Packet security check method and system based on time to live
Technical Field
The invention relates to the technical field of data communication, and in particular to a packet security check method and system based on time to live (TTL).
Background
Time To Live (TTL) is an 8-bit field of the IP header, set by the sender, that bounds the number of hops a packet may be forwarded across a network. When a host on the network is pinged, the local machine sends out a packet that reaches the destination host through some number of routers. For many reasons some packets cannot reach the destination host, and without a time to live such packets would circulate on the network indefinitely, increasing network load. Each router that forwards a packet decrements its TTL by 1, and a packet whose TTL reaches 0 before it is delivered to the destination host is dropped. The Generalized TTL Security Mechanism (GTSM, RFC 5082) uses this behaviour to protect a device's CPU from utilisation-exhaustion attacks: it checks the TTL field of an IPv4 packet to judge whether the packet was generated by a legitimate peer neighbour, and thereby protects IP-based unicast routing protocols from attacks that consume resources. Because a neighbour sends protocol packets with TTL 255 and every router in between decrements the field by 1, a packet that has crossed more routers than the configured number of hops arrives with a TTL that is too low. When an attacker imitates a real routing protocol and sends a continuous stream of packets at a device, the device spends a large amount of CPU time processing the attack packets, so that genuine protocol packets cannot be processed.
Therefore, a packet security check scheme based on TTL is needed that accurately judges whether a packet was generated by a legitimate peer neighbour and avoids the resource consumption that results when the device is attacked.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to provide a packet security check method and a packet security check system based on TTL that can accurately judge whether a packet was generated by a legitimate peer neighbour and avoid the resource consumption caused when the device is attacked.
To achieve the above purposes, the technical scheme adopted by the invention is as follows. A packet security check method based on TTL comprises the following steps:
obtaining the legal hop count configured by the user and converting it into a range of legal TTL values;
calculating the masks of the corresponding Access Control List (ACL) rules from the TTL range;
when the device receives a packet from an adjacent device, judging from the ACL rule masks whether the packet matches an ACL rule; if so, the packet is judged legal and is passed on for processing; if not, the packet is judged illegal and discarded.
On the basis of the above technical scheme, the legal hop count is hops and the TTL range is (255 - hops, 255], i.e. TTL values from 256 - hops to 255 inclusive.
On the basis of the above technical scheme, judging from the ACL rule masks whether the packet matches an ACL rule comprises:
performing a bitwise AND of the TTL value of the received packet with each calculated mask; if for some mask the result equals that mask, the TTL value matches the ACL rule; otherwise it does not match.
On the basis of the above technical scheme, calculating the masks of the corresponding ACL rules from the TTL range comprises:
S31: setting ttl_min = 255 - hops, the lower end of the TTL range (ttl_min itself is the largest TTL value that is not legal), and writing ttl_min as an 8-bit binary number;
S32: scanning the binary number from its most significant bit (bit 7, whether or not it is 0) towards the least significant bit, finding the first bit that is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1 and every bit below it to 0, which forms one mask;
S33: continuing the scan below the current index, finding the next bit that is 0 and taking its index as the new current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1 and every bit below it to 0, which forms another mask;
S34: repeating step S33 until the least significant bit is reached; if that bit is 0, keeping the bits above it unchanged and setting it to 1 to form a final mask; if it is 1, ending the search. Each 0 bit of ttl_min thus yields exactly one mask. A TTL value matches the mask generated at index i exactly when it has every 1 bit of ttl_min above index i and has bit i set, which means it exceeds ttl_min; taken together, the masks therefore accept exactly the TTL values in (ttl_min, 255].
On the basis of the above technical scheme, the number of ACL rule masks calculated from the TTL range is at most 8, since an 8-bit ttl_min has at most eight 0 bits.
The invention also discloses a packet security check system based on TTL, which comprises:
a hop count conversion module, used to obtain the legal hop count configured by the user and convert it into a range of legal TTL values;
an ACL rule generating module, used to calculate the masks of the corresponding ACL rules from the TTL range;
an ACL rule checking module, used, when the device receives a packet from an adjacent device, to judge from the ACL rule masks whether the packet matches an ACL rule; if so, the packet is judged legal and is passed on for processing; if not, the packet is judged illegal and discarded.
On the basis of the above technical scheme, the legal hop count is hops and the TTL range is (255 - hops, 255], i.e. TTL values from 256 - hops to 255 inclusive.
On the basis of the above technical scheme, the process by which the ACL rule checking module judges from the ACL rule masks whether the packet matches an ACL rule comprises:
performing a bitwise AND of the TTL value of the received packet with each calculated mask; if for some mask the result equals that mask, the TTL value matches the ACL rule; otherwise it does not match.
On the basis of the above technical scheme, the process by which the ACL rule generating module calculates the masks of the ACL rules comprises:
S31: setting ttl_min = 255 - hops, the lower end of the TTL range (ttl_min itself is the largest TTL value that is not legal), and writing ttl_min as an 8-bit binary number;
S32: scanning the binary number from its most significant bit (bit 7, whether or not it is 0) towards the least significant bit, finding the first bit that is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1 and every bit below it to 0, which forms one mask;
S33: continuing the scan below the current index, finding the next bit that is 0 and taking its index as the new current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1 and every bit below it to 0, which forms another mask;
S34: repeating step S33 until the least significant bit is reached; if that bit is 0, keeping the bits above it unchanged and setting it to 1 to form a final mask; if it is 1, ending the search.
On the basis of the above technical scheme, the number of ACL rule masks calculated by the ACL rule generating module from the TTL range is at most 8.
Compared with the prior art, the invention has the advantages that:
The invention provides a packet security check method and system based on TTL. The legal hop count entered by the user is converted into a TTL range, the corresponding ACL rules are generated from that range, and every packet received by the local machine is checked against those rules: legal packets are passed on for processing and illegal packets are discarded directly. The device thereby judges accurately whether a packet was generated by a legitimate peer neighbour, protects IP-based unicast routing protocols from attacks that consume resources, and protects CPU resources. Converting the TTL range into ACL rules in this way keeps the number of ACL rule entries to a minimum, so the best check performance is obtained while the fewest hardware resources are occupied.
Drawings
Fig. 1 is a schematic flow chart of the packet security check method based on TTL in an embodiment of the invention;
Fig. 2 is a schematic flow chart of the calculation of the ACL rule masks in the packet security check method based on TTL in an embodiment of the invention;
Fig. 3 is a schematic structural diagram of the packet security check system based on TTL in an embodiment of the invention.
Detailed Description
Description of terms:
An Access Control List (ACL) is a set of filtering rules, also called a rule set. When defining a filtering rule, the user describes it in terms of the TTL value of the packet together with corresponding attributes such as the mask value, the input interface, the source or destination address, the protocol type and the source or destination port number, and specifies whether a matching packet is to be rejected or accepted. The system then classifies each packet arriving at the router according to the filtering rules and decides whether it is rejected or accepted. The ACL must be used together with a service to perform its packet-filtering function. The invention applies the ACL to the GTSM check mechanism: the validity of a packet's TTL is judged by defining ACL rules and performing the ACL check.
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Example 1:
Referring to Fig. 1, an embodiment of the invention provides a packet security check method based on TTL, comprising the following steps:
S1: obtaining the legal hop count configured by the user and converting it into a range of legal TTL values;
S2: calculating the masks of the corresponding ACL rules from the TTL range;
S3: when the device receives a packet from an adjacent device, judging from the ACL rule masks whether the packet matches an ACL rule; if so, the packet is judged legal and is passed on for processing; if not, the packet is judged illegal and discarded.
This embodiment provides a packet security check method based on TTL: the legal hop count entered by the user is converted into a TTL range, the masks of the corresponding ACL rules are calculated from that range, every packet received by the local machine is checked against the ACL rules, legal packets are passed up for processing and illegal packets are discarded directly, so that CPU resources are protected.
Example 2:
On the basis of Embodiment 1, the legal hop count is converted into a TTL range as follows: the legal hop count is hops and the TTL range is (255 - hops, 255]. For example, if the user configures the legal hop count hops = 40, the converted TTL range is (215, 255], i.e. TTL values 216 to 255.
Example 3:
On the basis of Embodiment 1, judging from the ACL rule masks whether the packet matches an ACL rule comprises:
performing a bitwise AND of the TTL value of the received packet with each calculated mask; if for some mask the result equals that mask, the TTL value matches the ACL rule; otherwise it does not match.
Example 4:
On the basis of Embodiment 3, the process of calculating the ACL rule masks from the TTL range (Fig. 2) comprises:
S31: setting ttl_min = 255 - hops, the lower end of the TTL range (ttl_min itself is the largest TTL value that is not legal), and writing ttl_min as an 8-bit binary number;
S32: scanning the binary number from its most significant bit (bit 7, whether or not it is 0) towards the least significant bit, finding the first bit that is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1 and every bit below it to 0, which forms one mask;
S33: continuing the scan below the current index, finding the next bit that is 0 and taking its index as the new current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1 and every bit below it to 0, which forms another mask;
S34: repeating step S33 until the least significant bit is reached; if that bit is 0, keeping the bits above it unchanged and setting it to 1 to form a final mask; if it is 1, ending the search. For the hop count hops = 40 of Embodiment 2, ttl_min = 215 = 11010111 in binary. Scanning from bit 7, the 0 bits are at index 5 and index 3. Index 5 gives the mask 11100000 (0xE0), which is matched by TTL values 224 to 255; index 3 gives the mask 11011000 (0xD8), which is matched by TTL values 216 to 223 (and by 248 to 255, already covered). The least significant bit is 1, so the search ends with two masks, which together accept exactly the TTL values 216 to 255, i.e. the range (215, 255].
Example 5:
On the basis of Embodiment 4, the number of ACL rule masks calculated from the TTL range is at most 8, one for each 0 bit of the 8-bit ttl_min.
Example 6:
Referring to Fig. 3, a packet security check system based on TTL comprises:
a hop count conversion module, used to obtain the legal hop count configured by the user and convert it into a range of legal TTL values;
an ACL rule generating module, used to calculate the masks of the corresponding ACL rules from the TTL range;
an ACL rule checking module, used, when the device receives a packet from an adjacent device, to judge from the ACL rule masks whether the packet matches an ACL rule; if so, the packet is judged legal and is passed on for processing; if not, the packet is judged illegal and discarded.
The legal hop count is hops and the TTL range is (255 - hops, 255], i.e. TTL values from 256 - hops to 255 inclusive.
The process by which the ACL rule checking module judges from the ACL rule masks whether the packet matches an ACL rule comprises:
performing a bitwise AND of the TTL value of the received packet with each calculated mask; if for some mask the result equals that mask, the TTL value matches the ACL rule; otherwise it does not match.
The process by which the ACL rule generating module calculates the ACL rule masks comprises the following steps:
S31: setting ttl_min = 255 - hops, the lower end of the TTL range (ttl_min itself is the largest TTL value that is not legal), and writing ttl_min as an 8-bit binary number;
S32: scanning the binary number from its most significant bit (bit 7, whether or not it is 0) towards the least significant bit, finding the first bit that is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1 and every bit below it to 0, which forms one mask;
S33: continuing the scan below the current index, finding the next bit that is 0 and taking its index as the new current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1 and every bit below it to 0, which forms another mask;
S34: repeating step S33 until the least significant bit is reached; if that bit is 0, keeping the bits above it unchanged and setting it to 1 to form a final mask; if it is 1, ending the search.
The number of ACL rule masks calculated by the ACL rule generating module from the TTL range is at most 8.
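The complete procedure of Embodiments 2 to 5 (hop count to TTL range, mask generation in steps S31 to S34, and the bitwise-AND check) in working code, as an added example written for this page rather than code from the patent. The function names, the use of C and the exhaustive self-check are the example's own; it assumes an 8-bit TTL field and a hop count in 1..255. It goes beyond the hops = 40 case of Embodiment 2 by checking, for every hop count from 1 to 255, that the generated rules accept exactly the TTL values in (255 - hops, 255] and that no more than 8 rules are ever needed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TTL_BITS 8
#define MAX_MASKS 8   /* one mask per 0 bit of an 8-bit ttl_min, so never more than 8 */

/* Step S1: convert the user-configured legal hop count into ttl_min = 255 - hops,
 * the lower end of the legal TTL range (255 - hops, 255]. ttl_min itself is the
 * largest TTL that is NOT legal. Returns -1 for a hop count outside 1..255. */
static int hops_to_ttl_min(int hops) {
    if (hops < 1 || hops > 255) return -1;
    return 255 - hops;
}

/* Steps S31 to S34: scan the 8-bit ttl_min from bit 7 down to bit 0 (leading
 * zeros included). Every 0 bit at index i yields one mask made of ttl_min's
 * bits above i, a 1 at bit i and zeros below i. Returns the number of masks
 * stored in out[] (at most MAX_MASKS). */
static size_t gen_ttl_masks(uint8_t ttl_min, uint8_t out[MAX_MASKS]) {
    size_t n = 0;
    for (int i = TTL_BITS - 1; i >= 0; i--) {
        if (ttl_min & (1u << i))
            continue;                                   /* a 1 bit produces no rule */
        unsigned high = ttl_min & (0xFFu << (i + 1));   /* bits above i, unchanged */
        out[n++] = (uint8_t)(high | (1u << i));         /* bit i set, lower bits 0 */
    }
    return n;
}

/* Accessor: the k-th generated mask for ttl_min, or -1 if there is no such mask. */
static int nth_mask(uint8_t ttl_min, size_t k) {
    uint8_t masks[MAX_MASKS];
    size_t n = gen_ttl_masks(ttl_min, masks);
    return k < n ? masks[k] : -1;
}

/* Step S3 / Embodiment 3: a packet is legal if its TTL ANDed with some rule mask
 * gives back that mask, i.e. every bit the rule requires is set in the TTL. */
static int ttl_is_legal(uint8_t ttl, const uint8_t *masks, size_t n) {
    for (size_t k = 0; k < n; k++)
        if ((ttl & masks[k]) == masks[k])
            return 1;
    return 0;
}

/* Exhaustive check for one hop count: the rules together must accept exactly
 * the 8-bit TTL values greater than ttl_min and reject every other value. */
static int verify_hops(int hops) {
    int ttl_min = hops_to_ttl_min(hops);
    if (ttl_min < 0) return 0;
    uint8_t masks[MAX_MASKS];
    size_t n = gen_ttl_masks((uint8_t)ttl_min, masks);
    for (int ttl = 0; ttl <= 255; ttl++) {
        int expect = ttl > ttl_min;
        if (ttl_is_legal((uint8_t)ttl, masks, n) != expect) return 0;
    }
    return 1;
}

/* Largest number of rules needed for any configurable hop count. */
static size_t max_masks_over_all_hops(void) {
    size_t worst = 0;
    for (int hops = 1; hops <= 255; hops++) {
        uint8_t masks[MAX_MASKS];
        size_t n = gen_ttl_masks((uint8_t)hops_to_ttl_min(hops), masks);
        if (n > worst) worst = n;
    }
    return worst;
}

int main(void) {
    int hops = 40;    /* the configuration used in Embodiment 2 of the description */
    int ttl_min = hops_to_ttl_min(hops);
    printf("hops=%d ttl_min=%d -> ACL rule mask(s):", hops, ttl_min);
    for (size_t k = 0; nth_mask((uint8_t)ttl_min, k) >= 0; k++)
        printf(" 0x%02X", nth_mask((uint8_t)ttl_min, k));
    printf("\nexhaustive check of (%d, 255]: %s\n", ttl_min, verify_hops(hops) ? "pass" : "FAIL");
    printf("worst case over hops 1..255: %zu masks\n", max_masks_over_all_hops());
    return 0;
}
```

For hops = 40 the program lists the two masks 0xE0 and 0xD8 from Embodiment 4 and reports that the exhaustive check passes; the worst case over all hop counts is 8 masks, reached when ttl_min = 0 (hops = 255) and every bit of ttl_min is 0. Scanning bit 7 even when it is 0 matters for hop counts of 128 and above: there ttl_min is below 128, and the rule generated at bit 7 (mask 0x80) is what accepts the TTL values 128 to 255.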
The present invention is not limited to the above-described embodiments, and it will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and such modifications and improvements are also considered to be within the scope of the present invention. Those not described in detail in this specification are within the skill of the art.