CN114567615A - Network attack tracing positioning method, device, equipment and medium - Google Patents

Network attack tracing positioning method, device, equipment and medium

Info

Publication number
CN114567615A
Authority
CN
China
Prior art keywords
address
target
network
source
attribution
Prior art date
Legal status
Pending
Application number
CN202210191657.5A
Other languages
Chinese (zh)
Inventor
李蔚
田龙平
史怀周
Current Assignee
Tianyi Safety Technology Co Ltd
Original Assignee
Tianyi Safety Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Tianyi Safety Technology Co Ltd
Priority to CN202210191657.5A
Publication of CN114567615A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/255 Maintenance or indexing of mapping tables
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack tracing and positioning method, a device, equipment and a medium. In a complex multi-network environment, the method uses the first routing information and the corresponding first attribution collected in each network to determine the target first attribution corresponding to the target first routing information whose IP address segment contains the target IP address. It then determines the target network corresponding to the target first attribution that is the same as the second attribution of the target IP address, and determines the target asset information corresponding to the source IP address in that target network, thereby improving the accuracy of determining the target asset information of an attacker's source IP address in a multi-network environment.

Description

Network attack tracing positioning method, device, equipment and medium
Technical Field
The invention relates to the technical field of network security, in particular to a network attack tracing and positioning method, device, equipment and medium.
Background
When it is detected that the network asset is attacked by the network, the source tracing and positioning are performed on the network attack, that is, the asset information of the source IP address of the network attack is determined, wherein the asset information of the source IP address includes information such as equipment, registration information, and a location corresponding to the source IP address.
In a conventional simple intranet/extranet environment, for example where the extranet is the Internet and the intranet is a campus network, the number of Internet IP addresses is limited, so a device on the campus can only reach the Internet through the Internet IP address corresponding to the IP address allocated to the campus network. Therefore, in such a simple intranet/extranet environment, the source IP address of a network attack is basically the extranet IP address corresponding to the intranet. The tracing and positioning scheme for the source IP address is thus: according to the source IP address, timestamp and address port of the network attack, determine from the firewall log information the IP address of the source IP address after Network Address Translation (NAT), determine the asset information corresponding to that post-NAT IP address from the asset information corresponding to each IP address in the intranet, and take that asset information as the target asset information of the source IP address of the network attack.
However, the current network environment is complex: there are various networks such as Internet Protocol Version 6 (IPv6) networks, public Internet Protocol Version 4 (IPv4) networks and various Virtual Private Networks (VPN), which cause the same IP address to overlap across different networks, so the accuracy of determining the target asset information of the source IP address of a network attack is low.
Disclosure of Invention
The invention provides a network attack tracing and positioning method, device, equipment and medium, which are used for solving the problem that the accuracy of determining target asset information of a source IP address of a network attack is lower in the prior art.
The invention provides a network attack tracing and positioning method, which comprises the following steps:
acquiring a source IP address of network attack and an attacked target IP address;
for each kind of network stored in advance, performing route attribution query on the target IP address in the network to obtain each first route information and a first attribution corresponding to each first route information, and determining a target first attribution corresponding to the target first route information containing the target IP address according to the target IP address and an IP address segment included in each first route information;
and determining a target network corresponding to a target first attribution which is the same as the second attribution according to each target first attribution corresponding to each network and a second attribution corresponding to the target IP address acquired in advance, and determining target asset information corresponding to the source IP address in the target network.
Further, the determining, according to the target IP address and the IP address segment included in each piece of first routing information, a target first attribution corresponding to target first routing information including the target IP address includes:
determining each target IP address segment containing the target IP address according to the target IP address and the IP address segment contained in each first routing message;
and determining a first attribution corresponding to the target first routing information of the target IP address segment with the minimum range as the target first attribution according to the range of the IP address segment included in each target IP address segment.
Further, the determining, in the target network, target asset information corresponding to the source IP address includes:
performing routing attribution query on the source IP address in the target network to obtain each piece of second routing information corresponding to the source IP address and a third attribution corresponding to each piece of second routing information, and determining a target third attribution corresponding to target second routing information of a target IP address segment containing the source IP address according to the source IP address and an IP address segment contained in each piece of second routing information;
and inquiring target asset information corresponding to the source IP address in a database according to the pre-stored database corresponding to the target third attribution.
Further, the querying, according to a pre-stored database corresponding to a third attribution, the target asset information corresponding to the source IP address in the database includes:
judging whether each IP address does not correspond to a local area network or not according to each IP address in the target network and equipment or the local area network corresponding to each IP address in the target network which is stored in advance;
if yes, determining target asset information corresponding to the source IP address according to asset information corresponding to each IP address included in the database;
if not, determining the IP address of the source IP address after Network Address Translation (NAT) according to the source IP address, the pre-acquired timestamp and the address port, and determining the asset information corresponding to the IP address after NAT as the target asset information corresponding to the source IP address according to the asset information corresponding to each IP address in the database.
Correspondingly, the invention provides a network attack tracing positioning device, which comprises:
the acquisition module is used for acquiring a source IP address of the network attack and an attacked target IP address;
a determining module, configured to perform route attribution query on the target IP address in each pre-stored network, to obtain each piece of first routing information and a first attribution corresponding to each piece of first routing information, and to determine a target first attribution corresponding to target first routing information that includes the target IP address according to the target IP address and an IP address segment included in each piece of first routing information;
and the source tracing positioning module is used for determining a target network corresponding to a target first attribution which is the same as the second attribution according to each target first attribution corresponding to each network and a second attribution corresponding to the target IP address acquired in advance, and determining target asset information corresponding to the source IP address in the target network.
Further, the determining module is specifically configured to determine, according to the target IP address and the IP address segment included in each piece of the first routing information, each target IP address segment including the target IP address; and determining a first attribution corresponding to the target first routing information of the target IP address segment with the minimum range as the target first attribution according to the range of the IP address segment included in each target IP address segment.
Further, the source tracing location module is specifically configured to perform route attribution query on the source IP address in the target network, obtain each piece of second routing information corresponding to the source IP address and a third attribution corresponding to each piece of second routing information, and determine, according to the source IP address and an IP address segment included in each piece of second routing information, a target third attribution corresponding to target second routing information of a target IP address segment including the source IP address; and inquiring target asset information corresponding to the source IP address in a database according to the pre-stored database corresponding to the target third attribution.
Further, the source tracing positioning module is specifically further configured to determine whether each IP address in the target network does not correspond to a local area network according to each IP address in the target network and a device or local area network corresponding to each IP address in the target network that is stored in advance; if yes, determining target asset information corresponding to the source IP address according to asset information corresponding to each IP address included in the database; if not, determining the IP address of the source IP address after Network Address Translation (NAT) according to the source IP address, the pre-acquired timestamp and the address port, and determining the asset information corresponding to the IP address after NAT as the target asset information corresponding to the source IP address according to the asset information corresponding to each IP address in the database.
Accordingly, the present invention provides an electronic device, which includes a processor and a memory, where the memory is used to store program instructions, and the processor is used to implement the steps of any one of the above network attack tracing location methods when executing a computer program stored in the memory.
Accordingly, the present invention provides a computer readable storage medium, which stores a computer program, and the computer program, when executed by a processor, implements the steps of any one of the above network attack tracing and locating methods.
The invention provides a network attack tracing and positioning method, a device, equipment and a medium. In a complex multi-network environment, the method uses the first routing information and the corresponding first attribution collected in each network to determine the target first attribution corresponding to the target first routing information whose IP address segment contains the target IP address. It then determines the target network corresponding to the target first attribution that is the same as the second attribution of the target IP address, and determines the target asset information corresponding to the source IP address in that target network, thereby improving the accuracy of determining the target asset information of an attacker's source IP address in a multi-network environment.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments will be briefly introduced below, and it is apparent that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings may be obtained according to the drawings without inventive labor.
Fig. 1 is a schematic process diagram of a network attack tracing positioning method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a network attack tracing positioning apparatus according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to improve the accuracy of determining the target asset information of the source IP address of the network attack, embodiments of the present invention provide a network attack tracing positioning method, apparatus, device, and medium.
Example 1:
Fig. 1 is a schematic process diagram of a network attack source tracing positioning method according to an embodiment of the present invention, where the process includes the following steps:
S101: acquiring a source IP address of the network attack and an attacked target IP address.
The network attack tracing and positioning method provided by the embodiment of the invention is applied to electronic equipment, wherein the electronic equipment can be an intelligent terminal such as a PC (personal computer), a tablet computer, a mobile terminal and the like, and can also be a server; the server can be a local server or a cloud server. Specifically, the embodiment of the present invention does not limit this.
In order to improve the accuracy of determining the target asset information of the source IP address of the network attack, in the embodiment of the present invention, the electronic device obtains the source IP address of the network attack and the attacked target IP address, where the source IP address and the attacked target IP address are in the same network, the source IP address refers to an address of a node that initiates the network attack in the same network, the target IP address refers to an address of a node that is attacked by the network in the same network, and the same network may be any one of an IPv6 network, an IPv4 network, and a VPN network.
Specifically, the electronic device may receive, through a keyboard, a mouse, and other devices, an input source IP address and an attacked target IP address of the network attack, may also receive a source IP address and a target IP address sent by a user through other devices, and may also obtain a source IP address and a target IP address of the network attack carried in a data packet of the network attack.
S102: and for each kind of network stored in advance, performing route attribution query on the target IP address in the network to obtain each piece of first route information and a first attribution corresponding to the first route information, and determining a target first attribution corresponding to the target first route information containing the target IP address according to the target IP address and an IP address segment included in the first route information.
Because the current network environment is a multi-network environment, in order to determine which network currently performs network attack, each network is pre-stored in the electronic device, for each network, a routing attribution query is performed on a target IP address in the network, and each first routing information and a first attribution corresponding to each first routing information can be obtained through the routing query.
The routing information includes Autonomous System (AS) number information, loopback information, router name information, router interface information and NetFlow traffic sampling information, and the attribution information refers to the specific province, city or county of a country where the router is located.
Each target IP address segment containing the target IP address is determined according to the target IP address and the IP address segment contained in each piece of first routing information, and the target first attribution corresponding to the target first routing information containing that target IP address segment is determined. There may be one or more target IP address segments containing the target IP address.
S103: and determining a target network corresponding to a target first attribution which is the same as the second attribution according to each target first attribution corresponding to each network and a second attribution corresponding to the target IP address acquired in advance, and determining target asset information corresponding to the source IP address in the target network.
And determining a target first attribution which is the same as the second attribution according to each target first attribution corresponding to each network and the second attribution corresponding to the pre-acquired target IP address, and determining a target network corresponding to the target first attribution which is the same as the second attribution.
After the target network corresponding to the target first attribution which is the same as the second attribution is determined, the target asset information corresponding to the source IP address is also determined in the target network, specifically, the asset information corresponding to each IP address is stored in the target network, so the target asset information corresponding to the source IP address is determined according to the source IP address and the asset information corresponding to each IP address.
In the embodiment of the invention, in a multi-network environment with a complex network environment, the method determines the target first attribution corresponding to the target first routing information of the target IP address contained in the IP address section according to the first routing information and the corresponding first attribution collected in each network, thereby determining the target network corresponding to the target first attribution which is the same as the second attribution of the target IP address, and determining the target asset information corresponding to the source IP address in the target network, thereby improving the accuracy of determining the target asset information of the source IP address of the attacker in the multi-network environment.
Example 2:
to determine the target first attribution, on the basis of the above embodiment, in an embodiment of the present invention, the determining, according to the target IP address and the IP address segment included in each piece of first routing information, the target first attribution corresponding to the target first routing information including the target IP address includes:
determining each target IP address segment containing the target IP address according to the target IP address and the IP address segment contained in each first routing message;
and determining a first attribution corresponding to the target first routing information of the target IP address segment with the minimum range as the target first attribution according to the range of the IP address segment included in each target IP address segment.
In order to determine the target first attribution, in the embodiment of the invention, each target IP address segment containing the target IP address in each IP address segment is determined according to the target IP address and the IP address segment contained in each first routing message.
And determining a target IP address segment with the minimum range according to the range of the IP address segment included in each target IP address segment, determining a first attribution corresponding to the target first routing information of the target IP address segment with the minimum range, and determining the first attribution corresponding to the target first routing information as a target first attribution.
Taking a network attack occurring at the alarm time 2021-04-16 08:12:07 as an example, the process of determining the target first attribution of the present invention is described below by using a specific embodiment: the source IP address of the network attack is obtained as 172.22.77.9, the target IP address is obtained as 172.17.150.3, and the second attribution corresponding to the target IP address is Liaoning.
Performing a routing attribution query on the target IP address 172.17.150.3 in each pre-stored network gives the following first routing information whose address segment contains that address:
BGP route attribution query: IP 172.17.150.3, vpnId 4134:202, result:
{"routes": [{"netname": "CN2", "bgp_prefix": "172.17.0.0/16", "aspath": "17799", "originator": "59.43.6.43", "med": 0, "nexthop": "59.43.15.69", "community": "", "router_ip": "59.43.8.1", "localpref": 100, "rd": "4134:202"}]}
This is the first routing information queried in the network corresponding to the network identification information 4134:202; it includes the IP address segment 172.17.0.0/16, i.e. the IP address range 172.17.0.0 to 172.17.255.255, and the first attribution corresponding to "nexthop": "59.43.15.69" is Liaoning.
BGP route attribution query: IP 172.17.150.3, vpnId 4809:1124, result:
{"routes": [{"netname": "CN2", "bgp_prefix": "172.17.0.0/16", "aspath": "17799", "originator": "59.43.6.43", "med": null, "nexthop": "59.43.15.69", "community": "", "router_ip": "59.43.8.1", "localpref": 100, "rd": "4809:1124"}]}
This is the first routing information queried in the network corresponding to the network identification information 4809:1124; it includes the IP address segment 172.17.0.0/16, i.e. the IP address range 172.17.0.0 to 172.17.255.255, and the first attribution corresponding to "nexthop": "59.43.15.69" is Liaoning.
Example 3:
in order to determine the target asset information corresponding to the source IP address, on the basis of the foregoing embodiments, in an embodiment of the present invention, the determining, in the target network, the target asset information corresponding to the source IP address includes:
performing routing attribution query on the source IP address in the target network to obtain each piece of second routing information corresponding to the source IP address and a third attribution corresponding to each piece of second routing information, and determining a target third attribution corresponding to target second routing information of a target IP address segment containing the source IP address according to the source IP address and an IP address segment contained in each piece of second routing information;
and inquiring target asset information corresponding to the source IP address in a database according to the pre-stored database corresponding to the target third attribution.
In order to determine the target asset information corresponding to the source IP address, in the embodiment of the present invention, a routing attribution query is performed on the source IP address in the target network, and each piece of second routing information corresponding to the source IP address and a third attribution corresponding to each piece of second routing information are obtained through the query.
And determining target second routing information of a target IP address field containing the source IP address according to the source IP address and the IP address field contained in each piece of second routing information, and determining a target third attribution corresponding to the target second routing information.
In the embodiment of the invention, each third attribution correspondingly stores a database, and target asset information corresponding to the source IP address is inquired in the database according to the database corresponding to the target third attribution.
The following describes a process of determining a target first attribution according to a specific embodiment, taking a network attack occurring at the alarm time 2021-04-16 08:12:07 as an example: the source IP address of the network attack is 172.22.77.9, the target IP address is 172.17.150.3, and the second attribution corresponding to the target IP address is Liaoning.
Since, according to the above embodiment, the network identification information corresponding to the target networks is 4134:202 and 4809:1124 respectively, a routing attribution query is performed on the source IP address 172.22.77.9 in the target network corresponding to the network identification information 4134:202, and the obtained second routing information is:
{"routes": [{"netname": "CN2", "bgp_prefix": "172.22.0.0/16", "aspath": "65500", "originator": "59.43.0.241", "med": null, "nexthop": "59.43.12.83", "community": "", "router_ip": "59.43.8.1", "localpref": 100, "rd": "4134:202"}]}
This is the second routing information queried in the network corresponding to the network identification information 4134:202; it includes the IP address segment 172.22.0.0/16, i.e. the IP address range 172.22.0.0 to 172.22.255.255, and the third attribution corresponding to "nexthop": "59.43.12.83" is Henan.
A routing attribution query is performed on the source IP address 172.22.77.9 in the target network corresponding to the network identification information 4809:1124, and the obtained second routing information is:
{"routes": [{"netname": "CN2", "bgp_prefix": "172.22.0.0/16", "aspath": "65500", "originator": "59.43.0.241", "med": null, "nexthop": "59.43.12.83", "community": "", "router_ip": "59.43.8.1", "localpref": 100, "rd": "4809:1124"}]}
This is the second routing information queried in the network corresponding to the network identification information 4809:1124; it includes the IP address segment 172.22.0.0/16, i.e. the IP address range 172.22.0.0 to 172.22.255.255, and the third attribution corresponding to "nexthop": "59.43.12.83" is Henan.
Therefore, in both target networks, the target third attribution corresponding to the target second routing information of the target IP address segment containing the source IP address is determined to be Henan.
In order to query the database for the target asset information corresponding to the source IP address, in an embodiment of the present invention, the querying, according to the database corresponding to the pre-stored third attribution, the target asset information corresponding to the source IP address in the database includes:
judging whether each IP address does not correspond to a local area network or not according to each IP address in the target network and equipment or the local area network corresponding to each IP address in the target network which is stored in advance;
if yes, determining target asset information corresponding to the source IP address according to asset information corresponding to each IP address included in the database;
if not, determining the IP address of the source IP address after Network Address Translation (NAT) according to the source IP address, the pre-acquired timestamp and the address port, and determining the asset information corresponding to the IP address after NAT as the target asset information corresponding to the source IP address according to the asset information corresponding to each IP address in the database.
To query the target asset information corresponding to the source IP address in the database, the electronic device must also determine whether any IP address in the target network fronts a local area network: if one does, the source IP address observed in the attack may be the translated form of an address inside that local area network rather than the address of the attacking host itself.
Whether a local area network corresponds to a given IP address is determined from each IP address in the target network and the pre-stored device or local area network corresponding to it; if no IP address in the target network has a corresponding local area network, it is determined that none of them corresponds to a local area network.
If it is determined that no IP address in the target network corresponds to a local area network, the target asset information corresponding to the source IP address is determined directly from the asset information stored in the database for each IP address.
If an IP address in the target network is determined to correspond to a local area network, the source IP address is resolved across the network address translation in order to determine its target asset information: from the pre-acquired timestamp, the address port and the source IP address, the translation applied to the source IP address is looked up and the IP address after translation is determined. The timestamp and port are needed because a NAT gateway reuses the same public address and port for different internal hosts over time, so the public address alone does not identify a single host.
The asset information corresponding to the translated IP address is then determined from the translated IP address and the asset information pre-stored in the database for each IP address, and that asset information is taken as the target asset information corresponding to the source IP address.
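The branch just described, as an added example that is not the patent's own code: the device/LAN table for the target network, the NAPT session log format and its lines, the asset database, the 5-second clock-skew tolerance and every address are constructed for illustration. The point it makes is that the lookup needs the timestamp and port together with the source IP, and that zero or several candidate hosts must be reported as inconclusive rather than guessed.

```python
"""NAT-branch asset lookup for the tracing step described above.

Added example, not the patent's own code.  The device/LAN table, the NAPT
session log format and lines, the asset database, the 5-second clock-skew
tolerance and every address below are constructed for illustration."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Pre-stored table: which device or local area network sits behind each IP
# address of the target network.  A "lan:" prefix marks a NAT gateway.
IP_TO_DEVICE_OR_LAN: Dict[str, str] = {
    "203.0.113.10": "device:web01",          # single host, no translation
    "203.0.113.20": "lan:branch-office-1",   # gateway fronting a LAN
}

# Constructed NAPT session log (one session per line):
# start,end,private_ip,private_port,public_ip,public_port
# Public port 40001 is reused by a different host after the first session
# closes; only the timestamp distinguishes the two.
NAT_LOG = """\
2022-02-28T08:00:00Z,2022-02-28T08:05:00Z,192.168.1.23,51234,203.0.113.20,40001
2022-02-28T08:04:30Z,2022-02-28T08:09:00Z,192.168.1.57,51234,203.0.113.20,40002
2022-02-28T08:10:00Z,2022-02-28T08:12:00Z,192.168.1.99,51300,203.0.113.20,40001
"""

# Constructed asset database keyed by IP address.
ASSET_DB: Dict[str, Dict[str, str]] = {
    "203.0.113.10": {"owner": "web team", "host": "web01"},
    "192.168.1.23": {"owner": "branch-1", "host": "pc-alice"},
    "192.168.1.57": {"owner": "branch-1", "host": "pc-bob"},
    "192.168.1.99": {"owner": "branch-1", "host": "pc-carol"},
}


def ts(text: str) -> datetime:
    """Parse a UTC timestamp in the log's 'YYYY-MM-DDTHH:MM:SSZ' form."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text: str) -> List[Dict]:
    """Parse the constructed CSV session log into session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, priv_ip, priv_port, pub_ip, pub_port = line.split(",")
        sessions.append({"start": ts(start), "end": ts(end),
                         "private_ip": priv_ip, "private_port": int(priv_port),
                         "public_ip": pub_ip, "public_port": int(pub_port)})
    return sessions


def fronts_lan(ip: str) -> bool:
    """True when the pre-stored table says a LAN (i.e. NAT) sits behind ip."""
    return IP_TO_DEVICE_OR_LAN.get(ip, "").startswith("lan:")


def translate_nat(sessions: List[Dict], public_ip: str, public_port: int,
                  when: datetime, skew: timedelta = timedelta(seconds=5)) -> Optional[str]:
    """Return the private IP that held (public_ip, public_port) at `when`.
    `skew` tolerates clock drift between the sensor and the gateway.  Zero or
    more than one candidate is reported as None: guessing would attribute the
    attack to the wrong host."""
    hits = {s["private_ip"] for s in sessions
            if s["public_ip"] == public_ip and s["public_port"] == public_port
            and s["start"] - skew <= when <= s["end"] + skew}
    return hits.pop() if len(hits) == 1 else None


def locate_asset(source_ip: str, source_port: int, when: datetime) -> Optional[Dict[str, str]]:
    """Target asset information for the observed source IP: a direct database
    lookup when no LAN is involved, NAT correlation otherwise."""
    if not fronts_lan(source_ip):
        return ASSET_DB.get(source_ip)
    private_ip = translate_nat(parse_nat_log(NAT_LOG), source_ip, source_port, when)
    return None if private_ip is None else ASSET_DB.get(private_ip)


if __name__ == "__main__":
    print(locate_asset("203.0.113.20", 40001, ts("2022-02-28T08:02:00Z")))
    print(locate_asset("203.0.113.20", 40001, ts("2022-02-28T08:11:00Z")))
```

Querying port 40001 at 08:02 and at 08:11 returns two different hosts, which is exactly why the patent's lookup takes the timestamp and port alongside the source IP; a query that falls between the two sessions returns None.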
Example 4:
Fig. 2 is a schematic structural diagram of a network attack tracing and positioning apparatus provided in an embodiment of the present invention; the apparatus includes:
an obtaining module 201, configured to obtain the source IP address of a network attack and the attacked target IP address;
a determining module 202, configured to, for each pre-stored kind of network, perform a route attribution query on the target IP address in that network to obtain each piece of first routing information and the first attribution corresponding to each piece of first routing information, and to determine, from the target IP address and the IP address segment included in each piece of first routing information, the target first attribution corresponding to the target first routing information whose segment contains the target IP address;
and a tracing and positioning module 203, configured to determine, from the target first attribution obtained for each network and a pre-acquired second attribution corresponding to the target IP address, the target network whose target first attribution equals the second attribution, and to determine the target asset information corresponding to the source IP address within that target network.
Further, the determining module 202 is specifically configured to determine, from the target IP address and the IP address segment included in each piece of first routing information, each target IP address segment that contains the target IP address, and, from the ranges of those target IP address segments, to take the first attribution corresponding to the target first routing information whose segment has the smallest range (the most specific prefix, i.e. a longest-prefix match) as the target first attribution.
Further, the tracing and positioning module 203 is specifically configured to perform a route attribution query on the source IP address in the target network to obtain each piece of second routing information corresponding to the source IP address and the third attribution corresponding to each piece of second routing information, to determine, from the source IP address and the IP address segment included in each piece of second routing information, the target third attribution corresponding to the target second routing information whose segment contains the source IP address, and to query the target asset information corresponding to the source IP address in the pre-stored database that corresponds to that target third attribution.
Further, the tracing and positioning module 203 is specifically configured to determine, from each IP address in the target network and the pre-stored device or local area network corresponding to each such IP address, whether none of the IP addresses in the target network corresponds to a local area network; if so, to determine the target asset information corresponding to the source IP address from the asset information stored in the database for each IP address; and if not, to determine, from the source IP address, the pre-acquired timestamp and the address port, the IP address that the source IP address maps to across Network Address Translation (NAT), and to take the asset information stored in the database for that NAT-mapped IP address as the target asset information corresponding to the source IP address.
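The route-attribution steps of the apparatus above, as an added example that is not the patent's own code (the same steps recur in the electronic device, the storage medium and the claims below, and this block covers all of them). The route tables, network names, attribution labels, database names and addresses are constructed; the "smallest range" rule of the text is implemented as a longest-prefix match, and the example goes slightly beyond the text by treating a second attribution that matches more than one network as an error rather than picking one silently.

```python
"""Longest-prefix-match route attribution and target-network selection for the
tracing procedure described in the apparatus above.

Added example, not the patent's own code.  The route tables, network names,
attribution labels, database names and addresses are all constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# One route table per pre-stored "kind of network": (IP address segment, attribution).
# Overlapping segments are deliberate; the lookup must pick the most specific one.
ROUTE_TABLES: Dict[str, List[Tuple[str, str]]] = {
    "backbone":  [("10.0.0.0/8", "region-A"), ("10.20.0.0/16", "region-B")],
    "idc":       [("10.20.0.0/16", "idc-east"), ("10.20.5.0/24", "idc-east-hall2")],
    "broadband": [("10.0.0.0/8", "bb-national")],
}

# Which asset database holds the assets of each attribution (constructed names).
ASSET_DB_BY_ATTRIBUTION: Dict[str, str] = {
    "idc-east": "assets_idc_east", "idc-east-hall2": "assets_idc_east_hall2",
    "region-A": "assets_region_a", "region-B": "assets_region_b",
    "bb-national": "assets_bb",
}


def route_attribution(table: List[Tuple[str, str]], ip: str) -> Optional[str]:
    """Attribution of the smallest IP address segment containing ip, or None.
    The smallest range is the longest prefix, so this is a longest-prefix match.
    An address of the other IP version never matches (ipaddress returns False)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for segment, attribution in table:
        net = ipaddress.ip_network(segment, strict=False)
        if addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, attribution)
    return None if best is None else best[1]


def target_first_attributions(target_ip: str) -> Dict[str, Optional[str]]:
    """Step 2: the target first attribution of target_ip in every pre-stored network."""
    return {name: route_attribution(table, target_ip) for name, table in ROUTE_TABLES.items()}


def select_target_network(target_ip: str, second_attribution: str) -> Optional[str]:
    """Step 3: the network whose target first attribution equals the pre-acquired
    second attribution.  Several matches mean the attribution labels are not
    unique across networks and any choice would be a guess, so that is an error."""
    matches = [name for name, attribution in target_first_attributions(target_ip).items()
               if attribution is not None and attribution == second_attribution]
    if len(matches) > 1:
        raise ValueError(f"attribution {second_attribution!r} matches several networks: {matches}")
    return matches[0] if matches else None


def trace(source_ip: str, target_ip: str, second_attribution: str) -> Optional[Dict[str, Optional[str]]]:
    """Full pipeline: pick the target network, then the source IP's target third
    attribution in that network and the database in which to query its assets."""
    network = select_target_network(target_ip, second_attribution)
    if network is None:
        return None
    third = route_attribution(ROUTE_TABLES[network], source_ip)
    if third is None:
        return None
    return {"network": network, "third_attribution": third,
            "database": ASSET_DB_BY_ATTRIBUTION.get(third)}


if __name__ == "__main__":
    print(target_first_attributions("10.20.5.7"))
    print(trace("10.20.7.3", "10.20.5.7", "idc-east-hall2"))
```

For target 10.20.5.7 the three constructed networks return region-B, idc-east-hall2 and bb-national respectively; a second attribution of idc-east-hall2 therefore selects the "idc" network, and the source 10.20.7.3 is then attributed within that network to idc-east, whose database is the one to query (the NAT step that follows is shown separately above).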
Example 5:
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. On the basis of the foregoing embodiments, the present application further provides an electronic device including a processor 301, a communication interface 302, a memory 303 and a communication bus 304, where the processor 301, the communication interface 302 and the memory 303 communicate with one another over the communication bus 304;
the memory 303 stores a computer program which, when executed by the processor 301, causes the processor 301 to perform the following steps:
acquiring the source IP address of a network attack and the attacked target IP address;
for each pre-stored kind of network, performing a route attribution query on the target IP address in that network to obtain each piece of first routing information and the first attribution corresponding to each piece of first routing information, and determining, from the target IP address and the IP address segment included in each piece of first routing information, the target first attribution corresponding to the target first routing information whose segment contains the target IP address;
and determining, from the target first attribution obtained for each network and a pre-acquired second attribution corresponding to the target IP address, the target network whose target first attribution equals the second attribution, and determining the target asset information corresponding to the source IP address within that target network.
Further, the processor 301 determining, from the target IP address and the IP address segment included in each piece of first routing information, the target first attribution corresponding to the target first routing information whose segment contains the target IP address specifically includes:
determining, from the target IP address and the IP address segment included in each piece of first routing information, each target IP address segment that contains the target IP address;
and, from the ranges of those target IP address segments, taking the first attribution corresponding to the target first routing information whose segment has the smallest range (the most specific prefix) as the target first attribution.
Further, the processor 301 determining the target asset information corresponding to the source IP address within the target network specifically includes:
performing a route attribution query on the source IP address in the target network to obtain each piece of second routing information corresponding to the source IP address and the third attribution corresponding to each piece of second routing information, and determining, from the source IP address and the IP address segment included in each piece of second routing information, the target third attribution corresponding to the target second routing information whose segment contains the source IP address;
and querying the target asset information corresponding to the source IP address in the pre-stored database that corresponds to that target third attribution.
Further, the processor 301 querying, in the pre-stored database corresponding to the target third attribution, the target asset information corresponding to the source IP address specifically includes:
determining, from each IP address in the target network and the pre-stored device or local area network corresponding to each such IP address, whether none of the IP addresses in the target network corresponds to a local area network;
if so, determining the target asset information corresponding to the source IP address from the asset information stored in the database for each IP address;
if not, determining, from the source IP address, the pre-acquired timestamp and the address port, the IP address that the source IP address maps to across Network Address Translation (NAT), and taking the asset information stored in the database for that NAT-mapped IP address as the target asset information corresponding to the source IP address.
The communication bus mentioned for the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like, and may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration only one thick line is shown, but this does not mean that there is only one bus or only one type of bus.
The communication interface 302 is used for communication between the above-described electronic device and other devices.
The memory may include Random Access Memory (RAM) or Non-Volatile Memory (NVM), such as at least one disk memory. Alternatively, the memory may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit, a Network Processor (NP) and the like; it may also be a Digital Signal Processor (DSP), an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like.
Example 6:
On the basis of the foregoing embodiments, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program executable by a processor; when the program runs on the processor, the processor is caused to execute the following steps:
acquiring the source IP address of a network attack and the attacked target IP address;
for each pre-stored kind of network, performing a route attribution query on the target IP address in that network to obtain each piece of first routing information and the first attribution corresponding to each piece of first routing information, and determining, from the target IP address and the IP address segment included in each piece of first routing information, the target first attribution corresponding to the target first routing information whose segment contains the target IP address;
and determining, from the target first attribution obtained for each network and a pre-acquired second attribution corresponding to the target IP address, the target network whose target first attribution equals the second attribution, and determining the target asset information corresponding to the source IP address within that target network.
Further, determining, from the target IP address and the IP address segment included in each piece of first routing information, the target first attribution corresponding to the target first routing information whose segment contains the target IP address includes:
determining, from the target IP address and the IP address segment included in each piece of first routing information, each target IP address segment that contains the target IP address;
and, from the ranges of those target IP address segments, taking the first attribution corresponding to the target first routing information whose segment has the smallest range (the most specific prefix) as the target first attribution.
Further, determining the target asset information corresponding to the source IP address within the target network includes:
performing a route attribution query on the source IP address in the target network to obtain each piece of second routing information corresponding to the source IP address and the third attribution corresponding to each piece of second routing information, and determining, from the source IP address and the IP address segment included in each piece of second routing information, the target third attribution corresponding to the target second routing information whose segment contains the source IP address;
and querying the target asset information corresponding to the source IP address in the pre-stored database that corresponds to that target third attribution.
Further, querying, in the pre-stored database corresponding to the target third attribution, the target asset information corresponding to the source IP address includes:
determining, from each IP address in the target network and the pre-stored device or local area network corresponding to each such IP address, whether none of the IP addresses in the target network corresponds to a local area network;
if so, determining the target asset information corresponding to the source IP address from the asset information stored in the database for each IP address;
if not, determining, from the source IP address, the pre-acquired timestamp and the address port, the IP address that the source IP address maps to across Network Address Translation (NAT), and taking the asset information stored in the database for that NAT-mapped IP address as the target asset information corresponding to the source IP address.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A network attack tracing and positioning method, characterized by comprising the following steps:
acquiring the source IP address of a network attack and the attacked target IP address;
for each pre-stored kind of network, performing a route attribution query on the target IP address in that network to obtain each piece of first routing information and the first attribution corresponding to each piece of first routing information, and determining, from the target IP address and the IP address segment included in each piece of first routing information, the target first attribution corresponding to the target first routing information whose segment contains the target IP address;
and determining, from the target first attribution obtained for each network and a pre-acquired second attribution corresponding to the target IP address, the target network whose target first attribution equals the second attribution, and determining the target asset information corresponding to the source IP address within that target network.
2. The method according to claim 1, wherein determining, from the target IP address and the IP address segment included in each piece of first routing information, the target first attribution corresponding to the target first routing information whose segment contains the target IP address comprises:
determining, from the target IP address and the IP address segment included in each piece of first routing information, each target IP address segment that contains the target IP address;
and, from the ranges of those target IP address segments, taking the first attribution corresponding to the target first routing information whose segment has the smallest range as the target first attribution.
3. The method according to claim 1, wherein determining the target asset information corresponding to the source IP address within the target network comprises:
performing a route attribution query on the source IP address in the target network to obtain each piece of second routing information corresponding to the source IP address and the third attribution corresponding to each piece of second routing information, and determining, from the source IP address and the IP address segment included in each piece of second routing information, the target third attribution corresponding to the target second routing information whose segment contains the source IP address;
and querying the target asset information corresponding to the source IP address in the pre-stored database that corresponds to that target third attribution.
4. The method according to claim 3, wherein querying, in the pre-stored database corresponding to the target third attribution, the target asset information corresponding to the source IP address comprises:
determining, from each IP address in the target network and the pre-stored device or local area network corresponding to each such IP address, whether none of the IP addresses in the target network corresponds to a local area network;
if so, determining the target asset information corresponding to the source IP address from the asset information stored in the database for each IP address;
if not, determining, from the source IP address, the pre-acquired timestamp and the address port, the IP address that the source IP address maps to across Network Address Translation (NAT), and taking the asset information stored in the database for that NAT-mapped IP address as the target asset information corresponding to the source IP address.
5. A network attack tracing and positioning apparatus, characterized in that the apparatus comprises:
an obtaining module, configured to obtain the source IP address of a network attack and the attacked target IP address;
a determining module, configured to, for each pre-stored kind of network, perform a route attribution query on the target IP address in that network to obtain each piece of first routing information and the first attribution corresponding to each piece of first routing information, and to determine, from the target IP address and the IP address segment included in each piece of first routing information, the target first attribution corresponding to the target first routing information whose segment contains the target IP address;
and a tracing and positioning module, configured to determine, from the target first attribution obtained for each network and a pre-acquired second attribution corresponding to the target IP address, the target network whose target first attribution equals the second attribution, and to determine the target asset information corresponding to the source IP address within that target network.
6. The apparatus according to claim 5, wherein the determining module is specifically configured to determine, from the target IP address and the IP address segment included in each piece of first routing information, each target IP address segment that contains the target IP address, and, from the ranges of those target IP address segments, to take the first attribution corresponding to the target first routing information whose segment has the smallest range as the target first attribution.
7. The apparatus according to claim 5, wherein the tracing and positioning module is specifically configured to perform a route attribution query on the source IP address in the target network to obtain each piece of second routing information corresponding to the source IP address and the third attribution corresponding to each piece of second routing information, to determine, from the source IP address and the IP address segment included in each piece of second routing information, the target third attribution corresponding to the target second routing information whose segment contains the source IP address, and to query the target asset information corresponding to the source IP address in the pre-stored database that corresponds to that target third attribution.
8. The apparatus according to claim 7, wherein the tracing and positioning module is further configured to determine, from each IP address in the target network and the pre-stored device or local area network corresponding to each such IP address, whether none of the IP addresses in the target network corresponds to a local area network; if so, to determine the target asset information corresponding to the source IP address from the asset information stored in the database for each IP address; and if not, to determine, from the source IP address, the pre-acquired timestamp and the address port, the IP address that the source IP address maps to across Network Address Translation (NAT), and to take the asset information stored in the database for that NAT-mapped IP address as the target asset information corresponding to the source IP address.
9. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another over the communication bus;
the memory stores a computer program, and when the program is executed by the processor, the processor is caused to implement the steps of the network attack tracing and positioning method according to any one of claims 1 to 4.
10. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the network attack tracing and positioning method according to any one of claims 1 to 4.
CN202210191657.5A 2022-02-28 2022-02-28 Network attack tracing positioning method, device, equipment and medium Pending CN114567615A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210191657.5A CN114567615A (en) 2022-02-28 2022-02-28 Network attack tracing positioning method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN114567615A true CN114567615A (en) 2022-05-31

Family

ID=81715977

Country Status (1)

Country Link
CN (1) CN114567615A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107135187A (en) * 2016-02-29 2017-09-05 Alibaba Group Holding Ltd. Network attack prevention and control method, apparatus and system
CN110764969A (en) * 2019-10-25 2020-02-07 New H3C Information Security Technologies Co., Ltd. Network attack tracing method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Li Dongjing; Jiang Ping: "An overview of attack source traceback techniques" (攻击源追踪技术概述), China Public Security (中国公共安全), no. 02, 10 June 2005 (2005-06-10) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination