CN107995056A - Method and device for determining hidden NAT faults in a firewall - Google Patents

Method and device for determining hidden NAT faults in a firewall

Info

Publication number
CN107995056A
Authority
CN
China
Prior art keywords
sessions
ratio
nat
firewall box
recessiveness
Prior art date
Legal status
Granted
Application number
CN201610954638.8A
Other languages
Chinese (zh)
Other versions
CN107995056B (en)
Inventor
王业亮
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hunan Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hunan Co Ltd
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Hunan Co Ltd
Priority to CN201610954638.8A
Publication of CN107995056A
Application granted
Publication of CN107995056B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters, by checking availability
    • H04L 43/0817 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters, by checking availability by checking functioning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/256 NAT traversal

Abstract

The present invention discloses a method and device for determining hidden NAT faults in a firewall, which can detect hidden NAT faults of a firewall. The method includes: S10, periodically counting the TCP session count and UDP session count of the firewall device, and calculating the ratio of the TCP session count to the UDP session count counted in the current period; S11, determining from that ratio whether the firewall device has a hidden NAT fault.

Description

Method and device for determining hidden NAT faults in a firewall
Technical field
The present invention relates to the field of mobile communication core networks, and in particular to a method and device for determining hidden NAT faults in a firewall.
Background art
In the mobile communication core network and in other fields where firewall NAT (Network Address Translation) is applied, the NAT function lets a small number of public IP addresses stand for many private IP addresses, which helps slow the exhaustion of the available IP address space. It also effectively blocks attacks from outside the network, hiding and protecting the terminals (or computers) inside it. The basic flow of NAT is shown in Figure 1.
Because the NAT function is in use, some NAT translation problems inevitably arise and cause a shortage of system resources, which leads to firewall failure and makes services unavailable.
At present, firewall monitoring consists mainly of port alarms; in some fields, monitoring of the number of sessions has also been introduced. Existing monitoring of the firewall NAT function still stops at watching the session count, checking whether it exceeds a threshold or rises sharply. However, because of causes such as transcription errors, network attacks or system errors, the firewall session count may drift slowly and still trigger a device fault. There is currently no method or device for uncovering such faults.
Summary of the invention
In view of this, the present invention provides a method and device for determining hidden NAT faults in a firewall, which can detect hidden NAT faults of a firewall.
In one aspect, an embodiment of the present invention proposes a method for determining hidden NAT faults in a firewall, including:
S10, periodically counting the TCP session count and UDP session count of the firewall device, and calculating the ratio of the TCP session count to the UDP session count counted in the current period;
S11, determining from the ratio whether the firewall device has a hidden NAT fault.
In another aspect, an embodiment of the present invention proposes a method for determining hidden NAT faults in a firewall, including:
S20, periodically counting the half-open session count and half-close session count of the firewall device;
S21, determining from the half-open session count and half-close session count whether the firewall device has a hidden NAT fault.
In another aspect, an embodiment of the present invention proposes a device for determining hidden NAT faults in a firewall, including:
a first statistics unit, for periodically counting the TCP session count and UDP session count of the firewall device, and calculating the ratio of the TCP session count to the UDP session count counted in the current period;
a first determination unit, for determining from the ratio whether the firewall device has a hidden NAT fault.
In another aspect, an embodiment of the present invention proposes a device for determining hidden NAT faults in a firewall, including:
a second statistics unit, for periodically counting the half-open session count and half-close session count of the firewall device;
a second determination unit, for determining from the half-open session count and half-close session count whether the firewall device has a hidden NAT fault.
Among the NAT sessions of a firewall, the most important are TCP and UDP sessions. The number of both kinds of sessions is closely related to the traffic volume, and also to the ageing times of TCP and UDP; in practice, however, the TCP and UDP ageing times are usually held constant (they may be adjusted in an emergency). So under normal conditions the traffic volume essentially determines the number of TCP and UDP sessions.
Within the TCP session type, besides ordinary TCP sessions, there are two further kinds: half-open and half-close (half-closed) sessions. Network attacks (such as SYN attacks) or system bugs may cause half-open sessions to increase. System bugs (such as a long ageing time for connections in the FIN_WAIT state) may cause half-close sessions to increase.
Under traffic of a certain scale, the session model stays essentially constant over a short time, i.e. the shares of TCP and UDP sessions remain at a certain ratio, so the operating state of the device can be judged by analysing the shares of TCP and UDP sessions. For devices that can report half-open and half-close sessions, the device state can also be judged by analysing the fluctuation of those two kinds of sessions.
The present invention has the following advantages:
On the one hand, based on the rule that under a certain traffic volume the shares of TCP and UDP sessions keep an essentially constant ratio, while system bugs, network attacks and the like cause that ratio to fluctuate, analysing the shares of TCP and UDP sessions with statistical methods can detect hidden NAT faults of a firewall. On the other hand, based on the rule that system bugs, network attacks and the like cause half-open or half-close sessions to rise sharply, for firewall devices that can report half-open and half-close sessions, analysing the fluctuation of half-open and half-close sessions can detect hidden NAT faults of a firewall.
Brief description of the drawings
Fig. 1 is a schematic diagram of the basic flow of NAT;
Fig. 2 is a flow diagram of one embodiment of the method for determining hidden NAT faults in a firewall according to the present invention;
Fig. 3 is a flow diagram of another embodiment of the method for determining hidden NAT faults in a firewall according to the present invention;
Fig. 4 is a structural diagram of one embodiment of the device for determining hidden NAT faults in a firewall according to the present invention;
Fig. 5 is a structural diagram of another embodiment of the device for determining hidden NAT faults in a firewall according to the present invention.
Embodiments
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments is described below with reference to the accompanying drawings. Clearly, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative work fall within the scope of protection of the present invention.
Referring to Fig. 2, this embodiment discloses a method for determining hidden NAT faults in a firewall, including:
S10, periodically counting the TCP session count and UDP session count of the firewall device, and calculating the ratio of the TCP session count to the UDP session count counted in the current period;
It should be noted that the TCP session count and UDP session count of the firewall device may be counted by a third-party server.
S11, determining from the ratio whether the firewall device has a hidden NAT fault.
In this embodiment, whether the firewall device has a hidden NAT fault can be judged by checking three things: whether the ratio of the TCP session count to the UDP session count counted in the current period has increased, relative to the ratio counted in the previous period, by a proportion not less than a first threshold; whether the ratio has increased, relative to the average of the ratios counted in each period within a preset time period before the current period, by a proportion not less than a second threshold; and whether the ratio has increased, relative to a statistical value of the ratios counted in the current period by at least one other firewall device of the same model and configuration, by a proportion not less than a third threshold. When the ratio has increased relative to the previous period's ratio by not less than the first threshold, or relative to the average over the preset time period by not less than the second threshold, or relative to the statistical value for the other same-model, same-configuration firewall devices by not less than the third threshold, the firewall device is determined to have a hidden NAT fault. It should be noted that the preset time period may be one week, five days, etc., and can be set as required; the details are not repeated here. The statistical value can be chosen as required, and is generally the average value or the variance. The first, second and third thresholds can be obtained by testing, and generally take values of 30%-60%.
In addition, when the firewall device is determined to have a hidden NAT fault, an early warning can also be issued to remind the user to handle the device fault, so as to avoid an impact on services.
The method for determining hidden NAT faults in a firewall provided by this embodiment is based on the rule that under a certain traffic volume the shares of TCP and UDP sessions keep an essentially constant ratio, while system bugs, network attacks and the like cause that ratio to fluctuate; by analysing the shares of TCP and UDP sessions with statistical methods it can detect hidden NAT faults of a firewall.
Referring to Fig. 3, this embodiment discloses a method for determining hidden NAT faults in a firewall, including:
S20, periodically counting the half-open session count and half-close session count of the firewall device;
It should be noted that the half-open session count and half-close session count of the firewall device may be counted by a third-party server.
S21, determining from the half-open session count and half-close session count whether the firewall device has a hidden NAT fault.
In this embodiment, whether the firewall device has a hidden NAT fault can be judged by checking six things: whether the half-open session count counted in the current period has increased, relative to the half-open session count counted in the previous period, by a proportion not less than a fourth threshold; whether the half-close session count counted in the current period has increased, relative to the half-close session count counted in the previous period, by a proportion not less than a fifth threshold; whether the half-open session count has increased, relative to the average of the half-open session counts counted in each period within a preset time period before the current period, by a proportion not less than a sixth threshold; whether the half-close session count has increased, relative to the average of the half-close session counts counted in each period within that preset time period, by a proportion not less than a seventh threshold; whether the half-open session count has increased, relative to a statistical value of the half-open session counts counted in the current period by at least one other firewall device of the same model and configuration, by a proportion not less than an eighth threshold; and whether the half-close session count has increased, relative to a statistical value of the half-close session counts counted in the current period by at least one other firewall device of the same model and configuration, by a proportion not less than a ninth threshold. When the half-open session count has increased relative to the previous period by not less than the fourth threshold, or the half-close session count has increased relative to the previous period by not less than the fifth threshold, or the half-open session count has increased relative to the average over the preset time period by not less than the sixth threshold, or the half-close session count has increased relative to the average over the preset time period by not less than the seventh threshold, or the half-open session count has increased relative to the statistical value for the other same-model, same-configuration firewall devices by not less than the eighth threshold, or the half-close session count has increased relative to that statistical value by not less than the ninth threshold, the firewall device is determined to have a hidden NAT fault. It should be noted that the preset time period may be one week, five days, etc., and can be set as required; the details are not repeated here. The statistical value can be chosen as required, and is generally the average value or the variance. The fourth, fifth, sixth, seventh, eighth and ninth thresholds can be obtained by testing, and generally take values of 30%-60%.
The method for determining hidden NAT faults in a firewall provided by this embodiment is based on the rule that system bugs, network attacks and the like cause half-open or half-close sessions to rise sharply; for firewall devices that can report half-open and half-close sessions, analysing the fluctuation of half-open and half-close sessions can detect hidden NAT faults of a firewall.
Referring to Fig. 4, this embodiment discloses a device for determining hidden NAT faults in a firewall, including:
a first statistics unit 10 and a first determination unit 11; wherein,
the first statistics unit 10 periodically counts the TCP session count and UDP session count of the firewall device, calculates the ratio of the TCP session count to the UDP session count counted in the current period, and then sends that ratio to the first determination unit 11;
It should be noted that the TCP session count and UDP session count of the firewall device may be collected periodically by means of a third-party server, and the counts used by the first statistics unit 10 are obtained from that third-party server.
After receiving the ratio of the TCP session count to the UDP session count counted in the current period, the first determination unit 11 can determine from the ratio whether the firewall device has a hidden NAT fault.
The device for determining hidden NAT faults in a firewall provided by this embodiment is based on the rule that under a certain traffic volume the shares of TCP and UDP sessions keep an essentially constant ratio, while system bugs, network attacks and the like cause that ratio to fluctuate; by analysing the shares of TCP and UDP sessions with statistical methods it can detect hidden NAT faults of a firewall.
On the basis of the foregoing device embodiment, the first determination unit can specifically be used for:
judging from the ratio whether the firewall device meets one of the following conditions, and if so, determining that the firewall device has a hidden NAT fault;
wherein the conditions include:
the ratio has increased, relative to the ratio of the TCP session count to the UDP session count counted in the previous period, by not less than the first threshold; and
the ratio has increased, relative to the average of the ratios of the TCP session count to the UDP session count counted in each period within a preset time period before the current period, by not less than the second threshold; and
the ratio has increased, relative to a statistical value of the ratios of the TCP session count to the UDP session count counted in the current period by at least one other firewall device of the same model and configuration, by not less than the third threshold.
It should be noted that the preset time period may be one week, five days, etc., and can be set as required; the details are not repeated here. The statistical value can be chosen as required, and is generally the average value or the variance. The first, second and third thresholds can be obtained by testing, and generally take values of 30%-60%.
Referring to Fig. 5, this embodiment discloses a device for determining hidden NAT faults in a firewall, including:
a second statistics unit 20 and a second determination unit 21; wherein,
the second statistics unit 20 periodically counts the half-open session count and half-close session count of the firewall device, and sends the half-open session count and half-close session count to the second determination unit 21;
It should be noted that the half-open session count and half-close session count of the firewall device may be collected periodically by means of a third-party server, and the counts used by the second statistics unit 20 are obtained from that third-party server.
After receiving the half-open session count and half-close session count, the second determination unit 21 can determine from them whether the firewall device has a hidden NAT fault.
The device for determining hidden NAT faults in a firewall provided by this embodiment is based on the rule that system bugs, network attacks and the like cause half-open or half-close sessions to rise sharply; for firewall devices that can report half-open and half-close sessions, analysing the fluctuation of half-open and half-close sessions can detect hidden NAT faults of a firewall.
On the basis of the foregoing device embodiment, the second determination unit can specifically be used for:
judging from the half-open session count and half-close session count whether the firewall device meets one of the following conditions, and if so, determining that the firewall device has a hidden NAT fault;
wherein the conditions include:
the half-open session count has increased, relative to the half-open session count counted in the previous period, by not less than the fourth threshold; and
the half-close session count has increased, relative to the half-close session count counted in the previous period, by not less than the fifth threshold; and
the half-open session count has increased, relative to the average of the half-open session counts counted in each period within a preset time period before the current period, by not less than the sixth threshold; and
the half-close session count has increased, relative to the average of the half-close session counts counted in each period within the preset time period before the current period, by not less than the seventh threshold; and
the half-open session count has increased, relative to a statistical value of the half-open session counts counted in the current period by at least one other firewall device of the same model and configuration, by not less than the eighth threshold; and
the half-close session count has increased, relative to a statistical value of the half-close session counts counted in the current period by at least one other firewall device of the same model and configuration, by not less than the ninth threshold.
It should be noted that the preset time period may be one week, five days, etc., and can be set as required; the details are not repeated here. The statistical value can be chosen as required, and is generally the average value or the variance. The fourth, fifth, sixth, seventh, eighth and ninth thresholds can be obtained by testing, and generally take values of 30%-60%.
The periods used for the above statistical analysis are business-steady periods; early-morning hours, incident dates and the like are not included in the statistical analysis.
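As an added illustration (not code from the patent or its assignee), the following Python models both decision procedures described above. It assumes a uniform 40% for all nine thresholds (the patent only says they are found by testing and usually lie in the 30%-60% range), takes the mean as the "statistical value" over same-model peers, and uses constructed session counts in place of a third-party server's statistics; it also applies the rule just stated, excluding periods outside business-steady hours from the history and never judging them.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Sequence

# The patent says the nine thresholds are obtained by testing and generally
# lie in the 30%-60% range; the uniform 0.4 used here is an assumption.
THRESHOLDS = {
    "ratio_prev": 0.4, "ratio_hist": 0.4, "ratio_peer": 0.4,        # 1st-3rd
    "half_open_prev": 0.4, "half_close_prev": 0.4,                   # 4th, 5th
    "half_open_hist": 0.4, "half_close_hist": 0.4,                   # 6th, 7th
    "half_open_peer": 0.4, "half_close_peer": 0.4,                   # 8th, 9th
}


@dataclass
class Sample:
    """Session counts for one firewall box in one statistics period (constructed)."""
    tcp: int
    udp: int
    half_open: int = 0
    half_close: int = 0
    steady: bool = True  # False for early-morning / incident periods, which are excluded

    @property
    def ratio(self) -> Optional[float]:
        # TCP:UDP session ratio; with no UDP sessions the ratio is undefined.
        return self.tcp / self.udp if self.udp else None


def increase_ratio(current: Optional[float], reference: Optional[float]) -> float:
    """Relative increase of `current` over `reference` (0.5 means 50% higher)."""
    if current is None or reference is None or reference == 0:
        return 0.0
    return (current - reference) / reference


def _values(samples: Sequence[Sample], attr: str) -> List[float]:
    """Metric values from business-steady periods only, skipping undefined ones."""
    return [v for v in (getattr(s, attr) for s in samples if s.steady) if v is not None]


def check_metric(attr: str, current: Sample, previous: Optional[Sample],
                 history: Sequence[Sample], peers: Sequence[Sample]) -> List[str]:
    """Compare one metric of `current` against (1) the previous period,
    (2) the average over the preset history window and (3) the mean of
    same-model, same-configuration peers in the current period.  Returns
    the names of the threshold conditions that were reached."""
    cur = getattr(current, attr)
    fired = []
    if previous is not None and \
            increase_ratio(cur, getattr(previous, attr)) >= THRESHOLDS[f"{attr}_prev"]:
        fired.append(f"{attr}_prev")
    hist = _values(history, attr)
    if hist and increase_ratio(cur, mean(hist)) >= THRESHOLDS[f"{attr}_hist"]:
        fired.append(f"{attr}_hist")
    peer = _values(peers, attr)
    if peer and increase_ratio(cur, mean(peer)) >= THRESHOLDS[f"{attr}_peer"]:
        fired.append(f"{attr}_peer")
    return fired


def hidden_nat_fault(current: Sample, previous: Optional[Sample],
                     history: Sequence[Sample], peers: Sequence[Sample],
                     has_half_sessions: bool = False) -> List[str]:
    """Return the conditions that fired; a non-empty list means a hidden NAT
    fault is suspected and an early warning should be raised.  The half-open /
    half-close checks only apply to boxes that can report those sessions."""
    if not current.steady:
        return []  # no statistical analysis outside business-steady periods
    fired = check_metric("ratio", current, previous, history, peers)
    if has_half_sessions:
        for attr in ("half_open", "half_close"):
            fired += check_metric(attr, current, previous, history, peers)
    return fired


# Constructed history: seven steady periods around a 2:1 TCP:UDP ratio with
# about 100 half-open sessions, one excluded early-morning period, and two
# healthy peers of the same model and configuration.
HISTORY = [Sample(2000 + 50 * (i % 4), 1000, half_open=100 + i % 5) for i in range(7)]
HISTORY.append(Sample(400, 1000, half_open=300, steady=False))  # early morning, excluded
PEERS = [Sample(2100, 1000, half_open=105), Sample(1900, 1000, half_open=95)]


def demo() -> dict:
    healthy = Sample(2100, 1000, half_open=110)
    # TCP sessions piling up (e.g. an ageing bug) while UDP stays flat: ratio 3.0
    ratio_jump = Sample(3000, 1000, half_open=110)
    # half-open sessions surging while the TCP:UDP ratio still looks normal
    syn_surge = Sample(2100, 1000, half_open=170)
    prev = HISTORY[-2]  # last steady period before the current one
    return {
        "healthy": hidden_nat_fault(healthy, prev, HISTORY, PEERS, True),
        "ratio_jump": hidden_nat_fault(ratio_jump, prev, HISTORY, PEERS, True),
        "syn_surge": hidden_nat_fault(syn_surge, prev, HISTORY, PEERS, True),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name}: {'FAULT ' + ', '.join(fired) if fired else 'normal'}")
```

The variance mentioned by the patent as an alternative statistical value would replace `mean(peer)` in `check_metric`; the threshold comparison itself is unchanged.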
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) that contain computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
It should be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes it. Terms such as "upper" and "lower" indicate orientations or positional relationships based on those shown in the drawings, are used only for ease of describing and simplifying the description of the present invention, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, so they should not be taken as limiting the invention. Unless otherwise clearly defined and limited, the terms "mounted", "connected" and "coupled" should be interpreted broadly; for example, a connection may be fixed, detachable or integral; mechanical or electrical; direct, indirect through an intermediary, or internal between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the particular case.
In the specification of the present invention, numerous specific details are set forth. It is understood, however, that the embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description. Similarly, it should be appreciated that, in the above description of exemplary embodiments of the present invention, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in order to simplify the disclosure and aid understanding of one or more of the various inventive aspects. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into that description, with each claim standing on its own as a separate embodiment of the invention. It should be noted that, where there is no conflict, the embodiments of the present application and the features in them can be combined with one another. The invention is not limited to any single aspect or any single embodiment, nor to any combination and/or permutation of these aspects and/or embodiments. Moreover, each aspect and/or embodiment of the invention may be used alone or in combination with one or more other aspects and/or embodiments.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention; all of them should be covered by the claims and the scope of the specification of the present invention.

Claims (8)

  1. A method for judging a hidden NAT fault of a firewall, characterised by comprising:
    S10: periodically counting the number of TCP sessions and the number of UDP sessions of a firewall device, and calculating the ratio of the TCP session count to the UDP session count for the current period;
    S11: determining, according to the ratio, whether the firewall device has a hidden NAT fault.
  2. The method according to claim 1, characterised in that S11 comprises:
    judging, according to the ratio, whether the firewall device satisfies one of the following conditions, and if so, determining that the firewall device has a hidden NAT fault;
    wherein the conditions include:
    the proportional increase of the ratio relative to the ratio of TCP session count to UDP session count counted in the previous period is not less than a first threshold; and
    the proportional increase of the ratio relative to the average of the ratios of TCP session count to UDP session count counted in each period within a preset time period before the current period is not less than a second threshold; and
    the proportional increase of the ratio relative to a statistical value of the ratios of TCP session count to UDP session count counted in the current period by at least one other firewall device of the same model and configuration is not less than a third threshold.
  3. A method for judging a hidden NAT fault of a firewall, characterised by comprising:
    S20: periodically counting the number of half-open sessions and the number of half-close sessions of a firewall device;
    S21: determining, according to the half-open session count and the half-close session count, whether the firewall device has a hidden NAT fault.
  4. The method according to claim 3, characterised in that S21 comprises:
    judging, according to the half-open session count and the half-close session count, whether the firewall device satisfies one of the following conditions, and if so, determining that the firewall device has a hidden NAT fault;
    wherein the conditions include:
    the proportional increase of the half-open session count relative to the half-open session count counted in the previous period is not less than a fourth threshold; and
    the proportional increase of the half-close session count relative to the half-close session count counted in the previous period is not less than a fifth threshold; and
    the proportional increase of the half-open session count relative to the average of the half-open session counts counted in each period within a preset time period before the current period is not less than a sixth threshold; and
    the proportional increase of the half-close session count relative to the average of the half-close session counts counted in each period within a preset time period before the current period is not less than a seventh threshold; and
    the proportional increase of the half-open session count relative to a statistical value of the half-open session counts counted in the current period by at least one other firewall device of the same model and configuration is not less than an eighth threshold; and
    the proportional increase of the half-close session count relative to a statistical value of the half-close session counts counted in the current period by at least one other firewall device of the same model and configuration is not less than a ninth threshold.
  5. A device for judging a hidden NAT fault of a firewall, characterised by comprising:
    a first statistics unit, configured to periodically count the number of TCP sessions and the number of UDP sessions of a firewall device, and to calculate the ratio of the TCP session count to the UDP session count for the current period;
    a first determination unit, configured to determine, according to the ratio, whether the firewall device has a hidden NAT fault.
  6. The device according to claim 5, characterised in that the first determination unit is specifically configured to:
    judge, according to the ratio, whether the firewall device satisfies one of the following conditions, and if so, determine that the firewall device has a hidden NAT fault;
    wherein the conditions include:
    the proportional increase of the ratio relative to the ratio of TCP session count to UDP session count counted in the previous period is not less than a first threshold; and
    the proportional increase of the ratio relative to the average of the ratios of TCP session count to UDP session count counted in each period within a preset time period before the current period is not less than a second threshold; and
    the proportional increase of the ratio relative to a statistical value of the ratios of TCP session count to UDP session count counted in the current period by at least one other firewall device of the same model and configuration is not less than a third threshold.
  7. A device for judging a hidden NAT fault of a firewall, characterised by comprising:
    a second statistics unit, configured to periodically count the number of half-open sessions and the number of half-close sessions of a firewall device;
    a second determination unit, configured to determine, according to the half-open session count and the half-close session count, whether the firewall device has a hidden NAT fault.
  8. The device according to claim 7, characterised in that the second determination unit is specifically configured to:
    judge, according to the half-open session count and the half-close session count, whether the firewall device satisfies one of the following conditions, and if so, determine that the firewall device has a hidden NAT fault;
    wherein the conditions include:
    the proportional increase of the half-open session count relative to the half-open session count counted in the previous period is not less than a fourth threshold; and
    the proportional increase of the half-close session count relative to the half-close session count counted in the previous period is not less than a fifth threshold; and
    the proportional increase of the half-open session count relative to the average of the half-open session counts counted in each period within a preset time period before the current period is not less than a sixth threshold; and
    the proportional increase of the half-close session count relative to the average of the half-close session counts counted in each period within a preset time period before the current period is not less than a seventh threshold; and
    the proportional increase of the half-open session count relative to a statistical value of the half-open session counts counted in the current period by at least one other firewall device of the same model and configuration is not less than an eighth threshold; and
    the proportional increase of the half-close session count relative to a statistical value of the half-close session counts counted in the current period by at least one other firewall device of the same model and configuration is not less than a ninth threshold.
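As an added illustration, not code from the patent, the following Python applies the detection conditions of claims 2 and 4 to constructed per-period session statistics. The threshold values (50 % growth for all nine thresholds), the four-period preset window and the use of the peer devices' mean as the "statistical value" are assumptions, since the claims fix none of them.

```python
from statistics import mean

# The patent fixes no threshold values; 50 % growth is an assumed placeholder.
THRESHOLDS = (0.5, 0.5, 0.5)  # vs previous period, vs window average, vs peers

def growth(current, baseline):
    """Proportional increase of current over baseline; None if baseline is unusable."""
    if baseline is None or baseline <= 0:
        return None
    return (current - baseline) / baseline

def metric_fault(history, peers, thresholds=THRESHOLDS, window=4, name="metric"):
    """Apply the three comparisons to one per-period series; any hit is a fault.
    history[-1] is the current period, history[-2] the previous one, the `window`
    periods before the current one are the preset time window, and peers holds the
    same metric from same-model, same-configuration firewalls in the current period."""
    t_prev, t_win, t_peer = thresholds
    current = history[-1]
    baselines = [
        ("previous period", history[-2] if len(history) > 1 else None, t_prev),
        ("window average", mean(history[-1 - window:-1]) if len(history) > 1 else None, t_win),
        ("peer average", mean(peers) if peers else None, t_peer),
    ]
    reasons = []
    for label, baseline, threshold in baselines:
        g = growth(current, baseline)
        if g is not None and g >= threshold:
            reasons.append(f"{name} vs {label}: +{g:.0%} >= {threshold:.0%}")
    return reasons  # empty list means no hidden NAT fault was indicated

def ratio_fault(tcp_history, udp_history, peer_ratios, thresholds=THRESHOLDS):
    """Claims 1-2: TCP/UDP session-count ratio per period (UDP count must be > 0)."""
    ratios = [tcp / udp for tcp, udp in zip(tcp_history, udp_history)]
    return metric_fault(ratios, peer_ratios, thresholds, name="tcp/udp ratio")

def half_session_fault(half_open, half_close, peers_open, peers_close, thresholds=THRESHOLDS):
    """Claims 3-4: half-open and half-close counts, each checked against its own baselines."""
    return (metric_fault(half_open, peers_open, thresholds, name="half-open")
            + metric_fault(half_close, peers_close, thresholds, name="half-close"))

# Constructed sample (not from the patent): five polling periods; the last one skews
# sharply toward TCP and piles up half-open sessions, as a hidden NAT fault would.
TCP = [100000, 102000, 101000, 99000, 150000]
UDP = [50000, 51000, 50500, 49500, 30000]
HALF_OPEN = [500, 520, 510, 505, 2000]
HALF_CLOSE = [300, 310, 305, 300, 320]

if __name__ == "__main__":
    for reason in (ratio_fault(TCP, UDP, peer_ratios=[2.2, 1.8])
                   + half_session_fault(HALF_OPEN, HALF_CLOSE, [510, 495], [305, 298])):
        print("FAULT:", reason)
```

In the sample, the ratio jumps from 2.0 to 5.0 and the half-open count quadruples, so all three ratio conditions and all three half-open conditions fire while the half-close count stays within threshold.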

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610954638.8A CN107995056B (en) 2016-10-27 2016-10-27 Method and device for judging hidden NAT fault of firewall

Publications (2)

Publication Number Publication Date
CN107995056A true CN107995056A (en) 2018-05-04
CN107995056B CN107995056B (en) 2021-04-13

Family

ID=62028595

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610954638.8A Active CN107995056B (en) 2016-10-27 2016-10-27 Method and device for judging hidden NAT fault of firewall

Country Status (1)

Country Link
CN (1) CN107995056B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112787883A (en) * 2020-12-26 2021-05-11 中国农业银行股份有限公司 Method, device and equipment for detecting NAT (network Address translation) fault of equipment
CN115514732A (en) * 2022-09-02 2022-12-23 上海量讯物联技术有限公司 TCP connection number-based source NAT IP allocation method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030188001A1 (en) * 2002-03-27 2003-10-02 Eisenberg Alfred J. System and method for traversing firewalls, NATs, and proxies with rich media communications and other application protocols
CN101686235A (en) * 2008-09-26 2010-03-31 中联绿盟信息技术(北京)有限公司 Device and method for analyzing abnormal network flow
CN103095665A (en) * 2011-11-07 2013-05-08 中兴通讯股份有限公司 Method and device of improving firewall processing performance
JP5380363B2 (en) * 2010-01-19 2014-01-08 アラクサラネットワークス株式会社 Address translation device and address translation table management method
CN103648126A (en) * 2013-12-25 2014-03-19 大唐移动通信设备有限公司 Fault processing method and device
CN105320585A (en) * 2014-07-08 2016-02-10 北京启明星辰信息安全技术有限公司 Method and device for achieving application fault diagnosis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
BEYOND_CN: "Research on P2P communication methods for UDP/TCP NAT traversal (UDP/TCP Hole Punching)", WWW.BLOGS.CSDN.NET/BEYOND_CN/ARTICLE/DETAILS/38236327.HTML *

Also Published As

Publication number Publication date
CN107995056B (en) 2021-04-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant