CN107948195A - A kind of method and device of protection Modbus attacks - Google Patents
A kind of method and device of protection Modbus attacks
- Publication number: CN107948195A
- Application number: CN201711424133.1A
- Authority: CN (China)
- Prior art keywords: message, abnormal, list item, exception, address list
- Legal status: Granted
Classifications
- H04L63/101: Network security, access control lists [ACL]
- H04L12/40: Data switching networks, bus networks
- H04L63/0236: Network security, firewalls, filtering policies, filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/1425: Network security, detecting or protecting against malicious traffic by monitoring network traffic, traffic logging, e.g. anomaly detection
- H04L2012/40228: Bus networks characterized by the use of a particular bus standard, Modbus
Abstract
The application provides a method and device for protecting against Modbus attacks, applied to a security device. The method includes: receiving a first message and determining whether the source IP of the first message hits a preset IP blacklist; if not, determining whether the first message is an exception message; if the first message is an exception message, updating, based on the first message, the abnormal address entry corresponding to the first message in a preset abnormal address table, where the abnormal address table maps IP addresses to abnormal counts; on a preset cycle, determining whether the abnormal count in each abnormal address entry of the abnormal address table reaches a preset threshold; and if any abnormal count reaches the threshold, adding the IP address corresponding to that abnormal count to the IP blacklist. The application blocks the attacker's behaviour of broadcasting request messages to collect the performance parameters of devices that have the Modbus protocol enabled, and so achieves thorough protection against the attacker.
Description
Technical field
This application relates to the field of security protection, and in particular to a method and device for protecting against Modbus attacks.
Background technology
The Modbus communication protocol is a bus communication protocol with a client/server architecture that is used in industrial environments. Modbus communication is generally initiated by the client towards the server, and the server then responds to the client. The Modbus protocol itself involves no authentication of the two communicating parties and does not support encryption of the communication content, so its security is deficient.
An attacker can scan devices by broadcasting Modbus request messages to many devices and determine which devices have the Modbus protocol enabled, then continue sending request messages to those devices and collect their performance parameters from the response messages returned. The attacker can subsequently launch an attack on the Modbus-enabled devices using the collected performance parameters.
In the prior art, protection rules are usually configured on a security device to filter Modbus messages. However, the Modbus request messages broadcast by an attacker are very numerous, and in practice the protection rules have difficulty filtering out all of those request messages.
Summary of the invention
In view of this, the application provides a method and device for protecting against Modbus attacks, for blocking an attacker from collecting the performance parameters of Modbus-enabled devices and so preventing the attacker's follow-up attack.
Specifically, the application is achieved through the following technical solution:
A method for protecting against Modbus attacks, applied to a security device, including:
receiving a first message and determining whether the source IP of the first message hits a preset IP blacklist;
if not, determining whether the first message is an exception message;
if the first message is an exception message, updating, based on the first message, the abnormal address entry corresponding to the first message in a preset abnormal address table, where the abnormal address table maps IP addresses to abnormal counts;
on a preset cycle, determining whether the abnormal count in each abnormal address entry of the abnormal address table reaches a preset threshold;
if any abnormal count reaches the threshold, adding the IP address corresponding to that abnormal count to the IP blacklist.
In the method for protecting against Modbus attacks, the method further includes:
before determining whether the first message is an exception message, determining whether the first message is a Modbus message;
if not, forwarding the first message;
if so, performing the subsequent process.
In the method for protecting against Modbus attacks, determining whether the first message is an exception message includes:
if the first message was sent by the session initiator, checking whether the first message carries a specified function code; if so, determining that the first message is an exception message;
if the first message was sent by the session responder, checking whether the first message carries a specified exception response code; if so, determining that the first message is an exception message.
In the method for protecting against Modbus attacks, updating, based on the first message, the abnormal address entry corresponding to the first message in the preset abnormal address table includes:
if the first message was sent by the session initiator, searching the abnormal address table by the source IP of the first message to find the corresponding abnormal address entry;
if there is no corresponding abnormal address entry, creating an abnormal address entry for the source IP and setting the abnormal count in that entry to 1;
if there is a corresponding abnormal address entry, adding 1 to the abnormal count in that entry;
if the first message was sent by the session responder, searching the abnormal address table by the destination IP of the first message to find the corresponding abnormal address entry, and adding 1 to the abnormal count in that entry.
In the method for protecting against Modbus attacks, the method further includes:
after the IP address corresponding to the abnormal count has been added to the IP blacklist, clearing the abnormal address table.
A device for protecting against Modbus attacks, applied to a security device, including:
a receiving unit, for receiving a first message and determining whether the source IP of the first message hits a preset IP blacklist;
a first determination unit, for determining, if not, whether the first message is an exception message;
an updating unit, for updating, if the first message is an exception message, the abnormal address entry corresponding to the first message in a preset abnormal address table based on the first message, where the abnormal address table maps IP addresses to abnormal counts;
a second determination unit, for determining, on a preset cycle, whether the abnormal count in each abnormal address entry of the abnormal address table reaches a preset threshold;
an adding unit, for adding, if any abnormal count reaches the threshold, the IP address corresponding to that abnormal count to the IP blacklist.
In the device for protecting against Modbus attacks, the first determination unit is further used for:
before determining whether the first message is an exception message, determining whether the first message is a Modbus message;
if not, forwarding the first message;
if so, performing the subsequent process.
In the device for protecting against Modbus attacks, the first determination unit is further used for:
if the first message was sent by the session initiator, checking whether the first message carries a specified function code; if so, determining that the first message is an exception message;
if the first message was sent by the session responder, checking whether the first message carries a specified exception response code; if so, determining that the first message is an exception message.
In the device for protecting against Modbus attacks, the updating unit is further used for:
if the first message was sent by the session initiator, searching the abnormal address table by the source IP of the first message to find the corresponding abnormal address entry;
if there is no corresponding abnormal address entry, creating an abnormal address entry for the source IP and setting the abnormal count in that entry to 1;
if there is a corresponding abnormal address entry, adding 1 to the abnormal count in that entry;
if the first message was sent by the session responder, searching the abnormal address table by the destination IP of the first message to find the corresponding abnormal address entry, and adding 1 to the abnormal count in that entry.
In the device for protecting against Modbus attacks, the device further includes:
a clearing unit, for clearing the abnormal address table after the IP address corresponding to the abnormal count has been added to the IP blacklist.
In the embodiment of the application, after the security device receives the first message, it first screens it against the IP blacklist and discards any message that hits the IP blacklist; it then determines whether the first message is an exception message and, if so, updates the abnormal address entry corresponding to the first message in the preset abnormal address table, where the abnormal address table maps IP addresses to abnormal counts.
On a preset cycle, the security device can determine whether the abnormal count in each abnormal address entry of the abnormal address table reaches the preset threshold, and adds the IP address corresponding to any abnormal count that reaches the threshold to the IP blacklist.
Because the security device updates the abnormal count corresponding to the IP address of the session initiator once an exception message has been identified, it can determine the attacker's IP address when the abnormal count reaches the threshold and then protect thoroughly against that IP address. This blocks the attacker's behaviour of broadcasting request messages to collect the performance parameters of Modbus-enabled devices and so prevents the attacker's follow-up attack.
Brief description of the drawings
Fig. 1 is a schematic diagram of the format of a Modbus application data unit shown in the application;
Fig. 2 is an interaction diagram of the Modbus/TCP protocol shown in the application;
Fig. 3 is another interaction diagram of the Modbus/TCP protocol shown in the application;
Fig. 4 is a flow chart of a method for protecting against Modbus attacks shown in the application;
Fig. 5 is a block diagram of an embodiment of a device for protecting against Modbus attacks shown in the application;
Fig. 6 is a hardware structure diagram of a device for protecting against Modbus attacks shown in the application.
Embodiment
In order to make those skilled in the art understand the technical solution in the embodiments of the invention better, and to make the above purposes, features and advantages of the embodiments of the invention clearer, the prior art and the technical solution in the embodiments of the invention are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, which is a schematic diagram of the format of a Modbus application data unit (ADU, Application Data Unit) shown in the application: as shown in Fig. 1, the protocol data unit (PDU, Protocol Data Unit) within the application data unit has a function code field, into which one of several function codes defined by the Modbus protocol can be placed; each function code indicates a different action. A device with the Modbus protocol enabled generally supports several of these function codes, depending on its own configuration.
Modbus can be subdivided into protocol types such as Modbus/TCP (Transmission Control Protocol), Modbus/UDP (User Datagram Protocol), Modbus/RTU (Remote Terminal Unit) and Modbus/ASCII (American Standard Code for Information Interchange).
Referring to Fig. 2, which is an interaction diagram of the Modbus/TCP protocol shown in the application: as shown in Fig. 2, the client creates a request message and sends it to the server, where the request message carries a function code. After receiving the request message, the server performs the action indicated by the function code, then creates and sends a response message to the client, where the response message carries the same function code as the request message.
Referring to Fig. 3, which is another interaction diagram of the Modbus/TCP protocol shown in the application: as shown in Fig. 3, the client creates a request message and sends it to the server, where the request message carries a function code. After receiving the request message, the server performs the action indicated by the function code; if an error is detected during the operation, it creates and sends a response message to the client, where the response message carries an exception response code (exception function code) that indicates the type of error.
The exception response codes include 0x01, 0x02 and 0x03, among others. 0x01 indicates that the server does not support the function code in the received message; 0x02 indicates that the server does not support the operation address in the request message; 0x03 indicates that the data field of the received message contains illegal content. In practical applications, if the Modbus-enabled device is a programmable logic controller (PLC, Programmable Logic Controller), the operation address in the request message may be a code that represents a pin of the programmable logic controller.
Scanning tools such as PLC Scan (Programmable Logic Controller Scan) and ModScan32 currently exist and can scan for information about Modbus-enabled devices. Specifically, a request message carrying function code 0x2B/0x0E can be broadcast to many devices; if a response message is returned by any device, that device is determined to have the Modbus protocol enabled. The destination port of the request message can be the default port 502 of the Modbus/TCP protocol.
After determining which devices have the Modbus protocol enabled, the attacker can continue to send request messages carrying different function codes to those devices and collect their performance parameters from the returned response messages. The performance parameters include the function codes the device supports, the operation addresses on the device that correspond to each function code, and the function parameters stored at each operation address. After collecting a device's performance parameters, the attacker can subsequently launch an attack on the device. The function parameters depend on the functions the device supports; for example, if the device controls the switch of a fan, the function parameter may be a parameter indicating the fan's on/off state, and if the device controls the opening of a valve, the function parameter may be an opening degree from 0 to 100%.
Specifically, the attacker can send request messages carrying various function codes to a Modbus-enabled device and determine the function codes the device supports from the response messages received: if a response message carries the exception response code 0x01, the device does not support the function code in the request message sent before it.
The attacker can repeatedly send request messages accessing different operation addresses to a Modbus-enabled device and determine the operation addresses the device can operate on from the response messages received: if a response message carries the exception response code 0x02, the device does not support the operation address in the request message sent before it.
The attacker can repeatedly send request messages to a Modbus-enabled device that set the function parameter at each operation address, the request messages carrying the function parameter to be written. The attacker determines the function parameters the device supports from the response messages received: if a response message carries the exception response code 0x03, setting the function parameter failed. By repeatedly sending such request messages, the attacker can obtain the range of function parameters supported at each operation address.
In the prior art, protection rules are usually configured on a security device to filter Modbus messages. These protection rules can protect based on fields such as the function code and the operation address; for example, they can discard request messages that target several specified operation addresses and carry several specified function codes.
However, the Modbus request messages broadcast by an attacker are very numerous, and the protection rules cannot filter out all of those request messages. In that case the attacker can still continue to collect the performance parameters of Modbus-enabled devices and subsequently carry out a Modbus attack.
In view of this, the application provides a method for protecting against Modbus attacks, for blocking an attacker from collecting the performance parameters of Modbus-enabled devices and so preventing the follow-up attack.
Referring to Fig. 4, which is a flow chart of a method for protecting against Modbus attacks shown in the application, the method is applied to a security device and includes the following steps:
Step 401: receive a first message and determine whether the source IP of the first message hits a preset IP blacklist.
The security device may be a firewall device or a gateway device with a security protection function.
The "first message" refers to any received message; the name is used only for ease of description and does not limit the application.
The IP addresses in the IP blacklist are the IP addresses the security device needs to protect against. Determining whether the source IP of the first message hits the IP blacklist means checking whether the source IP of the first message is present in the IP blacklist. In the initial state, the IP blacklist is empty.
On the one hand, if the source IP of the first message hits the IP blacklist, the first message can be determined to have been sent by an attacker and is discarded directly;
on the other hand, if the first message does not hit the IP blacklist, it cannot yet be determined whether the first message was sent by an attacker, and the subsequent process is performed on the first message.
Step 402: if not, determine whether the first message is an exception message.
In one embodiment shown, before determining whether the first message is an exception message, the security device can first determine whether the first message is a Modbus message.
On the one hand, if the first message is not a Modbus message, it is outside the protection scope of this technical solution and can be forwarded directly;
on the other hand, if the first message is a Modbus message, the subsequent process can be performed, that is, determining whether it is an exception message.
With this measure, the security device reduces the number of messages to be processed subsequently and reduces the resource consumption of protecting against attack messages.
In one embodiment shown, while processing received messages, the security device can determine the session initiator and the session responder during the TCP three-way handshake that establishes the session's connection, and can record the IP address of the session initiator and the IP address of the session responder respectively.
When determining whether the first message is an exception message, the security device can first judge from the source IP whether the first message was sent by the session initiator or by the session responder.
Since an attacker actively sends a large number of request messages, the attacker is necessarily a session initiator.
If the first message was sent by the session initiator, check whether the first message carries a specified function code. The specified function code includes the function code 0x2B, which an attacker usually uses to detect whether a device has the Modbus protocol enabled.
If so, the first message can be determined to be an exception message. It should be pointed out that an exception message is a message that an attacker may send, but not necessarily one sent by an attacker; the subsequent flow is still needed to determine the attacker.
If not, the first message can be forwarded directly.
If the first message was sent by the session responder, check whether the first message carries a specified exception response code. The specified exception response codes include the exception response codes 0x01, 0x02 and 0x03 that a server may return when it receives request messages sent repeatedly by an attacker.
If so, the first message can be determined to be an exception message.
If not, the first message can be forwarded directly.
Step 403: if the first message is an exception message, update, based on the first message, the abnormal address entry corresponding to the first message in a preset abnormal address table, where the abnormal address table maps IP addresses to abnormal counts.
The IP addresses in the abnormal address table updated by the security device are all IP addresses of session initiators, so the attacker's IP address can subsequently be determined from the abnormal address table.
When updating the abnormal address entry, if the first message was sent by the session initiator, the security device can search the abnormal address table by the source IP of the first message to find the corresponding abnormal address entry.
On the one hand, if there is no corresponding abnormal address entry, the first message is the first message sent by that session initiator; the security device can create an abnormal address entry for the source IP of the first message and set the abnormal count in that entry to 1.
On the other hand, if there is a corresponding abnormal address entry, that session initiator has sent messages before; the security device can add 1 to the abnormal count in that entry.
If the first message was sent by the session responder, the security device can search the abnormal address table by the destination IP of the first message to find the corresponding abnormal address entry, and add 1 to the abnormal count in that entry.
As one embodiment, the security device can update the abnormal count using the preset summation formula 1+2+3+...+(n-1)+n, where n is the number of exception messages received that relate to the same session initiator;
alternatively, it can update the abnormal count using the preset summation formula 1+2+4+...+2*(n-1)+2*n, where n is the number of exception messages received that relate to the same session initiator.
In such an embodiment, the abnormal count in the abnormal address entry grows faster, reflecting that the more exception messages are received that relate to the same session initiator, the more likely that session initiator is the attacker.
After updating the abnormal address table, the security device can forward the first message.
Step 404: on a preset cycle, determine whether the abnormal count in each abnormal address entry of the abnormal address table reaches a preset threshold.
The threshold can be preconfigured on the security device; it characterises the critical abnormal count that corresponds to an attacker. It can be configured according to the actual application environment: for example, if there is more traffic in the network environment the threshold can be larger, and if there is less traffic in the network environment the threshold can be smaller. It can of course also be configured according to other strategies, which the application does not specifically limit.
The preset cycle can likewise be configured according to the actual application environment: for example, if there is more traffic in the network environment the preset cycle can be shorter, so that protection against the attacker takes effect in time. It can of course also be configured according to other strategies, which the application does not specifically limit.
In one embodiment shown, the security device can start a preset timer; after the timer reaches the preset cycle, it traverses the abnormal address table, compares the abnormal count in each abnormal address entry with the threshold, and determines whether the threshold has been reached.
Step 405: if any abnormal count reaches the threshold, add the IP address corresponding to that abnormal count to the IP blacklist.
The security device checks whether the abnormal counts reach the threshold in order to determine the attacker's IP address.
On the one hand, if an abnormal count does not reach the threshold, the IP address corresponding to that abnormal count can be determined not to be an attacker's IP address.
On the other hand, if any abnormal count reaches the threshold, the IP address corresponding to that abnormal count can be determined to be an attacker's IP address; the security device can add the attacker's IP address to the IP blacklist so that messages sent by the attacker are subsequently discarded directly.
With this measure, the security device can detect the attacker and protect effectively against the attacker.
In addition, after traversing the abnormal address table and adding the attacker's IP address to the IP blacklist, the security device can clear the abnormal address table.
Of course, if the security device does not find an attacker's IP address after traversing the abnormal address table, the abnormal address table still needs to be cleared.
With this measure, the security device determines the attacker in each measurement cycle based on a fresh abnormal address table, and prevents the contents of the abnormal address table from growing continuously and occupying excessive memory space.
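The following Python sketch is an added illustration, not code from the application, that puts steps 401 to 405 together with the Modbus/TCP frame layout of Fig. 1 to 3: an MBAP/PDU parser, the initiator-side check for function code 0x2B, the responder-side check for exception codes 0x01 to 0x03, the abnormal address table, and the periodic threshold check with blacklisting and clearing. The class and function names, the session table that stands in for TCP-handshake tracking, and every IP, port and frame are constructed for the example.

```python
"""Added illustration of steps 401 to 405 over Modbus/TCP frames (Fig. 1 to 3); not the
application's code. ModbusGuard and every IP, port and frame below are constructed."""
from collections import namedtuple
from dataclasses import dataclass, field

MODBUS_TCP_PORT = 502                  # default Modbus/TCP port named in the description
PROBE_FUNCTION_CODES = {0x2B}          # "specified function code" on the initiator side
EXCEPTION_CODES = {0x01, 0x02, 0x03}   # "specified exception response codes" (responder side)

# Constructed message record: what a security device sees for one TCP segment.
Message = namedtuple("Message", "src_ip dst_ip src_port dst_port payload")


def build_adu(function_code: int, data: bytes = b"", transaction_id: int = 1,
              unit_id: int = 1) -> bytes:
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU (Fig. 1)."""
    pdu = bytes([function_code]) + data
    mbap = (transaction_id.to_bytes(2, "big") + b"\x00\x00"          # protocol id 0 = Modbus
            + (len(pdu) + 1).to_bytes(2, "big") + bytes([unit_id]))  # length = unit id + PDU
    return mbap + pdu


def parse_modbus_pdu(payload: bytes):
    """Return (function_code, exception_code or None), or None if the frame is not a
    plausible Modbus/TCP ADU. An exception response sets the high bit of the function
    code and carries the exception code in the following byte (Fig. 3)."""
    if len(payload) < 8:
        return None
    protocol_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    function_code = payload[7]
    if function_code & 0x80:
        return (function_code & 0x7F, payload[8]) if len(payload) >= 9 else None
    return function_code, None


@dataclass
class ModbusGuard:
    threshold: int
    blacklist: set = field(default_factory=set)
    abnormal_table: dict = field(default_factory=dict)  # IP address -> abnormal count
    sessions: dict = field(default_factory=dict)        # {a, b} -> session initiator IP

    def register_session(self, initiator_ip: str, responder_ip: str) -> None:
        """Stands in for the initiator/responder tracking done at the TCP handshake."""
        self.sessions[frozenset((initiator_ip, responder_ip))] = initiator_ip

    def handle(self, msg: Message) -> str:
        """Steps 401 to 403 for one message; returns 'drop' or 'forward'."""
        if msg.src_ip in self.blacklist:                     # step 401: blacklisted source
            return "drop"
        parsed = parse_modbus_pdu(msg.payload)
        if MODBUS_TCP_PORT not in (msg.src_port, msg.dst_port) or parsed is None:
            return "forward"                                 # not Modbus: outside the scope
        function_code, exception_code = parsed
        initiator = self.sessions.get(frozenset((msg.src_ip, msg.dst_ip)))
        if initiator is None:
            return "forward"                                 # no session seen (assumption)
        if msg.src_ip == initiator:                          # step 402, initiator side
            is_exception, key = function_code in PROBE_FUNCTION_CODES, msg.src_ip
        else:                                                # step 402, responder side
            is_exception, key = exception_code in EXCEPTION_CODES, msg.dst_ip
        if is_exception:                                     # step 403: count against initiator
            self.abnormal_table[key] = self.abnormal_table.get(key, 0) + 1
        return "forward"

    def periodic_check(self) -> set:
        """Steps 404 and 405 at the end of a cycle; the table is cleared either way."""
        newly_blocked = {ip for ip, n in self.abnormal_table.items() if n >= self.threshold}
        self.blacklist |= newly_blocked
        self.abnormal_table.clear()
        return newly_blocked


def run_demo() -> dict:
    """Constructed traffic: 10.0.0.9 probes two PLCs with 0x2B and draws an exception
    response; 10.0.0.5 performs one ordinary read of holding registers (0x03)."""
    guard = ModbusGuard(threshold=3)
    for client, server in (("10.0.0.9", "10.0.1.1"), ("10.0.0.9", "10.0.1.2"),
                           ("10.0.0.5", "10.0.1.1")):
        guard.register_session(client, server)
    probe = build_adu(0x2B, b"\x0e\x01\x00")          # 0x2B/0x0E device-identification probe
    traffic = [
        Message("10.0.0.9", "10.0.1.1", 40001, 502, probe),                            # count 1
        Message("10.0.1.1", "10.0.0.9", 502, 40001, build_adu(0x2B | 0x80, b"\x01")),   # count 2
        Message("10.0.0.9", "10.0.1.2", 40002, 502, probe),                            # count 3
        Message("10.0.0.5", "10.0.1.1", 40003, 502, build_adu(0x03, b"\x00\x00\x00\x0a")),
        Message("10.0.1.1", "10.0.0.5", 502, 40003, build_adu(0x03, b"\x14" + bytes(20))),
    ]
    before = [guard.handle(m) for m in traffic]       # all forwarded while under threshold
    blocked = guard.periodic_check()                  # 10.0.0.9 reaches 3 and is blacklisted
    after = guard.handle(Message("10.0.0.9", "10.0.1.1", 40001, 502, probe))  # now dropped
    return {"before": before, "blocked": blocked, "after": after,
            "table": dict(guard.abnormal_table)}
```

Note that the responder-side rule counts an exception response against the initiator even when the matching request carried an ordinary function code, so a benign client that hits an unsupported address repeatedly also accumulates a count; the threshold and cycle are what keep that from becoming a false positive.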
In conclusion, in this technical solution, after the security device receives the first message, it first determines whether the source IP of the first message hits the preset IP blacklist and only processes messages that do not hit the IP blacklist; further, the security device determines whether the first message is an exception message and, if it is, updates the corresponding abnormal address entry; the security device keeps updating the abnormal address table from the received messages and can subsequently determine the attacker from the abnormal address table.
On a preset cycle, the security device can determine whether the abnormal count in each abnormal address entry of the abnormal address table reaches the preset threshold, and adds the IP address corresponding to any abnormal count that reaches the threshold to the IP blacklist.
Because the security device updates the abnormal count corresponding to the IP address of the session initiator once an exception message has been identified, it can determine the attacker's IP address when the abnormal count reaches the threshold and then protect thoroughly against that IP address. This blocks the attacker's behaviour of broadcasting request messages to collect the performance parameters of Modbus-enabled devices and so prevents the attacker's follow-up attack.
Corresponding to the foregoing embodiments of the method for protecting against Modbus attacks, the application also provides embodiments of a device for protecting against Modbus attacks.
Refer to Fig. 5, which is a block diagram of an embodiment of the device for protecting against Modbus attacks shown in the application:
As shown in Fig. 5, the device 50 for protecting against Modbus attacks includes:
a receiving unit 510, for receiving a first message and determining whether the source IP of the first message hits a preset IP blacklist;
a first determination unit 520, for determining, if not, whether the first message is an exception message;
an updating unit 530, for updating, if the first message is an exception message, the abnormal address entry corresponding to the first message in a preset abnormal address table based on the first message; wherein the abnormal address table includes mapping relations between IP addresses and abnormal counts;
a second determination unit 540, for determining, based on a preset period, whether the abnormal count in each abnormal address entry of the abnormal address table reaches a preset threshold;
an adding unit 550, for adding, if any abnormal count reaches the threshold, the IP address corresponding to that abnormal count to the IP blacklist.
In this example, the first determination unit 520 is further used for:
before determining whether the first message is an exception message, determining whether the first message is a Modbus message;
if not, forwarding the first message;
if so, performing the subsequent process.
In this example, the first determination unit 520 is further used for:
if the first message is sent by the session initiator, checking whether the first message carries a specified function code;
if so, determining that the first message is the exception message;
if the first message is sent by the session responder, checking whether the first message carries a specified exception response code;
if so, determining that the first message is the exception message.
In this example, the updating unit 530 is further used for:
if the first message is sent by the session initiator, searching the abnormal address table based on the source IP of the first message and determining the corresponding abnormal address entry;
if there is no corresponding abnormal address entry, creating an abnormal address entry based on the source IP and setting the abnormal count in that abnormal address entry to 1;
if there is a corresponding abnormal address entry, adding 1 to the abnormal count in that abnormal address entry;
if the first message is sent by the session responder, searching the abnormal address table based on the destination IP of the first message, determining the corresponding abnormal address entry, and adding 1 to the abnormal count in that abnormal address entry.
In this example, the device further includes:
an emptying unit 560 (not shown), for emptying the abnormal address table after the IP address corresponding to the abnormal count has been added to the IP blacklist.
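The following Python simulation is an added example, not code from the patent or its applicant. It implements the pipeline described in the method summary above and by units 510 to 560: blacklist check, Modbus check, exception-message classification by sender role, an abnormal address table keyed to the session initiator's IP, a periodic threshold check that moves offenders to the blacklist, and the clearing of the table at the end of each period. The page does not enumerate the "specified" function codes or exception response codes, so the sets below are assumptions, as are the port-based role inference, the threshold of 3, the IP addresses and the constructed sample messages.

```python
"""Simulation of the Modbus protection scheme described on this page (added example,
not the patent's code). Packets are constructed in memory so it runs offline; the
code sets, ports, IP addresses and threshold below are assumptions, not page values."""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502  # standard Modbus/TCP port; sender role is inferred from it (assumption)
# "Specified" function codes (initiator side) and exception response codes (responder
# side). The page does not enumerate them; these sets are assumptions.
SUSPICIOUS_FUNCTION_CODES = {0x08, 0x11, 0x2B}   # diagnostics, report server id, encapsulated transport
SUSPICIOUS_EXCEPTION_CODES = {0x01, 0x02, 0x03}  # illegal function / data address / data value


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def mb_request(tid, unit, func, data=b""):
    """Modbus/TCP request: MBAP header (tid, proto 0, length, unit id) + PDU."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def mb_exception(tid, unit, func, exc_code):
    """Modbus/TCP exception response: function code with bit 7 set, then exception code."""
    pdu = bytes([func | 0x80, exc_code])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def is_modbus(pkt):
    return MODBUS_TCP_PORT in (pkt.src_port, pkt.dst_port)


def from_initiator(pkt):
    """The session initiator (client) is the side sending to port 502."""
    return pkt.dst_port == MODBUS_TCP_PORT


def parse_function_code(payload):
    """Return the PDU function code, or None if the MBAP header is malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return payload[7]


def is_exception_message(pkt):
    """Initiator side: specified function code; responder side: specified exception code."""
    func = parse_function_code(pkt.payload)
    if func is None:
        return False
    if from_initiator(pkt):
        return func in SUSPICIOUS_FUNCTION_CODES
    return bool(func & 0x80) and len(pkt.payload) >= 9 and pkt.payload[8] in SUSPICIOUS_EXCEPTION_CODES


class ModbusGuard:
    """Security-device state: the IP blacklist and the abnormal address table."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.blacklist = set()
        self.table = {}  # abnormal address table: initiator IP -> abnormal count

    def handle(self, pkt):
        """Verdict for one packet: 'drop' (blacklisted source) or 'forward'."""
        if pkt.src_ip in self.blacklist:
            return "drop"
        if not is_modbus(pkt):  # non-Modbus traffic is forwarded untouched
            return "forward"
        if is_exception_message(pkt):
            if from_initiator(pkt):  # count against the sender, creating the entry if new
                self.table[pkt.src_ip] = self.table.get(pkt.src_ip, 0) + 1
            elif pkt.dst_ip in self.table:  # a responder's exception reply counts against its initiator
                self.table[pkt.dst_ip] += 1
        return "forward"  # the page blocks only via the blacklist, so the message still passes

    def periodic_check(self):
        """Once per period: blacklist IPs at or over threshold, then empty the table."""
        offenders = sorted(ip for ip, n in self.table.items() if n >= self.threshold)
        self.blacklist.update(offenders)
        self.table.clear()  # emptied whether or not an attacker was found
        return offenders


def run_demo():
    """Constructed traffic: one legitimate client and one host probing device identity."""
    guard = ModbusGuard(threshold=3)
    attacker, plc, operator = "10.0.0.66", "10.0.0.10", "10.0.0.20"  # constructed addresses
    cycle = [
        Packet(operator, plc, 40001, 502, mb_request(1, 1, 0x03, b"\x00\x00\x00\x0a")),  # read registers
        Packet(attacker, plc, 40002, 502, mb_request(2, 1, 0x11)),                          # report server id
        Packet(plc, attacker, 502, 40002, mb_exception(2, 1, 0x11, 0x01)),                 # illegal function
        Packet(attacker, plc, 40003, 80, b"not modbus"),                                    # forwarded untouched
        Packet(attacker, plc, 40004, 502, mb_request(3, 1, 0x2B, b"\x0e\x01\x00")),        # device identification
    ]
    verdicts = [guard.handle(p) for p in cycle]
    table_before = dict(guard.table)
    offenders = guard.periodic_check()
    later = guard.handle(Packet(attacker, plc, 40005, 502, mb_request(4, 1, 0x03, b"\x00\x00\x00\x01")))
    return {"verdicts": verdicts, "table_before": table_before, "offenders": offenders,
            "later": later, "table_after": dict(guard.table)}
```

Calling `run_demo()` walks one measurement period: the probing host accumulates three abnormal counts (two of its own requests plus the PLC's exception reply addressed to it), is blacklisted by `periodic_check()`, and its next request is dropped, while the table is left empty for the next period. Note that, as on the page, the responder-side increment only applies when an entry for the initiator already exists; a stray exception reply to an address never seen as an initiator creates nothing.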
The embodiments of the device for protecting against Modbus attacks of the application can be applied on a security device. The device embodiments can be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, as a device in the logical sense, it is formed by the processor of the security device where it is located reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware perspective, Fig. 6 shows a hardware structure diagram of the security device where the device for protecting against Modbus attacks of the application is located; in addition to the processor, memory, network interface and non-volatile memory shown in Fig. 6, the security device where the device of the embodiment is located may also include other hardware according to the actual function of protecting against Modbus attacks, which is not described again here.
For the implementation process of the functions and effects of each unit in the above device, refer specifically to the implementation process of the corresponding steps in the above method; details are not repeated here.
As the device embodiments essentially correspond to the method embodiments, the relevant parts can be understood with reference to the partial explanation of the method embodiments. The device embodiments described above are only illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application. Those of ordinary skill in the art can understand and implement it without creative effort.
The foregoing is merely the preferred embodiment of the application and is not intended to limit the application; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the application shall be included within the scope of protection of the application.
Claims (10)
- 1. A method for protecting against Modbus attacks, applied to a security device, characterized by comprising: receiving a first message and determining whether the source IP of the first message hits a preset IP blacklist; if not, determining whether the first message is an exception message; if the first message is an exception message, updating the abnormal address entry corresponding to the first message in a preset abnormal address table based on the first message, wherein the abnormal address table includes mapping relations between IP addresses and abnormal counts; determining, based on a preset period, whether the abnormal count in each abnormal address entry of the abnormal address table reaches a preset threshold; if any abnormal count reaches the threshold, adding the IP address corresponding to that abnormal count to the IP blacklist.
- 2. The method according to claim 1, characterized in that the method further comprises: before determining whether the first message is an exception message, determining whether the first message is a Modbus message; if not, forwarding the first message; if so, performing the subsequent process.
- 3. The method according to claim 1, characterized in that determining whether the first message is an exception message comprises: if the first message is sent by the session initiator, checking whether the first message carries a specified function code; if so, determining that the first message is the exception message; if the first message is sent by the session responder, checking whether the first message carries a specified exception response code; if so, determining that the first message is the exception message.
- 4. The method according to claim 3, characterized in that updating the abnormal address entry corresponding to the first message in the preset abnormal address table based on the first message comprises: if the first message is sent by the session initiator, searching the abnormal address table based on the source IP of the first message and determining the corresponding abnormal address entry; if there is no corresponding abnormal address entry, creating an abnormal address entry based on the source IP and setting the abnormal count in that abnormal address entry to 1; if there is a corresponding abnormal address entry, adding 1 to the abnormal count in that abnormal address entry; if the first message is sent by the session responder, searching the abnormal address table based on the destination IP of the first message, determining the corresponding abnormal address entry, and adding 1 to the abnormal count in that abnormal address entry.
- 5. The method according to claim 4, characterized in that the method further comprises: after the IP address corresponding to the abnormal count is added to the IP blacklist, emptying the abnormal address table.
- 6. A device for protecting against Modbus attacks, applied to a security device, characterized by comprising: a receiving unit, for receiving a first message and determining whether the source IP of the first message hits a preset IP blacklist; a first determination unit, for determining, if not, whether the first message is an exception message; an updating unit, for updating, if the first message is an exception message, the abnormal address entry corresponding to the first message in a preset abnormal address table based on the first message, wherein the abnormal address table includes mapping relations between IP addresses and abnormal counts; a second determination unit, for determining, based on a preset period, whether the abnormal count in each abnormal address entry of the abnormal address table reaches a preset threshold; an adding unit, for adding, if any abnormal count reaches the threshold, the IP address corresponding to that abnormal count to the IP blacklist.
- 7. The device according to claim 6, characterized in that the first determination unit is further used for: before determining whether the first message is an exception message, determining whether the first message is a Modbus message; if not, forwarding the first message; if so, performing the subsequent process.
- 8. The device according to claim 6, characterized in that the first determination unit is further used for: if the first message is sent by the session initiator, checking whether the first message carries a specified function code; if so, determining that the first message is the exception message; if the first message is sent by the session responder, checking whether the first message carries a specified exception response code; if so, determining that the first message is the exception message.
- 9. The device according to claim 8, characterized in that the updating unit is further used for: if the first message is sent by the session initiator, searching the abnormal address table based on the source IP of the first message and determining the corresponding abnormal address entry; if there is no corresponding abnormal address entry, creating an abnormal address entry based on the source IP and setting the abnormal count in that abnormal address entry to 1; if there is a corresponding abnormal address entry, adding 1 to the abnormal count in that abnormal address entry; if the first message is sent by the session responder, searching the abnormal address table based on the destination IP of the first message, determining the corresponding abnormal address entry, and adding 1 to the abnormal count in that abnormal address entry.
- 10. The device according to claim 9, characterized in that the device further comprises: an emptying unit, for emptying the abnormal address table after the IP address corresponding to the abnormal count is added to the IP blacklist.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711424133.1A CN107948195B (en) | 2017-12-25 | 2017-12-25 | Method and device for protecting Modbus attack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711424133.1A CN107948195B (en) | 2017-12-25 | 2017-12-25 | Method and device for protecting Modbus attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107948195A true CN107948195A (en) | 2018-04-20 |
CN107948195B CN107948195B (en) | 2020-12-04 |
Family
ID=61939066
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711424133.1A Active CN107948195B (en) | 2017-12-25 | 2017-12-25 | Method and device for protecting Modbus attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107948195B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109413037A (en) * | 2018-09-12 | 2019-03-01 | 北京奇安信科技有限公司 | A kind of Modbus method for processing business and device |
CN110233831A (en) * | 2019-05-21 | 2019-09-13 | 深圳壹账通智能科技有限公司 | The detection method and device of malicious registration |
CN111131192A (en) * | 2019-12-10 | 2020-05-08 | 杭州迪普科技股份有限公司 | Bypass protection method and device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1874303A (en) * | 2006-03-04 | 2006-12-06 | 华为技术有限公司 | Method for implementing black sheet |
CN101188612A (en) * | 2007-12-10 | 2008-05-28 | 中兴通讯股份有限公司 | A blacklist real time management method and device |
CN105681353A (en) * | 2016-03-22 | 2016-06-15 | 浙江宇视科技有限公司 | Method and device of defending port scanning invasion |
CN105847249A (en) * | 2016-03-22 | 2016-08-10 | 英赛克科技(北京)有限公司 | Safety protection system and method for Modbus network |
CN106027511A (en) * | 2016-05-13 | 2016-10-12 | 北京工业大学 | Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol) |
CN106130986A (en) * | 2016-06-30 | 2016-11-16 | 湘潭大学 | A kind of wind energy turbine set active safety defence method based on automated decision-making |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1874303A (en) * | 2006-03-04 | 2006-12-06 | 华为技术有限公司 | Method for implementing black sheet |
CN100471172C (en) * | 2006-03-04 | 2009-03-18 | 华为技术有限公司 | Method for implementing black sheet |
CN101188612A (en) * | 2007-12-10 | 2008-05-28 | 中兴通讯股份有限公司 | A blacklist real time management method and device |
CN105681353A (en) * | 2016-03-22 | 2016-06-15 | 浙江宇视科技有限公司 | Method and device of defending port scanning invasion |
CN105847249A (en) * | 2016-03-22 | 2016-08-10 | 英赛克科技(北京)有限公司 | Safety protection system and method for Modbus network |
CN106027511A (en) * | 2016-05-13 | 2016-10-12 | 北京工业大学 | Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol) |
CN106130986A (en) * | 2016-06-30 | 2016-11-16 | 湘潭大学 | A kind of wind energy turbine set active safety defence method based on automated decision-making |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109413037A (en) * | 2018-09-12 | 2019-03-01 | 北京奇安信科技有限公司 | A kind of Modbus method for processing business and device |
CN109413037B (en) * | 2018-09-12 | 2021-11-16 | 奇安信科技集团股份有限公司 | Modbus service processing method and device |
CN110233831A (en) * | 2019-05-21 | 2019-09-13 | 深圳壹账通智能科技有限公司 | The detection method and device of malicious registration |
CN111131192A (en) * | 2019-12-10 | 2020-05-08 | 杭州迪普科技股份有限公司 | Bypass protection method and device |
Also Published As
Publication number | Publication date |
---|---|
CN107948195B (en) | 2020-12-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||