CN109842595A - Method and device for preventing network attacks - Google Patents
Method and device for preventing network attacks
Publication number: CN109842595A (application number CN201711216740.9A)
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Abstract
The invention discloses a method and device for preventing network attacks. The method comprises: receiving a data packet; parsing one or more items of feature data out of the packet according to a preset algorithm; starting a legitimacy authentication of the packet based on the feature data; and discarding the packet if the authentication fails. With the computing device acting as receiver, the receiving device, by running the series of authentications in the embodiments described above, ensures that every packet entering the computing device was produced by the dedicated-packet transformation, which effectively prevents spoofed-IP attacks, DoS flood attacks and the like.
Description
Technical field
The invention belongs to the field of information security, and in particular relates to a method and device for preventing network attacks.
Background art
Data has proven to be one of an enterprise's essential assets, and the rapid growth of data confronts enterprises with unprecedented challenges. Data security primarily refers to the security of data stored in terminals and servers, the security of data in use, and the security of data exchanged between devices. For the security of exchanged data, the mainstream technique at present is encryption and decryption with cryptographic algorithms.
The security of such encryption and decryption depends on the complexity of the algorithm and on whether the key is properly kept. With the appearance of 32-, 64- and 128-bit encryption algorithms the difficulty of breaking a cipher has risen greatly, but the decisive factors in whether it is broken are still time and cost, and both are under the attacker's control; the user of an encryption/decryption algorithm therefore cannot conclude that its exchanged data has not been intercepted by an attacker. The prior art thus lacks a strategy that effectively protects the security of exchanged data.
Summary of the invention
In view of this, an object of the invention is a method and device for preventing network attacks, to solve the problem in the prior art of the security of exchanged data and of the interacting devices.
In some illustrative embodiments, the method for preventing network attacks comprises: receiving a data packet; parsing one or more items of feature data out of the packet according to a preset algorithm; starting a legitimacy authentication of the packet based on the feature data; and discarding the packet if the authentication fails.
In some preferred embodiments, parsing one or more items of feature data out of the packet according to the preset algorithm comprises extracting the protocol number from the IP header of the packet; and starting the legitimacy authentication of the packet based on the feature data comprises judging whether the protocol number is a preconfigured nonstandard protocol number and, if not, indicating that the legitimacy authentication of the packet has failed.
In some preferred embodiments, parsing one or more items of feature data out of the packet according to the preset algorithm comprises parsing the data in a first specific field of the data segment of the packet; and starting the legitimacy authentication of the packet based on the feature data comprises judging whether the data in the first specific field is consistent with a preconfigured sequence number value and, if not, indicating that the legitimacy authentication of the packet has failed.
In some preferred embodiments, parsing one or more items of feature data out of the packet according to the preset algorithm further comprises parsing the data in a second specific field of the data segment of the packet; and starting the legitimacy authentication of the packet based on the feature data comprises calculating the hash value of the IP header of the packet and of the first specific field in the data segment, judging whether the calculated hash value is consistent with the data in the second specific field and, if not, indicating that the legitimacy authentication of the packet has failed.
In some preferred embodiments, parsing one or more items of feature data out of the packet according to the preset algorithm comprises decrypting the packet.
Another object of the invention is to propose a device for preventing network attacks, to solve the problems existing in the prior art.
In some illustrative embodiments, the device for preventing network attacks comprises: a receiving module, for receiving a data packet; a parsing module, for parsing one or more items of feature data out of the packet according to a preset algorithm; an auditing module, for starting a legitimacy authentication of the packet based on the feature data; and a removal module, for discarding the packet if the authentication fails.
In some preferred embodiments, the parsing module comprises a first parsing submodule for extracting the protocol number from the IP header of the packet, and the auditing module comprises a first auditing submodule for judging whether the protocol number is a preconfigured nonstandard protocol number and, if not, indicating that the legitimacy authentication of the packet has failed.
In some preferred embodiments, the parsing module comprises a second parsing submodule for parsing the data in the first specific field of the data segment of the packet, and the auditing module comprises a second auditing submodule for judging whether the data in the first specific field is consistent with a preconfigured sequence number value and, if not, indicating that the legitimacy authentication of the packet has failed.
In some preferred embodiments, the parsing module comprises a third parsing submodule for parsing the data in the second specific field of the data segment of the packet, and the auditing module comprises a third auditing submodule for calculating the hash value of the IP header of the packet and of the first specific field in the data segment, judging whether the calculated hash value is consistent with the data in the second specific field and, if not, indicating that the legitimacy authentication of the packet has failed.
In some preferred embodiments, the parsing module further comprises a decryption module for decrypting the packet.
Compared with the prior art, the invention has the following advantages:
With the computing device acting as receiver, the receiving device, by running the series of authentications in the embodiments described above, ensures that every packet entering the computing device was produced by the dedicated-packet transformation, which effectively prevents spoofed-IP attacks, DoS flood attacks and the like.
Description of the drawings
The drawings described herein are provided for a further understanding of the invention and constitute part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flowchart of the communication uplink data reconstruction method of the invention;
Fig. 2 is a flowchart of a first example of the communication uplink data reconstruction method of the invention;
Fig. 3 is a flowchart of a second example of the communication uplink data reconstruction method of the invention;
Fig. 4 is a flowchart of a third example of the communication uplink data reconstruction method of the invention;
Fig. 5 is a structural block diagram of the communication uplink data reconstruction component of the invention;
Fig. 6 is a flowchart of the communication downlink data reconstruction method of the invention;
Fig. 7 is a flowchart of a first example of the communication downlink data reconstruction method of the invention;
Fig. 8 is a flowchart of a second example of the communication downlink data reconstruction method of the invention;
Fig. 9 is a flowchart of a third example of the communication downlink data reconstruction method of the invention;
Fig. 10 is a structural block diagram of the communication downlink data reconstruction component of the invention;
Fig. 11 is a flowchart of the method for preventing network attacks of the invention;
Fig. 12 is a structural block diagram of the device for preventing network attacks of the invention;
Fig. 13 is a flowchart of the secure communication method of the invention.
Detailed description of the embodiments
The following description and drawings fully illustrate specific embodiments of the invention, so as to enable those skilled in the art to practise them. Other embodiments may include structural, logical, electrical, process and other changes. The embodiments represent possible variations only. Unless explicitly required, individual components and functions are optional, and the order of operations may vary. Parts and features of some embodiments may be included in, or substituted for, those of other embodiments. The scope of the embodiments of the invention includes the entire scope of the claims and all available equivalents of the claims. Herein, these embodiments of the invention may be referred to individually or collectively by the term "invention"; this is merely for convenience, and if more than one invention is in fact disclosed, it is not meant to automatically limit the scope of the application to any single invention or inventive concept.
In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. Those skilled in the art will understand, however, that the invention can be practised without these specific details. Furthermore, well-known methods, procedures, components, structures, circuits and other features are not described in detail, so as not to obscure the main idea of the invention unnecessarily.
The terms "communication uplink data" and "communication downlink data" are used with respect to an independent network device (such as a terminal PC or a server: a non-intermediary device that supports communication and has functions such as sending and receiving, storing and using data). "Communication uplink data" refers to the data the device sends out, and "communication downlink data" refers to the data the device receives. The term "dedicated network" is used with respect to the network devices exchanging data: for example, if a terminal PC and a server interact by the method shown in the embodiments of the invention, then the terminal PC and the server together constitute a dedicated network of those two devices.
As used in the claims, unless otherwise noted, the ordinal adjectives "first", "second", "third" and so on used to describe elements/structures/signals/data merely indicate that a particular instance of an element/structure/signal/data, or different instances of similar elements/structures/signals/data, is being referred to; they are not intended to imply that the elements/structures/signals/data so described must be in a particular sequence, whether temporally, spatially or in any other manner.
To help those skilled in the art understand the invention more quickly, its main idea is briefly explained here. In the conventional communication model, a device in the network (such as a terminal) continuously monitors the data flow on the network and intercepts it, parsing the destination IP address out of the data flow; if the destination IP address is the device's own IP address, it passes the data flow to its own next processing stage and so obtains the data content. Conversely, if the destination IP address is not the device's own, it removes the data flow directly from its buffer, that is, it discards the data flow. For reasons of data security, existing security measures also check, besides the destination IP address, the source IP address in the data flow (the original initiator of the flow), authenticating whether the access was initiated by a registered/authorised device: if so, the flow is accepted and passed to the next processing stage; if not, it is discarded. The spoofed-IP attack is an attack pattern aimed at precisely this security strategy: the attacker, having obtained the IP address of an authenticated/authorised device by some means, changes its own source address to the IP address of the authorised device before sending the attack packet, and the packet then enters the target device and produces its attack effect. In view of the above problems, the invention proposes a security strategy of reconstructing the data flow (such as the data packet): a dedicated network device transforms a conventional packet into a dedicated-network packet, so that the packet cannot be decoded if intercepted by another device, and on reception it applies a variety of authentication strategies to the dedicated-network packet, which prevents harm from multiple network attacks such as IP spoofing and flood attacks.
Referring now to Fig. 1, which shows the flowchart of the method of the invention for transforming general communication uplink data into dedicated-network communication uplink data; as shown in the figure, a communication uplink data reconstruction method is disclosed, which may perform the following steps:
Step S11. Obtain a first data packet;
The first data packet may be the conventional data packet (that is, the original packet) generated by the computing device for sending outside the device. The packet consists of an IP header and a data segment; the IP header contains at least the source IP address of this device, the destination IP address of the target device, and other indication information such as the protocol number indicating how the target device should handle the packet (for example 6 for TCP, 17 for UDP);
Step S12. Retrieve one or more items of feature data corresponding to the first data packet;
This step may match preset feature data by parsing information in the IP header; for example, the destination IP address may be used to match the sequence number value preset for this packet, the nonstandard protocol number to be used, and a check value obtained by computation;
Step S13. Recombine the structure of the first data packet according to the feature data to obtain a second data packet;
The second data packet may be the dedicated packet obtained after the "recombination" operation of the invention transforms the original packet. The dedicated packet likewise contains an IP header and a data segment, but the contents/structure of the IP header and data segment have been changed: for example, one or more feature fields are added to the data segment. In the "recombination" logic each feature field may store feature data extracted in step S12, and during recombination the original data segment of the original packet and the added feature fields are combined according to a specific structure to obtain the dedicated packet.
Step S14. Send the second data packet.
The security strategy proposed in the invention, by transforming conventional packets into dedicated-network packets, can prevent devices outside the dedicated network from communicating with dedicated-network devices after entering the dedicated network by physical, wireless or other means, or from decoding the data in the dedicated network, which guarantees the security and reliability of the dedicated network.
Referring now to Fig. 2, which shows an example of the communication uplink data reconstruction method of the invention; as shown in the example, the communication uplink data reconstruction method of the invention comprises:
Step S21. Obtain the conventional data packet (that is, the first data packet) sent out by the computing device;
Step S22. Parse the destination IP address from the IP header of the conventional packet;
Step S23. Match, by the destination IP address, the sequence number table corresponding to that address in the sequence number library;
Step S24. Extract the sequence number value from the sequence number table;
Step S25. Generate the dedicated packet (that is, the second data packet) from the conventional packet and the sequence number value; the data segment of the dedicated packet consists of the original data segment (that is, the data segment of the conventional packet) and a sequence number field storing the sequence number value;
Step S26. Encrypt the data segment of the dedicated packet;
Step S27. Send the dedicated packet to the set destination;
Step S28. Increment the sequence number value in the sequence number table by 1.
In the above embodiments, the method shown in Fig. 2 may be executed in a different order, such as by rearranging, combining or omitting steps, adding steps, or combinations thereof. For example, step S26 and/or step S28 may be omitted in another embodiment; as a further example, step S28 may exchange positions with step S26 or step S27 in yet another embodiment.
By adding a sequence number field to the conventional packet, the embodiment of the invention on the one hand allows the recipient among the dedicated-network devices to avoid accepting duplicate packets; on the other hand, the sequence number field is not merely anti-replay: its position and data can also serve an identification function, for example allowing the recipient to start a legitimacy authentication, which prevents an attacker from forging dedicated packets and so guarantees that what the recipient receives is a dedicated packet. The sequence number value used in the embodiment may therefore also be replaced by any data content that can serve for identification.
Referring now to Fig. 3, which shows another example of the communication uplink data reconstruction method of the invention; as shown in the example, the communication uplink data reconstruction method of the invention comprises:
Step S31. Obtain the conventional data packet (that is, the first data packet) sent out by the computing device;
Step S32. Parse the destination IP address from the IP header of the conventional packet;
Step S33. Match, by the destination IP address, the sequence number table corresponding to that address in the sequence number library;
Step S34. Extract the sequence number value from the sequence number table;
Step S35. Calculate, as the check sum, the sum of the hash values of the IP header of the conventional packet and of the sequence number value;
Step S36. Generate the dedicated packet (that is, the second data packet) from the conventional packet, the sequence number value and the check sum; the data segment of the dedicated packet consists of the original data segment (that is, the data segment of the conventional packet), a sequence number field storing the sequence number value, and a check field storing the check sum;
Step S37. Encrypt the data segment of the dedicated packet;
Step S38. Send the dedicated packet to the set destination;
Step S39. Increment the sequence number value in the sequence number table by 1.
In the above embodiments, the method shown in Fig. 3 may be executed in a different order, such as by rearranging, combining or omitting steps, adding steps, or combinations thereof. For example, step S37 and/or step S39 may be omitted in another embodiment; as a further example, step S39 may exchange positions with step S37 or step S38 in yet another embodiment.
By adding a sequence number field and a check field to the conventional packet, the embodiment of the invention, in addition to the functions and effects mentioned in the Fig. 2 example, can also verify the integrity of the dedicated packet, avoiding the problem of the recipient receiving an incorrect packet because data was lost in network transmission, and can further verify the exclusive nature of the dedicated packet.
Referring now to Fig. 4, which shows another example of the communication uplink data reconstruction method of the invention; as shown in the example, the communication uplink data reconstruction method of the invention comprises:
Step S41. Obtain the conventional data packet (that is, the first data packet) sent out by the computing device;
Step S42. Extract the standard protocol number from the IP header of the conventional packet;
Step S43. Retrieve a preconfigured nonstandard protocol number; step S43 may obtain the nonstandard protocol number by matching against information in the conventional packet, for example matching the corresponding nonstandard protocol number by destination IP address, or the nonstandard protocol number may be a fixed value.
Step S44. Generate the dedicated packet (that is, the second data packet) from the conventional packet, the standard protocol number in its IP header and the retrieved nonstandard protocol number; the protocol number in the IP header of the dedicated packet is the nonstandard protocol number, and the data segment of the dedicated packet consists of the original data segment (that is, the data segment of the conventional packet) and a protocol field storing the standard protocol number extracted in step S42;
Step S45. Encrypt the data segment of the dedicated packet;
Step S46. Send the dedicated packet to the set destination.
In the above embodiments, the method shown in Fig. 4 may be executed in a different order, such as by rearranging, combining or omitting steps, adding steps, or combinations thereof. For example, step S45 may be omitted in another embodiment; as a further example, step S42 and step S43 may exchange positions in yet another embodiment.
By hiding the original standard protocol number in the data segment of the packet and replacing the protocol number in the IP header with a nonstandard protocol number customised for the dedicated network, the embodiment of the invention prevents forgery of dedicated packets and lowers the risk of non-dedicated network devices accepting dedicated packets.
The steps of the embodiments shown in Fig. 2, Fig. 3 and Fig. 4 may be combined into a new embodiment: for example, the transformed dedicated packet not only adds the sequence number field and check field described above but also adds the protocol field described above and replaces the protocol number in the IP header of the packet. This constitutes a preferred embodiment of the dedicated packet in the embodiments of the invention.
Referring now to Fig. 5, which shows the structural block diagram of the device of the invention for transforming general communication uplink data into dedicated-network communication uplink data; as shown in the figure, a communication uplink data reconstruction component 100 is disclosed, which may comprise: a receiving module 110, a parsing module 120, a packaging module 130 and a sending module 140;
Receiving module 110, for obtaining the first data packet;
Parsing module 120, for retrieving one or more items of feature data corresponding to the first data packet;
Packaging module 130, for recombining the structure of the first data packet according to the feature data to obtain the second data packet;
Sending module 140, for sending the second data packet.
In the embodiment shown in Fig. 5, the parsing module and the packaging module may contain several submodules to implement the functions/steps shown in Fig. 2, Fig. 3 and Fig. 4; the communication uplink data reconstruction component of the embodiment of the invention may be hard-coded into a chip as an independent hardware unit, and its functions may be realised by any logic component capable of achieving each function.
Through some or all of the steps/structures of the embodiments shown in Fig. 1 to Fig. 5, the invention achieves the construction of dedicated packets in the dedicated network; the risk of a dedicated packet being recognised by a non-dedicated network device is low, and a non-dedicated network device that cannot recognise it discards it, so that interaction between the dedicated-network devices in the dedicated network is more secure and covert.
Referring now to Fig. 6, which shows the flowchart of the method of the invention for transforming general communication downlink data into dedicated-network communication downlink data; as shown in the figure, a communication downlink data reconstruction method corresponding to the communication uplink data reconstruction method of the invention is disclosed, which may perform the following steps:
Step S51. Obtain a second data packet;
The second data packet may be the dedicated packet generated after the "recombination" operation of the embodiment of the invention transforms the original packet. The dedicated packet likewise contains an IP header and a data segment, but the contents/structure of the IP header and data segment have been changed: for example, one or more feature fields have been added to the data segment. In the "recombination" logic each feature field may store feature data extracted in step S12, and during recombination the original data segment of the original packet and the added feature fields are combined according to a specific structure to obtain the dedicated packet.
Step S52. Parse one or more items of feature data out of the second data packet according to a preset algorithm;
The preset algorithm may include a decryption algorithm and the extraction of the corresponding feature data from specific positions in the dedicated packet, such as the protocol number in the IP header, the sequence number value in the sequence number field of the data segment, the check sum in the check field, and the protocol number in the protocol field;
Step S53. Start a legitimacy authentication of the second data packet based on the feature data;
The legitimacy authentication may be a single authentication or several, for example authenticating the sequence number value, the protocol number or the check sum in the dedicated packet, or a process that authenticates the sequence number value, the protocol number and the check sum one after another;
Step S54. After the authentication passes, remove the feature data from the second data packet, restoring the second data packet to the first data packet;
The first data packet may be the conventional packet (that is, the original packet) generated by the computing device, consisting of an IP header and a data segment; the IP header contains at least the source IP address of this device, the destination IP address of the target device and other indication information such as the protocol number indicating how the target device should handle the packet (for example 6 for TCP, 17 for UDP);
After this step the dedicated packet has been restored to a conventional packet and can enter the target device of the dedicated network;
Step S55. Send the first data packet.
The security strategy proposed in the invention, by transforming conventional packets into dedicated-network packets, likewise lets the receiving dedicated-network device authenticate the dedicated packet, so as to identify that the packet is correct and to determine that it was sent by another dedicated-network device, preventing forged instructions or data, or the instructions and data of non-dedicated network devices, from entering the dedicated-network device, which guarantees the security and reliability of the dedicated network.
Referring now to Fig. 7, which shows an example of the communication downlink data reconstruction method of the invention; as shown in the example, the communication downlink data reconstruction method of the invention comprises:
Step S61. Obtain a data packet about to enter the computing device;
Step S62. Extract the protocol number from the IP header of the packet;
Step S63. Judge whether the packet is a dedicated packet by checking whether the extracted protocol number is the preset nonstandard protocol number; if so, go to step S64; otherwise, go to step S60;
Step S64. Parse the standard protocol number from the protocol field of the dedicated packet according to a preset algorithm (the preset algorithm may include a decryption algorithm);
Step S65. Extract the standard protocol number, remove the protocol field, and replace the nonstandard protocol number in the IP header with the standard protocol number, generating a conventional packet;
Step S66. Pass the conventional packet into the computing device; end.
Step S60. Discard the packet; end.
By checking the protocol number of the received packet, the embodiment of the invention authenticates whether the packet is a dedicated packet circulating in the dedicated network; the computing device can accept only conventional packets produced by the communication downlink data reconstruction strategy of the invention, so that only dedicated packets can enter the dedicated-network device, which guarantees that illegal instructions/data cannot intrude into the dedicated-network device over the network.
Referring now to Fig. 8, which shows another example of the communication downlink data reconstruction method of the invention; as shown in the example, the communication downlink data reconstruction method of the invention comprises:
Step S71. Obtain a data packet about to enter the computing device;
Step S72. Extract the source IP address from the IP header of the packet;
Step S73. Match, by the source IP address, the sequence number table corresponding to that address in the sequence number library;
Step S74. Parse the sequence number value from the packet according to a preset algorithm (the preset algorithm may include a decryption algorithm);
Step S75. Check whether the parsed sequence number value is consistent with the value in the matched sequence number table; if consistent, go to step S76; otherwise, go to step S70;
Step S76. Remove the field storing the sequence number value from the packet, generating a conventional packet;
Step S77. Pass the conventional packet into the computing device;
Step S78. Increment the value in the sequence number table by 1; end;
Step S70. Discard the packet; end.
In the above embodiments, the method shown in Fig. 8 can be executed in a different order, for example by rearranging, omitting, combining or adding steps, or combinations thereof. For example, in another embodiment the positions of steps S72-S73 and step S74 can be exchanged.
By checking the sequence number value in the data packet, this embodiment of the invention can prevent duplicate data packets from being received; in addition, the check can also be used to determine whether the data packet is a dedicated packet.
Referring now to Fig. 9, Fig. 9 shows another example of the communication downlink data reconstruction method of the invention. As shown in the example, the communication downlink data reconstruction method of the invention comprises:
Step S81. obtains the data packet about to enter the computing device;
Step S82. extracts the source IP address from the IP header of the data packet;
Step S83. matches, in the serial number library, the serial number table corresponding to the source IP address;
Step S84. parses the sequence number value and the checksum in the data packet according to the preset algorithm (the preset algorithm may include a decryption algorithm);
Step S85. checks whether the parsed sequence number value is consistent with the value in the matched serial number table; if consistent, proceed to step S86; otherwise, proceed to step S80;
Step S86. calculates the hash value of the IP header of the data packet together with the sequence number field, and judges whether this value is consistent with the checksum; if consistent, proceed to step S87; otherwise, proceed to step S80;
Step S87. removes from the data packet the sequence number field storing the sequence number value and the check field storing the checksum, generating a routine data packet;
Step S88. sends the routine data packet into the computing device;
Step S89. increments the value in the serial number table by 1, and ends;
Step S80. discards the data packet, and ends.
On the basis of the embodiment shown in Fig. 8, this embodiment additionally verifies the integrity of the data packet, further guaranteeing the correctness of the data packet.
The method steps of the embodiments shown in Fig. 7, Fig. 8 and Fig. 9 can be combined into a new embodiment, for example: first authenticate the protocol number in the IP header; after that authentication passes, perform the subsequent serial number comparison, integrity check and other authentications; only after all authentications pass is the data packet converted into a routine data packet and sent to the computing device. If any one authentication fails, the data packet is judged to have failed legitimacy authentication and is discarded directly. This authentication process may be configured as a preferred embodiment of communication downlink data reconstruction in the embodiments of the invention.
Referring now to Fig. 10, Fig. 10 shows the structural block diagram of the device of the invention for transforming general communication downlink data into private network communication downlink data. As shown in the drawing, a communication downlink data reconstruction component 200 is disclosed, which may include: receiving module 110, parsing module 120, authentication module 130, package module 140 and sending module 150;
Receiving module 110, for obtaining the second data packet;
Parsing module 120, for parsing one or more characteristic data in the second data packet according to the preset algorithm;
Authentication module 130, for starting legitimacy authentication of the second data packet according to the characteristic data;
Package module 140, for removing the characteristic data from the second data packet after authentication passes, restoring the second data packet to the first data packet;
Sending module 150, for sending the first data packet.
In the embodiment shown in Fig. 10, the parsing module, authentication module and package module may each include several sub-modules, so as to implement the functions/steps illustrated in Fig. 7, Fig. 8 and Fig. 9 above. The communication downlink data reconstruction component in this embodiment of the invention can be solidified inside a chip as an independent hardware unit by way of hard coding, and each function can be constituted by any logic component capable of realizing its functional purpose.
Through part or all of the steps/structures of the embodiments shown in Fig. 6 to Fig. 10, the invention realizes the destructuring of dedicated packets in the private network. Dedicated packets carry a low risk of being identified by non-dedicated network equipment: non-dedicated network equipment cannot identify them and discards them, so that interaction between the private network devices in the dedicated network is safer and more covert.
Referring now to Fig. 11, Fig. 11 shows the flow chart of the method for preventing network attack disclosed on the basis of the above embodiments of the invention. As shown in the drawing, the method for preventing network attack comprises:
Step S91. receives a data packet;
Step S92. parses one or more characteristic data in the data packet according to a preset algorithm;
Step S93. starts legitimacy authentication of the data packet according to the characteristic data;
Step S94. when authentication fails, discards the data packet.
This embodiment is suitable for the computing device acting as recipient in the invention. By starting the series of authentications in the above embodiments, the receiving device ensures that every data packet entering the computing device was produced by the dedicated packet transformation, which can effectively prevent forged IP attacks, DoS flood attacks and the like.
Specifically, in this embodiment, parsing one or more characteristic data in the data packet according to the preset algorithm comprises: extracting the protocol number from the IP header of the data packet; and starting legitimacy authentication of the data packet according to the characteristic data comprises: judging whether the protocol number is the pre-set nonstandard protocol number; if not, the legitimacy authentication of the data packet fails.
Specifically, in this embodiment, parsing one or more characteristic data in the data packet according to the preset algorithm comprises: parsing the data in the first specific field of the data segment of the data packet; and starting legitimacy authentication of the data packet according to the characteristic data comprises: judging whether the data in the first specific field is consistent with the preconfigured sequence number value; if not, the legitimacy authentication of the data packet fails.
Specifically, in this embodiment, parsing one or more characteristic data in the data packet according to the preset algorithm further comprises: parsing the data in the second specific field of the data segment of the data packet; and starting legitimacy authentication of the data packet according to the characteristic data comprises: calculating the hash value of the IP header of the data packet and the first specific field of the data segment; judging whether the calculated hash value is consistent with the data in the second specific field; if not, the legitimacy authentication of the data packet fails.
Specifically, in this embodiment, parsing one or more characteristic data in the data packet according to the preset algorithm comprises: decrypting the data packet.
Referring now to Fig. 12, Fig. 12 shows the structural block diagram of the device for preventing network attack disclosed on the basis of the above embodiments of the invention. As shown in the drawing, the device 300 for preventing network attack comprises: receiving module 310, parsing module 320, auditing module 330 and removing module 340;
Receiving module 310, for receiving a data packet;
Parsing module 320, for parsing one or more characteristic data in the data packet according to a preset algorithm;
Auditing module 330, for starting legitimacy authentication of the data packet according to the characteristic data;
Removing module 340, for discarding the data packet when authentication fails.
Specifically, in this embodiment the parsing module 320 includes: a first parsing sub-module 321, for extracting the protocol number from the IP header of the data packet;
Specifically, in this embodiment the auditing module 330 includes: a first audit sub-module 331, for judging whether the protocol number is the pre-set nonstandard protocol number; if not, the legitimacy authentication of the data packet fails.
Specifically, in this embodiment the parsing module 320 includes: a second parsing sub-module 322, for parsing the data in the first specific field of the data segment of the data packet;
Specifically, in this embodiment the auditing module 330 includes: a second audit sub-module 332, for judging whether the data in the first specific field is consistent with the preconfigured sequence number value; if not, the legitimacy authentication of the data packet fails.
Specifically, in this embodiment the parsing module 320 includes: a third parsing sub-module 323, for parsing the data in the second specific field of the data segment of the data packet;
Specifically, in this embodiment the auditing module 330 includes: a third audit sub-module 333, for calculating the hash value of the IP header of the data packet and the first specific field of the data segment, and judging whether the calculated hash value is consistent with the data in the second specific field; if not, the legitimacy authentication of the data packet fails.
Specifically, in this embodiment the parsing module 320 further includes: a decryption module 324, for decrypting the data packet.
Referring now to Fig. 13, Fig. 13 shows the flow chart of the secure communication method disclosed on the basis of the above embodiments of the invention. As shown in the drawing, the secure communication method, applied to the computing devices acting as sender and recipient, comprises:
Step S101. obtains the first data packet;
Step S102. retrieves one or more characteristic data corresponding to the first data packet;
Step S103. recombines the structure of the first data packet according to the characteristic data, obtaining the second data packet;
Step S104. sends the second data packet.
Steps S101-S104 are applicable to the sending device, or to a network intermediary device between the sender and the external network, such as a gateway, router or switch.
Step S105. obtains the second data packet;
Step S106. parses one or more characteristic data in the second data packet according to the preset algorithm;
Step S107. starts legitimacy authentication of the second data packet according to the characteristic data;
Step S108. after authentication passes, removes the characteristic data from the second data packet, restoring the second data packet to the first data packet;
Step S109. obtains the first data packet.
Steps S105-S109 are applicable to the receiving device, or to a network intermediary device between the recipient and the external network, such as a gateway, router or switch.
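As an added example that is not part of the patent, the following Python round trip puts the sender-side recombination of steps S101-S104 and the receiver-side checks of steps S105-S109 (the combined Fig. 7/8/9 protocol-number, sequence-number and integrity authentications) into working code. The 1-byte/4-byte/8-byte field layout, SHA-256 as the hash, protocol number 253 as the nonstandard protocol number and the 10.0.0.x addresses are assumptions, not values taken from the patent.

```python
"""Added example (not from the patent): round trip of its private-network packet transform.
Sender side follows Fig. 13 S101-S104; receiver side applies the combined Fig. 7/8/9
checks (protocol number, sequence number, integrity) of S105-S109. Layout, field sizes,
hash and sample addresses are assumptions."""
import hashlib
import hmac
import struct

IP_HDR_LEN = 20
NONSTANDARD_PROTO = 253   # assumption: IANA experimental number as the pre-set nonstandard protocol number
SEQ_LEN, CHECK_LEN = 4, 8
# Assumed data segment of the dedicated packet: [1 byte original protocol][seq][check][payload]

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header for constructed samples (header checksum left 0)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src_b, dst_b)

def with_proto_and_len(hdr, proto, total_len):
    """Copy of an IPv4 header with the total-length and protocol fields replaced."""
    return hdr[:2] + struct.pack("!H", total_len) + hdr[4:9] + bytes([proto]) + hdr[10:]

def check_value(ip_hdr, seq_field):
    """Hash over IP header + sequence field (the 'first specific field'); assumed SHA-256/8 bytes.
    A deployment must keep mutable header fields (TTL, checksum) out of it or it fails in transit."""
    return hashlib.sha256(ip_hdr + seq_field).digest()[:CHECK_LEN]

def recombine(first_pkt, seq):
    """Sender side: turn a routine packet into the dedicated packet (S101-S104)."""
    hdr, payload = first_pkt[:IP_HDR_LEN], first_pkt[IP_HDR_LEN:]
    seq_field = struct.pack("!I", seq)
    new_hdr = with_proto_and_len(hdr, NONSTANDARD_PROTO,
                                 IP_HDR_LEN + 1 + SEQ_LEN + CHECK_LEN + len(payload))
    return new_hdr + bytes([hdr[9]]) + seq_field + check_value(new_hdr, seq_field) + payload

class Receiver:
    """Receiver side; the serial-number library maps source IP -> next expected sequence."""
    def __init__(self, seq_library):
        self.seq_library = dict(seq_library)

    def destructure(self, pkt):
        """Return (restored routine packet, None), or (None, reason) when a check fails."""
        if len(pkt) < IP_HDR_LEN + 1 + SEQ_LEN + CHECK_LEN:
            return None, "too short"
        hdr, data = pkt[:IP_HDR_LEN], pkt[IP_HDR_LEN:]
        if hdr[9] != NONSTANDARD_PROTO:                  # Fig. 7: protocol-number check
            return None, "protocol number"
        src = ".".join(str(b) for b in hdr[12:16])
        expected = self.seq_library.get(src)             # Fig. 8: table lookup by source IP
        if expected is None:
            return None, "unknown source"
        std_proto, seq_field = data[0], data[1:1 + SEQ_LEN]
        check = data[1 + SEQ_LEN:1 + SEQ_LEN + CHECK_LEN]
        payload = data[1 + SEQ_LEN + CHECK_LEN:]
        if struct.unpack("!I", seq_field)[0] != expected:   # replayed or out-of-order packet
            return None, "sequence number"
        if not hmac.compare_digest(check, check_value(hdr, seq_field)):  # Fig. 9: integrity
            return None, "integrity"
        self.seq_library[src] = expected + 1             # S78/S89: advance only after success
        return with_proto_and_len(hdr, std_proto, IP_HDR_LEN + len(payload)) + payload, None

def demo():
    """Constructed packets: one legitimate, one replay, one untransformed, one tampered."""
    payload = b"constructed TCP segment"
    routine = ipv4_header("10.0.0.2", "10.0.0.9", 6, IP_HDR_LEN + len(payload)) + payload
    dedicated = recombine(routine, 1000)
    tampered = bytearray(dedicated)
    tampered[IP_HDR_LEN + 1 + SEQ_LEN] ^= 0xFF           # corrupt the first byte of the check field
    rx = Receiver({"10.0.0.2": 1000})
    results = {
        "valid": rx.destructure(dedicated),
        "replay": rx.destructure(dedicated),              # same sequence again: duplicate dropped
        "plain": rx.destructure(routine),                 # never transformed: dropped at step 1
        "tampered": Receiver({"10.0.0.2": 1000}).destructure(bytes(tampered)),
    }
    return routine, results
```

`demo()` returns the original routine packet together with the verdict for each constructed input; only the first delivery is restored byte-for-byte, and a failed check leaves the serial number table unchanged.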
Those skilled in the art should also appreciate that the various illustrative logical blocks, modules, circuits and algorithm steps described in connection with the embodiments herein may be implemented as electronic hardware, computer software, or a combination of both. To clearly illustrate this interchangeability of hardware and software, the various illustrative components, blocks, modules, circuits and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or as software depends on the specific application and the design constraints imposed on the overall system. Those skilled in the art may implement the described functionality in a flexible manner for each specific application, but such implementation decisions should not be construed as a departure from the scope of protection of this disclosure.
The above description of the embodiments is only intended to help understand the method of the invention and its core ideas. At the same time, those skilled in the art will, according to the ideas of the invention, make changes in the specific implementation and application scope. In conclusion, the contents of this specification are not to be construed as limiting the invention.
Claims (10)
1. A method for preventing network attack, characterized in that it comprises:
receiving a data packet;
parsing one or more characteristic data in the data packet according to a preset algorithm;
starting legitimacy authentication of the data packet according to the characteristic data;
when authentication fails, discarding the data packet.
2. The method for preventing network attack according to claim 1, characterized in that parsing one or more characteristic data in the data packet according to a preset algorithm comprises:
extracting the protocol number from the IP header of the data packet;
and starting legitimacy authentication of the data packet according to the characteristic data comprises:
judging whether the protocol number is a pre-set nonstandard protocol number;
if not, the legitimacy authentication of the data packet fails.
3. The method for preventing network attack according to claim 1, characterized in that parsing one or more characteristic data in the data packet according to a preset algorithm comprises:
parsing the data in the first specific field of the data segment of the data packet;
and starting legitimacy authentication of the data packet according to the characteristic data comprises:
judging whether the data in the first specific field is consistent with a preconfigured sequence number value;
if not, the legitimacy authentication of the data packet fails.
4. The method for preventing network attack according to claim 3, characterized in that parsing one or more characteristic data in the data packet according to a preset algorithm further comprises:
parsing the data in the second specific field of the data segment of the data packet;
and starting legitimacy authentication of the data packet according to the characteristic data comprises:
calculating the hash value of the IP header of the data packet and the first specific field of the data segment;
judging whether the calculated hash value is consistent with the data in the second specific field;
if not, the legitimacy authentication of the data packet fails.
5. The method for preventing network attack according to any one of claims 1-4, characterized in that parsing one or more characteristic data in the data packet according to a preset algorithm comprises:
decrypting the data packet.
6. A device for preventing network attack, characterized in that it comprises:
a receiving module, for receiving a data packet;
a parsing module, for parsing one or more characteristic data in the data packet according to a preset algorithm;
an auditing module, for starting legitimacy authentication of the data packet according to the characteristic data;
a removing module, for discarding the data packet when authentication fails.
7. The device for preventing network attack according to claim 6, characterized in that the parsing module includes: a first parsing sub-module, for extracting the protocol number from the IP header of the data packet;
and the auditing module includes: a first audit sub-module, for judging whether the protocol number is a pre-set nonstandard protocol number; if not, the legitimacy authentication of the data packet fails.
8. The device for preventing network attack according to claim 6, characterized in that the parsing module includes: a second parsing sub-module, for parsing the data in the first specific field of the data segment of the data packet;
and the auditing module includes: a second audit sub-module, for judging whether the data in the first specific field is consistent with a preconfigured sequence number value; if not, the legitimacy authentication of the data packet fails.
9. The device for preventing network attack according to claim 8, characterized in that the parsing module includes: a third parsing sub-module, for parsing the data in the second specific field of the data segment of the data packet;
and the auditing module includes: a third audit sub-module, for calculating the hash value of the IP header of the data packet and the first specific field of the data segment, and judging whether the calculated hash value is consistent with the data in the second specific field; if not, the legitimacy authentication of the data packet fails.
10. The device for preventing network attack according to any one of claims 6-9, characterized in that the parsing module further includes: a decryption module, for decrypting the data packet.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711216740.9A CN109842595A (en) | 2017-11-28 | 2017-11-28 | Prevent the method and device of network attack |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109842595A true CN109842595A (en) | 2019-06-04 |
Family
ID=66881143
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20190604 |