CN109842595A - Prevent the method and device of network attack - Google Patents


Info

Publication number
CN109842595A
Authority
CN
China
Prior art keywords
data packet
data
module
packet
network attack
Prior art date
Legal status
Pending
Application number
CN201711216740.9A
Other languages
Chinese (zh)
Inventor
汪家祥
张春龙
陈宁
Current Assignee
Zhongtian Aetna (beijing) Information Technology Co Ltd
Original Assignee
Zhongtian Aetna (beijing) Information Technology Co Ltd
Priority date
Application filed by Zhongtian Aetna (beijing) Information Technology Co Ltd
Priority to CN201711216740.9A
Publication of CN109842595A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and device for preventing network attacks. The method comprises: receiving a data packet; parsing one or more pieces of feature data from the data packet according to a preset algorithm; initiating legitimacy authentication of the data packet according to the feature data; and discarding the data packet when authentication fails. In the invention, the computing device acting as the recipient initiates the series of authentications described in the embodiments, which ensures that every data packet entering the computing device was built by the dedicated packet transformation, and so effectively prevents spoofed-IP attacks, DoS flood attacks and the like.

Description

Prevent the method and device of network attack
Technical field
The invention belongs to the field of information security, and in particular relates to a method and device for preventing network attacks.
Background technique
Data have proven to be one of an enterprise's essential assets, and the rapid growth of data confronts enterprises with unprecedented challenges. Data security refers primarily to the security of data stored on terminals/servers, the security of data in use, and the security of data exchanged between devices. For the security of data exchange, the mainstream technique at present is encryption/decryption processing based on cryptographic algorithms.
The security of encryption/decryption depends on the complexity of the algorithm and on whether the key is kept properly. With the appearance of 32-, 64- and 128-bit encryption algorithms the difficulty of breaking a cipher has increased greatly, but the key factors in whether it is broken are still time and cost, and both are controlled by the attacker. A user of an encryption/decryption algorithm therefore cannot conclude that its exchanged data have not been intercepted by an attacker, so the prior art lacks a strategy that effectively protects the security of exchanged data.
Summary of the invention
In view of this, an object of the invention is a method and device for preventing network attacks, so as to solve the problem of the security of exchanged data and of the interacting devices in the prior art.
In some illustrative embodiments, the method for preventing network attacks comprises: receiving a data packet; parsing one or more pieces of feature data from the data packet according to a preset algorithm; initiating legitimacy authentication of the data packet according to the feature data; and discarding the data packet when authentication fails.
In some preferred embodiments, parsing one or more pieces of feature data from the data packet according to the preset algorithm comprises: extracting the protocol number from the IP header of the data packet; and initiating legitimacy authentication of the data packet according to the feature data comprises: judging whether the protocol number is the preset non-standard protocol number; if not, the legitimacy authentication of the data packet has failed.
In some preferred embodiments, parsing one or more pieces of feature data from the data packet according to the preset algorithm comprises: parsing the data in a first specific field of the data segment of the data packet; and initiating legitimacy authentication of the data packet according to the feature data comprises: judging whether the data in the first specific field is consistent with a preconfigured sequence number value; if not, the legitimacy authentication of the data packet has failed.
In some preferred embodiments, parsing one or more pieces of feature data from the data packet according to the preset algorithm further comprises: parsing the data in a second specific field of the data segment of the data packet; and initiating legitimacy authentication of the data packet according to the feature data comprises: computing the hash of the IP header of the data packet and of the first specific field in the data segment; judging whether the computed hash is consistent with the data in the second specific field; if not, the legitimacy authentication of the data packet has failed.
In some preferred embodiments, parsing one or more pieces of feature data from the data packet according to the preset algorithm comprises decrypting the data packet.
Another object of the invention is to propose a device for preventing network attacks, so as to solve the problems existing in the prior art.
In some illustrative embodiments, the device for preventing network attacks comprises: a receiving module for receiving a data packet; a parsing module for parsing one or more pieces of feature data from the data packet according to a preset algorithm; an auditing module for initiating legitimacy authentication of the data packet according to the feature data; and a removal module for discarding the data packet when authentication fails.
In some preferred embodiments, the parsing module comprises a first parsing sub-module for extracting the protocol number from the IP header of the data packet, and the auditing module comprises a first auditing sub-module for judging whether the protocol number is the preset non-standard protocol number; if not, the legitimacy authentication of the data packet has failed.
In some preferred embodiments, the parsing module comprises a second parsing sub-module for parsing the data in a first specific field of the data segment of the data packet, and the auditing module comprises a second auditing sub-module for judging whether the data in the first specific field is consistent with a preconfigured sequence number value; if not, the legitimacy authentication of the data packet has failed.
In some preferred embodiments, the parsing module comprises a third parsing sub-module for parsing the data in a second specific field of the data segment of the data packet, and the auditing module comprises a third auditing sub-module for computing the hash of the IP header of the data packet and of the first specific field in the data segment, and judging whether the computed hash is consistent with the data in the second specific field; if not, the legitimacy authentication of the data packet has failed.
In some preferred embodiments, the parsing module further comprises a decryption module for decrypting the data packet.
Compared with the prior art, the invention has the following advantages:
In the invention the computing device acting as the recipient initiates the series of authentications described in the embodiments above, which ensures that every data packet entering the computing device was built by the dedicated packet transformation, and so can effectively prevent spoofed-IP attacks, DoS flood attacks and the like.
Detailed description of the invention
The drawings described here are provided for a further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their description are used to explain the invention and do not constitute improper limitations on it. In the drawings:
Fig. 1 is the flow chart of the communication uplink data reconstruction method in the invention;
Fig. 2 is the first exemplary flow chart of the communication uplink data reconstruction method in the invention;
Fig. 3 is the second exemplary flow chart of the communication uplink data reconstruction method in the invention;
Fig. 4 is the third exemplary flow chart of the communication uplink data reconstruction method in the invention;
Fig. 5 is the structural block diagram of the communication uplink data reconstruction component in the invention;
Fig. 6 is the flow chart of the communication downlink data reconstruction method in the invention;
Fig. 7 is the first exemplary flow chart of the communication downlink data reconstruction method in the invention;
Fig. 8 is the second exemplary flow chart of the communication downlink data reconstruction method in the invention;
Fig. 9 is the third exemplary flow chart of the communication downlink data reconstruction method in the invention;
Fig. 10 is the structural block diagram of the communication downlink data reconstruction component in the invention;
Fig. 11 is the flow chart of the method for preventing network attacks in the invention;
Fig. 12 is the structural block diagram of the device for preventing network attacks in the invention;
Fig. 13 is the flow chart of the secure communication method in the invention.
Specific embodiment
The following description and drawings fully show specific embodiments of the invention so that those skilled in the art can practise them. Other embodiments may include structural, logical, electrical, process and other changes. The embodiments represent only possible variations. Unless explicitly required, individual components and functions are optional, and the order of operations may vary. Parts and features of some embodiments may be included in or substituted for those of other embodiments. The scope of the embodiments of the invention includes the entire scope of the claims and all available equivalents of the claims. Herein, these embodiments of the invention may be referred to individually or collectively by the term "invention"; this is merely for convenience and, if more than one invention is in fact disclosed, is not meant to limit the scope of the application automatically to any single invention or inventive concept.
In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. Those skilled in the art will understand, however, that the invention may be practised without these specific details. In addition, well-known methods, processes, components, structures, circuits and other features are not described in detail, in order to avoid unnecessarily obscuring the main idea of the invention.
The terms "communication uplink data" and "communication downlink data" are used with respect to an independent network device (such as a terminal PC, a server or another non-intermediate device that supports communication and has functions such as data sending/receiving, data storage and data use): "communication uplink data" are the data the device sends out, and "communication downlink data" are the data the device receives. The term "dedicated network" is used with respect to the network devices that exchange data; for example, if a terminal PC and a server exchange data by the method shown in the embodiments of the invention, then the terminal PC and the server together constitute a dedicated network of two devices.
As used in the claims, unless otherwise noted, the ordinal adjectives "first", "second", "third" and so on used to describe elements/structures/signals/data merely indicate a particular instance of an element/structure/signal/data or different instances of similar elements/structures/signals/data, and are not intended to imply that the elements/structures/signals/data so described must be in a particular sequence, whether temporally, spatially or in any other manner.
To help those skilled in the art understand the invention more quickly, its main idea is briefly explained here. In a conventional communication mode, a device in the network (such as a terminal) continuously monitors the data stream in the network, intercepts it and parses the target IP address from it; if the target IP address is the device's own IP address, the data stream is passed to the device's next processing stage and the data content is obtained; otherwise, if the target IP address is not the device's own, the data stream is removed directly from the cache, that is, discarded. Out of consideration for data security, existing security measures may, besides checking the target IP address, also identify and authenticate the source IP address in the data stream (the original initiator of the stream), recognising whether the access was initiated by a registered/authorised device: if so, the stream is accepted and passed to the next stage; if not, it is discarded. A spoofed-IP-address attack is an attack pattern aimed at exactly this security strategy: the attacker has obtained the IP address of an authenticated/authorised device by some means and, before sending the attack packet, changes its own source address to the IP address of the authorised device, so that the packet enters the target device and produces its attack effect. In view of this problem, the invention proposes a security strategy of reconstructing the data stream (such as data packets): by transforming conventional data packets into dedicated-network data packets, a dedicated-network device can prevent its packets from being intercepted and decoded by other devices, and by applying several authentication strategies to dedicated-network packets when receiving them, it can prevent the harm of multiple network attacks such as IP spoofing and flood attacks.
Referring now to Fig. 1, which shows the flow chart of the method of the invention for transforming general communication uplink data into dedicated-network communication uplink data. As shown in the figure, the disclosed communication uplink data reconstruction method may perform the following steps:
Step S11. obtain a first data packet;
The first data packet may be the conventional data packet (i.e. the raw data packet) generated by the computing device for sending outside the device. The packet consists of an IP header and a data segment; the IP header contains at least the source IP address of this device, the target IP address of the target device, and the protocol number that indicates the target device's response mode and other instruction information (for example 6 for TCP and 17 for UDP);
Step S12. retrieve one or more pieces of feature data corresponding to the first data packet;
This step may match preset feature data by parsing the information in the IP header; for example, the target IP address may be used to match the sequence number value preset for this data packet, the non-standard protocol number in use, and the check value obtained by computation;
Step S13. recombine the structure of the first data packet according to the feature data to obtain a second data packet;
The second data packet may be the dedicated data packet produced after the "recombination" operation of the invention has transformed the raw data packet. The dedicated packet likewise contains an IP header and a data segment, but the content/structure of the IP header and data segment has been changed: for example, one or more feature fields are appended to the data segment. In the "recombination" logic each feature field may store the feature data retrieved in step S12, and during recombination the raw data segment of the raw packet and the appended feature fields are combined in a specific structure to obtain the dedicated packet.
Step S14. send the second data packet.
By transforming conventional data packets into dedicated-network data packets, the security strategy proposed in the invention can prevent a device outside the dedicated network that has entered it by physical, wireless or other means from communicating with the dedicated-network devices, or from parsing the data in the dedicated network, and so ensures the security and reliability of the dedicated network.
Referring now to Fig. 2, which shows an example of the communication uplink data reconstruction method of the invention. As shown in the example, the communication uplink data reconstruction method of the invention comprises:
Step S21. obtain the conventional data packet (i.e. the first data packet) sent out by the computing device;
Step S22. parse the target IP address from the IP header of the conventional packet;
Step S23. match, in the serial number library, the serial number table corresponding to the target IP address;
Step S24. extract the sequence number value from the serial number table;
Step S25. generate the dedicated packet (i.e. the second data packet) from the conventional packet and the sequence number value; the data segment of the dedicated packet consists of the raw data segment (i.e. the data segment of the conventional packet) and a sequence number field storing the sequence number value;
Step S26. encrypt the data segment of the dedicated packet;
Step S27. send the dedicated packet according to the set target;
Step S28. apply +1 processing to the sequence number value in the serial number table.
In the embodiments above, the method shown in Fig. 2 may be executed in a different order, for example with reordering, combination, omission or addition of steps, or combinations thereof. For example, step S26 and/or step S28 may be omitted in another embodiment; as another example, step S28 may swap positions with step S26 or step S27 in a further embodiment.
By adding a sequence number field to the conventional data packet, the embodiment of the invention on the one hand lets the recipient among the dedicated-network devices avoid accepting duplicate data packets; on the other hand, the sequence number field is not only an anti-replay measure: its position and data can also serve for identification, for example as the basis of the recipient's legitimacy authentication, which prevents an attacker from forging dedicated packets and guarantees that what the recipient receives is a dedicated packet. The sequence number value used in this embodiment may therefore also be replaced by any data content that can serve for identification.
Referring now to Fig. 3, which shows another example of the communication uplink data reconstruction method of the invention. As shown in the example, the communication uplink data reconstruction method of the invention comprises:
Step S31. obtain the conventional data packet (i.e. the first data packet) sent out by the computing device;
Step S32. parse the target IP address from the IP header of the conventional packet;
Step S33. match, in the serial number library, the serial number table corresponding to the target IP address;
Step S34. extract the sequence number value from the serial number table;
Step S35. compute the hash of the IP header of the conventional packet and the sequence number value, and use it as the checksum;
Step S36. generate the dedicated packet (i.e. the second data packet) from the conventional packet, the sequence number value and the checksum; the data segment of the dedicated packet consists of the raw data segment (i.e. the data segment of the conventional packet), the sequence number field storing the sequence number value and the check field storing the checksum;
Step S37. encrypt the data segment of the dedicated packet;
Step S38. send the dedicated packet according to the set target;
Step S39. apply +1 processing to the sequence number value in the serial number table.
In the embodiments above, the method shown in Fig. 3 may be executed in a different order, for example with reordering, combination, omission or addition of steps, or combinations thereof. For example, step S37 and/or step S39 may be omitted in another embodiment; as another example, step S39 may swap positions with step S37 or step S38 in a further embodiment.
By adding a sequence number field and a check field to the conventional data packet, the embodiment of the invention, besides achieving the functions and effects mentioned in the example of Fig. 2, can also verify the integrity of the dedicated packet, avoiding the problem of the recipient receiving an incorrect packet because of data loss during network transmission, and can further verify the exclusive nature of the dedicated packet.
Referring now to Fig. 4, which shows another example of the communication uplink data reconstruction method of the invention. As shown in the example, the communication uplink data reconstruction method of the invention comprises:
Step S41. obtain the conventional data packet (i.e. the first data packet) sent out by the computing device;
Step S42. extract the standard protocol number from the IP header of the conventional packet;
Step S43. retrieve the preconfigured non-standard protocol number; step S43 may obtain the non-standard protocol number by matching against information in the conventional packet, for example matching the corresponding non-standard protocol number by target IP address; alternatively, the non-standard protocol number is a fixed value.
Step S44. generate the dedicated packet (i.e. the second data packet) from the conventional packet, the standard protocol number in its IP header and the retrieved non-standard protocol number; the protocol number in the IP header of the dedicated packet is the non-standard protocol number, and the data segment of the dedicated packet consists of the raw data segment (i.e. the data segment of the conventional packet) and a protocol field storing the standard protocol number extracted in step S42;
Step S45. encrypt the data segment of the dedicated packet;
Step S46. send the dedicated packet according to the set target.
In the embodiments above, the method shown in Fig. 4 may be executed in a different order, for example with reordering, combination, omission or addition of steps, or combinations thereof. For example, step S45 may be omitted in another embodiment; as another example, the positions of step S42 and step S43 may be exchanged in a further embodiment.
By hiding the original standard protocol number in the data segment of the packet and replacing the protocol number in the IP header with a custom non-standard protocol number used within the dedicated network, the embodiment of the invention prevents dedicated packets from being forged and lowers the risk that a non-dedicated-network device accepts a dedicated packet.
The method steps of the embodiments shown in Fig. 2, Fig. 3 and Fig. 4 may be combined into a new embodiment; for example, the transformed dedicated packet not only adds the sequence number field and check field described above but also adds the protocol field described above and substitutes the protocol number in the packet's IP header, which constitutes a preferred embodiment of the dedicated packet in the embodiments of the invention.
Referring now to Fig. 5, which shows the structural block diagram of the device of the invention for transforming general communication uplink data into dedicated-network communication uplink data. As shown in the figure, the disclosed communication uplink data reconstruction component 100 may comprise a receiving module 110, a parsing module 120, a package module 130 and a sending module 140;
Receiving module 110, for obtaining a first data packet;
Parsing module 120, for retrieving one or more pieces of feature data corresponding to the first data packet;
Package module 130, for recombining the structure of the first data packet according to the feature data to obtain a second data packet;
Sending module 140, for sending the second data packet.
In the embodiment shown in Fig. 5, the parsing module and the package module may contain several sub-modules to implement the functions/steps shown in Fig. 2, Fig. 3 and Fig. 4 above. The communication uplink data reconstruction component in the embodiments of the invention may be hard-coded into a chip as an independent hardware unit component, and each of its functions may be implemented by any logic component that achieves the purpose of that function.
Through the embodiments shown in Fig. 1 to Fig. 5, the invention realises, with some or all of these steps/structures, the construction of dedicated packets in a dedicated network. Dedicated packets carry a low risk of being recognised by non-dedicated-network devices, which cannot identify them and discard them, so the interaction between the dedicated-network devices in the dedicated network is safer and more concealed.
Referring now to Fig. 6, which shows the flow chart of the method of the invention for transforming general communication downlink data into dedicated-network communication downlink data. As shown in the figure, a communication downlink data reconstruction method corresponding to the communication uplink data reconstruction method of the invention is disclosed, which may perform the following steps:
Step S51. obtain a second data packet;
The second data packet may be the dedicated data packet produced after the "recombination" operation of the embodiments of the invention has transformed the raw data packet. The dedicated packet likewise contains an IP header and a data segment, but the content/structure of the IP header and data segment has been changed: for example, one or more feature fields are appended to the data segment. In the "recombination" logic each feature field may store the feature data retrieved in step S12, and during recombination the raw data segment of the raw packet and the appended feature fields are combined in a specific structure to obtain the dedicated packet.
Step S52. parse one or more pieces of feature data from the second data packet according to a preset algorithm;
The preset algorithm may include a decryption algorithm and the extraction of the corresponding feature data at specific positions in the dedicated packet, such as the protocol number in the IP header, the sequence number value in the sequence number field of the data segment, the checksum in the check field and the protocol number in the protocol field;
Step S53. initiate legitimacy authentication of the second data packet according to the feature data;
Legitimacy authentication may be a single authentication or multiple authentications: for example, authenticating the sequence number value, the protocol number or the checksum in the dedicated packet; or, as another example, a process of authenticating the sequence number value, the protocol number and the checksum one after another;
Step S54. after authentication passes, remove the feature data from the second data packet, restoring the second data packet to the first data packet;
The first data packet may be the conventional data packet (i.e. the raw data packet) generated by the computing device. The packet consists of an IP header and a data segment; the IP header contains at least the source IP address of this device, the target IP address of the target device, and the protocol number that indicates the target device's response mode and other instruction information (for example 6 for TCP and 17 for UDP);
After this step the dedicated packet has been restored to a conventional packet and can enter the target device of the dedicated network;
Step S55. send the first data packet.
The security strategy proposed in the invention, by transforming conventional packets into dedicated-network packets, likewise lets the recipient among the dedicated-network devices authenticate dedicated packets so as to recognise their correctness and determine that a dedicated packet was sent by another dedicated-network device. This prevents forged instructions or data, or those of a non-dedicated-network device, from entering the dedicated-network device, and so ensures the security and reliability of the dedicated network.
Referring now to Fig. 7, which shows an example of the communication downlink data reconstruction method of the invention. As shown in the example, the communication downlink data reconstruction method of the invention comprises:
Step S61. obtain a data packet that is about to enter the computing device;
Step S62. extract the protocol number from the IP header of the data packet;
Step S63. judge whether the data packet is a dedicated packet by checking whether the extracted protocol number is the preset non-standard protocol number; if so, go to step S64; otherwise, go to step S60;
Step S64. parse the standard protocol number from the protocol field of the dedicated packet according to the preset algorithm (the preset algorithm may include a decryption algorithm);
Step S65. extract the standard protocol number, remove the protocol field, replace the non-standard protocol number in the IP header with the standard protocol number, and generate the conventional packet;
Step S66. pass the conventional packet into the computing device; end.
Step S60. discard the data packet; end.
In the embodiment of the invention, the received data packet is authenticated by checking its protocol number, so as to distinguish whether it is a dedicated packet circulating within the dedicated network. The computing device can only receive conventional packets that have passed through the communication downlink data reconstruction strategy of the invention, which restricts entry into the dedicated-network device to dedicated packets only, and so guarantees that illegal instructions/data cannot intrude into the dedicated-network device through the network.
Referring now to Fig. 8, which shows another example of the communication downlink data reconstruction method of the present invention. As shown in this example, the communication downlink data reconstruction method of the present invention comprises:
Step S71. Obtain a data packet that is about to enter the computing device;
Step S72. Extract the source IP address from the IP header of the data packet;
Step S73. Using the source IP address, look up in the sequence number library the sequence number table corresponding to that source IP address;
Step S74. Parse the sequence number value in the data packet according to a preset algorithm (the preset algorithm may include a decryption algorithm);
Step S75. Check whether the parsed sequence number value is consistent with the value in the matched sequence number table; if consistent, proceed to step S76; otherwise, proceed to step S70;
Step S76. Remove from the data packet the field that stores the sequence number value, thereby generating a conventional data packet;
Step S77. Send the conventional data packet into the computing device;
Step S78. Increment the value in the sequence number table by 1, and end.
Step S70. Discard the data packet, and end.
In the above embodiments, the method shown in Fig. 8 can be executed in a different order, for example by rearranging, omitting, combining or adding steps, or any combination thereof. For instance, in another embodiment the positions of steps S72-S73 and step S74 can be exchanged.
By checking the sequence number value in the data packet, this embodiment of the present invention can prevent duplicate data packets from being received; in addition, the check can also be used to determine whether the data packet is a dedicated packet.
Referring now to Fig. 9, which shows another example of the communication downlink data reconstruction method of the present invention. As shown in this example, the communication downlink data reconstruction method of the present invention comprises:
Step S81. Obtain a data packet that is about to enter the computing device;
Step S82. Extract the source IP address from the IP header of the data packet;
Step S83. Using the source IP address, look up in the sequence number library the sequence number table corresponding to that source IP address;
Step S84. Parse the sequence number value and the check sum in the data packet according to a preset algorithm (the preset algorithm may include a decryption algorithm);
Step S85. Check whether the parsed sequence number value is consistent with the value in the matched sequence number table; if consistent, proceed to step S86; otherwise, proceed to step S80;
Step S86. Calculate the hash value of the IP header of the data packet together with the sequence number field, and judge whether this value is consistent with the check sum; if consistent, proceed to step S87; otherwise, proceed to step S80;
Step S87. Remove from the data packet the sequence number field that stores the sequence number value and the check field that stores the check sum, thereby generating a conventional data packet;
Step S88. Send the conventional data packet into the computing device;
Step S89. Increment the value in the sequence number table by 1, and end.
Step S80. Discard the data packet, and end.
This embodiment, which builds on the embodiment shown in Fig. 8, additionally verifies the integrity of the data packet and thereby further guarantees its correctness.
The method steps of the embodiments shown in Fig. 7, Fig. 8 and Fig. 9 can be combined into new embodiments. For example: first authenticate the protocol number in the IP header; once that authentication passes, carry out the subsequent authentications, such as the sequence number comparison and the integrity check; only after every authentication has passed is the data packet converted into a conventional data packet and sent to the computing device. If any one authentication fails, the data packet is determined not to have passed legitimacy authentication and is discarded directly. This authentication process may be configured as a preferred embodiment of communication downlink data reconstruction in the embodiments of the present invention.
Referring now to Fig. 10, which shows the structural block diagram of a device of the present invention for transforming general communication downlink data into private network communication downlink data. As shown in the figure, a communication downlink data reconstruction component 200 is disclosed, which may include: a receiving module 110, a parsing module 120, an authentication module 130, a packaging module 140 and a sending module 150;
The receiving module 110 is used for obtaining a second data packet;
The parsing module 120 is used for parsing one or more items of characteristic data in the second data packet according to a preset algorithm;
The authentication module 130 is used for initiating legitimacy authentication of the second data packet according to the characteristic data;
The packaging module 140 is used for, after the authentication passes, removing the characteristic data from the second data packet and restoring the second data packet to a first data packet;
The sending module 150 is used for sending the first data packet.
In the embodiment shown in Fig. 10, the parsing module, the authentication module and the packaging module may each include several submodules in order to realize the functions/steps illustrated in Fig. 7, Fig. 8 and Fig. 9 above. The communication downlink data reconstruction component of this embodiment of the present invention can be solidified inside a chip, by way of hard coding, as an independent hardware unit component; each function can be realized by any logic component capable of achieving its functional purpose.
Through the embodiments shown in Fig. 6 to Fig. 10, the present invention can realize some or all of the steps/structures for deconstructing dedicated packets within the private network. Dedicated packets carry a low risk of being identified by non-dedicated network equipment; because non-dedicated network equipment cannot identify them, it discards them, so that interaction between the private network devices within the dedicated network is more secure and more concealed.
Referring now to Fig. 11, which shows a flow chart of the method for preventing network attacks based on the embodiments of the present invention disclosed above. As shown in the figure, the method for preventing network attacks comprises:
Step S91. Receive a data packet;
Step S92. Parse one or more items of characteristic data in the data packet according to a preset algorithm;
Step S93. Initiate legitimacy authentication of the data packet according to the characteristic data;
Step S94. When the authentication fails, discard the data packet.
This embodiment is suitable for a computing device of the present invention acting as recipient. By initiating the series of authentications of the above embodiments, the receiving device ensures that every data packet entering the computing device was produced by the dedicated packet transformation, which can effectively prevent forged IP attacks, DoS flood attacks and the like.
Specifically, in this embodiment, parsing one or more items of characteristic data in the data packet according to a preset algorithm comprises: extracting the protocol number from the IP header of the data packet; and initiating legitimacy authentication of the data packet according to the characteristic data comprises: judging whether the protocol number is the pre-set nonstandard protocol number; if not, indicating that the legitimacy authentication of the data packet has failed.
Specifically, in this embodiment, parsing one or more items of characteristic data in the data packet according to a preset algorithm comprises: parsing the data in a first specified field of the data segment of the data packet; and initiating legitimacy authentication of the data packet according to the characteristic data comprises: judging whether the data in the first specified field is consistent with a preconfigured sequence number value; if not, indicating that the legitimacy authentication of the data packet has failed.
Specifically, in this embodiment, parsing one or more items of characteristic data in the data packet according to a preset algorithm further comprises: parsing the data in a second specified field of the data segment of the data packet; and initiating legitimacy authentication of the data packet according to the characteristic data comprises: calculating the hash value of the IP header of the data packet and the first specified field in the data segment; judging whether the calculated hash value is consistent with the data in the second specified field; if not, indicating that the legitimacy authentication of the data packet has failed.
Specifically, in this embodiment, the process of parsing one or more items of characteristic data in the data packet according to a preset algorithm comprises: decrypting the data packet.
Referring now to Fig. 12, which shows the structural block diagram of the device for preventing network attacks based on the embodiments of the present invention disclosed above. As shown in the figure, the device 300 for preventing network attacks comprises: a receiving module 310, a parsing module 320, an auditing module 330 and a removing module 340;
The receiving module 310 is used for receiving a data packet;
The parsing module 320 is used for parsing one or more items of characteristic data in the data packet according to a preset algorithm;
The auditing module 330 is used for initiating legitimacy authentication of the data packet according to the characteristic data;
The removing module 340 is used for discarding the data packet when the authentication fails.
Specifically, in this embodiment, the parsing module 320 includes a first parsing submodule 321 for extracting the protocol number from the IP header of the data packet;
Specifically, in this embodiment, the auditing module 330 includes a first auditing submodule 331 for judging whether the protocol number is the pre-set nonstandard protocol number; if not, indicating that the legitimacy authentication of the data packet has failed.
Specifically, in this embodiment, the parsing module 320 includes a second parsing submodule 322 for parsing the data in a first specified field of the data segment of the data packet;
Specifically, in this embodiment, the auditing module 330 includes a second auditing submodule 332 for judging whether the data in the first specified field is consistent with a preconfigured sequence number value; if not, indicating that the legitimacy authentication of the data packet has failed.
Specifically, in this embodiment, the parsing module 320 includes a third parsing submodule 323 for parsing the data in a second specified field of the data segment of the data packet;
Specifically, in this embodiment, the auditing module 330 includes a third auditing submodule 333 for calculating the hash value of the IP header of the data packet and the first specified field in the data segment, and judging whether the calculated hash value is consistent with the data in the second specified field; if not, indicating that the legitimacy authentication of the data packet has failed.
Specifically, in this embodiment, the parsing module 320 further includes a decryption module 324 for decrypting the data packet.
Referring now to Fig. 13, which shows a flow chart of the secure communication method based on the embodiments of the present invention disclosed above. As shown in the figure, the secure communication method, applied to computing devices acting as sender and as recipient, comprises:
Step S101. Obtain a first data packet;
Step S102. Retrieve one or more items of characteristic data corresponding to the first data packet;
Step S103. Recombine the structure of the first data packet according to the characteristic data to obtain a second data packet;
Step S104. Send the second data packet.
Steps S101-S104 are applicable to the sending device, or to network equipment located between the sender and the external network, such as a gateway, router or switch.
Step S105. Obtain the second data packet;
Step S106. Parse one or more items of characteristic data in the second data packet according to a preset algorithm;
Step S107. Initiate legitimacy authentication of the second data packet according to the characteristic data;
Step S108. After the authentication passes, remove the characteristic data from the second data packet and restore the second data packet to the first data packet;
Step S109. Obtain the first data packet.
Steps S105-S109 are applicable to the receiving device, or to network equipment located between the recipient and the external network, such as a gateway, router or switch.
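As an added example that is not part of the patent, the following Python implements both directions of the secure communication method of Fig. 13: to_dedicated() is the sender transform of steps S101-S104, and reconstruct_downlink() is the receiver side with the Fig. 7, Fig. 8 and Fig. 9 checks combined as described above (protocol number, sequence number, hash check) before the conventional packet is restored. The data-segment layout, the nonstandard protocol number 253, the keyed SHA-256 check and the pre-shared key are this example's assumptions; the patent specifies none of them.

```python
"""Dedicated-packet transform from the patent: to_dedicated() is the sender
side (S101-S104), reconstruct_downlink() the receiver side (Fig. 7-9 combined).
Data-segment layout, key and constants below are this example's assumptions."""
import hashlib
import hmac
import socket
import struct

NONSTANDARD_PROTO = 253            # assumed: IANA "experimentation" value
SECRET = b"example-preshared-key"  # constructed; keys the check hash
# Assumed data-segment layout of a dedicated packet:
#   [1 B original protocol number][4 B sequence number][32 B check][payload]
FIELD_LEN = 1 + 4 + 32


def ipv4_checksum(hdr: bytes) -> int:
    """Standard ones-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_header(ip_hdr: bytes, proto: int, total_len: int) -> bytes:
    """Copy of a 20-byte IPv4 header with a new protocol number and total
    length and a recomputed header checksum (the checksum update is this
    example's addition; the patent's steps do not mention it)."""
    hdr = (ip_hdr[:2] + struct.pack("!H", total_len) + ip_hdr[4:9]
           + bytes([proto]) + b"\x00\x00" + ip_hdr[12:])
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal conventional packet: 20-byte IPv4 header without options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return rewrite_header(hdr, proto, 20 + len(payload)) + payload


def check_value(ip_hdr: bytes, seq_field: bytes) -> bytes:
    """Step S86 check over the IP header plus the sequence field; the patent
    leaves the hash unspecified, a keyed SHA-256 is assumed."""
    return hashlib.sha256(SECRET + ip_hdr + seq_field).digest()


def to_dedicated(packet: bytes, seq_table: dict) -> bytes:
    """Sender transform: move the real protocol number into the data segment,
    prepend sequence number and check, mark the header as nonstandard."""
    ip_hdr, payload = packet[:20], packet[20:]
    src = socket.inet_ntoa(ip_hdr[12:16])
    seq_field = struct.pack("!I", seq_table.setdefault(src, 0))
    hdr = rewrite_header(ip_hdr, NONSTANDARD_PROTO, len(packet) + FIELD_LEN)
    seq_table[src] += 1
    return (hdr + bytes([ip_hdr[9]]) + seq_field
            + check_value(hdr, seq_field) + payload)


def reconstruct_downlink(packet: bytes, seq_table: dict):
    """Receiver side (Fig. 7, 8 and 9 combined). Returns the restored
    conventional packet, or None when any check fails and the packet is
    dropped. The sequence table is keyed by source IP (steps S73/S83)."""
    if len(packet) < 20 + FIELD_LEN:
        return None
    ip_hdr, seg = packet[:20], packet[20:]
    if ip_hdr[9] != NONSTANDARD_PROTO:           # S63: not a dedicated packet
        return None
    src = socket.inet_ntoa(ip_hdr[12:16])
    if src not in seq_table:                     # no sequence table for source
        return None
    orig_proto, seq_field, check = seg[0], seg[1:5], seg[5:FIELD_LEN]
    if struct.unpack("!I", seq_field)[0] != seq_table[src]:       # S75/S85
        return None
    if not hmac.compare_digest(check, check_value(ip_hdr, seq_field)):  # S86
        return None
    payload = seg[FIELD_LEN:]
    seq_table[src] += 1                          # S78/S89: advance the table
    # S65/S87: restore the protocol number and drop the added fields
    return rewrite_header(ip_hdr, orig_proto, 20 + len(payload)) + payload
```

Note that the check, as the patent describes it, covers only the IP header and the sequence number field, so a replayed packet or one with a forged header is rejected while the protocol field and the payload are not covered by the integrity check.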
Those skilled in the art should also appreciate that the various illustrative logical blocks, modules, circuits and algorithm steps described in connection with the embodiments herein may be implemented as electronic hardware, computer software, or a combination of the two. To clearly illustrate this interchangeability of hardware and software, the various illustrative components, blocks, modules, circuits and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or as software depends on the particular application and the design constraints imposed on the overall system. Those skilled in the art may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of protection of the present disclosure.
The above description of the embodiments is only intended to help in understanding the method of the present invention and its core ideas. At the same time, for those skilled in the art, there will be changes in the specific implementation and in the scope of application in accordance with the ideas of the present invention. In conclusion, the contents of this specification are not to be construed as limiting the invention.

Claims (10)

1. A method for preventing network attacks, characterized by comprising:
receiving a data packet;
parsing one or more items of characteristic data in the data packet according to a preset algorithm;
initiating legitimacy authentication of the data packet according to the characteristic data;
when the authentication fails, discarding the data packet.
2. The method for preventing network attacks according to claim 1, characterized in that parsing one or more items of characteristic data in the data packet according to a preset algorithm comprises:
extracting the protocol number from the IP header of the data packet;
and initiating legitimacy authentication of the data packet according to the characteristic data comprises:
judging whether the protocol number is a pre-set nonstandard protocol number;
if not, indicating that the legitimacy authentication of the data packet has failed.
3. The method for preventing network attacks according to claim 1, characterized in that parsing one or more items of characteristic data in the data packet according to a preset algorithm comprises:
parsing the data in a first specified field of the data segment of the data packet;
and initiating legitimacy authentication of the data packet according to the characteristic data comprises:
judging whether the data in the first specified field is consistent with a preconfigured sequence number value;
if not, indicating that the legitimacy authentication of the data packet has failed.
4. The method for preventing network attacks according to claim 3, characterized in that parsing one or more items of characteristic data in the data packet according to a preset algorithm further comprises:
parsing the data in a second specified field of the data segment of the data packet;
and initiating legitimacy authentication of the data packet according to the characteristic data comprises:
calculating the hash value of the IP header of the data packet and the first specified field in the data segment;
judging whether the calculated hash value is consistent with the data in the second specified field;
if not, indicating that the legitimacy authentication of the data packet has failed.
5. The method for preventing network attacks according to any one of claims 1-4, characterized in that the process of parsing one or more items of characteristic data in the data packet according to a preset algorithm comprises:
decrypting the data packet.
6. A device for preventing network attacks, characterized by comprising:
a receiving module for receiving a data packet;
a parsing module for parsing one or more items of characteristic data in the data packet according to a preset algorithm;
an auditing module for initiating legitimacy authentication of the data packet according to the characteristic data;
a removing module for discarding the data packet when the authentication fails.
7. The device for preventing network attacks according to claim 6, characterized in that the parsing module includes a first parsing submodule for extracting the protocol number from the IP header of the data packet;
and the auditing module includes a first auditing submodule for judging whether the protocol number is a pre-set nonstandard protocol number; if not, indicating that the legitimacy authentication of the data packet has failed.
8. The device for preventing network attacks according to claim 6, characterized in that the parsing module includes a second parsing submodule for parsing the data in a first specified field of the data segment of the data packet;
and the auditing module includes a second auditing submodule for judging whether the data in the first specified field is consistent with a preconfigured sequence number value; if not, indicating that the legitimacy authentication of the data packet has failed.
9. The device for preventing network attacks according to claim 8, characterized in that the parsing module includes a third parsing submodule for parsing the data in a second specified field of the data segment of the data packet;
and the auditing module includes a third auditing submodule for calculating the hash value of the IP header of the data packet and the first specified field in the data segment, and judging whether the calculated hash value is consistent with the data in the second specified field; if not, indicating that the legitimacy authentication of the data packet has failed.
10. The device for preventing network attacks according to any one of claims 6-9, characterized in that the parsing module further includes a decryption module for decrypting the data packet.
CN201711216740.9A 2017-11-28 2017-11-28 Prevent the method and device of network attack Pending CN109842595A (en)

Publications (1)

Publication Number Publication Date
CN109842595A true CN109842595A (en) 2019-06-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190604