CN106131063A - A kind of network security processing method and device - Google Patents

Info

Publication number
CN106131063A
Authority
CN
China
Prior art keywords
outer net
checking information
public network
state
network address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610715055.XA
Other languages
Chinese (zh)
Other versions
CN106131063B (en)
Inventor
王国利
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201610715055.XA
Publication of CN106131063A
Application granted
Publication of CN106131063B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information the source of the received data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application provides a network security processing method and device. The method includes: when an external-network data request packet sent by an external-network sender is received, judging whether the public network address of the external-network sender exists in first verification information; if it exists, and the state corresponding to the public network address of the external-network sender in the first verification information is a first state, forwarding the external-network data request packet; if it does not exist, updating the first verification information according to the session state between the external-network sender and the internal-network receiver; and, when the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state, forwarding the external-network data request packet. The present application solves the problem that, in existing NAT schemes, an attacker can easily carry out a network attack on an internal-network host through a NAT entry.

Description

A kind of network security processing method and device
Technical field
The present application relates to the field of communication technology, and in particular to a network security processing method and device.
Background technology
With the development of communication technology, the ways in which data is exchanged keep increasing, and the security of the network environment in which communication takes place is becoming more and more important.
For example, one common network security management method can be realised on the basis of NAT (Network Address Translation) technology. While solving the shortage of IP (Internet Protocol) addresses, NAT technology can effectively prevent attacks from external networks and effectively hide and protect the computers inside the network. One scenario to which NAT technology is particularly applicable is that some hosts inside a private network have already been assigned local IP addresses (private addresses that are used only within that private network) but need to communicate with hosts on other, external networks.
When implemented, the NAT process is as follows: NAT is enabled on the internal-network-side interface, and the firewall replaces the source address of the original packet with a legal public network address and records this translation; afterwards, when a packet returns from the external-network side, the firewall looks up the original translation record, replaces the packet's destination address back with the original private network address, and delivers the packet to the internal-network-side host. In this process the private network address, the public network address and the port recorded in the device's NAT entry may be in a one-to-one relationship. Here, a private network address refers to the IP address of an internal network or host, and a public network address refers to an IP address that is globally unique on the Internet.
However, existing NAT schemes still have a problem in practical application: once a NAT entry has been successfully established and a packet initiated from the external-network side matches it, the existing NAT scheme does not care about the source address (public network address) of the external-network initiator and directly uses the established NAT entry to perform address translation. Any external-network initiator can therefore access the corresponding internal-network host through a currently existing NAT entry, which makes it easy for an attacker to carry out a network attack on an internal-network host through a NAT entry.
Summary of the invention
The present application provides a network security processing method and device to solve the problem that, in existing NAT schemes, an attacker can easily carry out a network attack on an internal-network host through a NAT entry.
To solve the above problem, the present application discloses a network security processing method, including:
when an external-network data request packet sent by an external-network sender is received, judging whether the public network address of the external-network sender exists in first verification information;
if it exists, and the state corresponding to the public network address of the external-network sender in the first verification information is a first state, forwarding the external-network data request packet;
if it does not exist, updating the first verification information according to the session state between the external-network sender and the internal-network receiver; wherein, when the session state is a full-connection state, the public network address of the external-network sender is added to the first verification information and the state corresponding to that public network address in the first verification information is set to the first state; and when the session state is a non-full-connection state, the public network address of the external-network sender is added to the first verification information and the state corresponding to that public network address in the first verification information is set to a second state;
when the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state, forwarding the external-network data request packet.
The present application also discloses a network security processing device, including:
a first judging module, for judging, when an external-network data request packet sent by an external-network sender is received, whether the public network address of the external-network sender exists in first verification information;
a first forwarding module, for forwarding the external-network data request packet if the public network address of the external-network sender exists in the first verification information and the state corresponding to that public network address in the first verification information is a first state;
an updating module, for updating the first verification information according to the session state between the external-network sender and the internal-network receiver if the public network address of the external-network sender does not exist in the first verification information; wherein, when the session state is a full-connection state, the public network address of the external-network sender is added to the first verification information and the state corresponding to that public network address in the first verification information is set to the first state; and when the session state is a non-full-connection state, the public network address of the external-network sender is added to the first verification information and the state corresponding to that public network address in the first verification information is set to a second state;
a second forwarding module, for forwarding the external-network data request packet when the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state.
Compared with the prior art, the present application has the following advantages:
In the network security processing scheme disclosed in the present application, when an external-network data request packet sent by an external-network sender is received, the public network address of the external-network sender is first judged: when the public network address of the external-network sender exists in the first verification information and the state corresponding to that public network address in the first verification information is the first state, the external-network data request packet may be forwarded; when the public network address of the external-network sender does not exist in the first verification information, the first verification information may be updated according to the session state between the external-network sender and the internal-network receiver, and after the first verification information has been updated, the external-network data request packet is forwarded when the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state. It can be seen that in the present application the public network address of the external-network sender is judged, and the external-network data request packet is forwarded only when the judgement result for that public network address meets certain requirements (for example, the public network address of the external-network sender exists in the first verification information and the corresponding state in the first verification information is the first state; or, the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state); in other words, when the judgement result for the public network address of the external-network sender does not meet the above requirements, the external-network data request packet is not forwarded. It can be seen that in the present application the external-network sender is verified and screened on the basis of the first verification information, and only the external-network data request packets sent by verified external-network senders are forwarded. This effectively restricts unverified external-network senders from sending external-network data request packets to the internal-network receiver, thereby prevents arbitrary external-network senders from accessing the internal-network receiver, and effectively prevents internal-network users from being subjected to network attacks by external-network senders.
Brief description of the drawings
Fig. 1 is a flowchart of the steps of a network security processing method in an embodiment of the present application;
Fig. 2 is a flowchart of the steps of another network security processing method in an embodiment of the present application;
Fig. 3 is a schematic diagram of the process of establishing an address table in an embodiment of the present application;
Fig. 4 is a structural block diagram of a network security processing device in an embodiment of the present application;
Fig. 5 is a structural block diagram of a preferred network security processing device in an embodiment of the present application.
Detailed description of the invention
To make the above objects, features and advantages of the present application clearer and easier to understand, the present application is described in further detail below with reference to the accompanying drawings and specific embodiments.
Referring to Fig. 1, a flowchart of the steps of a network security processing method in an embodiment of the present application is shown. In this embodiment, the network security processing method can be, but is not limited to being, applied to the data interaction between an external-network device (the external-network sender) and an internal-network device (the internal-network receiver).
The network security processing method includes:
Step 102: when an external-network data request packet sent by an external-network sender is received, judge whether the public network address of the external-network sender exists in first verification information.
Usually, when an external-network device and an internal-network device interact, data packets are transmitted in both directions: the internal-network device sends internal-network data request packets to the external-network device, and the external-network device sends external-network data request packets to the internal-network device.
In this embodiment, the external-network data packet may carry the public network address corresponding to the external-network device (that is, the external-network sender). When an external-network data request packet sent by an external-network sender is received, it can be judged whether the public network address of the external-network sender exists in the first verification information.
When the public network address of the external-network sender exists in the first verification information and the state corresponding to that public network address in the first verification information is a first state, the following step 104 may be performed; when the public network address of the external-network sender does not exist in the first verification information, the following step 106 may be performed.
Step 104: forward the external-network data request packet.
Usually, if the external-network sender is a host device that is genuinely and legitimately accessing the network, there are normal mutual packets between the external-network sender and the internal-network receiver, and the corresponding session state between the external-network sender and the internal-network receiver is a full-connection state. In this embodiment, the first state may be used to indicate that the corresponding session state between the external-network sender and the internal-network receiver is the full-connection state; therefore, when the public network address of the external-network sender exists in the first verification information and the state corresponding to that public network address in the first verification information is the first state, the external-network data request packet may be forwarded.
Forwarding the external-network data request packet can be, but is not limited to being, implemented on the basis of a NAT session entry. For example, the private network address corresponding to the public network address of the external-network sender may be determined according to the NAT session entry; then the destination address of the external-network data request packet is replaced with the determined private network address; finally, the external-network data request packet is forwarded to the internal-network receiver according to the determined private network address.
Step 106: update the first verification information according to the session state between the external-network sender and the internal-network receiver.
In this embodiment, the first verification information may be established in advance, and the verification entries in the first verification information may be updated dynamically according to the actual situation. The first verification information can include, but is not limited to, the public network address corresponding to each external-network sender and the corresponding state information.
For example, when the public network address of the external-network sender does not exist in the first verification information, the first verification information may be updated accordingly by adding the public network address and the state corresponding to the external-network sender to the first verification information. Specifically, the first verification information can be, but is not limited to being, updated according to the session state between the external-network sender and the internal-network receiver: when the session state is a full-connection state, the public network address of the external-network sender is added to the first verification information and the state corresponding to that public network address in the first verification information is set to the first state; when the session state is a non-full-connection state, the public network address of the external-network sender is added to the first verification information and the state corresponding to that public network address in the first verification information is set to a second state.
Step 108: when the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state, forward the external-network data request packet.
In this embodiment, after the first verification information has been updated, whether to forward the external-network data request packet can be determined according to the verification entries in the updated first verification information: when the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state, the external-network data request packet is forwarded.
In summary, in the network security processing method of this embodiment, when an external-network data request packet sent by an external-network sender is received, the public network address of the external-network sender is first judged: when the public network address of the external-network sender exists in the first verification information and the state corresponding to that public network address in the first verification information is the first state, the external-network data request packet may be forwarded; when the public network address of the external-network sender does not exist in the first verification information, the first verification information may be updated according to the session state between the external-network sender and the internal-network receiver, and after the first verification information has been updated, the external-network data request packet is forwarded when the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state. It can be seen that in this embodiment the public network address of the external-network sender is judged, and the external-network data request packet is forwarded only when the judgement result for that public network address meets certain requirements (for example, the public network address of the external-network sender exists in the first verification information and the corresponding state in the first verification information is the first state; or, the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state); in other words, when the judgement result for the public network address of the external-network sender does not meet the above requirements, the external-network data request packet is not forwarded.
From the above, in this embodiment the external-network sender is verified and screened on the basis of the first verification information, and only the external-network data request packets sent by verified external-network senders are forwarded. This effectively restricts unverified external-network senders from sending external-network data request packets to the internal-network receiver, thereby prevents arbitrary external-network senders from accessing the internal-network receiver, and effectively prevents internal-network users from being subjected to network attacks by external-network senders.
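The Fig. 1 flow (steps 102 to 108) together with the NAT-entry-based destination rewrite of step 104, as an added illustration that is not the patent's own code. It assumes a NAT session table keyed by the external sender's public address, models "full connection" as a session in which packets have been observed in both directions (an assumption; the patent leaves the criterion to the NAT session entry), and uses constructed documentation addresses throughout.

```python
"""Fig. 1 flow: forward an inbound external packet only when the sender's public
address is recorded in the first verification information with the first state.
Added example, not the patent's code; addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

FIRST_STATE = "first"    # session between sender and internal receiver is a full connection
SECOND_STATE = "second"  # session is not a full connection


@dataclass
class NatSession:
    """Hypothetical NAT session entry for one external peer."""
    private_addr: str            # internal host the session belongs to
    seen_outbound: bool = False  # internal -> external packet observed
    seen_inbound: bool = False   # external -> internal packet observed

    @property
    def full_connection(self) -> bool:
        # Assumption: "full connection" means traffic observed in both directions.
        return self.seen_outbound and self.seen_inbound


@dataclass
class Packet:
    src: str
    dst: str
    payload: str = ""


@dataclass
class NatFirewall:
    public_addr: str  # address the firewall presents to the outside
    # NAT session entries keyed by the external peer's public address
    sessions: Dict[str, NatSession] = field(default_factory=dict)
    # first verification information: public address -> state
    first_info: Dict[str, str] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host sends to an external peer: record/refresh the NAT
        session and translate the source to the firewall's public address."""
        s = self.sessions.setdefault(pkt.dst, NatSession(private_addr=pkt.src))
        s.seen_outbound = True
        return Packet(self.public_addr, pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """External sender -> internal receiver: Fig. 1 steps 102-108.
        Returns the translated packet to deliver, or None when it is not forwarded."""
        s = self.sessions.get(pkt.src)
        if s is not None:
            s.seen_inbound = True
        # Step 102: is the sender's public address in the first verification information?
        if pkt.src not in self.first_info:
            # Step 106: update it according to the session state.
            full = s is not None and s.full_connection
            self.first_info[pkt.src] = FIRST_STATE if full else SECOND_STATE
        # Steps 104 / 108: forward only in the first state.
        if self.first_info[pkt.src] != FIRST_STATE or s is None:
            return None
        # Step 104 detail: rewrite the destination using the NAT session entry.
        return Packet(pkt.src, s.private_addr, pkt.payload)


if __name__ == "__main__":
    fw = NatFirewall(public_addr="192.0.2.1")
    fw.outbound(Packet("10.0.0.5", "203.0.113.10", "request"))
    print(fw.inbound(Packet("203.0.113.10", "192.0.2.1", "reply")))   # delivered to 10.0.0.5
    print(fw.inbound(Packet("198.51.100.7", "192.0.2.1", "probe")))   # None: no session, second state
```

Because the verification table is keyed by the sender's public address, a sender that has no session of its own cannot reuse an entry created for another peer, which is the weakness the background section attributes to plain NAT.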
With reference to Fig. 2, it is shown that the flow chart of steps of another network security processing method in the embodiment of the present application.In this reality Execute in example, it should be noted that usually, if outer net sender is the main process equipment of a true access, outer net sender and Normal mutual message is had, the outer net sender recorded in NAT session entry and Intranet recipient between Intranet recipient Between session status be the state of a full connection.If outer net sender is one attacks end, then outer net sender only can be to Intranet recipient sends attack message, the session between the outer net sender and the Intranet recipient that record in NAT session entry State is the state of a non-full connection.Wherein, the first checking information can preserve the public affairs that multiple outer net sender is corresponding Net address and corresponding state.Wherein, described state may include that the first state and the second state.Described first state is permissible For indicating the session status between described outer net sender and Intranet recipient to be full connection status, described second state is permissible For indicating the session status between described outer net sender and Intranet recipient to be non-full connection status.In second checking information Then can preserve the public network address of each outer net sender that corresponding states is the second state.
Wherein, described network security processing method includes:
Step 202, receives the outer net request of data message sent by outer net sender.
In the present embodiment, described outer net request of data message can carry the public network that described outer net sender is corresponding Address.
Step 204, when receiving the outer net request of data message sent by outer net sender, it is judged that the second checking information In whether there is the public network address of described outer net sender.
As it was previously stated, the public network address of corresponding storage is all public network ground corresponding to the second state in described second checking information Location, memory data output is less, in order to improve the treatment effeciency of the network security processing method described in the present embodiment, can first judge Whether the second checking information exists and the public network address of described outer net sender.
Wherein, if described second checking information existing the public network address with described outer net sender, then according to aforesaid: Second checking information preserves be corresponding states be the public network address of each outer net sender of the second state, and the second state Session status between corresponding instruction outer net sender and Intranet recipient is non-full connection status, it may be determined that outer net sender It is one and attacks end, now can perform following step 206.
If described second checking information does not exist and the public network address of described outer net sender, then can perform following step Rapid 208.
Step 206, abandons described outer net request of data message.
Step 208, it is judged that whether there is the public network address of described outer net sender in the first checking information.
In the present embodiment, if described first checking information exists the public network address of described outer net sender, the most permissible Perform following step 210;If described first checking information does not exist the public network address of described outer net sender, then can perform Following step 214.
Step 210, determines state corresponding with the public network address of described outer net sender in described first checking information.
In the present embodiment, when state corresponding with the public network address of described outer net sender in described first checking information When being the first state, following step 212 can be performed;When in described first checking information with the public network of described outer net sender ground When state corresponding to location is described second state, above-mentioned steps 206 can be performed.
Step 212, forwards described outer net request of data message.
Step 214, it is judged that whether the memory data output of described first checking information reaches predetermined threshold value.
In the present embodiment, in order to ensure the service bearer ability of equipment, can pre-set described according to practical situation The threshold value of the memory data output that the first checking information is corresponding.Wherein, if the memory data output of described first checking information reaches pre- If threshold value, then can perform following step 216;If the memory data output of described first checking information is not up to predetermined threshold value, then Following step 220 can be performed;.
Step 216, it is judged that whether there is the public network address that state is the second state of correspondence in described first checking information.
In the present embodiment, if described first checking information does not exist the public network that state is the second state ground of correspondence Location, then now the first checking information of illustrating can not receive the public network address to more outer net sender and corresponding states Preserve, it is impossible to realizing the judgement to outer net sender, now the outer network data in order to avoid malice outer net sender being sent please Ask message to send to Intranet recipient, can directly abandon described outer net request of data message, that is, above-mentioned steps can be performed 206。
If described first checking information exists the public network address that state is the second state of correspondence, then can perform following Step 218.
Step 218, tests the public network address that state is the second state of described correspondence and the state of correspondence from described first Card information removes, and the public network address that state is the second state of described correspondence is added to the second checking information.
In the present embodiment, after the public network address whose corresponding state is the second state has been added to the second verification information, the amount of data stored in the first verification information decreases and falls below the preset threshold. The first verification information can then accept the public network addresses and corresponding states of further external-network senders, and step 220 below can be performed.
Step 220: update the first verification information according to the session state between the external-network sender and the intranet recipient.
As described above, a NAT session entry records the session state between the external-network sender and the intranet recipient. In the present embodiment the session state between the external-network sender and the intranet recipient can be obtained from, but is not limited to, the NAT session entry. When the session state is the full-connection state, the public network address of the external-network sender is written into the first verification information and the state corresponding to that address in the first verification information is set to the first state; when the session state is the non-full-connection state, the public network address of the external-network sender is written into the first verification information and the state corresponding to that address is set to the second state.
Step 222: determine the state corresponding to the public network address of the external-network sender in the updated first verification information.
In the present embodiment, when the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state, step 212 above can be performed; when that state is the second state, step 206 above can be performed.
It should be noted that, in a preferred variant of the present embodiment, in order to prevent an invalid public network address and its corresponding state from occupying the first verification information for a long time, and likewise to prevent an invalid public network address from occupying the second verification information for a long time, an aging time can be pre-configured for each of the first verification information and the second verification information, and the first and second verification information are cleaned up on the basis of the configured aging times. Specifically, the method can further include:
Step 224: pre-configure the aging time corresponding to each of the first verification information and the second verification information.
In the present embodiment, the aging times corresponding to the first verification information and the second verification information can be determined according to the actual situation. Step 224 can be performed before or after any of steps 202 to 222; the present embodiment imposes no restriction on this.
More preferably, the method can further include:
Step 226: delete from the first verification information any public network address, together with its corresponding state, whose existence time has reached the aging time of the first verification information; delete from the second verification information any public network address whose existence time has reached the aging time of the second verification information.
In the present embodiment, step 226 can be performed before or after any step following step 224; the present embodiment imposes no restriction on this.
In summary, in the network security processing method described in the present embodiment, when an external-network data request packet sent by an external-network sender is received, the public network address of the external-network sender is first checked. If the public network address exists in the first verification information and the state corresponding to it there is the first state, the external-network data request packet is forwarded. If the public network address does not exist in the first verification information, the first verification information is updated according to the session state between the external-network sender and the intranet recipient, and after the update the packet is forwarded only if the state corresponding to the public network address in the updated first verification information is the first state. In other words, the external-network data request packet is forwarded only when the check on the public network address of the external-network sender meets a certain requirement (the address exists in the first verification information with the first state, or the address has the first state in the first verification information after the update); when that requirement is not met, the packet is not forwarded.
Accordingly, in the present embodiment external-network senders are verified and screened on the basis of the first verification information, only the data request packets of verified senders are forwarded, and unverified senders are effectively prevented from sending data request packets to the intranet recipient. This avoids arbitrary access by external-network senders to the intranet recipient and effectively protects intranet users from network attacks by external-network senders.
Secondly, in the present embodiment, configuring aging times for the first and second verification information and a size for the first verification information prevents the public network address of any single external-network sender from occupying the first or second verification information for a long time, so that other external-network senders can still be verified. Aged (out-of-date) entries in the first and second verification information are removed in time, so that legitimate external-network hosts can still access intranet hosts normally through NAT reversible entries and normal data exchange between external hosts and intranet hosts is not affected.
In conjunction with the above embodiments, the present embodiment explains the network security processing method with a specific example. In the present embodiment, security protection of intranet devices can be achieved by establishing and maintaining the first verification information and the second verification information, so that intranet devices are protected from attacks (e.g., a DDoS attack, Distributed Denial of Service attack). When an external-network device sends an external-network data request packet to an intranet device, the external-network device acts as the external-network sender and the intranet device as the intranet recipient.
Further, to facilitate management and maintenance of the first and second verification information, they can be, but are not limited to being, presented in the form of data tables. For example, the first verification information can take the form of an address table and the second verification information the form of an attack table.
The establishment of the address table and of the attack table is described separately below.
1. Establishment of the address table
Table 1 below is an address table according to an embodiment of the present application:
Public network address    State
20.1.1.10                 Open
30.1.1.10                 Close
Table 1
In Table 1, the public network address is the public network address of an external-network sender; the state Open (the second state) indicates that the session between sender and recipient is in the non-full-connection state, and the state Close (the first state) indicates that the session is in the full-connection state. When the state corresponding to a public network address stored in the address table is Close, the external-network sender matching that address in the address table is considered to be a real, legitimate host; when the state is Open, the external-network sender matching that address is considered to be an attack end.
The address table can be established as follows.
Referring to Fig. 3, a schematic flow of establishing an address table according to an embodiment of the present application is shown.
Here user1 is an intranet device (the intranet recipient), HTTP Server is a server on the external network, user100 is an external-network device (a real, legitimately accessing host, external-network sender A), attacker is an attack end (external-network sender B) that can simulate attack sources 33.33.33.1 to 33.33.33.250, and Firewall is the firewall device.
In the present embodiment, NO-PAT (no port translation, only IP address translation) is configured on the intranet-side outbound interface G1/0/2 of the firewall device, with the address pool of public addresses 202.12.5.10-202.12.5.11 and the reversible function enabled. When user1 browses web pages on the HTTP Server, the firewall device creates a NAT reversible entry for reverse address translation, which can be as follows:
Local IP: 192.168.1.11 ---- private network address of user1
Global IP: 202.12.5.10 ---- public network address after translation
Reversible: Y ---- reversible function supported
Type: Outbound ---- outbound type
In the present embodiment, when user100 or the attacker end, acting as an external-network sender, accesses user1 through the NAT reversible entry, a corresponding NAT session entry is created. The NAT session entry includes at least the following information: the address and port of the external-network sender (user100 or the attacker end), the address and port of the recipient (user1), the address and port after NAT translation, the time the session was created, the state of the session, and statistics of the matching packets.
In the present embodiment, when user100 accesses user1 through the NAT reversible entry, user100 is a real, legitimately accessing host and normal packets are exchanged between user1 and user100, so the session state recorded in the NAT session entry is the full-connection state. The public network address 100.1.1.10 of user100 can then be added to the address table with its state set to Close (in the format of Table 1 above).
When the attacker end uses the simulated public network address 33.33.33.2 to attack user1 through the NAT reversible entry, 33.33.33.2 is an attack end that only sends DDoS traffic to user1, so the session state recorded in the NAT session entry is the non-full-connection state. The public network address 33.33.33.2 simulated by the attacker end can then be added to the address table with its state set to Open (in the format of Table 1 above).
It should be noted that in the present embodiment, after user100 and user1 disconnect, the corresponding NAT session entry is deleted, and the entry for user100 in the address table can be deleted as well. When the attacker end temporarily stops attacking, the corresponding NAT session entry is also deleted, and the entry for the simulated public network address 33.33.33.2 in the address table can be deleted too. Cleaning up address table entries in time reduces the load on the device, ensures that the address table can record the session states of more external-network devices, and improves the service capacity.
2. Establishment of the attack table
In the present embodiment, to reduce the difficulty of maintaining and managing the address table, the size of the address table can be configured, for example, but not limited to, 1000. With a size of 1000, at most 1000 connections are allowed to access the intranet device through the NAT reversible entry at the same moment. If the address table corresponding to a NAT reversible entry already holds 1000 entries and further connections match that NAT reversible entry, the attack table can be used to balance the service load.
Specifically, it is first determined whether any of the (1000) entries in the address table has the state Open. If so, the entries with state Open can be removed from the address table and added to the attack table. If all (1000) entries in the address table have the state Close, the new connection can be discarded; only when the number of entries in the address table falls below 1000 are other connections matching the NAT reversible entry allowed to access the intranet device.
It should be noted that in the present embodiment, the address table and the attack table are each configured with a corresponding aging time; when the existence time of an entry in the address table (or the attack table) reaches that aging time, the entry is removed directly.
In the present embodiment, security protection of the intranet device is achieved on the basis of the address table and attack table established above. The specific flow can be as follows:
Step S31: the intranet device sends a request to an external-network server, and the firewall device creates a NAT reversible entry.
Step S32: an external-network device sends an external-network data request packet to the intranet device and accesses the intranet device by matching the NAT reversible entry.
Step S33: determine whether the public network address carried in the external-network data request packet matches the attack table.
In the present embodiment, if it matches, the external-network data request packet can be discarded directly; if it does not match, step S34 below can be performed.
Step S34: determine whether the public network address carried in the external-network data request packet matches the address table.
In the present embodiment, determining whether the public network address carried in the external-network data request packet matches the address table means determining whether the public network address of the external-network sender exists in the address table. If it exists, step S36 below can be performed; if not, step S38 below can be performed.
Step S36: when the state corresponding to the public network address of the external-network sender in the address table is the first state, forward the external-network data request packet; when that state is the second state, discard the external-network data request packet.
Step S38: update the address table according to the session state between the external-network sender and the intranet recipient.
In the present embodiment, before the address table is updated according to the session state between the external-network sender and the intranet recipient, it can first be determined whether the amount of data stored in the address table has reached the preset threshold. If it has not, the address table is updated according to the session state between the external-network sender and the intranet recipient. If it has, it is further determined whether the address table contains a public network address whose corresponding state is the second state; if not, the external-network data request packet can be discarded directly; if so, that public network address and its corresponding state are removed from the address table, the public network address is added to the attack table, and the address table is then updated according to the session state between the external-network sender and the intranet recipient.
It should be noted that updating the address table according to the session state between the external-network sender and the intranet recipient can specifically include: when the session state is the full-connection state, adding the public network address corresponding to the external-network packet to the address table and setting its corresponding state in the address table to the first state (e.g., Close); when the session state is the non-full-connection state, adding the public network address corresponding to the external-network packet to the address table and setting its corresponding state in the address table to the second state (e.g., Open).
Step S310: when the state corresponding to the public network address of the external-network sender in the updated address table is the first state, forward the external-network data request packet; when that state is the second state, discard the external-network data request packet.
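The screening flow of steps S31 to S310, together with the threshold handling of step S38 and the aging of step 226, is shown below as an added Python example; it is not the patent's own code. It replaces the NAT session entries by an assumed mapping from (sender, recipient) to a "full" or "half" session state, the NAT reversible entry by a mapping from the global IP to the local IP, and uses an arbitrary table size and aging times. When the address table is full it moves every Open entry to the attack table; the description does not say whether one or all such entries are moved, so this is one reading of it.

```python
"""Added example (not the patent's own code): a model of the address table and
attack table screening described in steps 220-226 and S31-S310 above.  The NAT
reversible entry, the session states, the table size and the aging times are
constructed assumptions for illustration, not values taken from the patent."""
import time

CLOSE, OPEN = "Close", "Open"       # first state (full connection) / second state (non-full)
FORWARD, DROP = "forward", "drop"


class AgingTable:
    """public network address -> (state, insertion time); entries whose existence
    time has reached aging_time are purged (step 226)."""

    def __init__(self, aging_time, capacity=None):
        self.aging_time = aging_time
        self.capacity = capacity         # None means no size limit (the attack table)
        self.entries = {}

    def purge(self, now):
        stale = [a for a, (_, t0) in self.entries.items() if now - t0 >= self.aging_time]
        for a in stale:
            del self.entries[a]
        return stale

    def lookup(self, addr):
        entry = self.entries.get(addr)
        return None if entry is None else entry[0]

    def insert(self, addr, state, now):
        self.entries[addr] = (state, now)

    def is_full(self):
        return self.capacity is not None and len(self.entries) >= self.capacity


class ReversibleNatFirewall:
    def __init__(self, reversible, sessions, addr_capacity=1000,
                 addr_aging=300, attack_aging=900):
        self.reversible = reversible     # global IP -> local IP of the intranet host (S31)
        # assumed stand-in for the NAT session entries: (sender, recipient) -> "full" | "half"
        self.sessions = sessions
        self.address_table = AgingTable(addr_aging, addr_capacity)   # first verification information
        self.attack_table = AgingTable(attack_aging)                 # second verification information

    def session_state(self, src, dst):
        """Full connection (normal exchange) vs non-full (e.g. only attack traffic)."""
        return self.sessions.get((src, dst), "half")

    def update_address_table(self, src, dst, now):
        """Step 220 / S38: Close for a full connection, Open for a non-full one."""
        state = CLOSE if self.session_state(src, dst) == "full" else OPEN
        self.address_table.insert(src, state, now)
        return state

    def make_room(self, now):
        """Threshold handling: move every Open entry into the attack table.
        Returns False when the address table holds only Close entries."""
        victims = [a for a, (s, _) in self.address_table.entries.items() if s == OPEN]
        for a in victims:
            del self.address_table.entries[a]
            self.attack_table.insert(a, OPEN, now)
        return bool(victims)

    def handle(self, src, dst, now=None):
        """Decide whether the external data request packet src -> dst is forwarded."""
        now = time.time() if now is None else now
        self.address_table.purge(now)
        self.attack_table.purge(now)
        if dst not in self.reversible:                    # S32: no reversible entry to match
            return DROP
        if self.attack_table.lookup(src) is not None:     # S33: known attack source
            return DROP
        state = self.address_table.lookup(src)            # S34
        if state is not None:                             # S36
            return FORWARD if state == CLOSE else DROP
        if self.address_table.is_full() and not self.make_room(now):
            return DROP                                   # only Close entries: drop the new connection
        state = self.update_address_table(src, dst, now)  # S38
        return FORWARD if state == CLOSE else DROP        # S310


if __name__ == "__main__":
    # constructed scenario from the description above: user100 is legitimate,
    # 33.33.33.2 is a simulated attack source, 202.12.5.10 is user1's global IP
    fw = ReversibleNatFirewall(
        reversible={"202.12.5.10": "192.168.1.11"},
        sessions={("100.1.1.10", "202.12.5.10"): "full",
                  ("33.33.33.2", "202.12.5.10"): "half"},
        addr_capacity=2, addr_aging=60, attack_aging=120)
    for t, src in enumerate(["100.1.1.10", "33.33.33.2", "33.33.33.2", "100.1.1.10"]):
        print(t, src, fw.handle(src, "202.12.5.10", now=t))
```

Both tables are keyed on the sender's public address only, exactly as Table 1 is, so a source that once completed a real connection keeps its Close entry until the aging time expires, and an attacker cycling through spoofed addresses (the attacker end above simulates 33.33.33.1 to 33.33.33.250) grows the attack table by one entry per address; the aging times are what bound both windows, which is the practical reason the scheme treats them as part of the design rather than an optional extra.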
It should be noted that, for brevity, the foregoing method embodiments are all expressed as a series of combined actions; those skilled in the art should understand that the present application is not limited by the described order of actions, since according to the present application some steps can be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in this specification are preferred embodiments and that the actions involved are not necessarily required by the present application.
On the basis of the above method embodiments, referring to Fig. 4, a structural block diagram of a network security processing device according to an embodiment of the present application is shown. In the present embodiment, the network security processing device includes:
A first judging module 402, configured to judge, when an external-network data request packet sent by an external-network sender is received, whether the public network address of the external-network sender exists in the first verification information.
A first forwarding module 404, configured to forward the external-network data request packet if the public network address of the external-network sender exists in the first verification information and the state corresponding to that address in the first verification information is the first state.
An updating module 406, configured to update the first verification information according to the session state between the external-network sender and the intranet recipient if the public network address of the external-network sender does not exist in the first verification information.
In the present embodiment, when the session state is the full-connection state, the public network address of the external-network sender is written into the first verification information and the state corresponding to that address in the first verification information is set to the first state; when the session state is the non-full-connection state, the public network address of the external-network sender is written into the first verification information and the state corresponding to that address is set to the second state.
A second forwarding module 408, configured to forward the external-network data request packet when the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state.
Thus, in the present embodiment, external-network senders are verified and screened on the basis of the first verification information, only the data request packets of verified senders are forwarded, and unverified senders are effectively prevented from sending data request packets to the intranet recipient. This avoids arbitrary access by external-network senders to the intranet recipient and effectively protects intranet users from network attacks by external-network senders.
In a preferred embodiment of the present application, referring to Fig. 5, a structural block diagram of a preferred network security processing device according to an embodiment of the present application is shown.
In one preferred variant, the network security processing device can further include:
A first discarding module 408, configured to discard the external-network data request packet after the first judging module 402 has judged whether the public network address of the external-network sender exists in the first verification information, if that address exists in the first verification information and the state corresponding to it in the first verification information is the second state.
A second discarding module 410, configured to discard the external-network data request packet after the updating module 406 has updated the first verification information according to the session state between the external-network sender and the intranet recipient, when the state corresponding to the public network address of the external-network sender in the updated first verification information is the second state.
In another preferred variant, the network security processing device can further include:
A second judging module 412, configured to judge, before the updating module 406 updates the first verification information according to the session state between the external-network sender and the intranet recipient, whether the amount of data stored in the first verification information has reached the preset threshold.
A third judging module 414, configured to judge, if the amount of data stored in the first verification information has reached the preset threshold, whether the first verification information contains a public network address whose corresponding state is the second state.
In the present embodiment, if the first verification information contains a public network address whose corresponding state is the second state, that public network address and its corresponding state are removed from the first verification information, the public network address is added to the second verification information, and the updating module 406 is executed; if it does not, the external-network data request packet is discarded. If the amount of data stored in the first verification information has not reached the preset threshold, the updating module 406 is executed.
In another preferred variant, the network security processing device can further include:
A fourth judging module 416, configured to judge, before the first judging module 402 judges whether the public network address of the external-network sender exists in the first verification information, whether the public network address of the external-network sender exists in the second verification information.
A third discarding module 418, configured to discard the external-network data request packet if the public network address of the external-network sender exists in the second verification information.
In the present embodiment, if the public network address of the external-network sender does not exist in the second verification information, the first judging module 402 is executed.
In another preferred variant, the network security processing device can further include:
A configuration module 420, configured to pre-configure the aging time corresponding to each of the first verification information and the second verification information.
A clearing module 422, configured to delete from the first verification information any public network address, together with its corresponding state, whose existence time has reached the aging time of the first verification information, and to delete from the second verification information any public network address whose existence time has reached the aging time of the second verification information.
In summary, when the network security processing device described in the present embodiment receives an external-network data request packet sent by an external-network sender, it first checks the public network address of the external-network sender. If the public network address exists in the first verification information and the state corresponding to it there is the first state, the packet is forwarded. If the public network address does not exist in the first verification information, the first verification information is updated according to the session state between the external-network sender and the intranet recipient, and after the update the packet is forwarded only if the state corresponding to the public network address in the updated first verification information is the first state. The packet is therefore forwarded only when the check on the sender's public network address meets one of these requirements, and is not forwarded otherwise.
Accordingly, external-network senders are verified and screened on the basis of the first verification information, only the data request packets of verified senders are forwarded, unverified senders are effectively prevented from sending data request packets to the intranet recipient, arbitrary access by external-network senders to the intranet recipient is avoided, and intranet users are effectively protected from network attacks by external-network senders.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to each other. Since the device embodiments are substantially similar to the method embodiments, they are described more briefly, and the relevant parts can be found in the description of the method embodiments.
Those skilled in the art should understand that embodiments of the present application can be provided as a method, a device or a computer program product. Therefore, the present application can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application can take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art can make further changes and modifications to these embodiments once they have learned the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications falling within the scope of the present application.
The network security processing method and device provided by the present application have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present application, and the description of the above embodiments is only intended to help in understanding the method and core idea of the present application. Meanwhile, those of ordinary skill in the art can make changes to the specific embodiments and the scope of application in accordance with the idea of the present application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. A network security processing method, characterized by comprising:
when an external-network data request message sent by an external-network sender is received, judging whether the public network address of the external-network sender exists in first verification information;
if it exists, and the state corresponding to the public network address of the external-network sender in the first verification information is a first state, forwarding the external-network data request message;
if it does not exist, updating the first verification information according to the session state between the external-network sender and an internal-network recipient; wherein, when the session state is a full-connection state, the public network address of the external-network sender is added to the first verification information and the state corresponding to that public network address in the first verification information is set to the first state; when the session state is a non-full-connection state, the public network address of the external-network sender is added to the first verification information and the state corresponding to that public network address in the first verification information is set to a second state;
when the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state, forwarding the external-network data request message.
2. The method according to claim 1, characterized in that:
after the step of judging whether the public network address of the external-network sender exists in the first verification information, the method further comprises: if it exists, and the state corresponding to the public network address of the external-network sender in the first verification information is the second state, discarding the external-network data request message;
after the step of updating the first verification information according to the session state between the external-network sender and the internal-network recipient, the method further comprises: when the state corresponding to the public network address of the external-network sender in the updated first verification information is the second state, discarding the external-network data request message.
3. The method according to claim 1, characterized in that, before the step of updating the first verification information according to the session state between the external-network sender and the internal-network recipient, the method further comprises:
judging whether the amount of data stored in the first verification information has reached a preset threshold;
if not, performing the step of updating the first verification information according to the session state between the external-network sender and the internal-network recipient;
if so, judging whether a public network address whose corresponding state is the second state exists in the first verification information; wherein, if one exists, that public network address and its corresponding state are removed from the first verification information, that public network address is added to second verification information, and the step of updating the first verification information according to the session state between the external-network sender and the internal-network recipient is performed; if none exists, the external-network data request message is discarded.
4. The method according to claim 1, characterized in that, before the step of judging whether the public network address of the external-network sender exists in the first verification information, the method further comprises:
judging whether the public network address of the external-network sender exists in second verification information;
if it exists, discarding the external-network data request message;
if it does not exist, performing the step of judging whether the public network address of the external-network sender exists in the first verification information.
5. The method according to claim 3, characterized in that the method further comprises:
pre-configuring an ageing time for each of the first verification information and the second verification information;
deleting from the first verification information each public network address whose existence time has reached the ageing time corresponding to the first verification information, together with the state corresponding to that public network address;
deleting from the second verification information each public network address whose existence time has reached the ageing time corresponding to the second verification information.
6. A network security processing device, characterized by comprising:
a first judging module, for judging, when an external-network data request message sent by an external-network sender is received, whether the public network address of the external-network sender exists in first verification information;
a first forwarding module, for forwarding the external-network data request message if the public network address of the external-network sender exists in the first verification information and the state corresponding to that public network address in the first verification information is a first state;
an updating module, for updating the first verification information according to the session state between the external-network sender and an internal-network recipient if the public network address of the external-network sender does not exist in the first verification information; wherein, when the session state is a full-connection state, the public network address of the external-network sender is added to the first verification information and the state corresponding to that public network address in the first verification information is set to the first state; when the session state is a non-full-connection state, the public network address of the external-network sender is added to the first verification information and the state corresponding to that public network address in the first verification information is set to a second state;
a second forwarding module, for forwarding the external-network data request message when the state corresponding to the public network address of the external-network sender in the updated first verification information is the first state.
7. The device according to claim 6, characterized by further comprising:
a first discarding module, for discarding the external-network data request message after the first judging module has judged whether the public network address of the external-network sender exists in the first verification information, if that public network address exists in the first verification information and the state corresponding to it in the first verification information is the second state;
a second discarding module, for discarding the external-network data request message after the updating module has updated the first verification information according to the session state between the external-network sender and the internal-network recipient, when the state corresponding to the public network address of the external-network sender in the updated first verification information is the second state.
8. The device according to claim 6, characterized by further comprising:
a second judging module, for judging, before the updating module updates the first verification information according to the session state between the external-network sender and the internal-network recipient, whether the amount of data stored in the first verification information has reached a preset threshold;
a third judging module, for judging, if the amount of data stored in the first verification information has reached the preset threshold, whether a public network address whose corresponding state is the second state exists in the first verification information; wherein, if one exists, that public network address and its corresponding state are removed from the first verification information, that public network address is added to second verification information, and the updating module is executed; if none exists, the external-network data request message is discarded;
wherein, if the amount of data stored in the first verification information has not reached the preset threshold, the updating module is executed.
9. The device according to claim 6, characterized by further comprising:
a fourth judging module, for judging, before the first judging module judges whether the public network address of the external-network sender exists in the first verification information, whether the public network address of the external-network sender exists in second verification information;
a third discarding module, for discarding the external-network data request message if the public network address of the external-network sender exists in the second verification information;
wherein, if the public network address of the external-network sender does not exist in the second verification information, the first judging module is executed.
10. The device according to claim 8, characterized by further comprising:
a configuration module, for pre-configuring an ageing time for each of the first verification information and the second verification information;
a removing module, for deleting from the first verification information each public network address whose existence time has reached the ageing time corresponding to the first verification information, together with the state corresponding to that public network address; and for deleting from the second verification information each public network address whose existence time has reached the ageing time corresponding to the second verification information.
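The screening procedure of claims 1 to 5 (first verification information as a state table, second verification information as a refusal list, capacity threshold with eviction, ageing) can be modelled in a few lines; the following Python is an added illustration, not the patent's own code. The class and method names are hypothetical, and the session-state lookup between the external sender and the internal recipient is replaced by a boolean argument supplied by the caller.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Tuple


class State(Enum):
    FIRST = 1   # session with the internal-network recipient is fully connected
    SECOND = 2  # session is not (yet) fully connected


@dataclass
class Screener:
    """Model of the first/second verification information (hypothetical names)."""
    threshold: int        # capacity of the first verification information (claim 3)
    first_age: float      # ageing time of the first verification information (claim 5)
    second_age: float     # ageing time of the second verification information (claim 5)
    # public address -> (state, time the entry was created)
    first: Dict[str, Tuple[State, float]] = field(default_factory=dict)
    # public address -> time the entry was created
    second: Dict[str, float] = field(default_factory=dict)

    def age_out(self, now: float) -> None:
        """Claim 5: remove entries whose existence time has reached the ageing time."""
        self.first = {a: v for a, v in self.first.items() if now - v[1] < self.first_age}
        self.second = {a: t for a, t in self.second.items() if now - t < self.second_age}

    def handle(self, addr: str, session_full: bool, now: float) -> str:
        """Return 'forward' or 'drop' for a request from public address `addr`.

        `session_full` stands in for the session-state lookup between the
        external-network sender and the internal-network recipient (assumed here).
        """
        self.age_out(now)
        # Claim 4: an address held in the second verification information is refused
        if addr in self.second:
            return "drop"
        # Claims 1 and 2: a known address is judged by its recorded state only
        if addr in self.first:
            return "forward" if self.first[addr][0] is State.FIRST else "drop"
        # Claim 3: table full -> move one second-state address to the second
        # verification information, or drop the request if there is none to move
        if len(self.first) >= self.threshold:
            victim = next((a for a, v in self.first.items() if v[0] is State.SECOND), None)
            if victim is None:
                return "drop"
            del self.first[victim]
            self.second[victim] = now
        # Claim 1: record the new sender according to its session state
        state = State.FIRST if session_full else State.SECOND
        self.first[addr] = (state, now)
        return "forward" if state is State.FIRST else "drop"
```

Note that a sender first seen with a half-open session keeps its second state until the entry ages out or is evicted, which is what limits a flood of unconfirmed senders from occupying the table.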

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610715055.XA CN106131063B (en) 2016-08-23 2016-08-23 A kind of network security processing method and device

Publications (2)

Publication Number Publication Date
CN106131063A true CN106131063A (en) 2016-11-16
CN106131063B CN106131063B (en) 2019-05-31

Family

ID=57274114

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610715055.XA Active CN106131063B (en) 2016-08-23 2016-08-23 A kind of network security processing method and device

Country Status (1)

Country Link
CN (1) CN106131063B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070091902A1 (en) * 2005-10-24 2007-04-26 Stewart Randall R Securely managing network element state information in transport-layer associations
CN101136917A (en) * 2007-07-12 2008-03-05 中兴通讯股份有限公司 Transmission control protocol blocking module and soft switch method
CN101163041A (en) * 2007-08-17 2008-04-16 中兴通讯股份有限公司 Method of preventing syn flood and router equipment
CN101188612A (en) * 2007-12-10 2008-05-28 中兴通讯股份有限公司 A blacklist real time management method and device
CN105323259A (en) * 2015-12-07 2016-02-10 上海斐讯数据通信技术有限公司 Method and device for preventing synchronous packet attack

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110708301A (en) * 2019-09-24 2020-01-17 贝壳技术有限公司 User request processing method and device, electronic equipment and storage medium
CN110708301B (en) * 2019-09-24 2022-06-24 贝壳找房(北京)科技有限公司 User request processing method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN106131063B (en) 2019-05-31

Legal Events

Code  Title / Description
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
CB02  Change of applicant information
      Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
      Applicant after: Xinhua three Technology Co., Ltd.
      Address before: 310053 Hangzhou science and Technology Development Zone, Zhejiang high tech park, No. six and road, No. 310
      Applicant before: Huasan Communication Technology Co., Ltd.
CB02  Change of applicant information
GR01  Patent grant
GR01  Patent grant