CN113890760B - Data packet processing method and device based on single packet authorization, electronic equipment and medium - Google Patents


Info

Publication number: CN113890760B
Authority: CN (China)
Prior art keywords: data packet, processed, address, authentication, spa
Legal status: Active
Application number: CN202111145955.2A
Other languages: Chinese (zh)
Other versions: CN113890760A (en)
Inventors: 梁坤磊, 李金国, 李梓瑜
Current Assignee: Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Legal events: application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202111145955.2A; publication of CN113890760A; application granted; publication of CN113890760B; status Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

The present disclosure relates to a data packet processing method, apparatus, electronic device and medium based on single packet authorization. The method comprises: matching the IP address of a data packet to be processed against the IP addresses in a blacklist subchain; discarding the data packet when it hits the blacklist subchain; when it does not hit the blacklist subchain, judging whether the data packet meets a preset SPA processing condition; and performing SPA authentication on the data packet when it meets the SPA processing condition. With this scheme, attack packets are directly discarded by blacklist-subchain filtering, so the SPA service is effectively protected from attack; among the data packets whose IP addresses do not match the blacklist subchain, only those meeting the SPA processing condition are passed on for SPA authentication, so the SPA service processes only qualifying data packets and the probability of blocking is effectively reduced.

Description

Data packet processing method and device based on single packet authorization, electronic equipment and medium
Technical Field
The present disclosure relates to the field of zero trust technologies, and in particular, to a method and an apparatus for processing a data packet based on single packet authorization, an electronic device, and a medium.
Background
From the perspective of network security, the more ports a server opens to the internet, the more vulnerable it is to attack, so the most effective measure in system security hardening is to open as few ports as possible. With Single Packet Authorization (SPA), the client sends the information about the access it requires to the server, and the server opens the corresponding port for the corresponding IP (Internet Protocol) address according to the received information.
In the related technology, the SPA service acquires data packets directly from the network card and parses and processes every captured packet, regardless of whether it is an SPA authentication packet. The SPA service therefore processes a large number of invalid data packets, and when network card traffic is heavy the packets tend to block; moreover, the current scheme provides no attack protection, so the SPA service is easily attacked.
Disclosure of Invention
In order to solve the technical problem or at least partially solve the technical problem, at least one embodiment of the present disclosure provides a data packet processing method and apparatus based on single packet authorization, an electronic device, and a medium.
In a first aspect, the present disclosure provides a data packet processing method based on single packet authorization, including:
acquiring a data packet to be processed;
matching the IP address of the data packet to be processed with the IP address in the blacklist subchain;
if the IP address of the data packet to be processed is consistent with the IP address in the blacklist subchain, discarding the data packet to be processed;
if the IP address of the data packet to be processed is inconsistent with the IP address in the blacklist subchain, judging whether the data packet to be processed meets a preset SPA processing condition;
and performing SPA authentication on the data packet to be processed under the condition that the data packet to be processed meets the SPA processing condition.
In a second aspect, the present disclosure provides a data packet processing apparatus based on single packet authorization, including:
the data packet acquisition module is used for acquiring a data packet to be processed;
the blacklist matching module is used for matching the IP address of the data packet to be processed with the IP address in the blacklist subchain;
the discarding module is used for discarding the data packet to be processed under the condition that the IP address of the data packet to be processed is consistent with the IP address in the blacklist subchain;
the judging module is used for judging whether the data packet to be processed meets the preset SPA processing condition or not under the condition that the IP address of the data packet to be processed is inconsistent with the IP address in the blacklist subchain;
and the SPA authentication module is used for performing SPA authentication on the data packet to be processed under the condition that the data packet to be processed meets the SPA processing condition.
In a third aspect, the present disclosure provides an electronic device, comprising: a processor and a memory; the processor is used for executing any one of the data packet processing methods based on single packet authorization provided by the embodiments of the present disclosure by calling a program or an instruction stored in the memory.
In a fourth aspect, the present disclosure provides a computer-readable storage medium, which stores a program or instructions, where the program or instructions cause a computer to execute any one of the data packet processing methods based on single packet authorization provided in the embodiments of the present disclosure.
In a fifth aspect, the present disclosure provides a computer program product, which is configured to execute any one of the data packet processing methods based on single packet authorization provided in the embodiments of the present disclosure.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has at least the following advantages:
in the embodiments of the disclosure, a to-be-processed data packet is acquired and its IP address is matched against the IP addresses in a blacklist sub-chain; if the IP address matches an IP address in the blacklist sub-chain, the data packet is discarded; if it does not, whether the data packet meets a preset SPA processing condition is further determined, and SPA authentication is performed on it when it does. With this technical scheme, to-be-processed data packets are filtered by the blacklist sub-chain and those matching an IP address in it are discarded, so attack packets are dropped directly and the SPA service is effectively protected from attack; among the data packets that do not match the blacklist sub-chain, those meeting the SPA processing condition are screened out for SPA authentication, so the SPA service need only process qualifying data packets, its processing load is reduced, and the probability of blocking is effectively reduced.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic flowchart of a data packet processing method based on single packet authorization according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of a data packet processing method based on single packet authorization according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a packet processing device based on single-packet authorization according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure can be more clearly understood, the present disclosure will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the embodiments described are only a few embodiments of the present disclosure, rather than all embodiments, and that specific embodiments described herein are merely illustrative of the present disclosure and are not limiting of the present disclosure, as features of embodiments and examples of the present disclosure may be combined with each other without conflict. All other embodiments derived by one of ordinary skill in the art from the described embodiments of the disclosure are intended to be within the scope of the disclosure.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
Fig. 1 is a schematic flowchart of a method for processing a data packet based on single packet authorization according to an embodiment of the present disclosure, where the method for processing a data packet based on single packet authorization may be executed by a device for processing a data packet based on single packet authorization according to an embodiment of the present disclosure, and the device for processing a data packet based on single packet authorization may be implemented by software and/or hardware, and may be integrated in a software-defined boundary product to complete a process of processing a data packet during single packet authorization.
As shown in fig. 1, the method for processing a data packet based on single packet authorization provided in the embodiment of the present disclosure may include the following steps:
S101, acquiring a data packet to be processed.
The to-be-processed data packet may be at least one data packet acquired from the network card, and each to-be-processed data packet carries a corresponding IP address.
S102, matching the IP address of the data packet to be processed with the IP address in the blacklist sub-chain.
The blacklist subchain is preset; each IP address in it may be added manually by an administrator or updated dynamically according to SPA authentication results. The hit rule of the blacklist subchain is to block access: a data packet hitting the blacklist subchain is directly discarded.
S103, if the IP address of the data packet to be processed is consistent with the IP address in the blacklist subchain, discarding the data packet to be processed.
In the embodiments of the disclosure, the IP address of an acquired to-be-processed data packet is matched against each IP address in the blacklist subchain. If the IP address of a to-be-processed data packet matches an IP address in the blacklist subchain, that is, the IP address is recorded in the blacklist subchain, the data packet is directly discarded and the client that sent it is blocked from accessing the server, so that received attack packets are filtered out and the SPA service is effectively protected from attack.
S104, if the IP address of the data packet to be processed is inconsistent with the IP address in the blacklist subchain, judging whether the data packet to be processed meets a preset SPA processing condition or not.
In the embodiment of the disclosure, for an obtained to-be-processed data packet, an IP address of the to-be-processed data packet is matched with each IP address in the blacklist sub-chain, and if the IP address of a certain to-be-processed data packet is not consistent with each IP address in the blacklist sub-chain, the to-be-processed data packet is considered not to be an attack packet, and whether the to-be-processed data packet meets a preset SPA processing condition is further determined.
The SPA processing condition may be preset according to the format requirements of SPA packets. For example, if the SPA packet format is a UDP (User Datagram Protocol) packet with port number 40, the SPA processing condition may be set to: port number 40 and packet type UDP. When the port to be accessed by the to-be-processed packet is 40 and its type is UDP, the packet is determined to meet the SPA processing condition.
S105, performing SPA authentication on the data packet to be processed under the condition that the data packet to be processed meets the SPA processing condition.
In the embodiment of the disclosure, when the to-be-processed data packet meets the preset SPA processing condition, the to-be-processed data packet is transmitted to the SPA service for SPA authentication, and the client is authorized to perform data access when the authentication is successful.
In the data packet processing method based on single packet authorization according to the embodiment, a data packet to be processed is acquired, an IP address of the data packet to be processed is matched with an IP address in a blacklist sub-chain, the data packet to be processed is discarded when the IP address of the data packet to be processed is consistent with the IP address in the blacklist sub-chain, whether the data packet to be processed meets a preset SPA processing condition is further judged when the IP address of the data packet to be processed is inconsistent with the IP address in the blacklist sub-chain, and SPA authentication is performed on the data packet to be processed under the condition that the data packet to be processed meets the SPA processing condition. By adopting the technical scheme, the data packets to be processed are filtered by utilizing the blacklist subchain, and the data packets to be processed matched with the IP address in the blacklist subchain are discarded, so that the attack message is directly discarded by filtering the blacklist subchain, and the SPA service is effectively contained and is not attacked; and for the data packets which are not matched with the IP addresses in the blacklist subchain, the data packets meeting the SPA processing conditions are screened out for SPA authentication, so that the SPA service only needs to process the data packets meeting the conditions, the processing pressure of the SPA service is reduced, and the blocking probability can be effectively reduced.
In a possible implementation manner of the embodiment of the present disclosure, under the condition that the SPA authentication of the data packet to be processed fails, the number of times of consecutive SPA authentication failures of the IP address of the data packet to be processed within a preset time period is counted; and adding the IP address of the data packet to be processed into the blacklist subchain under the condition that the times are greater than the threshold value of authentication failure times.
The preset time length may be preset, for example, set to 30 seconds, one minute, and the like; the threshold of the number of authentication failures may also be preset, for example, set to 3 times, 5 times, etc., which is not limited by the present disclosure.
In the embodiments of the disclosure, when a to-be-processed data packet meeting the SPA processing condition fails SPA authentication, the number of consecutive SPA authentication failures of its IP address within the preset time length is counted. Since the IP address of a client is usually fixed, the IP address can identify the client, so counting the consecutive SPA authentication failures of the IP address within a preset time period amounts to counting the consecutive SPA authentication failures of the corresponding client within a short time. If the number of consecutive SPA authentication failures of a client within the preset time length exceeds the authentication failure threshold, the IP address of the data packet is added to the blacklist subchain, updating it, and when that IP address sends a data packet again the packet is directly discarded by blacklist subchain matching. Dynamic updating of the blacklist subchain is thereby achieved.
Further, for an IP address added to the sub-chain of the blacklist due to authentication failure, timing may be started from when the IP address is added to the sub-chain of the blacklist, a timeout time is preset, and when a duration that the IP address exists in the sub-chain of the blacklist exceeds the preset timeout time, the IP address is removed from the sub-chain of the blacklist.
Optionally, before the number of consecutive SPA authentication failures of a certain IP address reaches the authentication failure number threshold, if the SPA authentication of a certain data packet carrying the IP address is successful, the number of consecutive SPA authentication failures of the IP address is cleared, and when the SPA authentication fails again, counting is restarted.
To improve the applicability of the scheme and identify an attacking client that uses dynamic IP addresses, the client may be identified by its unique identifier: a to-be-processed data packet carries the unique identifier of the client that sent it; when SPA authentication of a to-be-processed data packet fails, the unique identifier of the client is obtained from the packet and the number of consecutive SPA authentication failures of packets sent by that client within the preset time length is counted; when the number exceeds the authentication failure threshold, the unique identifier of the client is added to the blacklist sub-chain. The blacklist sub-chain may thus also contain client identifiers, and clients in the blacklist sub-chain are blocked from accessing the server.
In a possible implementation manner of the embodiment of the present disclosure, for a to-be-processed data packet that does not hit a blacklist sub-chain, before determining whether the to-be-processed data packet meets a preset SPA processing condition, an IP address of the to-be-processed data packet may be first matched with an IP address in an authentication release sub-chain; if the IP address of the data packet to be processed is consistent with the IP address in the authentication release sub-chain, releasing the data packet to be processed; and if the IP address of the data packet to be processed is not consistent with the IP address in the authentication release sub-chain, judging whether the data packet to be processed meets the SPA processing condition.
The authentication release subchain may be dynamically populated by the SPA service according to SPA authentication results. The initial authentication release subchain may be empty; at that point no to-be-processed data packet can match it, so whether the data packet meets the SPA processing condition is judged, SPA authentication is performed on packets meeting the condition, and the IP address of a packet whose SPA authentication succeeds is added to the authentication release subchain. The hit rule of the authentication release sub-chain is direct release, that is, a data packet hitting the authentication release sub-chain is released directly; release means the data packet is received and the client that sent it may access the server directly.
In the embodiment of the disclosure, for a to-be-processed data packet which does not hit a blacklist sub-chain, matching an IP address of the to-be-processed data packet with an IP address in an authentication release sub-chain, if the IP address of a certain to-be-processed data packet is consistent with a certain IP address in the authentication release sub-chain, determining that the to-be-processed data packet hits the authentication release sub-chain, and directly releasing the to-be-processed data packet; if the IP address of a certain data packet to be processed is inconsistent with each IP address in the authentication release sub-chain, judging that the data packet to be processed does not hit the authentication release sub-chain, and continuously judging whether the data packet to be processed meets the SPA processing condition. By arranging the authentication release sub-chain, the data packet hitting the authentication release sub-chain is directly released, the process of analyzing whether the data packet is an SPA authentication packet or not can be reduced, and the processing pressure of the SPA service is reduced.
Further, in a possible implementation manner of the embodiment of the present disclosure, the SPA authentication is performed on the to-be-processed packet that meets the SPA processing condition, and the IP address of the to-be-processed packet is added to the authentication release sub-chain in the case that the SPA authentication of the to-be-processed packet is successful. Therefore, dynamic updating of the authentication release sub-chain is achieved.
Optionally, in a possible implementation manner of the embodiment of the present disclosure, for an IP address added to the authentication release sub-chain due to successful authentication, timing may be started from when the IP address is added to the authentication release sub-chain, and a timeout time is preset, and when a duration that the IP address exists in the authentication release sub-chain exceeds the preset timeout time, the IP address is removed from the authentication release sub-chain.
In a possible implementation manner of the embodiment of the present disclosure, before the IP address of the to-be-processed data packet is matched with the IP address in the authentication release sub-chain, the IP address of the to-be-processed data packet may be matched with the IP address in the white list sub-chain; if the IP address of the data packet to be processed is consistent with the IP address in the white list subchain, the data packet to be processed is released; and if the IP address of the data packet to be processed is inconsistent with the IP address in the white list sub-chain, matching the IP address of the data packet to be processed with the IP address in the authentication release sub-chain.
The whitelist subchain may be set manually by an administrator and is used in scenarios where a service is accessed directly without SPA authentication. The hit rule of the whitelist subchain is direct release, that is, a to-be-processed data packet hitting the whitelist subchain is released directly and does not enter the subsequent flow of matching against the IP addresses in the authentication release subchain.
In the embodiment of the disclosure, for a to-be-processed data packet that does not hit a blacklist sub-chain, an IP address of the to-be-processed data packet is matched with an IP address in a whitelist sub-chain, if the IP address of a certain to-be-processed data packet is consistent with a certain IP address in the whitelist sub-chain, the to-be-processed data packet is released, and if the IP address of a certain to-be-processed data packet is inconsistent with each IP address in the whitelist sub-chain, the IP address of the to-be-processed data packet is continuously matched with an IP address in an authentication release sub-chain, and whether the to-be-processed data packet hits the authentication release sub-chain is determined. Therefore, the data packet hitting the white list sub-chain is released by setting the white list sub-chain, so that the flow of analyzing whether the data packet is the SPA authentication packet or not can be reduced, and the processing pressure of the SPA service is relieved.
In a possible implementation manner of the embodiment of the present disclosure, before the IP address of the to-be-processed data packet is matched with the IP address in the blacklist sub-chain, it may be determined whether the to-be-processed data packet hits a rule of a local traffic sub-chain, where the rule of the local traffic sub-chain is directly released if both a source address and a destination address of the data packet are local addresses; if the data packet to be processed hits the rule of the local flow subchain, releasing the data packet to be processed; and if the data packet to be processed does not hit the rule of the local flow sub-chain, matching the IP address of the data packet to be processed with the IP address in the blacklist sub-chain.
The local traffic subchain covers the host's own traffic. Its hit rule is: if both the source address and the destination address of a data packet are local addresses, the data packet is released directly. A to-be-processed data packet hitting the local traffic subchain is thus the host accessing its own traffic, and that traffic is released directly.
In the embodiment of the disclosure, for an obtained to-be-processed data packet, it may be determined first whether the to-be-processed data packet hits a rule of a local traffic subchain, that is, whether the to-be-processed data packet accesses a local traffic of the to-be-processed data packet (both a source address and a destination address are local addresses), and if the to-be-processed data packet hits the rule of the local traffic subchain, it is determined that the to-be-processed data packet is the local traffic, and the to-be-processed data packet is directly released; if the data packet to be processed does not hit the rule of the local flow subchain, the data packet to be processed is indicated to be not the local flow, the IP address of the data packet to be processed is continuously matched with the IP address in the blacklist subchain, and whether the data packet to be processed is an attack packet or not is judged. Therefore, the data packets to be processed which hit the rules of the local traffic subchain are directly released, and the subsequent judgment operation is executed only on the data packets which do not hit the rules of the local traffic subchain, so that the flow of analyzing whether the data packets are the SPA authentication packets or not can be reduced, and the processing pressure of the SPA service is reduced.
Fig. 2 is a schematic flow diagram of a data packet processing method based on single packet authorization according to a specific embodiment of the present disclosure, and as shown in fig. 2, when there is traffic entering, a gateway determines traffic related to the gateway from all the traffic, an SPA service obtains traffic flowing to the local from the gateway as traffic to be processed, and filters the traffic to be processed by using a preset filtering rule, and screens out traffic that is directly released, traffic that is discarded, and traffic that needs to be authenticated by the SPA service. Specifically, matching the traffic to be processed with a set hit rule of the local traffic sub-chain, where the hit rule of the local traffic sub-chain is to release the traffic itself (i.e., to directly release a packet whose source address and destination address are both local addresses), and if the traffic to be processed hits the rule of the local traffic sub-chain, receiving (releasing) the traffic; and if the traffic to be processed does not hit the rule of the local traffic subchain, continuing to match the traffic to be processed with the preset blacklist subchain, wherein the hit rule of the blacklist subchain is a blocking access (namely, discarding). If the traffic to be processed hits the blacklist subchain, namely the IP address of the traffic to be processed is consistent with the IP address in the blacklist subchain, discarding the traffic; if the traffic to be processed does not hit the blacklist subchain, namely the IP address of the traffic to be processed is inconsistent with each IP address in the blacklist subchain, continuing to match the traffic to be processed with the preset whitelist subchain, and directly releasing the hit rule of the whitelist subchain. 
If the traffic to be processed hits the whitelist subchain, i.e. its IP address matches an IP address in the whitelist subchain, it is received; if it does not hit the whitelist subchain, i.e. its IP address matches none of the IP addresses in the whitelist subchain, it is next matched against the preset authentication release subchain, whose hit rule is direct release. If the traffic hits the authentication release subchain, i.e. its IP address matches an IP address in that subchain, it is received; if it does not, i.e. its IP address matches none of the IP addresses in the authentication release subchain, it is next matched against the preset SPA processing subchain. The SPA processing subchain records the SPA processing conditions, and its hit rule is to put the traffic into a queue to be authenticated by the SPA service. If the traffic to be processed hits the SPA processing subchain, i.e. it satisfies the SPA processing condition, it is put into the queue for SPA authentication. In this embodiment, the blacklist subchain and the authentication release subchain may be populated manually by an administrator and may also be updated dynamically according to authentication results. For traffic that is authenticated successfully, the corresponding IP address may be added to the authentication release subchain with a timeout, and the IP address is removed from the authentication release subchain once the timeout expires.
For traffic that fails authentication, the number of consecutive authentication failures of the corresponding IP address within a preset time length may be counted; when the number of consecutive failures exceeds a certain threshold, the IP address is added to the blacklist subchain with a timeout, and it is removed from the blacklist subchain once the timeout expires. With the scheme provided by the disclosure, only data packets conforming to the SPA message format reach the SPA service, so the work of receiving packets and analyzing whether each is an SPA authentication packet is reduced, and the pressure on the SPA service is reduced. In addition, because the traffic to be processed is released or blocked according to the host's own traffic, blacklisted traffic, whitelisted traffic, already-released traffic and so on, the number of packets the SPA service must process is reduced on the one hand, and attack messages can be discarded directly by the blacklist subchain on the other, which effectively protects the SPA service from attack.
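The ordered subchains and the dynamic updates described above, as an added Python example that is not part of the patent and models the chains in memory; the class and parameter names, the timeout values, the default-deny branch for traffic that matches no subchain, and the check that stands in for "conforms to the SPA message format" are assumptions made for illustration:

```python
# Added example, not the patent's code: an in-memory model of the ordered sub-chains.
# Names, timeouts, the SPA format check and the default-deny branch are assumptions.
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

ACCEPT, DROP, QUEUE_SPA = "accept", "drop", "queue_spa"   # possible verdicts

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes

def looks_like_spa(pkt: Packet) -> bool:
    """Constructed stand-in for 'conforms to the SPA message format'."""
    return pkt.payload.startswith(b"SPA1") and len(pkt.payload) >= 20

class FilterChain:
    def __init__(self, local_addrs: Iterable[str], whitelist: Iterable[str],
                 release_timeout: float = 300.0, blacklist_timeout: float = 600.0,
                 fail_window: float = 60.0, fail_threshold: int = 3,
                 spa_condition: Callable[[Packet], bool] = looks_like_spa,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.local_addrs = set(local_addrs)         # local traffic sub-chain
        self.whitelist = set(whitelist)             # whitelist sub-chain (static)
        self.blacklist: Dict[str, float] = {}       # blacklist sub-chain: ip -> expiry
        self.auth_release: Dict[str, float] = {}    # auth release sub-chain: ip -> expiry
        self.failures: Dict[str, List[float]] = {}  # ip -> times of consecutive failures
        self.spa_queue: List[Packet] = []           # packets handed to the SPA service
        self.release_timeout, self.blacklist_timeout = release_timeout, blacklist_timeout
        self.fail_window, self.fail_threshold = fail_window, fail_threshold
        self.spa_condition, self.clock = spa_condition, clock

    def classify(self, pkt: Packet) -> str:
        now = self.clock()
        # Drop expired entries so timeouts take effect on the next packet.
        self.blacklist = {ip: e for ip, e in self.blacklist.items() if e > now}
        self.auth_release = {ip: e for ip, e in self.auth_release.items() if e > now}
        if pkt.src in self.local_addrs and pkt.dst in self.local_addrs:
            return ACCEPT                 # 1. local traffic: release directly
        if pkt.src in self.blacklist:
            return DROP                   # 2. blacklisted source: discard
        if pkt.src in self.whitelist:
            return ACCEPT                 # 3. whitelisted source: release
        if pkt.src in self.auth_release:
            return ACCEPT                 # 4. already authenticated: release
        if self.spa_condition(pkt):
            self.spa_queue.append(pkt)
            return QUEUE_SPA              # 5. SPA-shaped packet: queue for authentication
        return DROP                       # assumption: default deny for unmatched traffic

    def record_auth_result(self, src: str, success: bool) -> None:
        """Feed the SPA service's verdict back into the dynamic sub-chains."""
        now = self.clock()
        if success:
            self.auth_release[src] = now + self.release_timeout
            self.failures.pop(src, None)            # the failure streak is broken
            return
        recent = [t for t in self.failures.get(src, []) if now - t <= self.fail_window]
        recent.append(now)
        self.failures[src] = recent
        if len(recent) > self.fail_threshold:       # more than the allowed consecutive failures
            self.blacklist[src] = now + self.blacklist_timeout
            self.failures.pop(src, None)

def run_demo() -> List[str]:
    """Walk a constructed packet sequence through the chain under a manual clock."""
    now = [0.0]
    chain = FilterChain({"10.0.0.1"}, {"10.0.0.50"}, fail_threshold=2,
                        release_timeout=300, clock=lambda: now[0])
    spa = Packet("203.0.113.7", "10.0.0.1", b"SPA1" + b"\x00" * 16)   # constructed
    plain = Packet("203.0.113.7", "10.0.0.1", b"GET / HTTP/1.1")      # constructed
    out = [chain.classify(Packet("10.0.0.1", "10.0.0.1", b"")),   # local traffic
           chain.classify(Packet("10.0.0.50", "10.0.0.1", b"")),  # whitelisted
           chain.classify(plain),                                  # unknown and not SPA-shaped
           chain.classify(spa)]                                    # queued for SPA authentication
    chain.record_auth_result(spa.src, True)
    out.append(chain.classify(plain))   # released while the auth release entry is valid
    now[0] += 301
    out.append(chain.classify(plain))   # auth release entry has timed out
    for _ in range(3):
        chain.record_auth_result(spa.src, False)
    out.append(chain.classify(spa))     # blacklisted after 3 > 2 consecutive failures
    return out
```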
In order to implement the above embodiments, the present disclosure further provides a data packet processing apparatus based on single packet authorization.
Fig. 3 is a schematic structural diagram of a data packet processing apparatus based on single packet authorization according to an embodiment of the present disclosure; the apparatus may be implemented in software and/or hardware and may be integrated into a software-defined perimeter (SDP) product.
As shown in Fig. 3, the data packet processing apparatus 20 based on single packet authorization provided by the embodiment of the present disclosure may include: a data packet acquisition module 210, a blacklist matching module 220, a discarding module 230, a determining module 240 and an SPA authentication module 250.
The data packet acquisition module 210 is configured to acquire a data packet to be processed;
the blacklist matching module 220 is configured to match the IP address of the to-be-processed data packet with the IP addresses in the blacklist subchain;
the discarding module 230 is configured to discard the to-be-processed data packet when the IP address of the to-be-processed data packet is consistent with an IP address in the blacklist subchain;
the determining module 240 is configured to determine whether the to-be-processed data packet meets a preset SPA processing condition when the IP address of the to-be-processed data packet is inconsistent with the IP addresses in the blacklist subchain;
the SPA authentication module 250 is configured to perform SPA authentication on the to-be-processed data packet if the to-be-processed data packet meets the SPA processing condition.
In a possible implementation manner of the embodiment of the present disclosure, the data packet processing apparatus 20 based on single packet authorization further includes:
the statistical module is used for counting the number of times of continuous SPA authentication failure of the IP address of the data packet to be processed within a preset time length under the condition that the SPA authentication of the data packet to be processed fails;
and the blacklist updating module is used for adding the IP address of the data packet to be processed to the blacklist sub-chain under the condition that the times are greater than the threshold value of authentication failure times.
In a possible implementation manner of the embodiment of the present disclosure, the data packet processing apparatus 20 based on single packet authorization further includes:
the release matching module is used for matching the IP address of the data packet to be processed with the IP address in the authentication release sub-chain under the condition that the IP address of the data packet to be processed is inconsistent with the IP address in the blacklist sub-chain;
the first releasing module is used for releasing the data packet to be processed under the condition that the IP address of the data packet to be processed is consistent with the IP address in the authentication releasing sub-chain;
the determining module 240 is further configured to:
and under the condition that the IP address of the data packet to be processed is not consistent with the IP address in the authentication release sub-chain, judging whether the data packet to be processed meets the SPA processing condition.
In a possible implementation manner of the embodiment of the present disclosure, the data packet processing apparatus 20 based on single packet authorization further includes:
and the authentication release updating module is used for adding the IP address of the data packet to be processed into the authentication release sub-chain under the condition that the SPA authentication of the data packet to be processed is successful.
In a possible implementation manner of the embodiment of the present disclosure, the data packet processing apparatus 20 based on single packet authorization further includes:
the whitelist matching module is used for matching the IP address of the data packet to be processed with the IP address in the whitelist subchain under the condition that the IP address of the data packet to be processed is inconsistent with the IP address in the blacklist subchain;
the second releasing module is used for releasing the data packet to be processed under the condition that the IP address of the data packet to be processed is consistent with the IP address in the whitelist subchain;
the releasing matching module is further configured to:
and matching the IP address of the data packet to be processed with the IP address in the authentication release sub-chain under the condition that the IP address of the data packet to be processed is inconsistent with the IP address in the whitelist subchain.
In a possible implementation manner of the embodiment of the present disclosure, the data packet processing apparatus 20 based on single packet authorization further includes:
the local traffic matching module is used for judging whether the data packet to be processed hits the rule of the local traffic subchain, wherein the rule of the local traffic subchain is that the data packet is released directly if its source address and destination address are both local addresses;
a third releasing module, configured to release the to-be-processed data packet if the to-be-processed data packet hits the rule of the local traffic subchain;
the blacklist matching module is further configured to:
and matching the IP address of the data packet to be processed with the IP address in the blacklist sub-chain under the condition that the data packet to be processed does not hit the rule of the local traffic subchain.
The data packet processing apparatus based on single packet authorization provided by the embodiment of the disclosure, which can be configured on a software-defined perimeter (SDP) product, can execute any data packet processing method based on single packet authorization that is applicable to such a product, and has the corresponding functional modules and beneficial effects of the executed method. For content not described in detail in the apparatus embodiments of the disclosure, reference may be made to the description of any method embodiment of the disclosure.
The embodiment of the present disclosure also provides an electronic device, which includes a processor and a memory; the processor is configured to execute the steps of the data packet processing method based on single packet authorization according to the foregoing embodiments by calling the program or instructions stored in the memory. To avoid repetition, the details are not described again here.
The embodiments of the present disclosure further provide a non-transitory computer-readable storage medium that stores a program or instructions which cause a computer to execute the steps of the data packet processing method based on single packet authorization according to the foregoing embodiments. To avoid repetition, the steps are not described again here.
The embodiment of the present disclosure further provides a computer program product, where the computer program product is configured to execute the steps of the embodiments of the data packet processing method based on single packet authorization according to the foregoing embodiments.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. A data packet processing method based on single packet authorization is characterized by comprising the following steps:
acquiring a data packet to be processed;
matching the IP address of the data packet to be processed with the IP address in the blacklist subchain;
if the IP address of the data packet to be processed is consistent with the IP address in the blacklist subchain, discarding the data packet to be processed;
if the IP address of the data packet to be processed is inconsistent with the IP address in the blacklist subchain, matching the IP address of the data packet to be processed with the IP address in the whitelist subchain;
if the IP address of the data packet to be processed is consistent with the IP address in the white list subchain, releasing the data packet to be processed;
if the IP address of the data packet to be processed is inconsistent with the IP address in the white list sub-chain, matching the IP address of the data packet to be processed with the IP address in the authentication release sub-chain;
if the IP address of the data packet to be processed is consistent with the IP address in the authentication release sub-chain, releasing the data packet to be processed;
if the IP address of the data packet to be processed is not consistent with the IP address in the authentication release sub-chain, judging whether the data packet to be processed meets a preset SPA processing condition;
performing SPA authentication on the data packet to be processed under the condition that the data packet to be processed meets the SPA processing condition;
under the condition that the SPA authentication of the data packet to be processed is successful, adding the IP address of the data packet to be processed into the authentication release sub-chain and starting timing;
and when the time length of the IP address of the data packet to be processed existing in the authentication release sub-chain exceeds the preset timeout time, removing the IP address of the data packet to be processed from the authentication release sub-chain.
2. The method of claim 1, further comprising:
under the condition that the SPA authentication of the data packet to be processed fails, counting the number of times of continuous SPA authentication failures of the IP address of the data packet to be processed in a preset time length;
and adding the IP address of the data packet to be processed into the blacklist subchain under the condition that the times are greater than the threshold value of authentication failure times.
3. The method according to claim 1 or 2, wherein before the matching of the IP address of the data packet to be processed with the IP address in the blacklist subchain, the method further comprises:
judging whether the data packet to be processed hits a rule of a local flow subchain, wherein the rule of the local flow subchain is that if a source address and a destination address of the data packet are local addresses, the data packet is directly released;
if the data packet to be processed hits the rule of the local flow subchain, releasing the data packet to be processed;
and if the to-be-processed data packet does not hit the rule of the local flow subchain, matching the IP address of the to-be-processed data packet with the IP address in the blacklist subchain.
4. A packet processing apparatus based on single packet authorization, comprising:
the data packet acquisition module is used for acquiring a data packet to be processed;
the blacklist matching module is used for matching the IP address of the data packet to be processed with the IP address in the blacklist subchain;
the discarding module is used for discarding the data packet to be processed under the condition that the IP address of the data packet to be processed is consistent with the IP address in the blacklist subchain;
the white list matching module is used for matching the IP address of the data packet to be processed with the IP address in the white list subchain under the condition that the IP address of the data packet to be processed is inconsistent with the IP address in the black list subchain;
the second releasing module is used for releasing the data packet to be processed under the condition that the IP address of the data packet to be processed is consistent with the IP address in the white list subchain;
the release matching module is used for matching the IP address of the data packet to be processed with the IP address in the authentication release sub-chain under the condition that the IP address of the data packet to be processed is inconsistent with the IP address in the white list sub-chain;
the first releasing module is used for releasing the data packet to be processed under the condition that the IP address of the data packet to be processed is consistent with the IP address in the authentication release sub-chain;
the judging module is used for judging whether the data packet to be processed meets the preset SPA processing condition or not under the condition that the IP address of the data packet to be processed is inconsistent with the IP address in the authentication release sub-chain;
the SPA authentication module is used for performing SPA authentication on the data packet to be processed under the condition that the data packet to be processed meets the SPA processing condition;
the authentication release updating module is used for adding the IP address of the data packet to be processed into the authentication release sub-chain under the condition that the SPA authentication of the data packet to be processed is successful;
starting timing when the IP address of the data packet to be processed is added into the authentication release sub-chain;
and when the time length for which the IP address of the data packet to be processed has existed in the authentication release sub-chain exceeds the preset timeout time, removing the IP address of the data packet to be processed from the authentication release sub-chain.
5. The apparatus for processing data packets based on single packet authorization according to claim 4, wherein the apparatus further comprises:
the statistical module is used for counting the number of times of continuous SPA authentication failure of the IP address of the data packet to be processed within a preset time length under the condition that the SPA authentication of the data packet to be processed fails;
and the adding module is used for adding the IP address of the data packet to be processed into the blacklist sub-chain under the condition that the times are greater than the threshold value of authentication failure times.
6. An electronic device, comprising: a processor and a memory;
the processor is configured to execute the steps of the data packet processing method based on single packet authorization according to any one of claims 1 to 3 by calling the program or instructions stored in the memory.
7. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program or instructions for causing a computer to execute the steps of the data packet processing method based on single-packet authorization according to any one of claims 1 to 3.
CN202111145955.2A 2021-09-28 2021-09-28 Data packet processing method and device based on single packet authorization, electronic equipment and medium Active CN113890760B (en)
Publications (2)

Publication Number Publication Date
CN113890760A CN113890760A (en) 2022-01-04
CN113890760B true CN113890760B (en) 2022-07-12
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant