CN109274638A - Method and router for automatic identification and handling of attack-source access - Google Patents

Method and router for automatic identification and handling of attack-source access

Info

Publication number: CN109274638A
Authority: CN (China)
Prior art keywords: access device, router, attack source, attack, network
Prior art date
Legal status: Pending
Application number: CN201810494398.7A
Other languages: Chinese (zh)
Inventor: 黄雁冰
Current assignee: Sichuan Feixun Information Technology Co Ltd
Original assignee: Sichuan Feixun Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Sichuan Feixun Information Technology Co Ltd
Priority to CN201810494398.7A
Publication of CN109274638A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227 Filtering policies
                            • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                            • H04L63/0263 Rule management
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                        • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Business, Economics & Management
  • General Business, Economics & Management
  • Data Exchanges In Wide-Area Networks

Abstract

The invention provides a method, and a router, for automatically identifying and handling attack-source access. The method comprises: monitoring whether any access device is performing a network scan, an access device being a terminal device connected to the router; when an access device is performing a network scan, obtaining the identification information of that attack-source access device from its packets and obtaining the connection type between the attack-source access device and the router; when the attack-source access device is connected to the router by wire, executing a wired-network attack-defense operation; and when the attack-source access device is connected to the router wirelessly, executing a wireless-network attack-defense operation. The invention thereby identifies attack-source access devices automatically, counters the network attack, and improves network security.

Description

Method and router for automatic identification and handling of attack-source access
Technical field
The present invention relates to the field of network communication security, and in particular to a method and router for automatically identifying and handling attack-source access.
Background technique
With the development of communication technology, the Internet reaches every corner of the world and provides users with a wide range of network information services. But while routers provide network connectivity, the network security problems that come with them are also getting worse.
When someone wants to attack the wireless network they are connected to, they may first scan the currently connected wireless network to find out which terminal devices are connected to it. After the terminal devices have been found, there are two attack patterns: 1. port-scanning the terminal devices one by one to check whether each has open ports, and then probing those ports for exploitable vulnerabilities; 2. performing a man-in-the-middle attack on the terminal devices, so that a terminal device mistakes the attack-source access device for the router and sends its packets to the attack-source access device. For example, an ARP attack achieves ARP spoofing by forging IP and MAC addresses; it can generate a large amount of ARP traffic in the network and congest it, and as long as the attacker keeps sending forged ARP reply packets it can change the IP-MAC entries in the ARP cache of the target host, causing network interruption or a man-in-the-middle attack.
ARP attacks mainly occur in local area networks. If one host in the LAN is infected with an ARP trojan, the infected system will attempt to intercept the communications of the other computers in the network through ARP spoofing, thereby causing communication failures for the other computers in the network.
Nmap is a network port-scanning tool used to scan the open ports of online computers in order to determine which services run on which ports and to infer which operating system a computer runs. Nmap is one of the tools a network administrator must use; a system administrator can use nmap to detect servers in the production environment that are being used without approval. However, nmap is also an attack tool commonly used by illegal users such as hackers, who can use nmap to collect the network configuration of a target computer in order to plan an attack. Identifying ARP attacks manually with nmap cannot identify network attacks automatically and cannot give the attack-source access device; one must log in to the router manually or capture packets to find the attack-source access device. Automatic identification and suppression of attacks cannot be achieved, so many attacks go undetected, leading to network security problems such as the theft of users' personal data.
Summary of the invention
The object of the present invention is to provide a method and router for automatically identifying and handling attack-source access, so as to identify the attack-source access device automatically, counter the network attack, and improve network security.
The technical solution provided by the invention is as follows:
The invention provides a method for automatically identifying and handling attack-source access, comprising the steps of:
monitoring whether any access device is performing a network scan, the access device being a terminal device connected to the router;
when an access device is performing a network scan, obtaining the identification information of the attack-source access device from the packets of the attack-source access device, and obtaining the connection type between the attack-source access device and the router;
when the attack-source access device is connected to the router by wire, executing a wired-network attack-defense operation;
when the attack-source access device is connected to the router wirelessly, executing a wireless-network attack-defense operation.
Further, executing a wired-network attack-defense operation when the attack-source access device is connected to the router by wire comprises:
when the attack-source access device is connected to the router by wire, refusing to respond to the packets of the attack-source access device;
and executing a wireless-network attack-defense operation when the attack-source access device is connected to the router wirelessly comprises:
when the attack-source access device is connected to the router wirelessly, disconnecting the wireless network connection with the attack-source access device and refusing the wireless access requests of the attack-source access device.
Further, after obtaining the identification information of the attack-source access device from its packets, and before obtaining the connection type between the attack-source access device and the router, the method comprises:
obtaining a first time of the n-th network scan and a second time of the (n+1)-th network scan, where n ≥ 0 and n ∈ N;
when the difference between the second time and the first time is greater than or equal to a preset time threshold, analyzing the connection type between the attack-source access device and the router according to the packets of the attack-source access device;
when the difference between the second time and the first time is less than the preset time threshold, opening a default network defense operation.
Further, the default network defense operation, executed when the difference between the second time and the first time is greater than or equal to the preset time threshold, comprises the steps of:
binding the IP address and MAC address of each target access device, a target access device being an access device that is not performing a network scan;
sending a standard ARP packet to all access devices every preset duration;
opening a default firewall rule and a default wireless driver rule, and obtaining the access requests of new access devices;
according to the default firewall rule, allowing responses to the packets of the target access devices;
according to the default wireless driver rule, allowing the target access devices to connect;
when the number of said access requests within a preset time interval is less than a preset quantity threshold, closing the default network defense operation.
Further, monitoring whether any access device is performing a network scan comprises the steps of:
obtaining, through the router's connection ports, the packets sent by the access devices;
parsing each packet to obtain its attribute information, and obtaining sending-state information from the attribute information, the attribute information comprising time information, source identification information, destination identification information and port number, and the sending-state information comprising sending frequency and/or sending pattern;
when the sending-state information matches a preset network-scan sending state, determining that the access device is performing a network scan.
The invention also provides a router comprising a monitoring module, an analysis module and a control module, the monitoring module being connected to the analysis module and to the control module;
the monitoring module monitors whether any access device is performing a network scan, the access device being a terminal device connected to the router;
when an access device is performing a network scan, the analysis module obtains the identification information of the attack-source access device from the packets of the attack-source access device and obtains the connection type between the attack-source access device and the router;
when the attack-source access device is connected to the router by wire, the control module executes a wired-network attack-defense operation; and when the attack-source access device is connected to the router wirelessly, the control module executes a wireless-network attack-defense operation.
Further, the control module comprises a first control unit and a second control unit;
the first control unit refuses to respond to the packets of the attack-source access device when the attack-source access device is connected to the router by wire;
the second control unit disconnects the wireless network connection with the attack-source access device and refuses the wireless access requests of the attack-source access device when the attack-source access device is connected to the router wirelessly.
Further, the router comprises a time recording module connected to the monitoring module and to the analysis module;
the time recording module obtains the first time of the n-th network scan and the second time of the (n+1)-th network scan, where n ≥ 0 and n ∈ N;
when the difference between the second time and the first time is greater than or equal to the preset time threshold, the analysis module analyzes the connection type between the attack-source access device and the router according to the packets of the attack-source access device;
when the difference between the second time and the first time is less than the preset time threshold, the control module opens the default network defense operation.
Further, the control module comprises a binding unit, a transmission unit, a processing unit and a third control unit, the transmission unit being connected to the binding unit and the processing unit being connected to the third control unit;
the binding unit binds the IP address and MAC address of each target access device, a target access device being an access device that is not performing a network scan;
the transmission unit sends a standard ARP packet to all access devices every preset duration;
the processing unit opens the default firewall rule and the default wireless driver rule and obtains the access requests of new access devices;
the third control unit allows responses to the packets of the target access devices according to the default firewall rule, allows the target access devices to connect according to the default wireless driver rule, and closes the default network defense operation when the number of said access requests within the preset time interval is less than the preset quantity threshold.
Further, the monitoring module comprises:
an acquiring unit, which obtains the packets sent by the access devices through the router's connection ports;
a parsing unit, which parses each packet to obtain its attribute information and obtains sending-state information from the attribute information, the attribute information comprising time information, source identification information, destination identification information and port number, and the sending-state information comprising sending frequency and/or sending pattern;
a judging unit, which determines that the access device is performing a network scan when the sending-state information matches a preset network-scan sending state.
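Added example, not code from the patent or from Sichuan Feixun: a minimal version of the monitoring step in Python that derives each source's sending frequency and sending pattern from the packet attributes listed above and compares them with a preset scan state. The thresholds, the inspection window and the sample traffic are constructed; a real router would take the packets from its connection ports rather than from a list.

```python
"""Scan detection from packet attributes as the monitoring module describes:
parse each packet's time, source identity, destination identity and port,
derive a per-source sending state (frequency and pattern), and compare it
with preset network-scan states. All thresholds and traffic are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    time: float       # seconds, as recorded by the router
    src_mac: str      # source identification information
    src_ip: str
    dst_ip: str       # destination identification information
    dst_port: int     # 0 for packets that carry no transport port (ARP, ICMP)
    proto: str        # "tcp", "icmp" or "arp"

# Preset network-scan sending state (constructed thresholds; a router would tune them)
WINDOW = 2.0       # seconds of recent history examined per source
MIN_RATE = 10.0    # packets per second that counts as a high sending frequency
MIN_PORTS = 15     # distinct ports probed on one host: port-scan pattern
MIN_HOSTS = 8      # distinct hosts probed: IP / ARP / ICMP sweep pattern

@dataclass
class SendingState:
    src_ip: str
    src_mac: str
    rate: float                 # packets per second within WINDOW
    pattern: Optional[str]      # "port_scan", "host_sweep" or None

def sending_states(packets: List[Packet]) -> List[SendingState]:
    """Group packets by source and derive sending frequency and pattern per source."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[(p.src_mac, p.src_ip)].append(p)
    states = []
    for (mac, ip), pkts in by_src.items():
        pkts.sort(key=lambda p: p.time)
        latest = pkts[-1].time
        recent = [p for p in pkts if latest - p.time <= WINDOW]
        span = recent[-1].time - recent[0].time
        rate = len(recent) / span if span > 0 else 0.0
        ports_per_host = defaultdict(set)
        for p in recent:
            if p.dst_port:
                ports_per_host[p.dst_ip].add(p.dst_port)
        pattern = None
        if any(len(ports) >= MIN_PORTS for ports in ports_per_host.values()):
            pattern = "port_scan"
        elif len({p.dst_ip for p in recent}) >= MIN_HOSTS:
            pattern = "host_sweep"
        states.append(SendingState(ip, mac, rate, pattern))
    return states

def detect_scanners(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Identification info (IP, MAC) of each source whose sending state matches
    the preset scan state: a high sending frequency together with a scan pattern."""
    return [(s.src_ip, s.src_mac) for s in sending_states(packets)
            if s.rate >= MIN_RATE and s.pattern is not None]

def sample_packets() -> List[Packet]:
    """Constructed traffic: one port scanner, one host sweeper, one normal client."""
    pkts = []
    for i in range(40):      # 40 TCP probes to one host, 10 ms apart
        pkts.append(Packet(0.01 * i, "aa:bb:cc:dd:ee:01", "192.168.1.50",
                           "192.168.1.1", 1 + i, "tcp"))
    for i in range(12):      # ICMP echo to 12 different hosts, 50 ms apart
        pkts.append(Packet(0.05 * i, "aa:bb:cc:dd:ee:02", "192.168.1.51",
                           f"192.168.1.{1 + i}", 0, "icmp"))
    for i in range(5):       # a few HTTPS packets to one server, one per second
        pkts.append(Packet(1.0 * i, "aa:bb:cc:dd:ee:03", "192.168.1.52",
                           "93.184.216.34", 443, "tcp"))
    return pkts

if __name__ == "__main__":
    for s in sending_states(sample_packets()):
        print(f"{s.src_ip} {s.src_mac} rate={s.rate:.1f}/s pattern={s.pattern}")
    print("attack sources:", detect_scanners(sample_packets()))
```

The normal client is never flagged because its last two seconds hold only three packets to one port, whereas both scanners exceed the frequency threshold and match a pattern.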
The method and router for automatically identifying and handling attack-source access provided by the invention can bring at least one of the following beneficial effects:
1) The invention continuously monitors all access devices connected to the router in real time, so every access device connected to the router's network is monitored, no network attack is missed, and network security is improved.
2) By identifying the connection type between the attack-source access device and the router, the invention takes different defensive measures against a variety of network attacks, automatically identifies the attack-source access device and handles it in time, improving network security.
3) By opening the default network defense operation, the invention defends against network attacks launched by frequently replaced access devices that initiate network scans, further increasing the accuracy of the automatic identification of attack-source access devices and thus improving network security.
4) The invention obtains the identification information of the attack-source access device, so the user can trace the identity information and the location of the illegal user, which helps to catch illegal users and makes the existing security protection system safer and more complete.
Brief description of the drawings
Preferred embodiments are described below in a clearly understandable way with reference to the drawings, further explaining the above characteristics, technical features, advantages and implementation of the method and router for automatically identifying and handling attack-source access.
Fig. 1 is a flow chart of one embodiment of the method for automatically identifying and handling attack-source access of the invention;
Fig. 2 is a flow chart of another embodiment of the method for automatically identifying and handling attack-source access of the invention;
Fig. 3 is a flow chart of another embodiment of the method for automatically identifying and handling attack-source access of the invention;
Fig. 4 is a flow chart of another embodiment of the method for automatically identifying and handling attack-source access of the invention;
Fig. 5 is a schematic structural diagram of one embodiment of the router of the invention;
Fig. 6 is a schematic structural diagram of another embodiment of the router of the invention.
Detailed description
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, specific embodiments of the invention are described below with reference to the drawings. Obviously, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings, and other embodiments, from them without creative effort.
For simplicity, each figure shows only the parts related to the invention, and only schematically; they do not represent the actual structure of the product. In addition, where several components in a figure have the same structure or function, only one of them is drawn or labelled, to keep the figures simple and easy to understand. Herein, "one" means not only "only this one" but may also mean "more than one".
The first embodiment of the invention, a method for automatically identifying and handling attack-source access, is shown in Fig. 1 and comprises:
monitoring whether any access device is performing a network scan, the access device being a terminal device connected to the router;
Specifically, network scans include IP address scans, port scans, ARP scans, ICMP scans and the like. The router monitors all access devices; access devices include but are not limited to terminal devices such as wired computers, wirelessly connected mobile phones and laptops. Whenever the router is powered on and working, it continuously monitors all access devices connected to it in real time, so every access device connected to the router's network is monitored, no network attack is missed, and network security is improved.
when an access device is performing a network scan, obtaining the identification information of the attack-source access device from the packets of the attack-source access device, and obtaining the connection type between the attack-source access device and the router;
Specifically, the router can keep track of how it obtained a packet. If the router received the packets of the attack-source access device over the wireless network, it determines that the attack-source access device is currently connected to the router wirelessly; if it received them over the wired network, it determines that the attack-source access device is currently connected to the router by wire. In this way the connection type between the attack-source access device and the router is distinguished.
when the attack-source access device is connected to the router by wire, executing a wired-network attack-defense operation;
when the attack-source access device is connected to the router wirelessly, executing a wireless-network attack-defense operation.
Specifically, routers currently on the market cannot automatically identify the related network attacks, so once a terminal device connects to a router it is easy for an attack-source access device to attack it, and offenders such as hackers can intercept user information and steal user property. The invention responds to a variety of network attacks with different defensive measures chosen by identifying the connection type between the attack-source access device and the router: when the attack-source access device is wired to the router, the wired-network attack-defense operation is executed, and when it is connected wirelessly, the wireless-network attack-defense operation is executed. This prevents an attack-source access device that accesses the router by wire or wirelessly from illegally impersonating the router over the wired or wireless link to intercept the personal information of the other legitimate access devices. The attack-source access device is identified automatically and handled in time; the user does not need to obtain information about the devices connected to the router with the nmap tool and compare each device with a preset whitelist to judge whether there is a network attack. Attack-source access devices are monitored and handled in real time, which reduces the cost of manual maintenance and improves network security.
The second embodiment of the invention, shown in Fig. 2, is a preferred form of the first embodiment. Compared with the first embodiment, its main improvement is that executing the wired-network attack-defense operation when the attack-source access device is wired to the router comprises: when the attack-source access device is wired to the router, refusing to respond to the packets of the attack-source access device;
Specifically, when the attack-source access device is wired to the router, the router refuses to respond to the packets of the attack-source access device; in addition, the packets of the attack-source access device can be captured, so that a packet from an access device cannot be disguised as a legitimate ARP packet of the router. This guarantees that the other access devices are not affected by ARP spoofing or ARP attacks and keeps the network unobstructed and communication secure.
and executing the wireless-network attack-defense operation when the attack-source access device is wirelessly connected to the router comprises: when the attack-source access device is wirelessly connected to the router, disconnecting the wireless network connection with the attack-source access device and refusing the wireless access requests of the attack-source access device.
Specifically, when the attack-source access device is wirelessly connected to the router, the router immediately disconnects the wireless network connection with the attack-source access device, forbids the attack-source access device from connecting to the router's wireless network, and, while a network scan is judged to be in progress, always refuses the wireless access requests of all attack-source access devices, so that a packet from an access device cannot be disguised as a legitimate ARP packet of the router. This guarantees that the other access devices are not affected by ARP spoofing or ARP attacks and keeps the network unobstructed and communication secure.
The third embodiment of the invention is a preferred form of the first or second embodiment. Compared with the first embodiment, its main improvement is that after obtaining the identification information of the attack-source access device from its packets, and before obtaining the connection type between the attack-source access device and the router, the method comprises:
obtaining a first time of the n-th network scan and a second time of the (n+1)-th network scan, where n ≥ 0 and n ∈ N;
when the difference between the second time and the first time is greater than or equal to a preset time threshold, analyzing the connection type between the attack-source access device and the router according to the packets of the attack-source access device;
when the difference between the second time and the first time is less than the preset time threshold, opening a default network defense operation.
Specifically, once the above analysis has determined that an access device is performing a network scan, the identification information of the attack-source access device that initiated the scan and is performing a network attack has been located, and the network attack is countered with a defense operation chosen for that attack-source access device. However, some illegal persons use access devices with different IP or MAC addresses to initiate network scans and network attacks frequently. In that case, if the attacker keeps replacing the access device that acts as the new attack source, merely refusing to respond to the current attack-source access device when it is wired to the router, or disconnecting it and forbidding its connection when it accesses the router wirelessly, cannot guarantee network security while the illegal person keeps switching to a new attack-source access device. Therefore the time of every network scan by an attack-source access device is recorded. When the difference between the first time T1 of the n-th network scan and the second time T2 of the (n+1)-th network scan, i.e. the value of T2 - T1, is less than the preset time threshold, it is judged that the illegal user is frequently replacing access devices to initiate network scans and network attacks, and the default network defense operation is opened to defend against network attacks from frequently replaced access devices, which further increases the accuracy of the automatic identification of attack-source access devices and thus improves network security.
Otherwise, when the difference between the first time T1 of the n-th network scan and the second time T2 of the (n+1)-th network scan, i.e. the value of T2 - T1, is greater than or equal to the preset time threshold, the connection type between the attack-source access device and the router is analyzed according to the packets of the attack-source access device. This indicates that the illegal user is probably not frequently replacing access devices as new attack sources, and the ordinary wired-network or wireless-network attack-defense operation is enough to stop the network attack of the attack-source access device.
The fourth embodiment of the invention is a preferred form of the third embodiment. Compared with the third embodiment, its main improvement is that the default network defense operation, executed when the difference between the second time and the first time is greater than or equal to the preset time threshold, comprises the steps of:
binding the IP address and MAC address of each target access device, a target access device being an access device that is not performing a network scan;
sending a standard ARP packet to all access devices every preset duration;
opening a default firewall rule and a default wireless driver rule, and obtaining the access requests of new access devices;
according to the default firewall rule, allowing responses to the packets of the target access devices;
according to the default wireless driver rule, allowing the target access devices to connect;
when the number of said access requests within a preset time interval is less than a preset quantity threshold, closing the default network defense operation.
Specifically, when an access device is again found to be performing a network scan and the time difference between the current scan and the previous one is less than the preset time threshold, the router switches to protected mode, i.e. executes the default network defense operation: 1. bind the IP addresses and MAC addresses of the target access devices; 2. send a standard ARP packet, i.e. a gratuitous ARP packet, to all access devices every preset duration; 3. open the default firewall rule, responding only to the packets of target access devices wired to the router; 4. open the default wireless driver rule, allowing only target access devices onto the router's wireless network; 5. obtain the access requests of new access devices. There is no fixed order among steps 2, 3 and 4: they may be executed simultaneously or one after another in any order.
After the default network defense operation has been opened, the router continuously checks whether there are access requests from new access devices, counts the number of such requests within the preset time interval, and judges whether that number is less than the preset quantity threshold. If it is greater than or equal to the threshold, the illegal user is probably not frequently replacing access devices to attack the network as a new attack source; the router then closes the default network defense operation, that is, releases the IP/MAC address bindings, stops broadcasting gratuitous ARP packets, closes the default firewall rule and responds only to the packets of the original access devices. The router also closes the default wireless driver rule, allows wireless access by any access device, and stops recording the access requests of new access devices. In this way the router recovers normal operation automatically after the attack-source access device disappears, without manual intervention, so that its network functions can be used normally.
The present invention starts to send infected information after can monitoring whether have terminal to connect router in real time or scans network, Router meeting automatic identification attack source access device, after finding attack, the mark of automatic quick lock in attack source access device Know information (IP address or MAC Address), and according to the identification information of attack source access device and disconnects attack source access device Network connection between router, it is ensured that other access devices for connecting router can operate normally, and guarantee other accesses The network security of equipment promotes the defence capability of the network sweep to attack source access device.
The fifth embodiment of the invention, as shown in Figure 3, is a preferred embodiment of the first embodiment above. Compared with the first embodiment, its main improvement is that monitoring whether an access device performs a network scan comprises the steps of:
Obtaining, through the router's connection ports, the packets sent by access devices;
Parsing each packet to obtain its attribute information, and deriving packet-sending status information from the attribute information; the attribute information includes time information, source identification information, destination identification information and port number; the packet-sending status information includes packet-sending frequency and/or packet-sending pattern;
When the packet-sending status information matches the preset network-scan packet-sending state, determining that the access device is performing a network scan.
Specifically, the router obtains the packets sent by all access devices, parses each packet to obtain the corresponding attribute information, and analyzes the time information, source identification information (source MAC address and/or source IP address), destination identification information (destination MAC address and/or destination IP address) and port number in the attribute information to obtain the packet-sending status information of each access device. When the packet-sending status information matches the preset network-scan packet-sending state, the current access device is determined to be performing a network scan.
For example, the methods for determining that the current access device is performing a network scan include, but are not limited to, the following:
Judge whether the number of packets sent from a given source IP address is too high; if so, the current access device is performing a network scan;
Judge whether packets with the same source IP address are sent to multiple different local IP addresses in the same local area network; if so, the current access device is performing a network scan;
Judge whether packets with the same source IP address are sent to the same destination IP address with port numbers that follow a pattern, such as running from 1 to 65535; if so, the current access device is performing a network scan;
Judge, for ARP messages among the packets, whether the same MAC address sends ARP messages to multiple different MAC addresses in the network; if so, the current access device is performing a network scan;
Judge, for ICMP packets, whether the destination IP address is a local IP address and the destination IP addresses follow a pattern, such as running from 1 to 253; if so, the current access device is performing a network scan.
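The five heuristics above, implemented as a rule-based detector over constructed sample traffic. This is an added example, not the patent's code: the `Packet` record, the thresholds, the assumed LAN `192.168.1.0/24` and the sample devices are all assumptions, and the ARP rule is generalized to count distinct targets (destination MAC and target IP) because ARP requests are normally broadcast.

```python
"""Rule-based network-scan detection on a router: packet rate per source,
host sweep, sequential port scan, ARP scan and ICMP sweep.  Added example
with constructed traffic; not code from the patent."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str     # for ARP: the target IP named in the message
    proto: str      # "tcp", "udp", "icmp" or "arp"
    dport: int = 0  # destination port for tcp/udp, else 0


LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN of the router


def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers in `values` (0 if empty)."""
    s = sorted(set(values))
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_scans(packets, window=60.0, rate_threshold=100, host_threshold=10,
                 port_threshold=10, arp_threshold=10, icmp_threshold=10):
    """Return {source: set of scan labels} for sources whose packet-sending
    status within the last `window` seconds matches a scan pattern."""
    if not packets:
        return {}
    t_end = max(p.ts for p in packets)
    recent = [p for p in packets if p.ts > t_end - window]

    per_ip, per_mac_arp = defaultdict(list), defaultdict(list)
    for p in recent:
        (per_mac_arp[p.src_mac] if p.proto == "arp" else per_ip[p.src_ip]).append(p)

    findings = defaultdict(set)
    for src, pkts in per_ip.items():
        # Rule 1: too many packets from one source IP in the window.
        if len(pkts) >= rate_threshold:
            findings[src].add("high_rate")
        # Rule 2: one source IP reaching many different local hosts.
        local_dsts = {p.dst_ip for p in pkts
                      if ipaddress.ip_address(p.dst_ip) in LOCAL_NET}
        if len(local_dsts) >= host_threshold:
            findings[src].add("host_sweep")
        # Rule 3: one source, one destination, destination ports in sequence.
        ports_by_dst = defaultdict(set)
        for p in pkts:
            if p.proto in ("tcp", "udp"):
                ports_by_dst[p.dst_ip].add(p.dport)
        if any(longest_consecutive_run(ports) >= port_threshold
               for ports in ports_by_dst.values()):
            findings[src].add("port_scan")
        # Rule 5: ICMP to local hosts whose last octets run in sequence (1..253).
        hosts = [int(p.dst_ip.rsplit(".", 1)[1]) for p in pkts
                 if p.proto == "icmp" and ipaddress.ip_address(p.dst_ip) in LOCAL_NET]
        if longest_consecutive_run([h for h in hosts if 1 <= h <= 253]) >= icmp_threshold:
            findings[src].add("icmp_sweep")
    # Rule 4: ARP messages from one MAC to many different targets.
    for mac, pkts in per_mac_arp.items():
        if len({(p.dst_mac, p.dst_ip) for p in pkts}) >= arp_threshold:
            findings[mac].add("arp_scan")
    return dict(findings)


def constructed_traffic():
    """Constructed sample traffic (not a real capture): one benign host,
    a port scanner, an ICMP sweeper and an ARP scanner."""
    pkts, t = [], 0.0
    for port in (53, 443, 443, 80, 443):   # benign host talking to the gateway
        pkts.append(Packet(t, "02:00:00:00:00:10", "02:00:00:00:00:01",
                           "192.168.1.10", "192.168.1.1", "tcp", port)); t += 1.0
    for port in range(1, 41):              # ports 1..40 on the gateway
        pkts.append(Packet(t, "02:00:00:00:00:50", "02:00:00:00:00:01",
                           "192.168.1.50", "192.168.1.1", "tcp", port)); t += 0.05
    for host in range(1, 31):              # echo requests to .1 .. .30
        pkts.append(Packet(t, "02:00:00:00:00:60", "02:00:00:00:00:01",
                           "192.168.1.60", f"192.168.1.{host}", "icmp")); t += 0.05
    for host in range(100, 125):           # broadcast ARP for 25 targets
        pkts.append(Packet(t, "02:00:00:00:00:70", "ff:ff:ff:ff:ff:ff",
                           "192.168.1.70", f"192.168.1.{host}", "arp")); t += 0.05
    return pkts


if __name__ == "__main__":
    for source, labels in sorted(detect_scans(constructed_traffic()).items()):
        print(source, sorted(labels))
```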
The present invention can detect and judge all network scanning behaviors in real time. The preset packet-sending state may be the packet-sending state corresponding to an existing network scan attack, or a new preset packet-sending state may be obtained by training a neural network algorithm model on the packet-sending states corresponding to existing network scan attacks. This improves the accuracy of monitoring whether an access device performs a network scan and raises the level of network security protection.
Based on the above embodiments, a practical example is given below, as shown in Figure 4, comprising the steps of:
The router monitors all connected terminal devices and checks whether any device is performing a network scan (IP address scan, port scan, ARP scan, ICMP scan, etc.);
When a network scan is found, the IP address and MAC address of the attack-source access device performing the scan are obtained; if none is found, monitoring continues;
Judge whether the difference between the previous network scan time and the current network scan time is less than the preset duration (for example 5 min);
If the difference between the previous network scan time and the current network scan time is less than the preset duration, the router switches to protected mode, i.e. the preset network defense operation. After switching to the preset network defense operation, it judges whether the number of requests from new access devices within the preset time interval is less than the preset number, for example whether there is less than 1 new access device request within 5 minutes; if so, the router closes protected mode;
If the difference between the previous network scan time and the current network scan time is greater than or equal to the preset duration, check whether the attack-source access device is connected by wire or wirelessly.
When the attack-source access device is connected by wire, the router rejects all packets corresponding to the attack-source access device by means of an iptables rule.
When the attack-source access device is connected wirelessly, the router disconnects the wireless connection with the attack-source access device through the wireless driver, rejects the wireless access requests sent by the attack-source access device, and forbids the attack-source access device from joining the router's wireless network.
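The decision flow of Figure 4 and the protected-mode bookkeeping of the fourth embodiment, as an added example that is not the patent's code. The 5-minute gap, the 5-minute window and the "fewer than 1 new request" limit come from the text; the gratuitous-ARP period, the device records and the action dictionaries (standing in for the iptables and wireless-driver hooks) are assumptions, and a first scan with no earlier scan time is treated as the "far apart" case.

```python
"""State machine for a router's response to detected network scans: scans
closer together than the preset duration enter protected mode (bind IP/MAC
of non-scanning devices, serve only them, count new access requests, leave
when they dry up); isolated scans cut off that one source by connection
type.  Added example, not the patent's code; enforcement hooks are assumed."""
from dataclasses import dataclass

SCAN_GAP = 5 * 60           # preset duration between two scans: 5 min
NEW_DEVICE_WINDOW = 5 * 60  # preset interval for counting new access requests
NEW_DEVICE_LIMIT = 1        # fewer than 1 new request per window closes protected mode
ARP_INTERVAL = 30           # assumed gratuitous-ARP period while protected (seconds)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    wired: bool


class RouterDefense:
    def __init__(self, devices):
        self.devices = {d.mac: d for d in devices}  # connected terminals by MAC
        self.blocked = set()          # MACs cut off by the single-source path
        self.last_scan_ts = None
        self.protected_since = None   # None while not in protected mode
        self.bindings = {}            # MAC -> bound IP of target (non-scanning) devices
        self.new_requests = []        # timestamps of requests from unknown devices

    @property
    def protected(self):
        return self.protected_since is not None

    def on_scan(self, ts, attacker):
        """Choose the defense for a scan by `attacker` detected at time `ts`."""
        prev, self.last_scan_ts = self.last_scan_ts, ts
        if prev is not None and ts - prev < SCAN_GAP:
            # Scans keep recurring: protect the known-good set instead of one source.
            self.protected_since = ts
            self.new_requests = []
            self.bindings = {m: d.ip for m, d in self.devices.items() if m != attacker.mac}
            return {"action": "protected_mode", "bound": dict(self.bindings)}
        # Isolated scan (or the first one): cut off just this attack source.
        self.blocked.add(attacker.mac)
        self.devices.pop(attacker.mac, None)
        if attacker.wired:
            # Hook: a firewall (iptables) DROP rule for this source IP/MAC.
            return {"action": "drop_wired", "ip": attacker.ip, "mac": attacker.mac}
        # Hook: wireless driver disconnects the station and refuses re-association.
        return {"action": "deauth_wireless", "mac": attacker.mac}

    def on_packet(self, ts, mac, ip):
        """Return True if a packet/association from (mac, ip) is served."""
        if mac in self.blocked:
            return False
        if not self.protected:
            return True
        if self.bindings.get(mac) == ip:
            return True                      # bound target device using its bound IP
        if mac not in self.devices:
            self.new_requests.append(ts)     # unknown device: record, do not serve
        return False

    def tick(self, ts):
        """Run every ARP_INTERVAL while protected: refresh bindings with a
        gratuitous ARP, or leave protected mode once new requests dry up."""
        if not self.protected:
            return None
        self.new_requests = [t for t in self.new_requests if t > ts - NEW_DEVICE_WINDOW]
        if (ts - self.protected_since >= NEW_DEVICE_WINDOW
                and len(self.new_requests) < NEW_DEVICE_LIMIT):
            self.protected_since, self.bindings, self.new_requests = None, {}, []
            return {"action": "exit_protected"}
        return {"action": "gratuitous_arp", "bindings": dict(self.bindings)}
```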
The router of the present invention monitors in real time whether a terminal connected to it starts sending infected information or scanning the network; the router automatically identifies the attack-source access device and disconnects the network connection between the attack-source access device and the router, ensuring that other access devices connected to the router can operate normally and improving the network security of the access devices.
The sixth embodiment of the invention is a router, as shown in Figure 5, comprising a monitoring module 100, an analysis module 200 and a control module 300; the monitoring module 100 is connected to the analysis module 200 and the control module 300 respectively;
The monitoring module 100 monitors whether an access device performs a network scan; the access device is a terminal device connected to the router;
When an access device performs a network scan, the analysis module 200 obtains, according to the packets corresponding to the attack-source access device, the identification information corresponding to the attack-source access device, and obtains the connection mode between the attack-source access device and the router;
When the attack-source access device is connected to the router by wire, the control module 300 executes the wired network attack defense operation; when the attack-source access device is connected to the router wirelessly, the control module 300 executes the wireless network attack defense operation.
Specifically, this embodiment is the apparatus embodiment corresponding to the method embodiment above; for its specific effects refer to the first embodiment above, which is not repeated here.
The seventh embodiment of the invention, as shown in Figure 5, is a preferred embodiment of the sixth embodiment above. Compared with the sixth embodiment, its main improvement is that the control module 300 comprises a first control unit 310 and a second control unit 320;
The first control unit 310, when the attack-source access device is connected to the router by wire, refuses to respond to the packets of the attack-source access device;
The second control unit 320, when the attack-source access device is connected to the router wirelessly, disconnects the wireless network connection with the attack-source access device and rejects the wireless access requests of the attack-source access device.
Specifically, this embodiment is the apparatus embodiment corresponding to the method embodiment above; for its specific effects refer to the second embodiment above, which is not repeated here.
The eighth embodiment of the invention is a preferred embodiment of the sixth or seventh embodiment above. Compared with the sixth or seventh embodiment, its main improvement is that the router further comprises a time recording module, which is connected to the monitoring module 100 and the analysis module 200 respectively;
The time recording module obtains the first time of the n-th network scan and the second time of the (n+1)-th network scan, where n ≥ 0 and n ∈ N;
When the time difference between the second time and the first time is greater than or equal to the preset time threshold, the analysis module 200 analyzes the connection mode between the attack-source access device and the router according to the packets corresponding to the attack-source access device;
When the time difference between the second time and the first time is less than the preset time threshold, the control module 300 enables the preset network defense operation.
Specifically, this embodiment is the apparatus embodiment corresponding to the method embodiment above; for its specific effects refer to the third embodiment above, which is not repeated here.
The ninth embodiment of the invention is a preferred embodiment of the eighth embodiment above. Compared with the eighth embodiment, its main improvement is that the control module 300 further comprises a binding unit, a transmission unit, a processing unit and a third control unit; the transmission unit is connected to the binding unit, and the processing unit is connected to the third control unit;
The binding unit binds the IP address and MAC address of each target access device; a target access device is an access device that is not performing a network scan;
The transmission unit sends a standard ARP packet to all access devices every preset duration;
The processing unit enables the preset firewall rule and the preset wireless driver rule, and obtains the access requests of new access devices;
The third control unit allows, according to the preset firewall rule, responses to the packets of the target access devices; allows, according to the preset wireless driver rule, the target access devices to connect; and closes the preset network defense operation when the number of the access requests within the preset time interval is less than the preset quantity threshold.
Specifically, this embodiment is the apparatus embodiment corresponding to the method embodiment above; for its specific effects refer to the first embodiment above, which is not repeated here.
The tenth embodiment of the invention is a preferred embodiment of the sixth embodiment above. Compared with the sixth embodiment, its main improvement is that the monitoring module 100 comprises:
An acquiring unit, which obtains, through the router's connection ports, the packets sent by access devices;
A resolution unit, which parses each packet to obtain its attribute information and derives packet-sending status information from the attribute information; the attribute information includes time information, source identification information, destination identification information and port number; the packet-sending status information includes packet-sending frequency and/or packet-sending pattern;
A judging unit, which determines that the access device is performing a network scan when the packet-sending status information matches the preset network-scan packet-sending state.
Specifically, this embodiment is the apparatus embodiment corresponding to the method embodiment above; for its specific effects refer to the first embodiment above, which is not repeated here.
It should be noted that the above embodiments can be freely combined as needed. The above are only preferred embodiments of the invention; it should be pointed out that those skilled in the art can make several improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.

Claims (10)

1. A method for automatic identification and handling of attack-source access, characterized in that it comprises the steps of:
monitoring whether an access device performs a network scan, the access device being a terminal device connected to a router;
when an access device performs a network scan, obtaining, according to the packets corresponding to the attack-source access device, the identification information corresponding to the attack-source access device, and obtaining the connection mode between the attack-source access device and the router;
when the attack-source access device is connected to the router by wire, executing a wired network attack defense operation;
when the attack-source access device is connected to the router wirelessly, executing a wireless network attack defense operation.
2. The method for automatic identification and handling of attack-source access according to claim 1, characterized in that, when the attack-source access device is connected to the router by wire, executing the wired network attack defense operation comprises:
when the attack-source access device is connected to the router by wire, refusing to respond to the packets of the attack-source access device;
and when the attack-source access device is connected to the router wirelessly, executing the wireless network attack defense operation comprises:
when the attack-source access device is connected to the router wirelessly, disconnecting the wireless network connection with the attack-source access device and rejecting the wireless access requests of the attack-source access device.
3. The method for automatic identification and handling of attack-source access according to claim 1 or 2, characterized in that, after obtaining the identification information corresponding to the attack-source access device according to the packets corresponding to the attack-source access device, and before obtaining the connection mode between the attack-source access device and the router, the method comprises:
obtaining a first time of the n-th network scan and a second time of the (n+1)-th network scan, where n ≥ 0 and n ∈ N;
when the time difference between the second time and the first time is greater than or equal to a preset time threshold, analyzing the connection mode between the attack-source access device and the router according to the packets corresponding to the attack-source access device;
when the time difference between the second time and the first time is less than the preset time threshold, enabling a preset network defense operation.
4. The method for automatic identification and handling of attack-source access according to claim 3, characterized in that, when the time difference between the second time and the first time is greater than or equal to the preset time threshold, executing the preset network defense operation comprises the steps of:
binding the IP address and MAC address of each target access device, a target access device being an access device that is not performing a network scan;
sending a standard ARP packet to all access devices every preset duration;
enabling the preset firewall rule and the preset wireless driver rule, and obtaining the access requests of new access devices;
according to the preset firewall rule, allowing responses to the packets of the target access devices;
according to the preset wireless driver rule, allowing the target access devices to connect;
when the number of the access requests within the preset time interval is less than the preset quantity threshold, closing the preset network defense operation.
5. The method for automatic identification and handling of attack-source access according to claim 1, characterized in that monitoring whether an access device performs a network scan comprises the steps of:
obtaining, through the router's connection ports, the packets sent by access devices;
parsing each packet to obtain its attribute information, and deriving packet-sending status information from the attribute information, the attribute information including time information, source identification information, destination identification information and port number, and the packet-sending status information including packet-sending frequency and/or packet-sending pattern;
when the packet-sending status information matches the preset network-scan packet-sending state, determining that the access device is performing a network scan.
6. A router, characterized in that it comprises a monitoring module, an analysis module and a control module, the monitoring module being connected to the analysis module and the control module respectively;
the monitoring module monitors whether an access device performs a network scan, the access device being a terminal device connected to the router;
when an access device performs a network scan, the analysis module obtains, according to the packets corresponding to the attack-source access device, the identification information corresponding to the attack-source access device, and obtains the connection mode between the attack-source access device and the router;
when the attack-source access device is connected to the router by wire, the control module executes a wired network attack defense operation; and when the attack-source access device is connected to the router wirelessly, the control module executes a wireless network attack defense operation.
7. The router according to claim 6, characterized in that the control module comprises a first control unit and a second control unit;
the first control unit, when the attack-source access device is connected to the router by wire, refuses to respond to the packets of the attack-source access device;
the second control unit, when the attack-source access device is connected to the router wirelessly, disconnects the wireless network connection with the attack-source access device and rejects the wireless access requests of the attack-source access device.
8. The router according to claim 6 or 7, characterized in that it further comprises a time recording module, connected to the monitoring module and the analysis module respectively;
the time recording module obtains a first time of the n-th network scan and a second time of the (n+1)-th network scan, where n ≥ 0 and n ∈ N;
when the time difference between the second time and the first time is greater than or equal to a preset time threshold, the analysis module analyzes the connection mode between the attack-source access device and the router according to the packets corresponding to the attack-source access device;
when the time difference between the second time and the first time is less than the preset time threshold, the control module enables a preset network defense operation.
9. The router according to claim 8, characterized in that the control module further comprises a binding unit, a transmission unit, a processing unit and a third control unit, the transmission unit being connected to the binding unit and the processing unit being connected to the third control unit;
the binding unit binds the IP address and MAC address of each target access device, a target access device being an access device that is not performing a network scan;
the transmission unit sends a standard ARP packet to all access devices every preset duration;
the processing unit enables the preset firewall rule and the preset wireless driver rule, and obtains the access requests of new access devices;
the third control unit allows, according to the preset firewall rule, responses to the packets of the target access devices; allows, according to the preset wireless driver rule, the target access devices to connect; and closes the preset network defense operation when the number of the access requests within the preset time interval is less than the preset quantity threshold.
10. The router according to claim 6, characterized in that the monitoring module comprises:
an acquiring unit, which obtains, through the router's connection ports, the packets sent by access devices;
a resolution unit, which parses each packet to obtain its attribute information and derives packet-sending status information from the attribute information, the attribute information including time information, source identification information, destination identification information and port number, and the packet-sending status information including packet-sending frequency and/or packet-sending pattern;
a judging unit, which determines that the access device is performing a network scan when the packet-sending status information matches the preset network-scan packet-sending state.
CN201810494398.7A 2018-05-22 2018-05-22 A kind of method and router of attack source access automatic identification processing Pending CN109274638A (en)

Publications (1)

Publication Number Publication Date
CN109274638A true CN109274638A (en) 2019-01-25

Family

ID=65152849

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190125