CN105791225A - Bogus source address filtering configuration verifying method and system - Google Patents


Info

Publication number
CN105791225A
Authority
CN
China
Legal status
Granted
Application number
CN201410809106.6A
Other languages
Chinese (zh)
Other versions
CN105791225B (en)
Inventor
肖勇军
刘甲旺
陈浩
李金伟
高峰
张建军
苏砫
鲍自敏
Current Assignee
Beijing Ultrapower Information Safety Technology Co Ltd
Beijing Shenzhou Taiyue Software Co Ltd
Original Assignee
Beijing Ultrapower Information Safety Technology Co Ltd
Application filed by Beijing Ultrapower Information Safety Technology Co Ltd
Priority to CN201410809106.6A
Publication of CN105791225A
Application granted
Publication of CN105791225B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The embodiments of the invention disclose a bogus source address filtering configuration verification method and system. Interface information of routing and switching equipment is collected automatically, and from that interface information it is verified whether each interface is suitable for (that is, capable of) bogus source address filtering configuration. This establishes which interfaces can be configured with bogus source address filtering and replaces the conventional one-by-one manual check of the interfaces, greatly raising the efficiency of bogus source address filtering configuration on the interfaces.

Description

False source address filtering configuration verification method and system
Technical field
The present invention relates to the field of network security, and in particular to a method and system for verifying false source address filtering configuration.
Background technology
An attack that causes DoS (Denial of Service) is called a DoS attack; its aim is to make a computer or network unable to provide normal service. A false source address attack, also called IP (Internet Protocol) spoofing, is a common form of DoS attack. Such an attack usually forges a legitimate IP address to force a server to reset a legitimate user's connection, thereby affecting that user's connection; or lures a router into sending unnecessary packets to legitimate users; or the attacker forges a large number of non-existent source addresses and continuously sends SYN (Synchronous, the handshake used when a TCP/IP connection is established) packets to a server, so that normal SYN requests are dropped, the target system slows down, and in serious cases the network is congested or the system even crashes.
The usual way to prevent false source address attacks is to filter false source addresses. To do so, the interfaces of the routing and switching equipment must be configured with false source address filtering, for example URPF (Unicast Reverse Path Forwarding); once configured, URPF rejects packets that carry a false source address and so prevents false source address attacks.
A typical business system has many routers and switches and a large number of interfaces, but not every interface is suitable for false source address filtering configuration, for instance an interface that is not enabled. Therefore an operator usually checks by hand which interfaces are suitable for false source address filtering configuration and then configures those interfaces. When there are many interfaces, the efficiency of this manual check is very low.
Summary of the invention
To overcome the low efficiency of verifying false source address filtering configuration in the related art, the present application provides a false source address filtering configuration verification method and system.
According to a first aspect of the embodiments of the present application, a false source address filtering configuration verification method is provided, including:
obtaining the interface information of each routing and switching device in the business system;
verifying, according to the interface information, whether each interface is suitable for false source address filtering configuration, where verifying whether each interface is suitable for false source address filtering configuration includes:
judging whether the state of the interface is enabled;
if the state of the interface is enabled, judging whether the interface is a virtual interface; otherwise, the interface is not suitable for false source address filtering configuration;
if the interface is not a virtual interface, judging whether the interface is a multi-layer interface; otherwise, the interface is not suitable for false source address filtering configuration;
if the interface is not a multi-layer interface, judging whether the interface and/or other interfaces associated with it are configured with an IP address;
if the interface and/or other interfaces associated with it are configured with an IP address, the interface is suitable for false source address filtering configuration; otherwise, the interface is not suitable for false source address filtering configuration.
Optionally, in the false source address filtering configuration verification method, when the interface is suitable for false source address filtering configuration, the method further includes:
judging whether a false source address filtering configuration keyword is present for the interface;
if the false source address filtering configuration keyword is present for the interface, the interface has already been configured with false source address filtering; otherwise, prompting that the interface has not been configured with false source address filtering.
Optionally, in the false source address filtering configuration verification method, obtaining the interface information of the routing and switching devices in the business system includes:
establishing network connections to the routing and switching devices in the business system in a distributed and concurrent manner;
obtaining the relevant interface information according to the type of each routing and switching device.
Optionally, in the false source address filtering configuration verification method, obtaining the relevant interface information according to the type of the routing and switching device includes:
collecting the configuration information of the routing and switching device;
separating the configuration information to obtain the information of each interface of the routing and switching device.
Optionally, the false source address filtering configuration verification method further includes:
generating a false source address filtering configuration verification result report.
Corresponding to the first aspect of the embodiments of the present application, according to a second aspect of the embodiments of the present application, a false source address filtering configuration verification system is provided, including:
an interface information acquiring unit, for obtaining the interface information of the routing and switching devices in the business system;
a false source address filtering configuration verification unit, for verifying, according to the interface information, whether each interface is suitable for false source address filtering configuration;
the false source address filtering configuration verification unit includes:
a first judging sub-unit, for judging whether the state of the interface is enabled;
a second judging sub-unit, for judging, if the state of the interface is enabled, whether the interface is a virtual interface;
a third judging sub-unit, for judging, if the interface is not a virtual interface, whether the interface is a multi-layer interface;
a fourth judging sub-unit, for judging, if the interface is not a multi-layer interface, whether the interface and/or other interfaces associated with it are configured with an IP address,
where, if the state of the interface is disabled, or the interface is a virtual interface, or the interface is a multi-layer interface, or neither the interface nor any other interface associated with it is configured with an IP address, the interface is not suitable for false source address filtering configuration; otherwise, the interface is suitable for false source address filtering configuration.
Optionally, the false source address filtering configuration verification system further includes:
a fifth judging unit, for judging, when the interface is suitable for false source address filtering configuration, whether a false source address filtering configuration keyword is present for the interface; if the false source address filtering configuration keyword is present, the interface has already been configured with false source address filtering; otherwise, the interface has not been configured with false source address filtering.
Optionally, in the false source address filtering configuration verification system, the interface information acquiring unit includes:
a connection sub-unit, for establishing network connections to the routing and switching devices in the business system in a distributed and concurrent manner;
a collection sub-unit, for obtaining the relevant interface information according to the type of each routing and switching device.
Optionally, in the false source address filtering configuration verification system, the collection sub-unit includes:
a configuration information collection module, for collecting the configuration information of the routing and switching devices;
an interface information separation module, for separating the configuration information to obtain the information of each interface of the routing and switching devices.
Optionally, the false source address filtering configuration verification system further includes:
a verification report generation unit, for generating a false source address filtering configuration verification result report.
The technical solution provided by the embodiments of the present application can have the following beneficial effect: the interface information of the routing and switching devices is collected automatically, and whether each interface is suitable for (that is, capable of) false source address filtering configuration is verified from that interface information. This replaces the manual interface-by-interface check of which interfaces can be configured with false source address filtering and greatly improves the efficiency of configuring false source address filtering on the interfaces.
It should be understood that the above general description and the detailed description below are exemplary and explanatory only and do not limit the present application.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings required in the description of the embodiments or the prior art are briefly described below. Obviously, those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic flowchart of a false source address filtering configuration verification method according to an exemplary embodiment of the present application;
Fig. 2 is a schematic flowchart of a false source address filtering configuration verification method according to another exemplary embodiment of the present application;
Fig. 3 is a block diagram of a false source address filtering configuration verification system according to an exemplary embodiment of the present application;
Fig. 4 is a block diagram of a false source address filtering configuration verification system according to another exemplary embodiment of the present application.
Detailed description of the invention
Exemplary embodiments are described in detail here, and examples of them are shown in the drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; rather, they are merely examples of systems and methods consistent with some aspects of the application as detailed in the appended claims.
Numerous specific details are given in the following detailed description so that the application can be fully understood; those skilled in the art will appreciate that the application can be practised without these details. In other embodiments, well-known methods, procedures, components and circuits are not described in detail so as not to obscure the embodiments unnecessarily.
According to a first aspect of the embodiments of the present application, a false source address filtering configuration verification method is provided. Fig. 1 is a schematic flowchart of a false source address filtering configuration verification method according to an exemplary embodiment of the present application. As shown in Fig. 1, the method includes:
Step S101, obtaining the interface information of each routing and switching device in the business system.
A business system usually has many routing and switching devices of heterogeneous types, and the interfaces involved are also numerous. When there are few routing and switching devices, interface information can be collected from each device individually, according to the situation of each interface on each device, and finally all of the collected interface information is consolidated. But the efficiency of this approach is low, especially when there are many routing and switching devices. In one possible implementation, network connections to the routing and switching devices in the business system are established in a distributed and concurrent manner; before the connections are established, the type of each device to be connected is collected in advance; after the connections are established, the interface information of every device is collected simultaneously according to the type of the connected device. Establishing the connections in a distributed, concurrent manner and collecting interface information by device type allows the information of all interfaces to be collected rapidly, with higher efficiency.
However, when there are many types of routing and switching devices and many kinds of interfaces, interface information collected concurrently is likely to be mixed together, making it difficult to obtain the information of each interface clearly. Therefore, in one possible implementation, network connections to the routing and switching devices in the business system are established in a distributed and concurrent manner, and after the connections are established the configuration information of every device is collected simultaneously according to the type of the connected device. Conventional configuration collection methods can be used for this. Because the configuration information of each type of routing or switching device differs somewhat, the conventional method collects the relevant configuration information from the devices of each type in turn and then consolidates it; that is, during collection the type of each device is determined and the necessary configuration information is collected according to that type. The type of each device can be determined by matching the type information contained in the device ID of the connected device against the type information collected in advance. The collected configuration information includes the interface names, interface types and interface configuration of the device. After the configuration information of the different device types has been collected, the information of each interface is separated out of the configuration according to the interface separator characteristic of each device, so that the collected interface information is not mixed up.
Because the routing and switching devices in the business system are of different types, the interface information obtained may differ in some respects; the differing parts can be normalized so that similar interface information is represented in the same format, for instance a uniform format for interface names. Although the interface information of different routing and switching devices may differ in some details, the information this application needs, such as interface name, interface type and interface configuration, generally has no material difference between device types.
Step S102, verifying, according to the interface information, whether each interface is suitable for false source address filtering configuration, where verifying whether each interface is suitable for false source address filtering configuration includes:
Step S1021, judging whether the state of the interface is enabled;
Step S1022, if the state of the interface is enabled, judging whether the interface is a virtual interface; otherwise, the interface is not suitable for false source address filtering configuration;
Step S1023, if the interface is not a virtual interface, judging whether the interface is a multi-layer interface; otherwise, the interface is not suitable for false source address filtering configuration;
Step S1024, if the interface is not a multi-layer interface, judging whether the interface and/or other interfaces associated with it are configured with an IP address;
if the interface and/or other interfaces associated with it are configured with an IP address, the interface is suitable for false source address filtering configuration; otherwise, the interface is not suitable for false source address filtering configuration.
In step S1021, whether the state of the interface is enabled can be judged from whether a shutdown keyword or an enable keyword is present in the interface information. For example, if the shutdown keyword is present, the interface state is disabled; if the undo shutdown keyword is present, the interface state is enabled; and if the interface information contains only the interface name statement and no other keyword, the interface state is disabled.
In step S1022, when the result of step S1021 is that the interface state is enabled, it is further judged whether the interface is a virtual interface. A virtual interface has no corresponding physical interface; it is not generated automatically from a physical interface but is created manually as needed, and its state is permanently UP, for example loopback, null, tunnel and virtual-template interfaces. The virtual interfaces of a routing or switching device vary with the device type (their names or their number differ), so whether an interface is one of the virtual interfaces of that type can be judged according to the type of the routing or switching device: if it is not, the interface is not a virtual interface; if it is one of the virtual interfaces of that type, the interface is a virtual interface. If the result of step S1021 is that the interface state is disabled, the interface is not suitable for false source address filtering configuration, that is, it cannot be configured with false source address filtering.
In step S1023, when the result of step S1022 is that the interface is not a virtual interface, it is judged whether the interface is a multi-layer interface. This is judged by whether a multi-layer interface key line is present in the interface information; the multi-layer interface key line is the command used on the routing or switching device to configure the interface as a multi-layer interface. For example, whether a switchport key line or a portswitch key line is present in the interface information (common interface configuration commands for configuring an interface into Layer 2 or Layer 3 mode; which of switchport or portswitch applies is determined by the device type) decides whether the interface is a Layer 2 or Layer 3 interface: if a switchport or portswitch key line is present, the interface is a Layer 2 or Layer 3 interface; if neither is present, the interface is not a Layer 2 or Layer 3 interface. If the result of step S1022 is that the interface is a virtual interface, the interface is not suitable for false source address filtering configuration.
In one implementation of step S1024, when the result of step S1023 is that the interface is not a multi-layer interface, it is judged whether the interface is configured with an IP (Internet Protocol) address or whether other interfaces associated with it are configured with an IP address. Whether the interface itself is configured with an IP address can be judged from the value of the ip address keyword in the interface information: if ip address carries a valid IP address value, the interface is configured with an IP address; otherwise, it is not. If the interface is configured with an IP address, it is suitable for false source address filtering configuration. If the interface is not configured with an IP address, it is judged whether other interfaces associated with this interface are configured with an IP address: for example, association keywords in the interface information such as port default vlan (default VLAN interface), ip-trunk (wide area network interface) and eth-trunk (Ethernet interface) can be used to find the other interfaces associated with this interface, that is, its associated interfaces, and it is then judged whether an associated interface is configured with an IP address. If no associated interface is configured with an IP address either, the interface is not suitable for false source address filtering configuration; if an associated interface is configured with an IP address, the interface is suitable for false source address filtering configuration.
In another implementation of step S1024, when the result of step S1023 is that the interface is not a multi-layer interface, it can first be judged whether other interfaces associated with the interface are configured with an IP address. If an interface associated with it is configured with an IP address, the interface is suitable for false source address filtering configuration; if no associated interface is configured with an IP address, it is then judged whether the interface itself is configured with an IP address: if it is, the interface is suitable for false source address filtering configuration; if the interface itself is not configured with an IP address either, the interface is not suitable for false source address filtering configuration.
In a further implementation of step S1024, whether the interface is configured with an IP address and whether other interfaces associated with it are configured with an IP address can also be judged at the same time. If the interface is configured with an IP address, or the other interfaces associated with it are configured with an IP address, the interface is suitable for false source address filtering configuration. When the interface is not configured with an IP address and the other interfaces associated with it are not configured with an IP address either, the interface is not suitable for false source address filtering configuration.
After the above judgement, the interfaces suitable for false source address filtering configuration have been automatically checked out. After the automatic false source address check of the interfaces of the routing and switching devices, a false source address filtering configuration automatic check result report can be generated, which records and displays whether each interface is suitable for false source address filtering configuration, so that technical staff can judge and select the interfaces on which to configure false source address filtering.
Fig. 2 is a schematic flowchart of a false source address filtering configuration verification method according to an exemplary embodiment of the present application. As shown in Fig. 2, the method includes:
Step S201, obtaining the interface information of each routing and switching device in the business system;
Step S202, verifying, according to the interface information, whether each interface is suitable for false source address filtering configuration, where verifying whether each interface is suitable for false source address filtering configuration includes:
Step S2021, judging whether the state of the interface is enabled;
Step S2022, if the state of the interface is enabled, judging whether the interface is a virtual interface; otherwise, the interface is not suitable for false source address filtering configuration;
Step S2023, if the interface is not a virtual interface, judging whether the interface is a multi-layer interface; otherwise, the interface is not suitable for false source address filtering configuration;
Step S2024, if the interface is not a multi-layer interface, judging whether the interface and/or other interfaces associated with it are configured with an IP address;
if the interface and/or other interfaces associated with it are configured with an IP address, the interface is suitable for false source address filtering configuration; otherwise, the interface is not suitable for false source address filtering configuration.
Step S203, when the interface is suitable for false source address filtering configuration, judging whether a false source address filtering configuration keyword is present for the interface;
if the false source address filtering configuration keyword is present for the interface, the interface has already been configured with false source address filtering; otherwise, prompting that the interface has not been configured with false source address filtering.
Step S204, generating a false source address filtering configuration verification result report.
Steps S201 and S202 (steps S2021 to S2024) are identical to steps S101 and S102 (steps S1021 to S1024).
When the interface is suitable for false source address filtering configuration, that is, when the result of the verification in step S202 is that the interface is suitable for false source address filtering configuration, step S203 further judges whether the interface has already been configured with false source address filtering. Step S203 can judge this by whether a false source address filtering configuration keyword, such as a URPF keyword or a UNICAST (unicast) keyword, is present in the interface information: a URPF keyword indicates that the interface is configured with URPF, and a UNICAST keyword indicates that the interface is configured with UNICAST. The mode in which false source address filtering is enabled can be queried further, for instance whether URPF is Loose (loose mode) or Strict (strict mode). Judging whether an interface has already been configured with false source address filtering saves technical staff the work of configuring false source address filtering on that interface.
After step S202 has verified which interfaces are suitable for false source address filtering and which are not, and step S203 has judged which of the suitable interfaces have already been configured with false source address filtering, step S204 can generate a verification report from the verification results, recording and displaying the false source address filtering self-check results for the reference of technical staff. The verification report can include the total number of devices in the business system, the total number of interfaces, device name, interface name, interface type, check result, completion time, and so on.
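The decision chain of steps S1021 to S1024, the S203 keyword check and the per-interface report of S204, as an added Python example that is not part of the patent: it first splits a constructed Huawei-style configuration dump into per-interface stanzas (the interface information separation of step S101) and then classifies each interface. The keyword names (shutdown, undo shutdown, switchport, portswitch, ip address, port default vlan, ip-trunk, eth-trunk, urpf, unicast, loose, strict) come from the text above; the sample configuration, the function names and the way an associated interface's name is derived from an association keyword are assumptions.

```python
import re
from typing import Dict, List

# Constructed Huawei-style config dump (assumption: not from a real device); stanzas end with '#'.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ip address 192.0.2.1 255.255.255.0
 urpf strict
#
interface GigabitEthernet0/0/2
 ip address 198.51.100.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 shutdown
#
interface Eth-Trunk1
 ip address 203.0.113.1 255.255.255.0
#
interface GigabitEthernet0/0/5
 eth-trunk 1
#
interface GigabitEthernet0/0/6
 undo shutdown
#
interface GigabitEthernet0/0/7
 portswitch
#
interface LoopBack0
 ip address 192.0.2.254 255.255.255.255
#
"""

VIRTUAL_PREFIXES = ("loopback", "null", "tunnel", "virtual-template")
L2_KEYWORDS = ("switchport", "portswitch")
URPF_KEYWORDS = ("urpf", "unicast")
# Association keywords named in the text; deriving the associated name (Vlanif10, Eth-Trunk1, Ip-Trunk1) is an assumption.
ASSOC_RULES = (
    (re.compile(r"^port default vlan (\d+)$", re.I), "Vlanif{}"),
    (re.compile(r"^eth-trunk (\d+)$", re.I), "Eth-Trunk{}"),
    (re.compile(r"^ip-trunk (\d+)$", re.I), "Ip-Trunk{}"),
)

def split_interfaces(config: str) -> Dict[str, List[str]]:
    """Interface information separation: one list of config lines per interface."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "#":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks

def has_ip(lines: List[str]) -> bool:
    # An 'ip address' keyword carrying a value counts as a configured address.
    return any(re.match(r"^ip address \S+", l, re.I) for l in lines)

def associated(lines: List[str]) -> List[str]:
    # Names of the interfaces this one is associated with, via ASSOC_RULES.
    return [tmpl.format(m.group(1)) for l in lines
            for rx, tmpl in ASSOC_RULES for m in [rx.match(l)] if m]

def eligible(name: str, lines: List[str], blocks: Dict[str, List[str]]) -> str:
    """Steps S1021-S1024: 'eligible' or the reason the interface is not."""
    # S1021: 'shutdown' means disabled; a stanza with no keywords at all is also disabled, as the text states.
    if not lines or any(l.lower() == "shutdown" for l in lines):
        return "not eligible: interface is shut down"
    # S1022: virtual interfaces (always UP, no physical port) are excluded.
    if name.lower().startswith(VIRTUAL_PREFIXES):
        return "not eligible: virtual interface"
    # S1023: a switchport / portswitch key line marks a multi-layer interface.
    if any(l.lower().split()[0] in L2_KEYWORDS for l in lines):
        return "not eligible: multi-layer interface"
    # S1024: an address on the interface itself, or on an associated interface.
    if has_ip(lines) or any(has_ip(blocks.get(o, [])) for o in associated(lines)):
        return "eligible"
    return "not eligible: no IP address on interface or associated interfaces"

def urpf_status(lines: List[str]) -> str:
    """Step S203: URPF / UNICAST keyword present, plus its mode when stated."""
    for l in lines:
        words = l.lower().split()
        if any(w in URPF_KEYWORDS for w in words):
            mode = next((m for m in ("strict", "loose") if m in words), "mode unknown")
            return f"configured ({mode})"
    return "not configured"

def verify(config: str, device: str = "DEVICE-1") -> Dict[str, dict]:
    """Steps S201-S204 for one device: one report row per interface, keyed by name."""
    blocks = split_interfaces(config)
    rows = {}
    for name, lines in blocks.items():
        row = {"device": device, "interface": name, "result": eligible(name, lines, blocks)}
        if row["result"] == "eligible":      # S203 only runs on eligible interfaces
            row["urpf"] = urpf_status(lines)
        rows[name] = row
    return rows
```

Running `verify(SAMPLE_CONFIG)` yields one row per interface; the report of S204 is the same rows with device and interface totals and a completion time added.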
The false source address that the embodiment of the present application provides filters configuration check method, automatically the interface message of route and switching equipment is gathered, and verify whether interface is applicable to carry out false source address filtration configuration according to interface message, namely whether interface can carry out false source address filtration configuration, which substitute artificial docking port to carry out investigation one by one and verify interface and can carry out false source address and filter configuration, thus being greatly improved interface falseness source address to filter the efficiency of configuration, and also can further to the interface that can carry out falseness source address filtration configuration verifies whether be configured with false source address filtration, reduce interface falseness source address further and filter the workload of configuration, improve allocative efficiency.
From the description of the above method embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware alone, but in many cases the former is the preferred embodiment. On this understanding, the technical solution of the present application, or the part of it that contributes over the prior art, can be embodied as a software product stored on a storage medium and comprising instructions that cause a smart device to perform all or some of the steps of the method described in each embodiment of the present application. The storage medium includes read-only memory (ROM), random-access memory (RAM), magnetic disks, optical discs and other media capable of storing data and program code.
Corresponding to the first aspect of the embodiments of the present application, a second aspect provides a bogus-source-address filtering configuration check system. Fig. 3 is a block diagram of a bogus-source-address filtering configuration check system according to an exemplary embodiment of the present application. As shown in Fig. 3, the system includes:
an interface information acquisition unit U301, for acquiring the interface information of the routing and switching devices in the business system;
a bogus-source-address filtering configuration verification unit U302, for verifying from each item of interface information whether each interface is suitable for bogus-source-address filtering configuration;
where the bogus-source-address filtering configuration verification unit includes:
a first judgment sub-unit U3021, for judging whether the state of the interface is up;
a second judgment sub-unit U3022, for judging, if the state of the interface is up, whether the interface is a virtual interface;
a third judgment sub-unit U3023, for judging, if the interface is not a virtual interface, whether the interface is a multi-layer interface;
a fourth judgment sub-unit U3024, for judging, if the interface is not a multi-layer interface, whether the interface and/or other interfaces associated with it are configured with an IP address.
If the state of the interface is down, or the interface is a virtual interface, or the interface is a multi-layer interface, or neither the interface nor any interface associated with it is configured with an IP address, then the interface is not suitable for bogus-source-address filtering configuration; otherwise, the interface is suitable for bogus-source-address filtering configuration.
In one possible embodiment, the interface information acquisition unit U301 can include:
a connection sub-unit, for establishing network connections to the routing and switching devices in the business system in a distributed, concurrent manner;
a collection sub-unit, for collecting the relevant interface information according to the type of the routing or switching device.
The collection sub-unit can include:
a configuration information collection module, for collecting the configuration information of the routing and switching devices;
an interface information separation module, for separating the configuration information into the individual interface information of each routing and switching device.
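The connection sub-unit and the collection sub-unit, as an added example that is not the patent's code: configurations are pulled from an inventory of devices concurrently, the command that dumps the configuration is chosen by device type, and each device gets its own timeout so that one unreachable or unsupported device does not stall the others or abort the run. The inventory, the device types, the per-type commands and the `fake_exec` transport (a stand-in for an SSH session that returns canned output) are all constructed assumptions.

```python
# Added example, not the patent's code: collect device configurations
# concurrently, with a per-type command and a per-device timeout, so one
# unreachable device stalls neither the others nor the whole audit.
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from typing import Callable, Dict, List, Optional, Tuple

Device = Tuple[str, str, str]            # (name, device type, management address)

# Assumed per-vendor command that dumps the full configuration.
SHOW_CONFIG = {"cisco_ios": "show running-config",
               "huawei_vrp": "display current-configuration"}

# Constructed inventory; 192.0.2.0/24 is documentation address space.
INVENTORY: List[Device] = [
    ("core-rtr-1", "cisco_ios", "192.0.2.11"),
    ("agg-sw-2", "huawei_vrp", "192.0.2.12"),
    ("edge-rtr-3", "cisco_ios", "192.0.2.13"),   # never answers: times out
    ("lab-box-9", "unknown_os", "192.0.2.99"),   # type not in SHOW_CONFIG
]

# Constructed stand-in for a real SSH exec: canned output, or no reply at all.
CANNED = {
    "192.0.2.11": "interface GigabitEthernet0/0\n ip address 203.0.113.2 255.255.255.252\n!",
    "192.0.2.12": "interface GigabitEthernet0/0/1\n ip address 198.51.100.1 255.255.255.0\n urpf strict\n#",
}

def fake_exec(addr: str, command: str, timeout: float) -> str:
    if addr not in CANNED:
        time.sleep(timeout)              # the device never answers
        raise TimeoutError(f"{addr}: no reply to {command!r} within {timeout}s")
    return CANNED[addr]

def collect_one(dev: Device, exec_fn: Callable[[str, str, float], str],
                timeout: float) -> Tuple[str, Optional[str], Optional[str]]:
    """Fetch one device's configuration; never raises, so the pool stays healthy."""
    name, dev_type, addr = dev
    cmd = SHOW_CONFIG.get(dev_type)
    if cmd is None:
        return name, None, f"unsupported device type {dev_type!r}"
    try:
        return name, exec_fn(addr, cmd, timeout), None
    except (TimeoutError, OSError) as exc:
        return name, None, str(exc)

def collect_all(inventory: List[Device], exec_fn=fake_exec, workers: int = 8,
                timeout: float = 0.5) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Connect to all devices concurrently; return {name: config}, {name: error}."""
    configs: Dict[str, str] = {}
    errors: Dict[str, str] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(collect_one, d, exec_fn, timeout) for d in inventory]
        for fut in as_completed(futures):
            name, cfg, err = fut.result()
            if cfg is None:
                errors[name] = err or "unknown error"
            else:
                configs[name] = cfg
    return configs, errors

if __name__ == "__main__":
    start = time.monotonic()
    ok, bad = collect_all(INVENTORY)
    print(f"{len(ok)} configs, {len(bad)} failures in {time.monotonic() - start:.2f}s")
    for name, err in bad.items():
        print(f"  {name}: {err}")
```

With the pool, the four devices finish in roughly one timeout rather than the sum of them, and the two failures come back as report material (`edge-rtr-3` timed out, `lab-box-9` has no known command) instead of as an exception that ends the run. The returned configurations are what the interface information separation module then splits per interface.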
Fig. 4 is a block diagram of a bogus-source-address filtering configuration check system according to another exemplary embodiment of the present application. As shown in Fig. 4, the system includes:
an interface information acquisition unit U401, for acquiring the interface information of the routing and switching devices in the business system;
a bogus-source-address filtering configuration verification unit U402, for verifying from each item of interface information whether each interface is suitable for bogus-source-address filtering configuration;
where the bogus-source-address filtering configuration verification unit includes:
a first judgment sub-unit U4021, for judging whether the state of the interface is up;
a second judgment sub-unit U4022, for judging, if the state of the interface is up, whether the interface is a virtual interface;
a third judgment sub-unit U4023, for judging, if the interface is not a virtual interface, whether the interface is a multi-layer interface;
a fourth judgment sub-unit U4024, for judging, if the interface is not a multi-layer interface, whether the interface and/or other interfaces associated with it are configured with an IP address;
a fifth judgment unit U403, for judging, when the interface is suitable for bogus-source-address filtering configuration, whether the interface information contains a bogus-source-address filtering configuration keyword; if it does, the interface already has bogus-source-address filtering configured, otherwise the interface does not have bogus-source-address filtering configured;
a verification report generation unit U404, for generating a bogus-source-address filtering configuration verification result report.
For convenience of description, the system above is described in terms of units divided by function. When implementing the present application, the functions of the units can of course be realized in one or more pieces of software or hardware.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments can be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiments are substantially similar to the method embodiments, they are described relatively briefly, and the relevant points can be found in the description of the method embodiments. The systems and system embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the present embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
It should be noted that, herein, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, system or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, system or device. In the absence of further limitation, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, system or device that includes that element.
The above are only specific embodiments of the present application, enabling those skilled in the art to understand or implement the present application. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A bogus-source-address filtering configuration check method, characterized in that it comprises:
acquiring the interface information of each interface of the routing and switching devices in a business system;
verifying from each item of interface information whether each interface is suitable for bogus-source-address filtering configuration, where verifying whether each interface is suitable for bogus-source-address filtering configuration comprises:
judging whether the state of the interface is up;
if the state of the interface is up, judging whether the interface is a virtual interface; otherwise, the interface is not suitable for bogus-source-address filtering configuration;
if the interface is not a virtual interface, judging whether the interface is a multi-layer interface; otherwise, the interface is not suitable for bogus-source-address filtering configuration;
if the interface is not a multi-layer interface, judging whether the interface and/or other interfaces associated with it are configured with an IP address;
if the interface and/or other interfaces associated with it are configured with an IP address, the interface is suitable for bogus-source-address filtering configuration; otherwise, the interface is not suitable for bogus-source-address filtering configuration.
2. The bogus-source-address filtering configuration check method of claim 1, characterized in that, when the interface is suitable for bogus-source-address filtering configuration, the method further comprises:
judging whether the interface contains a bogus-source-address filtering configuration keyword;
if the interface contains a bogus-source-address filtering configuration keyword, the interface already has bogus-source-address filtering configured; otherwise, indicating that the interface does not have bogus-source-address filtering configured.
3. The bogus-source-address filtering configuration check method of claim 1, characterized in that acquiring the interface information of the routing and switching devices in the business system comprises:
establishing network connections to the routing and switching devices in the business system in a distributed, concurrent manner;
acquiring the relevant interface information according to the type of the routing or switching device.
4. The bogus-source-address filtering configuration check method of claim 3, characterized in that acquiring the relevant interface information according to the type of the routing or switching device comprises:
collecting the configuration information of the routing and switching devices;
separating the configuration information into the individual interface information of each routing and switching device.
5. The bogus-source-address filtering configuration check method of any one of claims 1 to 4, characterized in that it further comprises:
generating a bogus-source-address filtering configuration verification result report.
6. A bogus-source-address filtering configuration check system, characterized in that it comprises:
an interface information acquisition unit, for acquiring the interface information of the routing and switching devices in a business system;
a bogus-source-address filtering configuration verification unit, for verifying from each item of interface information whether each interface is suitable for bogus-source-address filtering configuration;
where the bogus-source-address filtering configuration verification unit includes:
a first judgment sub-unit, for judging whether the state of the interface is up;
a second judgment sub-unit, for judging, if the state of the interface is up, whether the interface is a virtual interface;
a third judgment sub-unit, for judging, if the interface is not a virtual interface, whether the interface is a multi-layer interface;
a fourth judgment sub-unit, for judging, if the interface is not a multi-layer interface, whether the interface and/or other interfaces associated with it are configured with an IP address,
where, if the state of the interface is down, or the interface is a virtual interface, or the interface is a multi-layer interface, or neither the interface nor any interface associated with it is configured with an IP address, then the interface is not suitable for bogus-source-address filtering configuration; otherwise, the interface is suitable for bogus-source-address filtering configuration.
7. The bogus-source-address filtering configuration check system of claim 6, characterized in that it further comprises:
a fifth judgment unit, for judging, when the interface is suitable for bogus-source-address filtering configuration, whether the interface contains a bogus-source-address filtering configuration keyword; if it does, the interface already has bogus-source-address filtering configured, otherwise the interface does not have bogus-source-address filtering configured.
8. The bogus-source-address filtering configuration check system of claim 6, characterized in that the interface information acquisition unit includes:
a connection sub-unit, for establishing network connections to the routing and switching devices in the business system in a distributed, concurrent manner;
a collection sub-unit, for acquiring the relevant interface information according to the type of the routing or switching device.
9. The bogus-source-address filtering configuration check system of claim 8, characterized in that the collection sub-unit includes:
a configuration information collection module, for collecting the configuration information of the routing and switching devices;
an interface information separation module, for separating the configuration information into the individual interface information of each routing and switching device.
10. The bogus-source-address filtering configuration check system of any one of claims 6 to 9, characterized in that it further comprises:
a verification report generation unit, for generating a bogus-source-address filtering configuration verification result report.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410809106.6A CN105791225B (en) 2014-12-23 2014-12-23 False source address filtering configuration check method and system

Publications (2)

Publication Number Publication Date
CN105791225A true CN105791225A (en) 2016-07-20
CN105791225B CN105791225B (en) 2019-03-26

Family

ID=56385468

Country Status (1)

Country Link
CN (1) CN105791225B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1953373A (en) * 2006-09-19 2007-04-25 Tsinghua University (清华大学) A method to filter and verify open real IPv6 source address
CN102006289A (en) * 2010-08-05 2011-04-06 Tsinghua University (清华大学) Spoofed source address filtering method and device
US20120201246A1 (en) * 2009-07-27 2012-08-09 Media Patents, S.L. Multicast Traffic Management in a Network Interface
US20140331308A1 (en) * 2013-05-03 2014-11-06 Centurylink Intellectual Property Llc Combination of Remote Triggered Source and Destination Blackhole Filtering

Also Published As

Publication number Publication date
CN105791225B (en) 2019-03-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: Room 813, 8 / F, 34 Haidian Street, Haidian District, Beijing 100080

Patentee after: BEIJING ULTRAPOWER INFORMATION SAFETY TECHNOLOGY Co.,Ltd.

Address before: 100107 Beijing city Haidian District wanquanzhuang Road No. 28 Wanliu new building block A room 604

Patentee before: BEIJING ULTRAPOWER INFORMATION SAFETY TECHNOLOGY Co.,Ltd.
