CN107528847A - Protection method based on MAC shunting - Google Patents

Protection method based on MAC shunting (MAC-based traffic diversion)

Info

Publication number: CN107528847A
Authority: CN (China)
Application number: CN201710780983.9A
Other languages: Chinese (zh)
Other versions: CN107528847B (en)
Inventors: 张寿权, 杨国栋, 张冬梅
Current and original assignee: TIANJIN ZANPU TECHNOLOGY Co Ltd
Priority date / filing date: 2017-09-01
Publication date: 2017-12-29 (CN107528847A); granted as CN107528847B on 2020-10-27
Legal status: Granted, active
Prior art keywords: message, mac, address, link, sent

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/00 Network architectures or protocols for network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/101 Access control lists [ACL] (under H04L63/10 controlling access to devices or network resources)
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses (under H04L2101/60 Types of network addresses; H04L2101/618 Details of network addresses)

Abstract

The invention provides a protection method based on MAC shunting (MAC-based traffic diversion), comprising the following: after the uplink port receives a packet, it copies the packet unmodified to the downlink port; after the downlink port receives a packet, it analyzes the packet's protocol type. If an anomaly is present, the packet's destination MAC address is rewritten to the MAC address of the protection link device and the packet is sent out over the protection link; if no anomaly is present, the destination MAC of the packet is rewritten to the MAC address of the default link and the packet is sent out over the default link. The invention has the following advantages: while guaranteeing the service quality of users' normal Internet access, it reduces the workload of the network administrator; when a user borrows a source IP address to access non-compliant software, the anomaly of that IP is detected automatically and, without blocking the user's source IP, the packet's destination MAC address is rewritten to the MAC of the protection link device, so that the abnormal traffic is automatically switched onto the protection link for handling.

Description

Protection method based on MAC shunting
Technical field
The invention belongs to the field of communication technology and in particular relates to a protection method based on MAC shunting.
Background technology
At present, when an Internet service provider provides service externally, some malicious users borrow the source IP address provided by the Internet service provider to access non-compliant software, causing abnormal traffic. If nothing is done, the source IPs used by these malicious users will be blocked, and for a resource as scarce and precious as IP addresses this undoubtedly causes a great loss to the Internet service provider. There has previously been a technique that diverts traffic by VLAN ID, but it requires complex deployment and configuration of the switches and places excessive demands on the network administrator.
The content of the invention
In view of this, the present invention aims to propose a protection method based on MAC shunting, so that when a user borrows a source IP address to access non-compliant software, the anomaly of that IP can be detected automatically and the abnormal traffic automatically switched onto the protection link for handling.
To achieve the above purpose, the technical solution of the invention is realized as follows:
A protection method based on MAC shunting, comprising the following:
After the uplink port receives a packet, it copies the packet unmodified to the downlink port;
After the downlink port receives a packet, it analyzes the packet's protocol type. If an anomaly is present, it rewrites the packet's destination MAC address to the MAC address of the protection link device and sends the packet out over the protection link; if no anomaly is present, it rewrites the destination MAC in the packet to the MAC address of the default link and sends the packet out over the default link.
Further, after the downlink port receives a packet, the following steps are carried out:
Step a: judge whether it is an 802.1Q packet; if not, send it directly to the egress interface and end this process; if so, go to step b;
Step b: further judge whether it is an IP packet; if so, go to step c, otherwise go to step e;
Step c: further judge whether the source IP address in the IP header is in the blacklist; if so, go to step h, otherwise go to step d;
Step d: further judge whether the IP packet type is TCP; if not, go to step i; if so, go to step g;
Step e: further judge whether the packet is an ARP packet; if not, go to step i; if so, go to step f;
Step f: further judge whether the source IP address in the packet is in the blacklist; if so, go to step h, otherwise go to step i;
Step g: hand the packet to the rule-match module for further processing. Specifically, the rule-match module parses the TCP packet, and when the parsed TCP header meets the specified length its content is matched. If it matches, the traffic is abnormal (someone has accessed probe software): record the source IP address in the blacklist and go to step h; if it does not match, go to step i;
Step h: rewrite the packet's destination MAC address to the MAC address of the protection link device, send the packet out over the protection link, and end this process.
Step i: rewrite the destination MAC in the packet to the MAC address of the default link, send the packet out over the default link, and end this process.
Further, the downlink port's packet processing is handled mainly by the following three modules:
Downlink task configuration module: processes the parameter configuration commands issued via CLI or WEB, including the two monitored interfaces, the MAC of the protection link and the MAC of the default link, and the blacklist refresh interval;
Packet identification module: analyzes the packet's protocol type;
Rule-match module: when the parsed TCP header meets the specified length, matches its content.
Compared with the prior art, the present invention has the following advantages:
(1) When an abnormal user uses a source IP address to access non-compliant software, the invention rewrites the packet's destination MAC address to the MAC of the protection link device; when a normal user uses a source IP address for external network traffic, it rewrites the packet's destination MAC address to the MAC of the normal link device. There is no need to divert by VLAN ID when packets are sent externally, and the switch does not need to consider VLAN allocation.
(2) While guaranteeing the service quality of users' normal Internet access, the invention reduces the workload of the network administrator; when a user borrows a source IP address to access non-compliant software, the anomaly of that IP is detected automatically and, without blocking the user's source IP, the packet's destination MAC address is rewritten to the MAC of the protection link device, so the abnormal traffic is automatically switched onto the protection link for handling.
Brief description of the drawings
The accompanying drawings, which form part of the present invention, are provided for a further understanding of the invention; the illustrative embodiments of the invention and their descriptions serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is the flow chart of packet processing on receipt at the uplink port in an embodiment of the present invention;
Fig. 2 is the flow chart of packet processing on receipt at the downlink port in an embodiment of the present invention;
Fig. 3 is the processing flow chart of the packet identification module in an embodiment of the present invention;
Fig. 4 shows the uplink port packet processing module in an embodiment of the present invention;
Fig. 5 shows the downlink port packet processing module in an embodiment of the present invention;
Fig. 6 is a diagram of the downlink task configuration module in an embodiment of the present invention;
Fig. 7 is the network topology diagram of an embodiment of the present invention;
Fig. 8 shows the web configuration of an embodiment of the present invention.
Embodiment
It should be noted that, provided there is no conflict, the embodiments of the present invention and the features in the embodiments can be combined with one another.
The present invention is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
A protection method based on MAC shunting, comprising the following:
After the uplink port receives a packet, no modification is needed: the packet is copied unmodified to the downlink port. The uplink port's packet-receiving flow is shown in Fig. 1.
The packets received by the uplink port do not need IP protection; so-called IP protection protects the Internet access behaviour of intranet users. So the task of the uplink port is simply to copy the packet unmodified to the downlink port and send it on to the intranet user, equivalent to bridge mode sending the packet to the peer. As shown in Fig. 4, uplink port processing passes mainly through the following three modules.
(1) Uplink task configuration: processes the parameter configuration commands issued via the CLI (Command Line Interface), configuring the monitored interfaces; like the downlink task configuration module, it configures the two monitored interfaces.
(2) Packet monitoring: when the event listened to is a write event at the downlink port, it indicates that the packet received by the downlink port needs modification.
(3) Packet copying: the packet received at the downlink port need not be modified; in effect, the uplink port's packet is copied unmodified to the downlink port and sent out.
After the downlink port receives a packet, it analyzes the packet's protocol type, collects the packet's source IP and performs matching on the packet; based on the match result it determines which link the packet is sent on. The downlink port's packet-receiving flow is shown in Fig. 2 and the detailed flow in Fig. 3, comprising the following steps:
Step a: judge whether it is an 802.1Q packet; if not, send it directly to the egress interface and end this process; if so, go to step b;
Step b: further judge whether it is an IP packet; if so, go to step c, otherwise go to step e;
Step c: further judge whether the source IP address in the IP header is in the blacklist; if so, go to step h, otherwise go to step d;
Step d: further judge whether the IP packet type is TCP; if not, go to step i; if so, go to step g;
Step e: further judge whether the packet is an ARP packet; if not, go to step i; if so, go to step f;
Step f: further judge whether the source IP address in the packet is in the blacklist; if so, go to step h, otherwise go to step i;
Step g: hand the packet to the rule-match module for further processing. Specifically, the rule-match module parses the TCP packet, and when the parsed TCP header meets the specified length its content is matched. If it matches, the traffic is abnormal (someone has accessed probe software): record the source IP address in the blacklist and go to step h; if it does not match, go to step i;
Step h: rewrite the packet's destination MAC address to the MAC address of the protection link device, send the packet out over the protection link, and end this process.
Step i: rewrite the destination MAC in the packet to the MAC address of the default link, send the packet out over the default link, and end this process;
Here the downlink port packet processing module is shown in Fig. 5; the downlink port's processing passes mainly through the three main processing modules shown in Fig. 3:
Downlink task configuration module: processes the parameter configuration commands issued via CLI or WEB; as shown in Fig. 6, these include the two monitored interfaces, the MAC of the protection link and the MAC of the default link (i.e. the normal link), and the blacklist refresh interval.
Packet identification module: analyzes the packet's protocol type.
Rule-match module: when the parsed TCP header meets the specified length, matches its content.
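As an added worked example (not code from the patent or its assignee), the following Python implements the downlink-port decision of steps a to i described in the summary and in the embodiment above over constructed Ethernet frames: the 802.1Q check, the IP and ARP branches, the blacklist lookups, the rule-match step and the destination-MAC rewrite to the protection or default link. The MAC values, the probe signature byte pattern, the 20-byte "specified length" for the TCP header, and the Ethernet/IPv4 ARP layout are assumptions.

```python
import struct

# Constructed constants (assumptions, not values from the patent).
ETHERTYPE_8021Q, ETHERTYPE_IP, ETHERTYPE_ARP, IPPROTO_TCP = 0x8100, 0x0800, 0x0806, 6
PROTECT_MAC = bytes.fromhex("020000000001")   # MAC of the protection link device (vyatta1)
DEFAULT_MAC = bytes.fromhex("020000000002")   # MAC of the default/normal link device (vyatta2)
PROBE_SIGNATURE = b"PROBE-HELLO"              # stand-in for the rule-match module's pattern
MIN_TCP_HEADER = 20                           # the "specified length" the TCP header must reach

blacklist = set()   # source IPs recorded by the rule-match module (step g); refreshed externally

def _send(frame, mac, action):
    """Steps h and i: rewrite the destination MAC, keep the rest of the frame unchanged."""
    return action, mac + frame[6:]

def _rule_match(frame, src_ip, tcp):
    """Step g: parse the TCP header; only when it meets the required length, match the payload."""
    if len(tcp) < MIN_TCP_HEADER:
        return _send(frame, DEFAULT_MAC, "default")             # unparsable header -> step i
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < MIN_TCP_HEADER or len(tcp) < data_offset:
        return _send(frame, DEFAULT_MAC, "default")             # step i
    if PROBE_SIGNATURE in tcp[data_offset:]:
        blacklist.add(src_ip)                                    # record the source IP
        return _send(frame, PROTECT_MAC, "protect")             # step h
    return _send(frame, DEFAULT_MAC, "default")                 # step i

def divert(frame):
    """Downlink-port decision: returns (action, frame), action is passthrough/protect/default."""
    # Step a: only 802.1Q-tagged frames are inspected; anything else goes straight to egress.
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return "passthrough", frame
    inner_type = struct.unpack("!H", frame[16:18])[0]
    payload = frame[18:]
    if inner_type == ETHERTYPE_IP and len(payload) >= 20:       # step b: IP packet
        src_ip = payload[12:16]
        if src_ip in blacklist:                                  # step c
            return _send(frame, PROTECT_MAC, "protect")         # step h
        if payload[9] != IPPROTO_TCP:                            # step d
            return _send(frame, DEFAULT_MAC, "default")         # step i
        ihl = (payload[0] & 0x0F) * 4
        return _rule_match(frame, src_ip, payload[ihl:])         # step g
    if inner_type == ETHERTYPE_ARP and len(payload) >= 28:      # step e: ARP packet
        sender_ip = payload[14:18]   # sender protocol address in Ethernet/IPv4 ARP
        if sender_ip in blacklist:                               # step f
            return _send(frame, PROTECT_MAC, "protect")         # step h
    return _send(frame, DEFAULT_MAC, "default")                 # step i

# Constructed sample frames (test input only).
def build_frame(ethertype, payload, vlan=100):
    dst, src = bytes(6), bytes.fromhex("020000000099")
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, vlan, ethertype) + payload

def ip4(addr):
    return bytes(int(o) for o in addr.split("."))

def build_ipv4(src_ip, proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ip4(src_ip), ip4("203.0.113.1"))
    return hdr + l4

def build_tcp(data, data_offset=5):
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, 0x18, 1024, 0, 0) + data

def build_arp(sender_ip):
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, 1) + bytes(6) + ip4(sender_ip)
            + bytes(6) + ip4("203.0.113.1"))

if __name__ == "__main__":
    probe = build_frame(ETHERTYPE_IP, build_ipv4("192.0.2.10", IPPROTO_TCP, build_tcp(PROBE_SIGNATURE)))
    print(divert(probe)[0], divert(build_frame(ETHERTYPE_ARP, build_arp("192.0.2.10")))[0])
```

Once a source IP has been recorded in step g, all of its later IP traffic (step c) and ARP traffic (step f) follows the protection link until the blacklist is refreshed.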
The network topology of an embodiment of the present invention is shown in Fig. 7 and consists mainly of three parts:
A. The PC connected to port 31 of the switch corresponds to a customer Internet-access device deployed in the network;
B. The OpenWrt device is the device deployed in the machine room, the diversion device that all user Internet access must pass through;
C. The two additionally deployed Vyatta devices are the devices that, after the user's Internet traffic has been analyzed, send the flows out over different links: vyatta1 is the protection link device and vyatta2 is the normal link device (the default link device). The MAC addresses of the devices are consistent with the configuration on the web interface.
The web configuration of this embodiment is shown in Fig. 8:
Diversion configuration, downlink port: the ingress interface for packets the device forwards from the intranet to the external network
Uplink port: the egress interface for packets the device forwards from the intranet to the external network
Interface MAC of the diversion device: the MAC address of the diversion link device that packets are steered to
Interface MAC of the normal device: the MAC address of the normal link device that packets are steered to
Blacklist refresh interval: the refresh interval of the source IP records.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the invention; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (4)

1. A protection method based on MAC shunting, characterized in that it comprises the following:
After the uplink port receives a packet, it copies the packet unmodified to the downlink port;
After the downlink port receives a packet, it analyzes the packet's protocol type. If an anomaly is present, it rewrites the packet's destination MAC address to the MAC address of the protection link device and sends the packet out over the protection link; if no anomaly is present, it rewrites the destination MAC in the packet to the MAC address of the default link and sends the packet out over the default link.
2. The protection method based on MAC shunting according to claim 1, characterized in that after the downlink port receives a packet, the following steps are carried out:
Step a: judge whether it is an 802.1Q packet; if not, send it directly to the egress interface and end this process; if so, go to step b;
Step b: further judge whether it is an IP packet; if so, go to step c, otherwise go to step e;
Step c: further judge whether the source IP address in the IP header is in the blacklist; if so, go to step h, otherwise go to step d;
Step d: further judge whether the IP packet type is TCP; if not, go to step i; if so, go to step g;
Step e: further judge whether the packet is an ARP packet; if not, go to step i; if so, go to step f;
Step f: further judge whether the source IP address in the packet is in the blacklist; if so, go to step h, otherwise go to step i;
Step g: hand the packet to the rule-match module for further processing. Specifically, the rule-match module parses the TCP packet, and when the parsed TCP header meets the specified length its content is matched. If it matches, the traffic is abnormal (someone has accessed probe software): record the source IP address in the blacklist and go to step h; if it does not match, go to step i;
Step h: rewrite the packet's destination MAC address to the MAC address of the protection link device, send the packet out over the protection link, and end this process.
Step i: rewrite the destination MAC in the packet to the MAC address of the default link, send the packet out over the default link, and end this process.
3. The protection method based on MAC shunting according to claim 2, characterized in that the downlink port's packet processing is handled mainly by the following three modules:
Downlink task configuration module: processes the parameter configuration commands issued via CLI or WEB, including the two monitored interfaces, the MAC of the protection link and the MAC of the default link, and the blacklist refresh interval;
Packet identification module: analyzes the packet's protocol type;
Rule-match module: when the parsed TCP header meets the specified length, matches its content.
4. A protection system based on MAC shunting, characterized in that it comprises a diversion device that all user Internet access must pass through, a protection link device and a default link device; for traffic that the diversion device analyzes as abnormal, the destination MAC address is rewritten to that of the protection link and the packet is sent to the protection link device for forwarding; otherwise the destination MAC address is rewritten to that of the default link and the packet is sent to the default link device for forwarding.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710780983.9A CN107528847B (en) 2017-09-01 2017-09-01 Protection method based on MAC shunting

Publications (2)

Publication Number Publication Date
CN107528847A (en) 2017-12-29
CN107528847B (en) 2020-10-27
