CN107948195A - Method and device for protecting against Modbus attacks - Google Patents

Method and device for protecting against Modbus attacks

Info

Publication number: CN107948195A
Application number: CN201711424133.1A
Authority: CN (China)
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN107948195B (en)
Inventor: 贾新奎
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
History: application CN201711424133.1A filed by Hangzhou DPTech Technologies Co Ltd; published as CN107948195A; granted and published as CN107948195B.

Classifications

    • H04L63/101 Access control lists [ACL] (under H04L63/10, controlling access to devices or network resources; H04L63/00, network security)
    • H04L12/40 Bus networks (under H04L12/28, data switching networks characterised by path configuration, e.g. LAN or WAN; H04L12/00, data switching networks)
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP address or URL (under H04L63/0227, filtering policies; H04L63/02, separating internal from external traffic, e.g. firewalls)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14, detecting or protecting against malicious traffic)
    • H04L2012/40228 Modbus (under H04L2012/40208, bus networks characterized by the use of a particular bus standard)

Abstract

The application provides a method and device for protecting against Modbus attacks, applied to a security device. The method includes: receiving a first packet and determining whether the source IP of the first packet hits a preset IP blacklist; if not, determining whether the first packet is an exception packet; if the first packet is an exception packet, updating, based on the first packet, the abnormal-address table entry corresponding to the first packet in a preset abnormal address table, where the abnormal address table holds the mapping between IP addresses and anomaly counts; determining, on a preset cycle, whether the anomaly count in each entry of the abnormal address table reaches a preset threshold; and if any anomaly count reaches the threshold, adding the IP address corresponding to that anomaly count to the IP blacklist. The application blocks an attacker's practice of broadcasting request packets to collect the performance parameters of devices that have the Modbus protocol enabled, and thereby protects against the attacker thoroughly.

Description

Method and device for protecting against Modbus attacks
Technical field
This application relates to the field of security protection, and in particular to a method and device for protecting against Modbus attacks.
Background technology
The Modbus communication protocol is a bus communication protocol with a client/server architecture used in industrial environments. Modbus-based communication is generally initiated by the client, and the server then responds to the client. The Modbus protocol itself involves no authentication of the communicating parties and does not support encryption of the communication content, so its security is deficient.
An attacker can scan devices by broadcasting Modbus request packets to many devices to determine which devices have the Modbus protocol enabled, then keep sending request packets to the Modbus-enabled devices and collect their performance parameters from the response packets returned. The attacker can subsequently launch attacks on the Modbus-enabled devices using the collected performance parameters.
In the prior art, protection rules are usually configured on a security device to filter Modbus packets. However, the Modbus request packets broadcast by an attacker are very numerous, and in practice protection rules have difficulty filtering those request packets out adequately.
Summary of the invention
In view of this, the application provides a method and device for protecting against Modbus attacks, for blocking an attacker from collecting the performance parameters of Modbus-enabled devices so as to prevent the attacker's follow-up attacks.
Specifically, the application is achieved through the following technical solution:
A method for protecting against Modbus attacks, applied to a security device, including:
receiving a first packet and determining whether the source IP of the first packet hits a preset IP blacklist;
if not, determining whether the first packet is an exception packet;
if the first packet is an exception packet, updating, based on the first packet, the abnormal-address table entry corresponding to the first packet in a preset abnormal address table, where the abnormal address table holds the mapping between IP addresses and anomaly counts;
determining, on a preset cycle, whether the anomaly count in each entry of the abnormal address table reaches a preset threshold;
if any anomaly count reaches the threshold, adding the IP address corresponding to that anomaly count to the IP blacklist.
In the method for protection Modbus attacks, the method further includes:
Before whether definite first message is exception message, determine whether first message is Modbus messages;
If not, forwarding first message;
If so, perform follow-up process.
In the method for protecting against Modbus attacks, determining whether the first packet is an exception packet includes:
if the first packet was sent by the session initiator, checking whether the first packet carries a specified function code;
if so, determining that the first packet is an exception packet;
if the first packet was sent by the session responder, checking whether the first packet carries a specified exception response code;
if so, determining that the first packet is an exception packet.
In the method for protecting against Modbus attacks, updating, based on the first packet, the abnormal-address table entry corresponding to the first packet in the preset abnormal address table includes:
if the first packet was sent by the session initiator, looking up the abnormal address table by the source IP of the first packet to find the corresponding entry;
if no corresponding entry exists, creating an entry for the source IP and setting the anomaly count in that entry to 1;
if a corresponding entry exists, adding 1 to the anomaly count in that entry;
if the first packet was sent by the session responder, looking up the abnormal address table by the destination IP of the first packet to find the corresponding entry, and adding 1 to the anomaly count in that entry.
In the method for protection Modbus attacks, the method further includes:
After the corresponding IP address of the exception number is added to the IP blacklists, the abnormal address table is emptied.
A device for protecting against Modbus attacks, applied to a security device, including:
a receiving unit, for receiving a first packet and determining whether the source IP of the first packet hits a preset IP blacklist;
a first determination unit, for determining, if not, whether the first packet is an exception packet;
an updating unit, for updating, if the first packet is an exception packet, the abnormal-address table entry corresponding to the first packet in a preset abnormal address table based on the first packet, where the abnormal address table holds the mapping between IP addresses and anomaly counts;
a second determination unit, for determining, on a preset cycle, whether the anomaly count in each entry of the abnormal address table reaches a preset threshold;
an adding unit, for adding, if any anomaly count reaches the threshold, the IP address corresponding to that anomaly count to the IP blacklist.
In the device for protecting against Modbus attacks, the first determination unit is further used for:
before determining whether the first packet is an exception packet, determining whether the first packet is a Modbus packet;
if not, forwarding the first packet;
if so, performing the subsequent process.
In the device for protecting against Modbus attacks, the first determination unit is further used for:
if the first packet was sent by the session initiator, checking whether the first packet carries a specified function code;
if so, determining that the first packet is an exception packet;
if the first packet was sent by the session responder, checking whether the first packet carries a specified exception response code;
if so, determining that the first packet is an exception packet.
In the device for protecting against Modbus attacks, the updating unit is further used for:
if the first packet was sent by the session initiator, looking up the abnormal address table by the source IP of the first packet to find the corresponding entry;
if no corresponding entry exists, creating an entry for the source IP and setting the anomaly count in that entry to 1;
if a corresponding entry exists, adding 1 to the anomaly count in that entry;
if the first packet was sent by the session responder, looking up the abnormal address table by the destination IP of the first packet to find the corresponding entry, and adding 1 to the anomaly count in that entry.
In the device for protecting against Modbus attacks, the device further includes:
a clearing unit, for clearing the abnormal address table after the IP address corresponding to the anomaly count has been added to the IP blacklist.
In the embodiments of this application, after the security device receives a first packet, it first screens the packet against the IP blacklist and discards packets that hit the blacklist; it then determines whether the first packet is an exception packet and, if so, updates the entry corresponding to the first packet in a preset abnormal address table, where the abnormal address table holds the mapping between IP addresses and anomaly counts;
on a preset cycle, the security device can determine whether the anomaly count in each entry of the abnormal address table reaches a preset threshold, and adds the IP address corresponding to any anomaly count that reaches the threshold to the IP blacklist;
because the security device updates the anomaly count corresponding to the session initiator's IP address once it has identified an exception packet, it can identify the attacker's IP address when the anomaly count reaches the threshold and protect thoroughly against that IP address. This blocks the attacker's practice of broadcasting request packets to collect the performance parameters of Modbus-enabled devices and thereby prevents the attacker's follow-up attacks.
Brief description of the drawings
Fig. 1 is a schematic diagram of the format of a Modbus application data unit shown in this application;
Fig. 2 is an interaction diagram of the Modbus/TCP protocol shown in this application;
Fig. 3 is another interaction diagram of the Modbus/TCP protocol shown in this application;
Fig. 4 is a flow chart of a method for protecting against Modbus attacks shown in this application;
Fig. 5 is a block diagram of an embodiment of a device for protecting against Modbus attacks shown in this application;
Fig. 6 is a hardware structure diagram of a device for protecting against Modbus attacks shown in this application.
Detailed description of the embodiments
To help those skilled in the art better understand the technical solution in the embodiments of the present invention, and to make the above purposes, features and advantages of the embodiments more obvious and understandable, the prior art and the technical solution in the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, which is a schematic diagram of the format of a Modbus application data unit (ADU) shown in this application: as shown in Fig. 1, the protocol data unit (PDU) within the application-layer data unit has a function code field, into which one of several function codes defined by the Modbus protocol can be inserted; each function code indicates a different action. A Modbus-enabled device generally supports some subset of those function codes according to its own configuration.
Modbus can be subdivided into protocol variants such as Modbus/TCP (Transmission Control Protocol), Modbus/UDP (User Datagram Protocol), Modbus/RTU (Remote Terminal Unit) and Modbus/ASCII (American Standard Code for Information Interchange).
Referring to Fig. 2, which is an interaction diagram of the Modbus/TCP protocol shown in this application: as shown in Fig. 2, the client creates a request packet and sends it to the server, where the request packet carries a function code. After receiving the request packet and performing the action indicated by the function code, the server creates a response packet and sends it to the client, where the response packet carries the same function code as the request packet.
Referring to Fig. 3, which is another interaction diagram of the Modbus/TCP protocol shown in this application: as shown in Fig. 3, the client creates a request packet and sends it to the server, where the request packet carries a function code. After receiving the request packet, the server performs the action indicated by the function code; if an error is detected during the operation, it creates and sends a response packet to the client that carries an exception response code (exception function code), which indicates the error type.
The exception response codes include 0x01, 0x02 and 0x03, among others. 0x01 indicates that the server does not support the function code in the received packet; 0x02 indicates that the server does not support the operation address in the request packet; 0x03 indicates that the data field of the received packet contains illegal content. In practice, if the Modbus-enabled device is a programmable logic controller (PLC), the operation address in the request packet may be a code representing a pin of the PLC.
Scanning tools such as PLC Scan (Programmable Logic Controller Scan) and ModScan32 currently exist and can scan for information about Modbus-enabled devices. Specifically, a request packet carrying function code 0x2B/0x0E can be broadcast to many devices; if a response packet is received from any device, that device is determined to have Modbus enabled. The destination port of such request packets may be the default port of the Modbus/TCP protocol, port 502.
After identifying Modbus-enabled devices, the attacker can continue to send request packets carrying different function codes to those devices and collect the devices' performance parameters from the response packets returned. The performance parameters include the function codes a device supports, the operation addresses in the device corresponding to each function code, the functional parameters stored at each operation address, and so on. Once the attacker has collected a device's performance parameters, the attacker can subsequently launch attacks on the device. The functional parameters relate to the functions the device supports; for example, if the device controls a fan switch, the functional parameter may be a parameter indicating the fan's switch state, and if the device controls the opening of a valve, the functional parameter may be an opening degree from 0 to 100%.
Specifically, the attacker can send request packets carrying various function codes to a Modbus-enabled device and determine the function codes the device supports from the response packets received: if a response packet carries exception response code 0x01, the device does not support the function code in the request packet sent before it.
The attacker can repeatedly send request packets accessing different operation addresses to a Modbus-enabled device and determine the operation addresses the device can operate on from the response packets received: if a response packet carries exception response code 0x02, the device does not support the operation address in the request packet sent before it.
The attacker can repeatedly send request packets to a Modbus-enabled device that set the functional parameter at each operation address, where the request packet carries the functional parameter to be written. The attacker determines the functional parameters the device supports from the response packets received: if a response packet carries exception response code 0x03, setting the functional parameter failed. By repeatedly sending such request packets, the attacker can obtain the range of functional parameters supported at each operation address.
In the prior art, protection rules are usually configured on a security device to filter Modbus packets. Such protection rules can protect based on fields such as the function code and the operation address; for example, request packets carrying several specified function codes and targeting several specified operation addresses can be discarded.
However, the Modbus request packets broadcast by an attacker are very numerous, and protection rules cannot filter them out completely. In that case the attacker can still keep collecting the performance parameters of Modbus-enabled devices and subsequently carry out Modbus attacks.
In view of this, the application provides a method for protecting against Modbus attacks, for blocking an attacker from collecting the performance parameters of Modbus-enabled devices and further preventing follow-up attacks.
Referring to Fig. 4, which is a flow chart of a method for protecting against Modbus attacks shown in this application, the method is applied to a security device and comprises the following steps:
Step 401: receive a first packet and determine whether the source IP of the first packet hits a preset IP blacklist.
The security device may be a firewall device or a gateway device with a security protection function.
The "first packet" refers to any received packet; the name is used only for ease of description and does not limit the application.
The IP addresses in the IP blacklist are the addresses the security device needs to protect against. Determining whether the source IP of the first packet hits the IP blacklist means checking whether the source IP of the first packet is present in the IP blacklist. In the initial state the IP blacklist is empty.
On the one hand, if the source IP of the first packet hits the IP blacklist, it can be determined that the first packet was sent by an attacker, and the first packet is discarded directly;
on the other hand, if the first packet does not hit the IP blacklist, it cannot be determined that the first packet was sent by an attacker, and the subsequent process is performed on the first packet.
Step 402: if not, determine whether the first packet is an exception packet.
In one embodiment, before determining whether the first packet is an exception packet, the security device can first determine whether the first packet is a Modbus packet.
On the one hand, if the first packet is not a Modbus packet, it falls outside the protection scope of this technical solution and can be forwarded directly;
on the other hand, if the first packet is a Modbus packet, the subsequent process can be performed, that is, determining whether it is an exception packet.
With this measure the security device reduces the number of packets to be processed subsequently, lowering the resource consumption of protecting against attack packets.
In one embodiment, while processing the received packets the security device can determine the session initiator and the session responder during session establishment in the TCP three-way handshake, and can record the IP address of the session initiator and the IP address of the session responder respectively.
When determining whether the first packet is an exception packet, the security device can first judge from the source IP whether the first packet was sent by the session initiator or by the session responder.
Because an attacker actively sends a large number of request packets, the attacker is necessarily a session initiator.
If the first packet was sent by the session initiator, check whether the first packet carries a specified function code. The specified function codes include function code 0x2B, which an attacker commonly uses to probe whether a device has the Modbus protocol enabled.
If so, it can be determined that the first packet is an exception packet. Note that an exception packet is a packet that an attacker may send, but it was not necessarily sent by an attacker; the subsequent flow is still needed to identify the attacker.
If not, the first packet can be forwarded directly.
If the first packet was sent by the session responder, check whether the first packet carries a specified exception response code. The specified exception response codes include the exception response codes 0x01, 0x02 and 0x03 that a server may return when it receives repeated request packets from an attacker.
If so, it can be determined that the first packet is an exception packet.
If not, the first packet can be forwarded directly.
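One way to decode a Modbus/TCP frame and apply the step 402 classification above, as an added example that is not code from the patent or from DPTech: the parser follows the public Modbus/TCP framing (a 7-byte MBAP header, then the PDU, with exception responses flagged by the 0x80 bit of the function code), the specified function code 0x2B and exception codes 0x01 to 0x03 come from the text, the sample frames are constructed here, and the 0x0E/0x01/0x00 probe body (MEI type Read Device Identification) is an assumption about what a scanner's 0x2B probe carries.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Values taken from the patent text: the probe function code attackers use
# (0x2B) and the exception codes a server returns to repeated probing.
SPECIFIED_FUNCTION_CODES = {0x2B}
SPECIFIED_EXCEPTION_CODES = {0x01, 0x02, 0x03}
MODBUS_TCP_PORT = 502  # default Modbus/TCP port named in the text


@dataclass
class ModbusPdu:
    transaction_id: int
    unit_id: int
    function_code: int            # exception bit (0x80) cleared
    is_exception_response: bool
    exception_code: Optional[int]
    data: bytes


def parse_modbus_tcp(frame: bytes) -> Optional[ModbusPdu]:
    """Parse a Modbus/TCP ADU: MBAP header (transaction id, protocol id,
    length, unit id) followed by the PDU (function code + data).
    Returns None when the bytes are not a well-formed Modbus/TCP frame,
    which the method treats as "not a Modbus packet" and forwards."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    # Protocol id is 0 for Modbus; length covers unit id + PDU.
    if proto != 0 or length < 2 or len(frame) != 6 + length:
        return None
    fc = frame[7]
    body = frame[8:]
    if fc & 0x80:
        # Exception response: function code with high bit set, then exactly
        # one exception code byte (0x01 illegal function, 0x02 illegal
        # address, 0x03 illegal data value, per the text).
        if len(body) != 1:
            return None
        return ModbusPdu(tid, unit, fc & 0x7F, True, body[0], b"")
    return ModbusPdu(tid, unit, fc, False, None, body)


def is_exception_packet(frame: bytes, from_initiator: bool) -> bool:
    """Step 402 rule: a session-initiator packet is an exception packet when
    it carries a specified function code; a session-responder packet when it
    carries a specified exception response code. Non-Modbus frames are not."""
    pdu = parse_modbus_tcp(frame)
    if pdu is None:
        return False
    if from_initiator:
        return pdu.function_code in SPECIFIED_FUNCTION_CODES
    return pdu.is_exception_response and pdu.exception_code in SPECIFIED_EXCEPTION_CODES


# Constructed sample frames (not captured traffic) for the demonstration.
def build_request(tid: int, unit: int, fc: int, data: bytes = b"") -> bytes:
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_exception_response(tid: int, unit: int, fc: int, exc_code: int) -> bytes:
    pdu = bytes([fc | 0x80, exc_code])
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    # Assumed probe body: MEI type 0x0E, read device id code 0x01, object 0x00.
    probe = build_request(1, 1, 0x2B, b"\x0e\x01\x00")
    read_coils = build_request(2, 1, 0x01, b"\x00\x00\x00\x08")
    illegal_addr = build_exception_response(2, 1, 0x01, 0x02)
    for name, frame, role in (("probe", probe, True),
                              ("read coils", read_coils, True),
                              ("exception 0x02", illegal_addr, False)):
        print(f"{name:15s} exception packet: {is_exception_packet(frame, role)}")
```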
Step 403: if the first packet is an exception packet, update, based on the first packet, the abnormal-address table entry corresponding to the first packet in a preset abnormal address table, where the abnormal address table holds the mapping between IP addresses and anomaly counts.
The IP addresses in the abnormal address table updated by the security device are all IP addresses of session initiators, so the attacker's IP address can subsequently be determined from the abnormal address table.
When updating the abnormal-address table entry, if the first packet was sent by the session initiator, the abnormal address table can be looked up by the source IP of the first packet to find the corresponding entry.
On the one hand, if no corresponding entry exists, the first packet is the first packet sent by that session initiator; the security device can create an entry for the source IP of the first packet and set the anomaly count in that entry to 1.
On the other hand, if a corresponding entry exists, that session initiator has sent packets before, and the security device can add 1 to the anomaly count in that entry.
If the first packet was sent by the session responder, the abnormal address table can be looked up by the destination IP of the first packet to find the corresponding entry, and 1 is added to the anomaly count in that entry.
In one embodiment, the security device can update the anomaly count using the preset summation formula 1+2+3+...+(n-1)+n, where n is the number of exception packets received that relate to the same session initiator;
alternatively, the anomaly count can be updated using the preset summation formula 1+2+4+...+2*(n-1)+2*n, where n is the number of exception packets received that relate to the same session initiator.
In such embodiments the anomaly count in an entry grows faster, reflecting that the more exception packets are received relating to the same session initiator, the more likely that session initiator is an attacker.
After updating the abnormal address table, the security device can forward the first packet.
Step 404: on a preset cycle, determine whether the anomaly count in each entry of the abnormal address table reaches a preset threshold.
A threshold can be preconfigured on the security device; it characterizes the critical anomaly count that corresponds to an attacker. It can be configured according to the actual application environment: for example, if traffic in the network environment is heavy, the threshold can be larger, and if traffic is light, the threshold can be smaller. It can of course also be configured according to other strategies; the application does not specifically limit this.
The preset cycle can likewise be configured according to the actual application environment: for example, if traffic in the network environment is heavy, the preset cycle can be shorter, so that attackers are blocked promptly. It can of course also be configured according to other strategies; the application does not specifically limit this.
In one embodiment, the security device can start a preset timer; when the timer reaches the preset cycle, it traverses the abnormal address table, compares the anomaly count in each entry with the threshold, and determines whether the threshold is reached.
Step 405: if any anomaly count reaches the threshold, add the IP address corresponding to that anomaly count to the IP blacklist.
The security device checks whether the anomaly count reaches the threshold in order to determine the attacker's IP address.
On the one hand, if an anomaly count has not reached the threshold, it can be determined that the IP address corresponding to that anomaly count is not the attacker's IP address.
On the other hand, if any anomaly count reaches the threshold, the IP address corresponding to that anomaly count can be determined to be the attacker's IP address; the security device can add the attacker's IP address to the IP blacklist so that packets sent by the attacker are subsequently discarded directly.
With this measure the security device can detect the attacker and achieve effective protection against the attacker.
In addition, after traversing the abnormal address table and adding the attacker's IP address to the IP blacklist, the security device can clear the abnormal address table.
Of course, if the security device finds no attacker IP address after traversing the abnormal address table, it still needs to clear the abnormal address table.
With this measure the security device can determine attackers in each detection cycle from a fresh abnormal address table, and prevents the contents of the abnormal address table from growing continuously and occupying excessive memory.
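The abnormal address table, periodic threshold check, blacklisting and table clearing of steps 401 to 405, as an added example that is not code from the patent or from DPTech. Packets arrive already classified by step 402 (the `Packet` record, the class name and the `counting` option are this example's own); the triangular mode implements the first summation formula 1+2+...+n, and leaving the table unchanged when a responder packet's peer has no entry is an assumption the patent text does not settle.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    from_initiator: bool   # role learned from the TCP handshake (step 402)
    is_exception: bool     # result of the step-402 classification


class ModbusGuard:
    """Pure-Python model of steps 401-405 on the security device.
    counting="linear": each exception packet adds 1 to the anomaly count.
    counting="triangular": the n-th exception packet for an initiator adds n,
    so the count equals 1+2+...+n (the first preset summation formula)."""

    def __init__(self, threshold: int, counting: str = "linear"):
        self.threshold = threshold
        self.counting = counting
        self.blacklist: Set[str] = set()   # empty in the initial state
        self.table: Dict[str, int] = {}    # initiator IP -> anomaly count
        self._seen: Dict[str, int] = {}    # n per initiator, for the summation

    def _bump(self, initiator_ip: str) -> None:
        n = self._seen.get(initiator_ip, 0) + 1
        self._seen[initiator_ip] = n
        step = n if self.counting == "triangular" else 1
        # A missing entry is created with the first step (1 in either mode).
        self.table[initiator_ip] = self.table.get(initiator_ip, 0) + step

    def handle(self, pkt: Packet) -> str:
        """Process one packet; returns "drop" or "forward"."""
        # Step 401: packets whose source IP hits the blacklist are discarded.
        if pkt.src_ip in self.blacklist:
            return "drop"
        # Step 402: anything not classified as an exception packet is forwarded.
        if not pkt.is_exception:
            return "forward"
        # Step 403: the table is keyed on the session initiator only, so a
        # responder packet is looked up by its destination IP.
        initiator_ip = pkt.src_ip if pkt.from_initiator else pkt.dst_ip
        if pkt.from_initiator or initiator_ip in self.table:
            self._bump(initiator_ip)
        # Assumption: a responder packet whose peer has no entry changes nothing.
        return "forward"   # exception packets are still forwarded after the update

    def on_timer(self) -> List[str]:
        """Steps 404-405, run once per preset cycle: blacklist every initiator
        whose anomaly count reached the threshold, then clear the table
        whether or not anything was found."""
        newly = sorted(ip for ip, c in self.table.items() if c >= self.threshold)
        self.blacklist.update(newly)
        self.table.clear()
        self._seen.clear()
        return newly


if __name__ == "__main__":
    # Constructed traffic: one host probing three PLCs with 0x2B, each PLC
    # answering with an exception response, plus a legitimate HMI read.
    guard = ModbusGuard(threshold=5)
    scanner = "10.0.0.99"
    for i in range(1, 4):
        plc = f"192.168.1.{i}"
        guard.handle(Packet(scanner, plc, True, True))
        guard.handle(Packet(plc, scanner, False, True))
    guard.handle(Packet("10.0.0.5", "192.168.1.1", True, False))
    print("table before cycle:", guard.table)
    print("blacklisted this cycle:", guard.on_timer())
    print("next probe from scanner:", guard.handle(Packet(scanner, "192.168.1.9", True, True)))
```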
In summary, in the technical solution of this application, after the security device receives the first message, it first determines whether the source IP of the above-mentioned first message hits the preset IP blacklist, and only processes messages that miss the IP blacklist; further, the security device determines whether the above-mentioned first message is an abnormal message and, when the above-mentioned first message is an abnormal message, updates the corresponding abnormal address entry; the security device keeps updating the abnormal address table with the messages it receives, so that it can subsequently determine the attacker on the basis of the abnormal address table;
The above-mentioned security device can, on the basis of the preset cycle, determine whether the abnormal count in each abnormal address entry of the abnormal address table reaches the preset threshold, and add the IP address corresponding to any abnormal count that reaches the threshold to the IP blacklist;
Since the above-mentioned security device updates the abnormal count corresponding to the IP address of the session initiator after determining an abnormal message, it can determine the attacker's IP address when the abnormal count reaches the threshold and apply thorough protection against the attacker's IP address, which blocks the attacker's behaviour of broadcasting request messages to collect performance parameters of devices that have enabled the Modbus protocol, and thereby prevents the attacker's subsequent attacks.
Corresponding to the foregoing embodiments of the method for protecting against Modbus attacks, this application also provides embodiments of a device for protecting against Modbus attacks.
Referring to Fig. 5, which is a block diagram of an embodiment of the device for protecting against Modbus attacks shown in this application:
As shown in Fig. 5, the device 50 for protecting against Modbus attacks includes:
Receiving unit 510, configured to receive a first message and determine whether the source IP of the first message hits a preset IP blacklist.
First determination unit 520, configured to determine, if not, whether the first message is an abnormal message.
Updating unit 530, configured to, if the first message is an abnormal message, update, on the basis of the first message, the abnormal address entry corresponding to the first message in a preset abnormal address table; wherein the abnormal address table includes the mapping relationship between IP addresses and abnormal counts.
Second determination unit 540, configured to determine, on the basis of a preset cycle, whether the abnormal count in each abnormal address entry of the abnormal address table reaches a preset threshold.
Adding unit 550, configured to, if any abnormal count reaches the threshold, add the IP address corresponding to that abnormal count to the IP blacklist.
In this example, the first determination unit 520 is further configured to:
Before determining whether the first message is an abnormal message, determine whether the first message is a Modbus message;
If not, forward the first message;
If so, perform the subsequent process.
In this example, the first determination unit 520 is further configured to:
If the first message is sent by the session initiator, check whether the first message carries a specified function code;
If so, determine that the first message is the abnormal message;
If the first message is sent by the session responder, check whether the first message carries a specified exception response code;
If so, determine that the first message is the abnormal message.
In this example, the updating unit 530 is further configured to:
If the first message is sent by the session initiator, look up the abnormal address table on the basis of the source IP of the first message and determine the corresponding abnormal address entry;
If there is no corresponding abnormal address entry, create an abnormal address entry on the basis of the source IP and set the abnormal count in that abnormal address entry to 1;
If there is a corresponding abnormal address entry, add 1 to the abnormal count in that abnormal address entry;
If the first message is sent by the session responder, look up the abnormal address table on the basis of the destination IP of the first message, determine the corresponding abnormal address entry, and add 1 to the abnormal count in that abnormal address entry.
In this example, the device further includes:
Clearing unit 560 (not shown), configured to clear the abnormal address table after the IP address corresponding to the abnormal count has been added to the IP blacklist.
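The method steps, the device units above and the claims that restate them, as one added example (not the patent's or the assignee's code): a Python simulation of the abnormal address table applied to Modbus/TCP frames. The concrete "specified" function codes and exception codes, the handling of a responder message that has no existing entry, and all IP addresses and frames are assumptions or constructed values, since the page does not fix them.

```python
"""Added example, not code from the patent: a simulation of the abnormal-address-table
mechanism described above for Modbus/TCP. Assumed because the page does not fix them:
"specified function codes" 0x08/0x11/0x2B, "specified exception codes" 0x01/0x02, and a
response with no existing table entry creates one. All traffic below is constructed."""
MODBUS_PORT = 502
SUSPECT_FUNCTION_CODES = {0x08, 0x11, 0x2B}  # assumed "specified" function codes
SUSPECT_EXCEPTION_CODES = {0x01, 0x02}       # assumed "specified" exception codes

def mbap(pdu, tid=1, unit=1):
    """Constructed Modbus/TCP ADU: transaction id, protocol id 0, length, unit id, PDU."""
    return tid.to_bytes(2, "big") + b"\x00\x00" + (len(pdu) + 1).to_bytes(2, "big") + bytes([unit]) + pdu

def parse_modbus(payload):
    """Return (function_code, exception_code or None), or None if not a Modbus/TCP ADU.
    An exception response sets bit 0x80 of the function code; the exception code follows."""
    if len(payload) < 8 or payload[2:4] != b"\x00\x00":
        return None
    fc = payload[7]
    if fc & 0x80:
        return (fc & 0x7F, payload[8]) if len(payload) >= 9 else None
    return fc, None

class ModbusGuard:
    def __init__(self, threshold):
        self.threshold = threshold
        self.blacklist = set()
        self.abnormal_table = {}  # IP address -> abnormal count

    def handle(self, src_ip, dst_ip, src_port, dst_port, payload):
        """Steps 401-403 for one message: 'drop' (blacklist hit), 'forward' or 'abnormal'."""
        if src_ip in self.blacklist:
            return "drop"
        if MODBUS_PORT not in (src_port, dst_port):
            return "forward"  # not a Modbus message: forwarded without further checks
        fc, exc = parse_modbus(payload) or (None, None)
        if dst_port == MODBUS_PORT and fc in SUSPECT_FUNCTION_CODES:
            key = src_ip  # sent by the session initiator: entry keyed on source IP
        elif src_port == MODBUS_PORT and exc in SUSPECT_EXCEPTION_CODES:
            key = dst_ip  # sent by the responder: entry keyed on destination IP
        else:
            return "forward"
        self.abnormal_table[key] = self.abnormal_table.get(key, 0) + 1
        return "abnormal"

    def periodic_check(self):
        """Steps 404-405 when the preset timer fires: blacklist every IP whose count
        reached the threshold, then clear the table whether or not one was found."""
        blocked = {ip for ip, n in self.abnormal_table.items() if n >= self.threshold}
        self.blacklist |= blocked
        self.abnormal_table.clear()
        return blocked

def demo():
    """Constructed traffic: 10.0.0.9 sends three Report Server ID (0x11) requests to the
    PLC; 10.0.0.5 sends a normal 0x03 read answered with an Illegal Data Address (0x02)."""
    g, plc, out = ModbusGuard(threshold=3), "10.0.0.100", []
    for i in range(3):
        out.append(g.handle("10.0.0.9", plc, 40000 + i, 502, mbap(b"\x11", tid=i)))
    out.append(g.handle("10.0.0.5", plc, 40100, 502, mbap(b"\x03\x00\x00\x00\x0a")))
    out.append(g.handle(plc, "10.0.0.5", 502, 40100, mbap(b"\x83\x02")))
    blocked = g.periodic_check()  # 10.0.0.9 reached 3; 10.0.0.5 only 1
    out.append(g.handle("10.0.0.9", plc, 40003, 502, mbap(b"\x03\x00\x00\x00\x01")))
    return out, blocked, g.blacklist, dict(g.abnormal_table)
```

The exception response from the PLC is attributed to its destination IP (the initiator that provoked it), so a host that only ever sends legitimate-looking function codes to invalid addresses still accumulates a count.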
The embodiments of the device for protecting against Modbus attacks of this application can be applied on a security device. The device embodiments can be realised by software, or by hardware or a combination of hardware and software. Taking software implementation as an example, as a device in the logical sense it is formed by the processor of the security device on which it is located reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware perspective, Fig. 6 is a hardware structure diagram of the security device on which the device for protecting against Modbus attacks of this application is located; apart from the processor, memory, network interface and non-volatile memory shown in Fig. 6, the security device on which the device of the embodiment is located may, depending on the actual function of protecting against Modbus attacks, also include other hardware, which is not described further here.
For the specific process by which the functions and effects of the units in the above device are realised, refer to the realisation process of the corresponding steps in the above method, which is not described in detail here.
Since the device embodiments essentially correspond to the method embodiments, the related parts may refer to the partial description of the method embodiments. The device embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application. Those of ordinary skill in the art can understand and implement them without creative effort.
The foregoing is merely a preferred embodiment of this application and is not intended to limit this application; any modification, equivalent substitution, improvement and the like made within the spirit and principles of this application shall be included within the scope of protection of this application.

Claims (10)

  1. A method for protecting against Modbus attacks, applied to a security device, characterised in that it includes:
    receiving a first message and determining whether the source IP of the first message hits a preset IP blacklist;
    if not, determining whether the first message is an abnormal message;
    if the first message is an abnormal message, updating, on the basis of the first message, the abnormal address entry corresponding to the first message in a preset abnormal address table; wherein the abnormal address table includes the mapping relationship between IP addresses and abnormal counts;
    determining, on the basis of a preset cycle, whether the abnormal count in each abnormal address entry of the abnormal address table reaches a preset threshold;
    if any abnormal count reaches the threshold, adding the IP address corresponding to that abnormal count to the IP blacklist.
  2. The method according to claim 1, characterised in that the method further includes:
    before determining whether the first message is an abnormal message, determining whether the first message is a Modbus message;
    if not, forwarding the first message;
    if so, performing the subsequent process.
  3. The method according to claim 1, characterised in that said determining whether the first message is an abnormal message includes:
    if the first message is sent by the session initiator, checking whether the first message carries a specified function code;
    if so, determining that the first message is the abnormal message;
    if the first message is sent by the session responder, checking whether the first message carries a specified exception response code;
    if so, determining that the first message is the abnormal message.
  4. The method according to claim 3, characterised in that said updating, on the basis of the first message, the abnormal address entry corresponding to the first message in the preset abnormal address table includes:
    if the first message is sent by the session initiator, looking up the abnormal address table on the basis of the source IP of the first message and determining the corresponding abnormal address entry;
    if there is no corresponding abnormal address entry, creating an abnormal address entry on the basis of the source IP and setting the abnormal count in that abnormal address entry to 1;
    if there is a corresponding abnormal address entry, adding 1 to the abnormal count in that abnormal address entry;
    if the first message is sent by the session responder, looking up the abnormal address table on the basis of the destination IP of the first message, determining the corresponding abnormal address entry, and adding 1 to the abnormal count in that abnormal address entry.
  5. The method according to claim 4, characterised in that the method further includes:
    after the IP address corresponding to the abnormal count is added to the IP blacklist, clearing the abnormal address table.
  6. A device for protecting against Modbus attacks, applied to a security device, characterised in that it includes:
    a receiving unit, configured to receive a first message and determine whether the source IP of the first message hits a preset IP blacklist;
    a first determination unit, configured to determine, if not, whether the first message is an abnormal message;
    an updating unit, configured to, if the first message is an abnormal message, update, on the basis of the first message, the abnormal address entry corresponding to the first message in a preset abnormal address table; wherein the abnormal address table includes the mapping relationship between IP addresses and abnormal counts;
    a second determination unit, configured to determine, on the basis of a preset cycle, whether the abnormal count in each abnormal address entry of the abnormal address table reaches a preset threshold;
    an adding unit, configured to, if any abnormal count reaches the threshold, add the IP address corresponding to that abnormal count to the IP blacklist.
  7. The device according to claim 6, characterised in that the first determination unit is further configured to:
    before determining whether the first message is an abnormal message, determine whether the first message is a Modbus message;
    if not, forward the first message;
    if so, perform the subsequent process.
  8. The device according to claim 6, characterised in that the first determination unit is further configured to:
    if the first message is sent by the session initiator, check whether the first message carries a specified function code;
    if so, determine that the first message is the abnormal message;
    if the first message is sent by the session responder, check whether the first message carries a specified exception response code;
    if so, determine that the first message is the abnormal message.
  9. The device according to claim 8, characterised in that the updating unit is further configured to:
    if the first message is sent by the session initiator, look up the abnormal address table on the basis of the source IP of the first message and determine the corresponding abnormal address entry;
    if there is no corresponding abnormal address entry, create an abnormal address entry on the basis of the source IP and set the abnormal count in that abnormal address entry to 1;
    if there is a corresponding abnormal address entry, add 1 to the abnormal count in that abnormal address entry;
    if the first message is sent by the session responder, look up the abnormal address table on the basis of the destination IP of the first message, determine the corresponding abnormal address entry, and add 1 to the abnormal count in that abnormal address entry.
  10. The device according to claim 9, characterised in that the device further includes:
    a clearing unit, configured to clear the abnormal address table after the IP address corresponding to the abnormal count is added to the IP blacklist.
CN201711424133.1A 2017-12-25 2017-12-25 Method and device for protecting Modbus attack Active CN107948195B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711424133.1A CN107948195B (en) 2017-12-25 2017-12-25 Method and device for protecting Modbus attack

Publications (2)

Publication Number Publication Date
CN107948195A true CN107948195A (en) 2018-04-20
CN107948195B CN107948195B (en) 2020-12-04
