CN106302456A - Session keeping method and device - Google Patents


Info

Publication number
CN106302456A
Authority
CN (China)
Prior art keywords
equipment, safety equipment, service end, service, session
Legal status
Granted
Application number
CN201610673308.1A
Other languages
Chinese (zh)
Other versions
CN106302456B (en)
Inventors
周迪
王军
Current Assignee
Zhejiang Uniview Technologies Co Ltd
Original Assignee
Zhejiang Uniview Technologies Co Ltd
Events
Application filed by Zhejiang Uniview Technologies Co Ltd
Priority to CN201610673308.1A
Publication of CN106302456A
Application granted
Publication of CN106302456B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1083 In-session procedures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/143 Termination or inactivation of sessions, e.g. event-controlled end of session
    • H04L67/145 Termination or inactivation of sessions, e.g. event-controlled end of session, avoiding end of session, e.g. keep-alive, heartbeats, resumption message or wake-up for inactive or interrupted session

Abstract

The present invention relates to a session keeping method and device. The method includes: after a security device is switched to be the serving device, receiving a synchronization message sent by the previously selected serving device, where the synchronization message carries the session information exchanged between the previously selected serving device and the upstream server and downstream client; and maintaining the sessions with the upstream server and the downstream client based on the session information carried in the synchronization message. Applying the present invention, the link can be switched dynamically without affecting the upper-layer service, so that attacks against the link such as penetration attacks cannot continue, which effectively solves the problem in the related art of poor protection capability against attacks on the link.

Description

Session keeping method and device
Technical field
The present invention relates to the field of communication technology, and in particular to a session keeping method and device.
Background technology
With the development of IP technology, IP-based attacks have become increasingly rampant. To defend against IP-based attacks, the related art proposes solutions based on a proxy or a bastion host, which work on two aspects of the traffic: the inspection depth and the inspection frequency of packets. Although a proxy or bastion host can filter out some attack content by inspecting the data sent to the target IP, its ability to identify and defend against attacks that look "normal", such as penetration attacks, is poor. Therefore, when a malicious user attacks the target IP by penetrating through an established link to the target IP, the related art cannot provide effective protection.
Summary of the invention
To overcome the problems in the related art, the present invention provides a session keeping method and device.
The present invention provides a session keeping method, applied to any one of a number of security devices in a network security system that includes the security devices, an upstream server and downstream clients. The security devices are switched at random, based on a preset cycle, to act as the serving device, and the sessions with the upstream server and the downstream clients are kept unchanged during switching. The security devices are all pre-configured with the same downstream IP address as the upstream server, and are all configured with the same upstream IP address corresponding to the upstream server. The method includes:
after the security device is switched to be the serving device, receiving a synchronization message sent by the previously selected serving device, where the synchronization message carries the session information exchanged between the previously selected serving device and the upstream server and downstream client;
maintaining the sessions with the upstream server and the downstream client based on the session information carried in the synchronization message.
As an improvement, the method further includes:
when the security device is switched to be the serving device, generating an ARP message based on the MAC address of the security device and the upstream IP address;
sending the ARP message to the upstream server, so that the upstream server updates its MAC table entry based on the received ARP message.
As an improvement, the method further includes:
when the security device is switched to be the serving device, generating an ARP message based on the MAC address of the security device and the downstream IP address;
sending the ARP message to the downstream client, so that the downstream client updates its MAC table entry based on the received ARP message.
As an improvement, the security devices run different operating systems.
As an improvement, the security device switched to be the serving device and the previously selected serving device synchronize the session information by Layer-2 Ethernet frames.
The present invention also provides a session keeping device, applied to any one of a number of security devices in a network security system that includes the security devices, an upstream server and downstream clients. The security devices are switched at random, based on a preset cycle, to act as the serving device, and the sessions with the upstream server and the downstream clients are kept unchanged during switching. The security devices are all pre-configured with the same downstream IP address as the upstream server, and are all configured with the same upstream IP address corresponding to the upstream server. The device includes:
a synchronization message receiving module, configured to receive, after the security device is switched to be the serving device, the synchronization message sent by the previously selected serving device, where the synchronization message carries the session information exchanged between the previously selected serving device and the upstream server and downstream client;
a session keeping module, configured to maintain the sessions with the upstream server and the downstream client based on the session information carried in the synchronization message.
As an improvement, the device further includes:
a first generation module, configured to generate an ARP message based on the MAC address of the security device and the upstream IP address when the security device is switched to be the serving device;
a first sending module, configured to send the ARP message to the upstream server, so that the upstream server updates its MAC table entry based on the received ARP message.
As an improvement, the device further includes:
a second generation module, configured to generate an ARP message based on the MAC address of the security device and the downstream IP address when the security device is switched to be the serving device;
a second sending module, configured to send the ARP message to the downstream client, so that the downstream client updates its MAC table entry based on the received ARP message.
As an improvement, the security devices run different operating systems.
As an improvement, the security device switched to be the serving device and the previously selected serving device synchronize the session information by Layer-2 Ethernet frames.
In the present invention, when a security device in the network is switched to be the serving device, it can receive a synchronization message sent by the previously selected serving device, where the synchronization message carries the session information exchanged between the previously selected serving device and the upstream server and downstream client; the security device that has been switched to be the serving device can then maintain the sessions with the upstream server and the downstream client based on the session information carried in the synchronization message.
Applying the present invention, the link can be switched dynamically without affecting the upper-layer service, so that attacks against the link, such as penetration attacks, cannot continue; this effectively solves the problem in the related art of poor protection capability against attacks on the link.
Brief description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present invention and, together with the description, serve to explain the principles of the invention.
Fig. 1 is a networking diagram of a network security system;
Fig. 2 is a flow chart of a session keeping method according to an embodiment of the present invention;
Fig. 3 is a diagram of part of the socket information of a TCP connection;
Fig. 4 is a diagram of the session identifier information of a SIP session;
Fig. 5 is a hardware block diagram of a session keeping device in an embodiment of the present invention;
Fig. 6 is a block diagram of a session keeping device according to an exemplary embodiment of the present invention.
Detailed description of the invention
Exemplary embodiments will now be described in detail, examples of which are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of apparatus and methods consistent with some aspects of the invention as detailed in the appended claims.
Referring to Fig. 1, a networking diagram of a network security system is shown.
The network security system shown in Fig. 1 includes a client, a switch, a server, and a number of security devices arranged between the server and the switch. All of these security devices may be located between the server and the switch.
Data is exchanged between the client and the server. To prevent the client from sending illegal, attack, unauthorized or other malicious content that may damage the server, the network security system adds the security devices to perform security inspection on the data that the client sends to the server.
After the security devices confirm that the data sent by the client to the server is normal data, the client can establish a link with the server based on the data it sent. This link can be kept open until the client or the server closes it. While the link is kept open, a malicious user can carry out a penetration attack through it, thereby attacking the server.
The related art protects the server by means of a proxy or a bastion host. However, because the proxy or bastion host works on the inspection depth and inspection frequency of packets, the related art is essentially unable to detect penetration attacks and therefore cannot protect against them effectively. As a result, its protection capability against penetration attacks on the link is poor.
In view of this, the present invention provides a session keeping method and device that solve the problem of poor protection capability of the related art against attacks on the link. In the present invention, when a security device in the network is switched to be the serving device, it can receive a synchronization message sent by the previously selected serving device, where the synchronization message carries the session information exchanged between the previously selected serving device and the upstream server and downstream client; the security device that has been switched to be the serving device can then maintain the sessions with the upstream server and the downstream client based on the session information carried in the synchronization message.
Applying the present invention, the link can be switched dynamically without affecting the upper-layer service, so that attacks against the link, such as penetration attacks, cannot continue; this effectively solves the problem in the related art of poor protection capability against attacks on the link.
Referring to Fig. 2, a flow chart of a session keeping method according to an embodiment of the present invention is shown. This embodiment applies to any one of the security devices in a network security system that includes a number of security devices, and includes the following steps:
Step 201: after the security device is switched to be the serving device, receiving a synchronization message sent by the previously selected serving device, where the synchronization message carries the session information exchanged between the previously selected serving device and the upstream server and downstream client.
In the present invention, the network security system may include a number of security devices, an upstream server and a downstream client. There may be one or more downstream clients; the present invention is not limited in this respect.
Of course, the network security system may also include a switch, in which case the security devices may all be located between the upstream server and the switch.
It should be noted that these security devices may run different operating systems; for example, some of them may run Windows and others Linux. The present invention is not limited in this respect.
In the present invention, the security devices may all be pre-configured with the same downstream IP address as the upstream server, and all pre-configured with the same upstream IP address corresponding to the upstream server.
In an illustrated embodiment, assume that the IP address of the upstream server is 192.168.1.1; the downstream IP address of each security device may then also be configured as 192.168.1.1. When a client sends data to the upstream server at IP address 192.168.1.1, the security devices can receive this data, perform security inspection on it, and then forward it to the upstream server.
When exchanging data with the upstream server, the security devices may all be configured with the same upstream IP address corresponding to the upstream server. The security devices then exchange data with the upstream server from this shared upstream IP address, for example forwarding data to the upstream server after security inspection.
After the same upstream IP address and downstream IP address have been pre-configured, the security devices are switched at random, based on a preset cycle, to act as the serving device, and the sessions with the upstream server and the downstream client are kept unchanged during switching. The preset cycle may be a system default value or may be set by the user according to the actual situation; for example, it may be 3 minutes.
In an illustrated embodiment, the security devices may be switched at random to act as the serving device by an algorithm combining a random algorithm with a timestamp, where the random algorithm may be a hash algorithm. The present invention is not limited in this respect.
It should be noted that in any one switch, one and only one of the security devices is switched to be the serving device.
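As an added example, not taken from the patent, the following Python sketch shows one way the rotation just described could be evaluated by every security device independently: the index of the current cycle, derived from the timestamp, is hashed, so all devices agree on the same winner and exactly one device becomes the serving device per cycle. The device MACs, the 3-minute cycle and the use of SHA-256 are assumptions; the description specifies only "a random algorithm combined with a timestamp".

```python
import hashlib

# Constructed example: three security devices identified by MAC address. The
# first MAC is the one from Tables 1 and 2 of the description; the others are made up.
DEVICE_MACS = ["00-23-5A-15-99-42", "00-23-5A-15-99-43", "00-23-5A-15-99-44"]
CYCLE_SECONDS = 180  # the 3-minute preset cycle mentioned in the description


def cycle_index(timestamp: float, cycle_seconds: int = CYCLE_SECONDS) -> int:
    """Index of the switching cycle that contains `timestamp` (Unix seconds)."""
    return int(timestamp // cycle_seconds)


def select_serving_device(timestamp: float, device_macs=DEVICE_MACS,
                          cycle_seconds: int = CYCLE_SECONDS) -> str:
    """Device that serves during the cycle containing `timestamp`.

    Assumed scheme: hash the cycle index (SHA-256 here) and reduce it modulo the
    number of devices. Every device feeds the same index into the same hash, so
    all of them agree on the winner without exchanging any message, while the
    winner changes unpredictably from one cycle to the next.
    """
    ordered = sorted(device_macs)  # identical ordering on every device
    digest = hashlib.sha256(str(cycle_index(timestamp, cycle_seconds)).encode()).digest()
    return ordered[int.from_bytes(digest[:8], "big") % len(ordered)]


def is_serving(my_mac: str, timestamp: float, device_macs=DEVICE_MACS) -> bool:
    """The check each device runs at the start of a cycle."""
    return select_serving_device(timestamp, device_macs) == my_mac


def serving_devices_at(timestamp: float, device_macs=DEVICE_MACS) -> list:
    """Every device evaluates its own check; the result must hold exactly one MAC."""
    return [mac for mac in device_macs if is_serving(mac, timestamp, device_macs)]


def rotation(start: float, cycles: int, device_macs=DEVICE_MACS) -> list:
    """Serving device for each of `cycles` consecutive cycles starting at `start`."""
    return [select_serving_device(start + i * CYCLE_SECONDS, device_macs)
            for i in range(cycles)]
```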
In the present invention, when a security device is switched to be the serving device, it may generate a first ARP (Address Resolution Protocol) message based on its own MAC address and the upstream IP address, and then send the first ARP message to the upstream server, so that the upstream server updates its local MAC table entry based on the received ARP message.
In an illustrated embodiment, assume that the MAC address of the security device switched to be the serving device is 00-23-5A-15-99-42 and the upstream IP address is 22.22.22.22, and that the MAC address of the upstream server is 05-31-13-25-19-36 and its IP address is 33.33.33.33. The first ARP message that the security device sends to the upstream server may then be as shown in Table 1:
Source MAC address   Source IP address   Destination MAC address   Destination IP address
00-23-5A-15-99-42    22.22.22.22         05-31-13-25-19-36         33.33.33.33
Table 1
It should be noted that Table 1 shows only part of the information in the first ARP message; besides the information shown in Table 1, the first ARP message may also include header information and the like. The present invention is not limited in this respect.
After receiving the first ARP message sent by the security device, the upstream server can update its local MAC table entry according to the first ARP message.
Similarly, when a security device is switched to be the serving device, it may generate a second ARP message based on its own MAC address and the downstream IP address, and then send the second ARP message to the downstream client, so that the downstream client updates its local MAC table entry based on the received ARP message.
In an illustrated embodiment, assume that the MAC address of the security device switched to be the serving device is 00-23-5A-15-99-42 and the downstream IP address is 192.168.1.1, and that the MAC address of the downstream client is 05-22-14-52-12-11 and its IP address is 192.137.3.1. The second ARP message that the security device sends to the downstream client may then be as shown in Table 2:
Source MAC address   Source IP address   Destination MAC address   Destination IP address
00-23-5A-15-99-42    192.168.1.1         05-22-14-52-12-11         192.137.3.1
Table 2
It should also be noted that Table 2 shows only part of the information in the second ARP message; besides the information shown in Table 2, the second ARP message may also include header information and the like. The present invention is not limited in this respect.
Of course, when the network security system includes a switch and a gateway device, the security device may also send the second ARP message to the switch and the gateway device when it is switched to be the serving device.
On receiving the second ARP message sent by the security device, the downstream client, the switch, the gateway device and so on can update their local MAC table entries according to the second ARP message.
In the present invention, when the security device switched to be the serving device sends the ARP messages, the other security devices also receive the ARP messages and determine, from the received ARP messages, which security device has been switched to be the serving device.
Continuing with Fig. 1, in an illustrated embodiment, assume that among the three security devices shown in Fig. 1, security device 3 is switched to be the serving device. Security device 3 then sends the ARP messages, and after receiving them security device 1 and security device 2 can determine from the source MAC address in the ARP messages that security device 3 has been switched to be the serving device.
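As an added example, not part of the patent, the following Python code builds the first and second ARP messages from the values in Tables 1 and 2 and shows how the other security devices recover the new serving device's MAC address from the sender fields, as in the Fig. 1 scenario above. The ARP opcode (a reply) is an assumption; the description only says "ARP message" and notes that the tables omit the header fields.

```python
import struct
from typing import Optional

# Constructed values taken from Tables 1 and 2 of the description.
SERVING_MAC = "00-23-5A-15-99-42"
UPSTREAM_IP, UPSTREAM_SERVER_MAC, UPSTREAM_SERVER_IP = "22.22.22.22", "05-31-13-25-19-36", "33.33.33.33"
DOWNSTREAM_IP, CLIENT_MAC, CLIENT_IP = "192.168.1.1", "05-22-14-52-12-11", "192.137.3.1"

ETHERTYPE_ARP = 0x0806
ARP_HEADER = struct.Struct("!HHBBH")  # htype, ptype, hlen, plen, opcode


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split("-"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(src_mac: str, src_ip: str, dst_mac: str, dst_ip: str, opcode: int = 2) -> bytes:
    """Ethernet frame carrying an ARP packet whose sender fields are the new
    serving device's MAC and the shared IP. Opcode 2 (reply) is an assumption."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = ARP_HEADER.pack(1, 0x0800, 6, 4, opcode)  # Ethernet over IPv4
    arp += mac_bytes(src_mac) + ip_bytes(src_ip) + mac_bytes(dst_mac) + ip_bytes(dst_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the fields of Tables 1/2 from a frame, rejecting non-ARP input."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = ARP_HEADER.unpack(frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unexpected ARP hardware/protocol fields")
    body = frame[22:42]
    return {
        "opcode": opcode,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
    }


def first_arp_message() -> bytes:
    """Table 1: sent to the upstream server from the shared upstream IP."""
    return build_arp_frame(SERVING_MAC, UPSTREAM_IP, UPSTREAM_SERVER_MAC, UPSTREAM_SERVER_IP)


def second_arp_message() -> bytes:
    """Table 2: sent to the downstream client from the shared downstream IP."""
    return build_arp_frame(SERVING_MAC, DOWNSTREAM_IP, CLIENT_MAC, CLIENT_IP)


def serving_device_from_arp(frame: bytes, shared_ips=(UPSTREAM_IP, DOWNSTREAM_IP)) -> Optional[str]:
    """What security devices 1 and 2 do on seeing the ARP message: an ARP whose
    sender IP is one of the shared addresses names the new serving device by its
    sender MAC. Unrelated ARP traffic yields None."""
    fields = parse_arp_frame(frame)
    if fields["sender_ip"] in shared_ips:
        return fields["sender_mac"]
    return None
```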
In the present invention, after a security device is switched to be the serving device, it may receive a synchronization message sent by the previously selected serving device, where the synchronization message carries the session information exchanged between the previously selected serving device and the upstream server and downstream client.
Continuing with Fig. 1, in an illustrated embodiment, assume that among the three security devices shown in Fig. 1, security device 3 is switched to be the serving device and security device 1 is the previously selected serving device. After receiving the ARP message sent by security device 3, security device 1 can determine that security device 3 has been switched to be the serving device. Security device 1 can then send a synchronization message to security device 3, carrying the session information exchanged between security device 1 and the upstream server and downstream client.
In the present invention, the session information carried in the synchronization message may include the socket information of the TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) connections established between the previously selected serving device and the upstream server and downstream client, and the session identifier information of the session connections established over those TCP or UDP connections.
In an illustrated embodiment, assume that the previously selected serving device has established session connections with the upstream server and the downstream client based on SIP (Session Initiation Protocol). The previously selected serving device can then extract the session identifier of the session connection, namely the CALL-ID, and synchronize this session identifier to the security device switched to be the serving device through the synchronization message.
When the transport protocol carrying the SIP session is TCP, the previously selected serving device, while synchronizing the session identifier to the security device switched to be the serving device, also synchronizes the socket information of the TCP connection to it. When synchronizing the socket information of the TCP connection, the previously selected serving device synchronizes the five-tuple of the TCP connection together with its sequence number and acknowledgement number to the security device switched to be the serving device.
When the transport protocol carrying the SIP session is UDP, the previously selected serving device, while synchronizing the session identifier to the security device switched to be the serving device, also synchronizes the socket information of the UDP connection to it. When synchronizing the socket information of the UDP connection, the previously selected serving device synchronizes the source port number and destination port number of the UDP connection to the security device switched to be the serving device.
It should be noted that, because the security devices all have the same IP addresses, the security device switched to be the serving device and the previously selected serving device can synchronize the session information by Layer-2 Ethernet frames; that is, the synchronization message may be a Layer-2 Ethernet frame.
Taking the case where the transport protocol carrying the SIP session is TCP as an example, the process by which the previously selected serving device synchronizes the session information exchanged with the upstream server or downstream client to the security device switched to be the serving device is described in detail below:
Referring to Fig. 3, part of the socket information of a TCP connection is shown. This TCP connection may be one established between the previously selected serving device and the upstream server, or one established between the previously selected serving device and the downstream client. The previously selected serving device can extract the five-tuple, sequence number and acknowledgement number of the TCP connection from the socket information shown in Fig. 3, and from the extracted information build the connection table to be sent, as shown in Table 3:
Source IP address   Destination IP address   Source port   Destination port   Sequence number   Acknowledgement number
202.100.10.168      10.220.4.45              54098         49159              1363601166        3405140802
Table 3
Referring to Fig. 4, the session identifier information of a SIP session is shown. This SIP session may be one established between the previously selected serving device and the upstream server, or one established between the previously selected serving device and the downstream client. The previously selected serving device can extract the session identifier of the session connection (the CALL-ID shown in Fig. 4) from the session identifier information shown in Fig. 4, and from the extracted information build the session identifier table to be sent, as shown in Table 4:
CALL-ID   424efb833e4efb833e4efb83ef4efb834@202.100.10.168
Table 4
The previously selected serving device can then generate the synchronization message from the contents shown in Tables 3 and 4. Because the previously selected serving device and the security device switched to be the serving device have the same IP addresses, the previously selected serving device cannot send an IP packet to the security device switched to be the serving device. Since, however, the previously selected serving device can successfully send a Layer-2 Ethernet frame to the security device switched to be the serving device, it can exchange data with that device by generating Layer-2 Ethernet frames.
In an assumed example, the frame content of the Layer-2 Ethernet synchronization message generated by the previously selected serving device may be as shown in Table 5:
Table 5
The first row in Table 5 may be the MAC address of the security device switched to be the serving device; the second row may be the MAC address of the previously selected serving device; the third row may be a user-defined type value, which the present invention does not limit; and the fourth row may be the session information that the previously selected serving device needs to synchronize to the security device switched to be the serving device, which may include the session identifier to be sent (the CALL-ID) and the connection information to be sent, namely the five-tuple of the TCP connection and its sequence number and acknowledgement number.
After generating the Layer-2 Ethernet synchronization message whose content is shown in Table 5, the previously selected serving device can send it to the security device switched to be the serving device.
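As an added example, not part of the patent, the following Python code encodes the Table 3 and Table 4 session information into a Layer-2 frame laid out as Table 5 describes (destination MAC, source MAC, type value, session information) and parses it on the receiving device, refusing frames that are not addressed to it or that carry truncated fields. The TLV payload layout, the EtherType 0x88B5 (an IEEE local-experimental value) and the MAC address of security device 1 are assumptions, since the description leaves the type value and the payload encoding user-defined.

```python
import struct
from typing import Dict, List, Tuple

# Constructed values from Tables 3 and 4 of the description. The MAC of security
# device 1 and the EtherType are assumptions: the description leaves the type
# value user-defined, and 0x88B5 is an IEEE local-experimental EtherType.
NEW_SERVING_MAC = "00-23-5A-15-99-42"   # security device 3 (Tables 1 and 2)
PREV_SERVING_MAC = "00-23-5A-15-99-41"  # assumed MAC of security device 1
ETHERTYPE_SYNC = 0x88B5

TLV_CALL_ID = 1   # SIP CALL-ID (Table 4)
TLV_TCP_CONN = 2  # TCP five-tuple plus sequence/acknowledgement numbers (Table 3)
TLV_UDP_CONN = 3  # UDP addresses and source/destination ports
TCP_CONN = struct.Struct("!4s4sHHII")  # src ip, dst ip, sport, dport, seq, ack
UDP_CONN = struct.Struct("!4s4sHH")    # src ip, dst ip, sport, dport


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split("-"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def tlv(kind: int, value: bytes) -> bytes:
    """Type (1 byte), length (2 bytes, big-endian), value."""
    return struct.pack("!BH", kind, len(value)) + value


def build_sync_frame(src_mac: str, dst_mac: str, call_id: str,
                     tcp_conns: List[Tuple], udp_conns: List[Tuple] = ()) -> bytes:
    """Layer-2 synchronization message: the two devices share their IP addresses,
    so the session state travels in a raw Ethernet frame, not in an IP packet."""
    payload = tlv(TLV_CALL_ID, call_id.encode("ascii"))
    for sip, dip, sport, dport, seq, ack in tcp_conns:
        payload += tlv(TLV_TCP_CONN, TCP_CONN.pack(ip_bytes(sip), ip_bytes(dip), sport, dport, seq, ack))
    for sip, dip, sport, dport in udp_conns:
        payload += tlv(TLV_UDP_CONN, UDP_CONN.pack(ip_bytes(sip), ip_bytes(dip), sport, dport))
    header = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_SYNC)
    return header + payload


def parse_sync_frame(frame: bytes, my_mac: str) -> Dict:
    """Run on the newly selected device. Accepts only frames addressed to it that
    carry the sync EtherType, and rejects truncated or unknown TLVs instead of
    installing partial session state."""
    if len(frame) < 14 or frame[0:6] != mac_bytes(my_mac):
        raise ValueError("sync frame not addressed to this device")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_SYNC:
        raise ValueError("not a session synchronization frame")
    state = {"from_mac": "-".join(f"{x:02X}" for x in frame[6:12]),
             "call_ids": [], "tcp": {}, "udp": {}}
    pos = 14
    while pos < len(frame):
        if pos + 3 > len(frame):
            raise ValueError("truncated TLV header")
        kind, length = struct.unpack("!BH", frame[pos:pos + 3])
        pos += 3
        value = frame[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        pos += length
        if kind == TLV_CALL_ID:
            state["call_ids"].append(value.decode("ascii"))
        elif kind == TLV_TCP_CONN and length == TCP_CONN.size:
            sip, dip, sport, dport, seq, ack = TCP_CONN.unpack(value)
            state["tcp"][(ip_str(sip), ip_str(dip), sport, dport)] = {"seq": seq, "ack": ack}
        elif kind == TLV_UDP_CONN and length == UDP_CONN.size:
            sip, dip, sport, dport = UDP_CONN.unpack(value)
            state["udp"][(ip_str(sip), ip_str(dip), sport, dport)] = {}
        else:
            raise ValueError(f"unknown or malformed TLV type {kind}")
    return state


def example_sync() -> Dict:
    """Tables 3 and 4 carried from security device 1 to device 3 and installed there."""
    frame = build_sync_frame(
        PREV_SERVING_MAC, NEW_SERVING_MAC,
        "424efb833e4efb833e4efb83ef4efb834@202.100.10.168",
        [("202.100.10.168", "10.220.4.45", 54098, 49159, 1363601166, 3405140802)])
    return parse_sync_frame(frame, NEW_SERVING_MAC)
```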
Step 202: based on the described session information that carries in described sync message keep with described upstream service end and The session of downstream client.
It is switched to the safety equipment sync message that chosen safety equipment send on receiving of service equipment After, can keep and above-mentioned upstream service end and the meeting of downstream client based on the session information carried in this sync message Words.
After receiving sync message, the safety equipment being switched to service equipment can obtain synchronization from sync message Information, and keep and above-mentioned upstream service end and the session of downstream client according to this synchronizing information.
From above-described embodiment, in the present invention, when the safety equipment in the network equipment are switched to service equipment, Can receive the sync message that a chosen service equipment sends, wherein, this sync message can carry one and be selected Service equipment and upstream service end and downstream client between mutual session information, then, above-mentioned be switched to service The safety equipment of equipment can keep and upstream service end and descending visitor based on the session information carried in above-mentioned sync message The session of family end.
The application present invention can on the basis of not affecting upper-layer service switching at runtime link so that penetration attack etc. Attack for link cannot persistently be carried out, and efficiently solves correlation technique protective capacities when protection is for the attack of link The problem of difference.
Based on the same inventive concept as the above method, an embodiment of the present invention further provides an embodiment of a session keeping apparatus.
The session keeping apparatus of the present invention can be applied to any security device in a network security system comprising several security devices. The apparatus may be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, as an apparatus in the logical sense, it is formed by the processor of the device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware perspective, Fig. 5 is a hardware structure diagram of the session keeping apparatus in an embodiment of the present invention; besides the processor, network interface, memory and non-volatile memory shown in Fig. 5, the device may also include other hardware, such as a camera or a forwarding chip responsible for processing messages.
Fig. 6 is a block diagram of a session keeping apparatus according to an exemplary embodiment of the present invention. The apparatus includes a synchronization message receiving module 610 and a session keeping module 620.
The synchronization message receiving module 610 is configured to receive, after the security device is switched to be the service device, the synchronization message sent by the previously selected service device; wherein the synchronization message carries the session information exchanged between the previously selected service device and the upstream server and the downstream client.
The session keeping module 620 is configured to keep the session with the upstream server and the downstream client based on the session information carried in the synchronization message.
In an optional implementation, the apparatus may further include (not shown in Fig. 6):
a first generation module, configured to generate an ARP message based on the MAC address of the security device and the upstream IP address when the security device is switched to be the service device;
a first sending module, configured to send the ARP message to the upstream server, so that the upstream server updates its MAC address entry based on the received ARP message.
In an optional implementation, the apparatus may further include (not shown in Fig. 6):
a second generation module, configured to generate an ARP message based on the MAC address of the security device and the downstream IP address when the security device is switched to be the service device;
a second sending module, configured to send the ARP message to the downstream client, so that the downstream client updates its MAC address entry based on the received ARP message.
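An added example, not from the patent, of what the generation and sending modules above produce: the newly switched device builds an ARP message from its own MAC address and the shared upstream (or downstream) IP address, and a peer model refreshes its MAC entry from it. Encoding the message as a broadcast gratuitous ARP reply and the Peer class are assumptions; the patent does not specify the ARP message form.

```python
import socket
import struct

ARP_TYPE = 0x0806
BROADCAST = b"\xff" * 6

def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_arp_announce(dev_mac: str, shared_ip: str) -> bytes:
    """ARP message from the new service device's MAC and the shared IP it now serves.
    Assumption: broadcast gratuitous ARP reply (opcode 2), sender IP == target IP."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                      _mac(dev_mac), socket.inet_aton(shared_ip),
                      BROADCAST, socket.inet_aton(shared_ip))
    return BROADCAST + _mac(dev_mac) + struct.pack("!H", ARP_TYPE) + arp

class Peer:
    """Upstream server or downstream client holding an IP -> MAC table (constructed model)."""
    def __init__(self, peer_ip: str):
        self.peer_ip = peer_ip   # the IP this peer talks to, shared by all security devices
        self.table = {}          # IP -> MAC address entry

    def on_frame(self, frame: bytes) -> bool:
        if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_TYPE:
            return False
        fields = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
        sender_mac, sender_ip = fields[5], socket.inet_ntoa(fields[6])
        if sender_ip != self.peer_ip:   # only refresh the entry for the IP we actually talk to
            return False
        self.table[sender_ip] = sender_mac.hex(":")  # MAC entry now points at the new device
        return True
```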
In an optional implementation, the several security devices include different operating systems.
In an optional implementation, the security device switched to be the service device and the previously selected service device synchronize the session information via a Layer 2 Ethernet message.
In the present invention, when a security device in the network device is switched to be the service device, it may receive the synchronization message sent by the previously selected service device, where this synchronization message may carry the session information exchanged between the previously selected service device and the upstream server and the downstream client; the security device switched to be the service device may then keep the session with the upstream server and the downstream client based on the session information carried in that synchronization message.
By applying the present invention, the link can be switched dynamically without affecting the upper-layer service, so that link-oriented attacks such as penetration attacks cannot be carried on continuously, which effectively solves the problem of the related art's poor protection capability when defending against attacks on the link.
Those skilled in the art will readily think of other embodiments of the present invention after considering the specification and practicing the invention disclosed here. The present application is intended to cover any variations, uses or adaptations of the present invention that follow the general principles of the present invention and include common knowledge or customary technical means in the art not disclosed by the present invention. The specification and embodiments are to be regarded as exemplary only, and the true scope and spirit of the invention are indicated by the following claims.
It should be understood that the present invention is not limited to the precise structures described above and illustrated in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present invention is limited only by the appended claims.
The foregoing is merely the preferred embodiments of the present invention and is not intended to limit the present invention; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (10)

1. A session keeping method, applied to any security device in a network security system comprising several security devices, an upstream server and a downstream client, wherein the security devices among the several security devices are switched randomly to be the service device based on a preset period, and the session between the upstream server and the downstream client is kept unchanged during the switching process, characterized in that the several security devices are all pre-configured with the same downstream IP address as the upstream server, and are all configured with the same upstream IP address corresponding to the upstream server; the method comprises:
after the security device is switched to be the service device, receiving a synchronization message sent by the previously selected service device; wherein the synchronization message carries session information exchanged between the previously selected service device and the upstream server and the downstream client;
keeping the session with the upstream server and the downstream client based on the session information carried in the synchronization message.
2. The method according to claim 1, characterized in that the method further comprises:
when the security device is switched to be the service device, generating an ARP message based on the MAC address of the security device and the upstream IP address;
sending the ARP message to the upstream server, so that the upstream server updates its MAC address entry based on the received ARP message.
3. The method according to claim 1, characterized in that the method further comprises:
when the security device is switched to be the service device, generating an ARP message based on the MAC address of the security device and the downstream IP address;
sending the ARP message to the downstream client, so that the downstream client updates its MAC address entry based on the received ARP message.
4. The method according to claim 1, characterized in that the several security devices comprise different operating systems.
5. The method according to claim 1, characterized in that the security device switched to be the service device and the previously selected service device synchronize the session information via a Layer 2 Ethernet message.
6. A session keeping apparatus, applied to any security device in a network security system comprising several security devices, an upstream server and a downstream client, wherein the security devices among the several security devices are switched randomly to be the service device based on a preset period, and the session between the upstream server and the downstream client is kept unchanged during the switching process, characterized in that the several security devices are all pre-configured with the same downstream IP address as the upstream server, and are all configured with the same upstream IP address corresponding to the upstream server; the apparatus comprises:
a synchronization message receiving module, configured to receive, after the security device is switched to be the service device, a synchronization message sent by the previously selected service device; wherein the synchronization message carries session information exchanged between the previously selected service device and the upstream server and the downstream client;
a session keeping module, configured to keep the session with the upstream server and the downstream client based on the session information carried in the synchronization message.
7. The apparatus according to claim 6, characterized in that the apparatus further comprises:
a first generation module, configured to generate an ARP message based on the MAC address of the security device and the upstream IP address when the security device is switched to be the service device;
a first sending module, configured to send the ARP message to the upstream server, so that the upstream server updates its MAC address entry based on the received ARP message.
8. The apparatus according to claim 6, characterized in that the apparatus further comprises:
a second generation module, configured to generate an ARP message based on the MAC address of the security device and the downstream IP address when the security device is switched to be the service device;
a second sending module, configured to send the ARP message to the downstream client, so that the downstream client updates its MAC address entry based on the received ARP message.
9. The apparatus according to claim 6, characterized in that the several security devices comprise different operating systems.
10. The apparatus according to claim 6, characterized in that the security device switched to be the service device and the previously selected service device synchronize the session information via a Layer 2 Ethernet message.
CN201610673308.1A 2016-08-15 2016-08-15 Session keeping method and device Active CN106302456B (en)

Publications (2)

Publication Number Publication Date
CN106302456A true CN106302456A (en) 2017-01-04
CN106302456B CN106302456B (en) 2020-01-14
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant