CN111049821B - Method and device for preventing HTTP hijacking and electronic equipment - Google Patents

Info

Publication number
CN111049821B
Authority
CN
China
Prior art keywords: communication data, data packet, target, screened, data packets
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911254765.7A
Other languages
Chinese (zh)
Other versions
CN111049821A (en
Inventor
陈代月
范渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Events: application filed by DBAPPSecurity Co Ltd; priority to CN201911254765.7A; publication of CN111049821A; application granted; publication of CN111049821B; legal status active.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method, a device and electronic equipment for preventing HTTP hijacking, which relate to the technical field of network security. The method comprises the steps of obtaining the communication data packets received by a station to be protected; screening the communication data packets to obtain screened communication data packets, where the screened communication data packets comprise normal response data packets and/or redirect response data packets; extracting the target parameters of the screened communication data packets; determining the hijacked communication data packets among the screened communication data packets based on the target parameters and a preset TTL (time to live) library; and finally discarding the hijacked communication data packets. By using the target parameters of the screened communication data packets together with a preset TTL library, the method can determine which of the screened communication data packets are hijacked and discard them, and thereby achieves the effect of preventing HTTP hijacking.

Description

Method and device for preventing HTTP hijacking and electronic equipment
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for preventing HTTP hijacking and electronic equipment.
Background
As is well known, HTTP (HyperText Transfer Protocol) is used worldwide in Web pages and in the services behind all kinds of mobile terminal APPs, and is at some level a foundation of the global internet industry; its importance is self-evident. Traffic hijacking refers to the illegal act whereby a third party takes control of the data stream of a user's normal network access by improper means, in order to push content to the user or tamper with the content the user normally accesses. HTTP hijacking refers to traffic hijacking aimed at the HTTP protocol, and it confronts application operators with difficulties such as theft of access traffic and threats to users' network security.
Disclosure of Invention
The invention aims to provide a method, a device and electronic equipment for preventing HTTP hijacking, so as to solve the technical problem that the implementation cost of the HTTP hijacking preventing method in the prior art is high.
In a first aspect, an embodiment provides a method for preventing HTTP hijacking, including: acquiring the communication data packets received by a station to be protected; screening the communication data packets to obtain screened communication data packets, wherein the screened communication data packets include normal response packets and/or redirect response packets; extracting target parameters of the screened communication data packets, wherein the target parameters comprise the server IP address, the TTL value and the synchronization sequence number SYN; determining hijacked communication data packets among the screened communication data packets based on the target parameters and a preset TTL (time to live) library; and discarding the hijacked communication data packets.
In an optional embodiment, the preset TTL library stores, for each of a plurality of server IP addresses that send communication packets, the maximum TTL value of the packets from that address; determining hijacked communication data packets among the screened communication data packets based on the target parameters and the preset TTL library comprises the following steps: judging whether a target server IP address matching a target communication data packet exists in the preset TTL library, wherein the target communication data packet is any one of the screened communication data packets; if not, judging whether a communication data packet having the same server IP address and the same SYN as the target communication data packet exists among the screened communication data packets received after the target communication data packet; and if so, determining that the target communication data packet is a hijacked communication data packet.
In an alternative embodiment, the method further comprises: and if no communication data packet with the same server IP address and the same SYN as the target communication data packet exists, adding the server IP address of the target communication data packet and the TTL value of the target communication data packet to the preset TTL library.
In an alternative embodiment, the method further comprises: if the IP address of the target server matched with the target communication data packet exists, judging whether the TTL value of the target communication data packet is larger than a target TTL value corresponding to the IP address of the target server or not; if yes, judging whether a communication data packet with the same server IP address and the same SYN as the target communication data packet exists in the screened communication data packets after the target communication data packet is received; and if so, determining that the target communication data packet is a hijacked communication data packet.
In an alternative embodiment, the method further comprises: and if no communication data packet with the same server IP address and the same SYN as the target communication data packet exists, updating the preset TTL base according to the TTL value of the target communication data packet.
In an optional embodiment, after determining the hijacked communication data packet in the screened communication data packets based on the target parameter and a preset TTL base, the method further includes: judging whether a server IP address of the hijacked communication data packet exists in a preset IP address white list or not; if yes, releasing the hijacked communication data packet; and if not, discarding the hijacked communication data packet.
In a second aspect, an embodiment provides an apparatus for preventing HTTP hijacking, including: an acquisition module, configured to acquire the communication data packets received by the station to be protected; a screening module, configured to screen the communication data packets to obtain screened communication data packets, where the screened communication data packets include normal response packets and/or redirect response packets; an extracting module, configured to extract target parameters of the screened communication data packets, where the target parameters include the server IP address, the TTL value and the synchronization sequence number SYN; a determining module, configured to determine hijacked communication data packets among the screened communication data packets based on the target parameters and a preset TTL (time to live) library; and a first discarding module, configured to discard the hijacked communication data packets.
In an optional embodiment, the preset TTL library stores, for each of a plurality of server IP addresses that send communication packets, the maximum TTL value of the packets from that address; the determining module comprises: a first judging unit, configured to judge whether a target server IP address matching a target communication data packet exists in the preset TTL library, where the target communication data packet is any one of the screened communication data packets; a second judging unit, configured, if no such address exists, to judge whether a communication packet having the same server IP address and the same SYN as the target communication packet exists among the screened communication packets received after the target communication packet; and a first determining unit, configured to determine that the target communication data packet is a hijacked communication data packet if such a packet exists.
In a third aspect, an embodiment provides an electronic device, including a memory and a processor, where the memory stores a computer program operable on the processor, and the processor implements the steps of the method described in any one of the foregoing embodiments when executing the computer program.
In a fourth aspect, embodiments provide a computer readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the method of any of the preceding embodiments.
Compared with the prior art, the invention provides a method for preventing HTTP hijacking which comprises the steps of first obtaining the communication data packets received by a site to be protected; then screening the communication data packets to obtain screened communication data packets, wherein the screened communication data packets comprise normal response data packets and/or redirect response data packets; then extracting the target parameters of the screened communication data packets, wherein the target parameters comprise the server IP address, the TTL value and the synchronization sequence number SYN; then determining the hijacked communication data packets among the screened communication data packets based on the target parameters and a preset TTL (time to live) library; and finally discarding the hijacked communication data packets. By using the target parameters of the screened communication data packets together with a preset TTL library, the method can determine which of the screened communication data packets are hijacked and discard them, and thereby achieves the effect of preventing HTTP hijacking.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a method for preventing HTTP hijacking according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a method for determining a hijacked communication packet in screened communication packets based on a target parameter and a preset TTL base according to an embodiment of the present invention;
fig. 3 is a flowchart of another method for preventing HTTP hijacking according to an embodiment of the present invention;
fig. 4 is a functional block diagram of an apparatus for preventing HTTP hijacking according to an embodiment of the present invention;
fig. 5 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Reference numerals: 10, acquisition module; 20, screening module; 30, extraction module; 40, determination module; 50, first discard module; 60, processor; 61, memory; 62, bus; 63, communication interface.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Some embodiments of the invention are described in detail below with reference to the accompanying drawings. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
HTTP hijacking refers to traffic hijacking aimed at the HTTP protocol. An HTTP hijacker captures a user's HTTP GET request by port mirroring, optical splitting or similar means, modifies the HTTP response data, impersonates the source station to forge a response with malicious code embedded in the response packet, and delivers that response to the user before the source station does, so that the user is deceived: while accessing the content of the source station, the user also receives content that the source station did not provide, such as pushed advertisements, pornography, fraud and other information, which increases user complaints and the security risk to their information. In the prior art, most methods for preventing HTTP hijacking adopt HTTPS encryption schemes, but these schemes require encryption certificates to be purchased, so their implementation cost is high and their adoption is low.
Example one
The embodiment of the invention provides a method for preventing HTTP hijacking, which specifically comprises the following steps as shown in figure 1:
step S102, obtaining the communication data packet received by the station to be protected.
Specifically, when the method of the present invention is running, a station to be protected is first confirmed, and then the communication data packets received by the station to be protected are obtained through the corresponding configuration. In some embodiments, the communication data packets received by the station to be protected within a preset time period are obtained; in order to keep the user's browsing of the station to be protected smooth, the preset time period may be set to 1 second.
And step S104, screening the communication data packets to obtain screened communication data packets.
Next, in order to prevent HTTP hijacking, only the received normal response packet and/or the redirected response packet need to be analyzed, that is, after the communication packet received by the station to be protected is obtained, the communication packet needs to be screened to obtain a screened communication packet, and the screened communication packet includes: a normal response packet, and/or a redirected response packet.
Specifically, the HTTP response codes of the screened communication data packets are 200, 301 and 302. The 200 response code indicates that the request succeeded, and the response header or data body requested is returned with the response. The 301 response code indicates that the requested resource has been moved permanently to a new location; when the server returns this response (to a GET or HEAD request), the requester is automatically transferred to the new location. The 302 response code indicates that the requested resource temporarily responds to the request from a different URI, but that the requester should continue to use the original location for subsequent requests.
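The screening step above keeps only responses whose status code is 200, 301 or 302. The following is an added example, not code from the patent, showing one way to implement that screen over raw TCP payloads: it parses the HTTP/1.x status line, returns no code for anything that is not a response (a request, a TLS record, an empty segment), and keeps the qualifying payloads in arrival order. The sample payloads are constructed for the example and are not captured traffic.

```python
import re
from typing import List, Optional

# Status codes the screening step keeps: normal responses (200)
# and redirect responses (301, 302).
SCREENED_CODES = {200, 301, 302}

# Status line of an HTTP/1.x response, e.g. b"HTTP/1.1 302 Found\r\n".
# The reason phrase is optional, so b"HTTP/1.1 200\r\n" also matches.
_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: |\r?\n)")


def http_status_code(payload: bytes) -> Optional[int]:
    """Return the status code of an HTTP/1.x response payload.

    Returns None for anything that is not an HTTP/1.x response: a request,
    a TLS record, an empty segment, or a truncated status line.
    """
    m = _STATUS_LINE.match(payload)
    return int(m.group(1)) if m else None


def is_screened_response(payload: bytes) -> bool:
    """True if the payload is a 200, 301 or 302 response (step S104)."""
    return http_status_code(payload) in SCREENED_CODES


def screen(payloads: List[bytes]) -> List[bytes]:
    """Keep only the payloads the later steps need to analyse, in arrival order."""
    return [p for p in payloads if is_screened_response(p)]


# Constructed sample payloads (not captured traffic): responses, a request,
# a non-HTTP segment and a 404, all of which the screen must handle.
SAMPLE_PAYLOADS = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>",
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 302 Found\r\nLocation: http://cdn.example.test/\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",  # start of a TLS record
    b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.0 301 Moved Permanently\r\nLocation: http://example.test/new\r\n\r\n",
    b"",
]

if __name__ == "__main__":
    for p in screen(SAMPLE_PAYLOADS):
        print(http_status_code(p), p.split(b"\r\n", 1)[0])
```

Only the status line is inspected, which is all the screening step needs; the later steps work on IP and TCP header fields rather than on the HTTP body.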
And step S106, extracting the target parameters of the screened communication data packets.
After obtaining the screened communication data packets, it is necessary to further extract the target parameters of each screened communication data packet, where the target parameters include the server IP address, the TTL (time to live) value, and the synchronization sequence number (SYN); these are used for the determination of HTTP hijacking in the subsequent steps.
Step S108, determining hijacked communication data packets among the screened communication data packets based on the target parameters and a preset TTL (time to live) library.
Step S110, discarding the hijacked communication data packets.
After the target parameters of all the screened communication data packets have been obtained, they are combined with the preset TTL library to determine which of the screened communication data packets are hijacked; the hijacked communication data packets are discarded and the non-hijacked communication data packets are released, so that the effect of preventing HTTP hijacking is achieved. For the convenience of statistical analysis, the related information of each discarded hijacked communication data packet can be recorded in a log and can also be displayed to the user through a page.
Compared with the prior art, the invention provides a method for preventing HTTP hijacking which comprises the steps of first obtaining the communication data packets received by a site to be protected; then screening the communication data packets to obtain screened communication data packets, wherein the screened communication data packets comprise normal response data packets and/or redirect response data packets; then extracting the target parameters of the screened communication data packets, wherein the target parameters comprise the server IP address, the TTL value and the synchronization sequence number SYN; then determining the hijacked communication data packets among the screened communication data packets based on the target parameters and a preset TTL (time to live) library; and finally discarding the hijacked communication data packets. By using the target parameters of the screened communication data packets together with a preset TTL library, the method can determine which of the screened communication data packets are hijacked and discard them, and thereby achieves the effect of preventing HTTP hijacking.
The flow of the method for preventing HTTP hijacking according to the embodiment of the present invention is briefly described above, and the following describes in detail how to determine the hijacked communication packet.
In an optional embodiment, the preset TTL database stores maximum TTL values of a plurality of server IP addresses transmitting communication packets.
As shown in fig. 2, the step S108 of determining the hijacked communication data packet in the screened communication data packets based on the target parameter and the preset TTL library specifically includes the following steps:
step S1081, judging whether a preset TTL base has a target server IP address matched with the target communication data packet.
Specifically, in the embodiment of the present invention, the preset TTL library stores, for each of multiple server IP addresses, the maximum TTL value of the communication packets sent from that address; for example, the preset TTL library stores in advance that the maximum TTL value of communication packets from the IP address 109.130.246.236 is 6, and that the maximum TTL value of communication packets from the IP address 109.130.246.216 is 10. Therefore, after the screened communication data packets are obtained, it is necessary to determine whether a target server IP address matching a target communication data packet exists in the preset TTL library, where the target communication data packet is any one of the screened communication data packets.
If not, step S1082 is executed, and if yes, step S1085 is executed.
Step S1082, judging whether a communication packet having the same server IP address and the same SYN as the target communication packet exists among the screened communication packets received after the target communication packet.
If yes, step S1083 is executed, and if no, step S1084 is executed.
And step S1083, determining the target communication data packet as a hijacked communication data packet.
Step S1084, adding the server IP address of the target communication packet and the TTL value of the target communication packet to a preset TTL library.
If the preset TTL library has no target server IP address matching the target communication data packet, the target communication data packet may have been hijacked, and it is necessary to further judge whether a communication data packet having the same server IP address and the same SYN as the target communication data packet exists among the screened communication data packets received after the target communication data packet. In this judgment the screened packets are examined in the time order in which they were received. If a communication data packet with the same server IP address and the same SYN as the target communication data packet appears after the target communication data packet, the target communication data packet is a response that arrived ahead of the real one, that is, the target communication data packet can be determined to be hijacked. If no communication data packet appearing after the target communication data packet has the same server IP address and the same SYN as the target communication data packet, the target communication data packet is safe, and the server IP address of the target communication data packet and its TTL value may be added to the preset TTL library.
In the above, a process of determining whether a target communication data packet is hijacked or not when a target server IP address matching the target communication data packet does not exist in the preset TTL base is introduced, and a detailed description is given below of a process of determining whether a target communication data packet is hijacked or not when a target server IP address matching the target communication data packet exists in the preset TTL base.
Step S1085, judge whether the TTL value of the target communication data packet is greater than the target TTL value corresponding to the IP address of the target server.
If yes, executing step S1086, and if not, determining that the target communication data packet is safe, and releasing the target communication data packet.
Step S1086, judging whether a communication packet having the same server IP address and the same SYN as the target communication packet exists among the screened communication packets received after the target communication packet.
If yes, step S1087 is executed, and if no, step S1088 is executed.
Step S1087, determining that the target communication packet is a hijacked communication packet.
And step S1088, updating the preset TTL library according to the TTL value of the target communication data packet.
Specifically, if the preset TTL library stores a maximum TTL value for the server IP address of the target communication packet, it is first determined whether the TTL value of the target communication packet is greater than the target TTL value (the stored maximum TTL value) corresponding to that target server IP address. If not, the target communication packet is safe and can be released. If it is greater, the target communication data packet may have been hijacked, and it is further determined whether a communication data packet having the same server IP address and the same SYN as the target communication data packet exists among the screened communication data packets received after the target communication data packet.
In this judgment the screened packets are examined in the time order in which they were received. If a communication data packet having the same server IP address and the same SYN as the target communication data packet appears after the target communication data packet, the target communication data packet is a response that arrived ahead of the real one, that is, it can be determined that the target communication data packet is hijacked. If no communication packet appearing after the target communication packet has the same server IP address and the same SYN as the target communication packet, the target communication packet is safe and can be released; at the same time the preset TTL library needs to be updated, replacing the target TTL value stored for that target server IP address with the TTL value of the target communication data packet.
For ease of understanding, the following example is given. Assume that the preset TTL library stores that the maximum TTL value of communication data packets from the IP address 109.130.246.236 is 6. If the TTL value of a received target communication data packet from the IP address 109.130.246.236 is 3, the target communication data packet is safe and can be released. If the TTL value of a received target communication data packet from the IP address 109.130.246.236 is 10, the target communication data packet may have been hijacked, and it is necessary to further determine whether a communication packet with the same server IP address and the same SYN as the target communication packet exists among the screened communication packets received after it: if so, the target communication packet is determined to be a hijacked communication packet; if not, the target communication packet is determined to be safe, and the maximum TTL value stored in the preset TTL library for the IP address 109.130.246.236 needs to be updated to 10.
In some embodiments, the data packets determined to be hijacked are discarded by means of an iptables rule. iptables is the packet filtering firewall of the Linux platform. A packet filtering firewall is the most basic kind of firewall and works mainly at the network layer and the transport layer; its security policy consists of a set of rules whose actions are to drop or accept, and the rules explicitly define which data packets are allowed or forbidden to pass through the local network interface. The matching conditions of the rules are mainly the IP address and the port number: when a data packet reaches the local network interface, the firewall checks the contents of these two fields and then, according to the action of the matching rule, decides whether to let the data packet pass or to drop it directly.
In order to reduce the impact on the normal HTTP request, in an alternative embodiment, as shown in fig. 3, after determining the hijacked communication packets in the screened communication packets based on the target parameters and the preset TTL library in step S108, the method further includes the following steps:
step S1091, determining whether the preset IP address white list has the server IP address of the hijacked communication data packet.
If yes, step S1092 is executed, and if not, step S1093 is executed.
And step S1092, releasing the hijacked communication data packet.
Step S1093, discarding the hijacked communication data packet.
That is, if a certain communication packet has been determined to be hijacked, but the server IP address of the hijacked communication packet is in the preset IP address white list, the hijacked communication packet is not discarded but released.
In summary, the method for preventing HTTP hijacking provided in the embodiments of the present invention comprehensively determines whether a communication data packet is hijacked or not by determining whether the same SYN is returned or not according to the TTL value of the communication data packet, so that a false alarm rate can be reduced, and a user can add a preset IP address white list to reduce the influence of an iptables rule on a normal HTTP request.
Example two
The embodiment of the invention also provides a device for preventing HTTP hijacking, which is mainly used for executing the method for preventing HTTP hijacking provided by the first embodiment of the invention, and the device for preventing HTTP hijacking provided by the embodiment of the invention is specifically introduced below.
Fig. 4 is a functional block diagram of an apparatus for preventing HTTP hijacking according to an embodiment of the present invention, as shown in fig. 4, the apparatus mainly includes: an obtaining module 10, a screening module 20, an extracting module 30, a determining module 40, and a first discarding module 50, wherein:
an obtaining module 10, configured to obtain a communication data packet received by a station to be protected.
A screening module 20, configured to screen the communication data packet to obtain a screened communication data packet, where the screened communication data packet includes: a normal response packet, and/or a redirected response packet.
An extracting module 30, configured to extract target parameters of the screened communication data packets, where the target parameters include: server IP address, TTL value, and synchronization sequence number SYN.
A determining module 40, configured to determine, based on the target parameters and a preset TTL library, the hijacked communication data packets among the screened communication data packets.
A first discarding module 50, configured to discard the hijacked communication data packets among the screened communication data packets.
Compared with the prior art, the invention provides a device for preventing HTTP hijacking which first obtains the communication data packets received by a station to be protected, then screens the communication data packets to obtain screened communication data packets, wherein the screened communication data packets comprise normal response data packets and/or redirection response data packets, then extracts the target parameters of the screened communication data packets, wherein the target parameters comprise the server IP address, the TTL value and the synchronization sequence number SYN, then determines the hijacked communication data packets among the screened communication data packets based on the target parameters and a preset TTL (time to live) library, and finally discards the hijacked communication data packets. Because the device can determine and discard the hijacked communication data packets using only the target parameters of the screened communication data packets and a preset TTL library, the effect of preventing HTTP hijacking is achieved with simple operation and low cost, which solves the technical problem of the high implementation cost of the HTTP hijacking prevention methods in the prior art.
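The screening module 20 and the extracting module 30 described above, as an added example that is not code from the patent: it parses constructed IPv4/TCP frames carrying HTTP responses, keeps only normal (2xx) and redirect (3xx) responses, and returns the three target parameters. The packet builder, the field names, the sample addresses and the reading of the patent's "SYN" as the TCP sequence number field are assumptions made for this illustration.

```python
import struct
from ipaddress import IPv4Address
from typing import List, Optional


def build_response(server_ip: str, ttl: int, seq: int, http_payload: bytes,
                   client_ip: str = "10.0.0.2") -> bytes:
    """Constructed helper (not from the patent): a minimal IPv4 + TCP frame
    carrying an HTTP response, so the extractor has realistic bytes to parse.
    Checksums are left zero because nothing here validates them."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                          # version 4, IHL 5 (20-byte header)
        0,                             # DSCP / ECN
        20 + 20 + len(http_payload),   # total length
        0, 0,                          # identification, flags + fragment offset
        ttl,                           # time to live: the value the detector compares
        6,                             # protocol: TCP
        0,                             # header checksum (not computed)
        IPv4Address(server_ip).packed, # source = the responding server
        IPv4Address(client_ip).packed, # destination = the protected station
    )
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        80, 40000,                     # source port 80 (server), destination port
        seq, 0,                        # sequence number (the patent's "SYN"), ack number
        5 << 4,                        # data offset: 5 words, no options
        0x18,                          # flags PSH | ACK
        65535, 0, 0,                   # window, checksum, urgent pointer
    )
    return ip_header + tcp_header + http_payload


def extract_target_params(raw: bytes) -> Optional[dict]:
    """Extracting module: return server IP, TTL and sequence number (plus the
    HTTP status used by the screening step), or None when the frame is not a
    TCP segment whose payload starts with an HTTP status line."""
    if len(raw) < 40 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    ttl, proto = raw[8], raw[9]
    if proto != 6:
        return None
    server_ip = str(IPv4Address(raw[12:16]))
    tcp = raw[ihl:]
    if len(tcp) < 20:
        return None
    _src_port, _dst_port, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    payload = tcp[data_off:]
    status_line = payload.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None                    # a request or a non-HTTP payload: not a response
    return {"server_ip": server_ip, "ttl": ttl, "seq": seq, "status": int(parts[1])}


def screen(raw_packets: List[bytes]) -> List[dict]:
    """Screening module: keep only normal (2xx) and redirect (3xx) responses,
    already reduced to their target parameters."""
    kept = []
    for raw in raw_packets:
        params = extract_target_params(raw)
        if params is not None and 200 <= params["status"] < 400:
            kept.append(params)
    return kept


if __name__ == "__main__":
    # Constructed sample traffic: two responses, a 404 and a request.
    frames = [
        build_response("203.0.113.10", 52, 1000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        build_response("203.0.113.10", 64, 1000, b"HTTP/1.1 302 Found\r\nLocation: http://example.com/\r\n\r\n"),
        build_response("203.0.113.10", 52, 1001, b"HTTP/1.1 404 Not Found\r\n\r\n"),
        build_response("203.0.113.10", 52, 1002, b"GET / HTTP/1.1\r\n\r\n"),
    ]
    for p in screen(frames):
        print(p)
```

Only the TTL, the source address and the sequence number are needed downstream, so the screening step reduces each frame to those fields at once; the 404 and the request are discarded before the determining module ever sees them, which is exactly the reduction in work the patent's "screened communication data packets" is meant to provide.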
Optionally, the preset TTL library stores the maximum TTL values of the communication data packets sent by the multiple server IP addresses.
The determination module 40 includes:
a first judging unit, configured to judge whether a target server IP address matching a target communication data packet exists in the preset TTL (time to live) library, wherein the target communication data packet is any one of the screened communication data packets;
a second judging unit, configured to judge, if no matching target server IP address exists, whether a communication data packet having the same server IP address and the same SYN as the target communication data packet exists among the screened communication data packets received after the target communication data packet;
a first determining unit, configured to determine that the target communication data packet is a hijacked communication data packet if such a communication data packet exists.
Optionally, the determining module 40 further includes:
an adding unit, configured to add the server IP address of the target communication data packet and the TTL value of the target communication data packet to the preset TTL library if no communication data packet having the same server IP address and the same SYN as the target communication data packet exists.
Optionally, the determining module 40 further includes:
a third judging unit, configured to judge, if a target server IP address matching the target communication data packet exists, whether the TTL value of the target communication data packet is greater than the target TTL value corresponding to the target server IP address;
a fourth judging unit, configured to judge, if so, whether a communication data packet having the same server IP address and the same SYN as the target communication data packet exists among the screened communication data packets received after the target communication data packet;
a second determining unit, configured to determine that the target communication data packet is a hijacked communication data packet if such a communication data packet exists.
Optionally, the determining module 40 further includes:
an updating unit, configured to update the preset TTL library according to the TTL value of the target communication data packet if no communication data packet having the same server IP address and the same SYN as the target communication data packet exists.
Optionally, the apparatus further comprises:
a judging module, configured to judge whether the server IP address of the hijacked communication data packet exists in the preset IP address white list;
a releasing module, configured to release the hijacked communication data packet if it exists;
a second discarding module, configured to discard the hijacked communication data packet if it does not exist.
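The determining module 40 with its judging, adding, determining and updating units, together with the white-list check of steps S1091 to S1093 from the first embodiment, as one added example that is not the patent's own code. It holds the preset TTL library as a per-server maximum, flags a response only when a second response with the same server IP address and the same sequence number follows it, and then applies the white list to decide between releasing and discarding. The class and method names, the dict field names, the sample TTL values and the addresses are constructed for this illustration.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed packet shape, matching the patent's target parameters:
# {"server_ip": str, "ttl": int, "seq": int}  (seq is the patent's "SYN")
Packet = dict


class HijackDetector:
    """Added illustration of the determining module (hypothetical name).

    ttl_library plays the role of the preset TTL library: server IP -> largest
    TTL value seen from that server. A response from an unknown server, or one
    whose TTL exceeds the stored maximum (a reply injected from a device closer
    to the station has crossed fewer hops, so its TTL is higher), is only
    judged hijacked when a second response with the same server IP and the same
    sequence number arrives later: both the injected reply and the genuine one
    answer the same request. Without that second response the new TTL is
    learned instead of raising an alarm, which is what keeps the false alarm
    rate down when a route simply changes.
    """

    def __init__(self, ttl_library: Dict[str, int] = None,
                 whitelist: Iterable[str] = ()):
        self.ttl_library: Dict[str, int] = dict(ttl_library or {})
        self.whitelist = set(whitelist)          # preset IP address white list

    @staticmethod
    def _same_ip_and_seq_follows(target: Packet, later: List[Packet]) -> bool:
        # second / fourth judging unit: a later packet with same server IP and SYN
        return any(p["server_ip"] == target["server_ip"] and p["seq"] == target["seq"]
                   for p in later)

    def is_hijacked(self, target: Packet, later: List[Packet]) -> bool:
        ip, ttl = target["server_ip"], target["ttl"]
        if ip not in self.ttl_library:               # first judging unit: no match
            if self._same_ip_and_seq_follows(target, later):
                return True                          # first determining unit
            self.ttl_library[ip] = ttl               # adding unit
            return False
        if ttl > self.ttl_library[ip]:               # third judging unit
            if self._same_ip_and_seq_follows(target, later):
                return True                          # second determining unit
            self.ttl_library[ip] = ttl               # updating unit
        return False

    def decide(self, screened: List[Packet]) -> List[Tuple[str, Packet]]:
        """Run the determination and the white-list check over screened packets
        in arrival order. Actions: 'pass' (not hijacked), 'release' (hijacked
        but server IP white-listed, step S1092), 'drop' (step S1093)."""
        decisions = []
        for i, target in enumerate(screened):
            if not self.is_hijacked(target, screened[i + 1:]):
                decisions.append(("pass", target))
            elif target["server_ip"] in self.whitelist:   # step S1091
                decisions.append(("release", target))
            else:
                decisions.append(("drop", target))
        return decisions


if __name__ == "__main__":
    # Constructed sample: a known server at TTL 52, an injected reply at TTL 64
    # answering the same request, and an unknown white-listed server.
    detector = HijackDetector(ttl_library={"203.0.113.10": 52},
                              whitelist=["198.51.100.7"])
    sample = [
        {"server_ip": "203.0.113.10", "ttl": 64, "seq": 1000},   # injected
        {"server_ip": "203.0.113.10", "ttl": 52, "seq": 1000},   # genuine
        {"server_ip": "203.0.113.10", "ttl": 52, "seq": 2000},   # normal
        {"server_ip": "198.51.100.7", "ttl": 60, "seq": 5},      # injected, white-listed
        {"server_ip": "198.51.100.7", "ttl": 48, "seq": 5},      # genuine
        {"server_ip": "192.0.2.1", "ttl": 120, "seq": 9},        # unknown, learned
    ]
    for action, pkt in detector.decide(sample):
        print(action, pkt)
```

Because the verdict on a packet depends on what arrives after it, a live deployment has to hold each screened response for a short window (or apply the drop to the flow retrospectively, as the patent's iptables rule does) rather than deciding on the packet alone; the list-based lookahead above makes that dependency explicit.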
Example three
Referring to fig. 5, an embodiment of the present invention provides an electronic device, including: a processor 60, a memory 61, a bus 62 and a communication interface 63, wherein the processor 60, the communication interface 63 and the memory 61 are connected through the bus 62; the processor 60 is arranged to execute executable modules, such as computer programs, stored in the memory 61.
The memory 61 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 63 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, and the like may be used.
The bus 62 may be an ISA bus, a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 5, but this does not indicate only one bus or one type of bus.
The memory 61 is used for storing a program, the processor 60 executes the program after receiving an execution instruction, and the method executed by the apparatus defined by the flow process disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 60, or implemented by the processor 60.
The processor 60 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 60. The processor 60 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or another programmable logic device, discrete gate or transistor logic device, or discrete hardware component. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM or registers. The storage medium is located in the memory 61, and the processor 60 reads the information in the memory 61 and, in combination with its hardware, performs the steps of the above method.
The computer program product of the method, apparatus and electronic device for preventing HTTP hijacking provided in the embodiments of the present invention includes a computer-readable storage medium storing non-volatile program code executable by a processor, where the instructions included in the program code may be used to execute the method described in the foregoing method embodiments; for specific implementations refer to the method embodiments, which are not described herein again.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings or the orientations or positional relationships that the products of the present invention are conventionally placed in use, and are only used for convenience in describing the present invention and simplifying the description, but do not indicate or imply that the devices or elements referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," "third," and the like are used solely to distinguish one from another and are not to be construed as indicating or implying relative importance.
Furthermore, the terms "horizontal", "vertical", "overhang" and the like do not imply that the components are required to be absolutely horizontal or overhang, but may be slightly inclined. For example, "horizontal" merely means that the direction is more horizontal than "vertical" and does not mean that the structure must be perfectly horizontal, but may be slightly inclined.
In the description of the present invention, it should also be noted that, unless otherwise explicitly specified or limited, the terms "disposed", "mounted" and "connected" are to be construed broadly and may, for example, mean fixedly connected, detachably connected or integrally connected; mechanically or electrically connected; connected directly or indirectly through intervening media; or in internal communication between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases by those skilled in the art.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A method for preventing HTTP hijacking, comprising:
acquiring a communication data packet received by a station to be protected;
screening the communication data packets to obtain screened communication data packets, wherein the screened communication data packets include: a normal response packet, and/or a redirected response packet;
extracting target parameters of the screened communication data packets, wherein the target parameters comprise: server IP address, TTL value and synchronization sequence number SYN;
determining hijacked communication data packets in the screened communication data packets based on the target parameters and a preset TTL (time to live) library;
discarding the screened hijacked communication data packets;
the preset TTL library stores the maximum TTL values of a plurality of server IP addresses for sending communication data packets;
determining hijacked communication data packets in the screened communication data packets based on the target parameters and a preset TTL (time to live) library comprises the following steps:
judging whether a target server IP address matching a target communication data packet exists in the preset TTL library, wherein the target communication data packet is any one of the screened communication data packets;
if not, judging whether a communication data packet having the same server IP address and the same SYN as the target communication data packet exists among the screened communication data packets received after the target communication data packet;
and if so, determining that the target communication data packet is a hijacked communication data packet.
2. The method of claim 1, further comprising:
and if no communication data packet with the same server IP address and the same SYN as the target communication data packet exists, adding the server IP address of the target communication data packet and the TTL value of the target communication data packet to the preset TTL library.
3. The method of claim 1, further comprising:
if a target server IP address matching the target communication data packet exists, judging whether the TTL value of the target communication data packet is greater than the target TTL value corresponding to the target server IP address;
if so, judging whether a communication data packet having the same server IP address and the same SYN as the target communication data packet exists among the screened communication data packets received after the target communication data packet;
and if so, determining that the target communication data packet is a hijacked communication data packet.
4. The method of claim 3, further comprising:
and if no communication data packet with the same server IP address and the same SYN as the target communication data packet exists, updating the preset TTL base according to the TTL value of the target communication data packet.
5. The method as claimed in claim 1, wherein after determining the hijacked communication data packets in the screened communication data packets based on the target parameters and the preset TTL library, the method further comprises:
judging whether a server IP address of the hijacked communication data packet exists in a preset IP address white list or not;
if yes, the hijacked communication data packet is released;
and if not, discarding the hijacked communication data packet.
6. An apparatus for preventing HTTP hijacking, comprising:
the acquisition module is used for acquiring the communication data packet received by the station to be protected;
a screening module, configured to screen the communication data packet to obtain a screened communication data packet, where the screened communication data packet includes: a normal response packet, and/or a redirected response packet;
an extracting module, configured to extract target parameters of the screened communication data packets, where the target parameters include: server IP address, TTL value and synchronization sequence number SYN;
a determining module, configured to determine hijacked communication data packets in the screened communication data packets based on the target parameters and a preset TTL (time to live) library;
the first discarding module is used for discarding the screened hijacked communication data packets;
the preset TTL library stores the maximum TTL values of a plurality of server IP addresses for sending communication data packets;
the determining module comprises:
a first judging unit, configured to judge whether a target server IP address matching a target communication data packet exists in the preset TTL library, wherein the target communication data packet is any one of the screened communication data packets;
a second judging unit, configured to judge, if not, whether a communication data packet having the same server IP address and the same SYN as the target communication data packet exists among the screened communication data packets received after the target communication data packet;
and a first determining unit, configured to determine that the target communication data packet is a hijacked communication data packet if such a communication data packet exists.
7. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the method of any of claims 1 to 5 when executing the computer program.
8. A computer-readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the method of any of claims 1 to 5.
CN201911254765.7A 2019-12-09 2019-12-09 Method and device for preventing HTTP hijacking and electronic equipment Active CN111049821B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911254765.7A CN111049821B (en) 2019-12-09 2019-12-09 Method and device for preventing HTTP hijacking and electronic equipment

Publications (2)

Publication Number Publication Date
CN111049821A CN111049821A (en) 2020-04-21
CN111049821B true CN111049821B (en) 2022-06-07

Family

ID=70235561

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911254765.7A Active CN111049821B (en) 2019-12-09 2019-12-09 Method and device for preventing HTTP hijacking and electronic equipment

Country Status (1)

Country Link
CN (1) CN111049821B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant