CN107948195B - Method and device for protecting Modbus attack - Google Patents


Info

Publication number: CN107948195B
Authority: CN (China)
Prior art keywords: abnormal, message, address table, address, determining
Legal status: Active (Google Patents lists legal status as an assumption, not a legal conclusion)
Application number: CN201711424133.1A
Other languages: Chinese (zh)
Other versions: CN107948195A (en)
Inventor: 贾新奎
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201711424133.1A
Publication of CN107948195A; application granted; publication of CN107948195B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/10 ... for controlling access to devices or network resources
                • H04L63/101 Access control lists [ACL]
            • H04L63/02 ... for separating internal from external traffic, e.g. firewalls
                • H04L63/0227 Filtering policies
                    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
            • H04L63/14 ... for detecting or protecting against malicious traffic
                • H04L63/1408 ... by monitoring network traffic
                    • H04L63/1425 Traffic logging, e.g. anomaly detection
        • H04L12/00 Data switching networks
            • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
                • H04L12/40 Bus networks
                    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
                        • H04L2012/40228 Modbus


Abstract

The application provides a method and a device for protecting against Modbus attacks, applied to a security device, wherein the method comprises the following steps: receiving a first message, and determining whether the source IP of the first message hits a preset IP blacklist; if not, determining whether the first message is an abnormal message; if the first message is an abnormal message, updating the abnormal address table entry corresponding to the first message in a preset abnormal address table based on the first message, the abnormal address table comprising a mapping between IP addresses and abnormal numbers; determining, based on a preset period, whether the abnormal number in each entry of the abnormal address table reaches a preset threshold; and if any abnormal number reaches the threshold, adding the IP address corresponding to that abnormal number to the IP blacklist. The method and device block an attacker from broadcasting request messages to collect the performance parameters of Modbus-enabled devices, and thereby thoroughly protect against the attacker.

Description

Method and device for protecting Modbus attack
Technical Field
The application relates to the field of safety protection, in particular to a method and a device for protecting Modbus attack.
Background
The Modbus communication protocol is a bus communication protocol applied to client/server (C/S) architectures in industrial environments. Modbus communication is generally initiated by the client, and the server responds to the client. The Modbus protocol provides no authentication of the communicating parties and does not support encryption of the communication content, so it has security weaknesses.
An attacker can scan the equipment by broadcasting Modbus request messages to a plurality of equipment, determine the equipment which enables the Modbus protocol, then continuously send the request messages to the equipment which enables the Modbus protocol, and receive returned response messages to collect the performance parameters of the equipment. And a subsequent attacker can attack the Modbus protocol-enabled device through the collected performance parameters.
In the prior art, protection rules can be configured on security equipment to filter Modbus messages, however, the number of Modbus request messages broadcast by an attacker is large, and in practice, it is difficult for the protection rules to completely filter the request messages.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for protecting against Modbus attacks, which prevent an attacker from collecting the performance parameters of Modbus-enabled devices and thereby prevent the attacker's subsequent attacks.
Specifically, the method is realized through the following technical scheme:
a method for protecting Modbus attack is applied to a safety device and comprises the following steps:
receiving a first message, and determining whether a source IP of the first message hits a preset IP blacklist;
if not, determining whether the first message is an abnormal message;
if the first message is an abnormal message, updating an abnormal address table item corresponding to the first message in a preset abnormal address table based on the first message; the abnormal address table comprises a mapping relation between an IP address and an abnormal number;
determining whether the abnormal number in each abnormal address table entry of the abnormal address table reaches a preset threshold value or not based on a preset period;
and if any abnormal number reaches the threshold value, adding the IP address corresponding to the abnormal number into the IP blacklist.
In the method for protecting against Modbus attacks, the method further comprises:
before determining whether the first message is an abnormal message, determining whether the first message is a Modbus message;
if not, forwarding the first message;
if so, executing the subsequent flow.
In the method for protecting against Modbus attack, the determining whether the first packet is an abnormal packet includes:
if the first message is sent by a session initiator, checking whether the first message carries a specified function code;
if so, determining that the first message is the abnormal message;
if the first message is sent by a session responder, checking whether the first message carries an appointed abnormal response code;
if so, determining that the first message is the abnormal message.
In the method for protecting Modbus attack, the updating, based on the first packet, an abnormal address table entry corresponding to the first packet in a preset abnormal address table includes:
if the first message is sent by the session initiator, searching the abnormal address table based on the source IP of the first message, and determining a corresponding abnormal address table item;
if the corresponding abnormal address table entry does not exist, establishing an abnormal address table entry based on the source IP, and setting the abnormal number in the abnormal address table entry to be 1;
if the corresponding abnormal address table entry exists, adding 1 to the abnormal number in the abnormal address table entry;
if the first message is sent by the session responder, searching the abnormal address table based on the destination IP of the first message, determining a corresponding abnormal address table item, and adding 1 to the abnormal number in the abnormal address table item.
In the method for protecting against Modbus attacks, the method further comprises:
and after the IP address corresponding to the abnormal number is added into the IP blacklist, clearing the abnormal address table.
The application also provides a device for protecting against Modbus attacks, applied to a security device, comprising:
the receiving unit is used for receiving a first message and determining whether a source IP of the first message hits a preset IP blacklist;
a first determining unit, configured to determine whether the first message is an abnormal message if the source IP does not hit the IP blacklist;
an updating unit, configured to update an abnormal address table entry corresponding to the first packet in a preset abnormal address table based on the first packet if the first packet is an abnormal packet; the abnormal address table comprises a mapping relation between an IP address and an abnormal number;
a second determining unit, configured to determine, based on a preset period, whether an exception number in each exception address table entry of the exception address table reaches a preset threshold;
and the adding unit is used for adding the IP address corresponding to the abnormal number into the IP blacklist if any abnormal number reaches the threshold value.
In the apparatus for protecting against Modbus attack, the first determining unit is further configured to:
before determining whether the first message is an abnormal message, determining whether the first message is a Modbus message;
if not, forwarding the first message;
if so, executing the subsequent flow.
In the apparatus for protecting against Modbus attack, the first determining unit is further configured to:
if the first message is sent by a session initiator, checking whether the first message carries a specified function code;
if so, determining that the first message is the abnormal message;
if the first message is sent by a session responder, checking whether the first message carries an appointed abnormal response code;
if so, determining that the first message is the abnormal message.
In the apparatus for protecting against Modbus attack, the updating unit is further configured to:
if the first message is sent by the session initiator, searching the abnormal address table based on the source IP of the first message, and determining a corresponding abnormal address table item;
if the corresponding abnormal address table entry does not exist, establishing an abnormal address table entry based on the source IP, and setting the abnormal number in the abnormal address table entry to be 1;
if the corresponding abnormal address table entry exists, adding 1 to the abnormal number in the abnormal address table entry;
if the first message is sent by the session responder, searching the abnormal address table based on the destination IP of the first message, determining a corresponding abnormal address table item, and adding 1 to the abnormal number in the abnormal address table item.
In the device for protecting against Modbus attacks, the device further comprises:
and the clearing unit is used for clearing the abnormal address table after the IP address corresponding to the abnormal number has been added into the IP blacklist.
In the embodiment of the application, after receiving a first message, the security device first filters it against the IP blacklist and discards a message whose source IP hits the blacklist; it then determines whether the first message is an abnormal message, and if so, updates the abnormal address table entry corresponding to the first message in a preset abnormal address table; the abnormal address table comprises a mapping between IP addresses and abnormal numbers;
the safety equipment can determine whether the abnormal number in each abnormal address table entry of the abnormal address table reaches a preset threshold value or not based on a preset period, and then add the IP address corresponding to the abnormal number reaching the threshold value into an IP blacklist;
the security device updates the abnormal number corresponding to the IP address of the session initiator after determining an abnormal message, so that the IP address of an attacker can be determined once the abnormal number reaches the threshold value and the attacker's IP address can be thoroughly blocked; the behaviour of an attacker broadcasting request messages to collect the performance parameters of Modbus-enabled devices is thereby blocked, and the attacker's subsequent attacks are prevented.
Drawings
FIG. 1 is a schematic format diagram of an application data unit of a Modbus shown in the present application;
FIG. 2 is an interactive schematic diagram of a Modbus/TCP protocol shown in the present application;
FIG. 3 is an interactive schematic diagram of another Modbus/TCP protocol shown in the present application;
FIG. 4 is a flow chart illustrating a method of protecting against Modbus attacks in accordance with the present application;
FIG. 5 is a block diagram of an embodiment of a device for protecting against Modbus attacks, shown in the present application;
FIG. 6 is a hardware structure diagram of a device for protecting against Modbus attacks according to the present application.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the above objects, features and advantages of the embodiments of the present invention more comprehensible, the following description of the prior art and the technical solutions in the embodiments of the present invention with reference to the accompanying drawings is provided.
Referring to fig. 1, which is a schematic format diagram of a Modbus Application Data Unit (ADU) shown in the present application, the Protocol Data Unit (PDU) inside the ADU has a function code field, which may carry any of several function codes specified by the Modbus protocol, each indicating a different action. A Modbus-enabled device may support several of these function codes depending on its own configuration.
Modbus can be subdivided into Modbus/TCP (Transmission Control Protocol), Modbus/UDP (User Datagram Protocol), Modbus/RTU (Remote Terminal Unit), Modbus/ASCII (American Standard Code for Information exchange), and other Protocol types.
Referring to fig. 2, which is an interaction schematic diagram of a Modbus/TCP protocol shown in the present application, as shown in fig. 2, after a client creates a request packet, the client sends the request packet to a server; wherein, the request message carries the function code. And after receiving the request message and executing the action indicated by the function code, the server creates and sends a response message to the client. Wherein, the response message carries the same function code as the request message.
Referring to fig. 3, which is an interaction schematic diagram of another Modbus/TCP protocol shown in the present application, as shown in fig. 3, after a client creates a request packet, the client sends the request packet to a server; wherein, the request message carries the function code. After receiving the request message, the server executes the action indicated by the function code, detects an error in operation, and can create and send a response message to the client. Wherein, the response message carries an exception response code (exception function code), and the exception response code indicates the error type.
The abnormal response code may include 0x01, 0x02, 0x03, and the like. Wherein 0x01 indicates that the server does not support the function code in the received message; 0x02 indicates that the server does not support the operation address in the operation request message; 0x03 indicates that there is illegal content in the data field of the message received by the server. In practical applications, if the device that enables the Modbus protocol is a Programmable Logic Controller (PLC), the operation address may be an encoding indicating a pin of the PLC in the request message.
At present, there are scan tools such as PLCScan (Programmable Logic Controller Scan) and ModScan32, which can scan information of devices that enable the Modbus protocol. Specifically, a request message carrying the 0x2B/0x0E function code may be broadcast to a plurality of devices, and if a response message is returned by any device, it is determined that the device enables the Modbus protocol. The destination port of the request message may be the default port 502 of the Modbus/TCP protocol.
After determining the devices which start the Modbus protocol, the attacker can continue to send request messages carrying different function codes to the devices, so that the performance parameters of the devices are collected according to the returned response messages. The performance parameters include function codes supported by the device, operation addresses on the device corresponding to the function codes, and function parameters stored in the operation addresses. After collecting the performance parameters of the device, the attacker can attack the device in the subsequent process. The function parameter is related to the function supported by the equipment; for example, if the device can control the opening and closing of the fan, the functional parameter may be a parameter indicating the opening and closing of the fan, and if the device can control the opening and closing state of the valve, the functional parameter may be 0 to 100% opening degree.
Specifically, an attacker may send a request message carrying various function codes to a device enabling a Modbus protocol, and determine the function codes supported by the device through the received response message, and if an abnormal response code 0x01 is carried in the response message, it indicates that the device does not support the function codes in the request message sent before.
An attacker can repeatedly send request messages for accessing different operation addresses to the Modbus protocol-enabled device, determine the operation addresses which can be operated by the device through the received response messages, and if the abnormal response codes 0x02 are carried in the response messages, the device does not support the operation addresses in the request messages sent before.
An attacker can also repeatedly send request messages that set the function parameter at each operation address of the Modbus-enabled device, where each request message carries the function parameter to be written. The attacker determines the function parameters supported by the device from the received response messages; if the response message carries the abnormal response code 0x03, the function parameter setting has failed. By repeatedly sending such request messages, the attacker can obtain the supported range of the function parameter at each operation address.
In the prior art, protection rules are generally configured on a security device to filter Modbus messages, and the protection rules may perform protection based on fields such as function codes and operation addresses, for example, request messages carrying several specified function codes for several specified operation addresses may be discarded.
However, the number of Modbus request messages broadcast by an attacker is large, and the protection rules cannot completely filter out the request messages. In this case, the attacker can still continuously collect the performance parameters of the Modbus protocol-enabled devices, thereby subsequently executing the Modbus attack.
In view of this, the present application provides a method for protecting against Modbus attacks, which is used to block an attacker from collecting performance parameters of devices that enable Modbus, and further prevent subsequent attack behaviors.
Referring to fig. 4, a flowchart of a method for protecting against Modbus attacks is shown, where the method is applied to a security device, and includes the following steps:
step 401: receiving a first message, and determining whether a source IP of the first message hits a preset IP blacklist.
The security device may be a firewall device or a gateway device with a security protection function.
The first message generally refers to any received message, and is named for convenience of description only, and is not limited in this application.
Determining whether the source IP of the first message hits the IP blacklist means checking whether the source IP of the first message exists in the IP blacklist. In the initial state, the IP blacklist is empty.
On one hand, if the source IP of the first message hits the IP blacklist, the first message can be determined to be sent by an attacker, and the first message is directly discarded;
on the other hand, if the first message does not hit the IP blacklist, it is still uncertain that the first message is sent by an attacker, and a subsequent process is performed on the first message.
Step 402: if not, determining whether the first message is an abnormal message.
In one embodiment, before determining whether the first message is an abnormal message, the security device may first determine whether the first message is a Modbus message.
On one hand, if the first message is not a Modbus message, the first message may be directly forwarded without being within the protection range of the technical scheme of the present application;
on the other hand, if the first packet is a Modbus packet, the subsequent process may be executed, that is, it is determined whether the first packet is an abnormal packet.
By the measures, the security device can reduce the number of messages to be processed subsequently, and reduce resource consumption brought by protecting attack messages.
In one embodiment, while processing received messages, the security device may identify the session initiator and the session responder during TCP three-way-handshake session establishment, and may record the IP address of the session initiator and the IP address of the session responder respectively.
When determining whether the first packet is an abnormal packet, the security device may first determine, based on the source IP, whether the first packet is sent by a session initiator or a session responder.
Since an attacker can actively send a large number of request messages, the attacker is necessarily a session initiator.
If the first message is sent by a session initiator, checking whether the first message carries a specified function code. The specified function codes include a function code 0x2B that an attacker usually uses to detect whether the device enables the Modbus protocol.
If so, the first message can be determined to be an abnormal message. It should be noted that the abnormal packet refers to a packet that may be sent by an attacker, but is not necessarily sent by the attacker, and a subsequent process is also required to determine the attacker.
If not, the first message can be directly forwarded.
And if the first message is sent by a session responder, checking whether the first message carries an appointed abnormal response code. The specified abnormal response codes comprise abnormal response codes 0x01, 0x02 and 0x03 which can be replied by the server when receiving the request message repeatedly sent by the attacker.
If so, the first message can be determined to be an abnormal message.
If not, the first message can be directly forwarded.
Step 403: if the first message is an abnormal message, updating an abnormal address table entry corresponding to the first message in a preset abnormal address table based on the first message; the abnormal address table comprises a mapping relation between an IP address and an abnormal number.
The IP addresses in the abnormal address table updated by the security device are all the IP addresses of the session initiator, and the IP addresses of the attackers can be determined according to the abnormal address table.
When the abnormal address table entry is updated, if the first message is sent by a session initiator, the abnormal address table may be searched based on the source IP of the first message, and a corresponding abnormal address table entry may be determined.
On one hand, if there is no corresponding abnormal address table entry, the first packet is a packet that is first sent by the session initiator, and the security device may create an abnormal address table entry based on the source IP of the first packet, and set the number of exceptions in the abnormal address table entry to 1.
On the other hand, if there is a corresponding abnormal address entry, the session initiator has already sent a message before, and the security device may add 1 to the abnormal number in the abnormal address entry.
If the first message is sent by the session responder, the abnormal address table may be searched based on the destination IP of the first message, a corresponding abnormal address table entry may be determined, and 1 may be added to the abnormal number in the abnormal address table entry.
As an embodiment, the security device may update the abnormal number using a preset accumulation formula 1 + 2 + 3 + ... + (n-1) + n, where n represents the number of times an abnormal message related to the same session initiator has been received;
alternatively, the abnormal number may be updated using a preset accumulation formula 1 + 2 + 4 + ... + 2^(n-1) + 2^n, where n again represents the number of times abnormal messages related to the same session initiator have been received.
In these embodiments the abnormal number in the abnormal address table entry grows faster than a plain count, reflecting that the more abnormal messages with the same session initiator are received, the more likely that session initiator is an attacker.
And after updating the abnormal address table, the security device can forward the first message.
Step 404: and determining whether the abnormal number in each abnormal address table entry of the abnormal address table reaches a preset threshold value or not based on a preset period.
A threshold value may be preconfigured on the security device; the threshold is the abnormal number at which an IP address is regarded as belonging to an attacker. It may be configured according to the actual application environment: for example, if the traffic in the network environment is high, the threshold may be set high, and if the traffic is low, the threshold may be set low. Of course, the configuration may follow other strategies, which are not specifically limited in this application.
The preset period can also be configured based on the actual application environment, for example, if the traffic in the network environment is more, the preset period can be shorter, which is convenient for protecting an attacker in time. Of course, the configuration may be performed according to other strategies, which are not specifically limited in this application.
In one embodiment, the security device may start a preset timer, and when the timer reaches the preset period, traverse the abnormal address table, compare the abnormal number in each abnormal address table entry with the threshold, and determine whether the threshold has been reached.
Step 405: if any abnormal number reaches the threshold value, adding the IP address corresponding to the abnormal number into the IP blacklist.
The security device checks whether the abnormal number reaches a threshold value, so as to determine the IP address of the attacker.
In one aspect, if the number of exceptions does not reach the threshold, it may be determined that the IP address to which the number of exceptions corresponds is not the IP address of the attacker.
On the other hand, if any abnormal number reaches the threshold, the IP address corresponding to that abnormal number can be determined to be the IP address of the attacker, and the security device can add it to the IP blacklist, so that messages sent by the attacker are directly discarded from then on.
By these measures, the security device can detect the attacker and effectively protect against the attacker.
In addition, the security device may clear the abnormal address table after traversing the abnormal address table and adding the IP address of the attacker to the IP blacklist.
Of course, if the security device does not find the IP address of the attacker after traversing the abnormal address table, the abnormal address table also needs to be cleared.
By the measures, the security device can determine an attacker based on a brand-new abnormal address table in each statistical period, and prevent the content of the abnormal address table from occupying too much memory space after being continuously increased.
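The following is an added example, not code from the patent or from the assignee: a minimal Python model of steps 401 to 405 operating on Modbus/TCP ADUs as described for fig. 1 to fig. 3 (MBAP header, function code, exception response code). The class and function names, the threshold, the two accumulation formulas as options, and the sample IPs and packets are constructed for illustration; the responder-side lookup creates the entry if it is missing, which the description leaves implicit.

```python
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502
# Function code the description names as the probe an initiator sends (0x2B).
SPECIFIED_FUNCTION_CODES = {0x2B}
# Exception response codes the description names on the responder side.
SPECIFIED_EXCEPTION_CODES = {0x01, 0x02, 0x03}


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_adu(payload: bytes):
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then the PDU.

    Returns (function_code, exception_code); exception_code is None for a
    normal PDU. Returns None if the bytes are not a well-formed ADU."""
    if len(payload) < 8:
        return None
    _txid, proto_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts the unit id plus the PDU.
    if proto_id != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    if fc & 0x80:                      # bit 7 set marks an exception response
        if len(payload) < 9:
            return None
        return fc & 0x7F, payload[8]   # original function code, exception code
    return fc, None


def abnormal_number(n: int, growth: str = "count") -> int:
    """Abnormal number for n abnormal messages from one initiator.
    'count' is n itself; 'linear' and 'exponential' are the two accumulation
    formulas mentioned in the description."""
    if growth == "count":
        return n
    if growth == "linear":             # 1 + 2 + ... + n
        return n * (n + 1) // 2
    if growth == "exponential":        # 1 + 2 + 4 + ... + 2^n
        return (1 << (n + 1)) - 1
    raise ValueError(growth)


class ModbusGuard:
    """Hypothetical security-device logic (assumed name, not the patent's)."""

    def __init__(self, threshold: int, growth: str = "count"):
        self.threshold = threshold
        self.growth = growth
        self.blacklist: set[str] = set()
        self.initiators: set[str] = set()   # IPs recorded as TCP session initiators
        self.hits: dict[str, int] = {}       # abnormal address table: initiator IP -> n

    def record_session(self, initiator_ip: str) -> None:
        self.initiators.add(initiator_ip)

    def handle(self, pkt: Packet) -> str:
        """Steps 401 to 403; returns 'drop' or 'forward'."""
        if pkt.src_ip in self.blacklist:                 # step 401
            return "drop"
        if MODBUS_TCP_PORT not in (pkt.src_port, pkt.dst_port):
            return "forward"                             # not Modbus: forward
        parsed = parse_adu(pkt.payload)
        if parsed is None:
            return "forward"
        fc, exc = parsed
        if pkt.src_ip in self.initiators:                # sent by session initiator
            if fc in SPECIFIED_FUNCTION_CODES:
                self.hits[pkt.src_ip] = self.hits.get(pkt.src_ip, 0) + 1
        elif exc in SPECIFIED_EXCEPTION_CODES:           # sent by session responder
            self.hits[pkt.dst_ip] = self.hits.get(pkt.dst_ip, 0) + 1
        return "forward"                                 # step 403: forward

    def on_period(self) -> set[str]:
        """Steps 404 and 405, run when the period timer fires: blacklist any IP
        whose abnormal number reaches the threshold, then clear the table."""
        newly = {ip for ip, n in self.hits.items()
                 if abnormal_number(n, self.growth) >= self.threshold}
        self.blacklist |= newly
        self.hits.clear()
        return newly


def adu(pdu: bytes, txid: int = 1, unit: int = 1) -> bytes:
    """Wrap a PDU in an MBAP header (constructed helper for sample traffic)."""
    return struct.pack(">HHHB", txid, 0, len(pdu) + 1, unit) + pdu


def run_demo(threshold: int = 3, growth: str = "count"):
    """Constructed traffic: 10.0.0.9 probes a PLC at 10.0.0.5 with 0x2B and
    receives an exception reply; 10.0.0.7 sends one ordinary register read."""
    g = ModbusGuard(threshold, growth)
    g.record_session("10.0.0.9")
    g.record_session("10.0.0.7")
    probe = adu(bytes([0x2B, 0x0E, 0x01, 0x00]))           # Read Device Identification
    illegal_fn = adu(bytes([0xAB, 0x01]))                   # exception 0x01 to fc 0x2B
    read_regs = adu(bytes([0x03, 0x00, 0x00, 0x00, 0x0A]))  # Read Holding Registers
    traffic = [
        Packet("10.0.0.9", 40000, "10.0.0.5", 502, probe),
        Packet("10.0.0.5", 502, "10.0.0.9", 40000, illegal_fn),
        Packet("10.0.0.9", 40001, "10.0.0.5", 502, probe),
        Packet("10.0.0.7", 40002, "10.0.0.5", 502, read_regs),
    ]
    decisions = [g.handle(p) for p in traffic]
    blacklisted = g.on_period()
    later = g.handle(Packet("10.0.0.9", 40003, "10.0.0.5", 502, probe))
    return decisions, blacklisted, later
```

With the default threshold of 3 the probing host accumulates three abnormal messages (two probes plus one exception reply addressed to it) and is blacklisted at the end of the period, after which its next packet is dropped at step 401; the host that issued only a normal read never enters the table.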
In summary, in the technical solution of the present application, after receiving a first message, a security device first determines whether a source IP of the first message hits a preset IP blacklist, and only processes messages that do not hit the IP blacklist; further, the security device determines whether the first message is an abnormal message, and updates an abnormal address table entry corresponding to the first message when the first message is the abnormal message; the security device continuously updates the abnormal address table through the received message, and subsequently, an attacker can be determined based on the abnormal address table;
the security device may determine, based on a preset period, whether the abnormal number in each abnormal address table entry in the abnormal address table reaches a preset threshold, and add an IP address corresponding to the abnormal number reaching the threshold to an IP blacklist;
the security device updates the abnormal number corresponding to the IP address of the session initiator after determining an abnormal message, so that the IP address of an attacker can be determined once its abnormal number reaches the threshold and can then be blocked completely; the attacker's behaviour of broadcasting request messages to collect performance parameters of devices running the Modbus protocol is blocked, and the attacker's subsequent attacks are thereby prevented.
Corresponding to the embodiment of the method for protecting against Modbus attacks, the application also provides an embodiment of a device for protecting against Modbus attacks.
Referring to fig. 5, a block diagram of an embodiment of a device for protecting against Modbus attacks is shown in the present application:
as shown in fig. 5, the apparatus 50 for protecting against Modbus attacks includes:
a receiving unit 510, configured to receive a first packet, and determine whether a source IP of the first packet hits a preset IP blacklist.
A first determining unit 520, configured to determine whether the first packet is an abnormal packet if the source IP of the first packet does not hit the IP blacklist.
An updating unit 530, configured to update, based on the first packet, the abnormal address table entry corresponding to the first packet in a preset abnormal address table if the first packet is an abnormal packet; the abnormal address table comprises a mapping relation between an IP address and an abnormal number.
A second determining unit 540, configured to determine, based on a preset period, whether the abnormal number in each abnormal address table entry of the abnormal address table reaches a preset threshold.
And an adding unit 550, configured to add, if the abnormal number in any entry reaches the threshold, the IP address corresponding to that abnormal number to the IP blacklist.
In this example, the first determining unit 520 is further configured to:
before determining whether the first message is an abnormal message, determining whether the first message is a Modbus message;
if not, forwarding the first message;
if so, executing the subsequent flow.
In this example, the first determining unit 520 is further configured to:
if the first message is sent by a session initiator, checking whether the first message carries a specified function code;
if so, determining that the first message is the abnormal message;
if the first message is sent by a session responder, checking whether the first message carries a specified abnormal response code;
if so, determining that the first message is the abnormal message.
In this example, the updating unit 530 is further configured to:
if the first message is sent by the session initiator, searching the abnormal address table based on the source IP of the first message, and determining a corresponding abnormal address table item;
if the corresponding abnormal address table entry does not exist, establishing an abnormal address table entry based on the source IP, and setting the abnormal number in the abnormal address table entry to be 1;
if the corresponding abnormal address table entry exists, adding 1 to the abnormal number in the abnormal address table entry;
if the first message is sent by the session responder, searching the abnormal address table based on the destination IP of the first message, determining a corresponding abnormal address table item, and adding 1 to the abnormal number in the abnormal address table item.
In this example, the apparatus further comprises:
an emptying unit 560 (not shown in the figure), configured to empty the abnormal address table after adding the IP address corresponding to the abnormal number to the IP blacklist.
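The per-packet flow summarised above and the units 510 to 560 just listed, as an added Python model that is not the patent's own code; the specified function codes and exception codes, the port-based initiator detection, and the sample addresses are assumptions the patent leaves open.

```python
# Added example, not the patent's own code: a minimal model of the per-packet flow
# and abnormal address table described above, fed with constructed Modbus/TCP frames.
from dataclasses import dataclass, field

MODBUS_TCP_PORT = 502
# Assumed "specified function codes": requests that expose device identity or
# diagnostics (0x08 Diagnostics, 0x11 Report Server ID, 0x2B Read Device Identification).
SPECIFIED_FUNCTION_CODES = {0x08, 0x11, 0x2B}
# Assumed "specified abnormal response codes": 0x01 Illegal Function, 0x02 Illegal Data Address.
SPECIFIED_EXCEPTION_CODES = {0x01, 0x02}


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes  # 7-byte MBAP header followed by the Modbus PDU

def is_modbus(pkt: Packet) -> bool:
    # MBAP protocol identifier (bytes 2-3) is 0 for Modbus/TCP; byte 7 is the function code.
    on_port = MODBUS_TCP_PORT in (pkt.src_port, pkt.dst_port)
    return on_port and len(pkt.payload) >= 8 and pkt.payload[2:4] == b"\x00\x00"

def from_initiator(pkt: Packet) -> bool:
    # The session initiator (client) sends to port 502; the responder answers from it.
    return pkt.dst_port == MODBUS_TCP_PORT

def is_abnormal(pkt: Packet) -> bool:
    fc = pkt.payload[7]
    if from_initiator(pkt):
        return fc in SPECIFIED_FUNCTION_CODES
    # An exception response echoes the function code with bit 7 set, then the exception code.
    return bool(fc & 0x80) and len(pkt.payload) >= 9 and pkt.payload[8] in SPECIFIED_EXCEPTION_CODES

@dataclass
class ModbusGuard:
    threshold: int
    blacklist: set[str] = field(default_factory=set)
    abnormal_table: dict[str, int] = field(default_factory=dict)  # initiator IP -> abnormal number

    def handle(self, pkt: Packet) -> str:
        """Per-packet flow: blacklist check, Modbus check, then abnormal address table update."""
        if pkt.src_ip in self.blacklist:
            return "drop"
        if not is_modbus(pkt):
            return "forward"
        if is_abnormal(pkt):
            # Charge the initiator (request: source IP; response: destination IP); entries are created on demand.
            initiator = pkt.src_ip if from_initiator(pkt) else pkt.dst_ip
            self.abnormal_table[initiator] = self.abnormal_table.get(initiator, 0) + 1
        return "forward"

    def end_of_period(self) -> set[str]:
        """Periodic sweep: blacklist IPs whose abnormal number reached the threshold, then clear the table."""
        caught = {ip for ip, n in self.abnormal_table.items() if n >= self.threshold}
        self.blacklist |= caught
        self.abnormal_table.clear()
        return caught
```

Requests and their exception responses are both charged to the initiating IP, so a host that keeps probing device identification is blacklisted at the end of the first period in which its abnormal number reaches the threshold.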
The embodiment of the apparatus for protecting against Modbus attacks can be applied to a security device. The apparatus embodiments may be implemented by software, by hardware, or by a combination of hardware and software. Taking software implementation as an example, the apparatus is formed, as a logical entity, by the processor of the security device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. In terms of hardware, fig. 6 shows a hardware structure diagram of the security device on which the apparatus for protecting against Modbus attacks resides; besides the processor, memory, network interface and non-volatile memory shown in fig. 6, the security device may also include other hardware according to the actual function of protecting against Modbus attacks, which is not described again here.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A method for protecting against Modbus attacks, applied to a security device, characterized by comprising the following steps:
receiving a first message, and determining whether a source IP of the first message hits a preset IP blacklist;
if not, determining whether the first message is an abnormal message or not based on whether the first message carries a specified function code or an abnormal response code;
if the first message is an abnormal message, determining the IP address of a session initiator based on the first message, and further updating an abnormal address table item corresponding to the IP address of the session initiator in a preset abnormal address table; the abnormal address table comprises a mapping relation between an IP address and an abnormal number, and the abnormal number in the abnormal address table item indicates the number of times that the corresponding IP address has been determined as the session initiator corresponding to an abnormal message;
determining whether the abnormal number in each abnormal address table entry of the abnormal address table reaches a preset threshold value or not based on a preset period;
and if the abnormal number in any entry reaches the threshold value, adding the IP address corresponding to that abnormal number into the IP blacklist.
2. The method of claim 1, further comprising:
before determining whether the first message is an abnormal message, determining whether the first message is a Modbus message;
if not, forwarding the first message;
if so, executing the subsequent flow.
3. The method according to claim 1, wherein the determining whether the first packet is an abnormal packet based on whether the first packet carries a specified function code or an abnormal response code comprises:
if the first message is sent by a session initiator, checking whether the first message carries a specified function code;
if so, determining that the first message is the abnormal message;
if the first message is sent by a session responder, checking whether the first message carries a specified abnormal response code;
if so, determining that the first message is the abnormal message.
4. The method according to claim 3, wherein the determining an IP address of a session initiator based on the first packet and further updating an exception address table entry corresponding to the IP address of the session initiator in a preset exception address table comprises:
if the first message is sent by the session initiator, searching the abnormal address table based on the source IP of the first message, and determining a corresponding abnormal address table item;
if the corresponding abnormal address table entry does not exist, establishing an abnormal address table entry based on the source IP, and setting the abnormal number in the abnormal address table entry to be 1;
if the corresponding abnormal address table entry exists, adding 1 to the abnormal number in the abnormal address table entry;
if the first message is sent by the session responder, searching the abnormal address table based on the destination IP of the first message, determining a corresponding abnormal address table item, and adding 1 to the abnormal number in the abnormal address table item.
5. The method of claim 4, further comprising:
and after the IP address corresponding to the abnormal number is added into the IP blacklist, clearing the abnormal address table.
6. An apparatus for protecting against Modbus attacks, applied to a security device, characterized in that it comprises:
the receiving unit is used for receiving a first message and determining whether a source IP of the first message hits a preset IP blacklist;
a first determining unit, configured to determine, if the source IP of the first packet does not hit the IP blacklist, whether the first packet is an abnormal packet based on whether the first packet carries a specified function code or an abnormal response code;
an updating unit, configured to determine, based on the first packet, an IP address of a session initiator if the first packet is an abnormal packet, and further update an abnormal address table entry corresponding to the IP address of the session initiator in a preset abnormal address table; the abnormal address table comprises a mapping relation between an IP address and an abnormal number, and the abnormal number in the abnormal address table item indicates the number of times that the corresponding IP address has been determined as the session initiator corresponding to an abnormal message;
a second determining unit, configured to determine, based on a preset period, whether an exception number in each exception address table entry of the exception address table reaches a preset threshold;
and an adding unit, configured to add the IP address corresponding to the abnormal number into the IP blacklist if the abnormal number in any entry reaches the threshold value.
7. The apparatus of claim 6, wherein the first determining unit is further configured to:
before determining whether the first message is an abnormal message, determining whether the first message is a Modbus message;
if not, forwarding the first message;
if so, executing the subsequent flow.
8. The apparatus of claim 6, wherein the first determining unit is further configured to:
if the first message is sent by a session initiator, checking whether the first message carries a specified function code;
if so, determining that the first message is the abnormal message;
if the first message is sent by a session responder, checking whether the first message carries a specified abnormal response code;
if so, determining that the first message is the abnormal message.
9. The apparatus of claim 8, wherein the updating unit is further configured to:
if the first message is sent by the session initiator, searching the abnormal address table based on the source IP of the first message, and determining a corresponding abnormal address table item;
if the corresponding abnormal address table entry does not exist, establishing an abnormal address table entry based on the source IP, and setting the abnormal number in the abnormal address table entry to be 1;
if the corresponding abnormal address table entry exists, adding 1 to the abnormal number in the abnormal address table entry;
if the first message is sent by the session responder, searching the abnormal address table based on the destination IP of the first message, determining a corresponding abnormal address table item, and adding 1 to the abnormal number in the abnormal address table item.
10. The apparatus of claim 9, further comprising:
and a clearing unit, configured to clear the abnormal address table after the IP address corresponding to the abnormal number has been added into the IP blacklist.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711424133.1A CN107948195B (en) 2017-12-25 2017-12-25 Method and device for protecting Modbus attack

Publications (2)

Publication Number Publication Date
CN107948195A CN107948195A (en) 2018-04-20
CN107948195B true CN107948195B (en) 2020-12-04


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant