CN113572735A - Method for preventing network attack by using hidden server - Google Patents


Info

Publication number
CN113572735A
Authority
CN
China
Prior art keywords
server
visible
hidden
client
network
Prior art date
Legal status
Pending
Application number
CN202110707348.4A
Other languages
Chinese (zh)
Inventor
张长河
Current Assignee
Beijing Weida Information Technology Co ltd
Original Assignee
Beijing Weida Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Weida Information Technology Co ltd
Priority to CN202110707348.4A
Publication of CN113572735A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method for preventing network attacks using a hidden server, comprising: the client sends a service request to a visible server with a visible address, wherein the visible address is an address known to the client, and the service request can be addressed to the visible address of the visible server; intercepting the service request at an unaddressed port of a hidden server, processing the service request at the hidden server, and sending a response to the client using the visible address of the visible server as the source address of the response; the hidden server eavesdrops on the connection between the client and the visible server in order to receive service requests addressed to the visible server; when the hidden server eavesdrops, it receives a copy of the service request, and the original service request may be forwarded to the visible server. The method can effectively protect the client.

Description

Method for preventing network attack by using hidden server
Technical Field
The present invention relates to a method for preventing network attacks, and more particularly, to a method for preventing network attacks using a hidden server.
Background
With the development of computer network technology, computer networks have spread rapidly, but the security problems of networks have grown alongside the benefits of resource sharing. As network attack techniques advance, computer network security faces a serious threat. For the main attack types existing today, such as denial-of-service attacks, program attacks, electronic spoofing attacks and attacks on network protocol weaknesses, corresponding defense methods have been proposed. However, existing defenses have drawbacks: different services often share the same domain name or even the same devices, the defense itself becomes a target of attack, a large amount of bandwidth is consumed, and the cost is high.
Disclosure of Invention
The invention relates to a system and a method for preventing network attacks. Attacks are prevented at least by using a hidden server. The hidden server may silently monitor the communication between the client and the visible server. The hidden server may also selectively provide protected data, services or protocols to an authorized client in response to a request addressed to the visible server.
Further, communications may request access to protected data, services, or protocols supported by a visible device having a visible address. A hidden device with a hidden address may silently monitor for such requests and selectively respond by completing the requests in place of the visible device. The selective response may be guided by a segmentation policy that reduces the attack surface of the hidden device and of the protected data, services, and protocols. The policy may reduce the attack surface by reducing the number of ways in which the requesting device could compromise the integrity of the protected data. The response from the hidden device in place of the visible device may occur transparently, so the requesting device is unaware that it is receiving data from the hidden device instead of the visible device.
The visible device and the hidden device may include a processor, controller, etc. configured to process data and an interface for transferring data. For example, the visible device and the hidden device may comprise hardware or a combination of hardware and software, such as a personal computer, a handheld computer, a telephone, a computer application, a client, a server, or any combination thereof.
The request may conform to known addressing-based communications. For example, a request may seek to access a particular data, service, or protocol. The request may also identify the address of the visible device to satisfy the request. Other features of the request are possible and will vary based on the particular implementation details of the protocol used to implement the communication with the visible device and the hidden device.
Silently monitoring data requests at the hidden device may include receiving a copy of the request without establishing a connection between the hidden device and the requesting device. Furthermore, requests that do not comply with the hidden device's segmentation policy may be ignored by the monitoring hidden device. Other aspects of monitoring are possible and may depend on the specific implementation details of the visible and hidden devices.
The segmentation policy may include a component for segmenting the hidden device from the visible device to which the request is addressed. For example, the segmentation policy may include hiding the address of the hidden device while exposing the address of the visible device to which a data request from the requesting device is addressed. Alternatively, the hidden device may not even have an address. Where the address of the hidden device is hidden, neither the requesting device nor the visible device may know that address. Thus, if the security of the visible device is compromised by the requesting device, the requesting device still cannot learn the address of the hidden device or its implementation details. The segmentation policy may also include fingerprint erasure, so that responses coming from the hidden device rather than from the visible device to which the data request was addressed reveal as little as possible. Segmenting the hidden device from the visible device may also include reducing software and hardware overlap between the devices. For example, the hidden device and the visible device may be configured with different hardware, different operating systems, different protocol software, and different application software. Reducing hardware and software overlap may also include configuring the hidden device with software for only one service, while the visible device may be configured with software for multiple services.
As a last example, the segmenting may include configuring the hidden device to only respond to data requests from requesting devices having authorization to access secure data stored on the hidden device.
Drawings
Fig. 1 is a schematic diagram of an embodiment of a communication network comprising a hidden server.
Fig. 2 is a schematic diagram of a second embodiment of a communication network with a plurality of hidden servers and a visible server.
Fig. 3 shows a third embodiment of a communication network with trusted and untrusted clients.
Fig. 4 is a schematic view of a fourth embodiment of a communication network comprising a gateway.
Fig. 5 is a flow chart illustrating a method of communicating with a hidden server.
Detailed Description
Referring to FIG. 1, a network 100 is shown containing a client 110, the client 110 communicating with servers 130 and 140 over a network such as the Internet 120. The client 110 sends a service request to the server 140 with the visible address. The visible address may be an address known to the client 110, such as an IP address. The service request may be addressed to a visible address of the server 140. Hidden server 130, which may not have an address, may intercept the service request before it reaches server 140. The hidden server 130 processes the service request and sends a response to the client 110 using the visible address of the server 140 as the source address of the response.
The protocol used in the communication may be any type of protocol commonly used in network communications, including connection-oriented protocols such as the Transmission Control Protocol (TCP). Service requests and responses in TCP contain source and destination addresses.
To receive a service request addressed to the visible server 140, the hidden server 130 may eavesdrop on the connection between the client 110 and the visible server 140. When hidden server 130 eavesdrops, hidden server 130 receives a copy of the service request, and the original service request may be forwarded to visible server 140. The response generated by the visible server 140 may be blocked by an intermediary device (e.g., a gateway, router, bridge or switch, or firewall) while allowing the response generated by the hidden server 130 to reach the client 110.
The operating system of the visible server 140 may be of a first type. Examples of operating systems include Windows, Linux, Unix. The operating system may also change over time to protect the integrity of the visible server 140. The visible server 140 may also run simultaneous instances of the operating system as virtual machines.
The operating system of the hidden server 130 may be of a second type different from the type of operating system running on the visible server 140. Examples of operating systems include Windows, Linux, Unix. The operating system differences between the visible server 140 and the hidden server 130 should reduce the likelihood that an attack against the operating system of the visible server 140 will successfully attack the operating system of the hidden server 130. Other hardware and software features may also differ between the visible server 140 and the hidden server 130 to similarly reduce overlap of security breaches between servers.
The response generated by the hidden server 130 may comprise protected data synchronized to the data transfer state of the connection between the client 110 and the visible server 140. The hidden server 130 sends the response using the address of the visible server 140, so the client 110 is not aware of the source of the protected data. Further, the response may be cleared of fingerprints that would reveal the use of the hidden server 130 in place of the visible server 140.
As another example, shown in fig. 2, the network 100 may have one or more visible servers 140 with visible addresses. By using one or more visible servers 140, one or more hidden servers 130 may also be used to handle service requests for one or more visible servers 140. A single hidden server 130 may be assigned to a single visible server 140 or a single hidden server 130 may be assigned to handle service requests of more than one visible server. Alternatively, one or more of the visible servers 140 may provide multiple services. Each such service may be provided by a different hidden server 130.
The operating system of the visible server 140 may be of a first type. Examples of operating systems include Windows, Linux, Unix. The operating systems of the visible servers 140 may be different from one another and may change over time to protect the integrity of the visible servers 140. The visible server 140 may also run simultaneous instances of the operating system as virtual machines.
The operating system of the hidden server 130 may be of a second type different from the type of operating system running on the visible server 140. Examples of operating systems include Windows, Linux, Unix. The operating system differences between the visible server 140 and the hidden server 130 should reduce the likelihood that an attack against the operating system of the visible server 140 will successfully attack the operating system of the hidden server 130. Other hardware and software features may also be different from the visible server 140 to similarly reduce overlap and security vulnerabilities between the visible and hidden servers.
The hidden servers 130 may be configured to operate using unknown addresses or without addresses of their own. For example, if the network connecting the hidden server 130 is a TCP/IP network, the hidden server 130 may use a network port that has no IP address of its own but operates on the IP address of the visible server 140. Alternatively, the hidden server 130 may include a combination of receive and transmit network ports. The receiving network port may operate in promiscuous mode, listening for service requests directed to the visible server 140. The transmitting network port may be configured to operate at the IP address of the visible server 140.
Fig. 3 shows network 100 with an authentication mechanism between clients 111 and 112 and server 140. Client 111 has been authenticated by server 140 and is considered a trusted client. The client 112 is not authenticated or the authentication process fails. Thus, client 112 may be considered an untrusted client. In this embodiment, the hidden server 130 may only process service requests from the trusted client 111 to limit access to the hidden server 130 to only the trusted client 111.
In an alternative embodiment, the hidden server 130 may handle certain types of service requests while leaving the visible server 140 to handle the remaining types of service requests. For example, the hidden server 130 may only respond to service requests in a protected protocol (e.g., HTTP).
Fig. 4 shows a network 100 with a client 110, which client 110 communicates with servers 130 and 140 over the internet 120 through a gateway device 150 or other equivalent device. The mechanism for handling service requests will be explained with reference to fig. 3.
As shown in fig. 5, in 501 the client 110 sends a service request addressed to the visible server 140. The service request reaches the gateway 150 through the network 120. In 502 the gateway 150 forwards the service request to the hidden server 130. In 503 the hidden server 130 receives and processes the service request. The service request may be received at the unaddressed port of the hidden server 130 and passed to the processing unit. In 504 the processing unit processes the service request and forms a response addressed to the client 110, using the address of the visible server 140 as the source address of the response. In 505 the response may be inserted into the connection between the visible server 140 and the client 110 in a connection-oriented protocol. In 506 the response reaches the client 110 through the gateway 150 over the internet 120.
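The segmentation policy, the trusted-client and protected-protocol restrictions, and the flow of steps 501 to 506 can be tried out in a small simulation. The following Python model is an added example and is not code from the patent or from the assignee; the role names follow the figure numerals (client 110, hidden server 130, visible server 140, gateway 150), while the policy rules, the address values (taken from the documentation ranges) and the protected data are constructed for illustration. It shows the property the text relies on: every response the client sees carries the visible address, the hidden server never appears on the wire, and the gateway suppresses the visible server's own reply whenever the hidden server has answered.

```python
from dataclasses import dataclass

# Constructed addresses from the IPv4 documentation ranges; not real hosts.
VISIBLE_ADDR = "198.51.100.10"
TRUSTED_CLIENT = "203.0.113.5"
UNTRUSTED_CLIENT = "203.0.113.9"


@dataclass(frozen=True)
class Request:
    client_addr: str   # requesting device (client 110)
    dst_addr: str      # the only address the client knows: visible server 140
    protocol: str
    path: str
    seq: int           # position in the client/visible-server connection


@dataclass(frozen=True)
class Response:
    src_addr: str      # what the client sees as the sender
    dst_addr: str
    body: str
    seq: int


class VisibleServer:
    """Server 140: addressed by the client and answers every request itself."""

    def __init__(self, addr=VISIBLE_ADDR):
        self.addr = addr

    def handle(self, req):
        return Response(self.addr, req.client_addr, f"public:{req.path}", req.seq)


class HiddenServer:
    """Server 130: has no address of its own and only sees a copy of traffic.

    Hypothetical segmentation policy modelled on the text: answer only
    requests addressed to the visible server, only in the protected
    protocol, only from authenticated (trusted) clients, and only for data
    it actually holds. Anything else is ignored, so no response and no
    identifying fingerprint ever leaves the hidden server for it.
    """

    def __init__(self, visible_addr, protected_protocol, trusted_clients, protected_data):
        self.visible_addr = visible_addr
        self.protected_protocol = protected_protocol
        self.trusted_clients = set(trusted_clients)
        self.protected_data = dict(protected_data)

    def handle(self, req):
        if req.dst_addr != self.visible_addr:
            return None
        if req.protocol != self.protected_protocol:
            return None
        if req.client_addr not in self.trusted_clients:
            return None
        if req.path not in self.protected_data:
            return None
        # Step 504/505: the reply is stamped with the visible address and
        # keeps the connection's sequence position, so it slots into the
        # existing client/visible-server connection.
        return Response(self.visible_addr, req.client_addr,
                        self.protected_data[req.path], req.seq)


class Gateway:
    """Device 150: copies each request to the hidden server, forwards the
    original to the visible server, and drops the visible server's reply
    whenever the hidden server produced one."""

    def __init__(self, visible, hidden):
        self.visible = visible
        self.hidden = hidden
        self.dropped = []   # audit trail of suppressed visible-server replies

    def forward(self, req):
        hidden_resp = self.hidden.handle(req)    # step 502: copy to hidden server
        visible_resp = self.visible.handle(req)  # original still reaches server 140
        if hidden_resp is None:
            return visible_resp
        self.dropped.append(visible_resp)        # blocked by the intermediary
        return hidden_resp                       # step 506


def build_network():
    hidden = HiddenServer(VISIBLE_ADDR, "http", {TRUSTED_CLIENT},
                          {"/report": "protected:quarterly-report"})
    return Gateway(VisibleServer(), hidden)


def exchange(gw, client_addr, protocol, path, seq=1):
    """One client round trip (steps 501 to 506): returns (source seen, body)."""
    req = Request(client_addr, VISIBLE_ADDR, protocol, path, seq)
    resp = gw.forward(req)
    assert resp.dst_addr == client_addr and resp.seq == seq
    return resp.src_addr, resp.body


if __name__ == "__main__":
    net = build_network()
    for client, proto, path in [(TRUSTED_CLIENT, "http", "/report"),
                                (UNTRUSTED_CLIENT, "http", "/report"),
                                (TRUSTED_CLIENT, "ftp", "/report")]:
        print(client, proto, path, "->", exchange(net, client, proto, path))
    print("visible-server replies suppressed:", len(net.dropped))
```

Only the trusted client, speaking the protected protocol and asking for protected data, is served by the hidden server; the untrusted client and any non-protected protocol fall through to the visible server's ordinary reply. In both cases the source address the client sees is the visible address, which is the point the description makes about keeping the hidden server's address out of the client's (and an attacker's) view.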
One or more of the methods, functions and systems described herein may also be implemented using a virtual system by distributing elements of the method or system or function across multiple devices or by incorporating the method or function or system into a device.
While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. It will be apparent to persons skilled in the relevant art that various changes in form and detail can be made therein without departing from the spirit and scope. Indeed, it will be apparent to one skilled in the relevant art how to implement alternative embodiments after reading the above description. Thus, the present embodiments should not be limited by any of the above-described exemplary embodiments. In particular, it should be noted that the above explanation has focused, for the purpose of example, on transmitting a request over the internet. However, those skilled in the art will recognize that embodiments of the present invention may be implemented, for example, in various other types of networks, including intranets and virtual private networks.

Claims (19)

1. A method for preventing network attacks using a hidden server, comprising:
the client sends a service request to a visible server with a visible address, wherein the visible address is an address known to the client, and the service request can be addressed to the visible address of the visible server;
intercepting the service request at an unaddressed port of a hidden server, processing the service request at the hidden server, and sending a response to the client using the visible address of the visible server as the source address of the response;
the hidden server eavesdropping on the connection between the client and the visible server in order to receive service requests addressed to the visible server; when the hidden server eavesdrops, it receives a copy of the service request, and the original service request may be forwarded to the visible server.
2. A method for preventing cyber attacks according to claim 1, wherein: the visible server-generated response is blocked by the intermediary device while allowing the hidden server-generated response to reach the client.
3. A method for preventing cyber attacks according to claim 2, wherein: the intermediate device is a gateway, router, bridge or switch or firewall.
4. A method for preventing cyber attacks according to claim 1, wherein: the operating system of the visible server is different from the operating system of the hidden server.
5. A method for preventing cyber attacks according to claim 4, wherein: the operating system differences between the visible server and the hidden server should reduce the likelihood that an attack against the operating system of the visible server will successfully attack the operating system of the hidden server.
6. A method for preventing cyber attacks according to claim 1 or 4, wherein: the hidden server generates a response comprising protected data synchronized to a data transfer state of a connection between the client and the visible server; the hidden server sends a response using the address of the visible server so the client is not aware of the source of the protected data.
7. A method for preventing cyber attacks according to claim 1 or 4, wherein: the hidden server generates a response comprising protected data synchronized to a data transfer state of a connection between the client and the visible server; the hidden server sends a response using the address of the visible server so the client is not aware of the source of the protected data.
8. A method for preventing cyber attacks according to claim 1, wherein: the network includes a plurality of visible servers having visible addresses, and service requests for the plurality of visible servers are processed using one or more hidden servers.
9. A method for preventing cyber attacks according to claim 8, wherein: the number of hidden servers and the number of visible servers are equal; the hidden servers are in one-to-one correspondence with the visible servers for processing service requests.
10. A method for preventing cyber attacks according to claim 7 or 8, wherein: the hidden servers are configured to operate using unknown addresses or without their own addresses.
11. A method for preventing cyber attacks according to claim 9, wherein: the network connecting the hidden servers is a TCP/IP network, and the hidden servers use network ports that have no IP addresses of their own but operate on the IP addresses of the visible servers.
12. A method for preventing cyber attacks according to claim 9, wherein: the hidden server comprises a combination of a receiving network port and a sending network port; the receiving network port operates in a promiscuous mode that listens for service requests directed to the visible server.
13. A method for preventing cyber attacks according to claim 12, wherein: the receiving network port and the transmitting network port are configured to operate at an IP address of a visible server.
14. A method for preventing cyber attacks according to claim 1, wherein: the network is a network with an authentication mechanism and is arranged between the client and the visible server; the client has been authenticated by the visible server and is considered a trusted client.
15. A method for preventing cyber attacks according to claim 1, wherein: the network is a network with an authentication mechanism and is arranged between the client and the visible server; the client is not authenticated by the visible server and is considered to be an untrusted client.
16. A method for preventing cyber attacks according to claim 13, wherein: the hidden server only processes service requests from trusted clients to limit access to the hidden server to only trusted clients.
17. A method for preventing cyber attacks according to claim 1, wherein: the hidden server only responds to service requests in the protected protocol.
18. A method for preventing cyber attacks according to claim 1, wherein: the client communicates with the hidden server and the visible server over a network through a gateway device.
19. A method for preventing cyber attacks according to claim 18, wherein: the client sends a service request addressed to a visible server, the service request reaches a gateway through a network, the gateway forwards the service request to a hidden server, and the hidden server receives and processes the service request.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110707348.4A CN113572735A (en) 2021-06-24 2021-06-24 Method for preventing network attack by using hidden server

Publications (1)

Publication Number Publication Date
CN113572735A true CN113572735A (en) 2021-10-29

Family

ID=78162713

Country Status (1)

Country Link
CN (1) CN113572735A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101175013A (en) * 2006-11-03 2008-05-07 飞塔信息科技(北京)有限公司 Method, network system and proxy server for preventing denial of service attack
US20120180127A1 (en) * 2011-01-12 2012-07-12 Kang Brent Byunghoon System and method for implementing a hidden server
CN105337970A (en) * 2015-10-20 2016-02-17 上海斐讯数据通信技术有限公司 Router, server and router-server-cooperative network access control method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (Application publication date: 20211029)