RU2686023C1 - Method of protecting computer networks - Google Patents

Abstract

FIELD: computer equipment.SUBSTANCE: invention relates to security of computer networks. Disclosed is a method of protecting computer networks, in which generating and sending to recipients who sent ARP-requests, response packets messages with false MAC-addresses and false port numbers.EFFECT: high efficiency of protection and misleading an intruder relative to the structure of the computer network.6 cl, 6 dwg

Description

The invention relates to telecommunications and can be used in attack detection systems to quickly detect and counter unauthorized impacts in computer networks, in particular, in the data network of the "Internet" type, based on the family of communication protocols TCP / IP {Transmission Control Protocol / Internet Protocol) and described in the book by Olifer V., Olifer N. Computer Networks. Principles, technologies, protocols: Textbook for universities. 5th ed. - SPb .: Peter, 2016. - 992 pp., Ill.

Known "Method of protecting a computer network" for the patent of the Russian Federation No. 2422892, class G06F 21/20 (2006.01), Appl. 04/13/2010. The known method includes the following sequence of actions. A gateway computer with a firewall is installed in the communication channels of the protected computer network. They form the base of parameters for legitimate packets and block packets coming from an open network for the period of establishing legitimacy. They remember the recipient's address, analyze packets coming from an open network, for which they compare their parameters with a pre-formed base of legitimate packet parameters. After the analysis is completed, an ICMP receipt is generated in which the sender's address is replaced with the previously stored recipient address. Send it to an illegitimate sender.

The disadvantage of this method is the relatively low security from unauthorized impacts, signs of the presence of which are unauthorized information flows (PI). This is due to the fact that when determining the presence of unauthorized IP in computer networks, the transmission of a message packet is blocked, which is insufficient to protect computer networks from unauthorized impacts. The implementation of this approach to protection forces the intruder to further influence the computer networks and (or) change the impact strategy.

Known "Method (options) for the protection of computer networks" for the patent of the Russian Federation No. 2307392, class G06F 21/00, publ. September 27, 2007. The known method includes the following sequence of actions. Pre-set N≥1 reference identifiers of the authorized IPs containing the senders and recipients of message packets, receive a packet of messages from the communication channel, extract the identifier of the IP from the header of the received message packet, compare the selected identifier with the predefined reference identifiers of the authorized IP and, if they match, send the package messages to the recipient, and if they do not match, the sender's address specified in the identifier of the received message packet is compared with the addresses sent The subscribers specified in the reference identifiers of the authorized entrepreneurships specify P≥1 false addresses of the subscribers of the computer network and the delay time for sending packets of messages t _ass . If the sender's address in the received message packet matches one of the sender addresses of the reference identifiers of the authorized IPs, the address of the recipient in the received message packet is compared with the addresses of the recipients of the reference identifiers of the authorized IP. If the recipient address in the received message packet does not match the recipient addresses of the reference identifiers of the authorized IPs, the recipient address in the received message packet is compared with the predefined false addresses of the subscribers of the computer network. In case of a mismatch of the recipient's address in the received message packet with the pre-specified false addresses of subscribers, the transmission of the message packet is blocked. And if the sender's address in the received message packet does not match with one of the sender addresses of the reference identifiers of the authorized IP or the address of the recipient in the received message packet coincides with the recipient addresses of the reference identifiers of the authorized IP, or if it coincides with the previously specified false addresses of the subscribers of the computer network, a response message packet is generated and then, after a predetermined delay time of sending bursts of messages t _ass, reduce the transmission rate of the generated batch of messages. Transmit it to the sender, and then receive the next batch of messages from the communication channel. To identify the interaction protocol, an identifier of the interaction protocol type is extracted and compared with the standards of the interaction protocol type identifiers. To reduce the transmission rate of the generated message packet, a message packet is fragmented, and a message packet is transmitted after a specified delay in sending message packets t _ass .

The disadvantages of this method are the relatively low performance of the protection of computer networks and the narrow scope of the method of protection. The low effectiveness of the protection is due to the fact that in the prototype an increase in the intensity of unauthorized information flows and the preservation of a predetermined delay time for sending response packets to the sender will lead to an overload of the computer network. The narrow scope is due to the fact that to implement the method of protection, the speed of information exchange with the sender of unauthorized information flows is reduced only by the computer network, that is, unilaterally, and does not take into account the sender’s ability to disconnect.

The closest in technical essence to the claimed, is a way to protect computer networks, described, for example, in the book Grimes, RA Honeypots for Windows // Apress. 2005 424 p. on pp. 191-192. The known method includes the following sequence of actions. Connect network devices to a computer network. After receiving ARP requests (from the English Address Resolution Protocol) to the i-th unused IP address of the network device of the computer network, a response message packet is generated with a single and unchangeable value (00: 00: 0F: FF: FF: FF ) ₁₆ (in hexadecimal notation) MAC addresses (from the English Media Access Control - media access control). Then write down in the "window size" field of the TCP header of the response message packet the value of W _{beginning is} equal to ten bytes and receive the next message packet. Form the response packet of messages and set in the "window size" field of the TCP header of the response packet of messages the value W _yd equal to zero bytes. After that, sent reply message packets are sent to the sender, and to block attempts to terminate the connection from the sender of the message packets, all incoming message packets are ignored until the connection timeout expires.

The known prototype method provides higher security of computer networks against unauthorized impacts compared with counterparts due to misleading the offender regarding the structure of computer networks by simulating the availability of the entire array of IP addresses of the computer network, thereby ensuring the maximum likelihood of redirecting the offender to the trap resource, and by retaining in two-way communication with the sender of the message packets, thereby increasing discomfort the offender and the gain on the time needed to implement responses.

The disadvantage of the prototype method is the relatively low performance of protection due to the high probability of detection by the violator of the fact of using computer network protection tools and identifying their characteristics. This is due to the fact that in the prototype, when accessing any IP address from the range of IP addresses of the computer network, the intruder always receives a response about the availability of the IP address and all its ports, which unmasks the availability and capabilities of the security features. In addition, when answering ARP requests to the i-th unused IP address of the network device of the computer network, the prototype uses a single and unchangeable value (00: 00: 0F: FF: FF: FF) ₁₆ (in hexadecimal number system) addresses regardless of the real address of the network adapter, which allows an attacker to identify false nodes by examining the data link layer addresses.

The purpose of the claimed technical solution is to develop a method of protecting computer networks, providing increased effectiveness of protection and misleading the intruder regarding the structure of the computer network, by reducing the likelihood of the violator detecting the fact of using protection tools and identifying their characteristics achieved by separating the address space of the computer network and port space on the areas that ensure the realistic functioning of the protected computing system and also by forming a set of random values of MAC addresses corresponding to false nodes of the computer network.

This goal is achieved by the fact that in a known method of protecting computer networks, network devices are connected to a computer network and after receiving ARP requests to the i-th unused IP address of the network device of the computer network, they form a response packet of messages. Then write in the "window size" field of the TCP header of the response message packet, the value of W _{beginning is} equal to ten bytes. After that, they receive the next batch of messages and form a response batch of messages. Next, in the "window size" field of the TCP header of the response message packet, the value of W _beats equals zero bytes and sends the generated message response packets to the sender. To block attempts to break a connection from the sender of the message packets, ignore all incoming message packets before the connection timeout expires. In the predefined initial data, the set {M _IP } of all i IP addresses of network devices of the computer network is additionally specified, where i = 1, 2, ..., n, and n is the maximum allowable value of the range of IP addresses for the computer network, the set {A _IP } IP addresses of network devices allowed for use in a computer network, where {A _IP } ∈ {M _IP }, set {D _IP } of IP addresses of network devices forbidden for use in a computer network, where {D _IP } = {M _{IP \ A IP} = {D} IP ∈ M IP ∧ D IP ∉ A IP}, the set {U _I p} allowed and temporarily unconnected IP-address of the network devices in the computer network of a plurality of {A _IP} and the set {R _IP} allowed and connected IP-addresses of network devices on a computer network of a plurality of {A _IP}, wherein _{{U IP} = {A IP} \ R IP} = {U _IP ∈ A _IP ∧ U _IP ∉ R _IP } and {R _IP } = {A _IP \ U _IP } = {R _IP ∈ A _IP R _IP ∉ U _IP }. Then preset the memory array S _MAC for storing the read MAC addresses of network devices in the computer network, the memory array G _MAC for storing the generated MAC addresses and the memory array AG for storing the matrix of the i-th IP address allowed for use in the computer network devices from the set {A _IP } of the j-th formed MAC address from the memory array G _MAC . Next, the set {P} = {1i, 2i, ... Pi} allowed by the software P port numbers i IP addresses of network devices of the computer network, as well as a two-dimensional memory array S for storing the read P software numbers allowed by the software used by each i-th IP address of network devices of the computer network. Set the set {H} = {1i, 2i, ... Hi} forbidden for use by the software N port numbers of the i-th network devices of the computer network and a two-dimensional memory array V for storing N forbidden for use by the software port numbers used by each i-th The IP address of the network's network devices. After that, the set {F} = {1i, 2i, ... Fi} of false F port numbers used by each i-th IP address of network devices of the computer network from the set {U _IP } is specified, as well as a two-dimensional memory array L for storing F false port numbers used by each i-th IP address of network devices of the computer network from the set {U _IP }. After connecting the network devices to the computer network, read the P allowed by the software port numbers ix of the IP addresses of the network devices of the computer network and memorize the P allowed by the software numbers of the port ix IP addresses of the network devices of the computer network in the two-dimensional memory array S. IP addresses of temporarily unconnected network devices in the set {U _IP }. After that, F false port numbers are formed for each i-th IP address from the set {U _IP }, for which the numbers of the port numbers allowed for use by the software for ix IP addresses of network devices of the computer network from the set { U _IP) and storing a few permitted to use the software port numbers for x i-IP-addresses of network devices of the plurality of computer network {U _IP} in the two-dimensional memory array L. Next read MAC addresses of the connected network ustroyst computer network and storing them in memory S _MAC array. Then a random sequence of hexadecimal numbers is generated and J values are formed from it, where J = 1, 2, ..., j, MAC addresses of temporarily unconnected network devices of the computer network. After that, the generated J values of the MAC addresses of temporarily unconnected network devices of the computer network are stored in the memory array G _MAC and the generated J values of the MAC addresses of temporarily unconnected network devices of the network are stored from the memory array G _MAC with the MAC addresses of the temporarily unconnected network devices of the network memory array s _mac . According to the results of the comparison, in case of their coincidence, the j-th MAC address is deleted from the memory array G _MAC , and otherwise, that is, if they do not match, the corresponding i-th IP address allowed for use in the computer network is stored in the memory array AG the address of the network device from the set {A _IP } of the j-th generated MAC address from the memory array G _MAC . After that, an ARP request to any i-th IP address of the network device from the set {M _IP } is received and the IP address of the recipient of the ARP request is compared with the IP addresses of the network devices from the set {D _IP } prohibited for use in the IP computing network -address network devices. According to the results of the comparison, if the IP address of the recipient of the ARP request matches the IP addresses from the set {D _IP } of the network device IP addresses that are prohibited for use in the computer network, the ARP request is ignored. Otherwise, that is, if the IP address of the receiver of the ARP request does not match the IP addresses from the set {D _IP }, the IP address of the receiver of the ARP request is compared with the IP addresses of the network devices from the set {R _IP } allowed and connected IPs -address of network devices, and according to the results of the comparison, if the IP address of the recipient of the ARP request matches the IP addresses from the set {R _IP } of allowed and connected IP addresses, a message about the availability of the node of the message recipient is formed. Otherwise, that is, if the IP address of the receiver of the ARP request does not match the IP addresses from the set {R _IP }, the IP address of the receiver of the ARP request is compared with the IP addresses of network devices from the set of temporarily unconnected IP addresses, and the results of the comparison in case of a mismatch of the IP address of the recipient

ARP requests with IP addresses from the set {U _IP } of temporarily not connected IP addresses form a message about the availability of the message receiver node. Otherwise, that is, if the IP address of the recipient of the ARP request matches the IP addresses from the set {U _IP }, after generating the response packet of messages, false port numbers for ix IP addresses are written in the response header header of the ARP request message network device computer network from a variety of {U _IP}, stored in a two-dimensional array of memory L. Then, after recording in the "window size" TCP header of the response values of W messages package _beginning equal to ten bytes is recorded in the header of the response packet generated by the j-th

The MAC address for the i-th IP address from the G _MAC memory array. After that, the sender is sent a response packet of messages with the values of W _early , j-th generated MAC address for the i-th IP address from the G _MAC memory array, false F port numbers.

In the memory array AG, storing the i-th address of a network device from the set {A _IP } of the j-th generated MAC address from the memory array G _MAC is permitted by writing to the cell | i, j | array of memory AG logical units.

The number P allowed and N prohibited by the software for the port numbers i-x of network devices of the computer network is chosen in the range from 1 to 65535.

S memory of port numbers used by each i-th IP address of network devices of a computer network is stored in a two-dimensional memory array by writing to the cell | i, p | array of memory S logical units.

In a two-dimensional memory array, V numbers of port numbers used by each i-th IP address of network devices of a computer network are stored by writing to the cell | i, h | array of memory V logical units.

In a two-dimensional memory array, L of port numbers used by each i-th IP address of network devices of a computer network is stored by writing to the cell | i, f | array of memory L logical units.

Thanks to a new set of essential features, the claimed method improves the effectiveness of protection and misleads the intruder regarding the structure of the computer network by reducing the likelihood of the violator detecting the fact of using and identifying the characteristics of the protections achieved by dividing the address space of the computer network and port space into areas that provide realism functioning of the protected computer network, as well as by and the set of random values of MAC addresses corresponding to false nodes of the computer network.

The claimed objects of the invention are illustrated by the drawings, which show:

FIG. 1 is the format of the ARP datagram;

FIG. 2 is an example illustrating the protection of a computer network using a network “trap” before and after dividing the address space and port space into regions;

FIG. 3 is a graphical interpretation of the division of the address space of a computer network;

FIG. 4 is a block diagram of a sequence of actions that implement the claimed method of protecting computer networks;

FIG. 5 illustrates the use of a single and immutable value (00: 00: 0F: FF: FF: FF) ₁₆ MAC addresses;

FIG. 6 illustrates the use of a plurality of random MAC address values in a security method.

The implementation of the claimed method is explained as follows. It is known that at present a sufficiently large number of computer attacks is intelligence in order to obtain information about the topology of the computer network that is the object of the attack, as well as about the used means of protecting the computer network. One of the firewalls that operate using fraudulent network strategies to create illusions for the intruder’s vulnerable targets or to foster visibility of a more complex infrastructure than actually exists is network “baits” {honeypots), described, for example, in the book Provos , N., Holz, T, Virtual Honeypots: From Botnet Tracking to Intrusion Detection // Addison Wesley, 2007. 480 p. More sophisticated methods of network fraud include not only providing the enemy with a plausible target, but also so-called proactive protection measures, such as, for example, retaining a connection to the sender of message packets in a two-way manner, which causes the server to deplete connection state, slows down the process of automatic scanning of the attacked computer network and, as a result, imposes a restriction on the computing resource used by the offender, It makes it impossible to carry out information exchange network. The considered methods of proactive protection are implemented in the form of network deception tools, the so-called network “traps” (network tarpits), which are described, for example, in the book Andres, S., Kenyon, B. Birkolz, E. Security Infrastructure // Sungress Publishing, 2004. 608 p., P. 414-416.

In turn, information security violators are also actively developing and improving means of reducing the effectiveness of network “traps”, implementing the following ways to compromise them: detecting unique identifiers (signs) of network “traps”; detailed analysis of network traffic coming from network "traps". Such unmasking features of the network “trap” implemented in the prototype method are the activity of any IP address from the range of IP addresses of the computer network and the availability of all its ports, as well as the use of a single and unchangeable value (00: 00: 0F: FF: FF : FF) ₁₆ (hexadecimal) MAC addresses regardless of the real address of the network adapter when responding to ARP requests to the i-th unused IP address of the network device of the computer network. When one application process establishes a connection with another application process, it indicates the destination of communication. The method commonly used is to determine the transport addresses to which processes can send requests to establish a connection. On the Internet, these endpoints are called ports and are described, for example, in the book Tanenbaum E., Weatherall D. Computer Networks. 5th ed. - SPb .: Peter, 2017. - 960 p., On page 541.

A port is a natural number written in the headers of protocols of the transport layer of the OSI model (TCP, UDP, SCTP, DCCP) and used to determine the process of receiving a packet. These processes are described, for example, on Wikipedia, the free encyclopedia (see “Port” at https://ru.wikipedia.org). If processes are common system services, such as FTP, HTTP, email service, etc., then they are assigned standard assigned numbers, also called “well-known” port numbers. These numbers are fixed and published, for example, in the technical specifications (RFC, Request for Comments) of the Internet (see, for example, https://tools.ietf.org/html/rfc1700, https://tools.ietf.org/ html / rfc3232). Thus, the number 21 is assigned to the server part of the Remote File Access FTP (Fig. 2b). As a means of compromising network "traps" by analyzing the availability of all its ports, uniquely identifying it, the intruder can use various utilities such as, for example, nmap and described, for example, in the book Biryukov A. Information security: protection and attack. - M .: DMK Press, 2016. - 484 p., On pp. 180-181.

The Address Resolution Protocol ARP (Address Resolution Protocol) is designed to determine the link-layer address by a well-known network layer address and is described, for example, in the RFC (see, for example, https://tools.ietf.org/html/rfc826). The format of an ARP datagram is shown in FIG. 1. In local networks, ARP protocol uses broadcast frames of the data link layer protocol to search the network for a node with a specified IP address. The node that needs to be allowed to map (match) an IP address to a local (physical) address generates an ARP request, encapsulates it in a link layer protocol frame, specifies the known IP address, and broadcasts the request. All nodes on the local network receive an ARP request and compare the IP address specified there with their own. If they coincide, the node generates an ARP response, in which it indicates its IP address and its local address and sends it already sent, as the sender indicates its local address in the ARP request.

Various tools (nmap, ethereal, arping, tethreal, etc.) are used as means of compromising network “traps” that use detection of active IP addresses by using intruder requests (nmap, ethereal, arping, tethreal, etc.) for analyzing network traffic and computing network topology, for example, , in the book Andronchik A.N., Bogdanov V.V., Domukhovsky N.A., Kollerov A.S., Sinadsky N.I., Khorkov D.A., Scherbakov M.Yu. Protection of information in computer networks. Practical course: textbook / A.N. Andronchik, V.V. Bogdanov, N.A. Domukhovsky et al .; edited by N.I. Sinadsky. - Ekaterinburg: USTU-UPI, 2008. - 248 p.

Thus, there is a contradiction between the effectiveness of the protection of computer networks and the capabilities of violators to determine the structure of computer networks and the identification of the characteristics of protective equipment with unmasking signs. To eliminate this contradiction directed the claimed method.

The claimed method is implemented as follows. In the general case (Fig. 2a), a computer network is a collection of correspondents 1, 2, 6, 7, which are sources and receivers of network traffic, peripheral and communication equipment 4, 9, relaying network traffic of correspondents, connected by physical lines (channels) of communication 3 , 10 connecting n nodes of a computer network into a single infrastructure, including using an Internet data transmission network 5. At the same time, the IP address space of network devices is occupied by computer network correspondents not By the way: correspondents K ₁ , K ₂ , K ₃ , highlighted in FIG. 2a in the aggregate 1, are connected to the computer network. Whereas the correspondents K ₄ , K ₅ , ... K _n , highlighted in FIG. 2a to 2 (the icons of the PC in Fig. 2a are shown in dotted lines) are not connected to the computer network, that is, the IP addresses of the correspondents K ₄ , K ₅ , ... K _{n are} not occupied (not used).

To protect the computer network and mislead the intruder regarding the structure of the computer network, a network “trap” is installed on one of the dedicated computers 7 of the computer network, intercepting ARP requests to the i-th unused IP address of the network device 2 of the computer network using a packet analyzer 8. After intercepting ARP requests, a batch of messages with a false MAC address is sent to the sender of batch messages and then the connection with it is held in a two-way manner.

FIG. 2b shows a computer network with the division of the address space into areas, ensuring the realistic functioning of the protected computer network when it is scanned by an attacker. FIG. 3 shows a graphical interpretation of the division of the address space of a computer network using mathematical expressions adopted in set theory. The difference {R} of the sets {A} and {U} is an operation whose result is a set consisting of those elements that belong to {A} and do not belong to {U} simultaneously. That is, {R _IP } = {A _IP \ U _I p} = {R _IP ∈ A _IP ∧ R _IP ∉ U _IP }, as shown in FIG. 3

FIG. 4 shows a block diagram of a sequence of actions that implement the claimed method of protecting computer networks, in which the following notation is adopted:

{M _IP } is the set of all i IP addresses of network devices of the computer network, where i = 1, 2, ..., n, and n is the maximum allowable value of the range of IP addresses for the computer network;

{A _IP } is the set of allowed IP addresses of network devices for use in the computer network, where {A _IP } ∈ {M _IP };

{D _IP } is a set of IP addresses of network devices prohibited for use in a computer network, where {D _IP } = {M _IP \ A _IP } = {D _IP ∈ M _IP D _IP A _IP };

{U _IP } - the set of allowed and temporarily unconnected IP addresses of network devices in a computer network from the set A _IP , where {U _IP } = {A _IP \ R _IP } = {U _IP ∈ A _IP U _IP R _IP } ;

{R _IP } is the set of allowed and connected IP addresses of network devices in a computer network from the set A _IP , where {R _IP } = {A _IP \ U _IP } = {R _IP ∈ A _IP ∧ R _IP U _IP };

S _MAC - an array of memory for storing read MAC addresses of network devices in a computer network;

G _MAC is an array of memory for storing the formed MAC addresses;

AG is a memory array for storing the compliance matrix with the i-th IP address of a network device from the A- _IP array of the j-th generated MAC address from the G- _MAC memory array allowed for the computer network;

{P} is the set of allowed by the software K port numbers and IP addresses of network devices of the computer network, where {P} = {1i, 2i, ... Pi};

S is a two-dimensional memory array for storing the readout P numbers of ports allowed by the software for use by each i-th IP address of network devices of the computer network;

{H} is a set of numbers of ports i-x network devices of a computer network that are prohibited by software H, where {H} = {1i, 2i, ... Hi};

V is a two-dimensional memory array for storing N prohibited numbers for use by the software of the ports used by each i-th IP address of network devices of the computer network;

{F} is the set of false F port numbers used by each i-th IP address of network devices of the computer network from the set {U _IP }, where {F} = {1i, 2i, ... Fi};

L is a two-dimensional memory array for storing F false port numbers used by each i-th IP address of network devices of the computer network from the set {U _IP }.

To reduce the likelihood of the violator detecting the fact of use and identifying the characteristics of the security tools, they preliminarily divide the address space of the computer network (Fig. 2b) into sets 1 - allowed and connected IP addresses of network devices, 2 - allowed and temporarily unconnected IP addresses of network devices simulating the functioning of the application software, which is manifested by the initialization of the corresponding ports, 3 - IP addresses that are prohibited for use in a computer network tv, provides realistic functioning of the protected area network.

To do this, preset (see block 1 in Fig. 4) the set {M _IP } = {K ₁ , K ₂ , ... K _n } of all i IP addresses of network devices of the computer network, where i = 1, 2, ..., n, and n - the maximum allowable value of the range of IP-addresses for the computer network.

The set {M _IP } defines the set {A _IP } = {K ₁ , K ₂ , K ₃ , K ₄ , K ₅ , K ₆ } of the IP addresses of network devices permitted for use in a computer network, where {A _IP } ∈ {M _IP }.

Then, in the set {M _IP }, the set {D _IP } = {K ₇ , ... K _n } of the IP addresses of network devices prohibited for use in the computer network is given, where {D _IP } = {M _IP \ A _IP } = {D _IP ∈ M _IP ∧ D _IP A _IP }.

After that, in the set {M _IP }, the set {U _IP } = {K ₄ , K ₅ , K ₆ } of the allowed and temporarily non-connected IP addresses of network devices in the computer network from the set {A _IP }, where {U _IP } = {A _IP \ R _IP } = {U _IP ∈ A _IP ∧ U _IP R _IP }.

Also, the set {R _IP } = {K ₁ , K ₂ , K ₃ } of allowed and connected IP addresses of network devices in the computer network from the set {A _IP }, where {R _IP } = {A _IP \ U _IP } = {R _IP ∈ A _IP ∧ R _IP ∉ U _IP }.

Splitting the address space of the computer network in this way achieves realistic operation of the protected computer network, which makes it possible to reduce the probability of the violator detecting the use of protective equipment and with a high degree of probability to identify the fact that the network intelligence is being conducted by the intruder, which consists in his addressing the IP addresses of temporarily unconnected network devices {U _IP}, and also to reduce network feature information content unmasking "traps" (consisting in the total activity d apazone IP-address area network) exception of IP-address ranges, which refer to intercept "trap", a plurality of IP-addresses {D _IP}.

To reduce the likelihood of identifying the characteristics of the protection in the claimed method, the information content of the unmasking attribute of the network “trap” is reduced, which consists in using a single and unchangeable value (00: 00: 0F: FF: FF: FF) ₁₆ MAC addresses regardless of the real address of the network adapter , when responding to ARP requests to the i-th unused IP address of the network device of the computer network. For this purpose, random values of the MAC addresses of network adapters are used.

Applying random values of the MAC addresses of network adapters is achieved by setting (see block 1 in FIG. 4) the _MAC memory array for storing the read MAC addresses of network devices in the computer network, the _MAC memory array G for storing the generated MAC addresses and An array of memory AG for storing a matrix of correspondence to the i-th IP address of a network device from the set {A _IP } of the j-th generated MAC address from the memory array G _MAC allowed for the computer network.

In addition, to reduce the likelihood of identifying the characteristics of security tools in the inventive method, the information content of another unmasking attribute of the network “trap” is reduced, consisting in the responses of the receiver of message packets to requests to the entire port space. To do this, they separate the port space into areas of temporarily unconnected network devices of the computer network and simulate the functioning of application software, which manifests itself by initializing the corresponding ports of IP addresses of temporarily unconnected network devices from the set {U _IP }, as shown in FIG. 2b (K ₄ correspondents are a web server imitating the availability of ports 80 and 8080; K ₅ is an email server imitating the availability of ports 25, 110, 143; K ₆ is an FTP server imitating the availability of ports 20 and 21). This is achieved by pre-setting (see block 1 in Fig. 4) the set {P} = {1i, 2i, ... Pi} allowed by the software P numbers of ports i IP addresses of network devices of the computer network and a two-dimensional memory array S to store the readout P allowed by the software for the port numbers used by each i-th IP address of the network devices of the computer network. And also many {N} = {1i, 2i, ... Hi} prohibited by the software N port numbers ix network devices of the computer network, a two-dimensional array of memory V for storing N forbidden for use by the software port numbers used by each i-th IP -address of network devices of a computer network. Also, the set {F} = {1i, 2i, ... Fi} of false F port numbers used by each i-th IP address of network devices of the network from the set {U _JP } and a two-dimensional memory array L for storing F false port numbers are specified, used by each i-th IP address of network devices of the computer network from the set {U _IP }.

Then, after connecting the network devices to the computer network (see block 2 in Fig. 4), read (see block 3 in Fig. 4) P allowed for use by the software of port numbers ix IP addresses of network devices of the computer network, remember (see block 4 in Fig. 4) P allowed by the software for the port number ix of the IP addresses of network devices of the computer network in a two-dimensional memory array S. Next, the IP addresses of temporarily unconnected network devices are stored in the set {U _IP } (see block 5 in Fig. 4).

After that, form (see block 6 in Fig. 4) F spurious port numbers for each i-th IP address from the set {U _IP } are formed, for which read (see block 7 in Fig. 4) from the two-dimensional memory array S The numbers of the allowed for use by the software of port numbers for ix IP addresses of network devices of a computer network from the set {U _IP } and remember (see block 8 in Fig. 4) the number of ports allowed for use by the software for i-th IP addresses network devices of the computer network from the set {U _IP } in a two-dimensional array of memory L.

Next, read (see block 9 in Fig. 4) the MAC addresses of the connected network devices of the computer network and memorize them (see block 10 in Fig. 4) in the memory array S _MAC . Next, generate (see block 11 in Fig. 4) a random sequence of hexadecimal numbers (see block 6 in Fig. 4), for example, as described in the book by Donald E. Knut Random Numbers // Programming Art. 3rd ed. - M .: Williams, 2000. T. 2. The computed algorithms. - 832 s., And form from it (see block 12 in Fig. 4) J values, where J = 1, 2, ..., j, MAC addresses of temporarily unconnected network devices of the computer network.

After that, remember (see block 13 in Fig. 4) the generated J values of the MAC addresses of temporarily unconnected network devices of the computer network in the memory array G _MAC and, to exclude the appearance in the computer network of two network devices with the same MAC addresses, see block 15 in Fig. 4) formed J values of the MAC addresses of temporarily unconnected network devices of the computer network from the memory array G _MAC with the MAC addresses of the temporarily unconnected network devices of the computer network from the memory array S _MAC . According to the results of the comparison, if they coincide, the j-th MAC address is deleted (see block 14 in Fig. 4) from the memory array G _MAC , and otherwise, that is, if they do not match, remember (see block 16 on Fig. 4) in the memory array AG corresponding to the i-th IP address of the network device from the set {A _IP } of the j-th generated MAC address from the memory array G _MAC allowed for the computer network.

Next, receive (see block 17 in Fig. 4) ARP request to any i-th IP address of the network device from the set {M _IP } and compare (see block 18 in Fig. 4) the IP address of the receiver of the ARP request with IP addresses of network devices from the set {D _IP } of IP addresses of network devices prohibited for use in a computer network. According to the results of the comparison, if the IP address of the recipient of the ARP request matches the IP addresses from the set {D _IP } of the network device IP addresses that are prohibited for use in the computer network, the ARP request is ignored (see block 19 in Fig. 4) .

Otherwise, that is, if the IP address of the receiver of the ARP request does not match the IP addresses from the set {D _IP }, compare the IP address of the receiver of the ARP request with the IP addresses of network devices from the set {R _IP } of allowed and connected IP addresses of network devices, and by the results of the comparison in case of coincidence of the IP address of the recipient

ARP requests with IP addresses from the set {R _IP } of allowed and connected IP addresses form (see block 23 in Fig. 4) a message about the availability of the message receiving node, which corresponds to the access of the legitimate subscriber to the network device of the computer network.

Otherwise, that is, if the IP address of the receiver of the ARP request does not match the IP addresses from the set {R _IP }, the IP address of the receiver of the ARP request is compared with the IP addresses of network devices from the set {U _IP } of temporarily unconnected IP addresses, and according to the results of the comparison, if the IP address of the recipient of the ARP request does not match the IP addresses from the set {U _IP } of the temporarily unconnected IP addresses, see block 23 in FIG. 4) message about the availability of the node of the recipient of message packets.

Otherwise, that is, if the IP address of the recipient of the ARP request matches the IP addresses from the set {U _IP }, after forming the response message packet (see block 22 in Fig. 4) and recording (see block 24 in FIG. . 4) in the "window size" TCP header of the response packet messages values W _nach equal ten bytes are recorded (see. the block 25 in FIG. 4) in the header of the response message packet recipient ARP-request false port numbers for ix IP-address network devices of the computer network from the set {U _IP }, stored in a two-dimensional array of memory L. Then write (see block 26 in Fig. 4) in the header of the response packet, the j-th generated MAC address for the i-th IP address from the memory array G _MAC . After that, send (see block 27 in FIG. 4) to the sender a response packet of messages with values of W _init , j-th generated MAC address for the i-th IP address from the G _MAC memory array, false F port numbers.

Then another packet of messages is received (see block 28 in FIG. 4) and is set (see block 29 in FIG. 4) in the “window size” field of the response packet header W _beats = 0, and then formed (see block 30 on Fig. 4) the response packets with W _beats = 0 and send (see block 31 in Fig. 4) the sender response packets with W _beats = 0. To block attempts to break the connection from the sender of the message packets, ignore (see block 32 in Fig. 4) all incoming message packets until the connection times out.

In the memory array AG, storing the i-th address of a network device from the set {A _IP } of the j-th generated MAC address from the memory array G _MAC is permitted by writing to the cell | i, j | two-dimensional array of memory AG logical unit. The resulting two-dimensional memory array contains a simple matrix containing zeros and ones. A unit in the matrix cell means that the i-th IP address of the network device corresponds to the j-th MAC address.

The number P allowed and N prohibited by the software for the port numbers i-x of network devices of the computer network is chosen in the range from 1 to 65535.

S memory of port numbers used by each i-th IP address of network devices of a computer network is stored in a two-dimensional memory array by writing to the cell | i, p | array of memory S logical units.

In a two-dimensional memory array, V numbers of port numbers used by each i-th IP address of network devices of a computer network are stored by writing to the cell | i, h | array of memory V logical units.

In a two-dimensional memory array, L of port numbers used by each i-th IP address of network devices of a computer network is stored by writing to the cell | i, f | array of memory L logical units.

The effectiveness of the stated technical result was verified by software implementation of the claimed method and conducting a field experiment. The essence of the experiment is a comparison of the detection performance of the network “trap” implemented in the prototype method with the detection performance of the network “trap” in the software implementation of the claimed method. To identify the network “trap”, that is, to identify the characteristics of protective equipment during the experiment, intercepting ARP requests from the network traffic using the Wireshark packet analyzer described in, for example, (Abbhinav, Singh. Instant Wireshark Starter. Pakt Publishing, UK . 69 p. ISBN 978-1-84969-564-0). FIG. 5 shows a screen form illustrating the results of the first stage of the experiment. The result of network traffic analysis is the use of a single and unchangeable value (00: 00: 0F: FF: FF: FF) ₁₆ MAC addresses. Detection of this MAC address allows you to uniquely identify the fact that a network “trap” is being used as a means of protecting a computer network.

At the second stage of the experiment, the software implementation of the claimed method was used. The result of randomly generating the MAC addresses of network devices of a computer network and analyzing network traffic using the Wireshark packet analyzer is shown in FIG. 6. The use of such MAC addresses when responding to requests using the ARP protocol made it possible to completely eliminate the unmasking attribute of the network “trap” and thus hide the type of protection used in the computer network.

The table in FIG. 6 contains the following main elements. The table shows the alternation of broadcast (Broadcast) requests (an odd line, for example, No. 465) using the ARP protocol and responses to them. The intruder makes requests through the AsustekC router. The essence of the request is reflected in the column in the "Contents of the ARP request." Consider an example. In line No. 465, the AsustekC router requests the physical address (MAC address) of the device with the IP address 10.0.0.40. In line No. 466, a p / p device with a physical address (MAC address) is: 97: a6: 1c: 2a: ef responds to the AsustekC router with its correspondence to the requested

IP address. A similar dialogue takes place in the remaining pairs of rows in the table. At the same time, all responses to ARP requests are sent by the network “trap” implemented by the claimed method, establishing the correspondence of false nodes of the computer network to the requested AsustekC router

IP addresses.

Thus, the claimed method achieves the stated goal of improving the effectiveness of protection and misleading the intruder regarding the structure of the computer network, by reducing the probability of the fact that the intruder detects the use of protection and identifies their characteristics achieved by separating the address space of the computer network and space ports to areas that provide realistic operation of the protected computer network, as well as forming a plurality of random values of the MAC addresses corresponding to the false network computing nodes.

Claims (6)

1. A way to protect computer networks, which consists in connecting network devices to a computer network and after receiving ARP requests to the i-th unused IP address of the network device of the computer network, form a response packet of messages, write TCP- in the "window size" field header of the response packet messages _nach value W equal to ten bytes, taking another message packet, form a response message packet is set in the "window size» TCP-header of the response message value W _ud packet is zero bytes, apravlyayut sender generated response message packets, and for blocking attempts to break the connection from the communications packet sender to ignore all incoming message packets before the expiration of the timeout compound, characterized in that the pre-set set {M _IP} all i IP-addresses of network computing devices in the network where i = 1, 2, ..., n, and n is the maximum allowable value of the range of IP addresses for a computer network, the set {A _IP } of IP addresses of network devices allowed for use in a computer network, where {A _IP } ∈ {M _IP }, the set {D _IP } of IP addresses of network devices prohibited for use in a computer network, where

, the set {U _IP } of allowed and temporarily unconnected IP addresses of network devices in a computer network from the set {A _IP } and the set {R _IP } of allowed and connected IP addresses of network devices in a computer network from the set {A _IP }, where

and

, memory array S _MAC for storing the read MAC addresses of network devices in the computer network, memory array G _MAC for storing the generated MAC addresses, memory array AG for storing the compliance matrix with the i-th IP address of the network device allowed for use in the computer network set {A _IP } of j-th formed MAC address from memory array G _MAC , set {P} = {1i, 2i, ..., Pi} allowed for use by software P port numbers i IP addresses of network devices of a computer network, two-dimensional storage array s read P allowed for use by the software port numbers used by each i-th IP address of network devices of the network, set {H} = {1i, 2i, ..., Hi} prohibited by the software N port numbers ix network devices of the network , a two-dimensional memory array V for storing N prohibited by the software port numbers used by each i-th IP address of network devices of the computer network, the set {F} = {1i, 2i, ..., Fi} false F port numbers used as with the i-th IP address of the network devices of the computer network from the set {U _IP }, a two-dimensional memory array L for storing F false port numbers used by each i-th IP address of the network devices of the computer network from the set {U _IP }, and after connection of network devices to the computer network reads the P allowed by the software port numbers ix IP addresses of the network devices of the computer network, remembers the P allowed by the software numbers of the port ix IP addresses of network devices -inflammatory network in the memory a two-dimensional array S, stored IP-address temporarily unconnected network devices in the set {U _IP}, form F false port numbers for each i-th IP-addresses of a plurality of {U _IP}, what is read from the two-dimensional memory array S numbers allowed for use by software port numbers ix IP-addresses of network devices of the plurality of computer network {U _IP} and stored matter allowed to use software port numbers for ix IP-addresses of network devices of computer second network of a plurality of {U _IP} in the two-dimensional array of memory L, is read MAC-addresses of the connected network computing devices in the network and storing them in the S _MAC memory array, and then generate a random sequence of hexadecimal numbers and generating therefrom J values where J = 1, 2, ..., j, MAC addresses of temporarily unconnected network devices of a computer network, remember generated J values of MAC addresses of temporarily unconnected network devices of a computer network in memory array G _MAC and compare generated J values of MAC addresses of times but unconnected network devices of the computer network from the memory array G _MAC with the MAC addresses of temporarily unconnected network devices of the computer network from the memory array S _MAC , and the j-th MAC address is removed from the memory array G _MAC , according to the results of the comparison case, that is, if they do not match, the correspondence to the i-th IP address of the network device from the set {A _IP } of the j-th generated MAC address from the memory array G _MAC allowed in the computer network is stored in the memory array AG, and then ARP for request any i-th IP address of the network device from the set {M _IP } and compare the IP address of the receiver of the ARP request with the IP addresses of the network devices from the set {D _IP } of the network devices IP addresses that are prohibited for use in a computer network, and according to the results of the comparison, if the IP address of the recipient of the ARP request matches the IP addresses from the set {D _IP } of the network devices' IP addresses that are prohibited for use in the computer network, they ignore the ARP request, and otherwise, that is, if the IP does not match -address of an ARP request with IP addresses from a set The properties {D _IP } compare the IP address of the receiver of the ARP request with the IP addresses of network devices from the set {R _IP } of the allowed and connected IP addresses of the network devices and by the results of the comparison if the IP address of the receiver of the ARP request matches the IP -adresses from the set {R _IP } of allowed and connected IP addresses form a message about the availability of the message receiver node, and otherwise, that is, if the IP address of the recipient of the ARP request does not match the IP addresses from the set {R _IP }, compare the recipient's ARP request IP address with the network IP addresses oystv from the set {U _IP} temporarily unconnected IP-address and the results of comparison in the case of discrepancy between the IP-addresses of the ARP-request recipient with IP-addresses from the set {U _IP} temporarily unconnected IP-address form the message of message packets destination host availability, otherwise, that is, if the IP address of the recipient of the ARP request matches the IP addresses from the set {U _IP }, after generating the response message packet, the port numbers for ix IP addresses are written in the response message header of the ARP request recipient networked stroystv computer network of a plurality of {U _IP}, stored in the memory a two-dimensional array L, and after the recording in the "window size» TCP-header messages values W _nach response packet equal to ten bytes is recorded in the header of the response packet j-th generated MAC -address for the i-th IP address from the memory array G _MAC , send to the sender a response packet of messages with the values of W _initial , j-th generated MAC address for the i-th IP address from the memory array G _MAC , false F port numbers. 2. The method according to claim 1, characterized in that storing in the memory array AG of compliance with the i-th IP address of a network device from the set {A _IP } of the j-th generated MAC address from the memory array G _MAC allowed for the computer network carried out by writing to the cell | i, j | array of memory AG logical units. 3. The method according to p. 1, characterized in that the number of P allowed and N prohibited by the software port numbers i-x network devices of the computer network is chosen in the range from 1 to 65535. 4. The method according to claim 1, wherein storing the port numbers used by each i-th IP address of network devices of the computer network in a two-dimensional memory array S is written to the cell | i, p | array of memory S logical units. 5. A method according to claim 1, characterized in that the storage in the two-dimensional memory array of V port numbers used by each i-th IP address of network devices of the computer network is performed by writing to the cell | i, h | array of memory V logical units. 6. The method according to claim 1, wherein storing in the two-dimensional memory array L the port numbers used by each i-th IP address of the network devices of the computer network is performed by writing to the cell | i, | array of memory L logical units.

Images