CN114006734B - Method and device for analyzing false source address of routing flow of metropolitan area network - Google Patents


Info

Publication number: CN114006734B
Application number: CN202111181796.1A
Authority: CN (China)
Prior art keywords: route, source, address, marking, label
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN114006734A (en)
Inventor: 赵小宝
Current assignee: Unihub China Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Unihub China Information Technology Co Ltd
Priority date: 2021-10-11 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2021-10-11
Publication date: 2023-07-25 (CN114006734B; the application publication CN114006734A appeared 2022-02-01)
Events: application filed by Unihub China Information Technology Co Ltd; publication of CN114006734A; application granted; publication of CN114006734B; legal status Active.

Classifications

All H04L codes below sit under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; the Y02D code sits under Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT].

    • H04L63/1416 Event detection, e.g. attack signature detection (H04L63/00 network architectures or protocols for network security > H04L63/14 detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic)
    • H04L63/126 Applying verification of the source of the received data (H04L63/00 > H04L63/12 applying verification of the received information)
    • H04L2463/146 Tracing the source of attacks (H04L2463/00 additional details relating to network security architectures or protocols covered by H04L63/00)
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (Y02D30/00 reducing energy consumption in communication networks)

Abstract

The invention discloses a method and a device for analyzing false (spoofed) source addresses in the routing traffic of a metropolitan area network. The method comprises: a route collector collects the routes of the network devices and automatically derives each device's route address blocks from the route attributes; a NetFlow collection server establishes a NetFlow session with the network devices, obtains the source IP of each flow record exported by a device, and labels the source IP according to the address blocks; from the labeled source IPs, the false source addresses are identified and the device at which a false source address entered the network is located. Because route changes are tracked dynamically and in real time, the address blocks belonging to each device are derived accurately; by dynamically combining routing and NetFlow data, false source addresses and their entry points are located quickly.

Description

Method and device for analyzing false source address of routing flow of metropolitan area network
Technical Field
The invention relates to the operation and maintenance of carrier metropolitan area networks, and in particular to a method and a device for analyzing false source addresses in the routing traffic of a metropolitan area network.
Background
In the operation and maintenance of a carrier's metropolitan area network, attack traffic occurs frequently. Attack traffic usually carries a forged (spoofed) source address, so network analysts cannot trace it back to its origin, and the point where the attack traffic enters the network cannot be located quickly while the attack is under way.
Disclosure of Invention
To solve this problem, the invention provides a method and a device for analyzing false source addresses in metropolitan area network routing traffic. They interface in real time with the routing and traffic information of the devices in the network and, by combining routing and traffic data in real time, quickly locate where packets with false source addresses enter the network. This helps operations personnel troubleshoot quickly, reduces operation and maintenance cost and complexity, and improves accuracy and efficiency.
To this end, the invention adopts the following technical scheme.
In an embodiment of the invention, a method for analyzing false source addresses in metropolitan area network routing traffic is provided, which comprises:
a route collector collects the routes of the network devices and automatically derives route address blocks from the route attributes;
a NetFlow collection server establishes a NetFlow session with the network devices, obtains the source IP of each flow record exported by a device, and labels the source IP according to the address blocks;
from the labeled source IPs, false source addresses are identified and the device where a false source address is located is found.
Further, the route collector collecting the routes of the network devices comprises:
the route collector establishes BGP neighbor sessions with the network devices and collects their BGP routes, and establishes a session with a route reflector in the AS and collects the routes of the whole AS.
Further, labeling the source IP according to the address blocks comprises:
if the route collector has a BGP neighbor session with the network device, checking whether the device's route address blocks contain the source IP; if so, attaching the device label, otherwise attaching the unknown label;
if the route collector has a session with a route reflector in the AS, checking whether the route address blocks of the whole AS contain the source IP; if so, attaching the AS label, otherwise attaching the unknown label.
Further, identifying false source addresses from the labeled source IPs and locating the device where a false source address is located comprises:
from the labeled source IPs, treating every source IP that carries the unknown label as a false source address;
and locating the device through which the false source address entered the network from the device-level labels of the source IPs.
In an embodiment of the invention, a device for analyzing false source addresses in metropolitan area network routing traffic is also provided, the device comprising:
a route collection and identification module, which collects the routes of the network devices through the route collector and automatically derives route address blocks from the route attributes;
a flow collection and source IP labeling module, which establishes a NetFlow session with the network devices through the NetFlow collection server, obtains the source IP of each flow record exported by a device, and labels the source IP according to the address blocks;
and a false source address analysis and localization module, which identifies false source addresses from the labeled source IPs and locates the device where a false source address is located.
Further, the route collector collecting the routes of the network devices comprises:
the route collector establishes BGP neighbor sessions with the network devices and collects their BGP routes, and establishes a session with a route reflector in the AS and collects the routes of the whole AS.
Further, labeling the source IP according to the address blocks comprises:
if the route collector has a BGP neighbor session with the network device, checking whether the device's route address blocks contain the source IP; if so, attaching the device label, otherwise attaching the unknown label;
if the route collector has a session with a route reflector in the AS, checking whether the route address blocks of the whole AS contain the source IP; if so, attaching the AS label, otherwise attaching the unknown label.
Further, the false source address analysis and localization module is specifically configured to:
treat every labeled source IP that carries the unknown label as a false source address;
and locate the device through which the false source address entered the network from the device-level labels of the source IPs.
In an embodiment of the invention, a computer device is further provided, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the above method for analyzing false source addresses in metropolitan area network routing traffic when executing the computer program.
In an embodiment of the invention, a computer readable storage medium is also provided, which stores a computer program for executing the above method for analyzing false source addresses in metropolitan area network routing traffic.
Beneficial effects:
1. The invention tracks route changes dynamically and in real time, so the address blocks belonging to each device are derived accurately.
2. By dynamically combining routing and NetFlow data, the invention quickly locates false source addresses and the points where they enter the network.
Drawings
FIG. 1 is a flow chart of a method for analyzing false source addresses of routing traffic in a metropolitan area network according to an embodiment of the invention;
FIG. 2 is a schematic diagram of routing and traffic collection according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of network device route collection according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating data collection of traffic flow through a NetFlow protocol according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a device for analyzing false source addresses in routing traffic of a metropolitan area network according to an embodiment of the invention;
FIG. 6 is a schematic diagram of a computer device according to an embodiment of the invention.
Detailed Description
The principles and spirit of the present invention will be described below with reference to several exemplary embodiments, with the understanding that these embodiments are merely provided to enable those skilled in the art to better understand and practice the invention and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Those skilled in the art will appreciate that embodiments of the invention may be implemented as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the following forms, namely: complete hardware, complete software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to an embodiment of the invention, a method and a device for analyzing false source addresses in metropolitan area network routing traffic are provided. At the egress of a carrier's metropolitan area network, BGP routes are received and the route address blocks inside the metropolitan area network are derived automatically from the route attributes; the source IP of each flow is obtained from NetFlow records; and the false source address information of the metropolitan area network is analyzed from the two.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments thereof.
FIG. 1 is a flow chart of a method for analyzing false source addresses in routing traffic of a metropolitan area network according to an embodiment of the invention. As shown in FIG. 1, the method comprises:
1. Route collection
Routes are collected in two ways:
(1) Establishing a neighbor session directly with the network device
As shown in FIG. 2 and FIG. 3, the route collector establishes an iBGP session (BGP within the AS) with the network device and collects the BGP routes of the AS. The neighbor IP of the session identifies which router advertised each route, and the route address blocks belonging to that device are derived from the BGP routes collected from it. In this case, the address blocks advertised by each individual router are distinguished by the BGP routes received from that router.
(2) Establishing a session with the route reflector (RR) inside the AS
A session with the route reflector in the AS is used to collect the routes of the whole AS through the RR. Routes originated inside the AS are distinguished by an empty AS_PATH attribute. Once the routes of the whole AS are known, the NetFlow traffic at the egress of the whole metropolitan area network can be checked and traffic with false source addresses can be found network-wide.
2. Collecting flow data through the NetFlow protocol
As shown in FIG. 2 and FIG. 4, the NetFlow collection server peers with the network device over the NetFlow protocol, obtains from the NetFlow records the source IP and the input interface index of each flow, and labels the source IP according to the address blocks of the exporting device as follows:
(1) If the route collector has a direct neighbor session with the network device, check whether the device's route address blocks contain the source IP; if so, attach the device label, otherwise attach the unknown label;
(2) If the route collector has a session with the route reflector, check whether the route address blocks of the whole AS contain the source IP; if so, attach the AS label, otherwise attach the unknown label.
3. Comparing flow data with routing data and locating the source
From the labels of step 2, traffic whose source IP carries the unknown label is traffic with a false source address. The AS-level check finds all false-source-address traffic in the metropolitan area network; the device-level unknown label then identifies the particular device whose flow records carried the false source address. This quickly locates the device through which the false-source-address traffic entered the network and provides the basis for handling the attack rapidly.
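As an added example (not code from the patent), the following Python decodes a NetFlow v5 export datagram, the record format that carries exactly the two fields step 2 needs from each flow: the source IP and the input interface index. The exporter name "BRAS-1", the sample datagram and all addresses in it are constructed here so the example runs offline; a real collector receives the datagram over UDP and takes the exporter's identity from the datagram's source address. The length check before decoding is the guard a collector needs: the record count in the header arrives from the network and must never be trusted over the real datagram length.

```python
"""Added example: decode NetFlow v5 datagrams into (source IP, input ifIndex) tuples.

Illustrative code, not the patent's implementation. The datagram below is
constructed with struct.pack so the example runs without a network.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# NetFlow v5 wire format (big-endian): 24-byte header followed by 48-byte records.
HEADER_FMT = "!HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHxBBBHHBBxx"  # src, dst, nexthop, input, output, pkts,
                                          # octets, first, last, sport, dport, pad,
                                          # tcp_flags, proto, tos, src_as, dst_as,
                                          # src_mask, dst_mask, pad
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    input_if: int
    output_if: int
    packets: int
    octets: int
    proto: int


def parse_netflow_v5(datagram: bytes) -> list[FlowRecord]:
    """Decode one v5 export datagram. Raises ValueError on anything malformed."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # v5 carries at most 30 records per datagram, and 'count' must agree with the
    # bytes actually received, or a hostile exporter can make the parser read
    # past the datagram.
    if count > 30 or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append(FlowRecord(
            src=str(IPv4Address(f[0])), dst=str(IPv4Address(f[1])),
            input_if=f[3], output_if=f[4], packets=f[5], octets=f[6], proto=f[12],
        ))
    return records


def egress_sources(exporter: str, datagram: bytes) -> list[tuple[str, str, int]]:
    """Reduce a datagram to what the labeling step consumes:
    (source IP, exporting device, input ifIndex) for each flow."""
    return [(r.src, exporter, r.input_if) for r in parse_netflow_v5(datagram)]


# Constructed sample: two flows exported by a hypothetical device "BRAS-1".
def _record(src, dst, in_if, out_if, pkts, octets, sport, dport, proto):
    return struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                       b"\0" * 4, in_if, out_if, pkts, octets, 0, 0, sport, dport,
                       0, proto, 0, 0, 0, 0, 0)


SAMPLE_DATAGRAM = (
    struct.pack(HEADER_FMT, 5, 2, 1000, 1700000000, 0, 0, 0, 0, 1)
    + _record("10.10.5.7", "198.51.100.20", 3, 12, 40, 52000, 51234, 443, 6)
    + _record("203.0.113.9", "198.51.100.20", 3, 12, 9000, 360000, 40000, 53, 17)
)

if __name__ == "__main__":
    for src, exporter, in_if in egress_sources("BRAS-1", SAMPLE_DATAGRAM):
        print(f"{exporter} ifIndex {in_if}: source {src}")
```

Only the source address and input ifIndex are kept because those are what the labeling step compares against the route data; the exporting device is not inside the datagram, which is why it is passed in separately.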
It should be noted that although the operations of the method of the present invention are described in a particular order in the above embodiments and the accompanying drawings, this does not require or imply that the operations must be performed in the particular order or that all of the illustrated operations be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
To make the method described above clearer, a specific example is described below; it serves only to explain the invention and does not limit it.
Example:
Suppose a carrier wants to identify false IP addresses in the traffic of its metropolitan area network, whose AS number is assumed to be ASX.
First, routes are received from the route reflector of the carrier's metropolitan area network. After the routes are received, the route entries that belong to the metropolitan area network are identified by an empty AS_PATH, giving the set A of route entries (prefixes) of the metropolitan area network.
Then the NetFlow records at the egress of the metropolitan area network are obtained; a source IP that falls within a prefix of set A is labeled ASX, and a source IP that falls outside set A is labeled unknown.
All source IPs that are not labeled ASX are false source addresses and are compiled into a false source address report.
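The three-step procedure (route collection, labeling, localization) and the ASX example above, as an added Python example that is not the patent's code. It goes slightly beyond the ASX example: it keeps both label levels, the per-device blocks learned from each directly peered router and the whole-AS blocks learned from the route reflector (empty AS_PATH), so it both decides spoofing at the AS level and names the exporting device and input interface the false source entered through. The AS number 64496, the router names, the prefixes and the flow records are constructed; route entries are modeled as (prefix, advertising router, AS_PATH) tuples rather than real BGP UPDATE messages.

```python
"""Added example: label flow source IPs against collected routes and locate
the device where a false (spoofed) source address entered the network.

Illustrative code, not the patent's implementation. All routes, device
names, the AS number and the flow records are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_ASN = 64496   # the "ASX" of the worked example; assumed value

# Step 1: what the route collector has learned, modeled as
# (prefix, router that advertised it over iBGP, AS_PATH attribute).
# An empty AS_PATH marks a route originated inside the local AS; that is the
# test the method uses to build the metro-wide set A.
ROUTES = [
    ("10.10.0.0/16",    "BRAS-1", []),
    ("10.20.0.0/16",    "BRAS-2", []),
    ("10.20.8.0/22",    "BRAS-3", []),               # more specific, another box
    ("198.51.100.0/24", "EDGE-1", [64500, 64501]),   # learned from an upstream AS
]

# Step 2 input: egress flow records reduced to (source IP, exporting device,
# input ifIndex), as a NetFlow collector would hand them over.
FLOWS = [
    ("10.10.5.7",    "BRAS-1", 3),   # legitimate, inside BRAS-1's own block
    ("10.20.9.1",    "BRAS-3", 7),   # legitimate, inside BRAS-3's own block
    ("10.20.9.1",    "BRAS-1", 3),   # known to the AS, but not BRAS-1's block
    ("203.0.113.9",  "BRAS-1", 3),   # in no route of the AS -> false source
    ("198.51.100.4", "BRAS-2", 2),   # upstream's prefix sourced from inside
]


def build_prefix_sets(routes):
    """Per-device prefix lists (from the direct iBGP neighbors) and the
    whole-AS list (from the RR, empty AS_PATH only)."""
    per_device = defaultdict(list)
    whole_as = []
    for prefix, router, as_path in routes:
        net = ip_network(prefix)
        per_device[router].append(net)
        if not as_path:
            whole_as.append(net)
    return per_device, whole_as


def covered(addr, nets):
    """The method only asks whether some prefix contains the address."""
    return any(addr in net for net in nets)


def label_flow(src, exporter, per_device, whole_as, local_asn=LOCAL_ASN):
    """Return (AS-level label, device-level label) for one flow record."""
    addr = ip_address(src)
    as_label = f"AS{local_asn}" if covered(addr, whole_as) else "unknown"
    dev_label = exporter if covered(addr, per_device.get(exporter, ())) else "unknown"
    return as_label, dev_label


def spoofed_report(flows, routes, local_asn=LOCAL_ASN):
    """Step 3: an AS-level 'unknown' source is a false source address. Group
    those by the exporting device and input interface that carried them; that
    is where the spoofed traffic entered the metro network."""
    per_device, whole_as = build_prefix_sets(routes)
    report = defaultdict(set)
    for src, exporter, in_if in flows:
        as_label, _ = label_flow(src, exporter, per_device, whole_as, local_asn)
        if as_label == "unknown":
            report[src].add((exporter, in_if))
    return {src: sorted(entries) for src, entries in report.items()}


if __name__ == "__main__":
    per_device, whole_as = build_prefix_sets(ROUTES)
    for src, exporter, in_if in FLOWS:
        print(src, exporter, in_if, *label_flow(src, exporter, per_device, whole_as))
    for src, where in spoofed_report(FLOWS, ROUTES).items():
        print(f"false source {src} entered via {where}")
```

Two caveats for anyone deploying this check, neither of which the patent text addresses. It must be applied to flows leaving the metro network, since inbound Internet traffic legitimately carries foreign source addresses. And set A as built here contains only routes with an empty AS_PATH: if the metro network transits a downstream customer AS, that customer's prefixes carry a non-empty AS_PATH and would be reported as false (the 198.51.100.4 flow above shows the effect), so such prefixes must be added to the allowed set. Offline, on flow records, this is the same test that BCP 38 style ingress filtering or uRPF applies inline on the router.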
Based on the same inventive concept, the invention also provides a device for analyzing false source addresses in routing traffic of a metropolitan area network. Its implementation follows that of the method above, so repeated content is not described again. The term "module" as used below may be a combination of software and/or hardware that implements the intended function. Although the means described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 5 is a schematic diagram of a device for analyzing false source addresses in routing traffic of a metropolitan area network according to an embodiment of the invention. As shown in FIG. 5, the device comprises:
a route collection and identification module 101, configured to collect the routes of the network devices through the route collector and to automatically derive route address blocks from the route attributes;
the route collector collecting the routes of the network devices comprises:
the route collector establishes BGP neighbor sessions with the network devices and collects their BGP routes, and establishes a session with a route reflector in the AS and collects the routes of the whole AS.
A flow collection and source IP labeling module 102, configured to establish a NetFlow session with the network devices through the NetFlow collection server, obtain the source IP of each flow record exported by a device, and label the source IP according to the address blocks;
labeling the source IP according to the address blocks comprises:
if the route collector has a BGP neighbor session with the network device, checking whether the device's route address blocks contain the source IP; if so, attaching the device label, otherwise attaching the unknown label;
if the route collector has a session with a route reflector in the AS, checking whether the route address blocks of the whole AS contain the source IP; if so, attaching the AS label, otherwise attaching the unknown label.
A false source address analysis and localization module 103, configured to identify false source addresses from the labeled source IPs and locate the device where a false source address is located; this comprises:
treating every labeled source IP that carries the unknown label as a false source address;
and locating the device through which the false source address entered the network from the device-level labels of the source IPs.
It should be noted that while several modules of a metro network routing traffic false source address analysis device are mentioned in the detailed description above, this partitioning is merely exemplary and not mandatory. Indeed, the features and functions of two or more modules described above may be embodied in one module in accordance with embodiments of the present invention. Conversely, the features and functions of one module described above may be further divided into a plurality of modules to be embodied.
Based on the foregoing inventive concept, as shown in fig. 6, the present invention further proposes a computer device 200, including a memory 210, a processor 220, and a computer program 230 stored in the memory 210 and capable of running on the processor 220, where the processor 220 implements the foregoing method for analyzing the false source address of the metro network routing traffic when executing the computer program 230.
Based on the foregoing inventive concept, the present invention also proposes a computer readable storage medium storing a computer program for executing the foregoing method for analyzing a false source address of a metro network routing traffic.
In summary, the invention provides a method and a device for analyzing false source addresses in metropolitan area network routing traffic. Routes of the network devices are collected through BGP neighbor sessions and automatically classified by their route attributes; the route data is then compared with the flow data so that traffic with false source addresses is identified quickly and the device where the false source address entered the network is located quickly.
While the spirit and principles of the invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, and that the division into aspects, which is made for convenience of description only, does not imply that features of the various aspects cannot be usefully combined. The invention is intended to cover the various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
It should be apparent to those skilled in the art that various modifications or variations can be made in the present invention without requiring any inventive effort by those skilled in the art based on the technical solutions of the present invention.

Claims (4)

1. A method for analyzing false source addresses in routing traffic of a metropolitan area network, the method comprising:
a route collector establishes BGP neighbor sessions with the network devices and collects their BGP routes, establishes a session with a route reflector in the AS and collects the routes of the whole AS, and automatically derives route address blocks from the route attributes;
a NetFlow collection server establishes a NetFlow session with the network devices and obtains the source IP of each flow record exported by a device; if the route collector has a BGP neighbor session with the network device, it checks whether the device's route address blocks contain the source IP and, if so, attaches the device label, otherwise the unknown label; if the route collector has a session with a route reflector in the AS, it checks whether the route address blocks of the whole AS contain the source IP and, if so, attaches the AS label, otherwise the unknown label;
from the labeled source IPs, every source IP carrying the unknown label is identified as a false source address, and the device where the false source address is located is found from the device-level labels of the source IPs.
2. A device for analyzing false source addresses in routing traffic of a metropolitan area network, the device comprising:
a route collection and identification module, configured to establish BGP neighbor sessions between the route collector and the network devices and collect their BGP routes, establish a session between the route collector and a route reflector in the AS and collect the routes of the whole AS, and automatically derive route address blocks from the route attributes;
a flow collection and source IP labeling module, configured to establish a NetFlow session with the network devices through the NetFlow collection server and obtain the source IP of each flow record exported by a device; if the route collector has a BGP neighbor session with the network device, to check whether the device's route address blocks contain the source IP and, if so, attach the device label, otherwise the unknown label; if the route collector has a session with a route reflector in the AS, to check whether the route address blocks of the whole AS contain the source IP and, if so, attach the AS label, otherwise the unknown label;
a false source address analysis and localization module, configured to identify every labeled source IP carrying the unknown label as a false source address, and to find the device where the false source address is located from the device-level labels of the source IPs.
3. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of claim 1 when executing the computer program.
4. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program for executing the method of claim 1.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111181796.1A (CN114006734B, en) 2021-10-11 2021-10-11 Method and device for analyzing false source address of routing flow of metropolitan area network (Active)

Publications (2)

Publication Number Publication Date
CN114006734A (en) 2022-02-01
CN114006734B (en) 2023-07-25

Family

ID=79922763; one family application, CN202111181796.1A (the application above); country status: CN, CN114006734B (en).

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101714942A (en) * 2009-11-12 2010-05-26 中国人民解放军国防科学技术大学 BGP-guided method for discovering real-time autonomous system-level topology
CN103442008A (en) * 2013-08-29 2013-12-11 中国科学院计算技术研究所 System and method for detecting routing security
CN108769055A (en) * 2018-06-14 2018-11-06 北京神州绿盟信息安全科技股份有限公司 A false source IP detection method and device
CN110381006A (en) * 2018-04-12 2019-10-25 中兴通讯股份有限公司 Message processing method, device, storage medium and processor

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US11968174B2 (en) * 2018-10-04 2024-04-23 Level 3 Communications, Llc Systems and methods for blocking spoofed traffic

Non-Patent Citations (1)

Title
反射型分布式拒绝服务攻击源追踪的研究 (Research on tracing the source of reflective distributed denial-of-service attacks); 张倩倩; 《中国优秀硕士学位论文全文数据库(电子期刊)》 (China Master's Theses Full-text Database, electronic journal); full text *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant