CN109347817B - Method and device for network security redirection - Google Patents


Info

Publication number
CN109347817B
Authority
CN
China
Prior art keywords
data packet
redirection
udp
protocol
target
Legal status
Active
Application number
CN201811186641.5A
Other languages
Chinese (zh)
Other versions
CN109347817A (en)
Inventor
姚先洪
廖宁
罗佳
林山
Current Assignee
Xiamen Anscen Network Technology Co ltd
Original Assignee
Xiamen Anscen Network Technology Co ltd

Classifications

    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/02 network security for separating internal from external traffic, e.g. firewalls; H04L63/0227 Filtering policies)
    • H04L63/0281 Proxies (under H04L63/02 network security for separating internal from external traffic, e.g. firewalls)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14)
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture involving adaptations of sockets based mechanisms (under H04L69/16 implementation or adaptation of IP, TCP or UDP; H04L69/161 implementation details of TCP/IP or UDP/IP stack architecture; specification of modified or new header fields)

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a method for secure network communication redirection, comprising the following steps: S1: filtering the target data packets of a designated network communication by process, IP address, port and protocol through a layered WFP driver design, and pre-filtering them with BPF rules to select the target network data packets; S2: configuring capture and interception based on process, IP address, port and protocol, capturing the target network data packets, parsing and reconstructing them according to the TCP/IP protocol stack, and encapsulating and forwarding them; S3: establishing communication with a proxy server according to the Socks5 proxy protocol; S4: the proxy server performing redirection proxy forwarding of the target network data packets based on the Socks5 proxy protocol, thereby realizing TCP redirection, UDP redirection and remote DNS redirection. A redirection module is further proposed, comprising a WFP driver module, a TCP/IP protocol decapsulation module and a redirection service module, which together implement TCP redirection, UDP redirection and remote DNS redirection.

Description

Method and device for network security redirection
Technical Field
The invention relates to the field of network redirection, in particular to a method and a device for network security redirection.
Background
Nowadays the internet has penetrated every aspect of personal life and business activity, through applications such as social networking, cross-border e-commerce, online payment and messaging. These internet applications suffer from geographic restrictions, information leakage, limited bandwidth and similar problems, so solutions to these defects of the traditional internet have been developed with network communication technologies, and have evolved into virtual private networks, anonymous communication networks and other tunnel proxy networks. Such solutions generally consist of three parts: redirection software, a dialing client and a relay server. The dialing client and the relay server mainly build the network communication tunnel and forward data, while the redirection software is responsible for steering the traffic generated by local applications into the tunnel. Tunnel protocols are now numerous and offer good convenience, flexibility and extensibility; implementations of the redirection software are also numerous, but they lack flexibility.
At present, redirection software steers network communication traffic in one of four ways: virtual network card technology, firewall forwarding technology, communication process hijacking, and proxy support built directly into the application. Virtual network card technology uses a network driver to create a virtual network interface card bridged to the physical network card and steers communication data by modifying the computer's default routing table; it is commonly used in VPN networks such as IPSec and PPTP and provides global network redirection. Firewall forwarding technology uses the NAT forwarding function of a network firewall to forward the network data of a specified communication source, destination and protocol to a traffic-steering program; it is found in redsocks, DDProxy and similar software. Communication process hijacking hooks the network communication library or service provider used by an application in order to steer a specified process, typically through a Winsock Layered Service Provider (LSP) or Namespace Provider (NSP). Application-provided proxying means that the application itself offers a proxy function, so that different proxy server addresses can be configured for different applications; it is mostly limited to standard HTTP proxies, Socks proxies and the like. None of these redirection techniques can be applied flexibly by process, by source/destination address, or as a global or local proxy, and all are heavily constrained by the security policy of the operating system itself.
Disclosure of Invention
The technical problem to be solved by the invention is as follows. Network data redirection is at present handled in four ways: a virtual network card (VNIC), firewall forwarding technology, communication program hijacking (LSP/NSP), and a proxy provided directly by the application. The virtual network card technology must redirect all local network access, cannot meet the requirement of process-level traffic redirection, and cannot accommodate different communication links with limited bandwidth; the firewall forwarding technology handles a limited set of network protocols and generally cannot process UDP packets; communication program hijacking is unstable, cannot guarantee the correct operation of mechanisms such as asynchronous communication or I/O completion ports (IOCP) in the application, and can cause the program to stall; and the approach of an application providing its own proxy interface depends entirely on the program vendor, and many programs on the market provide no proxy function at all. Therefore, the invention provides a method for secure network communication redirection, comprising the following steps:
S1: filtering the target data packets of a designated network communication by process, IP address, port and protocol through a layered WFP driver design, and pre-filtering them with BPF rules to select the target network data packets;
S2: configuring capture and interception based on process, IP address, port and protocol, capturing the target network data packets, parsing and reconstructing them according to the TCP/IP protocol stack, and encapsulating and forwarding them;
S3: establishing communication with a proxy server according to the Socks5 proxy protocol;
S4: the proxy server performing redirection proxy forwarding of the target network data packets based on the Socks5 proxy protocol, thereby realizing TCP redirection, UDP redirection and remote DNS redirection.
Further, the layered design of the WFP driver includes inspection filtering of the network communication process by registering callouts at FWPM_LAYER_ALE_AUTH_CONNECT_V4/V6, and pre-filtering of the target packets by IP address, port and protocol by registering callouts at FWPM_LAYER_INBOUND_IPPACKET_V4/V6 and FWPM_LAYER_IPFORWARD_V4/V6. The WFP (Windows Filtering Platform) driver is a filtering framework driver that operates at every layer of the kernel TCP/IP protocol stack and can filter and intercept the stack comprehensively.
Further, the TCP redirection method specifically includes the following steps:
S11: capturing and pre-filtering a target SYN packet sent by an application, establishing a connection with the proxy server, and completing establishment of the TCP proxy connection;
S12: parsing and reconstructing the target SYN packet through the TCP/IP protocol stack, and forwarding it to the proxy server;
S13: completing the Socks proxy authentication process with the proxy server;
S14: according to the outcome of the Socks5 negotiation with the proxy server, sending SYN/ACK to complete the TCP three-way handshake with the application and establish the proxy connection, after which the application communicates with the target site through the proxy server.
Further, S11 includes the following steps:
S111: capturing the target SYN packet according to the BPF rules and the process blacklist/whitelist;
S112: acquiring the target SYN packet through the driver IO interface.
Further, S12 includes the following steps:
S121: parsing the target SYN packet according to the TCP/IP protocol stack, changing its destination address and destination port to the address and port of the proxy server, and recalculating the TCP sequence number;
S122: calculating the checksum of the modified packet and encapsulating it as a SYN redirection packet;
S123: sending the SYN redirection packet to the proxy server through the driver IO;
S124: completing the TCP three-way handshake with the proxy server through the driver IO.
Further, the Socks proxy authentication process of S13 includes the following steps:
S131: completing the method selection of the Socks5 proxy protocol directly with the proxy server through the driver IO;
S132: sending the real destination address of the connection to the proxy server through the driver IO;
S133: the proxy server establishing a connection to the real destination address of the connection and returning whether the connection succeeded.
Further, the UDP redirection method specifically includes the following steps:
S21: establishing a UDPtun channel for carrying UDP packets, monitoring local UDP communication, and capturing the target UDP packets;
S22: parsing and modifying the target UDP packets according to the TCP/IP protocol stack, then redirecting and forwarding them to the proxy server;
S23: the proxy server sending the target UDP packets to the target site, which generates and returns UDP response packets;
S24: the proxy server receiving the UDP response packets and forwarding them to the application.
Further, S21 includes the following steps:
S211: the redirection module establishing a UDP data relay port;
S212: the redirection module establishing the TCP-based transport connection UDPtun with the proxy server;
S213: capturing the UDP packets according to the BPF rules and the process blacklist/whitelist, the UDP packets being captured at the network layer and consisting of a UDP transport protocol header and UDP data.
Further, S22 includes the following steps:
S221: obtaining a UDP packet through the driver IO interface, and parsing the source IP and source port of the UDP communication according to the TCP/IP protocol stack;
S222: tracking the UDP data relay port by source IP and source port to obtain the UDP transport protocol header constructed from that IP and port, and forwarding the UDP packet down to the UDP data relay port through the driver IO;
S223: after receiving the UDP packet, the UDP data relay port forwarding it to the proxy server through the UDPtun;
S224: the proxy server unpacking the UDP packet according to the UDP transport protocol and forwarding it to the target site.
Further, S23 includes the following steps:
S231: the proxy server receiving a UDP response packet from the target site;
S232: the proxy server encapsulating the UDP response packet into a network layer packet according to the UDP transport protocol, and forwarding the network layer packet through the UDPtun;
S233: forwarding the network layer packet to the corresponding application at the network layer through the driver IO.
Further, the remote DNS redirection method specifically includes the following steps:
S31: capturing all DNS requests according to the BPF rules, and replying with a pseudo IP address in accordance with the DNS protocol;
S32: when the application communicates with the pseudo IP address, replacing the pseudo IP address with the real domain name;
S33: when the target network packet flow is transferred to the proxy server, applying different processing according to the transport layer protocol;
S34: when the proxy server establishes communication with the target site of the specified domain name, the DNS client on the proxy server's side resolving the domain name to obtain the real IP address.
The invention also provides a redirection module, comprising:
a WFP driver module, configured to filter the target network packets of a specified network communication process, IP address, communication port and protocol;
a TCP/IP protocol decapsulation module, configured to set the pre-filtering rules of the WFP driver module, parse the target network packets, and forward them;
a redirection service module, configured to establish a session with the proxy server according to the Socks5 proxy protocol, implement TCP, UDP and DNS proxy forwarding based on the Socks5 proxy protocol, and complete TCP redirection, UDP redirection and remote DNS redirection of the target network packets.
Further, the WFP driver module implements inspection filtering of the specified network communication process by registering callouts at FWPM_LAYER_ALE_AUTH_CONNECT_V4/V6, and pre-filters the target network packets of the specified IP address, communication port and protocol with Berkeley packet filtering rules by registering callouts at FWPM_LAYER_INBOUND_IPPACKET_V4/V6 and FWPM_LAYER_IPFORWARD_V4/V6.
Further, setting the pre-filtering rules comprises configuring the capture and interception of the WFP driver module based on network communication process, IP address, communication port and protocol.
Further, parsing the target network packets means acquiring the captured target network packets through the physical interface layer and parsing and reconstructing them according to the TCP/IP protocol stack.
Further, forwarding the target network packets means forwarding the various custom protocol packets through a specified physical interface card.
The invention also proposes a computing device comprising a processor and a storage medium containing computer program instructions; the processor implements the above method by executing the computer program instructions.
The invention provides a method for secure network communication redirection which first filters the target data packets of a designated network communication by process, IP address, port and protocol through a layered WFP driver design and selects the target network packets; then configures capture and interception based on process, IP address, port and protocol, captures the target network packets, parses and reconstructs them according to the TCP/IP protocol stack, and encapsulates and forwards them; establishes communication with a proxy server according to the Socks5 proxy protocol; and has the proxy server perform redirection proxy forwarding of the target network packets based on the Socks5 proxy protocol, realizing TCP redirection, UDP redirection and remote DNS redirection. The method uses a layered network driver to intercept the traffic of a designated process and source/destination addresses, and performs data parsing and traffic steering through a TCP/IP protocol emulation layer. It thereby resolves the limitations of existing redirection techniques in steering scope and functional extension, and lets a user customize a network security redirection function quickly and conveniently. The provided redirection module can be applied flexibly by process, by source/destination address, and as a global or local proxy, and is less constrained by the operating system's security policy.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention, and a person skilled in the art could obtain other drawings from them without creative effort.
FIG. 1 is a flow diagram of a method of network security redirection in an embodiment of the invention;
FIG. 2 is a flow chart of the TCP redirection method for network security redirection according to an embodiment of the invention;
FIG. 3 is a flow chart of S11 of the TCP redirection method according to an embodiment of the invention;
FIG. 4 is a flow chart of S12 of the TCP redirection method according to an embodiment of the invention;
FIG. 5 is a flow chart of S13 of the TCP redirection method according to an embodiment of the invention;
FIG. 6 is a flow diagram of UDP redirection by the redirection module of an embodiment of the invention;
FIG. 7 is a flow chart of S21 of UDP redirection by the redirection module of an embodiment of the invention;
FIG. 8 is a flow chart of S22 of UDP redirection by the redirection module of an embodiment of the invention;
FIG. 9 is a flow chart of S23 of UDP redirection by the redirection module of an embodiment of the invention;
FIG. 10 is a flow diagram of DNS redirection by the redirection module of an embodiment of the invention;
FIG. 11 is a schematic diagram of the redirection module of an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a method for secure network communication redirection, as shown in FIG. 1, comprising the following steps:
S1: filtering the target data packets of a designated network communication by process, IP address, port and protocol through a layered WFP driver design, and pre-filtering them with BPF rules to select the target network data packets;
S2: configuring capture and interception based on process, IP address, port and protocol, capturing the target network data packets, parsing and reconstructing them according to the TCP/IP protocol stack, and encapsulating and forwarding them;
S3: establishing communication with a proxy server according to the Socks5 proxy protocol. Socks5 simply relays the packets generated by the application layer without regard to the specific application layer protocol, and is therefore faster and more general than an application layer proxy.
S4: the proxy server performing redirection proxy forwarding of the target network data packets based on the Socks5 proxy protocol, thereby realizing TCP redirection, UDP redirection and remote DNS redirection.
Further, the layered design of the WFP driver includes inspection filtering of the network communication process by registering callouts at FWPM_LAYER_ALE_AUTH_CONNECT_V4/V6, and pre-filtering of the target packets by IP address, port and protocol by registering callouts at FWPM_LAYER_INBOUND_IPPACKET_V4/V6 and FWPM_LAYER_IPFORWARD_V4/V6. The WFP (Windows Filtering Platform) driver is a filtering framework driver that operates at every layer of the kernel TCP/IP protocol stack and can filter and intercept the stack comprehensively. The redirection function is then implemented on the filtered and intercepted data.
As shown in FIG. 2, the TCP redirection method specifically includes the following steps:
S11: capturing and pre-filtering a target SYN packet sent by an application, establishing a connection with the proxy server, and completing establishment of the TCP proxy connection;
as shown in FIG. 3, S11 further includes the following steps:
S111: capturing the target SYN packet according to the BPF rules and the process blacklist/whitelist;
BPF (Berkeley Packet Filter) is a packet capture mechanism that works in the operating system kernel: it captures and filters link layer packets and finally delivers only the packets that match a specific filter to the application layer.
BPF consists of two parts, a network forwarding part and a packet filtering part. The network forwarding part captures packets from the link layer and passes them to the datagram filtering part. The datagram filtering part applies a filter rule to each received datagram to decide whether to accept it; all other packets are discarded. Both parts of BPF are implemented in the kernel layer of the operating system, and the packets delivered to the application layer are already filtered, so capture and filtering are both completed in the kernel and efficiency is high.
Blacklists and whitelists are established: once the blacklist is enabled, the users (or IP addresses, IP packets, mails, viruses and the like) listed on it cannot pass. The users (or IP addresses, IP packets, mails and the like) on the whitelist are allowed through preferentially and are never rejected, which greatly improves both security and speed.
S112: acquiring the target SYN packet through the driver IO interface.
S12: parsing and reconstructing the target SYN packet through the TCP/IP protocol stack, and forwarding it to the proxy server;
as shown in FIG. 4, S12 further includes the following steps:
S121: parsing the target SYN packet according to the TCP/IP protocol stack, changing its destination address and destination port to the address and port of the proxy server, and recalculating the TCP sequence number;
S122: calculating the checksum of the modified packet and encapsulating it as a SYN redirection packet;
S123: sending the SYN redirection packet to the proxy server through the driver IO;
S124: completing the TCP three-way handshake with the proxy server through the driver IO.
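The SYN rewrite of S121 and S122, as an added Python illustration that is not code from the patent: it builds a constructed IPv4/TCP SYN, rewrites the destination to an assumed proxy address 10.0.0.2:1080, applies an optional sequence-number offset, and recomputes the IP and TCP checksums so the packet is still valid when it reaches the proxy. All addresses, ports and function names are this example's own.

```python
import socket
import struct

# Assumed proxy endpoint and constructed sample flow (not taken from the patent).
PROXY_IP, PROXY_PORT = "10.0.0.2", 1080
APP_IP, APP_PORT = "192.168.1.10", 40000
TARGET_IP, TARGET_PORT = "93.184.216.34", 443


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_checksum(ip_header: bytes) -> int:
    """IPv4 header checksum, computed with the checksum field (bytes 10-11) zeroed."""
    return ones_complement_sum(ip_header[:10] + b"\x00\x00" + ip_header[12:])


def tcp_checksum(src: bytes, dst: bytes, tcp_segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum bytes 16-17 zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp_segment))
    return ones_complement_sum(pseudo + tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:])


def build_syn(src_ip, src_port, dst_ip, dst_port, seq) -> bytes:
    """Construct a minimal IPv4/TCP SYN (no options) with valid checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # ports, seq, ack, data offset (5 words), flags=SYN, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    # version/IHL, TOS, total length, ID, DF flag, TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


def redirect_syn(packet: bytes, proxy_ip: str, proxy_port: int, seq_delta: int = 0) -> bytes:
    """S121/S122: point the SYN at the proxy, adjust the sequence number, recompute checksums."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    if ip[9] != socket.IPPROTO_TCP or not (tcp[13] & 0x02):
        raise ValueError("not a TCP SYN packet")
    ip[16:20] = socket.inet_aton(proxy_ip)          # destination address -> proxy
    struct.pack_into("!H", tcp, 2, proxy_port)       # destination port -> proxy
    seq = struct.unpack_from("!I", tcp, 4)[0]
    struct.pack_into("!I", tcp, 4, (seq + seq_delta) & 0xFFFFFFFF)
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    struct.pack_into("!H", tcp, 16, tcp_checksum(bytes(ip[12:16]), bytes(ip[16:20]), bytes(tcp)))
    return bytes(ip + tcp)


def verify(packet: bytes) -> bool:
    """True when both checksums validate: summing a header that includes its checksum gives 0."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return ones_complement_sum(ip) == 0 and ones_complement_sum(pseudo + tcp) == 0


def parse_dst(packet: bytes):
    """Return (destination IP, destination port) of an IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    return socket.inet_ntoa(packet[16:20]), struct.unpack_from("!H", packet, ihl + 2)[0]


def demo() -> bytes:
    """Build the sample SYN to the target and return its proxy-redirected form."""
    return redirect_syn(build_syn(APP_IP, APP_PORT, TARGET_IP, TARGET_PORT, 1000), PROXY_IP, PROXY_PORT)


if __name__ == "__main__":
    out = demo()
    print(parse_dst(out), "checksums ok:", verify(out))
```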
S13: completing the Socks proxy authentication process with the proxy server;
as shown in FIG. 5, the Socks proxy authentication process of S13 includes the following steps:
S131: completing the method selection of the Socks5 proxy protocol directly with the proxy server through the driver IO;
S132: sending the real destination address of the connection to the proxy server through the driver IO;
S133: the proxy server establishing a connection to the real destination address of the connection and returning whether the connection succeeded.
S14: according to the outcome of the Socks5 negotiation with the proxy server, sending SYN/ACK to complete the TCP three-way handshake with the application and establish the proxy connection, after which the application communicates with the target site through the proxy server.
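The S131 to S133 exchange in message form, as an added Python example that is not part of the patent: it encodes the RFC 1928 method selection and CONNECT request (sending a domain name as ATYP 3 so the proxy resolves it remotely, or a literal IPv4 address as ATYP 1), decodes the proxy's replies, and runs the whole exchange over caller-supplied send/recv callables; the scripted proxy replies used for demonstration are constructed here.

```python
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def method_selection(methods=(NO_AUTH,)) -> bytes:
    """S131: client greeting VER | NMETHODS | METHODS."""
    return struct.pack("!BB", SOCKS_VERSION, len(methods)) + bytes(methods)


def parse_method_reply(data: bytes) -> int:
    """Proxy's chosen method: VER | METHOD (0xFF means nothing offered was acceptable)."""
    ver, method = struct.unpack("!BB", data[:2])
    if ver != SOCKS_VERSION:
        raise ValueError("unexpected SOCKS version %d" % ver)
    if method == NO_ACCEPTABLE:
        raise ValueError("proxy accepted none of the offered methods")
    return method


def connect_request(host: str, port: int) -> bytes:
    """S132: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT carrying the real destination.
    A dotted IPv4 literal goes as ATYP 1; anything else is sent as a domain name (ATYP 3)."""
    try:
        addr = struct.pack("!B4s", ATYP_IPV4, socket.inet_aton(host))
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = struct.pack("!BB", ATYP_DOMAIN, len(name)) + name
    return struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0x00) + addr + struct.pack("!H", port)


def parse_reply(data: bytes):
    """S133: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (rep, bound_host, bound_port)."""
    if len(data) < 4:
        raise ValueError("short reply")
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION:
        raise ValueError("unexpected SOCKS version %d" % ver)
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) < 2:
        raise ValueError("short reply")
    return rep, host, struct.unpack("!H", rest[:2])[0]


def negotiate(send, recv, host, port):
    """Run S131-S133 over any transport given as send(bytes) / recv(n) callables.
    Returns the proxy's bound address on success; raises ConnectionError on a non-zero REP."""
    send(method_selection())
    if parse_method_reply(recv(2)) != NO_AUTH:
        raise ValueError("only the no-authentication method is handled in this example")
    send(connect_request(host, port))
    rep, bhost, bport = parse_reply(recv(262))
    if rep != 0:
        raise ConnectionError("proxy refused: " + REPLY_TEXT.get(rep, "code %d" % rep))
    return bhost, bport


def scripted_exchange(host, port, rep=0):
    """Drive negotiate() against constructed proxy replies; returns (result, messages_sent)."""
    replies = [b"\x05\x00", b"\x05" + bytes([rep]) + b"\x00\x01" + bytes([10, 0, 0, 2]) + b"\x04\x38"]
    sent = []
    result = negotiate(sent.append, lambda n: replies.pop(0), host, port)
    return result, sent


if __name__ == "__main__":
    print(scripted_exchange("example.com", 443))
```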
As shown in FIG. 6, the UDP redirection method specifically includes the following steps:
S21: establishing a UDPtun channel for carrying UDP packets, monitoring local UDP communication, and capturing the target UDP packets;
as shown in FIG. 7, S21 includes the following steps:
S211: the redirection module establishing a UDP data relay port;
S212: the redirection module establishing the TCP-based transport connection UDPtun with the proxy server;
S213: capturing the UDP packets according to the BPF rules and the process blacklist/whitelist, the UDP packets being captured at the network layer and consisting of a UDP transport protocol header and UDP data.
S22: parsing and modifying the target UDP packets according to the TCP/IP protocol stack, then redirecting and forwarding them to the proxy server;
as shown in FIG. 8, S22 includes the following steps:
S221: obtaining a UDP packet through the driver IO interface, and parsing the source IP and source port of the UDP communication according to the TCP/IP protocol stack;
S222: tracking the UDP data relay port by source IP and source port to obtain the UDP transport protocol header constructed from that IP and port, and forwarding the UDP packet down to the UDP data relay port through the driver IO;
S223: after receiving the UDP packet, the UDP data relay port forwarding it to the proxy server through the UDPtun;
S224: the proxy server unpacking the UDP packet according to the UDP transport protocol and forwarding it to the target site.
S23: the proxy server sending the target UDP packets to the target site, which generates and returns UDP response packets;
as shown in FIG. 9, S23 includes the following steps:
S231: the proxy server receiving a UDP response packet from the target site;
S232: the proxy server encapsulating the UDP response packet into a network layer packet according to the UDP transport protocol, and forwarding the network layer packet through the UDPtun;
S233: forwarding the network layer packet to the corresponding application at the network layer through the driver IO.
S24: the proxy server receiving the UDP response packets and forwarding them to the application.
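An added Python example (not the patent's own code) of carrying UDP datagrams over the TCP-based UDPtun of S212 to S232. The patent calls the transport header "self-defined" and does not give its layout, so the 14-byte header assumed here (source IP, source port, destination IP, destination port, payload length) is this example's own; the decoder reassembles frames from a TCP byte stream that arrives in arbitrary chunks, which is the failure mode a stream-over-TCP tunnel has to handle.

```python
import socket
import struct

# Assumed UDPtun framing (not specified by the patent): src ip, src port, dst ip, dst port, length.
HDR = struct.Struct("!4sH4sHH")
MAX_UDP_PAYLOAD = 65507


def frame(src_ip: str, src_port: int, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Encapsulate one captured UDP datagram for transmission through the UDPtun (S222/S223)."""
    if len(payload) > MAX_UDP_PAYLOAD:
        raise ValueError("payload exceeds the maximum UDP payload size")
    return HDR.pack(socket.inet_aton(src_ip), src_port,
                    socket.inet_aton(dst_ip), dst_port, len(payload)) + payload


def reply_frame(request, payload: bytes) -> bytes:
    """S232: wrap a response from the target site with the addresses of the request swapped,
    so the application sees the reply come from the host it sent to."""
    src_ip, src_port, dst_ip, dst_port, _ = request
    return frame(dst_ip, dst_port, src_ip, src_port, payload)


class TunDecoder:
    """Reassemble UDPtun frames from a TCP stream delivered in arbitrary chunks."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk: bytes):
        """Append stream bytes and return every complete frame as
        (src_ip, src_port, dst_ip, dst_port, payload); partial frames stay buffered."""
        self.buf += chunk
        frames = []
        while len(self.buf) >= HDR.size:
            src, sport, dst, dport, n = HDR.unpack_from(self.buf, 0)
            if n > MAX_UDP_PAYLOAD:
                raise ValueError("corrupt frame length %d" % n)
            if len(self.buf) < HDR.size + n:
                break                      # wait for the rest of this frame
            payload = bytes(self.buf[HDR.size:HDR.size + n])
            del self.buf[:HDR.size + n]
            frames.append((socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport, payload))
        return frames


if __name__ == "__main__":
    d = TunDecoder()
    stream = frame("192.168.1.10", 50000, "1.1.1.1", 53, b"query")
    print(d.feed(stream[:7]), d.feed(stream[7:]))
```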
As shown in FIG. 10, the remote DNS redirection method specifically includes the following steps:
S31: capturing all DNS requests according to the BPF rules, and replying with a pseudo IP address in accordance with the DNS protocol;
S32: when the application communicates with the pseudo IP address, replacing the pseudo IP address with the real domain name;
S33: when the target network packet flow is transferred to the proxy server, applying different processing according to the transport layer protocol;
S34: when the proxy server establishes communication with the target site of the specified domain name, the DNS client on the proxy server's side resolving the domain name to obtain the real IP address.
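The pseudo-IP mechanism of S31 and S32 as an added Python example, not code from the patent: it parses an A query captured from the application, allocates a pseudo IP for the queried name from an assumed reserved pool (198.18.0.0/16 is this example's choice; the patent names no range), builds the DNS response, and later maps a pseudo destination IP back to the domain name that a Socks5 CONNECT would carry for remote resolution. The query bytes are constructed inline.

```python
import ipaddress
import struct


class FakeIPPool:
    """Hand out pseudo IPs from an assumed reserved range and keep both directions of the map."""

    def __init__(self, network="198.18.0.0/16"):
        self._hosts = ipaddress.ip_network(network).hosts()
        self.by_name, self.by_ip = {}, {}

    def lookup(self, name: str) -> str:
        name = name.lower().rstrip(".")
        ip = self.by_name.get(name)
        if ip is None:
            ip = str(next(self._hosts))       # StopIteration when the pool is exhausted
            self.by_name[name], self.by_ip[ip] = ip, name
        return ip

    def real_name(self, ip: str):
        return self.by_ip.get(ip)


def _read_name(msg: bytes, off: int):
    """Decode a DNS name at offset off, following a compression pointer if present."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            name, _ = _read_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a standard recursive query for name (used here as the captured request)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_query(msg: bytes):
    """Return (txid, qname, qtype, qclass, raw question section) of a single-question query."""
    txid, flags, qd, _, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    qname, off = _read_name(msg, 12)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    return txid, qname, qtype, qclass, msg[12:off + 4]


def answer_query(msg: bytes, pool: FakeIPPool, ttl: int = 60) -> bytes:
    """S31: answer an IN A query with a pseudo IP. Other types (e.g. AAAA) get an empty
    NOERROR answer in this example so the client proceeds with the pseudo IPv4 address."""
    txid, qname, qtype, qclass, question = parse_query(msg)
    flags = 0x8180                                     # response, RD, RA, NOERROR
    if qtype == 1 and qclass == 1:
        rdata = ipaddress.IPv4Address(pool.lookup(qname)).packed
        rr = b"\xc0\x0c" + struct.pack("!HHIH4s", 1, 1, ttl, 4, rdata)   # name pointer to offset 12
        return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + rr
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


def first_a_record(resp: bytes):
    """Extract the first A record address from a response, or None."""
    _, _, _, an, _, _ = struct.unpack_from("!HHHHHH", resp, 0)
    _, off = _read_name(resp, 12)
    off += 4                                           # skip QTYPE/QCLASS
    for _ in range(an):
        _, off = _read_name(resp, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        if rtype == 1:
            return str(ipaddress.IPv4Address(resp[off:off + 4]))
        off += rdlen
    return None


def resolve_destination(pool: FakeIPPool, dst_ip: str, dst_port: int):
    """S32: when a flow targets a pseudo IP, substitute the real domain name for the
    proxy to resolve; real addresses pass through unchanged."""
    name = pool.real_name(dst_ip)
    return (name if name is not None else dst_ip), dst_port


if __name__ == "__main__":
    pool = FakeIPPool()
    resp = answer_query(build_query("example.com"), pool)
    print(first_a_record(resp), resolve_destination(pool, first_a_record(resp), 443))
```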
The present invention further provides a redirection module, as shown in fig. 11, including:
the WFP driving module 1 is set to carry out filtering processing on a specified network communication process, an IP address, a communication port and a protocol target network data packet; the WFP driving module 1 implements checking and filtering on the specified network communication process through callouses registered with FWPM _ LAYER _ ALE _ AUTH _ CONNECT _ V4/6, and performs prefiltering processing on the specified IP address, communication port and protocol target network data packet by using Berkeley packet filtering rules through callouses registered with FWPM _ LAYER _ INBOUND _ IPPACKET _ V4/6 and FWPM _ LAYER _ IPFORWARD _ V4/6. The WFP driving module 1 adopts a double-layer design to realize the differentiation based on processes, source/destination IPs, ports and communication protocols. And taking different processing measures according to different redirection rules. The WFP driving module 1 adopts a double-layer design to support BPF rule filtering and operation, so that the network communication leakage-proof treatment can be realized. And meanwhile, the application and implementation of various ACL access control rules are supported.
The TCP/IP protocol decapsulation module 2 is configured to set the pre-filtering rules on the WFP driver module 1, parse the target network packets, and forward them. Setting the pre-filtering rules means configuring the WFP driver module 1 to capture and intercept by network communication process, IP address, communication port and protocol. Parsing the target network packet means obtaining the captured packet through the physical interface layer and parsing and reconstructing it according to the TCP/IP protocol stack. Forwarding the target network packet means forwarding the various custom protocol packets through the specified physical interface card.
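The parse, rewrite and re-checksum step of this module (claim 4, steps s121 and s122, gives the detail), as an added Python example that is not the patent's code: it changes a captured SYN's destination to the proxy and recomputes the IPv4 header and TCP checksums, which is the part most often got wrong in a transparent redirector because the TCP checksum covers a pseudo-header containing the very addresses being rewritten. The patent says the TCP sequence number is recalculated but not how; the `seq_delta` parameter is an assumption, taken as the number of bytes the driver itself has already sent on the proxy connection during the Socks5 negotiation, which is what application-side sequence numbers must be shifted by when that negotiation happens before the application's SYN is answered. The names `rewrite_tcp`, `build_syn` and `verify` are this example's own.

```python
"""Rewrite a captured SYN toward the proxy and fix its checksums.

Added example, not the patent's code.  `seq_delta` is an assumption (see lead-in);
the patent only states that the sequence number is recalculated.
"""
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over `data` (odd length is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum covers the IPv4 pseudo-header (src, dst, zero, proto 6, length)."""
    pseudo = bytes(src) + bytes(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + bytes(segment))


def rewrite_tcp(pkt: bytes, new_dst_ip: str, new_dst_port: int, seq_delta: int = 0) -> bytes:
    """Return `pkt` (IPv4+TCP) with destination and sequence number changed, checksums fixed."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    ip = bytearray(pkt[:ihl])
    tcp = bytearray(pkt[ihl:])
    # s121: destination address/port -> proxy, sequence number recalculated (mod 2^32)
    ip[16:20] = ipaddress.IPv4Address(new_dst_ip).packed
    struct.pack_into("!H", tcp, 2, new_dst_port)
    seq = struct.unpack_from("!I", tcp, 4)[0]
    struct.pack_into("!I", tcp, 4, (seq + seq_delta) & 0xFFFFFFFF)
    # s122: zero the checksum fields, then recompute IP header and TCP checksums
    struct.pack_into("!H", ip, 10, 0)
    struct.pack_into("!H", ip, 10, ones_complement_sum(bytes(ip)))
    struct.pack_into("!H", tcp, 16, 0)
    struct.pack_into("!H", tcp, 16, tcp_checksum(ip[12:16], ip[16:20], tcp))
    return bytes(ip) + bytes(tcp)


def verify(pkt: bytes) -> bool:
    """Both checksums verify when the one's-complement sum over the covered bytes is 0."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    return ones_complement_sum(ip) == 0 and tcp_checksum(ip[12:16], ip[16:20], tcp) == 0


def build_syn(src_ip, src_port, dst_ip, dst_port, seq, ident=0x1234) -> bytes:
    """Construct a minimal SYN with no options (constructed sample input)."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x02, 65535, 0, 0))
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    struct.pack_into("!H", tcp, 16, tcp_checksum(src, dst, tcp))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000, 64, 6, 0, src, dst))
    struct.pack_into("!H", ip, 10, ones_complement_sum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


def dst_of(pkt: bytes):
    """(destination IP, destination port) of an IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return str(ipaddress.IPv4Address(pkt[16:20])), struct.unpack_from("!H", pkt, ihl + 2)[0]


def seq_of(pkt: bytes) -> int:
    """Sequence number of an IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack_from("!I", pkt, ihl + 4)[0]
```

The same translation has to be applied in the other direction on proxy-to-application segments (acknowledgement numbers shifted back by the driver's own bytes, sequence numbers by the proxy's negotiation replies), otherwise the application's stack sees a gap and stalls; the SYN itself is sent with a zero delta because nothing has been exchanged yet.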
The redirection service module 3 is configured to establish a session with the proxy server according to the Socks5 proxy protocol, implement TCP, UDP and DNS proxy forwarding on top of Socks5, and thereby complete TCP redirection, UDP redirection and remote DNS redirection of the target network packets. The redirection service module 3 and the WFP driver module 1 exchange data by direct memory copy, so that the performance cost of traversing the conventional TCP/IP protocol stack is reduced as far as possible. For TCP, the redirection service module 3 captures every SYN request directly through the WFP driver module 1 and rewrites it into a standard Socks5 proxy protocol packet; the redirection is transparent to the application and is compatible with the application software currently on the market. For DNS, the driver answers the request directly with an address from a pseudo IP range; when the application then accesses data through the pseudo IP, the domain name is substituted back in and carried to the exit side for resolution, which reduces the access bottleneck caused by slow or polluted DNS resolution. For UDP, forwarding uses a custom protocol proxy, which addresses the lack of UDP support in most redirection software on the market.
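The custom UDP forwarding protocol mentioned here (the TCP-based UDPtun of claims 7 to 9), as an added Python example that is not the patent's code. The patent says the tunnel carries a header built from the IP and port plus the UDP data but defines no wire format, so the frame layout (2-byte length, then IPv4 source and destination address and port, then the payload) is an assumption, as are the names `Frame`, `encode_frame` and `FrameDecoder`. The part worth seeing is the decoder: UDPtun runs over TCP, a byte stream, so datagram boundaries must be carried explicitly and the receiver must cope with frames split or merged across read() calls; a decoder that assumes one read() equals one datagram silently corrupts traffic under load.

```python
"""Frame UDP datagrams over the TCP-based UDPtun, handling TCP stream boundaries.

Added example, not the patent's code.  The wire format is an assumption:
  u16 length | src IPv4 | u16 src port | dst IPv4 | u16 dst port | payload
"""
import ipaddress
import struct
from collections import namedtuple

Frame = namedtuple("Frame", "src_ip src_port dst_ip dst_port payload")
HDR = struct.Struct("!4sH4sH")          # assumed UDPtun header: src ip/port, dst ip/port
MAX_FRAME = 0xFFFF                      # bounded by the 2-byte length prefix


def encode_frame(f: Frame) -> bytes:
    """s222/s223: wrap one datagram (addresses + data) as a length-prefixed UDPtun frame."""
    body = HDR.pack(ipaddress.IPv4Address(f.src_ip).packed, f.src_port,
                    ipaddress.IPv4Address(f.dst_ip).packed, f.dst_port) + f.payload
    if len(body) > MAX_FRAME:
        raise ValueError("datagram too large for a UDPtun frame")
    return struct.pack("!H", len(body)) + body


class FrameDecoder:
    """Incremental decoder: feed() arbitrary TCP read() chunks, get back whole frames."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes):
        self._buf += chunk
        frames = []
        while len(self._buf) >= 2:
            n = struct.unpack_from("!H", self._buf, 0)[0]
            if n < HDR.size:
                raise ValueError("frame shorter than the UDPtun header")
            if len(self._buf) < 2 + n:
                break                       # partial frame: wait for more bytes
            body = bytes(self._buf[2:2 + n])
            del self._buf[:2 + n]
            s_ip, s_port, d_ip, d_port = HDR.unpack_from(body, 0)
            frames.append(Frame(str(ipaddress.IPv4Address(s_ip)), s_port,
                                str(ipaddress.IPv4Address(d_ip)), d_port, body[HDR.size:]))
        return frames


def reply_frame(request: Frame, payload: bytes) -> Frame:
    """s232: the proxy's response frame swaps the addresses, so the driver knows which
    application socket (the original source ip/port) the datagram is delivered to (s233)."""
    return Frame(request.dst_ip, request.dst_port, request.src_ip, request.src_port, payload)


def tunnel_roundtrip(frames, chunk_size):
    """Push encoded frames through a decoder in chunk_size pieces; returns decoded frames.
    Simulates TCP delivering the stream in arbitrary read() sizes."""
    stream = b"".join(encode_frame(f) for f in frames)
    dec = FrameDecoder()
    out = []
    for i in range(0, len(stream), chunk_size):
        out.extend(dec.feed(stream[i:i + chunk_size]))
    return out
```

The length check against `HDR.size` matters: a frame whose declared length is shorter than the header would otherwise make `unpack_from` fail on the peer's input, so a malformed or truncated frame is rejected before it can desynchronise the stream.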
The invention also proposes a computing device comprising a processor and a storage medium containing computer program instructions, the processor implementing the above method by executing those instructions.
In summary, the present invention provides a method for network communication security redirection which first filters the target packets of a specified network communication by process, IP address, port and protocol through a layered WFP driver design and picks out the target network packets; configures capture and interception based on process, IP address, port and protocol, captures the target network packets, parses and reconstructs them according to the TCP/IP protocol stack, and encapsulates and forwards them; establishes communication with a proxy server according to the Socks5 proxy protocol; and has the proxy server perform redirection proxy forwarding of the target network packets based on Socks5, thereby implementing TCP redirection, UDP redirection and remote DNS redirection. The method uses a layered network driver to intercept the traffic of a specified process and source/destination address, and parses and steers the data through a TCP/IP protocol emulation layer. It thus better resolves the limitations of existing redirection techniques in steering scope and functional extension, lets users customize a network security redirection function quickly and conveniently, supports flexible application based on process, source/destination address and a global or local proxy, and is less constrained by the security policy of the operating system.
A redirection module is also provided. Its WFP driver uses a two-layer design to differentiate traffic by process, source/destination IP, port and communication protocol, and applies different handling according to the redirection rules. The redirection service module 3 and the WFP driver module 1 exchange data by direct memory copy, so that the performance cost of traversing the conventional TCP/IP protocol stack is reduced as far as possible. For TCP, the redirection service module 3 captures every SYN request directly through the WFP driver module 1 and rewrites it into a standard Socks5 proxy protocol packet; the redirection is transparent to the application and compatible with the application software currently on the market. For DNS, the driver answers the request directly with an address from a pseudo IP range; when the application then accesses data through the pseudo IP, the domain name is substituted back in and carried to the exit side for resolution, reducing the access bottleneck caused by slow or polluted DNS resolution. For UDP, forwarding uses a custom protocol proxy, addressing the lack of UDP support in most redirection software on the market. Because the two-layer WFP driver design supports BPF rule filtering and operation, network communication leak prevention can be implemented, and various ACL access control rules can be applied and enforced.
It will be apparent to those skilled in the art that various modifications and variations can be made to the embodiments of the present invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to cover them as well. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage. Any reference signs in the claims shall not be construed as limiting the scope.

Claims (15)

1. A method for secure redirection of network traffic, comprising the steps of:
s1: the method comprises the steps of achieving filtering of a process, an IP address, a port and a protocol target data packet of specified network communication through WFP driven hierarchical design, performing pre-filtering processing on the process, the IP address, the port and the protocol target data packet by adopting BPF rules to filter out the target network data packet, wherein the WFP driven hierarchical design comprises the steps of achieving checking and filtering of the process of the network communication through calls which register FWPM _ LAYER _ ALE _ AUTH _ CONNECT _ V4/6, and performing pre-filtering processing on the IP address, the port and the protocol target data packet through calls which register FWPM _ LAYER _ INBOUND _ IPPACKET _ V4/6 and FWPM _ LAYER _ IPFORWARD _ V4/6;
s2: setting capture and interception based on the process, the IP address, the port and the protocol, capturing the target network data packet, analyzing and restoring according to a TCP/IP protocol stack, and packaging and forwarding the target network data packet;
s3: establishing communication with a proxy server according to a Socks5 proxy protocol;
s4: and carrying out redirection proxy forwarding on the target network data packet through the proxy server based on a Socks5 proxy protocol, so as to realize TCP redirection, UDP redirection and remote DNS redirection.
2. The method for secure redirection of network traffic according to claim 1, wherein the TCP redirection specifically comprises the following steps:
s11: capturing and pre-filtering the target SYN packet sent by the application, establishing a connection with the proxy server, and completing establishment of the TCP proxy connection;
s12: parsing and reconstructing the target SYN packet through the TCP/IP protocol stack and forwarding it to the proxy server;
s13: completing the Socks proxy authentication procedure with the proxy server;
s14: according to the result of the Socks5 negotiation with the proxy server, sending SYN/ACK to the application and completing the TCP three-way handshake with it to establish the proxy connection, after which the application communicates with the target site through the proxy server.
3. The method for secure redirection of network traffic according to claim 2, wherein said s11 comprises the following steps:
s111: capturing the target SYN packet according to BPF rules and the process blacklist/whitelist;
s112: obtaining the target SYN packet through the driver IO interface.
4. The method for secure redirection of network traffic according to claim 3, wherein said s12 comprises the following steps:
s121: parsing the target SYN packet according to the TCP/IP protocol stack, changing its destination address and destination port to the address and port of the proxy server, and recalculating the TCP sequence number;
s122: calculating the checksum of the modified packet and encapsulating it into a SYN redirection packet;
s123: sending the SYN redirection packet to the proxy server through the driver IO;
s124: completing the TCP three-way handshake with the proxy server through the driver IO.
5. The method for secure redirection of network traffic according to claim 3, wherein the Socks proxy authentication procedure of s13 comprises the following steps:
s131: completing the Method selection of the Socks5 proxy protocol with the proxy server directly through the driver IO;
s132: sending the real destination address of the connection to the proxy server through the driver IO;
s133: the proxy server establishing a connection to the real destination address and returning whether the connection succeeded.
6. The method for secure redirection of network traffic according to claim 3, wherein the UDP redirection specifically comprises the following steps:
s21: establishing a UDPtun channel for carrying UDP packets, monitoring local UDP communication, and capturing the target UDP packets;
s22: parsing and modifying the target UDP packet according to the TCP/IP protocol stack, then redirecting and forwarding it to the proxy server;
s23: the proxy server sending the target UDP packet to the target site, and the target site generating and returning a UDP response packet;
s24: the proxy server receiving the UDP response packet and forwarding it to the application.
7. The method for secure redirection of network traffic according to claim 6, wherein said s21 comprises the following steps:
s211: the redirection module establishing a UDP data relay port;
s212: the redirection module establishing the TCP-based transport connection UDPtun with the proxy server;
s213: capturing UDP packets according to BPF rules and the process blacklist/whitelist, wherein the UDP packets are captured at the network layer and comprise the UDP transport protocol header and the UDP data.
8. The method for secure redirection of network traffic according to claim 7, wherein said s22 comprises the following steps:
s221: obtaining the UDP packet through the driver IO interface and parsing the source IP and source port of the UDP communication according to the TCP/IP protocol stack;
s222: listening on the UDP data relay port by that source IP and source port, constructing a UDP transport protocol header from the IP and port, and forwarding the UDP packet down to the UDP data relay port through the driver IO;
s223: after receiving the UDP packet, the UDP data relay port forwarding it to the proxy server through the UDPtun;
s224: the proxy server unpacking the UDP packet according to the UDP transport protocol and forwarding it to the target site.
9. The method for secure redirection of network traffic according to claim 8, wherein said s23 comprises the following steps:
s231: the proxy server receiving the UDP response packet from the target site;
s232: the proxy server encapsulating the UDP response packet into a network layer packet according to the UDP transport protocol and forwarding it through the UDPtun;
s233: forwarding the network layer packet to the corresponding application at the network layer through the driver IO.
10. The method for secure redirection of network traffic according to claim 2, wherein the remote DNS redirection specifically comprises the following steps:
s31: capturing all DNS requests according to BPF rules and replying with a pseudo IP address in accordance with the DNS protocol;
s32: when the application communicates with the pseudo IP address, replacing the pseudo IP address with the real domain name;
s33: when the target network packet flow is diverted to the proxy server, applying different handling according to the transport layer protocol;
s34: when the proxy server establishes communication with the target site under the specified domain name, the DNS client on the proxy server side resolves the domain name to obtain the real IP address.
11. A redirection module, comprising:
a WFP driver module configured to filter target network packets by a specified network communication process, IP address, communication port and protocol, wherein the WFP driver module checks and filters the specified network communication process through callouts registered at FWPM_LAYER_ALE_AUTH_CONNECT_V4/V6, and pre-filters target network packets by the specified IP address, communication port and protocol with Berkeley Packet Filter rules through callouts registered at FWPM_LAYER_INBOUND_IPPACKET_V4/V6 and FWPM_LAYER_IPFORWARD_V4/V6;
a TCP/IP protocol decapsulation module configured to set the pre-filtering rules on the WFP driver module, parse the target network packets, and forward them;
and a redirection service module configured to establish a session with a proxy server according to the Socks5 proxy protocol, implement TCP, UDP and DNS proxy forwarding based on the Socks5 proxy protocol, and complete TCP redirection, UDP redirection and remote DNS redirection of the target network packets.
12. The redirection module according to claim 11, wherein setting the pre-filtering rules comprises configuring the WFP driver module to capture and intercept based on the network communication process, IP address, communication port and protocol.
13. The redirection module according to claim 11, wherein parsing the target network packet comprises obtaining the captured target network packet through a physical interface layer and parsing and reconstructing it according to the TCP/IP protocol stack.
14. The redirection module according to claim 11, wherein forwarding the target network packet comprises forwarding various custom protocol packets through a designated physical interface card.
15. A computing device comprising a processor and a storage medium, the storage medium containing computer program instructions, the processor implementing the method of any one of claims 1 to 10 by executing the computer program instructions.
CN201811186641.5A 2018-10-12 2018-10-12 Method and device for network security redirection Active CN109347817B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811186641.5A CN109347817B (en) 2018-10-12 2018-10-12 Method and device for network security redirection

Publications (2)

Publication Number Publication Date
CN109347817A CN109347817A (en) 2019-02-15
CN109347817B true CN109347817B (en) 2021-06-25

Family

ID=65309168

Country Status (1)

Country Link
CN (1) CN109347817B (en)

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110448892B (en) * 2019-07-18 2023-08-22 江西中业光文化科技有限公司 Game realization method and system based on augmented reality
CN110417771B (en) * 2019-07-25 2021-07-09 福建天晴在线互动科技有限公司 Method for automatically intercepting Windows automatic update through driving
CN110535718A (en) * 2019-08-19 2019-12-03 福建天晴在线互动科技有限公司 A kind of plug-in behavior monitoring method of game based on HTTP flow URI feature
CN110465094A (en) * 2019-08-19 2019-11-19 福建天晴在线互动科技有限公司 A kind of plug-in detection method of game based on IP port diagnostic
CN110535719B (en) * 2019-08-19 2021-07-27 福建天晴在线互动科技有限公司 Game plug-in behavior monitoring method based on DNS flow characteristics
CN110602192A (en) * 2019-08-30 2019-12-20 北京谷数科技有限公司 Method for expanding network communication capability of storage cluster system
CN110808990B (en) * 2019-11-08 2021-11-05 北京明朝万达科技股份有限公司 Mail transmission method, device, electronic equipment and computer readable storage medium
CN110891008A (en) * 2019-11-21 2020-03-17 成都云智天下科技股份有限公司 IP proxy method based on L2TP/IPSEC
CN110855705A (en) * 2019-11-23 2020-02-28 赣南师范大学 Non-port hidden communication method facing network attack and protection
CN111193773B (en) * 2019-12-06 2022-12-09 腾讯云计算(北京)有限责任公司 Load balancing method, device, equipment and storage medium
CN111930078B (en) * 2020-06-21 2024-04-19 中国舰船研究设计中心 Network testing device for nuclear control system
CN111787110B (en) * 2020-07-03 2023-03-31 国网湖北省电力有限公司 Socks proxy discovery method and system
CN111917730A (en) * 2020-07-10 2020-11-10 浙江邦盛科技有限公司 HTTP bypass flow-based machine behavior analysis method
CN112653609B (en) * 2020-12-14 2022-05-27 北京指掌易科技有限公司 VPN identification application method, device, terminal and storage medium
CN112491927B (en) * 2020-12-15 2022-12-02 厦门市美亚柏科信息股份有限公司 Method and system for bypassing network port shielding
CN114697440B (en) * 2020-12-30 2023-08-29 成都鼎桥通信技术有限公司 Network management method and mobile terminal
CN112887444A (en) * 2021-01-19 2021-06-01 网宿科技股份有限公司 VPN (virtual private network) request processing method, client device and system
CN113194102B (en) * 2021-05-19 2023-11-21 苏州瑞立思科技有限公司 ICMP (information and communication protocol) back message transmission method based on port
CN113271235B (en) * 2021-05-21 2022-10-18 山石网科通信技术股份有限公司 Fuzzy test method and device for network traffic, storage medium and processor
CN113452686B (en) * 2021-06-23 2022-10-18 中移(杭州)信息技术有限公司 Data processing method, data processing device, proxy server and storage medium
CN113472873B (en) * 2021-06-25 2023-05-26 惠州高盛达科技有限公司 Method for fixing pseudo IP address to access router homepage
CN113965577B (en) * 2021-08-31 2024-02-27 联通沃音乐文化有限公司 System and method for intelligently switching Socks5 proxy server nodes
CN114401245B (en) * 2021-12-22 2024-03-22 上海网基科技有限公司 Method, device, computer equipment and storage medium for realizing high-performance DNS service
CN114401243B (en) * 2022-03-23 2022-06-28 北京指掌易科技有限公司 Data packet sending method, device, equipment and medium
CN115037594B (en) * 2022-06-06 2024-06-21 湖南匡安网络技术有限公司 Transparent proxy method and system based on data packet redirection
CN115549980B (en) * 2022-09-13 2023-04-18 应急管理部大数据中心 Network flow auditing device and method for protocol re-editing
CN116545978B (en) * 2023-05-16 2024-05-17 深圳市石犀科技有限公司 Data processing method, device and system, readable storage medium and import network card

Citations (6)

Publication number Priority date Publication date Assignee Title
CN101197711A (en) * 2007-12-06 2008-06-11 华为技术有限公司 Method, device and system for implementing unified authentication management
CN101729543A (en) * 2009-12-04 2010-06-09 同济大学 Method for improving performance of mobile SSL VPN by utilizing remote Socks5 technology
CN201657020U (en) * 2009-12-04 2010-11-24 同济大学 Mobile SSL VPN system based on remote Socks 5 agent
CN102195972A (en) * 2011-03-24 2011-09-21 北京思创银联科技股份有限公司 Method for intercepting network data by using WFP (Windows Filter Platform)
CN104022924A (en) * 2014-07-02 2014-09-03 浪潮电子信息产业股份有限公司 Method for detecting HTTP (hyper text transfer protocol) communication content
CN104767748A (en) * 2015-03-30 2015-07-08 西北工业大学 OPC server safety defending system

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US7529241B2 (en) * 2005-12-20 2009-05-05 Matsushita Electric Works, Ltd. Systems and methods for providing a network bridge for UDP multicast traffic

Also Published As

Publication number Publication date
CN109347817A (en) 2019-02-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant