CN108574694A - A kind of Modbus TCP safety protecting methods and device - Google Patents

Info

Publication number: CN108574694A
Authority: CN (China)
Prior art keywords: data packet, address, legitimacy, coil, register
Prior art date:
Legal status: Pending (the legal status is an assumption, not a legal conclusion)
Application number: CN201810358879.5A
Other languages: Chinese (zh)
Inventors: 马纳, 罗冰, 陈银桃, 王有为
Current assignee: Zhejiang Supcon Technology Co Ltd
Original assignee: Zhejiang Supcon Technology Co Ltd
Priority date:
Filing date:
Publication date:
Application filed by Zhejiang Supcon Technology Co Ltd
Priority to CN201810358879.5A
Publication of CN108574694A

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 ... for detecting or protecting against malicious traffic
            • H04L63/1408 ... by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
            • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1458 Denial of Service
    • H04L12/00 Data switching networks
        • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
            • H04L12/40 Bus networks
                • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
                    • H04L2012/40228 Modbus
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
        • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]

Abstract

The invention discloses a security protection method and device for Modbus TCP communication. The method includes: when a Modbus TCP packet is received, checking the legitimacy of a preset set of tuple fields in the packet's transport layer; detecting the legitimacy of the packet's application-layer data format; detecting the legitimacy of the function code in the packet; detecting the legitimacy of the transaction access rate of the current communication session; and detecting the legitimacy of the packet's registers or coils. By limiting the access rate of Modbus TCP session communication and blocking the packet of the current communication when the access rate exceeds a preset access rate threshold, the method protects against access flooding attacks and ensures the security of session communication. It also intercepts spoofed information and illegal transaction function codes, and prevents the writing of illegal register or coil values.

Description

A kind of Modbus TCP safety protecting methods and device
Technical field
The present invention relates to the field of data security, and in particular to a Modbus TCP security protection method and device.
Background technology
With the rapid development of the deep integration of informatization and industrialization, industrial control systems use more and more standard, open communication protocols, and the security risks present in those protocols become increasingly prominent. Among them, the Modbus TCP protocol, as an industry standard, provides an open, unified standard interface between field devices, automatic control applications and enterprise management application software, and is widely used in the control field. But as Modbus TCP is widely deployed, its security problems receive more and more attention.
In the prior art, when security protection is applied to the Modbus TCP protocol, no protection is provided against access flooding: when the master station's data access rate to the slave station is too high, the slave station's data processing performance may be affected and the slave station may even crash, which disrupts the Modbus TCP communication between the master and the slave.
Invention content
In view of this, the invention discloses a Modbus TCP security protection method and device which, by limiting the communication access rate, protect against access flooding attacks and ensure the security of session communication.
A security protection method for Modbus TCP communication, characterised in that it includes:
during Modbus TCP session communication, when a Modbus TCP packet is received, checking the legitimacy of a preset set of tuple fields in the packet's transport layer;
detecting the legitimacy of the packet's application-layer data format;
detecting the legitimacy of the function code in the packet;
detecting the legitimacy of the transaction access rate of the current communication session;
detecting the legitimacy of the packet's register or coil.
Optionally, checking the legitimacy of the preset tuple fields of the packet's transport layer includes:
obtaining the packet's source IP address, source MAC address, destination IP address, destination MAC address, destination port, source port and transport-layer protocol type;
according to a preset IP address to MAC address relation table, judging whether the correspondence between the source IP address and the source MAC address is legal, and judging whether the correspondence between the destination IP address and the destination MAC address is legal;
if the correspondence between the source IP address and the source MAC address is legal, the source MAC address is legal; if the correspondence between the destination IP address and the destination MAC address is legal, the destination MAC address is legal;
according to a preset security policy table, separately detecting the legitimacy of the packet's source IP address, destination IP address, destination port, source port and transport-layer protocol type.
Optionally, detecting the legitimacy of the packet's application-layer data format includes:
obtaining the packet's function code, master station IP address and slave station IP address;
matching the function code, the master station IP address and the slave station IP address against a preset function code access control list; the function code access control list includes each function code, the IP information of the master stations that have permission to execute that function code, and the IP information of the slave stations on which a master station is permitted to execute that function code;
if the match succeeds, the master station that sent the packet has permission to execute the function code.
Optionally, the method further includes:
adding a custom function code to the access control list;
adding the master station IP information and slave station IP information corresponding to the custom function code.
Optionally, detecting the legitimacy of the transaction access rate of the current communication session includes:
obtaining the transaction access rate of the current communication session;
judging whether the transaction access rate of the current communication session exceeds a preset access rate threshold;
if the transaction access rate of the current communication session exceeds the preset access rate threshold, blocking the packet.
Optionally, detecting the legitimacy of the packet's register or coil includes:
obtaining the address of the packet's register or coil and the value of the register or coil;
detecting the legitimacy of the address of the register or coil according to a preset register or coil inspection table;
if the register or coil address is legal, determining the legitimacy of the value of the register or coil based on the value range corresponding to that address in the preset register or coil inspection table.
Optionally, the method further includes:
when the packet is detected to be an illegal packet, blocking the packet;
sending a reset packet to the master station and the slave station of the current communication session.
An embodiment of the invention discloses a Modbus TCP security protection device, including:
a tuple information detection unit, for checking, during Modbus TCP session communication and when a Modbus TCP packet is received, the legitimacy of the preset tuple fields of the packet's transport layer;
an application layer detection unit, for detecting the legitimacy of the packet's application-layer data format;
a function code detection unit, for detecting the legitimacy of the function code in the packet;
an access rate detection unit, for detecting the legitimacy of the transaction access rate of the current communication session;
a register or coil detection unit, for detecting the legitimacy of the packet's register or coil.
An embodiment of the invention also discloses a storage medium, the storage medium including a stored program, wherein when the program runs it controls the device on which the storage medium is located to execute the security protection method for Modbus TCP communication according to any one of claims 1-7.
An embodiment of the invention also discloses a processor, the processor being used to run a program, wherein when the program runs it executes the security protection method for Modbus TCP communication according to any one of claims 1-7.
An embodiment of the invention discloses a security protection method for Modbus TCP communication, including: when a Modbus TCP packet is received, checking the legitimacy of the preset tuple fields of the packet's transport layer; detecting the legitimacy of the packet's application-layer data format; detecting the legitimacy of the function code in the packet; detecting the legitimacy of the transaction access rate of the current communication session; and detecting the legitimacy of the packet's register or coil. It follows that by limiting the access rate of Modbus TCP session communication and blocking the packet of the current communication when the access rate exceeds the preset access rate threshold, access flooding attacks are protected against and the security of session communication is ensured.
In addition, this embodiment monitors the 7-tuple information and the integrity of the Modbus TCP protocol in real time, and intercepts spoofed information and malformed packets. By establishing access control rules for Modbus TCP transaction function codes, it intercepts illegal transaction function codes; furthermore, by checking the legitimacy of registers or coils, it prevents the writing of illegal register or coil values.
Further, when a packet is detected to be illegal, a reset packet is sent to the master station and the slave station of the current communication session, notifying the master and the slave that the packet is invalid, that is, informing them that the communication between master and slave has failed, so that the master and the slave re-establish the communication connection. In this way the security of Modbus TCP communication is further ensured.
Description of the drawings
In order to explain the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the invention; those of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 shows a flow diagram of a security protection method for Modbus TCP communication provided in an embodiment of the invention;
Fig. 2 shows another flow diagram of a security protection method for Modbus TCP communication provided in an embodiment of the invention;
Fig. 3 shows a structural diagram of a security protection device for Modbus TCP communication provided in an embodiment of the invention;
Fig. 4 shows another structural diagram of a security protection device for Modbus TCP communication provided in an embodiment of the invention.
Specific implementation mode
The technical solutions in the embodiments of the invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the protection scope of the invention.
Referring to Fig. 1, which shows a flow diagram of a security protection method for Modbus TCP communication provided in an embodiment of the invention, in this embodiment the method includes:
S101: during Modbus TCP session communication, when a Modbus TCP packet is received, checking the legitimacy of the preset tuple fields of the packet's transport layer;
In this embodiment, the packet's transport layer includes multiple tuple fields, for example: destination MAC address, source MAC address, destination IP address, source IP address, destination port, source port, transport-layer protocol, and so on. To ensure the legitimacy of the packet's transport layer, the legitimacy of these tuple fields needs to be detected, which specifically includes:
obtaining the packet's source IP address, source MAC address, destination IP address, destination MAC address, destination port, source port and transport-layer protocol type;
according to a preset IP address to MAC address relation table, judging whether the correspondence between the source IP address and the source MAC address is legal, and judging whether the correspondence between the destination IP address and the destination MAC address is legal;
when the correspondence between the source IP address and the source MAC address is legal and the correspondence between the destination IP address and the destination MAC address is legal, the source MAC address and the destination MAC address are legal;
according to a preset security policy table, separately detecting the legitimacy of the packet's source IP address, destination IP address, destination port, source port and transport-layer protocol type.
In this embodiment, the preset IP address to MAC address relation table is configured in advance by technical staff and can be represented as an IP-MAC binding table, which contains the correspondence between each legitimate MAC address and the different IP addresses.
When the relationship between the packet's source IP address and source MAC address, and between its destination IP address and destination MAC address, is detected, the source IP address and source MAC address can be matched against the entries in the IP-MAC binding table; if the match succeeds, the source MAC address is legal, that is, the source of the packet is legitimate and reliable. The same method is used to detect the destination IP address and destination MAC address.
In this embodiment, the security policy table includes: legal source IP addresses, legal destination IP addresses, legal destination ports, legal source ports and legal transport-layer protocol types.
When the security policy table is applied to detect the legitimacy of the packet's source IP address, destination IP address, destination port, source port and transport-layer protocol type, these five tuple fields of the packet can be matched against the legal 5-tuple entries in the security policy table; for any one of the five fields, if the match succeeds, that field is legal. It should be noted, however, that this embodiment does not limit the detection of the 5-tuple fields to the matching method mentioned above, which is only one embodiment provided here.
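The S101 checks described above, as an added example in Python that is not part of the patent: a packet's source and destination IP/MAC pairs are matched against an IP-MAC binding table, and its 5-tuple against a security policy table. The `PacketTuple` representation, the table contents and the sample packets are all constructed here and stand in for the tables technical staff would configure.

```python
"""Added example (not from the patent): the S101 transport-layer tuple checks.

Assumed representation: each received packet is described by a PacketTuple.
The IP-MAC binding table and the 5-tuple security policy table are constructed
sample data standing in for the tables technical staff would configure.
"""
from dataclasses import dataclass

# Constructed IP-MAC binding table: the legitimate MAC address for each IP address.
IP_MAC_BINDINGS = {
    "192.0.2.10": "00:11:22:33:44:01",  # master station (constructed)
    "192.0.2.20": "00:11:22:33:44:02",  # slave station (constructed)
}

# Constructed security policy table: the legal values for each 5-tuple field.
SECURITY_POLICY = {
    "src_ip": {"192.0.2.10"},
    "dst_ip": {"192.0.2.20"},
    "dst_port": {502},                 # Modbus TCP well-known port
    "src_port": range(1024, 65536),    # any ephemeral source port
    "proto": {"tcp"},
}


@dataclass(frozen=True)
class PacketTuple:
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_mac: str
    dst_port: int
    src_port: int
    proto: str


def mac_binding_ok(ip: str, mac: str, bindings=IP_MAC_BINDINGS) -> bool:
    """True if (ip, mac) is an entry of the IP-MAC binding table."""
    bound = bindings.get(ip)
    return bound is not None and bound.lower() == mac.lower()


def check_tuple(pkt: PacketTuple, bindings=IP_MAC_BINDINGS,
                policy=SECURITY_POLICY) -> list:
    """Return the names of the failed checks; an empty list means the tuple is legal.

    Source and destination IP/MAC pairs are checked against the binding table,
    then each of the five policy fields is matched against the security policy
    table, in the order the description of S101 lays out.
    """
    failures = []
    if not mac_binding_ok(pkt.src_ip, pkt.src_mac, bindings):
        failures.append("src ip/mac binding")
    if not mac_binding_ok(pkt.dst_ip, pkt.dst_mac, bindings):
        failures.append("dst ip/mac binding")
    for field, allowed in policy.items():
        if getattr(pkt, field) not in allowed:
            failures.append("policy:" + field)
    return failures


# Constructed sample packets.
LEGIT = PacketTuple("192.0.2.10", "00:11:22:33:44:01", "192.0.2.20",
                    "00:11:22:33:44:02", 502, 40001, "tcp")
# Same IP addresses, but the source MAC does not match the binding table.
SPOOFED_MAC = PacketTuple("192.0.2.10", "00:11:22:33:44:99", "192.0.2.20",
                          "00:11:22:33:44:02", 502, 40001, "tcp")
# Bindings are fine, but the destination port is not permitted by policy.
BAD_PORT = PacketTuple("192.0.2.10", "00:11:22:33:44:01", "192.0.2.20",
                       "00:11:22:33:44:02", 5020, 40001, "tcp")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("spoofed mac", SPOOFED_MAC),
                      ("bad port", BAD_PORT)):
        print(name, "->", check_tuple(pkt) or "legal")
```

Returning the list of failed checks rather than a bare boolean keeps the reason available for the block-and-reset step the page describes later, and lets a log entry name which table rejected the packet.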
S102: detecting the legitimacy of the packet's application-layer data format;
In this embodiment, detecting the legitimacy of the packet's application-layer data format may include detecting several kinds of format information, for example: the integrity of the application-layer data header, the length value of the Modbus TCP application-layer data, the difference value, and so on.
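An added example (not from the patent) of the S102 format check in Python: it parses the MBAP header of a Modbus TCP frame and rejects frames whose protocol identifier is not 0, whose length field disagrees with the number of bytes actually present, or whose PDU exceeds the protocol's size limit. The three frames are constructed samples; the field layout is the standard Modbus TCP header.

```python
"""Added example (not from the patent): the S102 application-layer format check.

Parses the MBAP header of a Modbus TCP frame and checks what the description
names: header integrity, the length field against the bytes actually present,
and the difference between the two. Frames below are constructed samples.
"""
import struct

MBAP_SIZE = 7       # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_PDU_SIZE = 253  # Modbus application protocol limit for one PDU


def parse_mbap(frame: bytes) -> tuple:
    """Return (header dict, pdu bytes); raise ValueError for an illegal format."""
    if len(frame) < MBAP_SIZE + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_SIZE])
    if pid != 0:
        raise ValueError("protocol identifier must be 0, got %d" % pid)
    # The length field counts the unit id plus the PDU, i.e. everything after
    # the first six bytes. A mismatch is the "difference" between the claimed
    # and the present length.
    present = len(frame) - 6
    if length != present:
        raise ValueError("length field %d but %d bytes present (difference %d)"
                         % (length, present, length - present))
    if length - 1 > MAX_PDU_SIZE:
        raise ValueError("PDU larger than %d bytes" % MAX_PDU_SIZE)
    header = {"transaction_id": tid, "unit_id": uid,
              "function_code": frame[MBAP_SIZE]}
    return header, frame[MBAP_SIZE:]


def check_app_layer(frame: bytes) -> tuple:
    """(True, 'ok') when the format is legal, otherwise (False, reason)."""
    try:
        parse_mbap(frame)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


def _hex(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


# Constructed frames. GOOD: Read Holding Registers (0x03), unit 1, start 0, count 10.
GOOD = _hex("0001 0000 0006 01 03 0000 000a")
# Length field claims 32 following bytes but only 6 are present.
TRUNCATED = _hex("0002 0000 0020 01 03 0000 000a")
# Protocol identifier is not 0, so this is not a Modbus frame.
WRONG_PROTO = _hex("0003 0001 0006 01 03 0000 000a")

if __name__ == "__main__":
    for name, f in (("good", GOOD), ("truncated", TRUNCATED),
                    ("wrong proto", WRONG_PROTO)):
        print(name, "->", check_app_layer(f))
```

The length comparison is the important one for a protective device: a frame whose length field promises more bytes than arrived is exactly the malformed packet the page says should be intercepted before any function-code or register check runs.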
S103: detecting the legitimacy of the function code in the packet;
In this embodiment, detecting the legitimacy of the function code in the packet can be understood as detecting whether the master station that sent the packet has permission to execute the corresponding function; specifically, this is detected through the function code in the packet, and S103 includes:
obtaining the packet's function code, master station IP address and slave station IP address;
matching the function code, the master station IP address and the slave station IP address against a preset function code access control list; the function code access control list includes each function code, the IP information of the master stations that have permission to execute that function code, and the IP information of the slave stations on which a master station is permitted to execute that function code;
if the match succeeds, the master station that sent the packet has permission to execute the function code.
In this embodiment, with respect to the execution of function codes, different master stations have different permissions relative to different slave stations. Therefore, when the legitimacy of the function code in the packet's application layer is detected, what is specifically detected is whether the master station that sent the packet has permission to execute the function code, and whether the slave station communicating with that master station allows the master station to execute it.
For example, Table 1 below shows the relevant information of a function code access control list, in which the IP information of a master station is represented by the master station IP address and master station IP mask, and the IP information of a slave station by the slave station IP address and slave station IP mask:
Table 1
In addition, technical staff can modify the function code access control list, that is, add custom function codes; specifically, the method further includes:
adding a custom function code to the access control list;
adding the master station IP information and slave station IP information corresponding to the custom function code.
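The function code access control list of S103, including the custom function code entries just described, as an added Python example that is not part of the patent. Rules follow the Table 1 layout the text describes (master IP plus mask and slave IP plus mask per function code); the rules, networks and addresses in `build_sample_acl` are constructed sample data.

```python
"""Added example (not from the patent): the S103 function code access control list.

Each rule is (function code, master IP, master mask, slave IP, slave mask),
the layout the page attributes to Table 1. Sample rules are constructed.
"""
import ipaddress


class FunctionCodeACL:
    """function code -> list of (master network, slave network) permitted pairs."""

    def __init__(self):
        self._rules = {}

    def add(self, function_code: int, master_ip: str, master_mask: str,
            slave_ip: str, slave_mask: str) -> None:
        """Add a rule. A custom function code is added with the same call,
        supplying its code together with the master and slave IP information."""
        master_net = ipaddress.ip_network("%s/%s" % (master_ip, master_mask),
                                          strict=False)
        slave_net = ipaddress.ip_network("%s/%s" % (slave_ip, slave_mask),
                                         strict=False)
        self._rules.setdefault(function_code, []).append((master_net, slave_net))

    def permits(self, function_code: int, master_ip: str, slave_ip: str) -> bool:
        """True if some rule for this function code covers both the master that
        sent the packet and the slave it is addressed to; no rule means deny."""
        master = ipaddress.ip_address(master_ip)
        slave = ipaddress.ip_address(slave_ip)
        return any(master in mn and slave in sn
                   for mn, sn in self._rules.get(function_code, []))


def build_sample_acl() -> FunctionCodeACL:
    """Constructed sample list: one read rule, one write rule, one custom code."""
    acl = FunctionCodeACL()
    # Any master on the control LAN may read holding registers (0x03) from the slave.
    acl.add(0x03, "192.0.2.0", "255.255.255.0", "192.0.2.20", "255.255.255.255")
    # Only the engineering master may write multiple registers (0x10) to the slave.
    acl.add(0x10, "192.0.2.10", "255.255.255.255", "192.0.2.20", "255.255.255.255")
    # A custom function code (0x41, user-defined range) with its own IP information.
    acl.add(0x41, "192.0.2.10", "255.255.255.255", "192.0.2.0", "255.255.255.0")
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for fc, m, s in ((0x03, "192.0.2.33", "192.0.2.20"),
                     (0x10, "192.0.2.33", "192.0.2.20"),
                     (0x10, "192.0.2.10", "192.0.2.20")):
        print("fc=0x%02x %s -> %s: %s" % (fc, m, s, "permit" if acl.permits(fc, m, s) else "block"))
```

Because `permits` denies when no rule exists for a code, a function code that was never configured (including a vendor-specific one nobody added) is treated as illegal, which matches the page's intent of intercepting illegal transaction function codes.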
S104: detecting the legitimacy of the transaction access rate of the current communication session;
In this embodiment, during the current Modbus TCP session communication, if the transaction access rate of the current session is too high, it may cause the current session to fail, reduce the slave station's data-processing efficiency, or even cause the slave station to crash. Therefore, the access rate of the master station's session transactions to the slave station needs to be limited; specifically, S104 includes:
obtaining the transaction access rate of the current communication session;
judging whether the transaction access rate of the current session exceeds a preset access rate threshold;
if the transaction access rate of the current communication session exceeds the preset access rate threshold, blocking the packet.
In this embodiment, by limiting the access rate of Modbus TCP session communication and blocking the packet of the current communication when the access rate exceeds the preset access rate threshold, access flooding attacks are protected against and the security of session communication is ensured.
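The S104 rate limit as an added Python example (not from the patent): a sliding-window counter per communication session that blocks a transaction once the number of transactions in the window reaches the preset threshold. The session key, the threshold and the timestamps are constructed; the page does not specify how the rate is measured, so the sliding window is an assumption.

```python
"""Added example (not from the patent): the S104 per-session access rate limit.

A sliding window of transaction timestamps per session; when the window already
holds the threshold number of transactions, the next one is blocked. Timestamps
are passed in explicitly so the behaviour is deterministic and testable.
"""
from collections import deque


class SessionRateLimiter:
    def __init__(self, max_transactions: int, window_seconds: float):
        self.max_transactions = max_transactions   # preset access rate threshold
        self.window = window_seconds
        self._events = {}                          # session key -> deque of timestamps

    def _prune(self, session_key, now: float) -> deque:
        q = self._events.setdefault(session_key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()                            # drop transactions outside the window
        return q

    def rate(self, session_key, now: float) -> float:
        """Current transaction access rate of the session, in transactions/second."""
        return len(self._prune(session_key, now)) / self.window

    def allow(self, session_key, now: float) -> bool:
        """True if the transaction is within the threshold and is admitted;
        False if it exceeds the threshold and must be blocked. Blocked
        transactions are not counted, so a flood cannot lock the window shut."""
        q = self._prune(session_key, now)
        if len(q) >= self.max_transactions:
            return False
        q.append(now)
        return True


def simulate(limiter: SessionRateLimiter, session_key, timestamps) -> list:
    """Feed a sequence of transaction timestamps and return the per-packet decisions."""
    return [limiter.allow(session_key, t) for t in timestamps]


if __name__ == "__main__":
    # Constructed session: master 192.0.2.10 -> slave 192.0.2.20, threshold 5/s.
    session = ("192.0.2.10", "192.0.2.20")
    lim = SessionRateLimiter(max_transactions=5, window_seconds=1.0)
    print(simulate(lim, session, [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 1.0]))
```

In a real deployment the session key would be the (master address, slave address, TCP port) tuple from the S101 checks, and a block decision would feed the reset step described under S201/S202.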
S105: detecting the legitimacy of the packet's register or coil;
In this embodiment, registers and coils are two data types of the Modbus TCP protocol. Detecting the legitimacy of a register or coil means, for a register, detecting the legitimacy of the register address and the register value, and for a coil, detecting the legitimacy of the coil address and the coil value; specifically, S105 includes:
obtaining the address of the packet's register or coil and the value of the register or coil;
detecting the legitimacy of the address of the register or coil according to a preset register or coil inspection table;
if the register or coil address is legal, determining the legitimacy of the value of the register or coil based on the value range corresponding to that address in the preset register or coil inspection table.
In this embodiment, the register or coil inspection table includes the addresses of legal registers or coils and the legal values corresponding to those addresses, for example as shown in Table 2:
Table 2
In this embodiment, when checking the legitimacy of the packet's register or coil, the address of the packet's register or coil can first be matched against the register or coil addresses in the inspection table. If the match succeeds, the address of the packet's register or coil is legal; the legitimacy of the value of the packet's register or coil is then detected according to the maximum and minimum values of the register corresponding to that address in the inspection table. If the value of the packet's register or coil lies between the minimum and maximum values, the value is legal and the packet's register or coil is legal. But if the address of the register or coil is illegal, or the value of the register or coil is illegal, the packet's register or coil is illegal.
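The S105 check as an added Python example (not from the patent): write requests are decoded from the Modbus PDU and each register or coil address and value is checked against an inspection table of legal addresses and value ranges. Table 2 is not reproduced on this page, so the `REGISTER_TABLE` and `COIL_TABLE` contents, like the sample PDUs, are constructed; the PDU layouts for function codes 0x05, 0x06 and 0x10 are the standard ones.

```python
"""Added example (not from the patent): the S105 register/coil inspection check.

Decodes Modbus write requests (Write Single Coil 0x05, Write Single Register
0x06, Write Multiple Registers 0x10) and checks address and value against a
constructed inspection table standing in for the page's Table 2.
"""
import struct

# Constructed inspection table: legal register address -> (minimum, maximum).
REGISTER_TABLE = {
    0x0000: (0, 100),     # e.g. a setpoint in percent
    0x0001: (0, 1000),
    0x0002: (10, 50),
}
# Constructed legal coil addresses; a coil value is only ever ON (0xFF00) or OFF (0x0000).
COIL_TABLE = {0x0000, 0x0001}


def check_register(addr: int, value: int, table=REGISTER_TABLE) -> tuple:
    if addr not in table:
        return False, "illegal register address 0x%04x" % addr
    lo, hi = table[addr]
    if not lo <= value <= hi:
        return False, "register 0x%04x value %d outside [%d, %d]" % (addr, value, lo, hi)
    return True, "ok"


def check_coil(addr: int, value: int, table=COIL_TABLE) -> tuple:
    if addr not in table:
        return False, "illegal coil address 0x%04x" % addr
    if value not in (0x0000, 0xFF00):
        return False, "illegal coil value 0x%04x" % value
    return True, "ok"


def check_write_pdu(pdu: bytes) -> tuple:
    """Check the registers/coils a write request touches. Returns (ok, reason).
    Requests that write nothing pass through this check unchanged."""
    if not pdu:
        return False, "empty PDU"
    fc = pdu[0]
    if fc in (0x05, 0x06):
        if len(pdu) != 5:
            return False, "malformed single-write request"
        addr, value = struct.unpack(">HH", pdu[1:5])
        return check_coil(addr, value) if fc == 0x05 else check_register(addr, value)
    if fc == 0x10:
        if len(pdu) < 6:
            return False, "malformed multiple-register write"
        start, qty, byte_count = struct.unpack(">HHB", pdu[1:6])
        if byte_count != 2 * qty or len(pdu) != 6 + byte_count:
            return False, "byte count does not match quantity"
        values = struct.unpack(">%dH" % qty, pdu[6:6 + byte_count])
        for offset, value in enumerate(values):   # every register in the range is checked
            ok, why = check_register(start + offset, value)
            if not ok:
                return False, why
        return True, "ok"
    return True, "not a write request; nothing to check"


# Constructed sample PDUs.
WRITE_REG_OK = bytes.fromhex("06 0000 0032".replace(" ", ""))       # reg 0 := 50
WRITE_REG_HIGH = bytes.fromhex("06 0000 00fa".replace(" ", ""))     # reg 0 := 250 (> 100)
WRITE_MULTI_OK = bytes.fromhex("10 0000 0002 04 0032 03e8".replace(" ", ""))   # regs 0,1 := 50,1000
WRITE_MULTI_BAD = bytes.fromhex("10 0001 0002 04 0001 0005".replace(" ", ""))  # reg 2 := 5 (< 10)
COIL_ON_OK = bytes.fromhex("05 0001 ff00".replace(" ", ""))
COIL_BAD_ADDR = bytes.fromhex("05 0005 ff00".replace(" ", ""))

if __name__ == "__main__":
    for name, pdu in (("reg ok", WRITE_REG_OK), ("reg high", WRITE_REG_HIGH),
                      ("multi ok", WRITE_MULTI_OK), ("multi bad", WRITE_MULTI_BAD),
                      ("coil ok", COIL_ON_OK), ("coil addr", COIL_BAD_ADDR)):
        print(name, "->", check_write_pdu(pdu))
```

The multiple-register path is where a range table earns its keep: a single 0x10 request can reach an address that is not in the table or carry one out-of-range value among several legal ones, and the check must examine every register in the written block, not just the starting address.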
It should be noted that this embodiment does not limit the order of steps S101-S105; users can change the order of steps S101-S105 according to actual needs.
In this embodiment, security protection for Modbus TCP communication includes: when a Modbus TCP packet is received, checking the legitimacy of the preset tuple fields of the packet's transport layer; detecting the legitimacy of the packet's application-layer data format; detecting the legitimacy of the function code in the packet; detecting the legitimacy of the transaction access rate of the current communication session; and detecting the legitimacy of the packet's register or coil. It follows that by limiting the access rate of Modbus TCP session communication and blocking the packet of the current communication when the access rate exceeds the preset access rate threshold, access flooding attacks are protected against and the security of session communication is ensured.
In addition, this embodiment monitors the 7-tuple information and the integrity of the Modbus TCP protocol in real time, and intercepts spoofed information and malformed packets. By establishing access control rules for Modbus TCP transaction function codes, it intercepts illegal transaction function codes; furthermore, by checking the legitimacy of registers or coils, it prevents the writing of illegal register or coil values.
Referring to Fig. 2, which shows another flow diagram of a security protection method for Modbus TCP communication provided in an embodiment of the invention, in this embodiment the method includes:
S201: when the packet is detected to be an illegal packet, blocking the packet;
In this embodiment, if any one of steps S101-S105 detects that the packet is an illegal packet, the illegal packet is blocked.
S202: sending a reset packet to the master station and the slave station of the current communication session.
In this embodiment, if a packet in the current communication session is illegal and is blocked, but the master station and the slave station do not know that the packet was illegal, the packet may be sent again, which disrupts the normal communication between the master and the slave. Therefore, in this embodiment, when a packet is detected to be illegal, the packet is blocked and a reset packet is sent to the master station and the slave station of the session, to notify them that the packet is invalid, i.e. that the communication between the master and the slave has failed, so that the master and the slave re-establish the communication connection.
In this embodiment, when a packet is detected to be illegal, a reset packet is sent to the master station and the slave station of the current communication session, notifying the master and the slave that the packet is invalid, that is, informing them that the communication between master and slave has failed, so that the master and the slave re-establish the communication connection. In this way the security of Modbus TCP communication is further ensured.
Referring to Fig. 3, which shows a structural diagram of a security protection device for Modbus TCP communication provided in an embodiment of the invention, in this embodiment the device includes:
a tuple information detection unit 301, for checking, during Modbus TCP session communication and when a Modbus TCP packet is received, the legitimacy of the preset tuple fields of the packet's transport layer;
an application layer detection unit 302, for detecting the legitimacy of the packet's application-layer data format;
a function code detection unit 303, for detecting the legitimacy of the function code in the packet;
an access rate detection unit 304, for detecting the legitimacy of the transaction access rate of the current communication session;
a register or coil detection unit 305, for detecting the legitimacy of the packet's register or coil.
Optionally, the tuple information detection unit includes:
a tuple information acquisition subunit, for obtaining the packet's source IP address, source MAC address, destination IP address, destination MAC address, destination port, source port and transport-layer protocol type;
a judgment subunit, for judging, according to a preset IP address to MAC address relation table, whether the correspondence between the source IP address and the source MAC address is legal, and whether the correspondence between the destination IP address and the destination MAC address is legal;
a first determination subunit, for determining that the source MAC address is legal if the correspondence between the source IP address and the source MAC address is legal, and that the destination MAC address is legal if the correspondence between the destination IP address and the destination MAC address is legal;
a tuple information detection subunit, for separately detecting, according to a preset security policy table, the legitimacy of the packet's source IP address, destination IP address, destination port, source port and transport-layer protocol type.
Optionally, the function code detection unit includes:
a function code information acquisition subunit, for obtaining the packet's function code, master station IP address and slave station IP address;
a matching subunit, for matching the function code, the master station IP address and the slave station IP address against a preset function code access control list; the function code access control list includes each function code, the IP information of the master stations that have permission to execute that function code, and the IP information of the slave stations on which a master station is permitted to execute that function code;
a second determination subunit, for determining, if the match succeeds, that the master station that sent the packet has permission to execute the function code.
Optionally, the device further includes:
a custom function code adding subunit, for adding a custom function code to the access control list;
an IP information adding subunit, for adding the master station IP information and slave station IP information corresponding to the custom function code.
Optionally, the access rate detection unit includes:
an access rate acquisition subunit, for obtaining the transaction access rate of the current communication session;
a second judgment subunit, for judging whether the transaction access rate of the current communication session exceeds a preset access rate threshold;
a blocking subunit, for blocking the packet if the transaction access rate of the current communication session exceeds the preset access rate threshold.
Optionally, the register or coil detection unit includes:
A register or coil information acquisition subunit, for obtaining the register or coil address and the register or coil value of the data packet;
A register or coil detection subunit, for detecting the legitimacy of the register or coil address according to a preset register or coil check table;
A third determination subunit, for determining, if the register or coil address is legal, the legitimacy of the register or coil value based on the value range that the preset register or coil check table associates with that address.
In this embodiment, the access rate of Modbus TCP session communication is limited: when the access rate exceeds the preset access rate threshold, the data packets of the current communication are blocked. This provides security protection against flood attacks and ensures the safety of session communication.
Furthermore, this embodiment also detects the 7-tuple information and the integrity of the Modbus TCP protocol in real time, and intercepts spoofed information and malformed data packets. By establishing function code access control rules for Modbus TCP transactions, it intercepts illegal transaction access function codes; in addition, by checking the legitimacy of registers or coils, it prevents the writing of illegal register values or coil values.
Referring to Figure 4, another structural schematic diagram of a Modbus TCP communication security protection device provided in an embodiment of the present invention is shown. In this embodiment, the device includes:
A blocking unit 401, for blocking the data packet when it is detected to be an illegal data packet;
A transmission unit 402, for sending a reset data packet to the master station and the slave station of the current communication session.
With the device of this embodiment, when a data packet is detected to be illegal, a reset data packet is sent to the master station and the slave station of the current communication session, notifying them that the data packet is invalid, i.e. that communication between the master station and the slave station has failed, so that they re-establish the communication connection. This further ensures the security of Modbus TCP communication.
An embodiment of the present invention provides a storage medium on which a program is stored; when executed by a processor, the program implements the above Modbus TCP communication security protection method.
An embodiment of the present invention provides a processor for running a program, wherein the program, when run, executes the above Modbus TCP communication security protection method.
An embodiment of the present invention provides a device including a processor, a memory, and a program stored in the memory and runnable on the processor; when executing the program, the processor implements the following steps:
During Modbus TCP session communication, when a Modbus TCP data packet is received, checking the legitimacy of a plurality of preset tuple information items in the transport layer of the data packet;
Detecting the legitimacy of the application layer data format of the data packet;
Detecting the legitimacy of the function code in the data packet;
Detecting the legitimacy of the access rate of the current communication session transaction;
Detecting the legitimacy of the register or coil of the data packet.
Optionally, checking the legitimacy of the plurality of preset tuple information items in the transport layer of the data packet includes:
Obtaining the source IP address, source MAC address, destination IP address, destination MAC address, destination port, source port and transport layer protocol type of the data packet;
According to a preset relation table of IP addresses and MAC addresses, judging whether the correspondence between the source IP address and the source MAC address is legal, and judging whether the correspondence between the destination IP address and the destination MAC address is legal;
If the correspondence between the source IP address and the source MAC address is legal, the source MAC address is legal; if the correspondence between the destination IP address and the destination MAC address is legal, the destination MAC address is legal;
According to a preset security policy table, detecting the legitimacy of the source IP address, destination IP address, destination port, source port and transport layer protocol type of the data packet respectively.
Optionally, detecting the legitimacy of the application layer data format of the data packet includes:
Obtaining the function code, master station IP address and slave station IP address of the data packet;
Matching the function code, the master station IP address and the slave station IP address against a preset function code access control list; the function code access control list contains, for each function code, the IP information of the master stations that have permission to execute that function code and the IP information of the slave stations on which the master station is permitted to execute it;
If the match succeeds, it indicates that the master station that sent the data packet has permission to execute the function code.
Optionally, the method further includes:
Adding a custom function code to the access control list;
Adding the master station IP information and slave station IP information corresponding to the custom function code.
Optionally, detecting the legitimacy of the access rate of the current communication session transaction includes:
Obtaining the access rate of the current communication session transaction;
Judging whether the access rate of the current communication session transaction has exceeded a preset access rate threshold;
If the access rate of the current communication session transaction has exceeded the preset access rate threshold, blocking the data packet.
Optionally, detecting the legitimacy of the register or coil of the data packet includes:
Obtaining the register or coil address and the register or coil value of the data packet;
Detecting the legitimacy of the register or coil address according to a preset register or coil check table;
If the register or coil address is legal, determining the legitimacy of the register or coil value based on the value range that the preset register or coil check table associates with that address.
Optionally, the method further includes:
When the data packet is detected to be an illegal data packet, blocking the data packet;
Sending a reset data packet to the master station and the slave station of the current communication session.
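As an added illustration that is not code from the patent, the following Python sketch implements three of the checks the steps above describe: the application-layer format check on the MBAP header, the function code access control list keyed by function code, master station IP and slave station IP, and the register or coil check table that associates a permitted value range with each address. The policy tables, IP addresses, addresses and ranges are constructed values; the 7-tuple check and the access rate threshold are not implemented here.

```python
import struct

# Constructed policy tables (hypothetical values chosen for this example).
# Function code ACL: function code -> {master IP -> slave IPs it may address}
FUNCTION_CODE_ACL = {
    0x03: {"192.168.1.10": {"192.168.1.20"}},  # Read Holding Registers
    0x05: {"192.168.1.10": {"192.168.1.20"}},  # Write Single Coil
    0x06: {"192.168.1.10": {"192.168.1.20"}},  # Write Single Register
}
# Register/coil check table: (kind, address) -> (min, max) permitted value
CHECK_TABLE = {
    ("register", 100): (0, 500),  # e.g. a setpoint limited to 0..500
    ("coil", 7): (0, 1),
}
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06


def build_frame(tid: int, uid: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus TCP frame (MBAP header + PDU); used to construct samples."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def parse_frame(raw: bytes) -> tuple:
    """Application-layer format check; returns (unit_id, function_code, data)."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, uid = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus TCP")
    if length != len(raw) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return uid, raw[7], raw[8:]


def check_function_code(fc: int, master_ip: str, slave_ip: str) -> bool:
    """Function code ACL: (function code, master IP, slave IP) must all match."""
    return slave_ip in FUNCTION_CODE_ACL.get(fc, {}).get(master_ip, set())


def check_register_or_coil(fc: int, data: bytes) -> bool:
    """Address must be in the check table and the value within its range."""
    if fc not in (WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        return True  # only single-write requests carry a value to range-check
    if len(data) != 4:
        return False  # malformed PDU for a single write
    addr, value = struct.unpack(">HH", data)
    if fc == WRITE_SINGLE_COIL:
        if value not in (0x0000, 0xFF00):
            return False  # Modbus encodes coil ON as 0xFF00 and OFF as 0x0000
        kind, value = "coil", int(value == 0xFF00)
    else:
        kind = "register"
    if (kind, addr) not in CHECK_TABLE:
        return False  # address not whitelisted
    lo, hi = CHECK_TABLE[(kind, addr)]
    return lo <= value <= hi


def inspect(raw: bytes, master_ip: str, slave_ip: str) -> str:
    """Run the checks in the order the method lists them and return a verdict."""
    try:
        _uid, fc, data = parse_frame(raw)
    except ValueError as exc:
        return f"block: malformed frame ({exc})"
    if not check_function_code(fc, master_ip, slave_ip):
        return "block: function code not permitted for this master/slave pair"
    if not check_register_or_coil(fc, data):
        return "block: register/coil address or value not permitted"
    return "allow"
```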
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. Information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts among the embodiments may be referred to one another.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A security protection method for Modbus TCP communication, characterized in that it includes:
During Modbus TCP session communication, when a Modbus TCP data packet is received, checking the legitimacy of a plurality of preset tuple information items in the transport layer of the data packet;
Detecting the legitimacy of the application layer data format of the data packet;
Detecting the legitimacy of the function code in the data packet;
Detecting the legitimacy of the access rate of the current communication session transaction;
Detecting the legitimacy of the register or coil of the data packet.
2. The method according to claim 1, characterized in that checking the legitimacy of the plurality of preset tuple information items in the transport layer of the data packet includes:
Obtaining the source IP address, source MAC address, destination IP address, destination MAC address, destination port, source port and transport layer protocol type of the data packet;
According to a preset relation table of IP addresses and MAC addresses, judging whether the correspondence between the source IP address and the source MAC address is legal, and judging whether the correspondence between the destination IP address and the destination MAC address is legal;
If the correspondence between the source IP address and the source MAC address is legal, the source MAC address is legal; if the correspondence between the destination IP address and the destination MAC address is legal, the destination MAC address is legal;
According to a preset security policy table, detecting the legitimacy of the source IP address, destination IP address, destination port, source port and transport layer protocol type of the data packet respectively.
3. The method according to claim 1, characterized in that detecting the legitimacy of the application layer data format of the data packet includes:
Obtaining the function code, master station IP address and slave station IP address of the data packet;
Matching the function code, the master station IP address and the slave station IP address against a preset function code access control list; the function code access control list contains, for each function code, the IP information of the master stations that have permission to execute that function code and the IP information of the slave stations on which the master station is permitted to execute it;
If the match succeeds, it indicates that the master station that sent the data packet has permission to execute the function code.
4. The method according to claim 3, characterized in that it further includes:
Adding a custom function code to the access control list;
Adding the master station IP information and slave station IP information corresponding to the custom function code.
5. The method according to claim 1, characterized in that detecting the legitimacy of the access rate of the current communication session transaction includes:
Obtaining the access rate of the current communication session transaction;
Judging whether the access rate of the current communication session transaction has exceeded a preset access rate threshold;
If the access rate of the current communication session transaction has exceeded the preset access rate threshold, blocking the data packet.
6. The method according to claim 1, characterized in that detecting the legitimacy of the register or coil of the data packet includes:
Obtaining the register or coil address and the register or coil value of the data packet;
Detecting the legitimacy of the register or coil address according to a preset register or coil check table;
If the register or coil address is legal, determining the legitimacy of the register or coil value based on the value range that the preset register or coil check table associates with that address.
7. The method according to any one of claims 1-6, characterized in that it further includes:
When the data packet is detected to be an illegal data packet, blocking the data packet;
Sending a reset data packet to the master station and the slave station of the current communication session.
8. A Modbus TCP security protection device, characterized in that it includes:
A tuple information detection unit, for checking, during Modbus TCP session communication, when a Modbus TCP data packet is received, the legitimacy of a plurality of preset tuple information items in the transport layer of the data packet;
An application layer detection unit, for detecting the legitimacy of the application layer data format of the data packet;
A function code detection unit, for detecting the legitimacy of the function code in the data packet;
An access rate detection unit, for detecting the legitimacy of the access rate of the current communication session transaction;
A register or coil detection unit, for detecting the legitimacy of the register or coil of the data packet.
9. A storage medium, characterized in that the storage medium includes a stored program,
wherein, when the program is run, it controls the device on which the storage medium is located to execute the Modbus TCP communication security protection method according to any one of claims 1-7.
10. A processor, characterized in that the processor is used to run a program,
wherein, when the program is run, it executes the Modbus TCP communication security protection method according to any one of claims 1-7.
CN201810358879.5A 2018-04-20 2018-04-20 A kind of Modbus TCP safety protecting methods and device Pending CN108574694A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810358879.5A CN108574694A (en) 2018-04-20 2018-04-20 A kind of Modbus TCP safety protecting methods and device


Publications (1)

Publication Number Publication Date
CN108574694A true CN108574694A (en) 2018-09-25



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180925