CN111614633A - Auditing method and system for L2TP protocol - Google Patents


Info

Publication number
CN111614633A
Authority
CN
China
Prior art keywords
message
l2tp
packet
session
header
Prior art date
Legal status
Granted
Application number
CN202010364640.6A
Other languages
Chinese (zh)
Other versions
CN111614633B (en)
Inventor
龙光武
Current Assignee
Wuhan Sipuleng Technology Co Ltd
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Wuhan Sipuling Technology Co Ltd
Priority to CN202010364640.6A
Publication of CN111614633A
Application granted
Publication of CN111614633B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2521 Translation architectures other than single NAT servers
    • H04L61/2525 Translation at a client
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H04L67/143 Termination or inactivation of sessions, e.g. event-controlled end of session

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an auditing method and system for an L2TP protocol, belongs to the technical field of message auditing, and solves the problem that an accurate auditing result of an L2TP message cannot be obtained in the prior art. An auditing method for an L2TP protocol, comprising the steps of: acquiring an L2TP message, and when the L2TP message is a data message and the load of a PPP message header is an IP message and the IP message is legal, forming a new message under the condition that a session is established and no blocking mark exists or the session is not established; associating the new message to a session, performing user identification, complete analysis, classification, marking and application strategy matching on the new message, updating flow statistical information, and then deleting the new message; and performing source NAT on the L2TP message and then transmitting the packet under the conditions that the L2TP message is a control message, the PPP message header load is not an IP message, the IP message is illegal or the policy action is not blocked. And an accurate audit result of the L2TP message can be obtained.

Description

Auditing method and system for L2TP protocol
Technical Field
The invention relates to the technical field of message auditing, in particular to an auditing method and system aiming at an L2TP protocol.
Background
L2TP establishes a tunnel based on the PPP protocol, either between a branch office and the head office over a dial-up network (PSTN/ISDN) or directly between a user terminal and the head office through an L2TP client, so that both the branch office and the remote user can access the headquarters network.
Usually, the application engine only analyzes and audits the payload of the outermost IP packet. For data carried in an L2TP tunnel, however, the engine sees only the L2TP packet, while the original packet is encapsulated inside it, so the audit cannot be completed and an accurate audit result for the L2TP packet cannot be obtained.
Disclosure of Invention
The invention aims to overcome at least one technical defect and provides an auditing method and system for an L2TP protocol.
In one aspect, the invention provides an auditing method for an L2TP protocol, which comprises the following steps:
step S1, obtaining an L2TP message and judging whether the L2TP message is a control message or a data message; if it is a control message, executing step S5, and if it is a data message, executing step S2;
step S2, judging whether the PPP message header load of the L2TP message is an IP message, if so, judging whether the IP message is legal, if the PPP message header load is the IP message and the IP message is legal, extracting an inner layer message from the L2TP message to form a new message under the condition that a session is established and no blocking mark exists or the session is not established, and executing step S3, if the PPP message header load is not the IP message or the IP message is illegal, executing step S5;
step S3, if the conversation is established and there is no blocking mark, the new message is associated to the conversation, if the conversation is not established, the conversation is newly established, and the new message is associated to the newly established conversation;
step S4, executing user identification on the new message, completely analyzing the new message, classifying and marking the new message by combining the feature library, matching the application strategy of the new message, updating the flow statistical information, and then deleting the new message;
step S5, determining whether the policy action is blocked, if not, performing step S6, and if so, performing step S7;
s6, performing source NAT on the L2TP message, then sending a packet, and ending the process;
and S7, discarding the L2TP message, marking a blocking mark on the corresponding session of the L2TP message, and ending the process.
Further, the determining whether the PPP packet header load of the L2TP packet is an IP packet specifically includes shifting a pointer pointing to the L2TP packet header to the PPP packet header, parsing the PPP packet header, and checking whether the PPP packet header load is an IP packet.
Further, the determining whether the IP packet is legal specifically includes determining whether the version number of the IP packet is correct, whether the length of the IP header is correct, whether the length stored in the skb is consistent with the length set in the IP header, whether the source MAC address and the destination MAC address are both non-zero, and whether the checksum is correct; if all of these hold, the IP packet is legal, otherwise it is illegal.
Further, the auditing method for the L2TP protocol further includes searching a session in a session table according to a five-tuple of the IP packet to determine whether the session is established, discarding the L2TP packet if the session is established and a blocking flag exists, marking the blocking flag on the session corresponding to the L2TP packet, and ending the flow.
On the other hand, the invention provides an auditing system aiming at an L2TP protocol, which comprises an L2TP message type judging module, a newly-built message module, a new message correlation module, a new message processing module, a packet sending module and a blocking marking module,
the L2TP message type determining module is configured to obtain an L2TP message, and determine whether the L2TP message is a control message or a data message;
the new message module is used for judging whether the PPP message header load of the L2TP message is an IP message, if so, judging whether the IP message is legal, and if the PPP message header load is the IP message and the IP message is legal, extracting an inner layer message from the L2TP message to form a new message under the condition that a session is established and no blocking mark exists or the session is not established;
the new message association module is used for associating the new message to the session under the condition that the session is established and no blocking mark exists, establishing a new session under the condition that the session is not established, and associating the new message to the newly established session;
the new message processing module is used for executing user identification on the new message, completely analyzing the new message, classifying and marking the new message by combining the characteristic library, performing application strategy matching on the new message, updating flow statistical information under the condition that the strategy action is not blocked, and then deleting the new message;
the packet sending module is configured to perform source NAT on the L2TP packet and then send a packet if the L2TP packet is a control packet, the PPP packet header load is not an IP packet, the IP packet is illegal, or the policy action is not blocked;
the blocking marking module is used for discarding the L2TP message and marking a blocking mark on the session corresponding to the L2TP message under the condition that the policy action is blocking.
Further, the newly-created message module includes an IP message determination unit, where the IP message determination unit is configured to determine whether a PPP message header load of the L2TP message is an IP message, and specifically includes shifting a pointer pointing to a header of the L2TP message to the header of the PPP message, analyzing the header of the PPP message, and checking whether the load of the header of the PPP message is an IP message.
Further, the newly-built message module further comprises an IP message validity judging unit, where the IP message validity judging unit is configured to judge whether the IP message is valid, and specifically includes judging whether the version number of the IP message is correct, whether the length of the IP header is correct, whether the length stored in the skb is consistent with the length set by the IP header, whether the source MAC address and the destination MAC address are both non-zero, and whether the checksum is correct, if yes, the IP message is valid, and otherwise, the IP message is not valid.
Further, the auditing system for the L2TP protocol further includes a session establishment judging module, where the session establishment judging module is used to search a session in the session table according to the quintuple of the IP packet to judge whether the session is established; the blocking mark module is further configured to discard the L2TP packet and mark a blocking mark on the session corresponding to the L2TP packet, when the session is established and the blocking mark exists.
Compared with the prior art, the invention has the beneficial effects that: judging whether the L2TP message is a control message or a data message by acquiring an L2TP message; judging whether PPP message header load of the L2TP message is an IP message, if so, judging whether the IP message is legal, if so, extracting an inner layer message from the L2TP message to form a new message under the condition that a session is established and no blocking mark exists or the session is not established; under the condition that the session is established and no blocking mark exists, the new message is associated to the session, under the condition that the session is not established, the session is newly established, and the new message is associated to the newly established session; executing user identification on the new message, completely analyzing the new message, classifying and marking the new message by combining with a feature library, performing application strategy matching on the new message, updating flow statistical information under the condition that the strategy action is not blocked, and then deleting the new message; under the conditions that the L2TP message is a control message, the PPP message header load is not an IP message, the IP message is illegal or a new message is deleted, performing source NAT on the L2TP message, and then sending a packet; and an accurate audit result of the L2TP message can be obtained.
Drawings
Fig. 1 is a schematic flow chart of an auditing method for L2TP protocol according to embodiment 1 of the present invention;
fig. 2 is a schematic diagram of an L2TP message format according to embodiment 1 of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Example 1
An embodiment of the present invention provides an auditing method for an L2TP protocol, which has a schematic flow chart, as shown in fig. 1, and the auditing method for an L2TP protocol includes the following steps:
step S1, obtaining an L2TP message and judging whether the L2TP message is a control message or a data message; if it is a control message, executing step S5, and if it is a data message, executing step S2;
step S2, judging whether the PPP message header load of the L2TP message is an IP message, if so, judging whether the IP message is legal, if the PPP message header load is the IP message and the IP message is legal, extracting an inner layer message from the L2TP message to form a new message under the condition that a session is established and no blocking mark exists or the session is not established, and executing step S3; if the PPP message header load is not the IP message or the IP message is illegal, executing step S5;
step S3, if the conversation is established and there is no blocking mark, the new message is associated to the conversation, if the conversation is not established, the conversation is newly established, and the new message is associated to the newly established conversation;
step S4, executing user identification on the new message, completely analyzing the new message, classifying and marking the new message by combining with the feature library, matching the application strategy of the new message, updating the flow statistical information under the condition that the strategy action is not blocked, and then deleting the new message;
step S5, determining whether the policy action is blocked, if not, performing step S6, and if so, performing step S7;
s6, performing source NAT on the L2TP message, then sending a packet, and ending the process;
and S7, discarding the L2TP message, marking a blocking mark on the corresponding session of the L2TP message (the subsequent message directly loses the packet and the process does not need to be carried out), and ending the process.
It should be noted that the packet refers to a transmission unit for carrying data information in a network, and includes a packet header and a data segment; the message header has the source and destination addresses of the message, which are used for network transmission, and the length of the message is not fixed;
in a specific embodiment, the L2TP message is a UDP message whose source/destination ports are both 1701, and if the L2TP message is a control message, its type bit is 1; when determining whether the session is established, searching the session in a session table according to the quintuple of the IP message, if the session is found, determining that the session is established, otherwise, not establishing the session; if the session is established and no blocking mark exists, associating the new message to the session, and meanwhile, updating the aging time; if the session corresponding to the new message does not exist (the session is not established) and the blocking mark does not exist, establishing a new session according to the five-tuple of the new message, adding the session into a session table, and associating the new message to the new session;
preferably, the determining whether the PPP packet header load of the L2TP packet is an IP packet specifically includes shifting a pointer pointing to the L2TP packet header to the PPP packet header, parsing the PPP packet header, and checking whether the PPP packet header load is an IP packet.
In a specific implementation, the format of the L2TP message is shown schematically in fig. 2; the load of the PPP message header is the content following the PPP header in fig. 2 (the inner layer message);
preferably, the determining whether the IP packet is legal specifically includes determining whether the version number of the IP packet is correct, whether the length of the IP header is correct, whether the length stored in the skb is consistent with the length set in the IP header, whether the source MAC address and the destination MAC address are both non-zero, and whether the checksum is correct; if all of these hold, the IP packet is legal, otherwise the IP packet is illegal.
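The header walk described in steps S1 and S2 above, together with the pointer shift from the L2TP header to the PPP header and the inner-IP validity checks of the two preceding paragraphs, as an added example in C (the language the page names for the Linux implementation). This is illustrative code written for this page, not the patent's or the assignee's implementation: the L2TPv2 header layout follows RFC 2661, the PPP protocol number for IPv4 (0x0021) is the standard one, and the sample packets are constructed by hand. The MAC address check is omitted because it applies to the outer Ethernet frame, which is not part of the UDP payload handled here; the class names and the `classify_l2tp` / `classify_bytes` functions are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PPP_PROTO_IPV4 0x0021

/* Classification of one L2TP packet (the UDP payload, starting at the L2TP header). */
enum l2tp_class {
    L2TP_CONTROL,       /* T bit set: control message, goes straight to policy/NAT (S5) */
    L2TP_DATA_IP_OK,    /* data message whose PPP payload is a legal inner IPv4 packet (S3) */
    L2TP_DATA_NOT_IP,   /* data message whose PPP payload is not IP (S5) */
    L2TP_DATA_IP_BAD,   /* data message whose inner IP packet failed the validity checks (S5) */
    L2TP_MALFORMED      /* truncated header or unknown version: not auditable */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement sum over an IPv4 header; 0 means the stored checksum is right. */
static uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2) sum += be16(hdr + i);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validity checks named by the page: version, IP header length, the length available in the
 * buffer (the page's skb length) against the header's total length, and the checksum. */
static int ipv4_is_legal(const uint8_t *ip, size_t avail)
{
    if (avail < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > avail) return 0;
    uint16_t tot_len = be16(ip + 2);
    if (tot_len < ihl || tot_len > avail) return 0;
    return ipv4_header_checksum(ip, ihl) == 0;
}

/* Walk the L2TPv2 header (RFC 2661), shift to the PPP header and classify the packet. On
 * L2TP_DATA_IP_OK, *inner and *inner_len describe the inner IP packet to extract (S06). */
enum l2tp_class classify_l2tp(const uint8_t *pkt, size_t len,
                              const uint8_t **inner, size_t *inner_len)
{
    if (len < 6) return L2TP_MALFORMED;
    uint16_t flags = be16(pkt);
    if ((flags & 0x000F) != 2) return L2TP_MALFORMED;      /* version must be 2 */
    if (flags & 0x8000) return L2TP_CONTROL;               /* T bit: control message */
    size_t off = 2;
    if (flags & 0x4000) {                                  /* L bit: Length field present */
        if (len < 4) return L2TP_MALFORMED;
        uint16_t l2tp_len = be16(pkt + 2);
        if (l2tp_len < 6 || l2tp_len > len) return L2TP_MALFORMED;
        len = l2tp_len; off += 2;                          /* trust the tighter bound */
    }
    off += 4;                                              /* Tunnel ID, Session ID */
    if (flags & 0x0800) off += 4;                          /* S bit: Ns, Nr */
    if (flags & 0x0200) {                                  /* O bit: Offset Size + padding */
        if (len < off + 2) return L2TP_MALFORMED;
        off += 2 + be16(pkt + off);
    }
    if (off > len) return L2TP_MALFORMED;
    /* PPP header: optional Address/Control (FF 03), then a 2-byte (or PFC 1-byte) protocol. */
    const uint8_t *ppp = pkt + off;
    size_t rem = len - off;
    if (rem >= 2 && ppp[0] == 0xFF && ppp[1] == 0x03) { ppp += 2; rem -= 2; }
    if (rem < 1) return L2TP_MALFORMED;
    uint16_t proto;
    if (ppp[0] & 1) { proto = ppp[0]; ppp += 1; rem -= 1; }
    else { if (rem < 2) return L2TP_MALFORMED; proto = be16(ppp); ppp += 2; rem -= 2; }
    if (proto != PPP_PROTO_IPV4) return L2TP_DATA_NOT_IP;
    if (!ipv4_is_legal(ppp, rem)) return L2TP_DATA_IP_BAD;
    *inner = ppp; *inner_len = be16(ppp + 2);
    return L2TP_DATA_IP_OK;
}

/* Convenience wrapper that returns only the class. */
enum l2tp_class classify_bytes(const uint8_t *pkt, size_t len)
{
    const uint8_t *in; size_t n;
    return classify_l2tp(pkt, len, &in, &n);
}

/* Constructed sample packets (not captures): a data message carrying PPP/IPv4
 * 192.168.1.2 -> 10.0.0.1 with 8 payload bytes, the same with a corrupted IP checksum,
 * a data message carrying PPP LCP (not IP), and a control message (T, L, S bits set). */
const uint8_t SAMPLE_DATA_PKT[] = {
    0x40,0x02, 0x00,0x28, 0x00,0x01, 0x00,0x02,            /* L2TP: L bit, length 40, ids */
    0xFF,0x03, 0x00,0x21,                                  /* PPP: addr/ctrl, proto IPv4 */
    0x45,0x00,0x00,0x1C, 0x00,0x01,0x00,0x00, 0x40,0x11,0xAF,0x25,
    0xC0,0xA8,0x01,0x02, 0x0A,0x00,0x00,0x01,
    0x00,0x35,0x00,0x35, 0x00,0x08,0x00,0x00 };
const uint8_t SAMPLE_BAD_CSUM_PKT[] = {
    0x40,0x02, 0x00,0x28, 0x00,0x01, 0x00,0x02, 0xFF,0x03, 0x00,0x21,
    0x45,0x00,0x00,0x1C, 0x00,0x01,0x00,0x00, 0x40,0x11,0xAF,0x24,   /* checksum off by one */
    0xC0,0xA8,0x01,0x02, 0x0A,0x00,0x00,0x01, 0x00,0x35,0x00,0x35, 0x00,0x08,0x00,0x00 };
const uint8_t SAMPLE_LCP_PKT[] = {
    0x40,0x02, 0x00,0x10, 0x00,0x01, 0x00,0x02, 0xFF,0x03, 0xC0,0x21, 0x01,0x01,0x00,0x04 };
const uint8_t SAMPLE_CONTROL_PKT[] = {
    0xC8,0x02, 0x00,0x0C, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00 };

int main(void)
{
    const uint8_t *in; size_t n;
    enum l2tp_class c = classify_l2tp(SAMPLE_DATA_PKT, sizeof SAMPLE_DATA_PKT, &in, &n);
    printf("data packet: class %d, inner IP total length %zu\n", (int)c, c == L2TP_DATA_IP_OK ? n : 0);
    printf("bad checksum: class %d, lcp: class %d, control: class %d\n",
           (int)classify_bytes(SAMPLE_BAD_CSUM_PKT, sizeof SAMPLE_BAD_CSUM_PKT),
           (int)classify_bytes(SAMPLE_LCP_PKT, sizeof SAMPLE_LCP_PKT),
           (int)classify_bytes(SAMPLE_CONTROL_PKT, sizeof SAMPLE_CONTROL_PKT));
    return 0;
}
```

Every branch that returns before the inner IP packet is reached corresponds to the page's "execute step S5" path (control message, non-IP PPP payload, illegal IP packet), and the truncation checks before each field read are what keep the pointer shift from the L2TP header to the PPP header from running past the buffer the skb actually holds.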
Preferably, the auditing method for the L2TP protocol further includes searching a session in a session table according to a five-tuple of the IP packet to determine whether the session is established, discarding the L2TP packet if the session is established and a blocking flag exists, marking the blocking flag on the session corresponding to the L2TP packet, and ending the flow.
In specific implementation, user identification is executed on a new message, including the steps of creating a user object according to a new message source IP, associating a session to the user object, and updating message statistics of each user; the new message is completely analyzed, including the new message is sent to an application engine, the message is completely analyzed by the engine, and the message is classified and marked by combining a feature library, so that the subsequent services such as application control, intrusion prevention, virus protection and the like are facilitated;
the application engine is a module in the Dplane, and when the message is matched with the application strategy, the message is sent to the application engine; the application engine distributes the message to a corresponding sub-module for processing according to the high-level protocol of the message; extracting key information of a corresponding protocol by the sub-module, and then recording an audit log, or determining whether the message is continuously forwarded or discarded based on an application control strategy;
and carrying out application strategy matching on the new message, wherein the matching conditions comprise: user, interface, source address, destination address, application, service, for a packet matching a policy.
Example 2
The embodiment of the invention also provides an auditing method aiming at the L2TP protocol, which comprises the following steps:
step S01, checking whether the message is an L2TP message (a UDP message whose source/destination port is 1701), and if not, executing step S14;
step S02, if the checked message is an L2TP message, parsing the L2TP message header and checking whether the L2TP message is a control message; if so, executing step S14, and if not, the L2TP message is a data message;
step S03, the pointer pointing to the L2TP message head is shifted to the PPP message head, the PPP message head is analyzed, whether the PPP message head load is an IP message is checked, if the PPP message head load is not the IP message, the step S14 is executed, otherwise, the step S04 is executed;
step S04, the pointer is shifted to the IP message head, then the legitimacy check is carried out to the IP message (inner layer), if the legitimacy check is successful, the step S05 is executed, otherwise, the step S14 is executed;
step S05, according to the quintuple of the IP message, searching the conversation in the conversation table, if the conversation is established and has a blocking mark, executing step S15, otherwise executing step S06;
s06, extracting an inner layer message from the L2TP message to form a new message;
step S07, if the session is established and no blocking mark exists, associating the new message to the session, updating the aging time, and executing step S09; otherwise (no session corresponding to the new message exists), executing step S08;
step S08, a session is newly established according to the new message quintuple, the session is added into the session table, and the new message is associated to the session;
step S09, executing user identification to the new message, including creating a new user object according to the new message source IP, associating the session to the user object, and updating the message statistics of each user;
step S10, sending the new message to an application engine, completely analyzing the message by the engine, and classifying and marking the new message by combining with a feature library; so as to facilitate subsequent services such as application control, intrusion prevention, virus protection and the like;
step S11, matching the application strategy of the new message, wherein the matching conditions comprise user, interface, source address, destination address, application and service (the application and service are identified in step S10);
step S12, updating flow statistic information;
step S13, deleting the new message (if the new message is cached by the application engine, the engine is responsible for deleting the new message);
step S14, for the message matching with the strategy, judging whether the strategy action is blocking, if the strategy action is blocking, executing step S16, otherwise, executing step S15;
s15, performing source NAT on the original L2TP message, then sending a packet, and ending the flow;
and step S16, discarding the original L2TP message, marking a blocking mark on the corresponding session of the original L2TP message (the subsequent message directly loses the packet and the process does not need to be carried out), and ending the process.
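The session-table part of the procedure above (steps S05, S07, S08 and S14 to S16, plus the five-tuple lookup and aging-time update described in embodiment 1), as an added example in C. It is illustrative code written for this page, not the patent's or the assignee's implementation: the fixed-size table, the 300-second aging time and the `audit_inner_packet` / `session_lookup` / `session_create` names are this example's assumptions, and the policy outcome of steps S09 to S13 is passed in as a flag rather than computed. Where the page's own steps differ on what happens to a packet whose session already carries the blocking mark, the code follows claim 4 and embodiment 1 and drops it without further analysis.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_SESSIONS 64
#define SESSION_AGING_SECONDS 300   /* assumed aging time; the page names no value */

struct five_tuple {
    uint32_t saddr, daddr;          /* inner IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint8_t  proto;
};

struct session {
    struct five_tuple key;
    int      in_use;
    int      blocked;               /* the page's "blocking mark" */
    uint64_t expires_at;            /* aging time, refreshed by every associated packet */
};

struct session_table { struct session slots[MAX_SESSIONS]; };

enum audit_verdict {
    VERDICT_FORWARD,                /* step S15: source NAT and send the original packet */
    VERDICT_DROP_POLICY,            /* step S16: policy action is block; session marked */
    VERDICT_DROP_BLOCKED_SESSION    /* claim 4: session already carries the blocking mark */
};

static int tuple_eq(const struct five_tuple *a, const struct five_tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport && a->proto == b->proto;
}

void session_table_init(struct session_table *t) { memset(t, 0, sizeof *t); }

/* Step S05: search the session table by five-tuple. Aged-out entries count as absent. */
struct session *session_lookup(struct session_table *t, const struct five_tuple *k, uint64_t now)
{
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = &t->slots[i];
        if (!s->in_use) continue;
        if (s->expires_at <= now) { s->in_use = 0; continue; }   /* aged out: free the slot */
        if (tuple_eq(&s->key, k)) return s;
    }
    return NULL;
}

/* Step S08: create a session from the new packet's five-tuple and add it to the table. */
struct session *session_create(struct session_table *t, const struct five_tuple *k, uint64_t now)
{
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = &t->slots[i];
        if (s->in_use) continue;
        s->key = *k; s->in_use = 1; s->blocked = 0;
        s->expires_at = now + SESSION_AGING_SECONDS;
        return s;
    }
    return NULL;                    /* table full: packet is handled without a session */
}

size_t session_count(struct session_table *t, uint64_t now)
{
    size_t n = 0;
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        if (t->slots[i].in_use && t->slots[i].expires_at > now) n++;
    return n;
}

/* Steps S05..S08 and S14..S16 for one extracted inner IP packet with five-tuple k.
 * policy_blocks stands in for the outcome of application policy matching (S11/S14). */
enum audit_verdict audit_inner_packet(struct session_table *t, const struct five_tuple *k,
                                      uint64_t now, int policy_blocks)
{
    struct session *s = session_lookup(t, k, now);
    if (s && s->blocked)
        return VERDICT_DROP_BLOCKED_SESSION;            /* no analysis for a marked session */
    if (s)
        s->expires_at = now + SESSION_AGING_SECONDS;    /* S07: refresh the aging time */
    else
        s = session_create(t, k, now);                  /* S08: new session */
    /* S09..S13 (user identification, engine analysis, policy matching, statistics)
     * would run on the inner packet here; only the policy outcome is modelled. */
    if (policy_blocks) {
        if (s) s->blocked = 1;                          /* S16: mark the session */
        return VERDICT_DROP_POLICY;
    }
    return VERDICT_FORWARD;                             /* S15 */
}

/* Constructed scenario: forward, then block, then the marked session short-circuits,
 * then the session ages out and a fresh one is created. Returns 1 if every step matched. */
int demo_scenario(void)
{
    struct session_table t; session_table_init(&t);
    struct five_tuple k = { 0xC0A80102u, 0x0A000001u, 40000, 80, 6 };   /* 192.168.1.2 -> 10.0.0.1 */
    int ok = audit_inner_packet(&t, &k, 1000, 0) == VERDICT_FORWARD && session_count(&t, 1000) == 1;
    ok = ok && audit_inner_packet(&t, &k, 1001, 1) == VERDICT_DROP_POLICY;
    ok = ok && audit_inner_packet(&t, &k, 1002, 0) == VERDICT_DROP_BLOCKED_SESSION;
    ok = ok && audit_inner_packet(&t, &k, 1302, 0) == VERDICT_FORWARD;   /* aged out at 1301 */
    ok = ok && session_count(&t, 1302) == 1;
    return ok;
}

int main(void) { printf("scenario %s\n", demo_scenario() ? "ok" : "FAILED"); return 0; }
```

The point of the blocking mark is visible in the third call: once a policy decision has marked the session, later packets of the same five-tuple are dropped at the lookup, before user identification or engine analysis runs, which is what the page means by "the subsequent message directly loses the packet and the process does not need to be carried out". Aging matters for the same reason in reverse: a mark must expire with its session, or a stale entry would keep dropping a later, unrelated flow that reuses the same five-tuple.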
It should be noted that, in an internet behavior management device, a packet forwarding flow is generally performed before L2TP message identification. The packet forwarding flow includes interface packet reception, layer-2 header parsing, interface traffic statistics, new session establishment, destination NAT and user identification; if the destination is identified as local, the packet is sent to the kernel, otherwise control policy matching and application identification (engine) are performed, and then the L2TP message is audited. The internet behavior management device aggregates terminal traffic and analyzes and controls it, for example web page access filtering, network application control, bandwidth traffic management, protocol auditing and user behavior analysis. The technical scheme can be implemented in C on a Linux system.
Example 3
The embodiment of the invention provides an auditing system aiming at an L2TP protocol, which comprises an L2TP message type judging module, a newly-built message module, a new message association module, a new message processing module, a packet sending module and a blocking marking module,
the L2TP message type determining module is configured to obtain an L2TP message, and determine whether the L2TP message is a control message or a data message;
the new message module is used for judging whether the PPP message header load of the L2TP message is an IP message, if so, judging whether the IP message is legal, and if the PPP message header load is the IP message and the IP message is legal, extracting an inner layer message from the L2TP message to form a new message under the condition that a session is established and no blocking mark exists or the session is not established;
the new message association module is used for associating the new message to the session under the condition that the session is established and no blocking mark exists, establishing a new session under the condition that the session is not established, and associating the new message to the newly established session;
the new message processing module is used for executing user identification on the new message, completely analyzing the new message, classifying and marking the new message by combining the characteristic library, performing application strategy matching on the new message, updating flow statistical information under the condition that the strategy action is not blocked, and then deleting the new message;
the packet sending module is configured to perform source NAT on the L2TP packet and then send a packet if the L2TP packet is a control packet, the PPP packet header load is not an IP packet, the IP packet is illegal, or the policy action is not blocked;
the blocking marking module is used for discarding the L2TP message and marking a blocking mark on the session corresponding to the L2TP message under the condition that the policy action is blocking.
Preferably, the newly-created message module includes an IP message determination unit, and the IP message determination unit is configured to determine whether a PPP message header load of the L2TP message is an IP message, and specifically includes shifting a pointer pointing to a header of the L2TP message to the header of the PPP message, analyzing the header of the PPP message, and checking whether the load of the header of the PPP message is an IP message.
Preferably, the newly-created message module further includes an IP message validity judging unit, where the IP message validity judging unit is configured to judge whether the IP message is valid, and specifically includes judging whether the version number of the IP message is correct, whether the length of the IP header is correct, whether the length stored in the skb is consistent with the length set by the IP header, whether the source MAC address and the destination MAC address are both non-zero, and whether the checksum is correct, if yes, the IP message is valid, and if not, the IP message is invalid.
Preferably, the auditing system for the L2TP protocol further includes a session establishment determination module, where the session establishment determination module is configured to search a session in a session table according to a quintuple of the IP packet to determine whether the session is established; the blocking mark module is further configured to discard the L2TP packet and mark a blocking mark on the session corresponding to the L2TP packet, when the session is established and the blocking mark exists.
It should be noted that the non-repeated descriptions of examples 1 to 3 can be referred to each other.
The invention discloses an auditing method and system aiming at an L2TP protocol, wherein the method comprises the steps of judging whether an L2TP message is a control message or a data message by acquiring an L2TP message; judging whether PPP message header load of the L2TP message is an IP message, if so, judging whether the IP message is legal, if so, extracting an inner layer message from the L2TP message to form a new message under the condition that a session is established and no blocking mark exists or the session is not established;
under the condition that the session is established and no blocking mark exists, the new message is associated to the session, under the condition that the session is not established, the session is newly established, and the new message is associated to the newly established session; executing user identification on the new message, completely analyzing the new message, classifying and marking the new message by combining with a feature library, performing application strategy matching on the new message, updating flow statistical information under the condition that the strategy action is not blocked, and then deleting the new message; under the conditions that the L2TP message is a control message, the PPP message header load is not an IP message, the IP message is illegal or a new message is deleted, performing source NAT on the L2TP message, and then sending a packet;
the header of the L2TP message and the header of the PPP message are stripped, and the packaged original message (inner layer message) is sent to an engine, so that an accurate audit result of the L2TP message is obtained;
the technical scheme of the invention extracts the inner layer message from the L2TP message, and executes key business related to audit aiming at the new message, wherein the key business comprises the following steps: session creation, user identification, application strategy matching and application identification, and aims to acquire key information of an inner layer message and store an audit log in an application engine, and discard the audit log without participating in forwarding after the audit is completed; the method can accurately audit the message in the tunnel.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention. Any other corresponding changes and modifications made according to the technical idea of the present invention should be included in the protection scope of the claims of the present invention.

Claims (8)

1. An auditing method for an L2TP protocol, comprising the steps of:
step S1, obtaining an L2TP message and judging whether the L2TP message is a control message or a data message; if it is a control message, executing step S5, and if it is a data message, executing step S2;
step S2, judging whether the PPP message header load of the L2TP message is an IP message, if so, judging whether the IP message is legal, if the PPP message header load is the IP message and the IP message is legal, extracting an inner layer message from the L2TP message to form a new message under the condition that a session is established and no blocking mark exists or the session is not established, and executing step S3, if the PPP message header load is not the IP message or the IP message is illegal, executing step S5;
step S3, if the session is established and there is no blocking mark, associating the new message to the session; if the session is not established, establishing a new session and associating the new message to the newly established session;
step S4, executing user identification on the new message, completely analyzing the new message, classifying and marking the new message by combining the feature library, matching the application strategy of the new message, updating the flow statistical information, and then deleting the new message;
step S5, determining whether the policy action is blocked, if not, performing step S6, and if so, performing step S7;
step S6, performing source NAT on the L2TP message, then sending a packet, and ending the process;
and step S7, discarding the L2TP message, marking a blocking mark on the corresponding session of the L2TP message, and ending the process.
2. The auditing method for the L2TP protocol of claim 1, wherein the determining whether the PPP packet header payload of the L2TP packet is an IP packet specifically comprises shifting a pointer to the L2TP packet header to the PPP packet header, parsing the PPP packet header, and checking whether the payload of the PPP packet header is an IP packet.
3. The auditing method for the L2TP protocol of claim 1, wherein said determining whether an IP packet is legitimate specifically includes determining whether the IP packet version number is correct, whether the IP header length is correct, whether the length stored in the skb is consistent with the length set in the IP header, whether the source MAC address and the destination MAC address are both non-zero, and whether the checksum is correct; if all of these hold, the IP packet is legitimate, otherwise it is not legitimate.
4. The auditing method for L2TP protocol according to claim 1, further comprising looking up a session in a session table according to the quintuple of the IP packet to determine whether the session is established, discarding the L2TP packet if the session is established and there is a blocking flag, marking the blocking flag on the session corresponding to the L2TP packet, and ending the flow.
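The decapsulation and validity checks of steps S1 and S2 (claims 1 to 3, and the description of stripping the L2TP and PPP headers above), written out as an added example; this is not the patent's own code. It assumes L2TPv2 over UDP port 1701 with the RFC 2661 header layout and PPP framing, takes the source and destination MAC of the claim 3 check from the outer Ethernet header, reads the "stored length consistent with the IP header" check as the IP total length not exceeding the bytes actually present, and builds its own sample frames; every function name and sample address is the example's own.

```python
import struct

L2TP_PORT = 1701          # L2TPv2 over UDP, RFC 2661
PPP_PROTO_IPV4 = 0x0021   # PPP protocol number for IPv4

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; caller passes the header with the checksum zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def classify_l2tp(l2tp: bytes):
    """Step S1: return ('control', None) or ('data', bytes after the L2TP header).
    Flag word: T = control, L = length present, S = Ns/Nr present, O = offset present."""
    if len(l2tp) < 6:
        raise ValueError("short L2TP header")
    flags = struct.unpack("!H", l2tp[:2])[0]
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 header")
    if flags & 0x8000:
        return "control", None
    off = 2
    if flags & 0x4000:
        off += 2                       # Length
    off += 4                           # Tunnel ID + Session ID
    if flags & 0x0800:
        off += 4                       # Ns + Nr
    if flags & 0x0200:
        off += 2 + struct.unpack("!H", l2tp[off:off + 2])[0]  # Offset Size + padding
    return "data", l2tp[off:]

def ppp_payload(ppp: bytes):
    """Claim 2: move the pointer past the PPP header and return (protocol, payload).
    Accepts the optional HDLC address/control bytes FF 03 and protocol-field compression."""
    if ppp[:2] == b"\xff\x03":
        ppp = ppp[2:]
    if ppp[0] & 1:                     # odd first byte: one-byte (compressed) protocol
        return ppp[0], ppp[1:]
    return struct.unpack("!H", ppp[:2])[0], ppp[2:]

def ip_is_legal(ip: bytes, src_mac: bytes, dst_mac: bytes) -> bool:
    """Claim 3: version, header length, stored length, non-zero MACs, checksum.
    Assumption: 'stored length consistent with the IP header' is read as the IP
    total length not exceeding the bytes actually present."""
    if len(ip) < 20:
        return False
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(ip):
        return False
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len < ihl or total_len > len(ip):
        return False
    if src_mac == b"\x00" * 6 or dst_mac == b"\x00" * 6:
        return False
    zeroed = ip[:10] + b"\x00\x00" + ip[12:ihl]
    return ipv4_checksum(zeroed) == struct.unpack("!H", ip[10:12])[0]

def extract_inner(frame: bytes):
    """Step S2 on one Ethernet frame: Ethernet -> outer IPv4 -> UDP/1701 -> L2TP ->
    PPP -> inner IPv4. Returns (outcome, inner_ip) with outcome one of
    'control', 'not-ip', 'illegal-ip' (all of which go to step S5) or 'new-message'."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if frame[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    outer = frame[14:]
    if outer[9] != 17:
        raise ValueError("outer transport is not UDP")
    udp = outer[(outer[0] & 0x0F) * 4:]
    if L2TP_PORT not in struct.unpack("!HH", udp[:4]):
        raise ValueError("not L2TP on UDP/1701")
    kind, after = classify_l2tp(udp[8:])
    if kind == "control":
        return "control", None
    proto, inner = ppp_payload(after)
    if proto != PPP_PROTO_IPV4:
        return "not-ip", None
    if not ip_is_legal(inner, src_mac, dst_mac):
        return "illegal-ip", None
    return "new-message", inner

def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Constructed sample IPv4 packet with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def build_frame(inner: bytes, control: bool = False, ppp_proto: int = PPP_PROTO_IPV4) -> bytes:
    """Constructed sample frame: MACs 02.. -> 04.., outer 10.0.0.1 -> 10.0.0.2, UDP 1701."""
    if control:
        l2tp = struct.pack("!HHHHHH", 0xC802, 12, 1, 0, 0, 0)   # T, L, S set; v2; no AVPs
    else:
        ppp = b"\xff\x03" + struct.pack("!H", ppp_proto) + inner
        l2tp = struct.pack("!HHHH", 0x4002, 8 + len(ppp), 1, 7) + ppp  # L set; tunnel 1, session 7
    udp = struct.pack("!HHHH", 1701, 1701, 8 + len(l2tp), 0) + l2tp
    outer = build_ipv4(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 17, udp)
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + outer
```

A control message, a non-IP PPP payload (for instance an LCP frame) and a corrupted inner header all come back as an outcome other than `new-message`, which is exactly the set of cases the claim routes straight to the NAT-and-send path without auditing; only a well-formed inner IP packet is handed on as a new message.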
5. An auditing system for an L2TP protocol, characterized in that it comprises an L2TP message type judging module, a new message module, a new message association module, a new message processing module, a packet sending module and a blocking marking module, wherein
the L2TP message type determining module is configured to obtain an L2TP message, and determine whether the L2TP message is a control message or a data message;
the new message module is used for judging whether the PPP message header load of the L2TP message is an IP message, if so, judging whether the IP message is legal, and if the PPP message header load is the IP message and the IP message is legal, extracting an inner layer message from the L2TP message to form a new message under the condition that a session is established and no blocking mark exists or the session is not established;
the new message association module is used for associating the new message to the session under the condition that the session is established and no blocking mark exists, establishing a new session under the condition that the session is not established, and associating the new message to the newly established session;
the new message processing module is used for executing user identification on the new message, completely analyzing the new message, classifying and marking the new message by combining the feature library, matching the application strategy of the new message, updating the flow statistical information and then deleting the new message;
the packet sending module is configured to perform source NAT on the L2TP packet and then send a packet if the L2TP packet is a control packet, the PPP packet header load is not an IP packet, the IP packet is illegal, or the policy action is not blocked;
the blocking marking module is used for discarding the L2TP message and marking a blocking mark on the session corresponding to the L2TP message under the condition that the policy action is blocking.
6. The auditing system for the L2TP protocol of claim 6, wherein the new message module includes an IP message discrimination unit, the IP message discrimination unit is configured to determine whether the PPP message header payload of the L2TP message is an IP message, and specifically includes shifting a pointer to the L2TP message header to the PPP message header, parsing the PPP message header, and checking whether the PPP message header payload is an IP message.
7. The auditing system for the L2TP protocol of claim 6, wherein the new message module further includes an IP message validity determination unit, which is configured to determine whether an IP message is valid, and specifically includes determining whether the version number of the IP message is correct, whether the length of the IP header is correct, whether the length stored in the skb is consistent with the length set in the IP header, whether the source MAC address and the destination MAC address are both non-zero, and whether the checksum is correct; if all of these hold, the IP message is valid, otherwise it is not valid.
8. The auditing system for an L2TP protocol of claim 6, further comprising a session establishment discrimination module to look up a session in a session table according to a quintuple of an IP packet to determine whether a session has been established; the blocking mark module is further configured to discard the L2TP packet and mark a blocking mark on the session corresponding to the L2TP packet, when the session is established and the blocking mark exists.
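The session table, blocking mark and policy decision of steps S3 to S7 in claim 1, the five-tuple lookup of claims 4 and 8, and the blocking marking module of claims 5 and 8, modelled as an added example; this is not the patent's own code. The five-tuple key, the policy callback (standing in for user identification and application strategy matching), the rule that blocks destination port 23, and the sample inner packets are all constructed for the example, and source NAT plus packet sending is reduced to a `forward` result.

```python
import struct
from dataclasses import dataclass

@dataclass
class Session:
    """One entry of the session table keyed by the claim 4 five-tuple."""
    key: tuple
    blocked: bool = False        # the 'blocking mark' of claims 1, 4 and 8
    packets: int = 0
    octets: int = 0

def five_tuple(ip: bytes) -> tuple:
    """Claim 4 lookup key (src, dst, proto, sport, dport) from an inner IPv4 packet
    that step S2 has already validated."""
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    sport = dport = 0
    if proto in (6, 17) and len(ip) >= ihl + 4:     # only TCP and UDP carry ports
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (ip[12:16], ip[16:20], proto, sport, dport)

class AuditEngine:
    """Steps S3 to S7 of claim 1 over validated inner packets. The policy callback
    stands in for user identification plus application strategy matching (S4) and
    returns 'pass' or 'block'; source NAT and sending (S6) is reduced to 'forward'."""

    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}
        self.forwarded = 0
        self.dropped = 0

    def handle(self, inner: bytes) -> str:
        key = five_tuple(inner)
        sess = self.sessions.get(key)
        if sess is None:                      # S3: no session yet, create it and associate
            sess = self.sessions[key] = Session(key)
        elif sess.blocked:                    # claim 4: established and marked, discard
            self.dropped += 1
            return "drop"
        if self.policy(key) == "block":       # S5/S7: discard and set the blocking mark
            sess.blocked = True
            self.dropped += 1
            return "drop"
        sess.packets += 1                     # S4: statistics only when not blocked
        sess.octets += len(inner)
        self.forwarded += 1                   # S6: source NAT and send
        return "forward"

def make_inner(src: bytes, dst: bytes, proto: int, sport: int, dport: int) -> bytes:
    """Constructed 24-byte inner packet: IPv4 header plus the first four transport bytes
    (checksum not filled in, because validation happened in step S2)."""
    return (bytes([0x45, 0, 0, 24, 0, 0, 0, 0, 64, proto, 0, 0]) + src + dst
            + struct.pack("!HH", sport, dport))

def run_demo():
    """Constructed scenario: one allowed HTTPS flow and one flow the policy blocks."""
    engine = AuditEngine(policy=lambda key: "block" if key[4] == 23 else "pass")
    https = make_inner(b"\xc0\xa8\x01\x0a", b"\x0a\x00\x00\x05", 6, 40000, 443)
    telnet = make_inner(b"\xc0\xa8\x01\x0a", b"\x0a\x00\x00\x05", 6, 40001, 23)
    results = [engine.handle(p) for p in (https, https, telnet, telnet, https)]
    return engine, results
```

The second packet of the blocked flow is dropped by the session lookup alone, without re-running the policy: once the blocking mark is on the session, later packets of that five-tuple never reach the audit steps, which is the short-circuit claims 4 and 8 describe.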
CN202010364640.6A 2020-04-30 2020-04-30 Analysis method and system for L2TP protocol Active CN111614633B (en)
Publications (2)

Publication Number Publication Date
CN111614633A true CN111614633A (en) 2020-09-01
CN111614633B CN111614633B (en) 2022-03-08
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant