CN101350743A - By-path interdiction UDP session - Google Patents
By-path interdiction UDP session
- Publication number: CN101350743A (application CNA2007101307267A)
- Authority
- CN
- China
- Prior art keywords
- udp
- network
- conversion
- data packet
- blocking
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a method for blocking UDP sessions on a network in bypass mode. It can be used in network security, network management, network access control and similar fields. A monitoring device is placed in the local area network and listens to the network through a hub or the mirror port of a switch. When a UDP session must be blocked, a forged ICMP packet is assembled from the information in the monitored UDP packet and written directly to the link layer. The host whose UDP session is to be blocked receives the forged ICMP packet and takes it as an error notification sent by the other end of the session. Following the standard protocols, its operating system notifies the application that the UDP packet could not be delivered, so the application closes the UDP session, which achieves the purpose of blocking the unauthorized network access.
Description
Specific technical field
The present invention is a method for blocking UDP sessions on a network in bypass mode. It can be used in fields such as network security, network management and network access control.
Background technology
At present, in the internal office networks of small and medium-sized enterprises, fields such as employee network access control, information filtering, content auditing and network security require monitoring of how the network is used. Bypass monitoring is generally adopted to relieve the load on the gateway or router, but the control capability of a bypass device is reduced. The present invention implements blocking of a specific UDP session from a bypass position by forging packets, and thus remedies this functional defect of the bypass monitoring mode.
Summary of the invention
The objective of the invention is to solve the problem that UDP connections cannot be blocked in the bypass monitoring mode of a network.
Normally, a UDP session can only be disconnected from three positions: the server, the client, and the network exit (a gateway or router). For fields such as LAN network security, network access control, network behaviour recording and network auditing, the suitable position is the network exit. The drawback is that this affects the performance of devices such as routers. Therefore, to relieve the load on routers and similar devices, functions such as network behaviour recording and network auditing are implemented by bypass monitoring (operating environment as in Fig. 1). At the same time, however, bypass monitoring lacks any control over packets. If a UDP session could be blocked from the bypass monitoring position, the router's load would be shared and network control capability retained. The present invention solves exactly this problem.
Detailed introduction:
Implementing this bypass blocking method needs three prerequisites:
First, it must be possible to listen to packets on the network.
Second, self-forged packets must be writable to the link layer.
Third, the UDP protocol requires that if a UDP packet is sent and the other side has no corresponding receiving process, the other side returns an ICMP packet to notify the sender.
From this it follows that if, according to the UDP information we listen to, we forge an ICMP packet that meets the requirements, send it, and it is received by the connected end, the purpose of bypass blocking is achieved.
The detailed process is as follows. The monitoring device listens to a UDP packet P1 from A to B and records information such as its IP addresses and port numbers.
The information in packet P1 is as follows:
- Source IP: ipA
- Destination IP: ipB
- Source port: portA
- Destination port: portB
If blocking is required, an ICMP reply packet P2 in the reverse direction, B to A, is constructed from the information in P1 as follows:
The information in packet P2 is as follows:
- ICMP type: port unreachable
- ICMP payload:
  - Source IP: ipA
  - Destination IP: ipB
  - Source port: portA
  - Destination port: portB
Packet P2 is written to the link layer through a raw socket. The forged packet P2 is then forwarded by the network devices as if it were a legitimate packet and is finally received by A. A concludes that B has not opened the corresponding service, so A closes the UDP session. The purpose of bypass blocking of the UDP session is thereby achieved.
Description of drawings
Fig. 1: system structure diagram
Embodiment
Embodiment of the system: Fig. 1.
1. The monitoring device listens on a hub or on the mirror port of a switch.
2. Among the packets heard, it identifies the UDP packets that need to be blocked.
3. According to the UDP session information to be blocked, it constructs a forged ICMP packet.
4. The forged packet is sent to the link layer with a raw socket, thereby blocking the UDP session.
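On the wire the forged P2 is a well-formed ICMP port unreachable, so host A cannot distinguish it from a genuine one; a monitor on the same mirror port can, however, flag the contradiction that B both answered from portB and supposedly has no listener on portB. The following Python is an added example, not code from the patent: it parses IPv4/UDP/ICMP packets, records the UDP 4-tuples it has seen, and labels a port-unreachable message that contradicts an already observed session. The sample packets are constructed inline with checksums left at zero, and all class and function names are my own.

```python
import struct

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    dotted = lambda b: ".".join(map(str, b))
    return pkt[9], dotted(pkt[12:16]), dotted(pkt[16:20]), pkt[ihl:]

class UdpSessionMonitor:
    """Records UDP 4-tuples seen on the mirror port; flags contradicting ICMP."""
    def __init__(self):
        self.seen = set()  # (src_ip, src_port, dst_ip, dst_port)
    def observe(self, pkt):
        proto, src, dst, body = parse_ipv4(pkt)
        if proto == 17:  # UDP: remember who talked to whom
            sport, dport = struct.unpack("!HH", body[:4])
            self.seen.add((src, sport, dst, dport))
            return None
        if proto != 1 or body[:2] != b"\x03\x03":
            return None  # not ICMP destination unreachable / port unreachable
        # RFC 792: after the 8-byte ICMP header comes the quoted original IP header + 8 payload bytes
        qproto, qsrc, qdst, qbody = parse_ipv4(body[8:])
        if qproto != 17:
            return None
        qsport, qdport = struct.unpack("!HH", qbody[:4])
        quoted = (qsrc, qsport, qdst, qdport)
        # The claim "qdst has no listener on qdport" contradicts qdst already sending from qdport
        if (qdst, qdport, qsrc, qsport) in self.seen:
            return ("suspect-injected-unreachable", quoted)
        return ("port-unreachable", quoted)

# Constructed sample packets for offline use (checksums left at zero).
def mk_ip(proto, src, dst, payload):
    addr = lambda s: bytes(map(int, s.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, addr(src), addr(dst))
    return hdr + payload

def mk_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def demo(b_replied=True):
    m = UdpSessionMonitor()
    p1 = mk_ip(17, "10.0.0.2", "10.0.0.3", mk_udp(40000, 5060, b"x"))  # A -> B
    m.observe(p1)
    if b_replied:  # B answers from port 5060, so a listener clearly exists
        m.observe(mk_ip(17, "10.0.0.3", "10.0.0.2", mk_udp(5060, 40000)))
    # Forged P2 as in the description: claims to be from B, quotes P1's IP + UDP headers
    p2 = mk_ip(1, "10.0.0.3", "10.0.0.2", struct.pack("!BBHI", 3, 3, 0, 0) + p1[:28])
    return m.observe(p2)
```

Without the B-to-A reply the same P2 is reported only as an ordinary port unreachable, which is the limit of this heuristic: a session the monitor never saw answered cannot be told apart from a genuinely closed port.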
Claims (1)
- A method for bypass blocking of UDP applications, in which UDP-based applications on a network are blocked according to a policy, with the device deployed in bypass mode. Its specific features are as follows: 1. The monitoring device is connected to a hub or to the mirror port of a switch. 2. After the monitoring device hears UDP traffic that needs to be blocked, it constructs a blocking data stream. 3. The data stream is sent to the target machine. 4. After the target machine receives this packet, it disconnects the corresponding UDP application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2007101307267A CN101350743A (en) | 2007-07-20 | 2007-07-20 | By-path interdiction UDP session |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2007101307267A CN101350743A (en) | 2007-07-20 | 2007-07-20 | By-path interdiction UDP session |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101350743A true CN101350743A (en) | 2009-01-21 |
Family
ID=40269339
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2007101307267A Pending CN101350743A (en) | 2007-07-20 | 2007-07-20 | By-path interdiction UDP session |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101350743A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102904902A (en) * | 2012-10-31 | 2013-01-30 | 北京锐安科技有限公司 | Dynamic host configuration protocol (DHCP)-based bypass blocking method |
CN102904902B (en) * | 2012-10-31 | 2015-08-19 | 北京锐安科技有限公司 | A kind of based on DHCP method for blocking bypass by |
CN112436978A (en) * | 2020-10-28 | 2021-03-02 | 格力电器(南京)有限公司 | Communication interface monitoring system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C02 | Deemed withdrawal of patent application after publication (patent law 2001) | |
 | WD01 | Invention patent application deemed withdrawn after publication | Open date: 20090121 |