CN112422577B - Method, device, server and storage medium for preventing original address spoofing attack - Google Patents


Info

Publication number: CN112422577B
Authority: CN (China)
Prior art keywords: address, addresses, credible, list, address list
Legal status: Active
Application number: CN202011338535.1A
Other languages: Chinese (zh)
Other versions: CN112422577A (en)
Inventor: 刘斐然
Current Assignee: Beijing ThreatBook Technology Co Ltd
Original Assignee: Beijing ThreatBook Technology Co Ltd
Priority date: 2020-11-25
Filing date: 2020-11-25
Publication date: 2021-12-24 (CN112422577B); the application CN112422577A was published 2021-02-26
Events: application filed by Beijing ThreatBook Technology Co Ltd; priority to CN202011338535.1A; publication of CN112422577A; application granted; publication of CN112422577B; legal status Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/69 Types of network addresses using geographic information, e.g. room number

Abstract

The invention discloses a method, a device, a server and a storage medium for preventing original (source) address spoofing attacks. The method comprises the following steps: when a user terminal initiates access through a browser, automatically extracting from that access the list of IP addresses involved in initiating it; judging whether each IP address in the list is a trusted IP address, where addresses judged to be local area network IP addresses or the user's own IP address are determined to be trusted, the remaining addresses in the list are judged by IP address reputation and IP address geographic location to determine whether they are trusted, and the trusted addresses so determined form a trusted IP address list; and, when the source IP address of an HTTP request is an address in the trusted IP address list, extracting the XFF field and detecting whether the XFF field is legal. The method processes traffic automatically, identifies the trusted IP address list automatically, and thereby prevents source address spoofing attacks.

Description

Method, device, server and storage medium for preventing original address spoofing attack
Technical Field
The present invention relates to the internet, and more particularly, to a method, apparatus, server, and storage medium for preventing an original address spoofing attack.
Background
In the internet field, when a user accesses a WEB server through a browser by way of an HTTP (HyperText Transfer Protocol) proxy or a load balancing server, an XFF field (also called the XFF header) is added to the HTTP request header. XFF is the abbreviation of X-Forwarded-For; it identifies the original IP (Internet Protocol) address of the client that reaches the WEB server through the HTTP proxy or load balancer. Colloquially, it is the IP address from which the browser accessed the web site.
Without XFF or a similar technique, every connection made through a proxy server would show only the proxy server's IP address and not the IP address from which the connection originated; such a proxy server effectively acts as an anonymizing service, and detecting and preventing malicious access becomes much harder when the original IP address of a connection is not available. The XFF field can itself be abused: an XFF spoofing attack modifies the X-Forwarded-For field of the HTTP header with a packet-capture-and-rewrite tool, a browser plug-in or similar, so as to disguise the visitor's IP address at the application layer.
The validity of the XFF field depends on the authenticity of the original IP address that the proxy server supplies, so effective use of the XFF field requires that the proxy server be trusted. Existing methods for preventing spoofing of the XFF field therefore typically configure a list of trusted devices, and only XFF values supplied by those devices are taken as the real visitor address; if the IP-layer source IP address is not in the trusted list, the XFF field is ignored. This method is poorly applicable because the trusted IP address list must be configured in advance, and when an enterprise uses CDN acceleration the approach becomes unusable in practice, because the set of trusted IP addresses changes too often.
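As an added illustration (example code written for this page, not part of the patent), the following Python shows the two behaviours described above: a naive server that believes the left-most X-Forwarded-For value whoever sent it, and the conventional fix of honouring the header only when the TCP peer is a pre-configured trusted proxy, walking the chain from the right so that entries the client itself inserted are discarded. The trusted proxy range 198.51.100.0/24 and the sample requests are constructed data for the demonstration.

```python
# Added example for this page; not code from the patent. Shows why a server
# must not believe X-Forwarded-For (XFF) unless the TCP peer is a trusted proxy.
import ipaddress

# Constructed trusted-proxy range (an assumption for the demo): the reverse
# proxies / load balancers that sit in front of the web server.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def _is_trusted_proxy(addr, proxies=TRUSTED_PROXIES):
    """True if addr is a syntactically valid IP inside one of the proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in proxies)


def naive_client_ip(remote_addr, xff):
    """Vulnerable: takes the left-most XFF entry, whoever sent it.

    A client that connects directly, or that sends its own XFF header through
    a proxy that appends rather than replaces, chooses its own 'source IP'."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def hardened_client_ip(remote_addr, xff, proxies=TRUSTED_PROXIES):
    """Honour XFF only when the peer is a trusted proxy, and walk the chain
    from the right: each trusted proxy appended the address it saw, so the
    right-most entry that is not itself a trusted proxy is the real client.
    Anything the client put in the header sits further left and is ignored."""
    if not xff or not _is_trusted_proxy(remote_addr, proxies):
        return remote_addr  # direct connection: header is untrusted, ignore it
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted_proxy(hop, proxies):
            continue  # an intermediate proxy of ours, keep walking left
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer address
    return remote_addr  # every hop was one of our proxies


# Constructed sample requests: (description, remote_addr, xff header or None).
SAMPLE_REQUESTS = [
    ("direct client, no header", "203.0.113.7", None),
    ("direct attacker forging an internal address", "203.0.113.7", "10.0.0.5"),
    ("client via trusted proxy", "198.51.100.10", "203.0.113.7"),
    ("attacker via trusted proxy, forged prefix", "198.51.100.10",
     "192.0.2.99, 203.0.113.7"),
    ("two of our proxies in the chain", "198.51.100.10",
     "203.0.113.7, 198.51.100.11"),
]


def compare(requests=SAMPLE_REQUESTS):
    """Return {description: (naive_result, hardened_result)} for each request."""
    return {d: (naive_client_ip(r, x), hardened_client_ip(r, x))
            for d, r, x in requests}


if __name__ == "__main__":
    for desc, (naive, hardened) in compare().items():
        print(f"{desc:45s} naive={naive:14s} hardened={hardened}")
```

The second and fourth sample requests are the attack: the naive parser reports 10.0.0.5 and 192.0.2.99, addresses the attacker chose, while the hardened parser reports the address the trusted proxy actually observed (or the peer address itself when no trusted proxy is involved). This is exactly the static-list scheme the background calls poorly applicable once CDN nodes, whose addresses change often, have to be in TRUSTED_PROXIES.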
Therefore, a solution is needed to automatically identify and create a trusted IP address list, so as to prevent the original address spoofing attack.
Disclosure of Invention
To address the technical problems in the prior art, the invention creates a trusted IP address list in real time to prevent original (source) address spoofing attacks.
In a first aspect, the present invention discloses a method for preventing original address spoofing attacks, characterized in that: when a user terminal initiates access through a browser, the list of IP addresses involved in initiating the access is extracted automatically from that access; whether each IP address in the list is a trusted IP address is judged, where addresses judged to be local area network IP addresses or the user's own IP address are determined to be trusted, the remaining addresses in the list are judged by IP address reputation and IP address geographic location to determine whether they are trusted, and the trusted addresses so determined form a trusted IP address list; and, when the source IP address of an HTTP request is an address in the trusted IP address list, the XFF field is extracted and checked for legality.
In an alternative embodiment, the method further comprises: when judging IP address reputation, using the ThreatBook (微步在线) offline IP address reputation database to judge whether the IP address is a content delivery network (CDN) IP address; when judging the geographic location, querying whether the IP address is in China; and regarding the remaining IP addresses in the list as trusted when they are judged to be CDN IP addresses in China, and as untrusted otherwise.
In an alternative embodiment, the method further comprises: when detecting whether the XFF field is legal, judging XFF fields carrying the IP addresses 8.8.8.8, 4.4.4.4 or 8.8.4.4 to be illegal.
In a second aspect, the present invention discloses an apparatus for preventing original address spoofing attacks, which is characterized in that:
a first extraction module, used to automatically extract, when a user terminal initiates access through a browser, the list of IP addresses involved in initiating that access; a judging module, used to judge whether each IP address in the list is a trusted IP address, where addresses judged to be local area network IP addresses or the user's own IP address are determined to be trusted, the remaining addresses are judged by IP address reputation and IP address geographic location to determine whether they are trusted, and the trusted addresses so determined form a trusted IP address list; and a second extraction module, used to extract the XFF field when the source IP address of an HTTP request is an address in the trusted IP address list and to detect whether the XFF field is legal.
In an alternative embodiment, the judging module is further used, when judging IP address reputation, to judge with the ThreatBook (微步在线) offline IP address reputation database whether the IP address is a content delivery network IP address; when judging geographic location, to query whether the IP address is in China; and to regard the remaining IP addresses in the list as trusted when they are judged to be content delivery network IP addresses in China, and as untrusted otherwise.
In an alternative embodiment, the second extraction module is further configured to consider XFF fields carrying the IP addresses 8.8.8.8, 4.4.4.4 or 8.8.4.4 as illegal when detecting whether the XFF field is legal.
In a third aspect, the invention discloses a server comprising a processor and a memory, the memory storing a computer program, the processor executing the computer program to implement the method of the first aspect.
In a fourth aspect, the present invention discloses a computer storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the method according to the first aspect.
Compared with the prior art, the embodiments of the invention have the following beneficial effect: the trusted IP address list is built in real time, which effectively prevents source address spoofing attacks.
Drawings
In the drawings, which are not necessarily drawn to scale, like reference numerals may describe similar components in different views. Like reference numerals having letter suffixes or different letter suffixes may represent different instances of similar components. The drawings illustrate various embodiments generally by way of example and not by way of limitation, and together with the description and claims serve to explain the disclosed embodiments. The same reference numbers will be used throughout the drawings to refer to the same or like parts, where appropriate. Such embodiments are illustrative, and are not intended to be exhaustive or exclusive embodiments of the present apparatus or method.
FIG. 1 shows a flow diagram of a method of preventing an original address spoofing attack according to the present invention;
fig. 2 shows a schematic structural diagram of an apparatus for preventing original address spoofing attacks according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
Furthermore, in the following detailed description, numerous specific details are set forth in order to provide a better understanding of the present invention. It will be understood by those skilled in the art that the present invention may be practiced without some of these specific details. In some instances, methods, procedures, components, and circuits that are well known to those skilled in the art have not been described in detail so as not to obscure the present invention.
Referring to fig. 1, a flow chart of a method for preventing an original address spoofing attack according to the invention is shown.
Step 101: when a user terminal initiates access through a browser, an IP address list for initiating the access is automatically extracted according to the access.
In actual network access there are two ways to obtain the requester's IP address from an HTTP request: from the Remote Address, or from X-Forwarded-For. The Remote Address is the remote address of the current HTTP request, i.e. the source address of the underlying connection, and therefore the IP address of the party that sent the request. If the requester forges the Remote Address it cannot receive the HTTP response, since the connection handshake and the response are sent to the forged address, so the forgery is pointless. The Remote Address therefore resists tampering by default, and when the HTTP request is not forwarded through a proxy server the Remote Address gives the user's real IP address.
On many large websites a user's HTTP request is forwarded through proxy servers such as a reverse proxy or a load balancer, and the Remote Address seen by the server is then the address of the reverse proxy or load balancer. The user's real IP address would be lost, which is why the HTTP extension header X-Forwarded-For exists: when a reverse proxy or load balancer forwards the user's HTTP request, it writes the user's real IP address into X-Forwarded-For so that the backend service can use it.
Common load balancing technologies include (1) DNS-based load balancing, (2) reverse-proxy load balancing (for example Apache + JK2 + Tomcat), and (3) NAT (Network Address Translation) based load balancing (for example Linux Virtual Server, LVS). In the NAT form, an address translation gateway maps each external connection to a different internal server address, so that hosts on the external network communicate with the server at the translated address, which achieves load balancing.
When a reverse proxy or load balancer forwards access, the server must reliably determine whether the IP address in the HTTP extension header XFF is real, that is, trustworthy, in order to decide whether to allow the corresponding IP address to access the Web server. Therefore, when the user terminal initiates access through the browser, the IP address list is extracted automatically from that access, so that the following step can judge whether each address is trusted.
Step 102: judging whether the IP address in the IP address list is a credible IP address, wherein the IP addresses which are judged to be the local area network IP address and the user own IP address in the IP address list are determined to be credible IP addresses, judging the IP address reputation and the IP address geographic position of the rest IP addresses in the IP address list to determine whether the IP addresses are credible IP addresses, and forming the determined credible IP addresses into a credible IP address list.
Specifically, after the IP address list has been extracted from the received traffic, each IP address in the list is judged. In general the judgment distinguishes the user's own IP address, local area network (LAN) IP addresses, content delivery network (CDN) IP addresses, and so on:
The user's own IP address is regarded as a trusted IP address.
All local area network addresses are likewise regarded as trusted. The specific network segments are:
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"172.16.0.0/12",
"192.0.0.0/24",
"192.0.2.0/24",
"192.31.196.0/24",
"192.52.193.0/24",
"192.88.99.0/24",
"192.168.0.0/16"
Note that this list contains the three RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) together with other IANA special-purpose ranges, for example 100.64.0.0/10 (shared address space for carrier-grade NAT), 192.0.2.0/24 (the TEST-NET-1 documentation range) and 192.88.99.0/24 (the former 6to4 relay anycast prefix); the loopback range 127.0.0.0/8 and the link-local range 169.254.0.0/16 are not in it.
The IP address reputation and geographic location of the remaining addresses are then judged. Reputation is looked up in the ThreatBook (微步在线) offline IP address reputation database, which decides whether the address belongs to a CDN; the geographic lookup decides whether the address is located in China. An address found to be a domestic CDN address is judged trusted:
If GeoData.IsAtCountry(IP, "china") && WeiBuOfflineIPReputation.Check(IP, "CDN")
    AddTrustIPList(IP)
end
Because CDN services are built and operated by many different companies, both domestic and foreign CDNs are in use in the domestic market. In China, domestic CDNs must complete the regulatory filing (备案) while foreign CDNs need not, so IP addresses belonging to foreign CDNs are all regarded as untrusted.
Step 103: and when the source IP address of the http request is the IP address in the trusted IP address list, extracting the XFF field, and detecting whether the XFF field is legal.
Specifically, when the source IP address of the client's HTTP request belongs to the trusted IP address list, the corresponding XFF field is extracted and checked for legality; XFF fields carrying the IP addresses 8.8.8.8, 4.4.4.4 or 8.8.4.4 are treated as illegal (8.8.8.8 and 8.8.4.4 are the addresses of Google Public DNS resolvers, not of browsing clients). When the source IP address is not in the trusted list, the XFF field is not consulted.
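As an added example for this page (not the patent's own code), the following Python implements steps 101 to 103 as described: candidate addresses are classified using the patent's list of network segments, the operator's own addresses, and two injected lookups standing in for the geographic database and the ThreatBook offline IP reputation database; the XFF field is then consulted only for requests whose source address is in the resulting trusted list, and the three addresses the patent names are rejected as illegal. The lookup stubs, their tables and all sample addresses are constructed assumptions, and the patent's "user's own IP address" is taken here to mean the operator's own egress addresses.

```python
# Added example for this page, not the patent's code. Automatic trusted-list
# construction (steps 101-102) and the XFF legality check (step 103).
import ipaddress
from typing import Callable, Iterable, Set

# Network segments the patent treats as local area network addresses.
LAN_SEGMENTS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
    "192.88.99.0/24", "192.168.0.0/16",
)]

# XFF values the patent declares illegal (step 103 / claim 2).
ILLEGAL_XFF = {"8.8.8.8", "4.4.4.4", "8.8.4.4"}


def is_lan(addr: str) -> bool:
    """True if addr parses and falls in one of the patent's LAN segments."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_SEGMENTS)


def build_trusted_list(
    candidates: Iterable[str],
    own_ips: Set[str],
    in_country: Callable[[str, str], bool],
    is_cdn: Callable[[str], bool],
    country: str = "china",
) -> Set[str]:
    """Step 102: own addresses and LAN addresses are trusted outright; every
    other address is trusted only if it is both located in `country` and
    classified as a CDN address by the reputation lookup."""
    trusted = set()
    for raw in candidates:
        try:
            addr = str(ipaddress.ip_address(raw.strip()))
        except ValueError:
            continue  # unparsable entry: never trusted
        if addr in own_ips or is_lan(addr):
            trusted.add(addr)
        elif in_country(addr, country) and is_cdn(addr):
            trusted.add(addr)  # domestic CDN node
    return trusted


def xff_is_legal(xff: str) -> bool:
    """Step 103: every hop must parse as an IP and none may be a listed
    illegal address; an empty header or empty hop is treated as illegal."""
    hops = [h.strip() for h in xff.split(",")]
    if any(not h for h in hops):
        return False
    for hop in hops:
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return False
        if hop in ILLEGAL_XFF:
            return False
    return True


def classify_request(remote_addr: str, xff, trusted: Set[str]) -> str:
    """Decide what to do with one request's XFF header."""
    if remote_addr not in trusted:
        return "xff-ignored"  # peer is not a trusted source: header is noise
    if xff is None:
        return "no-xff"
    return "xff-ok" if xff_is_legal(xff) else "xff-illegal"


# Constructed stand-ins for the geographic and reputation lookups (assumptions).
CONSTRUCTED_GEO = {"203.0.113.10": "china", "203.0.113.20": "china",
                   "198.51.100.5": "us"}
CONSTRUCTED_CDN_NODES = {"203.0.113.10", "198.51.100.5"}


def stub_in_country(addr: str, country: str) -> bool:
    return CONSTRUCTED_GEO.get(addr) == country


def stub_is_cdn(addr: str) -> bool:
    return addr in CONSTRUCTED_CDN_NODES


# Constructed candidate list as it might be extracted from incoming traffic.
CONSTRUCTED_CANDIDATES = ["10.1.2.3", "203.0.113.10", "203.0.113.20",
                          "198.51.100.5", "192.0.2.44", "203.0.113.99", "bogus"]
CONSTRUCTED_OWN_IPS = {"203.0.113.99"}


def demo() -> Set[str]:
    return build_trusted_list(CONSTRUCTED_CANDIDATES, CONSTRUCTED_OWN_IPS,
                              stub_in_country, stub_is_cdn)


if __name__ == "__main__":
    trusted = demo()
    print("trusted:", sorted(trusted))
    for peer, xff in [("203.0.113.10", "203.0.113.50"),
                      ("203.0.113.10", "8.8.8.8"),
                      ("203.0.113.20", "203.0.113.50")]:
        print(peer, xff, "->", classify_request(peer, xff, trusted))
```

With the constructed tables, 203.0.113.20 (in China but not a CDN node) and 198.51.100.5 (a CDN node outside China) are both left out of the trusted list, so their XFF headers are ignored, while the domestic CDN node 203.0.113.10 has its XFF honoured unless it carries one of the listed illegal addresses. Replacing the two stubs with real GeoIP and reputation lookups is the only change needed to run this against live traffic.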
Referring to fig. 2, a schematic structural diagram of an apparatus for preventing an original address spoofing attack according to the present invention is shown.
The apparatus 200 for preventing XFF field spoofing attacks according to the invention is located in a server, for example a WEB server, and comprises a first extraction module 201, a judging module 202 and a second extraction module 203.
The first extraction module 201 is configured to automatically extract, when a user terminal initiates access through a browser, the list of IP addresses involved in initiating that access.
The judging module 202 judges whether each IP address in the list is a trusted IP address: addresses judged to be local area network IP addresses or the user's own IP address are determined to be trusted, the remaining addresses in the list are judged by IP address reputation and IP address geographic location to determine whether they are trusted, and the trusted addresses so determined form a trusted IP address list.
In a further embodiment, the judging module 202 is further configured, when judging IP address reputation, to judge with the ThreatBook (微步在线) offline IP address reputation database whether the IP address is a content delivery network IP address; when judging geographic location, to query whether the IP address is in China; and to regard the remaining IP addresses in the list as trusted when they are judged to be content delivery network IP addresses in China, and as untrusted otherwise.
The second extraction module 203 is configured to extract the XFF field when the source IP address of an HTTP request is an address in the trusted IP address list, and to detect whether the XFF field is legal.
In a further embodiment, the second extraction module 203 is further configured to consider XFF fields carrying the IP addresses 8.8.8.8, 4.4.4.4 or 8.8.4.4 as illegal when detecting whether the XFF field is legal.
It should be appreciated that the structure of the apparatus 200 for preventing XFF field spoofing attacks in the above example is only one example provided by the embodiments of the invention; it may have more or fewer components than shown, may combine two or more components, or may arrange the components differently. For instance, a WEB server comprising a processor and a memory, the memory storing a computer program and the processor executing it, can implement the method of the invention for preventing an XFF field spoofing attack.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied in hardware or in software executed by a processor. The software instructions may consist of corresponding software modules stored in a Random Access Memory (RAM), a flash memory, a Read Only Memory (ROM), an Erasable Programmable ROM (EPROM), an Electrically Erasable Programmable ROM (EEPROM), a register, a hard disk, a removable hard disk, a compact disc Read Only Memory (CD-ROM), or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor.
The embodiments of the present invention have been described above. These examples are for illustrative purposes only and are not intended to limit the scope of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the invention, and such alternatives and modifications are intended to be within the scope of the disclosure.

Claims (6)

1. A method of preventing spoofing attacks on an original address, the method comprising:
when a user terminal initiates access through a browser, automatically extracting an IP address list initiating the access according to the access;
judging whether each IP address in the IP address list is a trusted IP address, wherein IP addresses in the list judged to be local area network IP addresses or the user's own IP address are determined to be trusted IP addresses, the IP address reputation and IP address geographic location of the remaining IP addresses in the list are judged to determine whether they are trusted IP addresses, and the trusted IP addresses so determined form a trusted IP address list;
when the source IP address of the HTTP request is an IP address in the trusted IP address list, extracting the XFF field and detecting whether the XFF field is legal;
wherein, when judging IP address reputation, an offline IP address reputation database is used to judge whether the IP address is a content delivery network IP address; when judging the geographic location of the IP address, whether the IP address is in China is queried; and the remaining IP addresses in the IP address list are regarded as trusted IP addresses when they are judged to be content delivery network IP addresses in China, and as untrusted IP addresses otherwise.
2. The method of claim 1, wherein, when detecting whether the XFF field is legal, XFF fields carrying the IP addresses 8.8.8.8, 4.4.4.4 or 8.8.4.4 are considered illegal.
3. An apparatus for preventing spoofing attacks on an original address, comprising:
a first extraction module, used to automatically extract, when a user terminal initiates access through a browser, the list of IP addresses involved in initiating that access;
a judging module, used to judge whether each IP address in the IP address list is a trusted IP address, wherein IP addresses in the list judged to be local area network IP addresses or the user's own IP address are determined to be trusted IP addresses, the IP address reputation and IP address geographic location of the remaining IP addresses in the list are judged to determine whether they are trusted IP addresses, and the trusted IP addresses so determined form a trusted IP address list;
a second extraction module, used to extract the XFF field when the source IP address of the HTTP request is an IP address in the trusted IP address list and to detect whether the XFF field is legal;
wherein the judging module is further used, when judging IP address reputation, to judge with an offline IP address reputation database whether the IP address is a content delivery network IP address; when judging the geographic location of the IP address, to query whether the IP address is in China; and to regard the remaining IP addresses in the IP address list as trusted IP addresses when they are judged to be content delivery network IP addresses in China, and as untrusted IP addresses otherwise.
4. The apparatus of claim 3, wherein the second extraction module is further configured to consider XFF fields carrying the IP addresses 8.8.8.8, 4.4.4.4 or 8.8.4.4 as illegal when detecting whether the XFF field is legal.
5. A server comprising a processor and a memory, the memory storing a computer program, the processor executing the computer program to implement the method of any of claims 1 to 2.
6. A computer storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the method according to any one of claims 1 to 2.
Application and family

Application number: CN202011338535.1A (priority date 2020-11-25, filing date 2020-11-25), granted as CN112422577B, status Active
Publications: CN112422577A (2021-02-26); CN112422577B (2021-12-24)
Family ID: 74843166
Country status: CN, CN112422577B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113794692B (en) * 2021-08-24 2023-06-27 杭州迪普科技股份有限公司 Attack tracing device, method and system and proxy link table learning device and method

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9674145B2 (en) * 2005-09-06 2017-06-06 Daniel Chien Evaluating a questionable network communication
US8195736B2 (en) * 2006-08-08 2012-06-05 Opnet Technologies, Inc. Mapping virtual internet protocol addresses
EP3142322B1 (en) * 2015-09-10 2018-04-25 Alcatel Lucent Auto configuration server and method
CN105306465B (en) * 2015-10-30 2019-01-18 新浪网技术(中国)有限公司 Web portal security accesses implementation method and device
CN106998371B (en) * 2016-01-25 2020-11-06 创新先进技术有限公司 Credible IP information judging method, IP information base updating method and device
CN107465651B (en) * 2016-06-06 2020-10-02 腾讯科技(深圳)有限公司 Network attack detection method and device
CN110324437B (en) * 2019-07-09 2020-08-21 中星科源(北京)信息技术有限公司 Original address transmission method, system, storage medium and processor
CN110636068B (en) * 2019-09-24 2022-01-28 杭州安恒信息技术股份有限公司 Method and device for identifying unknown CDN node in CC attack protection


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant