CN104023036A - TCP (transmission control protocol) bypass blocking method and device - Google Patents


Info

Publication number
CN104023036A
Authority
CN
China
Prior art keywords
bypass
handshake
jamming equipment
server
client
Prior art date
Legal status
Pending
Application number
CN201410295161.8A
Other languages
Chinese (zh)
Inventor
白金
王兴华
宗劼
Current Assignee
Beijing Blue It Technologies Co ltd
Original Assignee
Beijing Blue It Technologies Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Blue It Technologies Co ltd
Priority to CN201410295161.8A
Publication of CN104023036A


Abstract

The invention discloses a TCP (transmission control protocol) bypass blocking method and device. TCP blocking is performed by a bypass interference device that is attached off-path between a client and a server. The method comprises the following steps: the bypass interference device obtains the first-handshake segment (the SYN) sent by the client; it generates its own second-handshake segment (a SYN/ACK) from that first-handshake segment; and it sends this second-handshake segment to the client before the server's own second-handshake segment reaches the client, the server's second-handshake segment differing from the one produced by the bypass interference device (in particular, it carries a different initial sequence number). The invention addresses the unreliability of prior-art blocking, which interferes with packets already being exchanged between client and server, and thereby makes blocking of the client-server connection more reliable.

Description

TCP bypass blocking method and device
Technical field
The present invention relates to the communications field, and in particular to a TCP bypass blocking method and device.
Background technology
As is well known, a monitoring device can be deployed between a client and a server. Once a connection has been established between them using the Transmission Control Protocol (TCP), the device forges RST segments (RST is one of the six flag bits in the TCP header and means "reset the connection") and sends them to the client or the server so that the connection between client and server is torn down, thereby blocking communication between them.
Existing TCP blocking methods therefore work by forging RST segments while data is being transferred over an already established TCP connection. This approach is easily circumvented, so the block fails.
No effective solution has yet been proposed for this unreliability of blocking packets in transit between client and server in the prior art.
Summary of the invention
The main purpose of the present invention is to provide a TCP bypass blocking method and device, so as to solve the problem in the prior art that blocking of packets in transit between client and server is easily defeated.
To achieve this goal, according to one aspect of the present invention, a TCP bypass blocking method is provided. The method performs TCP blocking by means of a bypass interference device, where the bypass interference device is attached off-path between the client and the server, and the method comprises: the bypass interference device obtains the first-handshake segment from the client; the bypass interference device generates a second-handshake segment from the first-handshake segment, obtaining the bypass interference device's second-handshake segment; and the bypass interference device sends its second-handshake segment to the client before the server's second-handshake segment reaches the client, where the server generates its own second-handshake segment from the first-handshake segment, and the server's second-handshake segment differs from that of the bypass interference device.
Further, a blocking policy is configured on the bypass interference device, the blocking policy determining which servers and clients are subject to data blocking. Before the bypass interference device obtains the first-handshake segment from the client, the method also comprises: the bypass interference device obtains a packet from the client; it analyses the packet to obtain an analysis result; it checks, according to the analysis result, whether the client matches the blocking policy; and, if it determines that the client matches the blocking policy, it takes the packet as the first-handshake segment to be obtained.
Further, analysing the packet to obtain the analysis result comprises: obtaining the packet's source IP, destination IP, source port, destination port, the initial sequence number carried in the first handshake, and the packet's SYN flag. Generating the second-handshake segment from the first-handshake segment comprises: setting the ACK flag while keeping the SYN flag; generating, from the initial sequence number of the first handshake, the acknowledgement number and the bypass interference device's own initial sequence number; swapping source and destination IP and swapping source and destination port to obtain the swapped packet, and computing the checksum; and assembling the bypass interference device's second-handshake segment from the SYN flag, the ACK flag, the acknowledgement number, the device's initial sequence number, the swapped packet and the checksum.
Further, obtaining the first-handshake packet comprises: the bypass interference device obtains a packet from the client; it determines whether the packet is a first-handshake segment; and, if it determines that the packet is a first-handshake segment, it takes the packet as the first-handshake packet.
Further, the method also comprises: the server receives the third-handshake segment from the client, where the third-handshake segment carries an acknowledgement number generated from the bypass interference device's second-handshake segment; the server checks whether the acknowledgement number in the third-handshake segment matches the acknowledgement number expected for the server's own second-handshake segment; and, if it determines that they do not match, the server does not respond to the third-handshake segment.
To achieve this goal, according to another aspect of the present invention, a TCP bypass blocking device is provided. TCP blocking is performed by a bypass interference device attached off-path between the client and the server, and the TCP bypass blocking device comprises: a first acquiring unit, for making the bypass interference device obtain the first-handshake segment from the client; a first generation unit, for making the bypass interference device generate a second-handshake segment from the first-handshake segment, obtaining the bypass interference device's second-handshake segment; and a sending unit, for making the bypass interference device send its second-handshake segment to the client before the server's second-handshake segment reaches the client, where the server generates its own second-handshake segment from the first-handshake segment and the server's second-handshake segment differs from that of the bypass interference device.
Further, a blocking policy is configured on the bypass interference device, the blocking policy determining which servers and clients are subject to data blocking, and the TCP bypass blocking device also comprises: a second acquiring unit, for making the bypass interference device obtain a packet from the client before it obtains the first-handshake segment; an analysis unit, for making the bypass interference device analyse the packet and obtain an analysis result; a detection unit, for making the bypass interference device check, according to the analysis result, whether the client matches the blocking policy; and a second generation unit, for making the bypass interference device take the packet as the first-handshake segment to be obtained when it determines that the client matches the blocking policy.
Further, the analysis unit also makes the bypass interference device obtain, by analysis, the packet's source IP, destination IP, source port, destination port, the initial sequence number of the first handshake and the packet's SYN flag, and the first generation unit comprises: an adding module, for setting the ACK flag while keeping the SYN flag; a generation module, for generating the acknowledgement number and the bypass interference device's initial sequence number from the initial sequence number of the first handshake; a swapping module, for swapping source and destination IP and source and destination port to obtain the swapped packet, and computing the checksum; and an assembly module, for obtaining the bypass interference device's second-handshake segment from the SYN flag, the ACK flag, the acknowledgement number, the device's initial sequence number, the swapped packet and the checksum.
Further, the second acquiring unit comprises: a second acquiring module, for making the bypass interference device obtain a packet from the client; a judging module, for making the bypass interference device determine whether the packet is a first-handshake segment; and a third acquiring module, for taking the packet from the client as the first-handshake packet when the bypass interference device determines that it is a first-handshake segment.
Further, the TCP bypass blocking device also comprises: a receiving unit, for making the server receive the third-handshake segment from the client, where the third-handshake segment carries an acknowledgement number generated from the bypass interference device's second-handshake segment; a judging unit, for making the server check whether the acknowledgement number in the third-handshake segment matches the acknowledgement number expected for the server's own second-handshake segment; and a response unit, for making the server not respond to the third-handshake segment when the server determines that they do not match.
By means of the present invention, a TCP bypass blocking method is adopted in which TCP blocking is performed by a bypass interference device attached off-path between the client and the server, the method comprising: the bypass interference device obtains the first-handshake segment from the client; it generates a second-handshake segment from the first-handshake segment, obtaining its own second-handshake segment; and it sends that second-handshake segment to the client before the server's second-handshake segment, which the server generates from the same first-handshake segment, reaches the client. This solves the prior-art problem of unreliable blocking of packets in transit between client and server, and thus improves the reliability with which the connection between client and server is blocked.
Brief description of the drawings
The accompanying drawings, which form part of this application, are provided to give a further understanding of the invention; the illustrative embodiments of the invention and their description serve to explain the invention and do not constitute an undue limitation of it. In the drawings:
Fig. 1 is a flow chart of the TCP bypass blocking method according to the first embodiment of the invention;
Fig. 2 is a flow chart of the TCP bypass blocking method according to the second embodiment of the invention;
Fig. 3 is a flow chart of the TCP bypass blocking method according to the third embodiment of the invention;
Fig. 4 is a schematic diagram of the TCP bypass blocking device according to the first embodiment of the invention;
Fig. 5 is a schematic diagram of the TCP bypass blocking device according to the third embodiment of the invention; and
Fig. 6 is a schematic diagram of the TCP bypass blocking device according to the third embodiment of the invention.
Embodiment
It should be noted that the embodiments in this application, and the features within them, may be combined with one another provided they do not conflict. The invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
To enable those skilled in the art to understand the solution of the invention better, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention, without creative effort, fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and so on in the specification, the claims and the drawings are used to distinguish similar objects and need not describe a particular order or sequence. It should be understood that data so labelled may be interchanged where appropriate, so that the embodiments described here can be carried out in orders other than those illustrated or described. In addition, the terms "comprise" and "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to those steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product or device.
The invention provides a TCP bypass blocking method. This bypass blocking method can block communication between a server and a client. To make the technical solution of the invention easier to follow, we first describe how a client and a server set up communication. A connection between client and server is established with a three-way handshake.
First handshake: the client sends a SYN request to the server (SYN=j) and waits for the server to confirm it.
Second handshake: the server receives the client's SYN request, answers it with its own SYN (SYN=k) and acknowledges the client (ACK=j+1); that is, it sends a SYN+ACK segment to the client.
Third handshake: the client receives the server's SYN+ACK segment and sends an acknowledgement segment ACK (ACK=k+1) to the server.
Once the server has received the acknowledgement that the client sends in the third handshake, the three-way handshake is complete and data transfer between client and server begins.
The embodiment of the invention uses a bypass blocking device to monitor the client's handshake segments while the client and the server are shaking hands and to forge the server's response, thereby breaking the client's sequence-number matching so that client and server cannot complete communication; this achieves the aim of blocking communication between client and server.
Below in conjunction with accompanying drawing, the specific embodiment of the present invention is described.
Fig. 1 is a flow chart of the TCP bypass blocking method according to the first embodiment of the invention. As shown, the method performs TCP blocking by means of a bypass interference device attached off-path between the client and the server, and comprises the following steps:
Step S102: the bypass interference device obtains the first-handshake segment from the client.
The bypass interference device is attached off-path between the client and the server; geographically it may sit anywhere between them. For example, if the client is in Beijing and the server is in Guangzhou, the bypass interference device may be located at a monitoring node on the path from Beijing to Guangzhou, tapped off the Beijing-Guangzhou network rather than inserted inline into it.
The bypass interference device can monitor the client's handshake segments while the client and the server communicate. The client sends the first-handshake segment to the server, and this segment carries the initial sequence number ISNa. When the bypass interference device observes the client's first-handshake segment, it obtains it.
Step S104: the bypass interference device generates a second-handshake segment from the first-handshake segment, obtaining the bypass interference device's second-handshake segment.
After obtaining the first-handshake segment, the bypass interference device generates a second-handshake segment from it using a randomly chosen initial sequence number; that is, it forges the second-handshake segment that the server would send. The bypass interference device's second-handshake segment carries the acknowledgement number ISNa+1 and the random initial sequence number ISNb.
Step S106: before the server's second-handshake segment reaches the client, the bypass interference device sends its own second-handshake segment to the client, where the server generates its second-handshake segment from the first-handshake segment and the server's second-handshake segment differs from the bypass interference device's.
The bypass interference device sends its second-handshake segment to the client, and the client takes it to be the server's reply. Obtaining the first-handshake segment does not stop it from reaching the server: the server still receives the client's first-handshake segment and generates its own second-handshake segment from it as the reply to the client. The server's second-handshake segment carries the acknowledgement number ISNa+1 and the initial sequence number ISNc, and the server sends it to the client. By then, however, the client has already received the second-handshake segment generated by the bypass interference device and has replied to it.
Because the bypass interference device generates its second-handshake segment from the first-handshake segment with a random initial sequence number, the segment it generates differs from the server's second-handshake segment.
Under the three-way handshake of the TCP protocol, the client completes the second handshake when the bypass interference device's second-handshake segment arrives. Because that segment is forged, when the client subsequently receives the genuine second-handshake segment sent by the server, whose initial sequence number is ISNc, it finds that this does not match the expected initial sequence number ISNb; it returns RST to the server and does not respond correctly to the server's second-handshake segment, so no connection can be established between client and server.
In the above embodiment, when the client sends the first-handshake segment to the server, the bypass interference device obtains it, generates its own second-handshake segment from it and sends that to the client, so that the client receives the bypass interference device's second-handshake segment before the server's genuine one. The client therefore responds to the forged second-handshake segment and not to the genuine one from the server; no connection is established between client and server, and data transfer between them is blocked.
Fig. 2 is a flow chart of the TCP bypass blocking method according to the second embodiment of the invention. To ensure that the bypass interference device only obtains traffic between clients and servers that need to be blocked, a blocking policy is configured on the bypass interference device; the blocking policy determines which servers and clients are subject to data blocking. Before the bypass interference device obtains the first-handshake segment, the method also comprises:
Step S202: the bypass interference device obtains a packet from the client.
The bypass interference device obtains a packet from the client; this packet carries the SYN request and an initial sequence number.
Step S204: the bypass interference device analyses the packet to obtain an analysis result.
The bypass interference device analyses the data in the packet in order to determine whether this first-handshake packet belongs to a client that is being monitored.
Step S206: the bypass interference device checks, according to the analysis result, whether the client matches the blocking policy.
After obtaining the analysis result, the bypass interference device checks against the blocking policy whether the client matches; that is, it decides from the analysis result whether the first-handshake packet it has obtained is one it needs.
For example, suppose the bypass interference device needs to block the network traffic of client A but not that of client B. When it obtains a first-handshake packet, it analyses it: if the analysis shows that the first-handshake segment belongs to client A, client A matches the blocking policy and client A's traffic is blocked; if it shows that the first-handshake segment belongs to client B, client B does not match the blocking policy and client B's traffic is not blocked.
Whether the obtained first-handshake packet matches the blocking policy can be determined by analysing the client's source IP, destination IP, source port and destination port.
Step S208: if the bypass interference device determines that the client matches the blocking policy, it takes the packet as the first-handshake packet.
If the bypass interference device determines that the client matches the blocking policy, it decides to block this client and takes the packet as the first-handshake packet.
Further, analysing the packet to obtain the analysis result comprises: the bypass interference device analyses the packet and obtains its source IP, destination IP, source port, destination port, the initial sequence number carried in the first handshake and the packet's SYN flag. Generating the bypass interference device's second-handshake segment from the first-handshake segment comprises: setting the ACK flag while keeping the SYN flag; generating, from the initial sequence number of the first handshake, the acknowledgement number and the bypass interference device's own initial sequence number; swapping source and destination IP and swapping source and destination port to obtain the swapped packet, and computing the checksum; and assembling the bypass interference device's second-handshake segment from the SYN flag, the ACK flag, the acknowledgement number, the device's initial sequence number, the swapped packet and the checksum.
The packet obtained by the bypass interference device is as follows:
Source IP: IPA, destination IP: IPB, source port: PORTA, destination port: PORTB, initial sequence number ISNa, SYN flag.
After swapping source and destination IP and source and destination port, the processed packet is as follows:
Source IP: IPB, destination IP: IPA, source port: PORTB, destination port: PORTA, initial sequence number ISNb, acknowledgement number ISNa+1, SYN/ACK flags.
The resulting packet is sent to the client as the bypass interference device's second-handshake segment; it carries the SYN/ACK flags, the acknowledgement number ISNa+1 and the initial sequence number ISNb.
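The second-handshake construction described above and the policy match of the second embodiment, written out as an added Python example (this is not code from the patent or from the assignee; the addresses, ports and ISN values are constructed samples, and the rule format of BLOCK_POLICY is an assumption). It parses a captured IPv4/TCP SYN, checks the 5-tuple against the blocking policy, and builds the spoofed SYN/ACK with addresses and ports swapped, SYN kept and ACK added, ack = ISNa+1, a random ISNb, and fresh checksums. The patent's "compute the checksum" step is applied to both the TCP and the IPv4 header here, because a swapped packet carrying a stale checksum would be discarded by the client's stack before the sequence-number trick could take effect.

```python
import random
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Assumed blocking-policy format (not the patent's): a packet matches when every
# key of at least one rule equals the corresponding field of the packet.
BLOCK_POLICY = [
    {"dst_ip": "10.0.0.3", "dst_port": 80},   # block web sessions to this server
    {"src_ip": "10.0.0.9"},                    # block everything this client originates
]


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (used for IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535):
    """20-byte TCP header (no options), checksum taken over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src_ip, dst_ip, payload, ident=0, ttl=64):
    """Minimal 20-byte IPv4 header in front of a TCP segment, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, 6, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """The fields the bypass device needs from an observed packet: 5-tuple, seq, ack, flags."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {"src_ip": socket.inet_ntoa(pkt[12:16]), "dst_ip": socket.inet_ntoa(pkt[16:20]),
            "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF}


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Verify a TCP checksum the way a receiving stack does: the folded sum must be zero."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(tcp))
    return checksum(pseudo + tcp) == 0


def matches_policy(fields: dict, policy=BLOCK_POLICY) -> bool:
    return any(all(fields.get(k) == v for k, v in rule.items()) for rule in policy)


def forge_syn_ack(pkt: bytes, policy=BLOCK_POLICY, isn_b=None):
    """Return the spoofed second-handshake segment for a first-handshake SYN, or None.

    None means the device stays silent: the packet is not a bare SYN (so it is not the
    first handshake), or its 5-tuple does not match the blocking policy.
    """
    f = parse_ipv4_tcp(pkt)
    if f["flags"] & (SYN | ACK) != SYN:
        return None
    if not matches_policy(f, policy):
        return None
    if isn_b is None:
        isn_b = random.getrandbits(32)               # random ISNb, as in the patent
    # Swap addresses and ports, keep SYN, add ACK, seq = ISNb, ack = ISNa + 1 (mod 2^32).
    tcp = build_tcp(f["dst_ip"], f["src_ip"], f["dst_port"], f["src_port"],
                    isn_b, (f["seq"] + 1) & 0xFFFFFFFF, SYN | ACK)
    return build_ipv4(f["dst_ip"], f["src_ip"], tcp)


# Constructed sample: client 10.0.0.2:40000 opens a connection to 10.0.0.3:80 with ISNa = 1000.
SAMPLE_SYN = build_ipv4("10.0.0.2", "10.0.0.3",
                        build_tcp("10.0.0.2", "10.0.0.3", 40000, 80, 1000, 0, SYN))

if __name__ == "__main__":
    reply = forge_syn_ack(SAMPLE_SYN, isn_b=5555)
    print(parse_ipv4_tcp(reply), "tcp checksum ok:", tcp_checksum_ok(reply))
```

`forge_syn_ack` only returns the bytes; putting them on the wire with the server's source address needs a raw socket and is deliberately left out so that the construction can be checked offline.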
Further, obtaining the first-handshake packet comprises: the bypass interference device obtains a packet from the client; it determines whether the packet is a first-handshake segment; and, if it determines that the packet is a first-handshake segment, it takes the packet as the first-handshake packet.
The client sends many packets, and the bypass interference device does not need to process every packet from the client. It therefore has to determine whether a packet from the client is a first-handshake segment and, if it determines that it is, take that packet from the client as the first-handshake packet.
Fig. 3 is a flow chart of the TCP bypass blocking method according to the third embodiment of the invention. As shown, the method comprises the following steps:
Step S302: the server receives the third-handshake segment from the client, where the third-handshake segment carries an acknowledgement number generated from the bypass interference device's second-handshake segment.
According to the embodiments above, the first-handshake segment sent by the client is obtained by the bypass interference device, which generates its own second-handshake segment from it; the client replies to the bypass interference device's second-handshake segment that it has received and sends that reply to the server as the third-handshake segment. The server thus receives a third-handshake segment from the client whose acknowledgement number is ISNb+1.
Step S304: the server checks whether the acknowledgement is consistent with its own second-handshake segment.
When the server receives the client's third-handshake segment, it expects the acknowledgement carried in it to be consistent with the second-handshake segment the server itself sent; the server therefore has to check whether the acknowledgement carried in the third-handshake segment is consistent with its own second-handshake segment.
Step S306: if the server finds that the acknowledgement is not consistent with its second-handshake segment, it does not respond to the third-handshake segment.
After the client sends the first-handshake segment, the server receives it and generates its second-handshake segment from it as the reply. The initial sequence number in the server's second-handshake segment is ISNc, so the server expects to receive the acknowledgement number ISNc+1. However, the server's second-handshake segment reaches the client later than the bypass interference device's, and the client generates its third-handshake segment in reply to the bypass interference device's segment and sends that to the server. The third-handshake segment the server receives therefore answers the bypass interference device's second-handshake segment, and the server never receives the expected acknowledgement number ISNc+1: the server's second-handshake segment and the bypass interference device's correspond to different acknowledgement numbers, and the acknowledgement the server expects for its own segment differs from the one the client produced for the forged segment. The third-handshake segment received by the server is thus inconsistent with what it expects; the server determines that the acknowledgement does not match its second-handshake segment and does not respond to the client's third-handshake segment.
Through the above embodiments, when the client receives the server's second-handshake segment it finds that the segment does not match what it expects, returns RST to the server and does not respond correctly to it, so the second handshake between client and server fails; and at the third handshake, when the server receives the client's third-handshake segment, it finds that the acknowledgement carried in it does not answer the second-handshake segment the server sent, so the server does not respond to the client's data. The server then receives the RST that the client sent in response to the server's second-handshake segment and, never having received the expected acknowledgement number ISNc+1, the third handshake finally fails and the connection between server and client is torn down. The reply forged by the bypass interference device makes the handshake fail on both the client side and the server side, so client and server cannot communicate; this achieves the effect of blocking communication between them.
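The sequence of events in the first and third embodiments, modelled end to end as an added Python example (not code from the patent; the three participants, the ISN values 1000/5555/9000 and the delivery order are constructed). Three small state machines stand in for the client, the server and the bypass interference device: the device sees a copy of every client segment, drops nothing, and injects a SYN/ACK carrying the server's address and its own random ISNb. `run_handshake` reports which ISN the client locked onto, whether the server ever reached ESTABLISHED, and how many third-handshake ACKs it rejected, so the undisturbed handshake, the blocked handshake and the case where the forged SYN/ACK loses the race to the genuine one can be compared side by side.

```python
from dataclasses import dataclass

SYN, SYN_ACK, ACK, RST = (frozenset({"SYN"}), frozenset({"SYN", "ACK"}),
                          frozenset({"ACK"}), frozenset({"RST"}))


@dataclass
class Segment:
    src: str        # who really built the segment ("device" segments carry the server's address)
    dst: str
    flags: frozenset
    seq: int
    ack: int = 0

    def __str__(self):
        return f"{self.src}->{self.dst} {'/'.join(sorted(self.flags))} seq={self.seq} ack={self.ack}"


class Client:
    def __init__(self, isn):
        self.isn, self.state, self.peer_isn, self.out = isn, "CLOSED", None, []

    def connect(self):
        self.state = "SYN_SENT"
        self.out.append(Segment("client", "server", SYN, self.isn))

    def receive(self, seg):
        if seg.flags != SYN_ACK:
            return
        if self.state == "SYN_SENT" and seg.ack == self.isn + 1:
            # The first SYN/ACK acknowledging ISNa wins: adopt its ISN, answer with ISN + 1.
            self.peer_isn, self.state = seg.seq, "ESTABLISHED"
            self.out.append(Segment("client", "server", ACK, self.isn + 1, seg.seq + 1))
        elif self.state == "ESTABLISHED" and seg.seq != self.peer_isn:
            # A second SYN/ACK with an unexpected ISN: the patent's client answers RST.
            self.out.append(Segment("client", "server", RST, seg.ack))


class Server:
    def __init__(self, isn):
        self.isn, self.state, self.client_isn, self.out = isn, "LISTEN", None, []
        self.rejected_acks, self.ever_established = 0, False

    def receive(self, seg):
        if seg.flags == SYN and self.state == "LISTEN":
            self.client_isn, self.state = seg.seq, "SYN_RCVD"
            self.out.append(Segment("server", "client", SYN_ACK, self.isn, seg.seq + 1))
        elif seg.flags == ACK and self.state == "SYN_RCVD":
            if seg.ack == self.isn + 1:
                self.state, self.ever_established = "ESTABLISHED", True
            else:
                self.rejected_acks += 1      # third handshake answers someone else's ISN: ignored
        elif seg.flags == RST and self.state != "LISTEN" and seg.seq == self.client_isn + 1:
            self.state = "RESET"


class BypassDevice:
    """Off-path: sees a copy of each client segment, drops nothing, answers SYNs it must block."""
    def __init__(self, isn, blocked_servers):
        self.isn, self.blocked = isn, blocked_servers

    def observe(self, seg):
        if seg.flags == SYN and seg.dst in self.blocked:
            return [Segment("device", "client", SYN_ACK, self.isn, seg.seq + 1)]
        return []


def run_handshake(bypass=True, device_first=True, isn_a=1000, isn_b=5555, isn_c=9000):
    """Play the handshake through; device_first=False models the forged SYN/ACK losing the race."""
    client, server, device = Client(isn_a), Server(isn_c), BypassDevice(isn_b, {"server"})
    log, to_client = [], []
    client.connect()
    while client.out:                        # client -> server path, tapped by the device
        seg = client.out.pop(0)
        log.append(str(seg))
        if bypass:
            to_client += device.observe(seg)
        server.receive(seg)
    to_client = to_client + server.out if device_first else server.out + to_client
    server.out = []
    for seg in to_client:                    # both SYN/ACKs reach the client, in arrival order
        log.append(str(seg))
        client.receive(seg)
        while client.out:
            reply = client.out.pop(0)
            log.append(str(reply))
            server.receive(reply)
    return {"client_state": client.state, "client_peer_isn": client.peer_isn,
            "server_state": server.state, "server_ever_established": server.ever_established,
            "rejected_acks": server.rejected_acks, "log": log}


if __name__ == "__main__":
    for line in run_handshake()["log"]:
        print(line)
```

The RST the client sends on seeing a second SYN/ACK is the behaviour the patent describes. A stack that implements RFC 5961 answers a SYN received in ESTABLISHED with a challenge ACK rather than a RST, so in practice the forged SYN/ACK has to arrive first, exactly as step S106 requires; a device that loses the race cannot count on its late segment tearing the connection down.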
In addition, the TCP method for blocking bypass by of the embodiment of the present invention is to carry out second handshake by bypass jamming equipment forgery answer signal and client, thereby communicate between blocking-up client and server, the method is that blocking-up client and server is set up communication, instead of block again, thereby ensured that blocking-up is not easy to be cracked after client and server communicates.
The embodiment of the present invention also provides a kind of TCP bypass occluding device.
The TCP bypass occluding device that the TCP method for blocking bypass by of the embodiment of the present invention can provide by the embodiment of the present invention is carried out, the TCP method for blocking bypass by that the TCP bypass occluding device of the embodiment of the present invention also can provide for carrying out the embodiment of the present invention.
Fig. 4 is a schematic diagram of the TCP bypass blocking device according to the first embodiment of the present invention. TCP blocking is carried out by a bypass jamming equipment, which is connected off-path between the client and server. The TCP bypass blocking device comprises a first acquiring unit 10, a first generation unit 20 and a transmitting unit 30.
The first acquiring unit 10 is used to make the bypass jamming equipment obtain the first handshake signal from the client.
The bypass jamming equipment is connected off-path between the client and server; the geographic location at which the off-path device is attached can be anywhere between the client and the server. For example, if the client is in Beijing and the server is in Guangzhou, the bypass jamming equipment may be located at a monitoring node on the path from Beijing to Guangzhou, attached off-path rather than in series with the network between Beijing and Guangzhou.
The bypass jamming equipment can monitor the client's handshake signals while the client and server communicate. The client sends the first handshake signal to the server, and the first handshake signal carries the initial sequence number ISNa. After the bypass jamming equipment listens to the client's first handshake signal, it obtains the first handshake signal from the client.
The first generation unit 20 is used to make the bypass jamming equipment generate the second handshake signal from the bypass jamming equipment according to the first handshake signal.
After the bypass jamming equipment obtains the first handshake signal, it randomly generates the initial sequence number of a second handshake signal according to the first handshake signal; that is, the bypass jamming equipment forges the second handshake signal from the bypass jamming equipment as if it were the server's answer signal. The acknowledgement number carried in the second handshake signal from the bypass jamming equipment is ISNa+1, and the random initial sequence number is ISNb.
The transmitting unit 30 is used to make the bypass jamming equipment send the second handshake signal from the bypass jamming equipment to the client before the second handshake signal from the server arrives at the client, where the server generates the second handshake signal from the server according to the first handshake signal.
The bypass jamming equipment sends the second handshake signal from the bypass jamming equipment to the client, and the client treats that signal as the server's reply. The bypass jamming equipment's obtaining of the client's first handshake signal does not stop the first handshake signal from being sent to the server; the server still receives the client's first handshake signal and, according to it, generates the second handshake signal from the server as its reply to the client's first handshake signal. The acknowledgement number carried in the second handshake signal from the server is ISNa+1, and its initial sequence number is ISNc. The server sends the generated second handshake signal from the server to the client. But by then the client has already received the second handshake signal generated by the bypass jamming equipment and has replied to it.
The bypass jamming equipment generates the second handshake signal from the bypass jamming equipment randomly according to the first handshake signal, so the generated second handshake signal from the bypass jamming equipment differs from the second handshake signal from the server.
According to the three-way handshake of the TCP protocol, when the second handshake signal generated by the bypass jamming equipment reaches the client, the second handshake has been carried out. Because the bypass jamming equipment has forged the second handshake signal, when the client, having accepted the forged second handshake signal, then receives the second handshake signal really sent by the server, it sees the initial sequence number ISNc, judges that this does not match the expected initial sequence number ISNb, returns an RST to the server and responds incorrectly to the second handshake signal from the server, so no connection can be established between the client and server.
In the above embodiment, when the client sends the first handshake signal to the server, the bypass jamming equipment obtains the first handshake signal, generates the second handshake signal from the bypass jamming equipment according to the first handshake signal as a second handshake signal, and sends that second handshake signal to the client, so that the client receives the second handshake signal sent by the bypass jamming equipment before receiving the real second handshake signal from the server. As a result the client responds to the forged second handshake signal and does not respond to the second handshake signal from the client, so no connection can be established between the client and server, and the data transfer between the client and server is blocked.
Fig. 5 is a schematic diagram of the TCP bypass blocking device according to the third embodiment of the present invention. This TCP bypass blocking device comprises the first acquiring unit 10, the first generation unit 20 and the transmitting unit 30, and further comprises a second acquiring unit 40, an analysis unit 50, a detecting unit 60 and a second generation unit 70.
The second acquiring unit 40 is used to make the bypass jamming equipment obtain a packet from the client before the bypass jamming equipment obtains the first handshake signal from the client.
The bypass jamming equipment is configured with a blocking strategy, where the blocking strategy is used to determine the server and client on which data blocking is carried out.
The bypass jamming equipment obtains a packet from the client; this packet comprises a SYN request message and an initial sequence number.
The analysis unit 50 is used to make the bypass jamming equipment analyze the packet and obtain an analysis result.
The bypass jamming equipment analyzes the packet, that is, the data in the packet, in order to judge whether the first handshake packet belongs to a monitored client.
The detecting unit 60 is used to make the bypass jamming equipment detect, according to the analysis result, whether the client matches the blocking strategy.
After obtaining the analysis result, the bypass jamming equipment detects according to the analysis result whether the client matches the blocking strategy; that is, the bypass jamming equipment judges from the analysis result whether the first handshake packet it obtained is a packet it needs.
For example, suppose the bypass jamming equipment needs to block the network of client A but does not need to block the network of client B. When it obtains a first handshake packet, it analyzes that packet: if the analysis result is that this first handshake signal corresponds to client A, client A matches the blocking strategy and the network of client A is blocked; if the analysis result is that this second handshake signal corresponds to client B, client B does not match the blocking strategy and the network of client B is not blocked.
Whether the obtained first handshake packet matches the blocking strategy can be determined by analyzing the client's source IP, destination IP, source port and destination port.
The second generation unit 70 is used to make the bypass jamming equipment take the packet as the first handshake packet when the bypass jamming equipment judges that the client matches the blocking strategy.
If the bypass jamming equipment judges that the client matches the blocking strategy, the bypass jamming equipment determines that blocking is to be carried out for this client and takes this packet as the first handshake packet.
Further, the analysis unit is also used to make the bypass jamming equipment obtain, by analysis, the source IP, destination IP, source port and destination port of the packet. An adding module is used to add the ACK flag and retain the SYN flag; a generation module is used to generate the acknowledgement number and the initial sequence number from the bypass jamming equipment according to the initial sequence number of the first handshake signal; an exchange module is used to exchange the source IP and destination IP, exchange the source port and destination port, obtain the exchanged packet, and calculate the checksum; and a confirmation module is used to obtain the second handshake signal from the bypass jamming equipment according to the SYN flag, the ACK flag, the acknowledgement number, the initial sequence number from the bypass jamming equipment, the exchanged packet and the checksum.
The packet obtained by the bypass jamming equipment is as follows:
Source IP: IPA, destination IP: IPB, source port: PORTA, destination port: PORTB, initial sequence number ISNa, SYN flag.
After exchanging the source IP with the destination IP and the source port with the destination port, the processed packet is as follows:
Source IP: IPB, destination IP: IPA, source port: PORTB, destination port: PORTA, initial sequence number ISNb, acknowledgement number ISNa+1, SYN/ACK flags.
The resulting packet is sent to the client as the second handshake signal from the bypass jamming equipment; the second handshake signal from the bypass jamming equipment comprises the SYN/ACK flags, the acknowledgement number ISNa+1 and the initial sequence number ISNb.
Further, the second acquiring unit comprises:
a second acquisition module, for making the bypass jamming equipment obtain a packet from the client;
a judging module, for making the bypass jamming equipment judge whether the packet from the client contains a first handshake signal; and
a second confirmation module, for taking the packet from the client as the first handshake packet when the bypass jamming equipment judges that the packet from the client contains a first handshake signal.
The bypass jamming equipment obtains packets from the client. Because the client sends many packets and the bypass jamming equipment does not need to process every packet from the client, the bypass jamming equipment needs to judge whether a packet from the client contains a first handshake signal; if it judges that the packet from the client contains a first handshake signal, it takes that packet as the first handshake packet.
Fig. 6 is a schematic diagram of the TCP bypass blocking device according to the third embodiment of the present invention. As shown in the figure, this TCP bypass blocking device comprises the first acquiring unit 10, the first generation unit 20 and the transmitting unit 30, and further comprises a receiving unit 11, a judging unit 22 and a response unit 33.
The receiving unit 11 is used to make the server receive the third handshake signal from the client, where the third handshake signal comprises the answer signal generated according to the second handshake signal from the bypass jamming equipment.
According to the above embodiments, the first handshake signal sent by the client is obtained by the bypass jamming equipment, which generates the second handshake signal from the bypass jamming equipment according to the first handshake signal; the client replies to the second handshake signal it received from the bypass jamming equipment and sends that reply to the server as the third handshake signal. The server thus receives the third handshake signal from the client.
The judging unit 22 is used to make the server judge whether the answer signal is consistent with the second handshake signal from the server.
The server receives the third handshake signal from the client. The server expects the answer signal carried in the third handshake signal to be consistent with the second handshake signal the server sent, so the server needs to judge whether the answer signal carried in the third handshake signal is consistent with the second handshake signal from the server.
The response unit 33 is used to make the server not respond to the third handshake signal when the server judges that the answer signal is inconsistent with the second handshake signal from the server.
After the client sends the first handshake signal, the server receives it and generates the second handshake signal from the server as its reply according to the first handshake signal. However, the second handshake signal from the server arrives at the client later than the second handshake signal from the bypass jamming equipment, so the client generates its third handshake signal in response to the second handshake signal from the bypass jamming equipment and sends it to the server. The third handshake signal the server receives therefore answers the bypass jamming equipment's second handshake signal, and the server cannot receive the expected acknowledgement number ISNc+1. Because the second handshake signal from the server and the second handshake signal from the bypass jamming equipment correspond to different acknowledgement numbers, the answer the server expects after sending its second handshake signal (an answer to the server's second handshake signal) differs from the answer to the bypass jamming equipment's second handshake signal. The third handshake signal the server receives thus does not match its expectation: the server judges that the answer signal is inconsistent with the second handshake signal from the server, and the server does not respond to the third handshake signal from the client.
Through the above embodiment, when the client receives the second handshake signal from the server, it judges that this signal does not match its expectation and returns an RST to the server; not responding to the server's second handshake signal makes the second handshake between the client and server fail. In the third handshake, after the server receives the third handshake signal from the client, it judges that the answer signal carried in it does not answer the second handshake signal the server sent, so the server does not respond to the client's data; the server subsequently receives the RST packet that the client returned in response to the second handshake signal, and because the server never receives the expected acknowledgement number ISNc+1, the third handshake finally fails and the server and client are disconnected. The answer signal forged by the bypass jamming equipment thus makes the handshake fail on both the client and the server, so the client and server cannot communicate, which achieves the effect of blocking communication between the client and server.
In addition, the TCP bypass blocking device of the embodiment of the present invention can make the bypass jamming equipment forge an answer signal and carry out the second handshake with the client, thereby blocking communication between the client and server. The device blocks the client and server from establishing communication in the first place, rather than blocking communication after it has been established, which ensures that the blocking is not easily defeated once the client and server are communicating.
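The handshake sequence described in the embodiments above (forged SYN/ACK with ISNb reaching the client before the server's SYN/ACK with ISNc, the client's RST, and the server's judging unit rejecting an acknowledgement that is not ISNc+1) can be modelled without sending anything, and the same model shows what a passive monitor near the client would see. The following is an added example, not code from the patent; the endpoint addresses, ports and ISN values are constructed, and the detector's alert names are invented for this example.

```python
"""Model of the SYN/ACK race in the embodiments above, plus a passive
detector for its on-the-wire symptoms.  Added example, not code from the
patent; endpoint addresses, ports and ISN values are constructed."""
from dataclasses import dataclass

SYN, ACK, RST = "SYN", "ACK", "RST"
CLIENT, SERVER = "10.0.0.2:40000", "10.0.0.1:80"   # constructed endpoints


@dataclass(frozen=True)
class Pkt:
    src: str            # "ip:port" as seen on the wire (the forged one is spoofed)
    dst: str
    flags: frozenset
    seq: int
    ack: int = 0


def flow_key(p):
    """Direction-independent key so both halves of a connection share a flow."""
    return tuple(sorted((p.src, p.dst)))


def simulate(isn_a, isn_b, isn_c, jammed=True):
    """Replay the three-way handshake.  isn_a: client ISN; isn_b: the random
    ISN chosen by the bypass jamming equipment; isn_c: the server's real ISN.
    With jammed=True the forged SYN/ACK reaches the client first, as the
    description assumes.  Returns (trace, established)."""
    trace = [Pkt(CLIENT, SERVER, frozenset({SYN}), isn_a)]
    real = Pkt(SERVER, CLIENT, frozenset({SYN, ACK}), isn_c, isn_a + 1)
    if not jammed:
        trace.append(real)
        trace.append(Pkt(CLIENT, SERVER, frozenset({ACK}), isn_a + 1, isn_c + 1))
        return trace, True
    # Forged second handshake: addresses/ports swapped, ACK flag added,
    # ack = ISNa+1, seq = ISNb (modelled only; nothing is transmitted)
    forged = Pkt(SERVER, CLIENT, frozenset({SYN, ACK}), isn_b, isn_a + 1)
    trace.append(forged)
    # The client answers the first SYN/ACK it sees, so its third handshake
    # acknowledges ISNb+1 rather than ISNc+1
    third = Pkt(CLIENT, SERVER, frozenset({ACK}), isn_a + 1, isn_b + 1)
    trace.append(third)
    # The real SYN/ACK arrives late with ISNc, which the client did not
    # expect, so (as the description states) it answers with RST
    trace.append(real)
    trace.append(Pkt(CLIENT, SERVER, frozenset({RST}), isn_a + 1))
    # Server-side judging unit: accept the third handshake only if it
    # acknowledges the server's own ISN
    established = third.ack == isn_c + 1
    return trace, established


def detect(trace):
    """Passive detector for a tap near the client: flags a second SYN/ACK
    for the same flow carrying a different ISN, and an RST sent after a
    SYN/ACK was seen.  Returns a list of alert tuples."""
    alerts = []
    first_synack = {}           # flow -> ISN of the first SYN/ACK seen
    for p in trace:
        k = flow_key(p)
        if p.flags == {SYN, ACK}:
            if k in first_synack and first_synack[k] != p.seq:
                alerts.append(("synack-isn-mismatch", k, first_synack[k], p.seq))
            first_synack.setdefault(k, p.seq)
        elif p.flags == {RST} and k in first_synack:
            alerts.append(("rst-after-synack", k, p.src))
    return alerts


if __name__ == "__main__":
    trace, ok = simulate(isn_a=1000, isn_b=5000, isn_c=9000)
    print("established:", ok)
    for a in detect(trace):
        print("alert:", a)
```

Two SYN/ACKs for one flow with different ISNs, followed by a client RST during the handshake, is the signature a defender can look for; a single clean handshake produces no alert.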
The embodiment of the present invention also provides a computer storage medium. The computer storage medium can store a program, and the program is used to carry out part or all of the steps of the above TCP bypass blocking method.
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions; those skilled in the art should know, however, that the present invention is not limited by the described order of actions, because according to the present invention some steps may be carried out in another order or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (10)

1. A TCP bypass blocking method, characterized in that TCP blocking is carried out by a bypass jamming equipment, wherein the bypass jamming equipment is connected off-path between a client and a server, and the TCP bypass blocking method comprises:
the bypass jamming equipment obtaining a first handshake signal from the client;
the bypass jamming equipment generating a second handshake signal according to the first handshake signal, to obtain a second handshake signal from the bypass jamming equipment; and
the bypass jamming equipment sending the second handshake signal from the bypass jamming equipment to the client before a second handshake signal from the server arrives at the client, wherein the client responds to the second handshake signal from the bypass jamming equipment, the server generates the second handshake signal from the server according to the first handshake signal, and the second handshake signal from the server is different from the second handshake signal from the bypass jamming equipment.
2. The TCP bypass blocking method according to claim 1, characterized in that the bypass jamming equipment is configured with a blocking strategy, wherein the blocking strategy is used to determine the server and client on which data blocking is carried out, and before the bypass jamming equipment obtains the first handshake signal from the client, the TCP bypass blocking method further comprises:
the bypass jamming equipment obtaining a packet from the client;
the bypass jamming equipment analyzing the packet to obtain an analysis result;
the bypass jamming equipment detecting, according to the analysis result, whether the client matches the blocking strategy; and
if the bypass jamming equipment judges that the client matches the blocking strategy, the bypass jamming equipment taking the packet as the obtained first handshake packet.
3. The TCP bypass blocking method according to claim 2, characterized in that
the bypass jamming equipment analyzing the packet to obtain an analysis result comprises: the bypass jamming equipment analyzing the packet to obtain the source IP, destination IP, source port and destination port of the packet, the initial sequence number in the first handshake signal, and the SYN flag of the packet; and
the bypass jamming equipment generating a second handshake signal according to the first handshake signal comprises: adding an ACK flag and retaining the SYN flag; generating an acknowledgement number and an initial sequence number from the bypass jamming equipment according to the initial sequence number in the first handshake signal; exchanging the source IP and the destination IP, exchanging the source port and the destination port, obtaining an exchanged packet, and calculating a checksum; and obtaining the second handshake signal from the bypass jamming equipment according to the SYN flag, the ACK flag, the acknowledgement number, the initial sequence number from the bypass jamming equipment, the exchanged packet and the checksum.
4. The TCP bypass blocking method according to claim 2, characterized in that the bypass jamming equipment obtaining the first handshake packet comprises:
the bypass jamming equipment obtaining a packet from the client;
the bypass jamming equipment judging whether the packet contains a first handshake signal; and
if the bypass jamming equipment judges that the packet contains a first handshake signal, obtaining the packet as the first handshake packet.
5. The TCP bypass blocking method according to claim 1, characterized in that the TCP bypass blocking method further comprises:
the server receiving a third handshake signal from the client, wherein the third handshake signal comprises an acknowledgement number generated according to the second handshake signal from the bypass jamming equipment;
the server judging whether the acknowledgement number in the third handshake signal matches the acknowledgement number in the second handshake signal from the server; and
if the server judges that the acknowledgement number in the third handshake signal does not match the acknowledgement number in the second handshake signal from the server, the server not responding to the third handshake signal.
6. A TCP bypass blocking device, characterized in that TCP blocking is carried out by a bypass jamming equipment, wherein the bypass jamming equipment is connected off-path between a client and a server, and the TCP bypass blocking device comprises:
a first acquiring unit, for making the bypass jamming equipment obtain a first handshake signal from the client;
a first generation unit, for making the bypass jamming equipment generate a second handshake signal according to the first handshake signal, to obtain a second handshake signal from the bypass jamming equipment; and
a transmitting unit, for making the bypass jamming equipment send the second handshake signal from the bypass jamming equipment to the client before a second handshake signal from the server arrives at the client, wherein the client responds to the second handshake signal from the bypass jamming equipment, the server generates the second handshake signal from the server according to the first handshake signal, and the second handshake signal from the server is different from the second handshake signal from the bypass jamming equipment.
7. The TCP bypass blocking device according to claim 6, characterized in that the bypass jamming equipment is configured with a blocking strategy, wherein the blocking strategy is used to determine the server and client on which data blocking is carried out, and the TCP bypass blocking device further comprises:
a second acquiring unit, for making the bypass jamming equipment obtain a packet from the client before the bypass jamming equipment obtains the first handshake signal from the client;
an analysis unit, for making the bypass jamming equipment analyze the packet to obtain an analysis result;
a detecting unit, for making the bypass jamming equipment detect, according to the analysis result, whether the client matches the blocking strategy; and
a second generation unit, for making the bypass jamming equipment take the packet as the obtained first handshake packet when the bypass jamming equipment judges that the client matches the blocking strategy.
8. The TCP bypass blocking device according to claim 7, characterized in that
the analysis unit is also used to make the bypass jamming equipment obtain, by analysis, the source IP, destination IP, source port and destination port of the packet, the initial sequence number in the first handshake signal, and the SYN flag of the packet; and
the first generation unit comprises: an adding module, for adding an ACK flag and retaining the SYN flag; a generation module, for generating an acknowledgement number and an initial sequence number from the bypass jamming equipment according to the initial sequence number in the first handshake signal; an exchange module, for exchanging the source IP and the destination IP, exchanging the source port and the destination port, obtaining an exchanged packet, and calculating a checksum; and a confirmation module, for obtaining the second handshake signal from the bypass jamming equipment according to the SYN flag, the ACK flag, the acknowledgement number, the initial sequence number from the bypass jamming equipment, the exchanged packet and the checksum.
9. The TCP bypass blocking device according to claim 7, characterized in that the second acquiring unit comprises:
a second acquisition module, for making the bypass jamming equipment obtain a packet from the client;
a judging module, for making the bypass jamming equipment judge whether the packet contains a first handshake signal; and
a third acquisition module, for obtaining the packet from the client as the first handshake packet when the bypass jamming equipment judges that the packet contains a first handshake signal.
10. The TCP bypass blocking device according to claim 6, characterized in that the TCP bypass blocking device further comprises:
a receiving unit, for making the server receive a third handshake signal from the client, wherein the third handshake signal comprises an acknowledgement number generated according to the second handshake signal from the bypass jamming equipment;
a judging unit, for making the server judge whether the acknowledgement number in the third handshake signal matches the acknowledgement number in the second handshake signal from the server; and
a response unit, for making the server not respond to the third handshake signal when the server judges that the acknowledgement number in the third handshake signal does not match the acknowledgement number in the second handshake signal from the server.
CN201410295161.8A 2014-06-25 2014-06-25 TCP (transmission control protocol) bypass blocking method and device Pending CN104023036A (en)


Publication: CN104023036A, published 2014-09-03

Family ID: 51439606




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2014-09-03