CN107995056B - Method and device for judging hidden NAT fault of firewall - Google Patents

Method and device for judging hidden NAT fault of firewall

Info

Publication number
CN107995056B
Authority
CN
China
Prior art keywords
ratio
sessions
firewall
open
nat
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610954638.8A
Other languages
Chinese (zh)
Other versions
CN107995056A (en)
Inventor
王业亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Henan Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Henan Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Henan Co Ltd
Priority to CN201610954638.8A
Publication of CN107995056A
Application granted
Publication of CN107995056B
Legal status: Active
Anticipated expiration

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0817Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • H04L61/256NAT traversal

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for judging hidden NAT faults of a firewall, which can realize the judgment of hidden NAT faults of the firewall. The method comprises the following steps: S10, periodically counting the number of TCP sessions and the number of UDP sessions of the firewall device, and calculating the ratio of the number of TCP sessions to the number of UDP sessions counted in the current period; and S11, determining whether the firewall device has a hidden NAT fault according to the ratio.

Description

Method and device for judging hidden NAT fault of firewall
Technical Field
The invention relates to the field of core networks of mobile communication technologies, in particular to a method and a device for judging hidden NAT faults of a firewall.
Background
In mobile communication core networks and in other fields where firewall NAT (Network Address Translation) is applied, a small number of public IP addresses stand in for a large number of private IP addresses, which helps to slow the exhaustion of the available IP address space. NAT also shields the terminals (or computers) inside the network from unsolicited inbound connections and hides their addresses from the outside. The basic flow of NAT is shown in fig. 1.
Because NAT is applied, problems in NAT translation inevitably arise that exhaust system resources (for example, session table entries), causing firewall faults and making services unavailable.
At present, firewall monitoring consists mainly of port alarm monitoring, and session monitoring has been introduced in some fields. Existing monitoring of the firewall NAT function is still limited to monitoring the session count: whether it exceeds a threshold, or whether it rises sharply. However, a translation error, a network attack, a system error or the like may cause the firewall session count to change only slowly while still leading to device failure, and such a change is not caught by threshold or rate-of-rise alarms. At present, a method and a device for judging this hidden type of fault are lacking.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for determining a hidden NAT failure of a firewall, which can achieve the determination of the hidden NAT failure of the firewall.
On one hand, the embodiment of the invention provides a method for judging hidden NAT faults of a firewall, which comprises the following steps:
s10, periodically counting the number of TCP sessions and the number of UDP sessions of the firewall device, and calculating the ratio of the number of TCP sessions to the number of UDP sessions counted in the current period;
and S11, determining whether the firewall device has a hidden NAT fault according to the ratio.
On the other hand, the embodiment of the invention provides a method for judging hidden NAT faults of a firewall, which comprises the following steps:
s20, periodically counting the number of half-open sessions and the number of half-close sessions of the firewall equipment;
and S21, determining whether the firewall equipment has hidden NAT faults or not according to the half-open conversation quantity and the half-close conversation quantity.
On the other hand, an embodiment of the present invention provides a device for determining a hidden NAT failure of a firewall, including:
the first statistical unit is used for periodically counting the number of TCP sessions and the number of UDP sessions of the firewall device and calculating the ratio of the number of TCP sessions to the number of UDP sessions counted in the current period;
and the first determining unit is used for determining whether the firewall device has a hidden NAT fault according to the ratio.
On the other hand, an embodiment of the present invention provides a device for determining a hidden NAT failure of a firewall, including:
the second counting unit is used for periodically counting the half-open session number and the half-close session number of the firewall equipment;
and a second determining unit, configured to determine whether the firewall device has a hidden NAT failure according to the half-open session number and the half-close session number.
Among firewall NAT sessions, the dominant types are TCP and UDP sessions. Their numbers are closely tied to the traffic volume and to the aging (timeout) times configured for TCP and UDP; in practice the aging times are usually kept unchanged (they may be adjusted in an emergency), so the traffic volume essentially determines the numbers of TCP and UDP sessions.
Within the TCP session type, besides fully established TCP sessions there are two further kinds: half-open and half-close sessions. An increase in half-open sessions may be caused by a network attack (such as a SYN flood) or by a system bug. An increase in half-close sessions may be caused by a system bug in session aging (e.g. a connection held in the FIN_WAIT state for too long).
Under a given scale of traffic, the session model stays essentially unchanged over a short time, that is, the ratio of TCP sessions to UDP sessions holds at a roughly constant proportion, so the running state of the device can be judged by analysing that ratio. For devices that can report half-open and half-close session counts, the device state can also be judged by analysing the fluctuation of those two counts.
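The counters that both methods consume (TCP sessions, UDP sessions, half-open and half-close sessions) have to be read from the firewall's session table. As an added example that is not part of the patent, the Python below counts them from a Linux netfilter conntrack dump (the text form of /proc/net/nf_conntrack, which is what a Linux NAT box keeps as its session table). The sample entries are constructed, and the mapping of conntrack TCP states to "half-open" (SYN_SENT, SYN_RECV, SYN_SENT2) and "half-close" (FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT) is an assumption, since the patent does not say which states it counts.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample of /proc/net/nf_conntrack entries (Linux netfilter session table).
# Field layout follows the kernel's text format: L3 proto, L3 num, L4 proto, L4 num,
# timeout, TCP state (TCP only), then the two address tuples. Addresses are made up.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.7 sport=443 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 118 SYN_SENT src=10.0.0.9 dst=198.51.100.20 sport=40001 dport=80 [UNREPLIED] src=198.51.100.20 dst=203.0.113.7 sport=80 dport=40001 mark=0 use=1
ipv4     2 tcp      6 59 SYN_RECV src=10.0.0.9 dst=198.51.100.21 sport=40002 dport=80 src=198.51.100.21 dst=203.0.113.7 sport=80 dport=40002 mark=0 use=1
ipv4     2 tcp      6 119 FIN_WAIT src=10.0.0.6 dst=198.51.100.22 sport=40003 dport=443 src=198.51.100.22 dst=203.0.113.7 sport=443 dport=40003 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 29 CLOSE_WAIT src=10.0.0.6 dst=198.51.100.23 sport=40004 dport=443 src=198.51.100.23 dst=203.0.113.7 sport=443 dport=40004 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 TIME_WAIT src=10.0.0.6 dst=198.51.100.24 sport=40005 dport=443 src=198.51.100.24 dst=203.0.113.7 sport=443 dport=40005 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=10.0.0.5 dst=198.51.100.53 sport=50000 dport=53 src=198.51.100.53 dst=203.0.113.7 sport=53 dport=50000 mark=0 use=1
ipv4     2 udp      17 179 src=10.0.0.7 dst=198.51.100.30 sport=50001 dport=123 src=198.51.100.30 dst=203.0.113.7 sport=123 dport=50001 [ASSURED] mark=0 use=1
ipv4     2 icmp     1 29 src=10.0.0.8 dst=198.51.100.31 type=8 code=0 id=1 src=198.51.100.31 dst=203.0.113.7 type=0 code=0 id=1 mark=0 use=1
"""

# Assumption: which conntrack TCP states count as "half-open" and "half-close".
HALF_OPEN_STATES = {"SYN_SENT", "SYN_RECV", "SYN_SENT2"}
HALF_CLOSE_STATES = {"FIN_WAIT", "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT"}

_ENTRY = re.compile(
    r"^(?P<l3>\S+)\s+\d+\s+(?P<l4>\S+)\s+\d+\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z][A-Z_0-9]*)\s+)?"   # TCP state token; absent for UDP/ICMP
)


@dataclass(frozen=True)
class SessionCounts:
    tcp: int
    udp: int
    half_open: int
    half_close: int
    other: int

    @property
    def tcp_udp_ratio(self) -> Optional[float]:
        """The ratio used by S10; None when there are no UDP sessions to divide by."""
        return self.tcp / self.udp if self.udp else None


def count_sessions(table: str) -> SessionCounts:
    """Count TCP, UDP, half-open and half-close sessions in a conntrack table dump."""
    c: Counter[str] = Counter()
    for line in table.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # blank or non-entry line
        l4, state = m.group("l4"), m.group("state")
        if l4 == "tcp":
            c["tcp"] += 1
            if state in HALF_OPEN_STATES:
                c["half_open"] += 1
            elif state in HALF_CLOSE_STATES:
                c["half_close"] += 1
        elif l4 == "udp":
            c["udp"] += 1
        else:
            c["other"] += 1
    return SessionCounts(c["tcp"], c["udp"], c["half_open"], c["half_close"], c["other"])


def read_live_table(path: str = "/proc/net/nf_conntrack") -> SessionCounts:
    """Same count over the live table; needs root and the nf_conntrack module loaded."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return count_sessions(fh.read())


if __name__ == "__main__":
    print(count_sessions(SAMPLE_CONNTRACK))
```

Run once per statistics period (the patent's "third-party server" role) and store the resulting counters per device; the TCP:UDP ratio is deliberately None rather than an exception when no UDP sessions exist, so a collector that polls many devices does not stop on one empty table.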
The invention has the following beneficial effects:
On the one hand, based on the rule that the ratio of TCP sessions to UDP sessions stays at a roughly constant proportion under a given traffic load, and that the ratio fluctuates when a system bug, a network attack or the like occurs, the ratio of TCP sessions to UDP sessions can be analysed by statistical methods, so that a hidden NAT fault of the firewall can be judged. On the other hand, based on the rule that half-open or half-close sessions increase when a system bug, a network attack or the like occurs, a hidden NAT fault of the firewall can be judged for a firewall device that can report half-open and half-close session counts by analysing the fluctuation of those two counts.
Drawings
FIG. 1 is a schematic diagram of a basic flow of NAT;
FIG. 2 is a flowchart illustrating an embodiment of a method for determining hidden NAT failures of a firewall according to the present invention;
fig. 3 is a flowchart illustrating a method for determining a hidden NAT failure of a firewall according to another embodiment of the present invention;
fig. 4 is a schematic structural diagram of an embodiment of the apparatus for determining a hidden NAT failure of a firewall according to the present invention;
fig. 5 is a schematic structural diagram of a firewall implicit NAT failure determination apparatus according to another embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 2, the embodiment discloses a method for judging hidden NAT failure of a firewall, which includes:
s10, periodically counting the number of TCP sessions and the number of UDP sessions of the firewall device, and calculating the ratio of the number of TCP sessions to the number of UDP sessions counted in the current period;
it should be noted that the number of TCP sessions and the number of UDP sessions of the firewall device may be counted by a third-party server.
And S11, determining whether the firewall device has a hidden NAT fault according to the ratio.
In this embodiment, whether the firewall device has a hidden NAT fault is determined by comparing the ratio of the current period against three baselines: (1) the ratio of the number of TCP sessions to the number of UDP sessions counted in the previous period; (2) the mean of the ratios counted in each period within a preset time period before the current period; and (3) a statistical value of the ratios counted in the current period by at least one other firewall device of the same model and configuration. When the rate of increase of the current ratio over baseline (1) is not less than a first threshold, or the rate of increase over baseline (2) is not less than a second threshold, or the rate of increase over baseline (3) is not less than a third threshold, it is determined that the firewall device has a hidden NAT fault. It should be noted that the preset time period may be one week, five days, and the like, and may be set as required, which is not described herein again. The statistical value can be set as needed, and is generally a mean value or a variance.
The first threshold, the second threshold and the third threshold can be obtained through experiments, and their values are generally 30%-60%.
In addition, when it is determined that the firewall device has a hidden NAT fault, an early warning can be issued to remind the user to handle the device fault, so that services are not affected.
The method for judging a hidden NAT fault of a firewall provided by the embodiment of the invention analyses the ratio of TCP sessions to UDP sessions by statistical methods, based on the rule that the ratio stays at a roughly constant proportion under a given traffic load and fluctuates when a system bug, a network attack or the like occurs, and so can judge a hidden NAT fault of the firewall.
Referring to fig. 3, the embodiment discloses a method for judging hidden NAT failure of a firewall, which includes:
s20, periodically counting the number of half-open sessions and the number of half-close sessions of the firewall equipment;
it should be noted that the number of half-open sessions and the number of half-close sessions of the firewall device may be counted by the third-party server.
And S21, determining whether the firewall equipment has hidden NAT faults or not according to the half-open conversation quantity and the half-close conversation quantity.
In this embodiment, whether the firewall device has a hidden NAT fault is determined by comparing the current period's half-open session number and half-close session number against three kinds of baseline: the numbers counted in the previous period; the mean of the numbers counted in each period within a preset time period before the current period; and a statistical value of the numbers counted in the current period by at least one other firewall device of the same model and configuration. It is determined that the firewall device has a hidden NAT fault when any of the following holds: the rate of increase of the number of half-open sessions over the previous period's number of half-open sessions is not less than a fourth threshold; the rate of increase of the number of half-close sessions over the previous period's number of half-close sessions is not less than a fifth threshold; the rate of increase of the number of half-open sessions over the mean of the half-open session numbers counted in each period within the preset time period is not less than a sixth threshold; the rate of increase of the number of half-close sessions over the mean of the half-close session numbers counted in each period within the preset time period is not less than a seventh threshold; the rate of increase of the number of half-open sessions over the statistical value of the half-open session numbers counted in the current period by the other device or devices is not less than an eighth threshold; or the rate of increase of the number of half-close sessions over the statistical value of the half-close session numbers counted in the current period by the other device or devices is not less than a ninth threshold.
It should be noted that the preset time period may be one week, five days, and the like, and may be set as required, which is not described herein again. The statistical value can be set as needed, and is generally a mean value or a variance. The fourth threshold, the fifth threshold, the sixth threshold, the seventh threshold, the eighth threshold and the ninth threshold can be obtained through experiments, and their values are generally 30%-60%.
The method for judging the hidden NAT fault of the firewall provided by the embodiment of the invention is based on the rule that the half-open session or the half-close session is increased rapidly when the system BUG, the network attack and the like occur, and can realize the judgment of the hidden NAT fault of the firewall by analyzing the fluctuation conditions of the half-open session and the half-close session for the firewall equipment with the functions of checking the half-open session and the half-close session.
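To show both decision rules working on real counters, here is an added example (not the patent's own code and not any vendor's implementation) that implements the first method (S10/S11, thresholds one to three) and the second method (S20/S21, thresholds four to nine) over a window of per-period counters from one device plus same-period counters from peer devices. All thresholds are set to 40%, inside the 30%-60% range the text gives; the statistical value across peers is taken as the mean. The sample counters, the two peer devices and the rule that 00:00-06:00 is not a service-stable period are constructed assumptions for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean
from typing import Iterable, Sequence


@dataclass(frozen=True)
class Period:
    """Session counters sampled from one firewall device for one statistics period."""
    at: datetime
    tcp: int
    udp: int
    half_open: int = 0
    half_close: int = 0

    @property
    def ratio(self) -> float:
        # TCP:UDP ratio; having no UDP sessions at all is itself abnormal, so report it as infinite
        return self.tcp / self.udp if self.udp else float("inf")


def rate_of_increase(current: float, baseline: float) -> float:
    """Fractional growth of current over baseline (0.3 means a 30% rise)."""
    if baseline <= 0:
        return float("inf") if current > 0 else 0.0
    return (current - baseline) / baseline


# Assumption for the example: 00:00-06:00 and listed emergency dates are not service-stable.
QUIET_HOURS = range(0, 6)


def stable_periods(periods: Iterable[Period],
                   emergency_dates: frozenset[date] = frozenset()) -> list[Period]:
    """Drop the periods the text excludes from statistics (early morning, emergency dates)."""
    return [p for p in periods
            if p.at.hour not in QUIET_HOURS and p.at.date() not in emergency_dates]


def _grew(name: str, current: float, baseline: float, threshold: float, alarms: list[str]) -> None:
    if rate_of_increase(current, baseline) >= threshold:
        alarms.append(name)


def check_tcp_udp_ratio(history: Sequence[Period], peers: Sequence[Period],
                        t1: float = 0.4, t2: float = 0.4, t3: float = 0.4) -> list[str]:
    """Method 1 (S10/S11): history[-1] is the current period, history[:-1] the preset
    window before it, peers the current period of same-model, same-config devices."""
    cur, prev, window = history[-1], history[-2], history[:-1]
    alarms: list[str] = []
    _grew("ratio vs previous period", cur.ratio, prev.ratio, t1, alarms)
    _grew("ratio vs window mean", cur.ratio, mean(p.ratio for p in window), t2, alarms)
    if peers:
        _grew("ratio vs peers", cur.ratio, mean(p.ratio for p in peers), t3, alarms)
    return alarms


def check_half_sessions(history: Sequence[Period], peers: Sequence[Period],
                        t4: float = 0.4, t5: float = 0.4, t6: float = 0.4,
                        t7: float = 0.4, t8: float = 0.4, t9: float = 0.4) -> list[str]:
    """Method 2 (S20/S21): the six half-open / half-close comparisons."""
    cur, prev, window = history[-1], history[-2], history[:-1]
    alarms: list[str] = []
    _grew("half-open vs previous period", cur.half_open, prev.half_open, t4, alarms)
    _grew("half-close vs previous period", cur.half_close, prev.half_close, t5, alarms)
    _grew("half-open vs window mean", cur.half_open, mean(p.half_open for p in window), t6, alarms)
    _grew("half-close vs window mean", cur.half_close, mean(p.half_close for p in window), t7, alarms)
    if peers:
        _grew("half-open vs peers", cur.half_open, mean(p.half_open for p in peers), t8, alarms)
        _grew("half-close vs peers", cur.half_close, mean(p.half_close for p in peers), t9, alarms)
    return alarms


def period_at(hour: int, tcp: int, udp: int, half_open: int, half_close: int) -> Period:
    return Period(datetime(2016, 10, 24, hour), tcp, udp, half_open, half_close)


# Constructed counters: six stable hourly periods on one device, then an hour in which
# TCP and half-open sessions jump while UDP stays flat (the SYN-flood / bug signature above).
WINDOW = [period_at(8, 3000, 1000, 100, 200), period_at(9, 3100, 1000, 110, 210),
          period_at(10, 2900, 1000, 95, 190), period_at(11, 3000, 1000, 105, 200),
          period_at(12, 3050, 1000, 100, 205), period_at(13, 2950, 1000, 90, 195)]
HEALTHY_NOW = period_at(14, 3100, 1000, 105, 200)
FAULTY_NOW = period_at(14, 4500, 1000, 300, 205)
PEERS_NOW = [period_at(14, 3000, 1000, 105, 200), period_at(14, 3200, 1000, 95, 210)]


def evaluate(now: Period) -> dict[str, list[str]]:
    """Run both methods; any non-empty list is the early warning raised after S11/S21."""
    history = stable_periods(WINDOW + [now])
    return {"ratio": check_tcp_udp_ratio(history, PEERS_NOW),
            "half": check_half_sessions(history, PEERS_NOW)}


if __name__ == "__main__":
    for label, now in (("healthy", HEALTHY_NOW), ("faulty", FAULTY_NOW)):
        print(label, evaluate(now))
```

The faulty hour trips all three ratio comparisons and the three half-open comparisons while the half-close counters stay quiet, which is the pattern the text attributes to a SYN flood or a bug in connection setup rather than in aging. The peer comparison is what separates a device-local fault from a traffic change that hits every device in the pool: if the peers' ratios rise with it, the third and eighth conditions stay silent.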
Referring to fig. 4, the embodiment discloses a device for determining hidden NAT failure of a firewall, including:
a first statistical unit 10 and a first determining unit 11; wherein:
the first statistical unit 10 periodically counts the number of TCP sessions and the number of UDP sessions of the firewall device, calculates the ratio of the number of TCP sessions to the number of UDP sessions counted in the current period, and then sends that ratio to the first determining unit 11;
it should be noted that the number of TCP sessions and the number of UDP sessions of the firewall device may be periodically collected by a third-party server, in which case the first statistical unit 10 obtains the counts from that server.
After receiving the ratio of the number of TCP sessions and the number of UDP sessions counted in the current period, the first determining unit 11 determines whether the firewall device has a hidden NAT failure according to the ratio.
The firewall hidden NAT fault judgment device provided by the embodiment of the invention can analyze the ratio of the TCP and the UDP sessions by a statistical analysis method based on the rule that the ratio of the TCP and the UDP sessions can basically keep a certain proportion when a certain traffic exists, and the ratio of the TCP and the UDP sessions can fluctuate when system BUG, network attack and the like occur, so that the firewall hidden NAT fault judgment can be realized.
On the basis of the foregoing device embodiment, the first determining unit may be specifically configured to:
judging, according to the ratio, whether the firewall device meets any of the following conditions, and if so, determining that the firewall device has a hidden NAT fault;
wherein the conditions include:
the rate of increase of the ratio compared with the ratio of the number of TCP sessions to the number of UDP sessions counted in the previous period is not less than a first threshold; or
the rate of increase of the ratio compared with the mean of the ratios of the number of TCP sessions to the number of UDP sessions counted in each period within a preset time period before the current period is not less than a second threshold; or
the rate of increase of the ratio compared with a statistical value of the ratios of the number of TCP sessions to the number of UDP sessions counted in the current period by at least one other firewall device of the same model and configuration is not less than a third threshold.
It should be noted that the preset time period may be one week, five days, and the like, and may be specifically set as required, which is not described herein again. The statistical value can be set according to needs, and is generally an average value and a variance. The first threshold, the second threshold and the third threshold can be obtained through experiments, and the value is generally 30% -60%.
Referring to fig. 5, the embodiment discloses a device for determining hidden NAT failure of a firewall, including:
a second statistical unit 20 and a second determining unit 21; wherein:
the second statistical unit 20 periodically counts the number of half-open sessions and the number of half-close sessions of the firewall device, and sends the two numbers to the second determining unit 21;
it should be noted that the number of half-open sessions and the number of half-close sessions of the firewall device may be periodically collected by a third-party server, in which case the second statistical unit 20 obtains the counts from that server.
After receiving the half-open session number and the half-close session number, the second determining unit 21 determines whether the firewall device has a hidden NAT fault according to the two numbers.
The device for judging the hidden NAT fault of the firewall provided by the embodiment of the invention can judge the hidden NAT fault of the firewall by analyzing the fluctuation conditions of the half-open session and the half-close session for the firewall equipment with the function of checking the half-open session and the half-close session based on the rule that the half-open session or the half-close session is increased when a system BUG, a network attack and the like occur.
On the basis of the foregoing device embodiment, the second determining unit may be specifically configured to:
judging, according to the half-open session number and the half-close session number, whether the firewall device meets any of the following conditions, and if so, determining that the firewall device has a hidden NAT fault;
wherein the conditions include:
the rate of increase of the number of half-open sessions compared with the number of half-open sessions counted in the previous period is not less than a fourth threshold; or
the rate of increase of the number of half-close sessions compared with the number of half-close sessions counted in the previous period is not less than a fifth threshold; or
the rate of increase of the number of half-open sessions compared with the mean of the numbers of half-open sessions counted in each period within a preset time period before the current period is not less than a sixth threshold; or
the rate of increase of the number of half-close sessions compared with the mean of the numbers of half-close sessions counted in each period within the preset time period before the current period is not less than a seventh threshold; or
the rate of increase of the number of half-open sessions compared with a statistical value of the numbers of half-open sessions counted in the current period by at least one other firewall device of the same model and configuration is not less than an eighth threshold; or
the rate of increase of the number of half-close sessions compared with a statistical value of the numbers of half-close sessions counted in the current period by at least one other firewall device of the same model and configuration is not less than a ninth threshold.
It should be noted that the preset time period may be one week, five days, and the like, and may be specifically set as required, which is not described herein again. The statistical value can be set according to needs, and is generally an average value and a variance. The fourth threshold, the fifth threshold, the sixth threshold, the seventh threshold, the eighth threshold and the ninth threshold can be specifically obtained through experiments, and are generally 30% -60%.
The periods used for statistical analysis are service-stable periods; early-morning hours, emergency dates and the like are excluded from the statistics.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element. The terms "upper", "lower", and the like, indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience in describing the present invention and simplifying the description, but do not indicate or imply that the referred devices or elements must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention. Unless expressly stated or limited otherwise, the terms "mounted," "connected," and "connected" are intended to be inclusive and mean, for example, that they may be fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
In the description of the present invention, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description. Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present invention is not limited to any single aspect, nor is it limited to any single embodiment, nor is it limited to any combination and/or permutation of these aspects and/or embodiments. Moreover, each aspect and/or embodiment of the present invention may be utilized alone or in combination with one or more other aspects and/or embodiments thereof.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.

Claims (4)

1. A method for judging a hidden NAT fault of a firewall, characterized by comprising the following steps:
S10, periodically counting the number of TCP sessions and the number of UDP sessions of the firewall device, and calculating the ratio of the number of TCP sessions to the number of UDP sessions counted in the current period;
S11, determining whether the firewall device has a hidden NAT fault according to the ratio;
wherein determining whether the firewall device has a hidden NAT fault according to the ratio specifically includes:
determining that the firewall device has a hidden NAT fault when the ratio of the current-period ratio to the ratio of the number of TCP sessions to the number of UDP sessions counted in the previous period is not less than a first threshold, the ratio of the current-period ratio to the ratio of the number of TCP sessions to the number of UDP sessions counted in each period of a preset time period before the current period is not less than a second threshold, or the ratio of the current-period ratio to the ratio of the number of TCP sessions to the number of UDP sessions counted in the current period by at least one firewall device of the same type and configuration is not less than a third threshold.
2. A method for judging a hidden NAT fault of a firewall, characterized by comprising the following steps:
S20, periodically counting the number of half-open sessions and the number of half-close sessions of the firewall device;
S21, determining whether the firewall device has a hidden NAT fault according to the number of half-open sessions and the number of half-close sessions;
wherein determining whether the firewall device has a hidden NAT fault according to the number of half-open sessions and the number of half-close sessions specifically includes:
determining that the firewall device has a hidden NAT fault when the proportional increase of the number of half-open sessions over the number of half-open sessions counted in the previous period is not less than a fourth threshold, the proportional increase of the number of half-close sessions over the number of half-close sessions counted in the previous period is not less than a fifth threshold, the proportional increase of the number of half-open sessions over the mean number of half-open sessions counted in each period of a preset period before the current period is not less than a sixth threshold, the proportional increase of the number of half-close sessions over the mean number of half-close sessions counted in each period of a preset period before the current period is not less than a seventh threshold, the proportional increase of the number of half-open sessions over the mean number of half-open sessions counted in the current period by at least one other firewall device of the same model and configuration is not less than an eighth threshold, or the proportional increase of the number of half-close sessions over the number of half-close sessions counted in the current period by at least one other firewall device of the same model and configuration is not less than a ninth threshold.
3. A device for judging a hidden NAT fault of a firewall, characterized by comprising:
a first statistical unit, configured to periodically count the number of TCP sessions and the number of UDP sessions of the firewall device and to calculate the ratio of the number of TCP sessions to the number of UDP sessions counted in the current period;
a first determining unit, configured to determine whether the firewall device has a hidden NAT fault according to the ratio;
wherein determining whether the firewall device has a hidden NAT fault according to the ratio specifically includes:
determining that the firewall device has a hidden NAT fault when the ratio of the current-period ratio to the ratio of the number of TCP sessions to the number of UDP sessions counted in the previous period is not less than a first threshold, the ratio of the current-period ratio to the ratio of the number of TCP sessions to the number of UDP sessions counted in each period of a preset time period before the current period is not less than a second threshold, or the ratio of the current-period ratio to the ratio of the number of TCP sessions to the number of UDP sessions counted in the current period by at least one firewall device of the same type and configuration is not less than a third threshold.
4. A device for judging a hidden NAT fault of a firewall, characterized by comprising:
a second statistical unit, configured to periodically count the number of half-open sessions and the number of half-close sessions of the firewall device;
a second determining unit, configured to determine whether the firewall device has a hidden NAT fault according to the number of half-open sessions and the number of half-close sessions;
wherein determining whether the firewall device has a hidden NAT fault according to the number of half-open sessions and the number of half-close sessions specifically includes:
determining that the firewall device has a hidden NAT fault when the proportional increase of the number of half-open sessions over the number of half-open sessions counted in the previous period is not less than a fourth threshold, the proportional increase of the number of half-close sessions over the number of half-close sessions counted in the previous period is not less than a fifth threshold, the proportional increase of the number of half-open sessions over the mean number of half-open sessions counted in each period of a preset period before the current period is not less than a sixth threshold, the proportional increase of the number of half-close sessions over the mean number of half-close sessions counted in each period of a preset period before the current period is not less than a seventh threshold, the proportional increase of the number of half-open sessions over the mean number of half-open sessions counted in the current period by at least one other firewall device of the same model and configuration is not less than an eighth threshold, or the proportional increase of the number of half-close sessions over the number of half-close sessions counted in the current period by at least one other firewall device of the same model and configuration is not less than a ninth threshold.
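The threshold checks recited in claims 1 to 4, as an added Python example; this is not code from the patent or its applicant. Each claim condition becomes one named check so that an operator can see which baseline fired (previous period, preset window, or same-model peers). The threshold values, the `PeriodSample`/`Thresholds` names and the session counts are constructed for illustration; the claims leave the nine thresholds unspecified. The example also handles a case the claims do not mention: a period with zero UDP sessions, where the TCP/UDP ratio is undefined, is skipped rather than divided by zero.

```python
"""Threshold checks from claims 1-4, as an illustrative implementation.

Added example, not code from the patent. Threshold values and session
counts are constructed; the claims leave the thresholds unspecified.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class PeriodSample:
    """Session counters read from one firewall device in one statistics period."""
    tcp: int
    udp: int
    half_open: int
    half_close: int


@dataclass(frozen=True)
class Thresholds:
    """Hypothetical values; the claims only name them 'first' to 'ninth'."""
    t1: float = 1.5  # current TCP/UDP ratio over the previous period's ratio
    t2: float = 1.5  # current ratio over the mean ratio of the preset window
    t3: float = 1.5  # current ratio over the mean ratio of same-model peers
    t4: float = 0.5  # half-open increase vs previous period
    t5: float = 0.5  # half-close increase vs previous period
    t6: float = 0.5  # half-open increase vs window mean
    t7: float = 0.5  # half-close increase vs window mean
    t8: float = 0.5  # half-open increase vs peers' current period
    t9: float = 0.5  # half-close increase vs peers' current period


def tcp_udp_ratio(s: PeriodSample) -> Optional[float]:
    """TCP/UDP session ratio; None when no UDP session was counted (undefined)."""
    return s.tcp / s.udp if s.udp > 0 else None


def ratio_of(current: Optional[float], baseline: Optional[float]) -> Optional[float]:
    """current / baseline (claims 1 and 3); None if undefined or baseline is 0."""
    if current is None or baseline is None or baseline <= 0:
        return None
    return current / baseline


def increase_ratio(current: float, baseline: float) -> Optional[float]:
    """(current - baseline) / baseline (claims 2 and 4); None if baseline is 0."""
    return (current - baseline) / baseline if baseline > 0 else None


def mean_ratio(samples: Sequence[PeriodSample]) -> Optional[float]:
    """Mean TCP/UDP ratio over the periods where the ratio is defined."""
    defined = [r for r in map(tcp_udp_ratio, samples) if r is not None]
    return mean(defined) if defined else None


def check_tcp_udp_ratio(current, previous, window, peers, th) -> List[str]:
    """Claims 1 and 3: the current ratio against three baselines; any hit suffices."""
    r = tcp_udp_ratio(current)
    checks = [
        ("tcp_udp_vs_previous", ratio_of(r, tcp_udp_ratio(previous)), th.t1),
        ("tcp_udp_vs_window_mean", ratio_of(r, mean_ratio(window)), th.t2),
        ("tcp_udp_vs_peers", ratio_of(r, mean_ratio(peers)), th.t3),
    ]
    return [name for name, value, limit in checks if value is not None and value >= limit]


def check_half_sessions(current, previous, window, peers, th) -> List[str]:
    """Claims 2 and 4: proportional increase of half-open and half-close counts."""
    hits = []
    for attr, limits in (("half_open", (th.t4, th.t6, th.t8)),
                         ("half_close", (th.t5, th.t7, th.t9))):
        cur = getattr(current, attr)
        baselines = [
            ("previous", getattr(previous, attr)),
            ("window_mean", mean(getattr(s, attr) for s in window) if window else 0),
            ("peers", mean(getattr(s, attr) for s in peers) if peers else 0),
        ]
        for (label, base), limit in zip(baselines, limits):
            inc = increase_ratio(cur, base)
            if inc is not None and inc >= limit:
                hits.append(f"{attr}_vs_{label}")
    return hits


def hidden_nat_fault(current, previous, window, peers, th=Thresholds()) -> List[str]:
    """Names of every condition that fired; a non-empty list means 'fault' under the claims."""
    return (check_tcp_udp_ratio(current, previous, window, peers, th)
            + check_half_sessions(current, previous, window, peers, th))


# Constructed sample: steady periods, two healthy peers, then a period where
# half-open sessions pile up while the TCP/UDP ratio barely moves.
STEADY = [PeriodSample(tcp=10000, udp=4000, half_open=200, half_close=150) for _ in range(6)]
PEERS = [PeriodSample(tcp=9800, udp=4100, half_open=210, half_close=140),
         PeriodSample(tcp=10200, udp=3900, half_open=190, half_close=160)]
SUSPECT = PeriodSample(tcp=10500, udp=4000, half_open=900, half_close=160)

if __name__ == "__main__":
    print(hidden_nat_fault(SUSPECT, STEADY[-1], STEADY[:-1], PEERS))
```

Because the claims join the conditions with "or", a single fired check is enough for a fault verdict; returning the list of names instead of a bare boolean keeps the verdict explainable, which matters when the peer baseline comes from another device whose own counters may be the anomalous ones.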

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610954638.8A CN107995056B (en) 2016-10-27 2016-10-27 Method and device for judging hidden NAT fault of firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610954638.8A CN107995056B (en) 2016-10-27 2016-10-27 Method and device for judging hidden NAT fault of firewall

Publications (2)

Publication Number Publication Date
CN107995056A CN107995056A (en) 2018-05-04
CN107995056B true CN107995056B (en) 2021-04-13

Family

ID=62028595

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610954638.8A Active CN107995056B (en) 2016-10-27 2016-10-27 Method and device for judging hidden NAT fault of firewall

Country Status (1)

Country Link
CN (1) CN107995056B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112787883B (en) * 2020-12-26 2022-07-12 中国农业银行股份有限公司 Method, device and equipment for detecting NAT (network Address translation) fault of equipment
CN115514732B (en) * 2022-09-02 2023-08-25 上海量讯物联技术有限公司 Source NAT IP distribution method and device based on TCP connection number

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101686235A (en) * 2008-09-26 2010-03-31 中联绿盟信息技术(北京)有限公司 Device and method for analyzing abnormal network flow
CN103095665A (en) * 2011-11-07 2013-05-08 中兴通讯股份有限公司 Method and device of improving firewall processing performance
JP5380363B2 (en) * 2010-01-19 2014-01-08 アラクサラネットワークス株式会社 Address translation device and address translation table management method
CN103648126A (en) * 2013-12-25 2014-03-19 大唐移动通信设备有限公司 Fault processing method and device
CN105320585A (en) * 2014-07-08 2016-02-10 北京启明星辰信息安全技术有限公司 Method and device for achieving application fault diagnosis

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003083692A1 (en) * 2002-03-27 2003-10-09 First Virtual Communications System and method for traversing firewalls with protocol communications

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101686235A (en) * 2008-09-26 2010-03-31 中联绿盟信息技术(北京)有限公司 Device and method for analyzing abnormal network flow
JP5380363B2 (en) * 2010-01-19 2014-01-08 アラクサラネットワークス株式会社 Address translation device and address translation table management method
CN103095665A (en) * 2011-11-07 2013-05-08 中兴通讯股份有限公司 Method and device of improving firewall processing performance
CN103648126A (en) * 2013-12-25 2014-03-19 大唐移动通信设备有限公司 Fault processing method and device
CN105320585A (en) * 2014-07-08 2016-02-10 北京启明星辰信息安全技术有限公司 Method and device for achieving application fault diagnosis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Research on P2P Communication Methods for UDP/TCP NAT Traversal (UDP/TCP Hole Punching)"; Beyond_cn; www.blogs.csdn.net/beyond_cn/article/details/38236327.html; 2014-07-28; full text *

Also Published As

Publication number Publication date
CN107995056A (en) 2018-05-04

Similar Documents

Publication Publication Date Title
CN107623685B (en) Method and device for rapidly detecting SYN Flood attack
CN108234404B (en) Defense method, system and related equipment for DDoS attack
CN108076019B (en) Abnormal flow detection method and device based on flow mirror image
CN108965347B (en) Distributed denial of service attack detection method, device and server
US9197561B2 (en) Facilitating network flows
CN107995056B (en) Method and device for judging hidden NAT fault of firewall
US11336545B2 (en) Network device measurements employing white boxes
CN112422554B (en) Method, device, equipment and storage medium for detecting abnormal traffic external connection
CN102752141A (en) Method and device for detecting accessibility of IP (internet protocol) address
CN107070888A (en) Gateway security management method and equipment
WO2024021495A1 (en) Method and apparatus for identifying flooding attack in cloud platform, and device and storage medium
CN107547561B (en) Method and device for carrying out DDOS attack protection processing
CN112866175B (en) Method, device, equipment and storage medium for reserving abnormal traffic types
CN111565196A (en) KNXnet/IP protocol intrusion detection method, device, equipment and medium
Balen et al. Network performance evaluation of latest windows operating systems
CN107689967B (en) DDoS attack detection method and device
CN111510443B (en) Terminal monitoring method and terminal monitoring device based on equipment portrait
CN104540161B (en) A kind of node state detection method and device
WO2016202025A1 (en) Trap message processing method and apparatus
CN114157516A (en) Flow detection method and device, electronic equipment and computer storage medium
CN114189480A (en) Flow sampling method and device, electronic equipment and medium
CN110049147B (en) Method for detecting number of hosts after NAT
CN107634944B (en) Information abnormity judgment method and system and computer device
JP5655049B2 (en) Determination device, determination method, and determination program
CN110661684A (en) Flow statistical method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant