CN101350743A - By-path interdiction UDP session - Google Patents


Info

Publication number
CN101350743A
Authority
CN
China
Prior art keywords
udp
network
session
data packet
blocking
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2007101307267A
Other languages
Chinese (zh)
Inventor
尹志超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
REX INFORMATION TECHNOLOGY (BEIJING) Co Ltd
Original Assignee
REX INFORMATION TECHNOLOGY (BEIJING) Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2007-07-20
Filing date
2007-07-20
Publication date
2009-01-21

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method for blocking a UDP session on a network in bypass mode. It can be used in network security, network management, network access control and similar fields. A monitoring device is placed in the local area network and observes traffic through a hub or the mirror port of a switch. When a UDP session is to be blocked, a forged ICMP packet is assembled from the information in the observed UDP packet and written directly to the link layer. The host whose UDP session is to be blocked receives the forged ICMP packet and takes it as an error notification sent by the other end of the session. Following the standard protocols, its operating system reports to the application that the UDP datagram could not be delivered; the application then closes the UDP session, and the disallowed network access is blocked.

Description

Bypass blocking of a UDP session
Technical field
The present invention is a method for blocking a UDP session on a network in bypass mode. It can be used in fields such as network security, network management and network access control.
Background
In the internal office networks of small and medium-sized enterprises, employee access control, information filtering, content auditing, network security and similar functions all require monitoring of network usage. Bypass monitoring is generally used so as not to burden the gateway or router, but the control capability of a bypass device is limited. The present invention implements blocking of a specific UDP session from the bypass position by forging packets, and so remedies this functional defect of bypass monitoring.
Summary of the invention
The object of the invention is to solve the problem that a UDP connection cannot be blocked in the bypass monitoring mode of a network.
Ordinarily, a UDP session can be terminated only from three positions: the server end, the client end, and the network exit (the gateway or router). For network security, network access control, network behavior recording and network auditing in a local area network, the suitable position is the network exit, but placing these functions there degrades the performance of the router and similar equipment. To relieve that burden, network behavior recording and network auditing are therefore implemented in bypass monitoring mode (operating environment as in Fig. 1). Bypass monitoring, however, has no control over packets. If a UDP session could be blocked from the bypass position, the router would be relieved of the load while the network control capability was retained. The present invention solves exactly this problem.
Detailed introduction:
This bypass blocking method requires three preconditions:
First, packets on the network must be observable.
Second, self-forged packets must be writable to the link layer.
Third, as the standard protocols require (the ICMP "port unreachable" message of RFC 792): if a UDP packet is sent and no process is listening on the destination port, the receiving host returns an ICMP packet to notify the sender.
It follows that if, from the UDP information observed, a correctly formed ICMP packet is forged and sent, and the sending end of the session receives it, blocking from the bypass position is achieved.
The detailed process is as follows. The monitoring device observes a UDP packet P1 from A to B and records its IP addresses and port numbers.
Information in packet P1:
Source IP: ipA
Destination IP: ipB
Source port: portA
Destination port: portB
If blocking is required, an ICMP reply packet P2 in the reverse direction, B to A, is constructed from the information in P1:
Information in packet P2:
ICMP type: 3 (destination unreachable), code: 3 (port unreachable)
ICMP payload (the quoted original datagram):
Source IP: ipA
Destination IP: ipB
Source port: portA
Destination port: portB
Packet P2 is written to the link layer through a raw socket. The forged packet P2 is then forwarded by the network equipment as if it were a genuine packet and is finally received by A. A concludes that B has no corresponding service open and closes the UDP session. Bypass blocking of the UDP session is thereby achieved.
Description of drawings
Fig. 1: system structure diagram
Embodiment
System implementation, Fig. 1:
1. The monitoring device listens through a hub or the mirror port of a switch.
2. Among the observed packets, the UDP packets that need blocking are identified.
3. A forged ICMP packet is constructed from the UDP session information to be blocked.
4. The forged packet is sent to the link layer with a raw socket, blocking the UDP session.
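The packet construction described under "Detailed introduction" and the four embodiment steps above, as an added worked example. This is illustrative code written for this page, not the patent's implementation: it parses an observed IPv4/UDP datagram P1, builds the reverse ICMP type 3 / code 3 datagram P2 with correct IP and ICMP checksums, and adds the check a receiving host (or a sensor hunting for bypass blockers) would apply, namely that the ICMP error quotes the original IP header and UDP header byte for byte. The sample packet, the addresses 10.0.0.5 and 10.0.0.9 and the ports are constructed for the demonstration; injection with a raw socket is included but left uncalled because it needs CAP_NET_RAW.

```python
# Added example for this page (not the patent's own code): forge an ICMP
# "port unreachable" from an observed UDP datagram and verify the quoting.
import socket
import struct

ICMP_DEST_UNREACH = 3   # ICMP type 3
ICMP_PORT_UNREACH = 3   # ICMP code 3


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_udp(packet: bytes) -> dict:
    """Extract from P1 the fields the monitor needs (names as in the patent),
    plus the raw IP and UDP headers, which the forged ICMP error must quote."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != socket.IPPROTO_UDP:
        raise ValueError("not an IPv4/UDP packet")
    ip_hdr, udp_hdr = packet[:ihl], packet[ihl:ihl + 8]
    src_port, dst_port = struct.unpack("!HH", udp_hdr[:4])
    return {"ipA": socket.inet_ntoa(ip_hdr[12:16]),
            "ipB": socket.inet_ntoa(ip_hdr[16:20]),
            "portA": src_port, "portB": dst_port,
            "ip_hdr": ip_hdr, "udp_hdr": udp_hdr}


def build_icmp_port_unreach(p1: dict, ttl: int = 64) -> bytes:
    """Build P2: ICMP type 3 / code 3, addressed B -> A, quoting P1.
    RFC 792 requires the original IP header plus the first 8 bytes of the
    datagram (the whole UDP header); that is what lets A's kernel map the
    error back to the socket bound to portA."""
    quoted = p1["ip_hdr"] + p1["udp_hdr"]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl,
                     socket.IPPROTO_ICMP, 0,
                     socket.inet_aton(p1["ipB"]), socket.inet_aton(p1["ipA"]))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def icmp_quotes_udp(p2: bytes, p1: dict) -> bool:
    """Receiver-side check: is P2 a well-formed port-unreachable that quotes P1?
    A host should drop ICMP errors whose quoted header matches nothing it sent;
    a sensor can flag errors that match but arrive from the wrong direction."""
    ihl = (p2[0] & 0x0F) * 4
    icmp = p2[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_PORT_UNREACH:
        return False
    if checksum(p2[:ihl]) != 0 or checksum(icmp) != 0:  # both must verify
        return False
    quoted = icmp[8:]
    qihl = (quoted[0] & 0x0F) * 4
    return quoted[:qihl] == p1["ip_hdr"] and quoted[qihl:qihl + 8] == p1["udp_hdr"]


def sample_p1() -> bytes:
    """Constructed sample P1: A=10.0.0.5:40000 -> B=10.0.0.9:5060, payload b'test'."""
    payload = b"test"
    udp = struct.pack("!HHHH", 40000, 5060, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64,
                     socket.IPPROTO_UDP, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def send_raw(p2: bytes, dst: str) -> None:
    """Inject P2 unchanged (needs CAP_NET_RAW; IP_HDRINCL keeps our IP header)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(p2, (dst, 0))


if __name__ == "__main__":
    p1 = parse_udp(sample_p1())
    p2 = build_icmp_port_unreach(p1)
    print(p2.hex())
    # send_raw(p2, p1["ipA"])  # uncomment on a host with CAP_NET_RAW
```

Two caveats a practitioner should weigh before relying on this. First, the host only tears the session down if the error reaches the application: on Linux the kernel delivers an ICMP error to a UDP socket only when the socket is connected (or has IP_RECVERR set), and many UDP applications ignore ECONNREFUSED and keep sending, so the "block" is advisory rather than enforced. Second, the forged P2 is easy to spot from the network: it carries B's IP address but the monitor's source MAC and TTL, and a host that drops ICMP errors whose quoted datagram it never sent, or that rate-limits them, defeats the technique.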

Claims (1)

  1. A method of bypass blocking of UDP applications, in which UDP-based applications on the network are blocked, according to policy, from a device deployed in bypass mode.
    Its specific features are as follows:
    1. A monitoring device is attached to a hub or to the mirror port of a switch.
    2. After the monitoring device observes a UDP packet that needs blocking, it constructs a blocking data flow.
    3. The data flow is sent to the target machine.
    4. After the target machine receives this packet, it disconnects the corresponding UDP application.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007101307267A CN101350743A (en) 2007-07-20 2007-07-20 By-path interdiction UDP session


Publications (1)

Publication Number Publication Date
CN101350743A true CN101350743A (en) 2009-01-21

Family

ID=40269339


Country Status (1)

Country Link
CN (1) CN101350743A (en)


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102904902A (en) * 2012-10-31 2013-01-30 北京锐安科技有限公司 Dynamic host configuration protocol (DHCP)-based bypass blocking method
CN102904902B (en) * 2012-10-31 2015-08-19 北京锐安科技有限公司 A kind of based on DHCP method for blocking bypass by
CN112436978A (en) * 2020-10-28 2021-03-02 格力电器(南京)有限公司 Communication interface monitoring system

Similar Documents

Publication Publication Date Title
EP2033370B1 (en) Service-centric communication network monitoring
CN101350746A (en) By-path interdiction TCP connection
US8856372B2 (en) Method and system for local Peer-to-Peer traffic
CA2665297C (en) Lawful interception in wireline broadband networks
ES2356848T3 (en) METHOD AND SYSTEM OF MANAGEMENT OF LOCAL NETWORKS DISTANCE THROUGH A COMMUNICATION DEVICE.
US9401891B2 (en) Network address translation traversals for peer-to-peer networks
FR2925247A1 (en) CONTROLLING THE TRANSMITTING INTERFAC OF A SIP RESPONSE MESSAGE
US20070133520A1 (en) Dynamically adapting peer groups
CN101043430B (en) Method for converting network address between equipments
US8769111B2 (en) IP network service redirector device and method
CN102404229A (en) System, device and method for load balancing
CN101345741A (en) Proxy system and proxy connecting method based on internet
CN1917512B (en) Method for establishing direct connected peer-to-peer channel
JP2002518885A5 (en)
VanderSloot et al. Running refraction networking for real
CN104104596B (en) A kind of IRF divides treating method and apparatus
CN101350743A (en) By-path interdiction UDP session
CN102136988A (en) Multicast data message transferring method and device
Ferreira et al. A transport layer abstraction for peer-to-peer networks
US7562151B2 (en) Peer tunnels and peer group targets
CN102546670B (en) The multicast listener discovery agreement of safety is spied upon method and apparatus
CN101359998B (en) Network element route establishing method and apparatus
US10693673B2 (en) Method and apparatus for routing data to cellular network
CN101378309A (en) Test system, test processing equipment and test processing method
KR20170111305A (en) A network bridging method and computer network system thereof seamlessly supporting UDP protocols between the separated networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 2009-01-21