CN109274638A - A kind of method and router of attack source access automatic identification processing - Google Patents
- Publication number: CN109274638A (application CN201810494398.7A)
- Authority: CN (China)
- Prior art keywords: access device, router, attack source, attack, network
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
            - H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
            - H04L63/0263—Rule management
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
          - H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a method and a router for the automatic identification and handling of an attack-source access device. The method comprises: monitoring whether any access device is performing a network scan, an access device being a terminal device connected to the router; when an access device is performing a network scan, obtaining the identification information of the attack-source access device from the data packets that device sends, and determining the connection type between the attack-source access device and the router; when the attack-source access device is connected to the router by wire, performing a wired-network attack defence operation; and when the attack-source access device is connected to the router wirelessly, performing a wireless-network attack defence operation. The invention achieves automatic identification of the attack-source access device, resolves the network attack and improves network security.
Description
Technical field
The present invention relates to the field of network communication security, and in particular to a method and a router for the automatic identification and handling of an attack-source access device.
Background art
With the development of communication technology the internet has spread across the world and offers users a wide variety of network information services. At the same time, while routers are used to provide network connectivity, the network security problems that come with them are getting worse.
When someone wants to attack the wireless network they are connected to, they first scan that wireless network to find out which terminal devices are currently connected to it. Once the terminal devices have been found there are two attack patterns: 1. port-scanning the terminal devices one by one, checking whether each terminal device has open ports and then probing those ports for usable vulnerabilities; 2. carrying out a man-in-the-middle attack on the terminal devices, so that a terminal device mistakes the attack-source access device for the router and sends its packets to the attack-source access device. An ARP attack, for example, achieves ARP spoofing by forging IP and MAC addresses; it can generate a large amount of ARP traffic on the network and congest it, and as long as the attacker keeps sending forged ARP reply packets it can alter the IP-MAC entries in the target hosts' ARP caches, causing network interruption or a man-in-the-middle attack.
ARP attacks occur mainly on local area networks. If one host on the LAN is infected with an ARP trojan, the infected system will try to intercept the communications of the other computers on its network by means of ARP spoofing, and so cause communication failures for the other computers on the network.
Nmap is a network port scanning tool used to scan the open ports of computers on a network in order to determine which services are running on which ports and to infer which operating system a computer runs. Nmap is one of the tools a network administrator must use; a system administrator can use nmap to detect servers that are in use in the operational environment without approval. However, nmap is also a common attack tool for hackers and other illegitimate users, who can use it to collect the network configuration of a target computer and plan an attack. Identifying an ARP attack manually with nmap cannot recognise a network attack automatically and cannot name the attack-source access device; the attack-source access device can only be found by logging in to the router manually or by capturing packets. Automatic identification and suppression of the attack cannot be achieved, so many attacks go unnoticed until the user's personal data has already been stolen, which is a network security problem.
Summary of the invention
The object of the present invention is to provide a method and a router for the automatic identification and handling of an attack-source access device, so as to identify the attack-source access device automatically, resolve the network attack and improve network security.
Technical solution provided by the invention is as follows:
The present invention provides a method for the automatic identification and handling of an attack-source access device, comprising the steps of:
monitoring whether any access device is performing a network scan, the access device being a terminal device connected to a router;
when an access device is performing a network scan, obtaining the identification information of the attack-source access device from the data packets of that device, and determining the connection type between the attack-source access device and the router;
when the attack-source access device is connected to the router by wire, performing a wired-network attack defence operation;
when the attack-source access device is connected to the router wirelessly, performing a wireless-network attack defence operation.
Further, the step of performing a wired-network attack defence operation when the attack-source access device is connected to the router by wire comprises:
when the attack-source access device is connected to the router by wire, refusing to respond to the data packets of the attack-source access device;
and the step of performing a wireless-network attack defence operation when the attack-source access device is connected to the router wirelessly comprises:
when the attack-source access device is connected to the router wirelessly, disconnecting the wireless network connection with the attack-source access device and refusing the wireless access requests of the attack-source access device.
Further, after obtaining the identification information of the attack-source access device from its data packets and before determining the connection type between the attack-source access device and the router, the method comprises:
obtaining the first time of the n-th network scan and the second time of the (n+1)-th network scan, where n ≥ 0 and n ∈ N;
when the difference between the second time and the first time is greater than or equal to a preset time threshold, analysing the connection type between the attack-source access device and the router from the data packets of the attack-source access device;
when the difference between the second time and the first time is less than the preset time threshold, enabling a preset network defence operation.
Further, the step of performing the preset network defence operation when the difference between the second time and the first time is greater than or equal to the preset time threshold comprises the steps of:
binding the IP address and MAC address of the target access devices, a target access device being an access device that is not performing a network scan;
sending standard ARP data packets to all access devices at a preset interval;
enabling a preset firewall rule and a preset wireless-driver rule, and obtaining the access requests of new access devices;
according to the preset firewall rule, allowing responses to the data packets of the target access devices;
according to the preset wireless-driver rule, allowing the target access devices to connect;
when the number of said access requests within a preset time interval is less than a preset quantity threshold, disabling the preset network defence operation.
Further, the step of monitoring whether any access device is performing a network scan comprises the steps of:
obtaining, through the connection ports of the router, the data packets sent by the access devices;
parsing each data packet to obtain its attribute information and deriving packet-sending status information from the attribute information, the attribute information comprising time information, source identification information, destination identification information and port number, and the packet-sending status information comprising packet-sending frequency and/or packet-sending pattern;
when the packet-sending status information matches a preset network-scan packet-sending state, determining that the access device is performing a network scan.
The present invention also provides a router comprising a monitoring module, an analysis module and a control module, the monitoring module being connected to the analysis module and to the control module respectively;
the monitoring module monitors whether any access device is performing a network scan, the access device being a terminal device connected to the router;
when an access device is performing a network scan, the analysis module obtains the identification information of the attack-source access device from the data packets of that device and determines the connection type between the attack-source access device and the router;
when the attack-source access device is connected to the router by wire, the control module performs a wired-network attack defence operation; and when the attack-source access device is connected to the router wirelessly, the control module performs a wireless-network attack defence operation.
Further, the control module comprises a first control unit and a second control unit;
the first control unit, when the attack-source access device is connected to the router by wire, refuses to respond to the data packets of the attack-source access device;
the second control unit, when the attack-source access device is connected to the router wirelessly, disconnects the wireless network connection with the attack-source access device and refuses the wireless access requests of the attack-source access device.
Further, the router also comprises a time recording module, connected to the monitoring module and to the analysis module respectively;
the time recording module obtains the first time of the n-th network scan and the second time of the (n+1)-th network scan, where n ≥ 0 and n ∈ N;
when the difference between the second time and the first time is greater than or equal to a preset time threshold, the analysis module analyses the connection type between the attack-source access device and the router from the data packets of the attack-source access device;
when the difference between the second time and the first time is less than the preset time threshold, the control module enables a preset network defence operation.
Further, the control module also comprises a binding unit, a transmission unit, a processing unit and a third control unit, the transmission unit being connected to the binding unit and the processing unit being connected to the third control unit;
the binding unit binds the IP address and MAC address of the target access devices, a target access device being an access device that is not performing a network scan;
the transmission unit sends standard ARP data packets to all access devices at a preset interval;
the processing unit enables a preset firewall rule and a preset wireless-driver rule, and obtains the access requests of new access devices;
the third control unit, according to the preset firewall rule, allows responses to the data packets of the target access devices; according to the preset wireless-driver rule, allows the target access devices to connect; and when the number of said access requests within a preset time interval is less than a preset quantity threshold, disables the preset network defence operation.
Further, the monitoring module comprises:
an acquiring unit, which obtains, through the connection ports of the router, the data packets sent by the access devices;
a resolution unit, which parses each data packet to obtain its attribute information and derives packet-sending status information from the attribute information, the attribute information comprising time information, source identification information, destination identification information and port number, and the packet-sending status information comprising packet-sending frequency and/or packet-sending pattern;
a judging unit, which determines that the access device is performing a network scan when the packet-sending status information matches a preset network-scan packet-sending state.
The method and router for the automatic identification and handling of an attack-source access device provided by the invention can bring at least one of the following beneficial effects:
1) The invention monitors all access devices connected to the router continuously and in real time, so every access device on the router's network is monitored, no network attack is missed, and network security is improved.
2) By identifying the connection type between the attack-source access device and the router, the invention applies different defensive measures to cope with different kinds of network attack, identifies the attack-source access device automatically and handles it promptly, improving network security.
3) By enabling the preset network defence operation, the invention defends against network attacks launched by frequently changing the access device that performs the network scan, further increasing the accuracy of automatic identification of the attack-source access device and thus improving network security.
4) The invention obtains the identification information of the attack-source access device, so the user can trace the identity of the illegitimate user and the address from which the attack was made, which helps catch the illegitimate user and makes the existing security protection system safer and more complete.
Description of the drawings
The preferred embodiments are described below with reference to the drawings in a clear and understandable manner, further explaining the above characteristics, technical features, advantages and implementation of the method and router for the automatic identification and handling of an attack-source access device.
Fig. 1 is a flow chart of one embodiment of the method for the automatic identification and handling of an attack-source access device according to the present invention;
Fig. 2 is a flow chart of another embodiment of the method for the automatic identification and handling of an attack-source access device according to the present invention;
Fig. 3 is a flow chart of another embodiment of the method for the automatic identification and handling of an attack-source access device according to the present invention;
Fig. 4 is a flow chart of another embodiment of the method for the automatic identification and handling of an attack-source access device according to the present invention;
Fig. 5 is a structural schematic diagram of one embodiment of the router according to the present invention;
Fig. 6 is a structural schematic diagram of another embodiment of the router according to the present invention.
Specific embodiment
In order to explain the embodiments of the invention, or the technical solutions of the prior art, more clearly, specific embodiments of the invention are described below with reference to the drawings. Obviously, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings, and other embodiments, from these drawings without creative effort.
For simplicity, each figure schematically shows only the parts related to the invention and does not represent the actual structure of a product. In addition, where several components in a figure have the same structure or function, only one of them is drawn or labelled so as to keep the figure easy to understand. Herein, "one" does not only mean "only this one" but can also mean "more than one".
In a first embodiment of the invention, a method for the automatic identification and handling of an attack-source access device, as shown in Fig. 1, comprises:
monitoring whether any access device is performing a network scan, the access device being a terminal device connected to the router;
Specifically, a network scan may be an IP address scan, a port scan, an ARP scan, an ICMP scan or the like. The router monitors all access devices; access devices include but are not limited to terminal devices such as computers connected by wire and mobile phones or notebooks connected wirelessly. Whenever the router is powered on and operating it monitors all access devices connected to it continuously and in real time, so every access device on the router's network is monitored, no network attack is missed, and network security is improved.
when an access device is performing a network scan, obtaining the identification information of the attack-source access device from its data packets, and determining the connection type between the attack-source access device and the router;
Specifically, the router can track how it received each data packet: if the router obtained the data packets of the attack-source access device over the wireless network, it determines that the attack-source access device is currently connected to the router wirelessly; if the router obtained them over the wired network, it determines that the attack-source access device is currently connected to the router by wire. In this way the connection type between the attack-source access device and the router is distinguished.
when the attack-source access device is connected to the router by wire, performing a wired-network attack defence operation;
when the attack-source access device is connected to the router wirelessly, performing a wireless-network attack defence operation.
Specifically, routers currently on the market cannot automatically identify the related network attacks, so once a terminal device is connected to the router it is easy for an attack-source access device to carry out a network attack, allowing hackers and other offenders to intercept user information and steal the user's property. By identifying the connection type between the attack-source access device and the router, the invention applies different defensive measures to cope with different kinds of network attack: when the attack-source access device is connected to the router by wire, the wired-network attack defence operation is performed; when it is connected wirelessly, the wireless-network attack defence operation is performed. This prevents an attack-source access device that has joined the router by wire or wirelessly from illegitimately impersonating the router over its wired or wireless link and intercepting the personal information of the router's other, legitimate access devices. The attack-source access device is identified automatically and handled promptly; the user no longer needs nmap to obtain information about the access devices connected to the router and compare each one against a preset whitelist to judge whether there is a network attack. The attack-source access device is monitored and handled in real time, the cost of manual maintenance is reduced, and network security is improved.
A second embodiment of the invention, shown in Fig. 2, is a preferred implementation of the first embodiment. Compared with the first embodiment, the main improvement is that the step of performing a wired-network attack defence operation when the attack-source access device is connected to the router by wire comprises: when the attack-source access device is connected to the router by wire, refusing to respond to the data packets of the attack-source access device.
Specifically, when the attack-source access device is connected to the router by wire, the router refuses to respond to the data packets of the attack-source access device; it can further capture the data packets of the attack-source access device, so as to prevent that device's data packets from being disguised as legitimate ARP data packets from the router. This ensures that the other access devices are not affected by ARP spoofing or ARP attacks and keeps the network clear and communication secure.
The step of performing a wireless-network attack defence operation when the attack-source access device is connected to the router wirelessly comprises: when the attack-source access device is connected to the router wirelessly, disconnecting the wireless network connection with the attack-source access device and refusing the wireless access requests of the attack-source access device.
Specifically, when the attack-source access device is connected to the router wirelessly, the router immediately disconnects the wireless network connection with the attack-source access device, forbids the attack-source access device from connecting to the router's wireless network and, for as long as a network scan is judged to be in progress, refuses all wireless access requests from attack-source access devices. This prevents that device's data packets from being disguised as legitimate ARP data packets from the router, ensures that the other access devices are not affected by ARP spoofing or ARP attacks, and keeps the network clear and communication secure.
A third embodiment of the invention is a preferred implementation of the first or second embodiment. Compared with the first embodiment, the main improvement is that, after obtaining the identification information of the attack-source access device from its data packets and before determining the connection type between the attack-source access device and the router, the method comprises:
obtaining the first time of the n-th network scan and the second time of the (n+1)-th network scan, where n ≥ 0 and n ∈ N;
when the difference between the second time and the first time is greater than or equal to a preset time threshold, analysing the connection type between the attack-source access device and the router from the data packets of the attack-source access device;
when the difference between the second time and the first time is less than the preset time threshold, enabling a preset network defence operation.
Specifically, once the analysis above has determined that an access device is performing a network scan, the identification information of the attack-source access device that launched the scan in order to attack the network is located and the appropriate defence operation is applied against its attack. However, some illegitimate persons use access devices with different IP addresses or MAC addresses to launch network scans and attacks frequently. In that case, when the illegitimate person keeps switching to a new access device as the new attack source, merely refusing to respond to the current attack-source access device when it is connected by wire, or disconnecting and blocking it when it is connected wirelessly, cannot keep the network secure. The time of each network scan by an attack-source access device is therefore recorded. When the difference between the first time T1 of the n-th network scan and the second time T2 of the (n+1)-th network scan, i.e. the value of T2-T1, is less than the preset time threshold, it is judged that the illegitimate user is frequently changing access devices to launch network scans and attacks, and the preset network defence operation is enabled in order to defend against attacks launched by frequently changing the scanning device. This further increases the accuracy of automatic identification of the attack-source access device and thus improves network security.
Otherwise, when the difference between the first time T1 of the n-th network scan and the second time T2 of the (n+1)-th network scan, i.e. the value of T2-T1, is greater than or equal to the preset time threshold, the connection type between the attack-source access device and the router is analysed from the data packets of the attack-source access device. This indicates that the illegitimate user is probably not switching access devices frequently to attack the network, and the ordinary wired-network or wireless-network attack defence operation is sufficient to stop the network attack of the attack-source access device.
A fourth embodiment of the invention is a preferred implementation of the third embodiment. Compared with the third embodiment, the main improvement is that the step of performing the preset network defence operation when the difference between the second time and the first time is greater than or equal to the preset time threshold comprises the steps of:
binding the IP address and MAC address of the target access devices, a target access device being an access device that is not performing a network scan;
sending standard ARP data packets to all access devices at a preset interval;
enabling a preset firewall rule and a preset wireless-driver rule, and obtaining the access requests of new access devices;
according to the preset firewall rule, allowing responses to the data packets of the target access devices;
according to the preset wireless-driver rule, allowing the target access devices to connect;
when the number of said access requests within a preset time interval is less than a preset quantity threshold, disabling the preset network defence operation.
Specifically, when an access device is once again detected performing a network scan and the difference between the time of the current network scan and the time of the previous network scan is less than the preset time threshold, the router switches to protected mode, i.e. performs the preset network defence operation: 1. binding the IP address and MAC address of the target access devices; 2. sending standard ARP data packets, i.e. gratuitous ARP packets, to all access devices at the preset interval; 3. enabling the preset firewall rule, so that the router responds only to the data packets of target access devices connected by wire; 4. enabling the preset wireless-driver rule, so that only target access devices are allowed to join the router's wireless network; 5. obtaining the access requests of new access devices. Steps 2, 3 and 4 have no fixed order: they may be performed simultaneously or one after another in any order.
After the preset network defence operation has been enabled, the router continually checks whether there are access requests from new access devices, counts the number of such requests within the preset time interval and judges whether that number is less than the preset quantity threshold. If it is greater than or equal to the threshold, the illegitimate user is probably no longer switching access devices frequently to attack the network, and the preset network defence operation is disabled: the IP/MAC bindings are released, the broadcast of gratuitous ARP packets is stopped, the preset firewall rule is disabled so that only the data packets of the original access devices are responded to, the preset wireless-driver rule is disabled so that any access device may connect wirelessly, and the recording of new access devices' access requests is stopped. In this way the router returns to normal automatically after the attack-source access device disappears, without manual intervention, and the router's network functions can be used normally.
In the present invention the router monitors in real time whether a connected terminal begins to send attack traffic or to scan the network, and automatically identifies the attack-source access device. On detecting an attack it quickly locks the identification information (IP address or MAC address) of the attack-source access device and, based on that identification information, disconnects the network connection between the attack-source access device and the router. This ensures that the other access devices connected to the router continue to operate normally, protects their network security, and improves the ability to defend against network scans by an attack-source access device.
The fifth embodiment of the invention, shown in figure 3, is a preferred form of the first embodiment. Compared with the first embodiment, its main improvement is that the step of monitoring whether an access device performs a network scan comprises:
obtaining, through the router's connection ports, the packets sent by access devices;
parsing each packet to obtain its attribute information, and deriving packet-sending state information from that attribute information; the attribute information includes time information, source identification information, destination identification information and port number, and the packet-sending state information includes packet-sending frequency and/or packet-sending pattern;
when the packet-sending state information matches a preset network-scan packet-sending state, determining that the access device is performing a network scan.
Specifically, the router obtains the packets sent by all access devices and parses each packet to obtain its attribute information. It analyses the time information, the source identification information (source MAC address and/or source IP address), the destination identification information (destination MAC address and/or destination IP address) and the port number in that attribute information to obtain the packet-sending state information of each access device; when the packet-sending state information matches a preset network-scan packet-sending state, the current access device is determined to be performing a network scan.
For example, the following methods may be used to determine that the current access device is performing a network scan, without being limited to them:
judging whether the number of packets sent from a source IP address is excessively high; if so, the current access device is performing a network scan;
judging whether packets with the same source IP address are sent to multiple different local IP addresses in the same local area network; if so, the current access device is performing a network scan;
judging whether packets with the same source IP address are sent to the same destination IP address with port numbers following a pattern, running from 1 to 65535; if so, the current access device is performing a network scan;
judging whether, among the ARP messages in the packets, the same MAC address sends ARP messages to multiple different MAC addresses in the network; if so, the current access device is performing a network scan;
judging whether, among the ICMP packets, the destination IP address is a local IP address and the destination IP addresses follow a pattern, running from 1 to 253; if so, the current access device is performing a network scan.
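The five decision rules above, written out as an added detection example in Python; this is not code from the patent. It runs over constructed packet attribute records of the kind the fifth embodiment describes (time, source and destination MAC/IP, port number) and returns the identification information (source IP or source MAC) of every device that matches a rule. The local subnet 192.168.1.0/24, the thresholds, the record layout and the traffic sample are all assumptions. The ARP rule counts the distinct targets queried from one source MAC, since ARP requests all carry the broadcast destination MAC; that is one reading of the patent's "multiple different MAC addresses".

```python
"""Added example: heuristic network-scan detection over packet attribute records.
Not code from the patent. Subnet, thresholds, record layout and the traffic
sample are assumptions chosen to illustrate the five rules."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set

LOCAL_NET = ip_network("192.168.1.0/24")   # assumed local subnet

# Assumed thresholds; the patent only speaks of "excessively high" and "multiple".
RATE_WINDOW_S = 1.0        # rule 1: sliding window length
RATE_THRESHOLD = 30        # rule 1: packets per source IP per window
SWEEP_MIN_HOSTS = 8        # rule 2: distinct local destination IPs per source IP
PORTSCAN_MIN_RUN = 10      # rule 3: length of a climbing port run to one destination
ARP_MIN_TARGETS = 8        # rule 4: distinct ARP targets per source MAC
ICMP_MIN_HOSTS = 8         # rule 5: distinct local hosts pinged (last octet 1..253)


@dataclass(frozen=True)
class Packet:
    ts: float                     # time information
    proto: str                    # "tcp", "udp", "icmp" or "arp"
    src_mac: str                  # source identification information
    src_ip: str
    dst_mac: str                  # destination identification information
    dst_ip: str
    dport: Optional[int] = None   # port number (transport protocols only)


def group_by(packets: List[Packet], key: Callable) -> Dict:
    groups = defaultdict(list)
    for p in packets:
        groups[key(p)].append(p)
    return groups


def is_local(ip: str) -> bool:
    return ip_address(ip) in LOCAL_NET


def rate_scanners(packets: List[Packet]) -> Set[str]:
    """Rule 1: a source IP exceeding RATE_THRESHOLD packets in any RATE_WINDOW_S window."""
    hits = set()
    for src, pkts in group_by(packets, lambda p: p.src_ip).items():
        ts, lo = sorted(p.ts for p in pkts), 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > RATE_WINDOW_S:
                lo += 1
            if hi - lo + 1 > RATE_THRESHOLD:
                hits.add(src)
                break
    return hits


def ip_sweep_scanners(packets: List[Packet]) -> Set[str]:
    """Rule 2: one source IP sending IP packets to many distinct local IPs."""
    hits = set()
    ip_pkts = [p for p in packets if p.proto != "arp"]
    for src, pkts in group_by(ip_pkts, lambda p: p.src_ip).items():
        if len({p.dst_ip for p in pkts if is_local(p.dst_ip)}) >= SWEEP_MIN_HOSTS:
            hits.add(src)
    return hits


def port_scanners(packets: List[Packet]) -> Set[str]:
    """Rule 3: one source to one destination with ports climbing in arrival order (1..65535)."""
    hits = set()
    for (src, _dst), pkts in group_by(packets, lambda p: (p.src_ip, p.dst_ip)).items():
        ports = [p.dport for p in sorted(pkts, key=lambda p: p.ts) if p.dport is not None]
        run = best = 1 if ports else 0
        for prev, cur in zip(ports, ports[1:]):
            run = run + 1 if cur > prev else 1
            best = max(best, run)
        if best >= PORTSCAN_MIN_RUN:
            hits.add(src)
    return hits


def arp_scanners(packets: List[Packet]) -> Set[str]:
    """Rule 4: one source MAC probing many ARP targets (counted by target IP, as requests are broadcast)."""
    hits = set()
    arp = [p for p in packets if p.proto == "arp"]
    for mac, pkts in group_by(arp, lambda p: p.src_mac).items():
        if len({p.dst_ip for p in pkts}) >= ARP_MIN_TARGETS:
            hits.add(mac)
    return hits


def icmp_sweep_scanners(packets: List[Packet]) -> Set[str]:
    """Rule 5: ICMP to many distinct local hosts whose last octet lies in 1..253."""
    hits = set()
    icmp = [p for p in packets if p.proto == "icmp" and is_local(p.dst_ip)]
    for src, pkts in group_by(icmp, lambda p: p.src_ip).items():
        octets = {int(p.dst_ip.rsplit(".", 1)[1]) for p in pkts}
        if len([o for o in octets if 1 <= o <= 253]) >= ICMP_MIN_HOSTS:
            hits.add(src)
    return hits


def detect_scanners(packets: List[Packet]) -> Dict[str, Set[str]]:
    """Identification information of scanning devices: IPs from rules 1/2/3/5, MACs from rule 4."""
    packets = list(packets)
    ips = rate_scanners(packets) | ip_sweep_scanners(packets) | port_scanners(packets) | icmp_sweep_scanners(packets)
    return {"ip": ips, "mac": arp_scanners(packets)}


def constructed_sample() -> List[Packet]:
    """Constructed traffic: a normal host, a port scanner, an ICMP sweeper, an ARP scanner and a flooder."""
    gw_mac, gw_ip, bcast = "02:00:00:00:00:01", "192.168.1.1", "ff:ff:ff:ff:ff:ff"
    pkts = [Packet(i * 2.0, "tcp", "02:00:00:00:00:20", "192.168.1.20", gw_mac, gw_ip, 443) for i in range(5)]
    pkts += [Packet(100 + k * 0.05, "tcp", "02:00:00:00:00:50", "192.168.1.50", gw_mac, gw_ip, k) for k in range(1, 41)]
    pkts += [Packet(200 + h * 0.5, "icmp", "02:00:00:00:00:60", "192.168.1.60", f"02:00:00:00:00:{h:02x}", f"192.168.1.{h}") for h in range(1, 31)]
    pkts += [Packet(300 + h * 0.5, "arp", "02:00:00:00:00:70", "192.168.1.70", bcast, f"192.168.1.{h}") for h in range(1, 21)]
    pkts += [Packet(400 + i * 0.01, "udp", "02:00:00:00:00:80", "192.168.1.80", gw_mac, gw_ip, 53) for i in range(50)]
    return pkts


if __name__ == "__main__":
    print(detect_scanners(constructed_sample()))
```

On the constructed sample the normal host 192.168.1.20 triggers nothing, the port scanner is caught by rule 3 alone (its 40 packets spread over two seconds stay under the rate threshold), the ICMP sweeper is caught by rules 2 and 5, the ARP scanner only by rule 4 (returned as a MAC, since ARP carries no trustworthy source IP), and the flooder only by rule 1. The thresholds are where false positives live in practice: a legitimate device fetching a large page can exceed a low rate threshold, so they should be tuned per deployment.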
The present invention can detect and judge all network scanning behaviour in real time. The preset packet-sending state may be the packet-sending state corresponding to known network scan attacks, or a new preset packet-sending state may be obtained by training a neural-network model on the packet-sending states corresponding to known network scan attacks. This improves the accuracy of monitoring whether an access device performs a network scan and raises the level of network security protection.
Based on the above embodiments, a concrete example, shown in figure 4, comprises the following steps:
The router monitors all connected terminal devices and checks whether any device is performing a network scan (IP address scan, port scan, ARP scan, ICMP scan, etc.).
When a network scan is found, the router obtains the IP address and MAC address of the attack-source access device performing the scan. When none is found, monitoring continues.
The router judges whether the difference between the time of the previous network scan and the time of this network scan is less than the preset duration (for example 5 min).
If the difference between the previous scan time and this scan time is less than the preset duration, the router switches to protected mode, that is, the preset network defence operation. After switching, the router judges whether the number of requests from new access devices within the preset time interval is less than the preset number, for example whether there is less than 1 new access device request within 5 minutes; if so, the router closes protected mode.
If the difference between the previous scan time and this scan time is greater than or equal to the preset duration, the router checks whether the attack-source access device is connected by wire or wirelessly.
When the attack-source access device is connected by wire, the router rejects all packets from the attack-source access device by means of an iptables rule.
When the attack-source access device is connected wirelessly, the router disconnects the wireless connection with the attack-source access device through the wireless driver, rejects the wireless access requests sent by the attack-source access device, and forbids the attack-source access device from joining the router's wireless network.
The router of the present invention monitors in real time whether a connected terminal begins to send attack traffic or to scan the network, automatically identifies the attack-source access device and disconnects the network connection between the attack-source access device and the router, ensuring that the other access devices connected to the router operate normally and improving the network security of access devices.
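The decision flow of figure 4 together with the protected-mode steps described earlier (enter protected mode on a repeat scan within the preset duration; otherwise isolate the single scanner by wire or wirelessly; leave protected mode once new-device requests within an interval fall below the threshold), as an added example in Python that is not the patent's code. Enforcement is returned as action tuples instead of being executed, so the state machine can be traced and unit-tested; a real router would map "iptables_drop" to an iptables rule and the "wifi_*" actions to wireless-driver calls. The 5-minute durations, the threshold of 1 request, the treatment of the very first scan as the "isolate" branch, the device names and the run_scenario trace are all assumptions.

```python
"""Added example: router response state machine for a detected scanner.
Not the patent's code. Enforcement is returned as action tuples instead of
being executed; durations, thresholds and device names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Action = Tuple[str, ...]


@dataclass
class ScanResponder:
    scan_gap_s: float = 300.0       # preset duration between two scans (assumed 5 min)
    interval_s: float = 300.0       # preset interval for counting new-device requests
    max_new_requests: int = 1       # preset quantity threshold (assumed 1)
    last_scan_ts: Optional[float] = None
    protected: bool = False
    interval_start: float = 0.0
    new_requests: int = 0
    # target access devices (those not scanning): MAC -> IP, the pairs bound in protected mode
    known_devices: Dict[str, str] = field(default_factory=dict)

    def on_scan_detected(self, ts: float, attacker_ip: str, attacker_mac: str, wired: bool) -> List[Action]:
        """Figure 4 decision: repeat scan within scan_gap_s -> protected mode; otherwise isolate the scanner."""
        gap = None if self.last_scan_ts is None else ts - self.last_scan_ts
        self.last_scan_ts = ts
        self.known_devices.pop(attacker_mac, None)   # a scanning device is no longer a target device
        if gap is not None and gap < self.scan_gap_s:
            return self._enter_protected_mode(ts)
        # first scan (assumed to take this branch) or scans far apart: act on this device only
        if wired:
            return [("iptables_drop", attacker_mac, attacker_ip)]               # refuse all its packets
        return [("wifi_disconnect", attacker_mac), ("wifi_deny", attacker_mac)]  # drop it, refuse reassociation

    def _enter_protected_mode(self, ts: float) -> List[Action]:
        if self.protected:
            return []
        self.protected, self.interval_start, self.new_requests = True, ts, 0
        actions = [("bind_ip_mac", mac, ip) for mac, ip in sorted(self.known_devices.items())]
        actions.append(("gratuitous_arp_periodic", "on"))   # standard ARP packet to all devices every preset duration
        actions.append(("firewall_whitelist", "on"))        # respond only to bound wired targets
        actions.append(("wireless_whitelist", "on"))        # admit only bound wireless targets
        return actions

    def on_access_request(self, ts: float, mac: str, ip: str) -> Action:
        """A device asks to join: known targets are served; new devices are counted and refused while protected."""
        if mac in self.known_devices:
            return ("allow", mac)
        if self.protected:
            self.new_requests += 1
            return ("deny", mac)
        self.known_devices[mac] = ip
        return ("allow", mac)

    def evaluate_interval(self, ts: float) -> List[Action]:
        """Run once per preset interval; leaves protected mode when new-device requests fall below the threshold."""
        if not self.protected or ts - self.interval_start < self.interval_s:
            return []
        count, self.new_requests, self.interval_start = self.new_requests, 0, ts
        if count >= self.max_new_requests:
            return []   # an attacker may be rotating devices: stay protected
        self.protected = False
        return [("unbind_ip_mac", "all"), ("gratuitous_arp_periodic", "off"),
                ("firewall_whitelist", "off"), ("wireless_whitelist", "off")]


def run_scenario() -> Dict[str, object]:
    """Constructed trace: two normal devices, an isolated wired scanner, an isolated wireless
    scanner, then a repeat scan that triggers protected mode, which closes after one quiet interval."""
    r = ScanResponder()
    r.on_access_request(0.0, "mac-a", "192.168.1.20")
    r.on_access_request(0.0, "mac-b", "192.168.1.21")
    trace: Dict[str, object] = {}
    trace["wired"] = r.on_scan_detected(100.0, "192.168.1.50", "mac-x", wired=True)
    trace["wireless"] = r.on_scan_detected(1000.0, "192.168.1.51", "mac-y", wired=False)  # 900 s later
    trace["repeat"] = r.on_scan_detected(1100.0, "192.168.1.52", "mac-z", wired=False)    # 100 s later
    trace["denied"] = r.on_access_request(1150.0, "mac-n", "192.168.1.53")
    trace["still_protected"] = r.evaluate_interval(1400.0)   # one new request: threshold not undercut
    trace["closed"] = r.evaluate_interval(1700.0)            # zero new requests: defence closed
    trace["protected"] = r.protected
    return trace


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, result)
```

The point the trace makes is the one the description relies on: a single scanner is cut off individually, but a scanner that reappears within the preset duration (likely a rotating attacker) flips the router into a whitelist posture for every known device, and that posture is only relaxed after an interval in which fewer new devices than the threshold tried to join. Anyone deploying this should watch the interval evaluation for a lock-in effect: with a busy guest network, legitimate newcomers keep the count at or above the threshold and protected mode never closes.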
The sixth embodiment of the invention is a router, shown in figure 5, comprising a monitoring module 100, an analysis module 200 and a control module 300; the monitoring module 100 is connected to the analysis module 200 and to the control module 300.
The monitoring module 100 monitors whether an access device performs a network scan; the access device is a terminal device connected to the router.
When an access device performs a network scan, the analysis module 200 obtains, from the packets of the attack-source access device, the identification information of the attack-source access device, and obtains the connection type between the attack-source access device and the router.
When the attack-source access device is connected to the router by wire, the control module 300 executes a wired-network attack defence operation; when the attack-source access device is connected to the router wirelessly, the control module 300 executes a wireless-network attack defence operation.
Specifically, this embodiment is the apparatus embodiment corresponding to the method embodiment above; for its effects refer to the first embodiment, which is not repeated here.
The seventh embodiment of the invention, shown in figure 5, is a preferred form of the sixth embodiment. Compared with the sixth embodiment, its main improvement is that the control module 300 comprises a first control unit 310 and a second control unit 320.
The first control unit 310, when the attack-source access device is connected to the router by wire, refuses to respond to the packets of the attack-source access device.
The second control unit 320, when the attack-source access device is connected to the router wirelessly, disconnects the wireless network connection with the attack-source access device and refuses the wireless access requests of the attack-source access device.
Specifically, this embodiment is the apparatus embodiment corresponding to the method embodiment above; for its effects refer to the second embodiment, which is not repeated here.
The eighth embodiment of the invention is a preferred form of the sixth or seventh embodiment. Compared with the sixth or seventh embodiment, its main improvement is that the router further comprises a time recording module, connected to the monitoring module 100 and to the analysis module 200.
The time recording module obtains the first time of the n-th network scan and the second time of the (n+1)-th network scan, n ≥ 0 and n ∈ N.
When the time difference between the second time and the first time is greater than or equal to the preset time threshold, the analysis module 200 analyses the connection type between the attack-source access device and the router from the packets of the attack-source access device.
When the time difference between the second time and the first time is less than the preset time threshold, the control module 300 enables the preset network defence operation.
Specifically, this embodiment is the apparatus embodiment corresponding to the method embodiment above; for its effects refer to the third embodiment, which is not repeated here.
The ninth embodiment of the invention is a preferred form of the eighth embodiment. Compared with the eighth embodiment, its main improvement is that the control module 300 further comprises a binding unit, a transmission unit, a processing unit and a third control unit; the transmission unit is connected to the binding unit, and the processing unit is connected to the third control unit.
The binding unit binds the IP address and MAC address of each target access device; a target access device is an access device that is not performing a network scan.
The transmission unit sends a standard ARP packet to all access devices every preset duration.
The processing unit enables the preset firewall rule and the preset wireless driver rule, and obtains the access requests of new access devices.
The third control unit allows, according to the preset firewall rule, responses to the packets of the target access devices; allows, according to the preset wireless driver rule, the target access devices to access; and closes the preset network defence operation when the number of those access requests within the preset time interval is less than the preset quantity threshold.
Specifically, this embodiment is the apparatus embodiment corresponding to the method embodiment above; for its effects refer to the first embodiment, which is not repeated here.
The tenth embodiment of the invention is a preferred form of the sixth embodiment. Compared with the sixth embodiment, its main improvement is that the monitoring module 100 comprises:
an acquiring unit, which obtains, through the router's connection ports, the packets sent by access devices;
a parsing unit, which parses each packet to obtain its attribute information and derives packet-sending state information from that attribute information; the attribute information includes time information, source identification information, destination identification information and port number, and the packet-sending state information includes packet-sending frequency and/or packet-sending pattern;
a judging unit, which determines that the access device is performing a network scan when the packet-sending state information matches a preset network-scan packet-sending state.
Specifically, this embodiment is the apparatus embodiment corresponding to the method embodiment above; for its effects refer to the first embodiment, which is not repeated here.
It should be noted that the above embodiments may be freely combined as needed. The above are only preferred embodiments of the invention; those skilled in the art may make further improvements and modifications without departing from the principle of the invention, and such improvements and modifications are also regarded as falling within the scope of protection of the invention.
Claims (10)
1. A method of automatic identification and handling of attack-source access, characterized in that it comprises the steps of:
monitoring whether an access device performs a network scan, the access device being a terminal device connected to a router;
when an access device performs a network scan, obtaining, from the packets of the attack-source access device, the identification information of the attack-source access device, and obtaining the connection type between the attack-source access device and the router;
when the attack-source access device and the router are connected by wire, executing a wired-network attack defence operation;
when the attack-source access device and the router are connected wirelessly, executing a wireless-network attack defence operation.
2. The method of automatic identification and handling of attack-source access according to claim 1, characterized in that executing the wired-network attack defence operation when the attack-source access device and the router are connected by wire comprises:
when the attack-source access device and the router are connected by wire, refusing to respond to the packets of the attack-source access device;
and executing the wireless-network attack defence operation when the attack-source access device and the router are connected wirelessly comprises:
when the attack-source access device and the router are connected wirelessly, disconnecting the wireless network connection with the attack-source access device and refusing the wireless access requests of the attack-source access device.
3. The method of automatic identification and handling of attack-source access according to claim 1 or 2, characterized in that, after obtaining the identification information of the attack-source access device from the packets of the attack-source access device, and before obtaining the connection type between the attack-source access device and the router, the method comprises:
obtaining a first time of the n-th network scan and a second time of the (n+1)-th network scan, n ≥ 0 and n ∈ N;
when the time difference between the second time and the first time is greater than or equal to a preset time threshold, analysing the connection type between the attack-source access device and the router from the packets of the attack-source access device;
when the time difference between the second time and the first time is less than the preset time threshold, enabling a preset network defence operation.
4. The method of automatic identification and handling of attack-source access according to claim 3, characterized in that executing the preset network defence operation when the time difference between the second time and the first time is greater than or equal to the preset time threshold comprises the steps of:
binding the IP address and MAC address of each target access device, a target access device being an access device that is not performing a network scan;
sending a standard ARP packet to all access devices every preset duration;
enabling a preset firewall rule and a preset wireless driver rule, and obtaining the access requests of new access devices;
according to the preset firewall rule, allowing responses to the packets of the target access devices;
according to the preset wireless driver rule, allowing the target access devices to access;
when the number of said access requests within a preset time interval is less than a preset quantity threshold, closing the preset network defence operation.
5. The method of automatic identification and handling of attack-source access according to claim 1, characterized in that monitoring whether an access device performs a network scan comprises the steps of:
obtaining, through the router's connection ports, the packets sent by access devices;
parsing each packet to obtain its attribute information, and deriving packet-sending state information from that attribute information; the attribute information includes time information, source identification information, destination identification information and port number; the packet-sending state information includes packet-sending frequency and/or packet-sending pattern;
when the packet-sending state information matches a preset network-scan packet-sending state, determining that the access device is performing a network scan.
6. A router, characterized in that it comprises a monitoring module, an analysis module and a control module; the monitoring module is connected to the analysis module and to the control module;
the monitoring module monitors whether an access device performs a network scan, the access device being a terminal device connected to the router;
when an access device performs a network scan, the analysis module obtains, from the packets of the attack-source access device, the identification information of the attack-source access device, and obtains the connection type between the attack-source access device and the router;
when the attack-source access device and the router are connected by wire, the control module executes a wired-network attack defence operation; when the attack-source access device and the router are connected wirelessly, the control module executes a wireless-network attack defence operation.
7. The router according to claim 6, characterized in that the control module comprises a first control unit and a second control unit;
the first control unit, when the attack-source access device and the router are connected by wire, refuses to respond to the packets of the attack-source access device;
the second control unit, when the attack-source access device and the router are connected wirelessly, disconnects the wireless network connection with the attack-source access device and refuses the wireless access requests of the attack-source access device.
8. The router according to claim 6 or 7, characterized in that it further comprises a time recording module, connected to the monitoring module and to the analysis module;
the time recording module obtains a first time of the n-th network scan and a second time of the (n+1)-th network scan, n ≥ 0 and n ∈ N;
when the time difference between the second time and the first time is greater than or equal to a preset time threshold, the analysis module analyses the connection type between the attack-source access device and the router from the packets of the attack-source access device;
when the time difference between the second time and the first time is less than the preset time threshold, the control module enables a preset network defence operation.
9. The router according to claim 8, characterized in that the control module further comprises a binding unit, a transmission unit, a processing unit and a third control unit; the transmission unit is connected to the binding unit, and the processing unit is connected to the third control unit;
the binding unit binds the IP address and MAC address of each target access device, a target access device being an access device that is not performing a network scan;
the transmission unit sends a standard ARP packet to all access devices every preset duration;
the processing unit enables a preset firewall rule and a preset wireless driver rule, and obtains the access requests of new access devices;
the third control unit allows, according to the preset firewall rule, responses to the packets of the target access devices; allows, according to the preset wireless driver rule, the target access devices to access; and closes the preset network defence operation when the number of said access requests within a preset time interval is less than a preset quantity threshold.
10. The router according to claim 6, characterized in that the monitoring module comprises:
an acquiring unit, which obtains, through the router's connection ports, the packets sent by access devices;
a parsing unit, which parses each packet to obtain its attribute information and derives packet-sending state information from that attribute information; the attribute information includes time information, source identification information, destination identification information and port number; the packet-sending state information includes packet-sending frequency and/or packet-sending pattern;
a judging unit, which determines that the access device is performing a network scan when the packet-sending state information matches a preset network-scan packet-sending state.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810494398.7A CN109274638A (en) | 2018-05-22 | 2018-05-22 | A kind of method and router of attack source access automatic identification processing |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109274638A true CN109274638A (en) | 2019-01-25 |
Family
ID=65152849
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810494398.7A Pending CN109274638A (en) | 2018-05-22 | 2018-05-22 | A kind of method and router of attack source access automatic identification processing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109274638A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111092790A (en) * | 2019-12-19 | 2020-05-01 | 国网山东省电力公司泰安供电公司 | Power distribution terminal network stability testing method, system, terminal and storage medium |
CN113285919A (en) * | 2021-04-14 | 2021-08-20 | 上海瀚银信息技术有限公司 | Automatic protection method and system for website |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101247217A (en) * | 2008-03-17 | 2008-08-20 | 北京星网锐捷网络技术有限公司 | Method, unit and system for preventing address resolution protocol flux attack |
US20130336326A1 (en) * | 2007-07-20 | 2013-12-19 | Huawei Technologies Co., Ltd. | Arp packet processing method, communication system and device |
CN105279437A (en) * | 2014-06-20 | 2016-01-27 | 北京奇虎科技有限公司 | Method and device for website scanning control |
CN105577608A (en) * | 2014-10-08 | 2016-05-11 | 腾讯科技(深圳)有限公司 | Network attack behavior detection method and network attack behavior detection device |
CN105721427A (en) * | 2016-01-14 | 2016-06-29 | 湖南大学 | Method for mining attack frequent sequence mode from Web log |
CN106027559A (en) * | 2016-07-05 | 2016-10-12 | 国家计算机网络与信息安全管理中心 | Network session statistical characteristic based large-scale network scanning detection method |
CN106850511A (en) * | 2015-12-07 | 2017-06-13 | 阿里巴巴集团控股有限公司 | Identification accesses the method and device attacked |
CN107426132A (en) * | 2016-05-23 | 2017-12-01 | 腾讯科技(深圳)有限公司 | The detection method and device of network attack |
CN107483478A (en) * | 2017-09-08 | 2017-12-15 | 绵阳西真科技有限公司 | A kind of ARP attacks active defense method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
Application publication date: 20190125