CN111953807B - Message identifier processing method and device and storage medium - Google Patents

Message identifier processing method and device and storage medium Download PDF

Info

Publication number
CN111953807B
CN111953807B
Authority
CN
China
Prior art keywords
message
nat
intranet
converted
messages
Prior art date
Legal status
Active
Application number
CN202010748730.5A
Other languages
Chinese (zh)
Other versions
CN111953807A (en
Inventor
王国利
刘松茹
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202010748730.5A
Publication of CN111953807A
Application granted
Publication of CN111953807B
Legal status: Active
Anticipated expiration

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • H04L61/2514Translation of Internet protocol [IP] addresses between local and global IP addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a message identifier processing method, device and storage medium, which are used to solve the technical problems that a message identifier word of an IP message easily causes information leakage in an external network and is easy to cause network attack. In the embodiment of the disclosure, after performing NAT conversion on an IP packet, the firewall device performs unified conversion on packet identification fields of the NAT-converted IP packets sent by different devices in the intranet, so that packet identifications of the IP packets forwarded to the extranet are uniformly encoded and increased progressively according to a rule, thereby preventing a network attacker or a malicious network information thief in the extranet from acquiring intranet information such as the number of intranet users by analyzing packet identifications of packets sent by the intranet users, and improving network security.

Description

Message identifier processing method and device and storage medium
Technical Field
The present disclosure relates to the field of network communication technologies, and in particular, to a method and an apparatus for processing a packet identifier, and a storage medium.
Background
At present, network terminals generally use private network addresses; an upstream operator performs Network Address Translation (NAT), translating the source address of each message into a public network address before the message reaches the external network.
An IP packet is the data unit transmitted at the network layer, also called an IP datagram. Its header carries a packet identification field (identification), hereinafter abbreviated IPID. The field is 16 bits wide; the IP protocol software maintains a counter in memory, increments it by 1 each time a datagram is generated, and assigns that value to the identification field. This identification is not a sequence number, however, since IP is a connectionless service and in-order reception of datagrams is not required. If there are multiple host users in the intranet, the IPID fields of the messages sent by each host increase according to that host's own counter. After the messages pass through the firewall device to the extranet, an attacker in the extranet can analyze the pattern of IPID changes in the messages to estimate how many hosts are in the intranet or to probe the intranet, which is detrimental to network security.
Disclosure of Invention
In view of this, the present disclosure provides a method, an apparatus, and a storage medium for processing a message identifier, which are used to solve the technical problem that the message identifier field of an IP message easily causes information leakage to an external network and easily invites network attack.
Based on an embodiment of the present disclosure, the present disclosure provides a method for processing a packet identifier, where the method is applied to a firewall device located in an intranet, and includes:
receiving IP messages sent by one or more devices in an intranet;
performing Network Address Translation (NAT) on the IP message to be forwarded to the external network;
and uniformly converting, according to a preset message identification conversion strategy, the message identification fields of the NAT-converted IP messages sent by different devices in the intranet.
Further, uniformly converting the message identification fields of the NAT-converted IP messages sent by different devices in the intranet according to the preset message identification conversion policy includes:
generating a new message identifier by a time function that outputs an increasing sequence of positive integers, and sequentially replacing the message identifier field of each IP message forwarded to the external network in the order in which the messages arrive.
Further, uniformly converting the message identification fields of the NAT-converted IP messages sent by different devices in the intranet according to the preset message identification conversion policy includes:
using the message identification value of the first NAT-converted IP message in the intranet as an initial value, and incrementing that initial value step by step to replace the message identification in each subsequent NAT-converted IP message.
Further, uniformly converting the message identification fields of the NAT-converted IP messages sent by different devices in the intranet according to the preset message identification conversion policy includes:
using the message length value of the first NAT-converted IP message in the intranet as an initial value, and replacing the message identifiers of all NAT-converted IP messages one by one by incrementing that initial value.
On the other hand, the present disclosure further provides a packet identifier processing apparatus, where the apparatus is applied to a firewall device located in an intranet, and the apparatus includes:
the receiving module is used for receiving IP messages sent by one or more devices in the intranet;
the NAT conversion module is used for carrying out NAT conversion on the IP message which needs to be forwarded to the external network;
and the message identifier replacement module is used for uniformly converting, according to a preset message identifier conversion strategy, the message identifier fields of the NAT-converted IP messages sent by different devices in the intranet.
Further, the message identifier replacing module generates a new message identifier by a time function that outputs an increasing sequence of positive integers, and sequentially replaces the message identifier field of each IP message forwarded to the external network in the order in which the messages arrive.
Further, the message identifier replacing module uses the message identifier value of the first NAT-converted IP message in the intranet as an initial value, and replaces the message identifiers in the subsequent NAT-converted IP messages one by increasing the initial value.
Further, the message identifier replacing module uses the message length value of the first NAT-converted IP message in the intranet as an initial value, and replaces the message identifiers of all NAT-converted IP messages one by increasing the initial value.
In accordance with an implementation of the present disclosure, a storage medium is further provided, on which a computer program is stored, which, when being executed by a processor, implements the functionality of the method steps of the aforementioned message identification processing method.
In the embodiment of the disclosure, after performing NAT conversion on an IP packet, the firewall device performs unified conversion on packet identification fields of the NAT-converted IP packets sent by different devices in the intranet, so that packet identifications of the IP packets forwarded to the extranet are uniformly encoded and increased progressively according to a rule, thereby preventing a network attacker or a malicious network information thief in the extranet from acquiring intranet information such as the number of intranet users by analyzing packet identifications of packets sent by the intranet users, and improving network security.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments of the present disclosure or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and other drawings can be obtained by those skilled in the art according to the drawings of the embodiments of the present disclosure.
Fig. 1 is a schematic networking diagram in an embodiment of the present disclosure;
fig. 2 is a flowchart illustrating steps of a message identifier processing method according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a message identifier processing apparatus according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a message identifier processing apparatus according to an embodiment of the present disclosure.
Detailed Description
The terminology used in the embodiments of the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the embodiments of the present disclosure. As used in the embodiments of the present disclosure, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. The term "and/or" as used in this disclosure is meant to encompass any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information in the embodiments of the present disclosure, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of embodiments of the present disclosure. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
Fig. 1 is a schematic networking diagram in an embodiment of the present disclosure, in which a user's terminal devices are connected to an external network server through an internal firewall or a forwarding device with a firewall function. Assume that 3 terminals in the user's internal network access the external network server through the firewall; when a terminal accesses the external network server, the IPID of each IP packet it sends is incremented according to that terminal's own counter. The inventor found through analysis that a network attacker or malicious network information thief in the external network can obtain internal network information, such as the number of internal network users, by analyzing the IPID field of the messages that internal network users send to the external network through the firewall. For example, by monitoring the pattern of IPID changes in the IP messages from the external network, the attacker can infer that the number of internal network users is 3, and the internal network information is exposed.
In order to solve the technical problem of potential safety hazard caused by intranet information exposure, an embodiment of the present disclosure provides a method for processing a packet identifier, fig. 2 is a flowchart of steps of the method, the method is applied to a firewall device located in an intranet, and the method includes:
step 201, receiving an IP message sent by one or more devices in an intranet;
in this step, the firewall device may receive a plurality of intranet device sending end IP messages. These IP messages may be addressed to other devices in the intranet or to the extranet.
Step 202, performing NAT conversion on the IP message which needs to be forwarded to the external network;
in this step, after receiving an IP packet sent by one or more terminal devices in the intranet, the firewall device performs a determination according to a destination address of the packet, and if it is determined that the IP packet needs to be forwarded to the intranet, it needs to perform NAT conversion from the intranet address to the public network address.
And 203, uniformly converting the message identification fields of the IP messages which are sent by different equipment in the intranet and are converted by the NAT according to a preset message identification conversion strategy.
In this step, the firewall may receive IP packets sent by multiple intranet devices to the extranet according to a time sequence, and particularly, in this step, the firewall device may use a preset packet identifier conversion policy to uniformly convert packet identifier fields of all IP packets forwarded to the outside, so that an attacker located in the extranet cannot acquire information of the intranet according to a monitored change rule of the packet identifiers of the IP packets.
In an embodiment of the present disclosure, the method for performing unified conversion on the packet identifier field of the IP packet forwarded to the extranet according to the preset packet identifier conversion policy may be one of the following methods, but is not limited to the following method:
the method I comprises the steps of generating new message identification by a time function of an output positive integer increasing sequence, and sequentially replacing the message identification field of each IP message forwarded to an external network according to the sequence of the messages.
For example, in an embodiment of the present disclosure, after performing NAT conversion on an IP address of a message, the IPID fields of the message are also sequentially ordered according to the sequence of performing NAT conversion on the message. Assuming that the time function is f (t), and t is the time of the moment when the message identifier is processed, outputting a positive integer value representing the current moment, and replacing the message identifier IPID in the message with the positive integer value. For example, the current timestamp can be obtained by a time function provided by the operating system to replace the message identifier. Suppose that a message 1, a message 2 and a message 3 after NAT conversion are received in sequence, the message 1 is sent by the terminal 1, the message 2 is sent by the terminal 2, and the message 3 is sent by the terminal 3. When receiving the message 1, the timestamp 1 of the current moment is obtained through the time function, the IPID of the message 1 is replaced by the timestamp 1, when receiving the message 2, the timestamp 2 of the current moment is obtained through the time function, the IPID of the message 2 is replaced by the timestamp 2, and the like.
And secondly, taking the message identification value of the first IP message subjected to NAT conversion in the intranet as an initial value, and gradually increasing the initial value to replace the message identification in the subsequent IP messages subjected to NAT conversion one by one.
And thirdly, the message length value of the first IP message converted by the NAT in the intranet is used as an initial value, and the initial value is used for gradually increasing the message identifiers of all the IP messages converted by the NAT one by one.
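The three conversion policies above, carried through on constructed packet headers so the effect on the external side can be checked, as an added example that is not code from the patent or from New H3C. It assumes plain 20-byte IPv4 headers without options and without payload, constructed private and public addresses (10.0.0.x, 198.51.100.1, 203.0.113.10), and a microsecond clock as the "time function" for policy 1; the patent fixes none of these. The header checksum is recomputed after every rewrite, since a NAT device that changes the Identification field without doing so emits packets that the next hop will drop.

```python
import ipaddress
import struct
import time
from typing import Callable, List, Optional, Tuple


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words.
    Over a header whose checksum field is already correct it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_valid(header: bytes) -> bool:
    ihl = (header[0] & 0x0F) * 4
    return ipv4_checksum(header[:ihl]) == 0


def build_ipv4_header(src: str, dst: str, ipid: int, total_length: int, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header (no options, no payload) for the sample traffic below."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ipid & 0xFFFF, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def ipid_of(header: bytes) -> int:
    return struct.unpack_from("!H", header, 4)[0]


def total_length_of(header: bytes) -> int:
    return struct.unpack_from("!H", header, 2)[0]


def _patch_header(header: bytes, offset: int, value: bytes) -> bytes:
    """Overwrite bytes at offset and recompute the header checksum."""
    ihl = (header[0] & 0x0F) * 4
    hdr = bytearray(header[:ihl])
    hdr[offset:offset + len(value)] = value
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + header[ihl:]


def nat_source(header: bytes, public_ip: str) -> bytes:
    """Step 202: source NAT from the private address to the firewall's public address."""
    return _patch_header(header, 12, ipaddress.IPv4Address(public_ip).packed)


class IpidRewriter:
    """Step 203: rewrite the Identification field of each NAT-translated packet in arrival order.
    "time"     - method 1: new id taken from an increasing time function
    "first_id" - method 2: first packet's own IPID is the initial value, then +1 per packet
    "length"   - method 3: first packet's Total Length is the initial value, then +1 per packet"""

    def __init__(self, policy: str, clock: Optional[Callable[[], int]] = None):
        if policy not in ("time", "first_id", "length"):
            raise ValueError("unknown policy: %s" % policy)
        self.policy = policy
        # Assumed clock: microseconds since the epoch; the patent does not fix the unit.
        self.clock = clock or (lambda: time.time_ns() // 1000)
        self.next_id: Optional[int] = None

    def rewrite(self, header: bytes) -> bytes:
        if self.policy == "time":
            new_id = self.clock()
        else:
            if self.next_id is None:
                self.next_id = ipid_of(header) if self.policy == "first_id" else total_length_of(header)
            new_id = self.next_id
            self.next_id += 1
        # The field is 16 bits wide, so the counter or timestamp wraps modulo 65536.
        return _patch_header(header, 4, struct.pack("!H", new_id & 0xFFFF))


# Constructed sample: three intranet hosts, each with its own per-host IPID counter, whose
# packets arrive at the firewall interleaved. Tuples are (source, per-host IPID, Total Length).
SAMPLE_TRAFFIC: List[Tuple[str, int, int]] = [
    ("10.0.0.1", 1000, 52), ("10.0.0.2", 5000, 60), ("10.0.0.3", 9000, 1500),
    ("10.0.0.1", 1001, 52), ("10.0.0.2", 5001, 60), ("10.0.0.3", 9001, 1500),
]
PUBLIC_IP = "198.51.100.1"        # constructed NAT address
EXTERNAL_SERVER = "203.0.113.10"  # constructed destination


def process_traffic(policy: str, clock: Optional[Callable[[], int]] = None) -> Tuple[List[int], bool]:
    """Run steps 201-203 over SAMPLE_TRAFFIC. Returns the IPIDs visible on the external side and
    whether every emitted header still carries a valid checksum."""
    rewriter = IpidRewriter(policy, clock)
    out_ids, valid = [], True
    for src, ipid, length in SAMPLE_TRAFFIC:
        pkt = build_ipv4_header(src, EXTERNAL_SERVER, ipid, length)  # step 201: packet received
        pkt = nat_source(pkt, PUBLIC_IP)                              # step 202: NAT conversion
        pkt = rewriter.rewrite(pkt)                                   # step 203: IPID rewrite
        out_ids.append(ipid_of(pkt))
        valid = valid and checksum_valid(pkt)
    return out_ids, valid


if __name__ == "__main__":
    print("per-host IPIDs before the firewall:", [t[1] for t in SAMPLE_TRAFFIC])
    for name in ("first_id", "length"):
        print(name, process_traffic(name))
```

Before the firewall the sample shows three interleaved counters (1000, 5000, 9000, 1001, ...); after method 2 or 3 the external side sees one run of consecutive values, which is the property the patent relies on. Two caveats the example makes visible: a timestamp truncated to 16 bits is neither strictly increasing nor collision-free across packets processed within the same clock tick, so method 1 needs a clock coarser than the packet rate or a tie-break; and fragments of one datagram must keep a common Identification value that is unique per source, destination and protocol while the datagram is in flight, which the rewriter above does not track, since the patent describes only unfragmented forwarding.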
Fig. 3 is a schematic structural diagram of a message identifier processing apparatus according to an embodiment of the present disclosure, and each functional module in the apparatus 300 may be implemented in a form of a software module or a hardware unit. The functions of the modules of the device 300 have corresponding relations with the steps in the message identifier processing method provided by the present disclosure. The apparatus 300 is applied to a firewall device located in an intranet, and the apparatus includes:
a receiving module 310, configured to receive an IP packet sent by one or more devices in an intranet;
the NAT conversion module 320 is used for performing NAT conversion on the IP packet to be forwarded to the external network;
the message identifier replacing module 330 is configured to perform unified translation on the message identifier fields of the IP messages that are sent by different devices in the intranet and are subjected to NAT translation according to a preset message identifier translation policy.
Based on an embodiment of the present disclosure, the message identifier replacing module 330 generates a new message identifier by a time function that outputs an increasing sequence of positive integers, and sequentially replaces the message identifier field of each IP message forwarded to the external network in the order in which the messages arrive.
Based on an embodiment of the present disclosure, the message identifier replacing module 330 uses the message identifier value of the first IP message undergoing NAT conversion in the intranet as an initial value, and replaces the message identifiers in the subsequent IP messages undergoing NAT conversion one by increasing the initial value.
Based on an embodiment of the present disclosure, the message identifier replacing module 330 uses the message length value of the first IP message subjected to NAT conversion in the intranet as an initial value, and replaces the message identifiers of all the IP messages subjected to NAT conversion one by increasing the initial value.
Fig. 4 is a schematic structural diagram of a message identifier processing apparatus according to an embodiment of the present disclosure, where the apparatus 400 includes: a processor 410 such as a Central Processing Unit (CPU), an internal bus 420, a network interface 440, and a computer-readable storage medium 430. Wherein the processor 410 and the computer-readable storage medium 430 can communicate with each other through an internal bus 420. The computer readable storage medium 430 may store a computer program provided by the present disclosure for implementing the message identification processing method, and when the computer program is executed by the processor 410, the functions of the steps of the method provided by the present disclosure can be implemented.
The above description is only an example of the present disclosure and is not intended to limit the present disclosure. Various modifications and variations of this disclosure will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

Claims (9)

1. A message identification processing method is characterized in that the method is applied to firewall equipment located in an intranet, and comprises the following steps:
receiving IP messages sent by one or more devices in an intranet;
performing Network Address Translation (NAT) on the IP message to be forwarded to the external network;
and uniformly converting, according to a preset message identification conversion strategy, the message identification fields of the NAT-converted IP messages sent by different devices in the intranet.
2. The method according to claim 1, wherein the method for uniformly converting the message identifier fields of the NAT-converted IP messages sent by different devices in the intranet according to the preset message identifier conversion policy comprises:
generating a new message identifier by a time function that outputs an increasing sequence of positive integers, and sequentially replacing the message identifier field of each IP message forwarded to the external network in the order in which the messages arrive.
3. The method according to claim 1, wherein the method for uniformly converting the message identifier fields of the NAT-converted IP messages sent by different devices in the intranet according to the preset message identifier conversion policy comprises:
the message identification value of the first IP message which is converted by the NAT in the intranet is used as an initial value, and the initial value is used for gradually increasing to replace the message identification in the subsequent IP messages which are converted by the NAT.
4. The method according to claim 1, wherein the method for uniformly converting the message identifier fields of the NAT-converted IP messages sent by different devices in the intranet according to the preset message identifier conversion policy comprises:
the message length value of the first IP message converted by the NAT in the internal network is used as an initial value, and the message identifiers of all the IP messages converted by the NAT are replaced one by increasing the initial value.
5. A message identification processing device is characterized in that the device is applied to firewall equipment located in an intranet, and the device comprises:
the receiving module is used for receiving IP messages sent by one or more devices in the intranet;
the NAT conversion module is used for carrying out NAT conversion on the IP message which needs to be forwarded to the external network;
and the message identifier replacement module is used for uniformly converting, according to a preset message identifier conversion strategy, the message identifier fields of the NAT-converted IP messages sent by different devices in the intranet.
6. The apparatus of claim 5,
the message identification replacing module generates a new message identification by a time function that outputs an increasing sequence of positive integers, and sequentially replaces the message identification field of each IP message forwarded to the external network in the order in which the messages arrive.
7. The apparatus of claim 5,
the message identification replacing module uses the message identification value of the first IP message which is converted by the NAT in the internal network as an initial value, and replaces the message identifications in the subsequent IP messages which are converted by the NAT one by increasing the initial value.
8. The apparatus of claim 5,
the message identification replacing module uses the message length value of the first NAT-converted IP message in the internal network as an initial value, and replaces the message identifications of all NAT-converted IP messages one by one by incrementing the initial value.
9. A storage medium on which a computer program is stored which, when being executed by a processor, carries out the functions of the method steps of the message identification processing method according to one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010748730.5A CN111953807B (en) 2020-07-30 2020-07-30 Message identifier processing method and device and storage medium

Publications (2)

Publication Number Publication Date
CN111953807A CN111953807A (en) 2020-11-17
CN111953807B true CN111953807B (en) 2022-02-22

Family

ID=73338572

Country Status (1)

Country Link
CN (1) CN111953807B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101980477A (en) * 2010-10-09 2011-02-23 北京星网锐捷网络技术有限公司 Method and device for detecting number of shadow users, and network equipment
CN102232288A (en) * 2011-04-15 2011-11-02 华为技术有限公司 Method and apparatus for network address translation
CN109067935A (en) * 2018-08-16 2018-12-21 深圳市风云实业有限公司 Packet message processing method and multi-core processor system
CN110769077A (en) * 2019-10-14 2020-02-07 新华三信息安全技术有限公司 Message processing method, device, network equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7564843B2 (en) * 2004-12-16 2009-07-21 International Business Machines Corporation Method, system and article for improved network performance by avoiding IP-ID wrap-arounds causing data corruption on fast networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant