CN109889475A - Method and system for preventing a TCP connection from being sniffed by a bypass device - Google Patents


Info

Publication number: CN109889475A
Authority: CN (China)
Prior art keywords: sniff, data, data packet, keyword, packet
Legal status: Granted
Application number: CN201811478080.6A
Other languages: Chinese (zh)
Other versions: CN109889475B (en)
Inventor: 朱博
Current assignee: Suzhou Snail Digital Technology Co Ltd
Original assignee: Suzhou Snail Digital Technology Co Ltd
Application filed by Suzhou Snail Digital Technology Co Ltd
Priority to CN201811478080.6A
Publication of CN109889475A
Application granted
Publication of CN109889475B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for preventing a TCP connection from being sniffed by a bypass device comprises the following steps: capturing the packet the user sends; analysing the packet data, determining the protected object according to the protocol type, and parsing out the data that needs protection from sniffing; modifying the data or keywords that need protection from sniffing; and sending the user's original, genuine packet. The invention also provides a system for preventing a TCP connection from being sniffed by a bypass device. The method and system prevent a bypass device in the network from correctly reassembling the data in the user's TCP connection, so that malicious data cannot be injected into it.

Description

Method and system for preventing a TCP connection from being sniffed by a bypass device
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and an anti-sniffing system for preventing a TCP connection from being sniffed by a bypass device.
Background technique
A bypass device in the network can monitor or sniff every packet that passes through it. If it reassembles the data of a TCP (Transmission Control Protocol) connection it receives, it can recover all the data of the whole connection and inject advertisements, malicious code and the like as it sees fit, threatening the user's network security.
For example, some telecom operators frequently inject advertisements into the web pages a user visits. The method used is to analyse the first packet after the connection is established to decide whether it is HTTP (HyperText Transfer Protocol), to reassemble the URL (Uniform Resource Locator) from the resource path and the Host field of the request, and to send the user a spoofed page packet that embeds the real URL together with an advertisement, so that the user takes the advertisement to be part of the original page. The page the advertisement points to belongs to a third-party advertising provider; if that provider places a malicious script in the page, it can read or tamper with the entire page content.
Besides advertisements, the network provider itself also records all of the user's browsing history, including the URLs of the websites visited, and an attacker on the network may likewise sniff the traffic and inject hostile content. A method is therefore needed that automatically prevents a bypass device from reassembling the correct data, so that it can neither analyse the data in the user's TCP connection nor inject malicious data.
Summary of the invention
To overcome the shortcomings of the prior art, the object of the present invention is to provide a method and system for preventing a TCP connection from being sniffed by a bypass device, which prevent a bypass device in the network from correctly reassembling the data in the user's TCP connection, so that malicious data cannot be injected.
To achieve this object, the method provided by the invention for preventing a TCP connection from being sniffed by a bypass device comprises the following steps:
Capturing the packet the user sends;
Analysing the packet data, determining the protected object according to the protocol type, and parsing out the data that needs protection from sniffing;
Modifying the data or keywords that need protection from sniffing;
Sending the user's original, genuine packet.
Further, the step of analysing the packet data, determining the protected object according to the protocol type, and parsing out the data that needs protection from sniffing further comprises:
If the protocol of the packet is HTTPS, determining that the handshake packet is to be protected, and parsing out the SNI as the data that needs protection from sniffing; or
If the protocol of the packet is HTTP, determining that every message is to be protected, and parsing out the resource path and the host domain name as the data that needs protection from sniffing.
Further, the step of modifying the data or keywords that need protection from sniffing further comprises:
Replacing the data or keywords that need protection from sniffing, and leaving the checksum of the TCP packet unmodified.
Further, the step of modifying the data or keywords that need protection from sniffing further comprises:
Replacing the data or keywords that need protection from sniffing;
Recalculating the correct checksum of the forged TCP packet, wherein the acknowledgement number corresponding to the forged checksum is modified to be the same as the acknowledgement number of the last packet sent.
Further, the step of modifying the data or keywords that need protection from sniffing further comprises:
Replacing the data or keywords that need protection from sniffing;
Recalculating the correct checksum of the forged TCP packet, wherein the TTL in the IP header of the packet is modified to be smaller than the TTL actually needed to reach the host.
Further, the step of sending the user's original, genuine packet further comprises:
Splitting the user's original, genuine packet at the keyword that needs protection from sniffing;
Putting one half of the keyword at the end of the preceding packet and the other half at the beginning of the next packet.
Further, the step of sending the user's original, genuine packet further comprises:
Splitting the user's original, genuine packet at the keyword that needs protection from sniffing;
Putting one half of the keyword at the end of the preceding packet and the other half at the beginning of the next packet;
Sending a fake packet between the two consecutive packets that carry the keyword.
To achieve this object, the present invention also provides a system for preventing a TCP connection from being sniffed by a bypass device, which uses the above method to prevent a bypass device from sniffing the TCP connection. The system comprises:
A capture module, which captures the packet the user sends;
An analysis module, which analyses the packet data, determines the protected object according to the protocol type, and parses out the data that needs protection from sniffing;
A modification module, which modifies the data or keywords that need protection from sniffing;
A sending module, which sends the user's original, genuine packet.
Further, the modification module either replaces the data or keywords that need protection from sniffing and leaves the checksum of the TCP packet unmodified; or replaces the data or keywords that need protection from sniffing and recalculates the correct checksum of the forged TCP packet, wherein the acknowledgement number corresponding to the forged checksum is modified to be the same as the acknowledgement number of the last packet sent; or replaces the data or keywords that need protection from sniffing and recalculates the correct checksum of the forged TCP packet, wherein the TTL in the IP header of the packet is modified to be smaller than the TTL actually needed to reach the host.
Further, the sending module either splits the user's original, genuine packet at the keyword that needs protection from sniffing and puts one half of the keyword at the end of the preceding packet and the other half at the beginning of the next packet; or splits the user's original, genuine packet at the keyword that needs protection from sniffing, puts one half of the keyword at the end of the preceding packet and the other half at the beginning of the next packet, and sends a fake packet between the two consecutive packets that carry the keyword.
In the method and system of the invention for preventing a TCP connection from being sniffed by a bypass device, the data or keywords that need protection from sniffing are replaced with other content, so the real host ignores that packet while the bypass device adds the fake packet to its own TCP data queue; when the genuine packet is then sent, the bypass device ignores it. Consequently the bypass device in the network cannot correctly reassemble the data in the user's TCP connection, and malicious data cannot be injected.
In the method and system of the invention for preventing a TCP connection from being sniffed by a bypass device, the correct checksum of the forged TCP packet is recalculated; because the real host has already received that acknowledgement number, it regards the packet as erroneous and ignores it, and when the genuine packet is then sent, the bypass device ignores it. Consequently the bypass device in the network cannot correctly reassemble the data in the user's TCP connection, and malicious data cannot be injected.
In the method and system of the invention for preventing a TCP connection from being sniffed by a bypass device, the TTL in the IP header of the packet is modified to be smaller than the TTL actually needed to reach the host, so the real host never receives the packet, whereas the bypass device adds it to its own TCP data queue. Consequently the bypass device in the network cannot correctly reassemble the data in the user's TCP connection, and malicious data cannot be injected.
In the method and system of the invention for preventing a TCP connection from being sniffed by a bypass device, the keyword that needs protection from sniffing is split and spread over several different preceding and following packets; the bypass device, having already received data for those positions, treats them as retransmissions after packet loss and ignores them. Consequently the bypass device in the network cannot correctly reassemble the data in the user's TCP connection, and malicious data cannot be injected.
The advantages of the method and system of the invention for preventing a TCP connection from being sniffed by a bypass device are that on the Linux platform it can be used directly without additional dependencies; it does not need to capture the large volume of packets being sent, since the sequence numbers of the packets it has sent can be learned by passive reception alone, and the filtering of unrelated packets is left entirely to the operating system itself. The application is therefore convenient to use directly, and its performance and stability are higher.
Other features and advantages of the invention will be set out in the following description, and will in part become apparent from the description or be understood by practising the invention.
Detailed description of the invention
The accompanying drawings are provided to give further understanding of the invention and form part of the specification; together with the embodiments of the invention they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is a flow diagram of the method according to the invention for preventing a TCP connection from being sniffed by a bypass device;
Fig. 2 is an architecture diagram of the system according to the invention for preventing a TCP connection from being sniffed by a bypass device.
Specific embodiments
Preferred embodiments of the invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the invention and are not intended to limit it.
Fig. 1 is a flow diagram of the method according to the invention for preventing a TCP connection from being sniffed by a bypass device. The method of the invention is described in detail below with reference to Fig. 1.
Embodiment 1
First, in step 101, the packet sent by the user is captured.
In step 102, the protocol of the packet is analysed and determined, the protected object is determined according to the protocol type, and the data that needs protection from sniffing is parsed out. Specifically, if the protocol of the packet is HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer), the handshake packet needs to be protected; if the protocol of the packet is HTTP, every message needs to be protected. The data that needs protection from sniffing is then parsed out: when the protocol of the packet is HTTPS, that data is the SNI (Server Name Indication); when the protocol of the packet is HTTP, it is the resource path and the host domain name.
In step 103, the keyword that needs protection from sniffing is replaced with forged random data, while the checksum of the TCP packet is left unmodified. Because the checksum is now wrong, the real host ignores the packet, whereas a bypass device that skips checksum verification for the sake of performance adds it to its own TCP data queue.
In step 104, the user's original, genuine packet is sent. The real host passes it through verification and puts it into its TCP data queue, while the bypass device, which already holds data for that position in its own TCP data list, treats it as a retransmission after packet loss and ignores it.
Then return to step 101.
Embodiment 2
The method steps of embodiment 2 are largely the same as those of embodiment 1; the difference is step 103. Steps identical to those of embodiment 1 are not described again.
In step 103a, the keyword that needs protection from sniffing is replaced with forged random data, and the correct checksum of the forged TCP packet is recalculated, with the acknowledgement number corresponding to the forged checksum modified to be the same as the acknowledgement number of the last packet sent. Because the real host has already received that acknowledgement number, it regards the packet as erroneous and ignores it. A bypass device that inspects only one direction, however, does not record the downstream data replied by the server, so it cannot tell whether the packet is a duplicate acknowledgement sent because the server's previous acknowledgement was lost; it can only treat the packet as genuine and add it to its own TCP data queue.
Embodiment 3
The method steps of embodiment 3 are largely the same as those of embodiment 1; the difference is step 103. Steps identical to those of embodiment 1 are not described again.
In step 103b, the keyword that needs protection from sniffing is replaced with forged random data, and the correct checksum of the forged TCP packet is recalculated, with the TTL (Time To Live) in the IP header of the packet modified to be smaller than the TTL actually needed to reach the host. Because the TTL is decremented at every node the packet passes and the packet is dropped once the TTL reaches 0, the packet is discarded for insufficient TTL before it reaches the host. The real host therefore never receives it, while the bypass device, which has not analysed in advance the TTL needed to reach the server, cannot tell whether the packet is genuine and adds it to its own TCP data queue.
Embodiment 4
The method steps of embodiment 4 are largely the same as those of embodiments 1 to 3; the difference is step 104. Steps identical to those of embodiments 1 to 3 are not described again.
In step 104a, the user's original, genuine packet is split at the keyword that needs protection from sniffing; one half of the keyword is put at the end of one packet and the other half at the beginning of the next packet. The real host reassembles these packets into the TCP data stream after receiving them, while the bypass device, having already received data for those positions, treats them as retransmissions after packet loss and ignores them. This variation addresses bypass devices that do not reassemble packets but inspect each packet on its own: an HTTP packet usually contains the whole of a conventional request header, so an advertisement injection device needs only one packet to obtain the content it requires to forge data. To cope with devices of this type, the data must be split across several packets so that no single packet contains the data the bypass device needs.
Embodiment 5
The method steps of embodiment 5 are largely the same as those of embodiments 1 to 3; the difference is step 104. Steps identical to those of embodiments 1 to 3 are not described again.
In step 104b, the user's original, genuine packet is split at the keyword that needs protection from sniffing; one half of the keyword is put at the end of one packet and the other half at the beginning of the next packet, and between the two consecutive packets that carry the keyword the fake packet generated by any one of steps 103, 103a and 103b is sent again. The real host reassembles these packets into the TCP data stream after receiving them, while the bypass device, having already received data for those positions, treats them as retransmissions after packet loss and ignores them, or, if it does not treat them as retransmissions, overwrites the genuine packet once more. This variation addresses bypass devices that do not merely inspect single packets but also, instead of treating a packet as a retransmission, merge it directly and inspect the result. For devices of this type, a fake packet is sent once more between the two packets that have just been separated, so that the second half of the genuine packet is overwritten by the fake packet sent before it, and the reassembled data stream does not contain the data the bypass device needs.
The above embodiments are now illustrated with a concrete example.
First, a normal TCP socket is created, and a TCP raw socket is created and bound to the target address with connect. The target is then connected to with the TCP socket, and the SYN|ACK response packet returned by the server is received with the raw socket. The ACK value in that packet gives the acknowledgement number for the packet that was sent, which is used to construct the required fake packets; the fake packets can then be sent with the raw socket.
In the following steps, the procedure is carried out according to the steps of each embodiment, with the following results.
The data the user sends:
TTL:64 SEQ:1 ACK:1 Checksum:OK GET /index.htm HTTP/1.1\r\nHost: www.test.com\r\n\r\n
The data actually sent in embodiment 1:
TTL:64 SEQ:1 ACK:1 Checksum:WRONG PUT /error.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n
TTL:64 SEQ:1 ACK:1 Checksum:OK GET /index.htm HTTP/1.1\r\nHost: www.test.com\r\n\r\n
The data actually sent in embodiment 2:
TTL:64 SEQ:1 ACK:0 Checksum:OK PUT /error.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n
TTL:64 SEQ:1 ACK:1 Checksum:OK GET /index.htm HTTP/1.1\r\nHost: www.test.com\r\n\r\n
The data actually sent in embodiment 3:
TTL:8 SEQ:1 ACK:1 Checksum:OK PUT /error.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n
TTL:64 SEQ:1 ACK:1 Checksum:OK GET /index.htm HTTP/1.1\r\nHost: www.test.com\r\n\r\n
The data actually sent in embodiment 4:
TTL:8 SEQ:1 ACK:1 Checksum:OK PUT /error.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n
TTL:64 SEQ:1 ACK:1 Checksum:OK GET /ind
TTL:64 SEQ:9 ACK:1 Checksum:OK ex.htm HTTP/1.1\r\nHost: www.te
TTL:64 SEQ:38 ACK:1 Checksum:OK st.com\r\n\r\n
In embodiments 1 to 4, the data the bypass device reassembles:
PUT /error.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n
In embodiments 1 to 4, the data the server receives:
GET /index.htm HTTP/1.1\r\nHost: www.test.com\r\n\r\n
The data actually sent in embodiment 5:
TTL:64 SEQ:1 ACK:0 Checksum:OK PUT /error.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n
TTL:64 SEQ:1 ACK:1 Checksum:OK GET /ind
TTL:64 SEQ:1 ACK:1 Checksum:WRONG PUT /error.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n
TTL:64 SEQ:9 ACK:1 Checksum:OK ex.htm HTTP/1.1\r\nHost: www.te
TTL:8 SEQ:1 ACK:1 Checksum:OK PUT /error.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n
TTL:64 SEQ:38 ACK:1 Checksum:OK st.com\r\n\r\n
In embodiment 5, the data the bypass device reassembles (the data reassembled after each newly received packet can differ):
1. PUT /error.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n
2. GET /indor.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n
3. PUT /error.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n
4. PUT /errex.htm HTTP/1.1\r\nHost: www.teke.com\r\n\r\n
5. PUT /error.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n
6. PUT /error.htm HTTP/1.1\r\nHost: www.fast.com\r\n\r\n
In embodiment 5, the data the server receives:
GET /index.htm HTTP/1.1\r\nHost: www.test.com\r\n\r\n
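As an added illustration that is not part of the patent, the following Python replays the six segments listed for embodiment 5 through three reassembly policies, showing that only a reassembler which validates checksum, TTL and acknowledgement number recovers what the server receives, and lists what a one-directional monitor can still flag. The addresses, ports and hop count are constructed assumptions, and the "strict" policy models host behaviour as the patent describes it.

```python
import socket
import struct
from dataclasses import dataclass

# Constructed values: RFC 5737 documentation addresses and a path on which
# a TTL of 8 expires before the segment reaches the server.
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
CPORT, SPORT = 40000, 80
HOPS_TO_SERVER = 12


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (data padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(seq: int, ack: int, payload: bytes) -> int:
    """Checksum over the IPv4 pseudo-header, a minimal 20-byte TCP header
    (PSH|ACK, checksum field zeroed) and the payload."""
    header = struct.pack("!HHIIBBHHH", CPORT, SPORT, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(CLIENT), socket.inet_aton(SERVER),
                         0, socket.IPPROTO_TCP, len(header) + len(payload))
    return inet_checksum(pseudo + header + payload)


@dataclass
class Segment:
    ttl: int
    seq: int
    ack: int
    payload: bytes
    checksum: int

    @classmethod
    def build(cls, ttl, seq, ack, payload, good_checksum=True):
        good = tcp_checksum(seq, ack, payload)
        return cls(ttl, seq, ack, payload, good if good_checksum else good ^ 0xFFFF)

    def checksum_ok(self) -> bool:
        return self.checksum == tcp_checksum(self.seq, self.ack, self.payload)


FAKE = b"PUT /error.htm HTTP/1.1\r\nHost: www.fake.com\r\n\r\n"
REAL = b"GET /index.htm HTTP/1.1\r\nHost: www.test.com\r\n\r\n"

# The six segments listed for embodiment 5, in the order the patent sends them.
EMBODIMENT_5 = [
    Segment.build(64, 1, 0, FAKE),                       # stale ACK number (step 103a)
    Segment.build(64, 1, 1, REAL[0:8]),                  # "GET /ind"
    Segment.build(64, 1, 1, FAKE, good_checksum=False),  # wrong checksum (step 103)
    Segment.build(64, 9, 1, REAL[8:37]),                 # "ex.htm HTTP/1.1\r\nHost: www.te"
    Segment.build(8, 1, 1, FAKE),                        # TTL too small (step 103b)
    Segment.build(64, 38, 1, REAL[37:]),                 # "st.com\r\n\r\n"
]


def reassemble(segments, policy: str, expected_ack: int = 1) -> bytes:
    """Rebuild the client-to-server byte stream under one reassembly policy.
    "first":  accept every segment, keep the first byte seen at each offset
    "last":   accept every segment, later segments overwrite earlier ones
    "strict": drop what the patent says the real host drops: a wrong checksum,
              a TTL that expires on the path, or an ACK number already seen
    """
    stream = {}
    for s in segments:
        if policy == "strict" and (not s.checksum_ok() or s.ttl <= HOPS_TO_SERVER
                                   or s.ack != expected_ack):
            continue
        for i, b in enumerate(s.payload):
            off = s.seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = b
    return bytes(stream[k] for k in sorted(stream))


def anomalies(segments):
    """What a monitor can flag per segment without seeing the server's side:
    the two header checks, plus overlapping data that disagrees with bytes
    already seen (a genuine retransmission repeats the same bytes).  The ACK
    check needs the reverse direction and is deliberately left out."""
    seen, found = {}, []
    for n, s in enumerate(segments):
        if not s.checksum_ok():
            found.append((n, "wrong checksum"))
        if s.ttl <= HOPS_TO_SERVER:
            found.append((n, "ttl expires before host"))
        for i, b in enumerate(s.payload):
            off = s.seq + i
            if seen.setdefault(off, b) != b:
                found.append((n, "overlap disagrees at offset %d" % off))
                break
    return found
```

The "first" and "last" policies reproduce results 1 and 6 of the patent's embodiment 5 listing, and "strict" reproduces the data the server receives.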
Fig. 2 is an architecture diagram of the system according to the invention for preventing a TCP connection from being sniffed by a bypass device. As shown in Fig. 2, the system 200 of the invention for preventing a TCP connection from being sniffed by a bypass device comprises a capture module 201, an analysis module 202, a modification module 203 and a sending module 204.
The capture module 201 captures the packet the user sends.
The analysis module 202 analyses and determines the protocol of the packet, determines the protected object according to the protocol type, and parses out the data that needs protection from sniffing. Specifically, if the analysis module 202 determines that the protocol of the packet is HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer), the handshake packet needs to be protected; if it determines that the protocol of the packet is HTTP, every message needs to be protected. The analysis module 202 then parses out the data that needs protection from sniffing: when the protocol of the packet is HTTPS, the data that needs protection is the SNI (Server Name Indication); when the protocol of the packet is HTTP, it is the resource path and the host domain name.
The modification module 203 modifies the keyword that needs protection from sniffing. Specifically, the modification module 203 either replaces all the data or keywords with other content and leaves the checksum of the TCP packet unmodified; or replaces all the data or keywords with other content and recalculates the correct checksum of the forged TCP packet, wherein the acknowledgement number corresponding to the forged checksum is modified to be the same as the acknowledgement number of the last packet sent; or replaces all the data or keywords with other content and recalculates the correct checksum of the forged TCP packet, wherein the TTL (Time To Live) in the IP header of the packet is modified to be smaller than the TTL actually needed to reach the host.
The sending module 204 sends the user's original, genuine packet. Specifically, it either splits the user's original, genuine packet at the keyword that needs protection from sniffing and puts one half of the keyword at the end of the preceding packet and the other half at the beginning of the next packet; or splits the user's original, genuine packet at the keyword that needs protection from sniffing, puts one half of the keyword at the end of the preceding packet and the other half at the beginning of the next packet, and sends a fake packet once more between the two consecutive packets that carry the keyword.
According to this embodiment, because all the data or keywords are replaced with other content, the real host ignores that packet while the bypass device adds the fake packet to its own TCP data queue; when the genuine packet is then sent, the bypass device ignores it. Consequently the bypass device in the network cannot correctly reassemble the data in the user's TCP connection, and malicious data cannot be injected.
According to this embodiment, because the correct checksum of the forged TCP packet is recalculated and the real host has already received that acknowledgement number, the real host regards the packet as erroneous and ignores it; when the genuine packet is then sent, the bypass device ignores it. Consequently the bypass device in the network cannot correctly reassemble the data in the user's TCP connection, and malicious data cannot be injected.
According to this embodiment, the TTL in the IP header of the packet is modified to be smaller than the TTL actually needed to reach the host, so the real host never receives the packet, whereas the bypass device adds it to its own TCP data queue. Consequently the bypass device in the network cannot correctly reassemble the data in the user's TCP connection, and malicious data cannot be injected.
According to this embodiment, the packet is split at the keyword that needs protection from sniffing and spread over several different preceding and following packets; the bypass device, having already received data for those positions, treats them as retransmissions after packet loss and ignores them. Consequently the bypass device in the network cannot correctly reassemble the data in the user's TCP connection, and malicious data cannot be injected.
Those of ordinary skill in the art will appreciate that the foregoing are only preferred embodiments of the invention and are not intended to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art may still modify the technical solutions recorded in the foregoing embodiments or make equivalent replacements of some of their technical features. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (10)

1. a kind of method for preventing TCP connection to be bypassed equipment sniff, comprising the following steps:
Capture the data packet that user issues;
The data for analyzing and determining data packet determine protected object according to protocol type, and parsing needs the data of anti-sniff;
Modification needs the data or keyword of anti-sniff;
Send the original true data packet of user.
2. the method for preventing TCP connection to be bypassed equipment sniff according to claim 1, which is characterized in that the analysis is sentenced The step of data of disconnected data packet determine protected object according to protocol type, and parsing needs the data of anti-sniff, further wraps It includes:
If the agreement of data packet is HTTPS, it is determined that protect to handshake packet, and resolve to the data for needing anti-sniff It is SNI;Or
If the agreement of data packet is HTTP, it is determined that protect to each message, and resolve to the number for needing anti-sniff According to being resource path and host domain name.
3. the method for preventing TCP connection to be bypassed equipment sniff according to claim 1, which is characterized in that the modification needs Will anti-sniff data or keyword the step of, further comprise:
The data for needing anti-sniff or keyword are replaced, and to the check code in TCP packet without modification.
4. the method for preventing TCP connection to be bypassed equipment sniff according to claim 1, which is characterized in that the modification needs Will anti-sniff data or keyword the step of, further comprise:
The data for needing anti-sniff or keyword are replaced;
Recalculate the correct check code of TCP packet of forgery, wherein be modified as confirmation number corresponding with the check code of forgery It is identical as the confirmation number of data packet that the last time issues.
5. the method for preventing TCP connection to be bypassed equipment sniff according to claim 1, which is characterized in that the modification needs Will anti-sniff data or keyword the step of, further comprise:
The data for needing anti-sniff or keyword are replaced;
Recalculate the correct check code of TCP packet of forgery, wherein be modified as the TTL in the IP head of data packet to be less than host TTL is actually needed.
6. according to claim 1 to the method for preventing TCP connection to be bypassed equipment sniff described in any one of 5, which is characterized in that The step of transmission user original true data packet, further comprise:
The original true data packet of user is truncated from the keyword for needing anti-sniff;
The half of keyword is put into the end of a upper data packet, the other half is put into the beginning of next data packet.
7. according to claim 1 to the method for preventing TCP connection to be bypassed equipment sniff described in any one of 5, which is characterized in that The step of transmission user original true data packet, further comprise:
The original true data packet of user is truncated from the keyword for needing anti-sniff;
The half of keyword is put into the end of a upper data packet, the other half is put into the beginning of next data packet;
Pseudo- packet is sent between two data packets for being placed with the keyword being connected.
8. a kind of system for preventing TCP connection to be bypassed equipment sniff uses the described in any item methods of claim 1-7 anti- Only bypass equipment sniff TCP connection, which is characterized in that the system, comprising:
Trapping module, the data packet that capture user issues;
Analysis module analyzes and determines the data of data packet, determines protected object according to protocol type, parsing needs anti-sniff Data;
Modified module, modification need the data or keyword of anti-sniff;
Sending module sends the original true data packet of user.
9. the system according to claim 8 for preventing TCP connection to be bypassed equipment sniff, which is characterized in that
The data for needing anti-sniff or keyword are replaced by the modified module, and to the check code in TCP packet without Modification or the correct verification of TCP packet that the data for needing anti-sniff or keyword are replaced evidence, and recalculate forgery Code, wherein confirmation number corresponding with the check code of forgery is modified as to the confirmation number phase with the last data packet issued Together or the data for needing anti-sniff or keyword are replaced, and recalculate the correct check code of TCP packet of forgery, Wherein, the TTL in the IP head of data packet is modified as being less than host actual needs TTL.
10. The system for preventing a TCP connection from being sniffed by a bypass device according to claim 8 or 9, wherein
the sending module truncates the user's original true data packet at the keyword that needs anti-sniff protection and places half of the keyword at the end of one data packet and the other half at the beginning of the next data packet; or truncates the user's original true data packet at the keyword that needs anti-sniff protection, places half of the keyword at the end of the preceding data packet and the other half at the beginning of the next data packet, and sends a pseudo packet between the two data packets that carry the split keyword.
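The claims above describe the mechanism without showing what the two kinds of receiver actually reconstruct. The following simulation is an added example, not the patent's code or the applicant's implementation: it splits a constructed HTTP request inside a keyword as in claim 7, sends a decoy segment covering the same sequence range using either the uncorrected-checksum or the low-TTL variant of claim 9 (the stale-acknowledgment-number variant is not modelled), and then reassembles the stream as the real host would (checksum verified, TTL honoured) and as three hypothetical bypass sniffers would. The addresses, ports, initial sequence number, hop counts and payload are all assumptions made for the example.

```python
"""
Simulation of the keyword-splitting and decoy-segment technique of claims 7 and 9.
Added example, not the patent's code: addresses, ports, ISN, hop counts and the
HTTP payload below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

SRC_IP = bytes([10, 0, 0, 1])          # assumed endpoints; they only feed the checksum
DST_IP = bytes([10, 0, 0, 2])
SRC_PORT, DST_PORT = 40000, 80

# Constructed sample: the keyword is what an injecting bypass device would match on.
KEYWORD = b"password="
PAYLOAD = b"POST /login HTTP/1.1\r\n\r\nuser=alice&password=hunter2\r\n"


@dataclass
class Segment:
    seq: int
    data: bytes
    ttl: int
    checksum: int


def _ones_complement_sum(buf: bytes) -> int:
    if len(buf) % 2:
        buf += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(seq: int, data: bytes) -> int:
    """RFC 793 checksum over IPv4 pseudo-header, a minimal 20-byte TCP header and data."""
    header = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, seq, 0,
                         5 << 4, 0x18, 65535, 0, 0)   # data offset 5, PSH|ACK, checksum 0
    pseudo = SRC_IP + DST_IP + struct.pack("!BBH", 0, 6, len(header) + len(data))
    return 0xFFFF ^ _ones_complement_sum(pseudo + header + data)


def make_segment(seq: int, data: bytes, ttl: int, corrupt_checksum: bool = False) -> Segment:
    csum = tcp_checksum(seq, data)
    if corrupt_checksum:
        csum ^= 0x5555                 # wrong on purpose: a host drops it, a sniffer may not
    return Segment(seq, data, ttl, csum)


def build_segments(payload: bytes, keyword: bytes, isn: int,
                   hops_to_host: int, decoy: str) -> List[Segment]:
    """Claim 7: cut the stream inside the keyword (half at the end of one segment, half
    at the start of the next) and send a decoy in between. `decoy` picks the claim 9
    variant for that decoy: 'bad_checksum' or 'low_ttl'."""
    idx = payload.find(keyword)
    if idx < 0:
        raise ValueError("keyword not present in payload")
    cut = idx + len(keyword) // 2
    first, second = payload[:cut], payload[cut:]
    # The decoy covers the second segment's sequence range exactly; the rest of the
    # keyword is replaced by same-length filler so the sniffer's stream stays aligned.
    rest = len(keyword) - len(keyword) // 2
    decoy_data = b"x" * rest + second[rest:]
    real_ttl = hops_to_host + 10       # comfortably reaches the host
    if decoy == "bad_checksum":
        fake = make_segment(isn + cut, decoy_data, real_ttl, corrupt_checksum=True)
    elif decoy == "low_ttl":
        # Dies at the last router before the host, yet is seen by a sniffer nearer the sender.
        fake = make_segment(isn + cut, decoy_data, hops_to_host)
    else:
        raise ValueError("decoy must be 'bad_checksum' or 'low_ttl'")
    return [make_segment(isn, first, real_ttl), fake, make_segment(isn + cut, second, real_ttl)]


def reassemble(segments: List[Segment], hops: int, verify_checksum: bool,
               overlap: str = "first") -> bytes:
    """Rebuild the byte stream as seen `hops` routers from the sender. A packet survives
    a router only while its TTL stays above zero, so it is visible only if ttl > hops.
    `overlap` is the policy for bytes already held: 'first' keeps them, 'last' overwrites."""
    stream: Dict[int, int] = {}
    for s in segments:
        if s.ttl <= hops:
            continue                                   # expired before reaching this point
        if verify_checksum and s.checksum != tcp_checksum(s.seq, s.data):
            continue                                   # corrupted: discarded like a host would
        for i, b in enumerate(s.data):
            if overlap == "last" or (s.seq + i) not in stream:
                stream[s.seq + i] = b
    return bytes(stream[k] for k in sorted(stream))


def compare_views(decoy: str, hops_to_sniffer: int = 3, hops_to_host: int = 8) -> Dict[str, bytes]:
    """What the real host and three hypothetical bypass sniffers each reconstruct."""
    segs = build_segments(PAYLOAD, KEYWORD, isn=1000, hops_to_host=hops_to_host, decoy=decoy)
    return {
        "host": reassemble(segs, hops_to_host, verify_checksum=True),
        "naive_sniffer": reassemble(segs, hops_to_sniffer, verify_checksum=False, overlap="first"),
        "checksum_checking_sniffer": reassemble(segs, hops_to_sniffer, verify_checksum=True, overlap="first"),
        "last_wins_sniffer": reassemble(segs, hops_to_sniffer, verify_checksum=False, overlap="last"),
    }


if __name__ == "__main__":
    for variant in ("bad_checksum", "low_ttl"):
        for name, view in compare_views(variant).items():
            print(f"{variant:13s} {name:26s} keyword visible: {KEYWORD in view}")
```

Running it shows the dependency the claims leave implicit: the host always gets the original request, and a sniffer that neither verifies checksums nor revisits data it has already accepted never sees `password=`. A sniffer that verifies TCP checksums defeats the uncorrected-checksum variant but not the low-TTL one (the decoy is well formed when it passes the sniffer), and a sniffer that lets later data overwrite earlier data recovers the keyword in both variants. The protection therefore rests on the bypass device's reassembly policy, the same insertion ambiguity long used to evade intrusion detection systems, here turned against an injecting middlebox.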
CN201811478080.6A 2018-12-05 2018-12-05 Method and system for preventing TCP connection from being sniffed by bypass equipment Active CN109889475B (en)

Publications (2)

Publication Number Publication Date
CN109889475A true CN109889475A (en) 2019-06-14
CN109889475B CN109889475B (en) 2021-08-06

Family

ID=66924959

Country Status (1)

Country Link
CN (1) CN109889475B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101478387A (en) * 2008-12-31 2009-07-08 成都市华为赛门铁克科技有限公司 Defense method, apparatus and system for hyper text transmission protocol attack
US20140006430A1 (en) * 2006-08-08 2014-01-02 CastTV Inc. Indexing multimedia web content
CN105046150A (en) * 2015-08-06 2015-11-11 福建天晴数码有限公司 Method and system for preventing structured query language (SQL) implantation
CN106131060A (en) * 2016-08-23 2016-11-16 公安部第三研究所 Utilize the tcp/ip communication control method of SYN bag manipulative communications deception track
CN107896145A (en) * 2017-11-10 2018-04-10 郑州云海信息技术有限公司 A kind of anti-method for implanting of interface interchange and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220224622A1 (en) * 2021-01-14 2022-07-14 Zscaler, Inc. TCP traceroute using RST and SYN-ACK to determine destination reachability
US11770319B2 (en) * 2021-01-14 2023-09-26 Zscaler, Inc. TCP traceroute using RST and SYN-ACK to determine destination reachability

Similar Documents

Publication Publication Date Title
CN104519018B (en) A kind of methods, devices and systems preventing the malicious requests for server
CN107634967B (en) CSRFtoken defense system and method for CSRF attack
CN102480490B (en) Method for preventing CSRF attack and equipment thereof
US7703127B2 (en) System for verifying a client request
CN101789947B (en) Method and firewall for preventing HTTP POST flooding attacks
Kaksonen et al. Software security assessment through specification mutations and fault injection
CN103327025A (en) Method and device for network access control
US20110202987A1 (en) Service access control
EP1931114B1 (en) Method and apparatus for detecting the IP address of a computer and location information associated therewith
CN101478387A (en) Defense method, apparatus and system for hyper text transmission protocol attack
CN103401836A (en) Method and device used for judging whether webpage is hijacked by ISP (internet service provider) or not
CN107426711A (en) Bind or unbind the method, apparatus and system of cell-phone number
CN109413060A (en) Message processing method, device, equipment and storage medium
US10798080B2 (en) User authentication in communication systems
CN102571846A (en) Method and device for forwarding hyper text transport protocol (HTTP) request
CN105025041A (en) File upload method, file upload apparatus and system
Bocovich et al. Secure asymmetry and deployability for decoy routing systems
CN103634111B (en) Single-point logging method and system and single sign-on client-side
CN108476199A (en) A kind of system and method for detection and defence CC attacks based on token mechanism
CN103051598B (en) Method, user equipment and packet access gateway for secure access to Internet services
CN109889475A (en) A kind of method and system for preventing TCP connection to be bypassed equipment sniff
CN107786489A (en) Access request verification method and device
CN103812859B (en) Network admission method, terminal admission method, network admission device and terminal
CN108259416B (en) Method for detecting malicious webpage and related equipment
CN101267456B (en) Method and system for preventing CP subscription simulation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant