CN114793180A - Method and device for intercepting abnormal network traffic, intercepting equipment and medium - Google Patents


Info

Publication number
CN114793180A
Authority
CN
China
Prior art keywords
information
website
target
terminal
abnormal
Prior art date
Legal status
Pending
Application number
CN202210586010.2A
Other languages
Chinese (zh)
Inventor
王方圆
尚程
何文杰
傅强
梁彧
杨满智
王杰
田野
金红
陈晓光
Current Assignee
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd
Priority date
Application filed by Eversec Beijing Technology Co Ltd
Priority to CN202210586010.2A
Publication of CN114793180A
Legal status: Pending

Classifications

    All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 ... for controlling access to devices or network resources
    • H04L 63/14 ... for detecting or protecting against malicious traffic
    • H04L 63/1408 ... by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/163 In-band adaptation of TCP data exchange; in-band control procedures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for intercepting abnormal network traffic, an intercepting device and a medium. The method is executed by an intercepting device connected in parallel with a network switching device and comprises the following steps: collecting copied data traffic from a bypass of the network switching device, and identifying in it the connection-establishment process information used to establish a TCP connection; extracting from that information the domain name of the website the terminal is about to access, and detecting abnormal websites from the domain name; when the target website that a target terminal is about to access is determined to be abnormal from the target connection-establishment process information, generating TCP connection terminal blocking information matched to the target terminal; and sending that blocking information to the target terminal so as to intercept the target terminal's access to the target website. With this technical scheme, effective connection blocking of massive numbers of abnormal websites can be achieved.

Description

Method and device for intercepting abnormal network traffic, intercepting equipment and medium
Technical Field
The invention relates to the technical field of internet, in particular to a method, a device, an interception device and a medium for intercepting abnormal network traffic.
Background
With the development of internet technology, obtaining information by using a network has become a relatively common information obtaining method at present.
However, when the user acquires the required information through the network, the user may mistakenly enter some abnormal websites, and the abnormal websites may not only propagate some illegal information, but also cause economic loss for the user.
At present, methods for blocking abnormal websites include DNS (Domain Name System) blocking and in-line (tandem) blocking, but DNS blocking has limited capacity and only a single kind of blocking target, and in-line blocking may cause network failure accidents.
Disclosure of Invention
The invention provides a method and a device for intercepting abnormal network traffic, intercepting equipment and a medium, which are used for effectively blocking connection of massive abnormal websites.
According to an aspect of the present invention, there is provided a method for intercepting abnormal network traffic, the method being performed by an intercepting device connected in parallel to a network switching device, the method including:
collecting the copy data flow from a bypass on the network switching equipment, and identifying connection establishment process information used for establishing a Transmission Control Protocol (TCP) connection in the copy data flow, wherein the connection establishment process information is non-encrypted information;
extracting domain name information of a website to be accessed by the terminal in the connection establishing process information, and detecting an abnormal website according to the domain name information;
when a target website to be accessed by a target terminal is determined to be an abnormal website according to the target connection establishment process information, generating TCP connection terminal blocking information matched with the target terminal;
and transmitting the TCP connection terminal blocking information to the target terminal so as to intercept the behavior of the target terminal for accessing the target website.
According to another aspect of the present invention, there is provided an apparatus for intercepting abnormal network traffic, including:
a copied-data-traffic acquisition module, configured to acquire copied data traffic from a bypass on the network switching device and to identify, in the copied data traffic, connection-establishment process information used for establishing a TCP connection, the connection-establishment process information being non-encrypted information;
the domain name extraction module is used for extracting domain name information of a website which the terminal needs to access in the connection establishment process information and detecting abnormal websites according to the domain name information;
the terminal blocking information generating module is used for generating TCP connection terminal blocking information matched with the target terminal when the target website required to be accessed by the target terminal is determined to be an abnormal website according to the target connection establishing process information;
and the terminal blocking information sending module is used for sending the TCP connection terminal blocking information to the target terminal so as to intercept the behavior of the target terminal accessing the target website.
According to another aspect of the present invention, there is provided an intercepting apparatus, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, and the computer program is executed by the at least one processor to enable the at least one processor to execute the method for intercepting abnormal network traffic according to any embodiment of the present invention.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing computer instructions for causing a processor to implement the method for intercepting abnormal network traffic according to any one of the embodiments of the present invention when the computer instructions are executed.
According to the technical scheme of the embodiment of the invention, the intercepting device is connected in parallel to the bypass of the network switching device, the connection-establishment process information exchanged between terminal and website is obtained from the copied data traffic, and the domain name information in it is extracted and identified. Whether a terminal is accessing an abnormal website can thus be judged while the TCP three-way handshake between terminal and website is still in progress, and the access can then be blocked, before the TCP connection is established, by disrupting the normal TCP handshake flow. This provides a new way of effectively blocking connections to abnormal websites in a parallel-connection mode, ensuring an effective blocking effect without affecting the original service traffic of the network switching device.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of an intercepting method of abnormal network traffic according to an embodiment of the present invention;
fig. 2a is a flowchart of a method for intercepting abnormal network traffic according to a second embodiment of the present invention;
fig. 2b is a network architecture diagram of a specific application scenario to which the technical solution of the embodiment of the present invention is applied;
fig. 3 is a schematic structural diagram of an intercepting apparatus for abnormal network traffic according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of an intercepting device for implementing the method for intercepting abnormal network traffic according to the embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of a method for intercepting abnormal network traffic according to an embodiment of the present invention. The embodiment applies to the situation in which, when a terminal initiates access to a website, it is identified whether the accessed website is abnormal and, if so, the access is intercepted. The method may be executed by an abnormal-network-traffic intercepting apparatus, implemented in hardware and/or software and generally configured in an intercepting device with a network data processing function; within the internet, the intercepting device is connected in parallel with the network switching device. As shown in fig. 1, the method includes:
s110, collecting the copy data flow from the bypass of the network switching equipment, and identifying the connection establishment process information for establishing the TCP connection in the copy data flow, wherein the connection establishment process information is non-encrypted information.
In this embodiment, the network switching device is a networking device in the internet configured to transmit data packets between a terminal and a website in a store-and-forward manner; it is generally a switch or router connected (directly or indirectly) in close proximity to the terminal. The intercepting device is connected in parallel with the network switching device and obtains a backup copy of the data traffic passing through the switching device in both directions, i.e. copied data traffic, on the basis of which it analyses the terminal's behaviour in accessing abnormal websites.
The specific method for collecting the copied data traffic from the network switching device's bypass may include: collecting the copied data traffic from the network switching device by optical splitting on the link or by switch port mirroring. Both collect the copied traffic in a parallel (bypass) manner and do not affect network communication while the copy is obtained.
Optical splitting copies and distributes the energy of the optical transmission signal on the accessed fibre through an optical splitter, so the traffic can be collected without affecting transmission on the original link; switch port mirroring copies the packets passing through a designated port to another designated port without affecting the device's normal handling of those packets. Specifically, when the network switching device is directly connected to a designated port of the switch, the copied data traffic may be obtained from that designated port.
The duplicated data traffic may be duplicated data traffic that is bypass-acquired from a network switching device and is based on HTTP (Hyper Text Transfer Protocol), where the duplicated data traffic includes connection establishment process information used to establish a TCP connection.
The connection-establishment process information used to establish the TCP connection is the part of the copied data traffic, sent by at least one of the terminal and the website, that corresponds to the TCP three-way handshake.
In a specific example, a three-way TCP handshake is performed between a client and a server. First handshake: to establish the connection, the client sends a SYN (Synchronize Sequence Number) packet (seq = x) to the server, enters the SYN_SENT state and waits for the server's acknowledgement. Second handshake: on receiving the SYN packet, the server must acknowledge the client's SYN by sending an ACK (Acknowledgement) packet (ack = x+1) together with its own SYN (seq = y), i.e. a SYN+ACK packet; the server then enters the SYN_RECV state. Third handshake: the client receives the SYN+ACK packet from the server and sends an acknowledgement packet ACK (ack = y+1) to the server; once it is sent, both client and server enter the ESTABLISHED (TCP connection successful) state and the three-way handshake is complete. The lower-case words seq and ack above denote sequence numbers; the upper-case words SYN and ACK denote flag bits, whose values are only 1 or 0.
The seq is the sequence number, occupying 4 bytes, and marks the order of data segments: TCP numbers every data byte sent over the connection, the number of the first byte is generated randomly at the local end, and once the bytes are numbered each segment is assigned a sequence number, seq being the number of the first data byte in that segment. The ack is the acknowledgement number, occupying 4 bytes, and denotes the sequence number of the first data byte the peer expects to receive in the next segment, i.e. the number of the last byte of the current segment plus 1. The acknowledgement flag ACK occupies 1 bit; the acknowledgement number field is valid only when ACK is 1 and invalid when ACK is 0. The synchronize flag SYN is used to synchronize sequence numbers when a connection is established: SYN = 1 with ACK = 0 indicates a connection request segment, and if the peer grants the connection its response segment carries SYN = 1 with ACK = 1, so SYN = 1 marks either a connection request or a connection acceptance. The SYN flag is set to 1 only while TCP is establishing the connection and is 0 after the handshake is complete.
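As an added illustration (not code from the patent) of the handshake and flag semantics just described, the following Python parses raw TCP headers from copied traffic, classifies each segment by its SYN/ACK bits and checks the seq/ack relationships of a three-way handshake; the segments are constructed inline, and the port and sequence numbers are made-up values.

```python
"""Parse TCP headers from copied traffic and classify handshake segments.

Added illustration for this page; not code from the patent. Operates on
constructed raw TCP segments (no IP layer) built with struct.
"""
import struct
from dataclasses import dataclass

# TCP flag bits in the low byte of the offset/flags word (RFC 793 layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int

    @property
    def syn(self) -> bool:
        return bool(self.flags & SYN)

    @property
    def ack_set(self) -> bool:
        return bool(self.flags & ACK)


def build_segment(src_port, dst_port, seq, ack, flags) -> bytes:
    """Construct a minimal 20-byte TCP header (constructed test input)."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, then the flag bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, 65535, 0, 0)


def parse_segment(raw: bytes) -> TcpSegment:
    """Decode ports, seq, ack and the 9 flag bits from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, offset_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    return TcpSegment(src, dst, seq, ack, offset_flags & 0x1FF)


def classify(seg: TcpSegment) -> str:
    """Name the handshake role of a segment from its SYN/ACK flag bits."""
    if seg.syn and not seg.ack_set:
        return "connection request (first handshake)"
    if seg.syn and seg.ack_set:
        return "connection acceptance (second handshake)"
    if seg.ack_set:
        return "acknowledgement / established"
    return "other"


def check_handshake(segs):
    """Validate seq/ack relationships across a three-segment handshake.

    Returns (ok, reason). ok is True only when the segments are, in order,
    SYN(seq=x), SYN+ACK(seq=y, ack=x+1), ACK(seq=x+1, ack=y+1) between the
    same two endpoints, with the ports swapped on the server's reply.
    """
    if len(segs) != 3:
        return False, "expected three segments"
    a, b, c = segs
    if classify(a) != "connection request (first handshake)":
        return False, "first segment is not a bare SYN"
    if classify(b) != "connection acceptance (second handshake)":
        return False, "second segment is not SYN+ACK"
    if (b.src_port, b.dst_port) != (a.dst_port, a.src_port):
        return False, "second segment is not a reply to the first"
    if b.ack != (a.seq + 1) & 0xFFFFFFFF:
        return False, "SYN+ACK does not acknowledge client ISN + 1"
    if not c.ack_set or c.syn:
        return False, "third segment is not a pure ACK"
    if (c.src_port, c.dst_port) != (a.src_port, a.dst_port):
        return False, "third segment is not from the client"
    if c.seq != (a.seq + 1) & 0xFFFFFFFF or c.ack != (b.seq + 1) & 0xFFFFFFFF:
        return False, "final ACK seq/ack do not match x+1 / y+1"
    return True, "handshake complete (ESTABLISHED)"


def demo():
    """Constructed handshake: client port 40000 -> server port 80, x=1000, y=5000."""
    x, y = 1000, 5000
    raw = [
        build_segment(40000, 80, x, 0, SYN),
        build_segment(80, 40000, y, x + 1, SYN | ACK),
        build_segment(40000, 80, x + 1, y + 1, ACK),
    ]
    return check_handshake([parse_segment(r) for r in raw])


if __name__ == "__main__":
    print(demo())
```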
In this embodiment, by means of collecting and copying the data traffic by the bypass, it is possible to avoid the influence on the normal forwarding service in the network switching device during the identification process of the abnormal website, and ensure the normal network transmission quality while providing the function of detecting the abnormal website.
Meanwhile, the abnormal website is identified based on the connection establishment process information for establishing the TCP connection, so that the abnormal website can be identified in advance to be blocked before the terminal establishes the TCP connection with the abnormal website, namely, the access of the terminal to the abnormal website is blocked before the terminal receives the webpage content sent by the abnormal website.
And S120, extracting domain name information of the website to be accessed by the terminal in the connection establishing process information, and detecting the abnormal website according to the domain name information.
Because the connection establishment process information is non-encrypted information, the information of the receiving end and the transmitting end is transmitted in the network in a plaintext mode. Further, by analyzing the connection establishment procedure information, it is possible to identify a transmission side and a reception side corresponding to the connection establishment procedure information, for example, connection establishment procedure information transmitted from a certain terminal to a certain website, or connection establishment procedure information transmitted from a certain website to a certain terminal.
Correspondingly, the domain name of the website the terminal is about to access can be extracted from the connection-establishment process information by recognising the identification field that carries the domain name.
The specific method for detecting the abnormal website according to the domain name information may include: and comparing the domain name information with a pre-established abnormal website domain name library, and detecting whether the domain name information is stored in the abnormal website domain name library.
The abnormal-website domain name library stores a plurality of pre-labelled abnormal website domain names. If the domain name of the website the terminal is about to access matches any abnormal domain name in the library, the website is determined to be abnormal; if it matches none of them, the website is determined to be normal.
S130, when the target website required to be accessed by the target terminal is determined to be an abnormal website according to the target connection establishment process information, generating TCP connection terminal blocking information matched with the target terminal.
The TCP connection terminal blocking information is generated aiming at the target terminal and used for blocking the TCP connection establishment process of the target terminal and the target website. Specifically, the TCP connection terminal blocking information may be information having a significant difference from connection establishment process information transmitted in the TCP three-way handshake.
When the target terminal receives the TCP connection terminal blocking information, since the information is obviously different from the connection establishment process information sent by the target website that the target terminal expects to receive, the target terminal does not try to establish the TCP connection with the target website any more, and from the perspective of the user, the target terminal directly receives a blank page which prompts that the webpage cannot be opened.
In an optional implementation manner of this embodiment, a specific method for generating TCP connection terminal blocking information matched with the target terminal may include: and constructing denial of service information which points to the target terminal by the target website according to the identification information of the target terminal and the target website, wherein the denial of service information is used as the TCP connection terminal blocking information.
And S140, transmitting the TCP connection terminal blocking information to the target terminal so as to intercept the behavior of the target terminal for accessing the target website.
It should be emphasized that, to ensure the TCP connection terminal blocking information can be delivered smoothly to the target terminal, the URPF (Unicast Reverse Path Forwarding) function must be disabled on the target terminal's port.
Further, after the target terminal's access to the target website has been intercepted, the effect presented to the user can be extended by simulating different page states, for example by displaying an HTTP return status code in the terminal's web page. The main return status codes include:
• 200: the request succeeded, and the response header or data body expected by the request is returned with the response;
• 201: the request has been fulfilled, a new resource has been created according to the request, and its URI (Uniform Resource Identifier) has been returned with the Location header;
• 202: the server has accepted the request but has not yet processed it;
• 301 (permanently moved): the requested web page has been permanently moved to a new location; when the server returns this response (to a GET or HEAD request), the requester is automatically moved to the new location;
• 302 (temporarily moved): the server currently responds to the request from a web page in a different location, but the requester should continue to use the original location for subsequent requests;
• 303 (see other location): the server returns this code when the requester should retrieve the response with a separate GET request to a different location;
• 304 (not modified): the requested web page has not been modified since the last request, and the server does not return the page content with the response;
• 305 (use proxy): the requester can only access the requested web page through a proxy; if the server returns this response, it also indicates that the requester should use the proxy;
• 307 (temporary redirect): the server currently responds to the request from a web page in a different location, but the requester should continue to use the original location for future requests;
• 401: the current request requires user authentication; if the request already contained Authorization credentials, the 401 response means the server has verified and rejected those credentials;
• 403: the server understood the request but refuses to perform it; unlike 401, authentication does not help, and the request should not be resubmitted;
• 404: the request failed because the resource it wanted was not found on the server;
• 500: the server encountered an unexpected condition that prevented it from completing the request;
• 501: the server does not support a function required by the current request, i.e. it cannot recognise the request method and cannot support the request for any resource;
• 502: a server acting as a gateway or proxy received an invalid response from an upstream server while attempting to execute the request;
• 503: the server is currently unable to process the request because of temporary maintenance or overload; this condition is temporary and will recover after a period of time.
Further, after the TCP connection blocking information is sent to the target terminal to intercept the behavior of the target terminal accessing the target website, the method further includes:
generating TCP connection website blocking information matched with the target website; and sending the TCP connection website blocking information to the target website so as to intercept the behavior of the target website for feeding back response information to a target terminal.
The TCP connection website blocking information is generated for the target website and is used to stop the target website from continuing to feed back response information to the target terminal. Specifically, it may be information indicating that the target terminal has disconnected the TCP connection with the target website. Once the target website receives it, it no longer feeds back response information for any request sent by the target terminal.
The reason is that sending the TCP connection terminal blocking information to the target terminal only prevents the target terminal, on its own side, from continuing to access the target website; it cannot prevent the target website from responding to request information that the target terminal sent before it received the blocking information. The TCP connection website blocking information is therefore sent to the target website at the same time, to ensure the success rate of blocking.
Generating TCP connection website blocking information matched with the target website may include:
and according to the identification information of the target terminal and the target website, constructing disconnection information pointed to the target website by the target terminal, and using the disconnection information as the TCP connection website blocking information.
On this basis, the invention centres on the TCP three-way handshake protocol standard: by interfering with the three-way handshake it disconnects the access link, and by modifying the information of the return packet directed at the target terminal it blocks the target terminal from accessing the abnormal website.
The embodiment of the invention creatively provides a method that, according to the identification information of the target terminal and the target website, constructs denial-of-service information directed from the target website to the target terminal and disconnection information directed from the target terminal to the target website, and uses this information to directly block TCP transmission between the target terminal and the target website, thereby interfering with the target terminal's access to the abnormal website.
According to the technical scheme of the embodiment of the invention, the intercepting device is connected in parallel to the bypass of the network switching device, the connection-establishment process information exchanged between terminal and website is obtained from the copied data traffic, and the domain name information in it is extracted and identified. Whether a terminal is accessing an abnormal website can thus be judged while the TCP three-way handshake between terminal and website is still in progress, and the access can then be blocked, before the TCP connection is established, by disrupting the normal TCP handshake flow. This provides a new way of effectively blocking connections to abnormal websites in a parallel-connection mode, ensuring an effective blocking effect without affecting the original service traffic of the network switching device.
Example two
Fig. 2 is a flowchart of a method of intercepting abnormal network traffic according to a second embodiment of the present invention; this embodiment details the interception process on the basis of the foregoing embodiment. As shown in Fig. 2, the method includes:
S210, collecting HTTP-based copied data traffic from the network switching device via a bypass.
S220, identifying, in the copied data traffic, the connection establishment process information used to establish the TCP connection.
S230, extracting, from the connection establishment process information, the domain name information of the target website that the terminal needs to access.
Extracting the domain name information of the website that the terminal needs to access specifically includes: reading the connection establishment process information; and, in the non-encrypted connection establishment process information, detecting the domain name information it contains by recognizing the domain name identification field.
S240, comparing the extracted domain name information with a pre-established domain name library of abnormal websites.
The abnormal website domain name library is a pre-collected information library containing all domain names that have been determined to belong to abnormal websites. Specifically, the abnormal domain name information may be obtained through a manual labelling platform, or the abnormal labels that different users have attached to abnormal websites they visited may be collected to identify the abnormal domain name information.
S250, judging whether the domain name information is the domain name of an abnormal website: if yes, go to S260; if not, return to S210 and continue monitoring the subsequent copied data traffic without interfering with the normal website access.
S260, according to the identification information of the target terminal and the target website, constructing denial-of-service information directed from the target website to the target terminal as the TCP connection terminal blocking information, and constructing disconnection information directed from the target terminal to the target website as the TCP connection website blocking information.
S270, sending the TCP connection terminal blocking information to the target terminal, and sending the TCP connection website blocking information to the target website.
Specifically, the TCP connection terminal blocking information is sent to the target terminal and the TCP connection website blocking information is sent to the target website; the two may be sent simultaneously. As long as at least one of the target terminal and the target website receives and responds to its blocking information before the normal service request completes, access to the abnormal website is blocked.
S280, when either the target terminal or the target website reads its blocking information and responds to it, the interception is regarded as successful.
In a specific embodiment, after receiving the TCP connection terminal blocking information, the target terminal reads information indicating that the target website cannot respond or cannot provide the requested service; the target terminal then treats the access request as failed and abandons the access. Similarly, after receiving the TCP connection website blocking information, the target website reads information indicating that the target terminal has terminated the access request or that the terminal's browser has disconnected; the target website then treats the access request as failed and stops responding to it. If the target website has already begun responding and transmitting data before either party reads its blocking information, the response is terminated once either party reads it, and the page on the target terminal stops rendering.
S290, after the target terminal's access to the target website has been intercepted, displaying on the target terminal the access failure description that matches the state of the web page.
This has the advantage that the web page return status code can be displayed in the terminal's web page; by displaying it, the access failure is reported to the user in time, the user experience is improved, and the interference is seamless.
According to the technical scheme of this embodiment, the copied data traffic is obtained in a parallel (bypass) deployment without affecting normal network communication, the TCP connection terminal blocking information and the TCP connection website blocking information are sent to the target terminal and the target website respectively, and after a successful interception the matching access failure description is displayed on the target terminal, so that the target terminal's access to the abnormal website is interfered with without leaving a trace.
Specific application scenarios
Fig. 2b shows the network architecture of a specific application scenario to which the technical solution of this embodiment is applied. As shown in Fig. 2b, the terminal sends an access request to the website server; while the request is in transit, the network switching device splits a copy of the traffic to the intercepting device, which extracts the website the terminal is accessing and determines whether it is an abnormal website. For an access request to a normal website the intercepting device does not interfere, and the web server sends the response packet directly to the terminal. If the website is judged to be abnormal, the intercepting device sends a terminal return packet to the terminal and, at the same time, a server return packet to the website server, so that the web server can no longer deliver its normal response packet to the terminal; this is how the abnormal network traffic is intercepted.
The method aims to disconnect the access link by interfering with the TCP three-way handshake, and blocks the target terminal from accessing the abnormal website by modifying the information in the return packets.
Specifically, the user enters a URL (Uniform Resource Locator) in the address bar of the browser on the terminal; the browser parses the URL and checks whether the address is legal. The browser then checks whether a record exists in the browser cache, the system cache or the router cache: if it does, the page content is displayed directly; if not, domain name resolution is performed to obtain the corresponding IP address. The browser initiates a TCP connection to the server of the target website and begins the three-way handshake. The traffic is split in parallel (optical splitting) and the copied data traffic is obtained. In the copied data traffic, the connection establishment process information used to establish the TCP connection is identified, namely the SYN packet sent by the client in the first handshake, and the domain name information of the target website to be accessed is extracted from it. The extracted domain name information is compared with the pre-established abnormal website domain name library: if it is the domain name of a normal website, the normal interaction between the terminal and the server is left alone; if it is the domain name of an abnormal website, the return packet information is modified according to the identification information of the target terminal and the target website, a new terminal return packet and a new server return packet are generated, and the modified terminal return packet and server return packet are sent to the terminal and to the abnormal website server respectively. After the terminal reads the terminal return packet, it concludes that the server cannot provide the service and closes the access request; after the abnormal website server reads the server return packet, it concludes that the requesting device has stopped the access request and stops responding to it. If the abnormal website has already begun responding and transmitting data before either party reads its modified return packet, the response stops once either party reads it and the page in the browser stops rendering; at this point the interception is regarded as successful. A web page return status code is then displayed in the web page to inform the user that the access failed.
EXAMPLE III
Fig. 3 is a schematic structural diagram of an apparatus for intercepting abnormal network traffic according to a third embodiment of the present invention. As shown in Fig. 3, the apparatus includes a copied data traffic collection module 310, a domain name extraction module 320, a terminal blocking information generation module 330 and a terminal blocking information sending module 340, wherein:
the copied data traffic collection module 310 is configured to collect copied data traffic from the network switching device via a bypass, and to identify, in the copied data traffic, the connection establishment process information used to establish a TCP connection, the connection establishment process information being non-encrypted information;
the domain name extraction module 320 is configured to extract, from the connection establishment process information, the domain name information of the website that the terminal needs to access, and to detect an abnormal website according to the domain name information;
the terminal blocking information generation module 330 is configured to generate TCP connection terminal blocking information matching the target terminal when it is determined, according to the target connection establishment process information, that the target website to be accessed by the target terminal is an abnormal website;
and the terminal blocking information sending module 340 is configured to send the TCP connection terminal blocking information to the target terminal so as to intercept the target terminal's access to the target website.
On the basis of the foregoing embodiments, the copied data traffic collection module 310 may further be specifically configured to:
collect HTTP-based copied data traffic from the network switching device via a bypass, using optical link splitting or switch port mirroring;
and obtain, in the copied data traffic, the connection establishment process information sent by the terminal and/or the website that matches the TCP three-way handshake process.
On the basis of the foregoing embodiments, the domain name extraction module 320 may further be specifically configured to: compare the domain name information with the pre-established abnormal website domain name library, and detect whether the domain name information is stored in that library.
On the basis of the foregoing embodiments, the apparatus may further include:
a website blocking information generation module, configured to generate TCP connection website blocking information matching the target website when it is determined, according to the target connection establishment process information, that the target website to be accessed by the target terminal is an abnormal website.
On the basis of the foregoing embodiments, the apparatus may further include:
a website blocking information sending module, configured to send the TCP connection website blocking information to the target website so as to intercept the target website from feeding back response information to the target terminal.
The device for intercepting abnormal network traffic provided by the embodiment of the invention can execute the method for intercepting abnormal network traffic provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example four
Fig. 4 shows a schematic structural diagram of an intercepting device 40 that can be used to implement an embodiment of the present invention. The intercepting device is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other suitable computers. The intercepting device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the intercepting device 40 includes at least one processor 41, and a memory communicatively connected to the at least one processor 41, such as a Read Only Memory (ROM)42, a Random Access Memory (RAM)43, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 41 can perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM)42 or the computer program loaded from the storage unit 48 into the Random Access Memory (RAM) 43. In the RAM 43, various programs and data necessary for the operation of the intercepting apparatus 40 can also be stored. The processor 41, the ROM 42, and the RAM 43 are connected to each other via a bus 44. An input/output (I/O) interface 45 is also connected to the bus 44.
A number of components in the intercepting device 40 are connected to the I/O interface 45, including: an input unit 46 such as a keyboard, a mouse, or the like; an output unit 47 such as various types of displays, speakers, and the like; a storage unit 48 such as a magnetic disk, optical disk, or the like; and a communication unit 49 such as a network card, modem, wireless communication transceiver, etc. The communication unit 49 allows the intercepting device 40 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
Processor 41 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 41 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. Processor 41 performs the various methods and processes described above, such as a method of intercepting abnormal network traffic. Namely:
collecting copied data traffic from the network switching device via a bypass, and identifying, in the copied data traffic, the connection establishment process information used to establish a TCP connection, wherein the connection establishment process information is non-encrypted information;
extracting domain name information of a website to be accessed by the terminal in the connection establishing process information, and detecting an abnormal website according to the domain name information;
when a target website to be accessed by a target terminal is determined to be an abnormal website according to the target connection establishment process information, generating TCP connection terminal blocking information matched with the target terminal;
and sending the TCP connection terminal blocking information to the target terminal so as to intercept the behavior of the target terminal accessing the target website.
In some embodiments, the method of intercepting abnormal network traffic may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 48. In some embodiments, part or all of the computer program may be loaded and/or installed on the intercepting device 40 via the ROM 42 and/or the communication unit 49. When the computer program is loaded into the RAM 43 and executed by the processor 41, one or more steps of the above described method of intercepting abnormal network traffic may be performed. Alternatively, in other embodiments, processor 41 may be configured by any other suitable means (e.g., by way of firmware) to perform the method of intercepting abnormal network traffic.
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Computer programs for implementing the methods of the present invention can be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described herein may be implemented on an intercepting device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the intercepting device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the Internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An interception method of abnormal network traffic, characterized by being executed by an interception device connected in parallel with a network switching device, the method comprising:
collecting copied data traffic from the network switching device via a bypass, and identifying, in the copied data traffic, the connection establishment process information for establishing a Transmission Control Protocol (TCP) connection, wherein the connection establishment process information is non-encrypted information;
extracting domain name information of a website to be accessed by the terminal in the connection establishing process information, and detecting an abnormal website according to the domain name information;
when a target website to be accessed by a target terminal is determined to be an abnormal website according to the target connection establishment process information, generating TCP connection terminal blocking information matched with the target terminal;
and sending the TCP connection terminal blocking information to the target terminal so as to intercept the behavior of the target terminal accessing the target website.
2. The method of claim 1, wherein collecting copied data traffic from the network switching device via a bypass comprises:
collecting the copied data traffic from the network switching device via a bypass using optical link splitting or switch port mirroring.
3. The method of claim 2, wherein collecting copied data traffic from the network switching device via a bypass comprises:
collecting HTTP-based copied data traffic from the network switching device via a bypass.
4. The method of claim 1, wherein identifying, in the copied data traffic, the connection establishment process information for establishing a TCP connection comprises:
obtaining, in the copied data traffic, the connection establishment process information sent by the terminal and/or the website that matches the TCP three-way handshake process.
5. The method according to claim 1, wherein the detecting the abnormal website according to the domain name information comprises:
and comparing the domain name information with a pre-established abnormal website domain name library, and detecting whether the domain name information is stored in the abnormal website domain name library.
6. The method according to any one of claims 1 to 5, wherein, while generating TCP connection terminal blocking information matching the target terminal, the method further comprises:
generating TCP connection website blocking information matched with the target website;
and sending the TCP connection website blocking information to the target website so as to intercept the behavior of the target website for feeding back response information to a target terminal.
7. The method according to any one of claims 1 to 5, wherein generating TCP connection terminal blocking information matching the target terminal comprises:
constructing, according to the identification information of the target terminal and the target website, denial-of-service information directed from the target website to the target terminal as the TCP connection terminal blocking information;
and generating TCP connection website blocking information matching the target website comprises:
constructing, according to the identification information of the target terminal and the target website, disconnection information directed from the target terminal to the target website as the TCP connection website blocking information.
8. An apparatus for intercepting abnormal network traffic, configured on an intercepting device connected in parallel to a network switching device, comprising:
a copied data traffic collection module, configured to collect copied data traffic from the network switching device via a bypass and to identify, in the copied data traffic, the connection establishment process information used to establish a Transmission Control Protocol (TCP) connection, wherein the connection establishment process information is non-encrypted information;
the domain name extraction module is used for extracting domain name information of a website which the terminal needs to access in the connection establishment process information and detecting abnormal websites according to the domain name information;
the terminal blocking information generating module is used for generating TCP connection terminal blocking information matched with the target terminal when the target website required to be accessed by the target terminal is determined to be an abnormal website according to the target connection establishing process information;
and the terminal blocking information sending module is used for sending the TCP connection terminal blocking information to the target terminal so as to intercept the behavior of the target terminal accessing the target website.
9. An intercepting device, characterized in that the intercepting device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of intercepting abnormal network traffic of any one of claims 1-7.
10. A computer-readable storage medium, having stored thereon computer instructions for causing a processor to execute a method for intercepting abnormal network traffic according to any one of claims 1 to 7.
CN202210586010.2A 2022-05-26 2022-05-26 Method and device for intercepting abnormal network traffic, intercepting equipment and medium Pending CN114793180A (en)

Publications (1)

Publication Number Publication Date
CN114793180A true CN114793180A (en) 2022-07-26

Similar Documents

Publication Publication Date Title
US8448233B2 (en) Dealing with web attacks using cryptographically signed HTTP cookies
US20130151587A1 (en) Filtering system and filtering method
CN108833950B (en) Barrage message issuing method, server, system and storage medium
KR102167613B1 (en) Message push method and device
EP2895981B1 (en) System and method for sharing login status between an application platform and an application
CN108200218B (en) Method and device for realizing load balance and electronic equipment
US11416564B1 (en) Web scraper history management across multiple data centers
CN102143177A (en) Portal authentication method, Portal authentication device,Portal authentication equipment and Portal authentication system
CN112134960B (en) Data request method and device
CN107682442A (en) Web connection method and device
US20230208839A1 (en) Access control policy for proxy services
GB2562535A (en) Method for privacy protection
EP2640035B1 (en) Hypertext transfer protocol (http) stream association method and device
CN106411978B (en) Resource caching method and device
CN107241451B (en) Interference method, apparatus and system are distorted based on content distributing network
CN115037537A (en) Abnormal traffic interception and abnormal domain name identification method, device, equipment and medium
CN107070947A (en) Method and system for network access based on access authentication
CN115514682B (en) Data transmission method, device, equipment and storage medium
CN114793180A (en) Method and device for intercepting abnormal network traffic, intercepting equipment and medium
CN111416851A (en) Method for session synchronization among multiple load balancers and load balancer
CN113596105B (en) Content acquisition method, edge node and computer readable storage medium
US9674052B2 (en) Data packet stream fingerprint
CN113411228A (en) Network condition determining method and server
EP3691208A1 (en) Traffic optimization method for transparent cache, load balancer and storage medium
TW201644249A (en) Devices and methods for performing TCP handshakes

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination