device can perform DNAT conversion based on the established correspondence between the private network IP address and the public network IP address (i.e., modify the destination IP address of the returned message from the public network IP address to the private network IP address based on the correspondence), and send the message after DNAT conversion to the private network device. Therefore, if the public network device actively sends a message to the private network device, because the NAT device does not have the above correspondence, the NAT device discards the message, and thus the private network device cannot receive the message actively sent by the public network device.
For these reasons, the request message for establishing the connection is sent to the intranet device in the intranet by the scanner simulating the extranet server, instead of the extranet server actively sending the request message to the intranet device, in order to trigger the intranet device to send the response message to the extranet server.
In addition, in this method of using the scanner to trigger the intranet device to actively send a message to the extranet server, the intranet device does not need any adaptive change and only needs to support the basic functions of the TCP/IP protocol, so the performance of the intranet device is not affected and the detection is more efficient.
The reason why the sequence number of the TCP SYN message is used to carry the device identifier of the intranet device in the present application is as follows:
after the response message converted by the NAT is received by the external network server, because the private network IP address of the internal network device originally recorded in the source IP address field of the response message is already converted into the public network IP address, the external network server cannot directly determine the private network IP address of the internal network device that sends the response message according to the source IP address field of the response message.
For this reason, the present application uses the TCP "three-way handshake" messages to carry the device identifier in the sequence number of the request message, so that the intranet device carries the device identifier plus 1 in the acknowledgement number of the response message. Even if the response message is forwarded through NAT, its acknowledgement number is not changed. Therefore, the extranet server can determine the device identifier of the illegal external connection device from the acknowledgement number field of the response message sent by the intranet device.
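The fig. 4 flow together with the two reasons just given (the scanner, not the extranet server, originates the SYN; NAT rewrites the source address but leaves the acknowledgement number intact), as an added Python simulation that is not part of the patent or the applicant's code. The addresses, the designated port 40000 and the choice of the private IPv4 address as the device identifier are assumptions; nothing is sent on a network, the TCP header is only serialised and parsed in memory.

```python
"""Simulation of the fig. 4 detection flow: scanner SYN, intranet reply, NAT, extranet-side filter."""
import ipaddress
import struct
from dataclasses import dataclass, replace

# TCP flag bits (RFC 793)
FLAG_RST = 0x04
FLAG_SYN = 0x02
FLAG_ACK = 0x10

# Constructed, hypothetical values; none of these come from the patent.
EXTRANET_SERVER_IP = "203.0.113.10"   # address the scanner puts in the SYN's source field
DESIGNATED_PORT = 40000               # preset port the extranet server expects responses on
NAT_PUBLIC_IP = "198.51.100.7"        # address a NAT on the illegal path rewrites the source to


@dataclass
class Packet:
    """IP source/destination plus the TCP header fields the method relies on."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int


def pack_tcp_header(p: Packet) -> bytes:
    """Serialise to a minimal 20-byte TCP header: data offset 5, no options, checksum left 0."""
    offset_flags = (5 << 12) | p.flags
    return struct.pack("!HHIIHHHH", p.src_port, p.dst_port, p.seq, p.ack,
                       offset_flags, 65535, 0, 0)


def unpack_tcp_header(src_ip: str, dst_ip: str, data: bytes) -> Packet:
    """Parse the fields back out; the low 9 bits of the offset/flags word are the flags."""
    src_port, dst_port, seq, ack, offset_flags = struct.unpack("!HHIIH", data[:14])
    return Packet(src_ip, dst_ip, src_port, dst_port, seq, ack, offset_flags & 0x1FF)


def device_id(intranet_ip: str) -> int:
    """Device identifier = private IPv4 address as a 32-bit integer (assumption; the patent also allows a serial number)."""
    return int(ipaddress.IPv4Address(intranet_ip))


def scanner_build_syn(intranet_ip: str, intranet_port: int) -> Packet:
    """Step S401: SYN whose source is the extranet server and whose sequence number is the device identifier."""
    return Packet(EXTRANET_SERVER_IP, intranet_ip, DESIGNATED_PORT, intranet_port,
                  device_id(intranet_ip), 0, FLAG_SYN)


def intranet_device_reply(syn: Packet, port_open: bool) -> Packet:
    """Step S403 / fig. 3: SYN ACK if the port accepts, RST ACK if it refuses; ack = seq + 1 either way."""
    flags = (FLAG_SYN | FLAG_ACK) if port_open else (FLAG_RST | FLAG_ACK)
    return Packet(syn.dst_ip, syn.src_ip, syn.dst_port, syn.src_port,
                  seq=0x12345678, ack=(syn.seq + 1) & 0xFFFFFFFF, flags=flags)


def nat_forward(p: Packet) -> Packet:
    """Source NAT on the path to the extranet: the source IP is rewritten, the TCP ack number is untouched."""
    return replace(p, src_ip=NAT_PUBLIC_IP)


def extranet_server_check(src_ip: str, dst_ip: str, raw: bytes):
    """Steps S404-S405: the two checks (designated port, response type), then identifier = ack - 1.
    Returns the recovered identifier as dotted IPv4, or None if the message is not a response to the scanner's SYN."""
    p = unpack_tcp_header(src_ip, dst_ip, raw)
    if p.dst_port != DESIGNATED_PORT:
        return None
    if p.flags not in (FLAG_SYN | FLAG_ACK, FLAG_RST | FLAG_ACK):
        return None
    ident = (p.ack - 1) & 0xFFFFFFFF   # mod 2^32: identifier 0xFFFFFFFF wraps to ack 0 and still recovers
    return str(ipaddress.IPv4Address(ident))


def run_detection(devices: dict, externally_connected: set, intranet_port: int = 80) -> list:
    """Drive the fig. 4 flow for several devices.
    devices: {private_ip: port_open}; externally_connected: private IPs that actually have a path to the extranet.
    Returns the identifiers the extranet server adds to the illegal external connection list."""
    flagged = []
    for ip, port_open in devices.items():
        syn = scanner_build_syn(ip, intranet_port)          # S401-S402: scanner inside the intranet
        reply = intranet_device_reply(syn, port_open)       # S403: device answers the spoofed source
        if ip not in externally_connected:
            continue                                        # isolated device: reply never leaves the intranet
        on_wire = nat_forward(reply)                        # router/NAT on the illegal path
        found = extranet_server_check(on_wire.src_ip, on_wire.dst_ip, pack_tcp_header(on_wire))  # S404-S405
        if found is not None:
            flagged.append(found)
    return flagged


if __name__ == "__main__":
    # Constructed sample: 10.0.0.7 has no external path, so it is correctly absent from the list.
    print(run_detection({"10.0.0.5": True, "10.0.0.6": False, "10.0.0.7": True},
                        {"10.0.0.5", "10.0.0.6"}))
```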
Corresponding to the embodiment of the detection method of the illegal external equipment, the application also provides an embodiment of a detection device of the illegal external equipment.
The embodiment of the detection apparatus for illegal external connection devices can be applied to a scanner. The apparatus embodiments may be implemented by software, by hardware, or by a combination of the two. Taking the software implementation as an example, the apparatus is formed by the processor of the scanner on which it is located reading the corresponding computer program instructions from nonvolatile memory into memory and running them. In terms of hardware, fig. 5 is a hardware structure diagram of a scanner on which the illegal external connection device detection apparatus is located; besides the processor, memory, network output interface and nonvolatile memory shown in fig. 5, the scanner on which the apparatus is located may also include other hardware according to its actual function, which is not described again.
Referring to fig. 6, fig. 6 is a block diagram of a detection apparatus for an illegal external connection device according to an exemplary embodiment of the present application. The device can be applied to a scanner located in an intranet, and the device can comprise:
a sending unit 601, configured to simulate an extranet server to send a request message for establishing a connection to an intranet device in an intranet, so that the intranet device returns a response message of the request message to the extranet server, and so that the extranet server detects whether the message is the response message of the request message returned by the intranet device when receiving the message, and if so, determines that the intranet device is an illegal extranet device.
Optionally, the sending unit includes:
a constructing subunit 602 (not shown in the figure), configured to construct a request packet for establishing a connection, where a source IP address of the request packet is an IP address of an extranet server, and a source port of the request packet is a preset designated port of the extranet server;
a sending subunit 603 (not shown in the figure), configured to send the request message to an intranet device in an intranet.
Optionally, the constructing subunit is further configured to set the sequence number of the request packet to the device identifier of the intranet device, so that the extranet server, after determining that the intranet device is an illegal external connection device, further obtains the sequence number in the response packet returned by the intranet device, determines the device identifier of the intranet device based on the obtained sequence number, and adds the device identifier of the intranet device to an illegal external connection list.
Thus, the block diagram of the apparatus shown in fig. 6 is completed.
The embodiment of the detection apparatus for illegal external connection devices can also be applied to an extranet server. The apparatus embodiments may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the apparatus, as a logical device, is formed by the processor of the extranet server on which it is located reading the corresponding computer program instructions from nonvolatile memory into memory and running them. In terms of hardware, fig. 7 is a hardware structure diagram of the extranet server on which the detection apparatus for illegal external connection devices of the present application is located; in addition to the processor, memory, network output interface and nonvolatile memory shown in fig. 7, the extranet server in this embodiment may also include other hardware according to its actual function, which is not described again.
Referring to fig. 8, fig. 8 is a block diagram of a detection apparatus for an illegal external connection device according to an exemplary embodiment of the present application. The apparatus can be applied to an extranet server, and can comprise:
a receiving unit 801, configured to receive a packet;
a detecting unit 802, configured to detect whether a received message is a response message of a request message returned by an intranet device; the request message is a request message for establishing a connection, sent by the scanner to the intranet device while simulating the extranet server;
a determining unit 803, configured to determine that the intranet device is an illegal external connection device when the message is a response message of a request message returned by the intranet device.
Optionally, the source port of the request packet is a preset designated port of the extranet server;
the detection unit includes:
a detecting subunit 804 (not shown in the figure), configured to detect whether an interface receiving the packet is the designated port, and detect whether a packet type of the packet is a response packet;
a first determining subunit 805 (not shown in the figure), configured to determine that the received message is a response message of a request message returned by the intranet device when the interface for receiving the message is the designated port and the message type of the message is a response message;
a second determining subunit 806 (not shown in the figure), configured to determine that the received packet is not a response packet of the request packet returned by the intranet device when the interface receiving the packet is not the designated port and/or the packet type of the packet is not a response packet.
Optionally, the request packet is specifically a TCP SYN packet, and the response packet returned by the intranet device to the extranet server is a SYN ACK packet or a RST ACK packet; the sequence number of the request message is the device identifier of the intranet device;
after determining that the intranet device is an illegal external connection device, the determining unit is further configured to:
acquire the sequence number in the response message returned by the intranet device, and determine the device identifier of the intranet device based on the acquired sequence number;
and add the device identifier of the intranet device to the illegal external connection list.
Thus, the block diagram of the apparatus shown in fig. 8 is completed.
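The following is an added example, not code from the patent or from its assignee, that models the extranet-server side of the flow described above (receiving unit 801, detecting unit 802 with subunits 804-806, determining unit 803) together with the sequence-number mechanism explained earlier: the scanner places the device identifier in the SYN sequence number, the intranet device's TCP stack acknowledges that number plus one in either a SYN ACK (open port) or a RST ACK (closed port), a NAT on the path rewrites ports but not the acknowledgment number, and the server recovers the identifier as the acknowledgment number minus one. The designated port value, the device identifiers, the simulated intranet TCP stack and the simulated NAT are all constructed for the example; only the fixed 20-byte TCP header is modelled, not the IP layer.

```python
"""Added example (not code from CN111130931B or its assignee): extranet-server
side of the illegal external connection detection flow, with a simulated
intranet TCP stack and NAT so that it runs offline.  All values are constructed."""
import struct

DESIGNATED_PORT = 40001          # assumed preset designated port of the extranet server
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF
TCP_HDR = "!HHIIHHHH"            # 20-byte TCP header without options


def build_tcp_header(src_port, dst_port, seq, ack, flags):
    """Pack a minimal TCP header.  Data offset is 5 words; window, checksum and
    urgent pointer are placeholders because nothing here goes on the wire."""
    return struct.pack(TCP_HDR, src_port, dst_port, seq & MASK32, ack & MASK32,
                       (5 << 12) | flags, 65535, 0, 0)


def parse_tcp_header(raw):
    """Unpack the fixed part of a TCP header into a dict (flags = low 9 bits)."""
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF}


def scanner_syn(device_id, target_port):
    """Scanner side (units 601-603): a SYN whose source port is the server's
    designated port and whose sequence number is the device identifier.
    The field is 32 bits wide, so wider identifiers need a lookup table."""
    if not 0 <= device_id <= MASK32:
        raise ValueError("device identifier must fit in the 32-bit sequence number")
    return build_tcp_header(DESIGNATED_PORT, target_port, device_id, 0, TCP_SYN)


def intranet_reply(syn_raw, port_open):
    """Simulated intranet TCP stack: a SYN to an open port gets SYN ACK, a SYN to a
    closed port gets RST ACK; both acknowledge the SYN's sequence number plus one."""
    h = parse_tcp_header(syn_raw)
    ack = (h["seq"] + 1) & MASK32
    if port_open:
        return build_tcp_header(h["dst_port"], h["src_port"], 0x2A2A2A2A, ack, TCP_SYN | TCP_ACK)
    return build_tcp_header(h["dst_port"], h["src_port"], 0, ack, TCP_RST | TCP_ACK)


def nat_rewrite(raw, translated_src_port):
    """Simulated NAT on the path to the extranet server: the source port (and the
    source address at the IP layer, not modelled here) change; seq/ack do not."""
    h = parse_tcp_header(raw)
    return build_tcp_header(translated_src_port, h["dst_port"], h["seq"], h["ack"], h["flags"])


def is_handshake_response(h, designated_port=DESIGNATED_PORT):
    """Detecting subunits 804-806: the packet must arrive on the designated port
    and be a SYN ACK or a RST ACK; anything else is not a response to the probe."""
    if h["dst_port"] != designated_port:
        return False
    core = h["flags"] & (TCP_SYN | TCP_RST | TCP_ACK)
    return core in (TCP_SYN | TCP_ACK, TCP_RST | TCP_ACK)


def classify(raw, illegal_list, designated_port=DESIGNATED_PORT):
    """Receiving, detecting and determining units 801-803: returns the device
    identifier of a detected illegal external connection device, or None."""
    h = parse_tcp_header(raw)
    if not is_handshake_response(h, designated_port):
        return None
    device_id = (h["ack"] - 1) & MASK32     # undo the +1 of the acknowledgment
    illegal_list.add(device_id)
    return device_id


def run_scenario(device_id, port_open, nat_port=51515, target_port=22):
    """End-to-end walk-through: scanner SYN -> intranet reply -> NAT -> server."""
    syn = scanner_syn(device_id, target_port)
    reply = intranet_reply(syn, port_open)
    seen_by_server = nat_rewrite(reply, nat_port)
    return classify(seen_by_server, set())


if __name__ == "__main__":
    print(hex(run_scenario(0x0A0B0C0D, port_open=True)))    # 0xa0b0c0d
    print(hex(run_scenario(0x0A0B0C0D, port_open=False)))   # 0xa0b0c0d
```

The acknowledgment arithmetic is done modulo 2^32, so an identifier whose sequence number wraps (0xFFFFFFFF acknowledged as 0) is still recovered correctly; a plain SYN or an ACK arriving on the designated port, or a SYN ACK arriving on any other port, is rejected by the detecting step and never reaches the illegal external connection list.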
The implementation of the functions and actions of each unit in the above apparatus is described in detail in the implementation of the corresponding step of the above method, and is not repeated here.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (12)

1. A detection method for illegal external connection equipment is characterized by being applied to a scanner, wherein the scanner is located in an intranet, and the method comprises the following steps:
simulating an extranet server to send a request message for establishing connection to an intranet device in an intranet, wherein the serial number of the request message comprises a device identifier of the intranet device, so that the intranet device returns a response message corresponding to the request message to the extranet server, and the extranet server detects whether the message is the response message corresponding to the request message returned by the intranet device when receiving the message, if so, the intranet device is determined to be a violation extranet device, and the device identifier of the intranet device is determined based on the serial number in the response message;
the request message is specifically a TCP SYN message, so that a response message returned by the intranet equipment to the extranet server is a SYN ACK message or a RST ACK message.
2. The method according to claim 1, wherein the sending, by the emulated extranet server, the request message for establishing the connection to the intranet device in the intranet comprises:
constructing a request message for establishing connection, wherein a source IP address of the request message is an IP address of an external network server, and a source port of the request message is a preset designated port of the external network server;
and sending the request message to intranet equipment in an intranet.
3. The method according to claim 2, wherein the determining of the device identifier of the intranet device further comprises adding the device identifier of the intranet device to an illegal extranet list.
4. A detection method for illegal external connection equipment is applied to an external network server, and comprises the following steps:
receiving a message;
detecting whether the received message is a response message corresponding to a request message returned by the intranet device; the request message is a request message for establishing a connection, sent by a scanner to the intranet device while simulating the extranet server;
the sequence number of the request message contains the device identifier of the intranet device, so that the device identifier of the intranet device can be determined from the sequence number of the response message corresponding to the request message;
if the message is a response message corresponding to a request message returned by the intranet equipment, determining that the intranet equipment is illegal external connection equipment;
the request message is specifically a TCP SYN message, and the response message returned by the intranet device to the extranet server is a SYN ACK message or a RST ACK message.
5. The method according to claim 4, wherein the source port of the request packet is a predetermined port of the extranet server;
the detecting whether the received message is a response message of a request message returned by the intranet equipment includes:
detecting whether an interface for receiving the message is the designated port or not, and detecting whether the message type of the message is a response message or not;
if the interface for receiving the message is the designated port and the message type of the message is a response message, determining that the received message is the response message of the request message returned by the intranet equipment;
and if the interface for receiving the message is not the designated port and/or the message type of the message is not a response message, determining that the received message is not the response message of the request message returned by the intranet equipment.
6. The method of claim 4,
after determining that the intranet device is an illegal extranet device, the method further includes:
acquiring a serial number in a response message returned by the intranet equipment, and determining an equipment identifier of the intranet equipment based on the acquired serial number;
and adding the equipment identifier of the intranet equipment into the illegal external connection list.
7. A detection device for illegal external connection equipment is characterized by being applied to a scanner, wherein the scanner is positioned in an intranet, and the device comprises:
a sending unit, configured to simulate an extranet server to send a request message for establishing a connection to an intranet device in an intranet, where a sequence number of the request message includes a device identifier of the intranet device, so that the intranet device returns a response message corresponding to the request message to the extranet server, and so that when receiving the message, the extranet server detects whether the message is a response message corresponding to the request message returned by the intranet device, and if so, determines that the intranet device is an illegal extranet device, and determines a device identifier of the intranet device based on a sequence number in the response message;
the request message is specifically a TCP SYN message, so that a response message returned by the intranet equipment to the extranet server is a SYN ACK message or a RST ACK message.
8. The apparatus of claim 7, wherein the sending unit comprises:
a constructing subunit, configured to construct a request packet for establishing a connection, where a source IP address of the request packet is an IP address of an external network server, and a source port of the request packet is a preset designated port of the external network server;
and the sending subunit is used for sending the request message to intranet equipment in an intranet.
9. The apparatus of claim 8,
the constructing subunit is further configured to:
and after the intranet equipment is determined to be the illegal external connection equipment, adding the equipment identification of the intranet equipment into an illegal external connection list.
10. A detection device for illegal external connection equipment is applied to an external network server, and comprises:
a receiving unit, configured to receive a packet;
the detection unit is used for detecting whether the received message is a response message corresponding to a request message returned by the intranet device; the request message is a request message for establishing a connection, sent by a scanner to the intranet device while simulating the extranet server; the sequence number of the request message contains the device identifier of the intranet device, so that the device identifier of the intranet device can be determined from the sequence number of the response message corresponding to the request message;
the request message is specifically a TCP SYN message, and a response message returned to the external network server by the internal network equipment is a SYN ACK message or a RST ACK message;
and the determining unit is used for determining the intranet equipment as the illegal external connection equipment when the message is a response message of a request message returned by the intranet equipment.
11. The apparatus according to claim 10, wherein the source port of the request packet is a predetermined port of the extranet server;
the detection unit includes:
the detection subunit is used for detecting whether an interface for receiving the message is the designated port or not and detecting whether the message type of the message is a response message or not;
the first judging subunit is configured to determine that the received message is a response message of a request message returned by the intranet device when the interface for receiving the message is the designated port and the message type of the message is a response message;
and the second judging subunit is configured to determine that the received message is not a response message of the request message returned by the intranet device when the interface for receiving the message is not the designated port and/or the message type of the message is not a response message.
12. The apparatus of claim 10,
after determining that the intranet device is an illegal extranet device, the determination unit is further configured to:
acquiring a serial number in a response message returned by the intranet equipment, and determining an equipment identifier of the intranet equipment based on the acquired serial number;
and adding the equipment identifier of the intranet equipment into the illegal external connection list.
CN201911301058.9A 2019-12-17 2019-12-17 Detection method and device for illegal external connection equipment Active CN111130931B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911301058.9A CN111130931B (en) 2019-12-17 2019-12-17 Detection method and device for illegal external connection equipment

Publications (2)

Publication Number Publication Date
CN111130931A CN111130931A (en) 2020-05-08
CN111130931B true CN111130931B (en) 2022-04-26

Family

ID=70499269

Country Status (1)

Country Link
CN (1) CN111130931B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112073381B (en) * 2020-08-13 2021-12-17 中国电子科技集团公司第三十研究所 Detection method for connecting internet equipment to access intranet
CN112202749B (en) * 2020-09-24 2023-07-14 深信服科技股份有限公司 Illegal external connection detection method, detection equipment, networking terminal and storage medium
CN112887264B (en) * 2020-12-30 2024-02-02 浙江远望信息股份有限公司 Illegal external connection detection method for NAT access equipment
CN112910735A (en) * 2021-01-30 2021-06-04 山东兆物网络技术股份有限公司 Comprehensive detection method and system for discovering illegal external connection of intranet equipment
CN114244808B (en) * 2021-11-17 2023-08-08 广东电网有限责任公司 Offline illegal external connection method and device based on passive inspection of non-client mode
CN114244570B (en) * 2021-11-18 2023-12-22 广东电网有限责任公司 Illegal external connection monitoring method and device for terminal, computer equipment and storage medium
CN114785721B (en) * 2022-04-12 2023-11-10 中国南方电网有限责任公司 Network violation operation identification system, method and device
CN114785584A (en) * 2022-04-15 2022-07-22 山东云天安全技术有限公司 Method and system for detecting illegal external connection of equipment
CN116938570B (en) * 2023-07-27 2024-05-28 北京天融信网络安全技术有限公司 Detection method and device, storage medium and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101136797A (en) * 2007-09-28 2008-03-05 深圳市利谱信息技术有限公司 Detection of inside and outside network physical connection, on-off control method and device for using the same
CN102291441A (en) * 2011-08-02 2011-12-21 杭州迪普科技有限公司 Method and security agent device for protecting against attack of synchronize (SYN) Flood
CN109413097A (en) * 2018-11-30 2019-03-01 深信服科技股份有限公司 A kind of lawless exterior joint detecting method, device, equipment and storage medium
CN110266713A (en) * 2019-06-28 2019-09-20 深圳市网心科技有限公司 Intranet and extranet communication means, device, system and proxy server and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8819060B2 (en) * 2010-11-19 2014-08-26 Salesforce.Com, Inc. Virtual objects in an on-demand database environment
CN102790811B (en) * 2012-07-25 2015-10-14 浙江宇视科技有限公司 A kind of method and apparatus of cross-over NAT equipment in monitor network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant