CN115052004A - Network access bypass monitoring method and electronic equipment - Google Patents


Info

Publication number: CN115052004A
Authority: CN (China)
Application number: CN202210661338.6A
Other languages: Chinese (zh)
Legal status: Pending
Inventors: 柳翔翔, 国占飞
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering


Abstract

The embodiments of this application disclose a network access bypass monitoring method and an electronic device. The method comprises the following steps: obtaining a mirrored copy of the access packet through a mirror port; steering the target packet among the mirrored packets to the Netfilter framework through a receiving function in the operating system kernel; determining, through a first hook function in the Netfilter framework and based on the target packet, whether the source device of the access packet meets the access condition; and, when the source device does not meet the access condition, sending a forged blocking packet to both the source device and the target device of the access packet through a second hook function in the Netfilter framework, so as to request that the network connection between them be disconnected. The whole monitoring process is completed inside the operating system kernel, so no data has to be copied between the kernel layer and the application layer; this improves data processing efficiency and response speed, avoids monitoring failures, and helps reduce the use of system resources and cache space.

Description

Network access bypass monitoring method and electronic equipment
Technical Field
The embodiment of the application relates to the technical field of security protection, in particular to a network access bypass monitoring method and electronic equipment.
Background
A gateway usually implements the device admission control function, and the gateway device has to be connected in series (inline) in the network, so network data can reach the corresponding device only after being forwarded through the gateway. Some customers, however, do not want gateway devices cascaded inline in their network systems. In that case the communication connection can only be blocked by receiving mirrored packets from the core switch of the network and, once the source device is determined not to meet the admission condition, replying with forged blocking packets.
In the prior art, bypass admission control copies the network packets entering the network card from the kernel layer to the application layer with a packet-capture tool so that an application program can analyse them; for a communication connection that needs to be blocked, the application program forges a packet, which is then copied back to the kernel layer and transmitted through the network card. The problem with this approach is the delay between capture and response: from capturing the packet with the tool, through analysis and detection, to sending the blocking packet, the data is copied twice, from the kernel layer to the application layer and from the application layer back to the kernel layer, so there is a certain delay, and the blocking operation easily fails because the forged packet is discarded or the communication connection has already completed.
Disclosure of Invention
In view of the foregoing problems in the prior art, embodiments of the present application provide a network access bypass monitoring method and an electronic device with high monitoring efficiency.
In order to solve the above problems, the embodiments of the present application provide a technical solution that:
a network access bypass monitoring method is applied to electronic equipment and comprises the following steps:
obtaining a mirrored copy of the access packet through a mirror port;
steering the target packet among the mirrored packets to the Netfilter framework through a receiving function in the operating system kernel, the target packet being a mirrored packet whose destination address does not point to the electronic device;
determining, through a first hook function in the Netfilter framework and based on the target packet, whether the source device of the access packet meets the access condition; and
when the source device does not meet the access condition, sending a forged blocking packet to the source device and the target device of the access packet through a second hook function in the Netfilter framework, so as to request that the network connection between the source device and the target device be disconnected.
In some embodiments, the method further comprises:
when the source device meets the access condition, discarding the target packet.
In some embodiments, determining, through the first hook function in the Netfilter framework and based on the target packet, whether the source device of the access packet meets the access condition includes:
obtaining the source address of the target packet through the first hook function in the Netfilter framework;
determining whether the source address matches address information in a preset form;
when the source address matches at least one piece of address information in the preset form, determining that the source device does not meet the access condition; or
when the source address does not match any address information in the preset form, determining that the source device does not meet the access condition.
In some embodiments, the preset form contains address information and a first hash value corresponding to each of the address information; the determining whether the source address is matched with the address information in the preset form includes:
generating a second hash value based on the source address;
determining whether the second hash value matches the first hash value in the preset form.
In some embodiments, sending the forged blocking packet to the source device and the target device of the access packet through the second hook function in the Netfilter framework includes:
sending the forged blocking packets to the source device and the target device of the access packet through a second hook function registered under the PREROUTING chain of the raw table in the Netfilter framework.
In some embodiments, sending the forged blocking packet to the source device and the target device of the access packet through the second hook function in the Netfilter framework includes:
when the access packet is a TCP (Transmission Control Protocol) packet, sending the forged blocking packets to the source device and the target device of the access packet through the nf_send_reset function in the Netfilter framework; and
when the access packet is a UDP packet, sending the forged blocking packets to the source device and the target device of the access packet through the nf_send_unreach function in the Netfilter framework.
An electronic device, comprising:
an acquisition module, configured to obtain a mirrored copy of the access packet through a mirror port;
a guiding module, configured to steer the target packet among the mirrored packets to the Netfilter framework through a receiving function in the operating system kernel, the target packet being a mirrored packet whose destination address does not point to the electronic device;
a determining module, configured to determine, through a first hook function in the Netfilter framework and based on the target packet, whether the source device of the access packet meets the access condition; and
a sending module, configured to send, when the source device does not meet the access condition, a forged blocking packet to the source device and the target device of the access packet through a second hook function in the Netfilter framework, so as to request that the network connection between the source device and the target device be disconnected.
In some embodiments, the electronic device further comprises:
a discarding module, configured to discard the target packet when the source device meets the access condition.
In some embodiments, the determining module is specifically configured to:
obtain the source address of the target packet through the first hook function in the Netfilter framework;
determine whether the source address matches address information in a preset form;
when the source address matches at least one piece of address information in the preset form, determine that the source device does not meet the access condition; or
when the source address does not match any address information in the preset form, determine that the source device does not meet the access condition.
In some embodiments, the sending module is specifically configured to:
send the forged blocking packets to the source device and the target device of the access packet through a second hook function registered under the PREROUTING chain of the raw table in the Netfilter framework.
The network access bypass monitoring method obtains a mirrored copy of the access packet through a mirror port, steers the mirrored packet to the Netfilter framework through a receiving function in the operating system kernel, determines through a first hook function in the Netfilter framework, based on the target packet, whether the source device of the access packet meets the access condition, and, when it does not, sends a forged blocking packet to the source device and the target device of the access packet through a second hook function in the Netfilter framework so as to request that the network connection between them be disconnected. The whole monitoring process is therefore completed inside the operating system kernel, no data has to be copied between the kernel layer and the application layer, data processing efficiency and response speed improve, monitoring failures are avoided, and the use of system resources and cache space is reduced.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
fig. 1 is a scene diagram of a network access bypass monitoring method according to an embodiment of the present application;
fig. 2 is a flowchart of a network access bypass monitoring method according to an embodiment of the present application;
fig. 3 is a flowchart of step S230 in the network access bypass monitoring method according to the embodiment of the present application;
fig. 4 is a block diagram of an electronic device according to an embodiment of the present application;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
The embodiment of this application provides a network access bypass monitoring method applied to an electronic device, which may be any device capable of bypass monitoring of network access, such as a server. As shown in fig. 1, taking the protection of an intranet 104 as an example, the intranet 104 may contain a number of terminal devices, an intermediate device such as a gateway 103 may be placed between the router 102 and the intranet 104, the gateway 103 may provide a mirror port, and the electronic device 101 may be connected to the gateway 103 through that mirror port. Access packets sent to the intranet 104 via the router 102 flow through the gateway 103, and mirrored copies of them can be obtained through the mirror port, so that the electronic device 101 can perform bypass monitoring of the network access directed at the intranet 104 based on the mirrored packets.
It should be noted that the network access bypass monitoring method of this embodiment is not limited to protecting an intranet; it may also protect a target device that is itself the accessed target, such as a server. Nor is the mirror port limited to a gateway; it may be provided on another intermediate network device such as a router.
Fig. 2 is a flowchart of a network access bypass monitoring method according to an embodiment of the present application, and referring to fig. 2, the network access bypass monitoring method according to the embodiment of the present application may specifically include the following steps.
S210, acquiring the mirror image message of the access message through the mirror image port.
An access packet is a packet sent from a source device to a target device. Taking the protection of terminal devices in an intranet as an example, the source device may be a terminal device in the extranet, the target device a terminal device in the intranet, and the access packet a packet sent from the extranet terminal to the intranet terminal. Taking the protection of a server as an example, the target device may be the protected server and the source device a terminal device performing an access operation on that server. Optionally, a mirror port may be set up on the gateway between the router and the intranet, and a mirrored copy of the access packet obtained through it, so that normal transmission of the access packet is not affected and the purpose of bypass monitoring is achieved.
S220, steering the target packet among the mirrored packets to the Netfilter framework through a receiving function in the operating system kernel. The target packet is a mirrored packet whose destination address does not point to the electronic device.
Optionally, when a mirrored packet arrives the receiving function may read its destination address and determine whether it points to the electronic device that performs the bypass monitoring. If it does, the access packet was addressed to the electronic device itself, and the mirrored packet can be passed up to the application layer of the operating system for processing. If it does not, the access packet is addressed to another device such as a terminal device or server in the intranet, must be monitored, and is forwarded into the Netfilter framework in the operating system kernel. Optionally, the destination address may be an IP address, a MAC address, or the like.
Optionally, the receiving function may be, for example, the ip_rcv function of the network layer, which serves as the entry function of the network layer and is responsible for receiving the packet data handed up by the link layer. The conventional ip_rcv function discards a packet when it determines that the packet's destination address does not point to the electronic device itself. To make ip_rcv steer such packets to the Netfilter framework instead, the code of the conventional ip_rcv function can be modified so that it passes a target packet to the Netfilter framework whenever it identifies one.
Of course, the receiving function is not limited to ip_rcv; other functions may serve, as long as they can identify the target packets among the mirrored packets and forward them to the Netfilter framework.
S230, determining, through a first hook function in the Netfilter framework and based on the target packet, whether the source device of the access packet meets the access condition.
The Netfilter framework comprises several tables, such as the raw, mangle, nat and filter tables, and each table may contain several chains. The raw table, for example, may contain a PREROUTING chain and an OUTPUT chain. The first hook function may be a hook function registered on any chain of any of these tables. Any packet data entering the Netfilter framework can trigger the first hook function, which determines whether the source device meets the access condition.
Optionally, the access condition is a condition under which the source device is allowed to access the target device, for example that the source device is not a malicious device. The first hook function may, for instance, extract from the packet data the source IP address and source port number that identify the source device and determine from them whether the source device is non-malicious.
S240, when the source device does not meet the access condition, sending a forged blocking packet to the source device and the target device of the access packet through a second hook function in the Netfilter framework, so as to request that the network connection between the source device and the target device be disconnected.
Optionally, the second hook function may take from the packet data the source IP address and source port number pointing to the source device and the destination IP address and destination port number pointing to the target device, forge from these one blocking packet for the source device and one for the target device, invoke the network card driver directly, and have the driver send the blocking packets to the source device and the target device respectively, so that the two disconnect the network connection between them.
Alternatively, like the first hook function, the second hook function may be registered under any chain of any of the tables. For example, the first and second hook functions may be added under the same chain of the same table in the Netfilter framework.
S250, when the source device meets the access condition, discarding the target packet.
That is, if the source device meets the access condition, the target packet can be discarded immediately so that it does not occupy cache space. Optionally, a rule may be added under the same chain as the second hook function in the Netfilter framework to discard the target packet in response to the first hook function determining that the source device meets the access condition.
In some embodiments, as shown in fig. 3, in step S230, determining whether the source device of the access packet meets the access condition based on the target packet by using the first hook function in the Netfilter framework may include the following steps.
S231, obtaining the source address of the target message through a first hook function in the Netfilter framework.
S232, whether the source address is matched with the address information in the preset form is determined.
S233, determining that the source device does not comply with the access condition when the source address matches at least one address information in a preset form.
S234, determining that the source device meets the access condition when the preset form does not have address information matching the source address.
Optionally, a preset form may be configured in which the address information of malicious devices is recorded, for example their IP addresses and port numbers. The preset form is then in effect a blacklist.
Once a target packet has been identified, its source address can be obtained through the first hook function in the Netfilter framework; for example, the source IP address, or both the source IP address and the source port number, may be read from the header of the target packet.
The source IP address is then matched against the IP addresses in the preset form. If it matches an IP address in the blacklist, the source device that sent the corresponding access packet is a malicious device and is determined not to meet the access condition; if it matches no IP address in the blacklist, the source device is a non-malicious device and meets the access condition.
When the blacklist records an IP address and a port number together, the source IP address and source port number are matched against the IP address and port number together, and if both the IP address and the port number of the same record in the blacklist match the source IP address and source port number, the source device is determined not to meet the access condition.
It should be noted that in a specific implementation the preset form is not limited to recording the address information of malicious devices; it may instead record the address information of non-malicious devices, for example the IP addresses and port numbers of legitimate devices. In that case the source device is determined not to meet the access condition when its source address does not match any address information in the preset form; that is, when the source device is determined not to be a legitimate device, it is determined not to meet the access condition.
In some embodiments, the preset form contains address information and a first hash value corresponding to each piece of address information, and step S232, determining whether the source address matches the address information in the preset form, may include the following steps.
S2321, generating a second hash value based on the source address.
S2322, determining whether the second hash value matches a first hash value in the preset form.
Alternatively, when only IP addresses are recorded in the preset form, the first hash value may be generated from the IP address; when an IP address and a port number are recorded together, the first hash value may be generated from the IP address and the port number. Correspondingly, the second hash value may be generated from the source IP address alone, or from the source IP address and the source port number.
The second hash value is then matched against the first hash values in the preset form. When the preset form is a blacklist, the source device is determined not to meet the access condition if the second hash value matches one of the first hash values, and to meet it if the preset form holds no first hash value matching the second hash value.
When the preset form is a whitelist, the source device is determined not to meet the access condition if the preset form holds no first hash value matching the second hash value, and to meet it if such a first hash value exists. Matching address information through hash values is fast and helps improve monitoring efficiency and response speed.
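The blacklist/whitelist lookup of steps S231 to S234 and the hashed comparison of steps S2321 and S2322, modelled in user-space C as an added example that is not part of the patent or its implementation. The FNV-1a hash, the fixed-size table (FORM_MAX) and the sample addresses are this example's assumptions; the patent does not name a hash function.

```c
/* Added example, not the patent's code: user-space model of the "preset form"
 * lookup (S231-S234) and its hash matching (S2321-S2322). A record keeps only
 * the precomputed "first hash value" of an IPv4 address, optionally folded with
 * a port; a mirrored packet's source address is hashed the same way into the
 * "second hash value" and compared. FNV-1a, FORM_MAX, sample IPs: assumptions. */
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FORM_MAX 64
enum form_mode { FORM_BLACKLIST, FORM_WHITELIST };

struct form_entry {
    uint64_t first_hash; /* hash of IP, or of IP+port when with_port is set */
    bool     with_port;  /* an IP-only record matches the source on any port */
};
struct preset_form {
    enum form_mode    mode;
    size_t            count;
    struct form_entry entries[FORM_MAX];
};

/* 64-bit FNV-1a over the network-order IP bytes, then the network-order port
 * bytes when requested, so the value does not depend on host endianness. */
static uint64_t hash_addr(uint32_t ip_be, uint16_t port_be, bool with_port)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    const uint8_t *p = (const uint8_t *)&ip_be;
    for (size_t i = 0; i < sizeof ip_be; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    if (with_port) {
        p = (const uint8_t *)&port_be;
        for (size_t i = 0; i < sizeof port_be; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    }
    return h;
}

/* Add "a.b.c.d" or "a.b.c.d:port" to the form; only its hash is retained.
 * Returns false for malformed input or when the form is full. */
bool form_add(struct preset_form *f, const char *spec)
{
    char ipstr[INET_ADDRSTRLEN];
    struct in_addr a;
    uint16_t port_be = 0;
    bool with_port = false;
    const char *colon = strchr(spec, ':');
    size_t iplen = colon ? (size_t)(colon - spec) : strlen(spec);

    if (f->count >= FORM_MAX || iplen == 0 || iplen >= sizeof ipstr) return false;
    memcpy(ipstr, spec, iplen);
    ipstr[iplen] = '\0';
    if (inet_pton(AF_INET, ipstr, &a) != 1) return false;
    if (colon) {
        char *end;
        unsigned long port = strtoul(colon + 1, &end, 10);
        if (colon[1] == '\0' || *end != '\0' || port > 65535) return false;
        port_be = htons((uint16_t)port);
        with_port = true;
    }
    f->entries[f->count].first_hash = hash_addr(a.s_addr, port_be, with_port);
    f->entries[f->count].with_port  = with_port;
    f->count++;
    return true;
}

/* The first hook's decision: hash the source IP alone and with the source
 * port, compare each record against the hash it was built from, then apply
 * the mode (blacklist: a hit is a malicious source; whitelist: a miss is an
 * unknown source). True means the source device meets the access condition
 * and the target packet is just dropped (S250); false means blocking packets
 * are to be sent (S240). */
bool source_meets_access_condition(const struct preset_form *f,
                                   uint32_t src_ip_be, uint16_t src_port_be)
{
    uint64_t h_ip   = hash_addr(src_ip_be, 0, false);
    uint64_t h_both = hash_addr(src_ip_be, src_port_be, true);
    bool matched = false;

    for (size_t i = 0; i < f->count && !matched; i++) {
        const struct form_entry *e = &f->entries[i];
        matched = (e->first_hash == (e->with_port ? h_both : h_ip));
    }
    return f->mode == FORM_BLACKLIST ? !matched : matched;
}

/* Dotted-quad front end for the demo below and for tests. */
bool check_source(const struct preset_form *f, const char *ip, unsigned port)
{
    struct in_addr a;
    if (port > 65535 || inet_pton(AF_INET, ip, &a) != 1) return false;
    return source_meets_access_condition(f, a.s_addr, htons((uint16_t)port));
}

int main(void)
{
    struct preset_form bl = { .mode = FORM_BLACKLIST, .count = 0 };
    form_add(&bl, "203.0.113.7");       /* constructed: blocked on any port  */
    form_add(&bl, "198.51.100.9:4444"); /* constructed: blocked on port 4444 */
    printf("198.51.100.9:4444 -> %s\n", check_source(&bl, "198.51.100.9", 4444) ? "drop copy" : "block");
    printf("198.51.100.9:53   -> %s\n", check_source(&bl, "198.51.100.9", 53) ? "drop copy" : "block");
    return 0;
}
```

Because the form keeps only hashes, as the claim describes, a hash collision between an unlisted address and a listed one becomes a wrong admission decision; a deployment would keep the address beside its hash and confirm it on a hit.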
In some embodiments, step S240, sending the forged blocking packet to the source device and the target device of the access packet through the second hook function in the Netfilter framework, may include the following step.
Sending the forged blocking packets to the source device and the target device of the access packet through a second hook function registered under the PREROUTING chain of the raw table in the Netfilter framework.
The Netfilter framework comprises the raw, mangle, nat and filter tables arranged in that order, and the raw table may comprise a PREROUTING chain and an OUTPUT chain arranged in that order; the raw table is therefore the first table in the Netfilter framework and the PREROUTING chain the first chain in the raw table. With the first and second hook functions registered under the first chain of the first table, they can process the target packet immediately after it is steered into the Netfilter framework, which helps raise the data processing speed and hence the detection efficiency.
Alternatively, a REJECT rule may be registered under the PREROUTING chain of the raw table by, for example, the iptables program, so that it forms the second hook function under that chain. Since the PREROUTING chain does not support adding conventional REJECT rules, the kernel source file ipt_REJECT.c can be modified to change the default configuration of the operating system kernel so that the PREROUTING chain accepts REJECT rules.
In some embodiments, step S240, sending the forged blocking packet to the source device and the target device of the access packet through the second hook function in the Netfilter framework, may include the following steps.
When the access packet is a Transmission Control Protocol (TCP) packet, sending the forged blocking packet to the source device and the target device of the access packet through the nf_send_reset function in the Netfilter framework.
When the access packet is a User Datagram Protocol (UDP) packet, sending the forged blocking packet to the source device and the target device of the access packet through the nf_send_unreach function in the Netfilter framework.
That is, the second hook function may comprise the two functions nf_send_reset and nf_send_unreach, the former provided for the TCP protocol and the latter for the UDP protocol. Because the conventional nf_send_reset and nf_send_unreach functions have to look up the routing table before they can generate the blocking packet and call the network card driver to send it, the kernel source file nf_reject_ipv4.c can be modified so that the two functions generate the blocking packet directly from the target packet and call the network card driver to send it even when no routing table entry is available.
When the access packet is determined to be a TCP packet, nf_send_reset can be called to generate an RST packet carrying the RST flag, and through nf_send_reset the network card driver is invoked to send the RST packet to the source device and to the target device. When the access packet is determined to be a UDP packet, nf_send_unreach can be called to generate an unreachable packet (an ICMP destination-unreachable message), and through nf_send_unreach the network card driver is invoked to send the unreachable packet to the source device and to the target device. Thus the method and device can monitor both TCP and UDP access packets and perform the blocking operation for each.
Referring to fig. 4, an embodiment of the present application further provides an electronic device, including:
an obtaining module 301, configured to obtain a mirror image message of the access message through a mirror image port;
a guiding module 302, configured to guide a target message in the mirror image message to the Netfilter framework through a receiving function in the operating system kernel; the target message is the mirror image message whose destination address does not point to the electronic device;
a determining module 303, configured to determine, based on the target message, whether the source device of the access message meets the access condition through a first hook function in the Netfilter framework;
a sending module 304, configured to send a forged blocking message to the source device and the target device of the access message through a second hook function in the Netfilter framework when the source device does not meet the access condition, so as to request to disconnect the network connection between the source device and the target device.
In some embodiments, the electronic device further includes:
a discarding module, configured to discard the target message under the condition that the source device meets the access condition.
In some embodiments, the determining module 303 is specifically configured to:
acquire a source address of the target message through a first hook function in the Netfilter framework;
determine whether the source address matches the address information in a preset form;
under the condition that the source address matches at least one piece of address information in the preset form, determine that the source device does not meet the access condition; or
under the condition that the source address does not match any address information in the preset form, determine that the source device does not meet the access condition.
In some embodiments, the preset form contains address information and a first hash value corresponding to each piece of address information; the determining module 303 is specifically configured to:
generate a second hash value based on the source address;
determine whether the second hash value matches a first hash value in the preset form.
In some embodiments, the sending module 304 is specifically configured to:
send forged blocking messages to the source device and the target device of the access message through a second hook function under the PREROUTING chain in the raw table in the Netfilter framework.
In some embodiments, the sending module 304 is specifically configured to:
under the condition that the access message conforms to the TCP protocol, send forged blocking messages to the source device and the target device of the access message through the nf_send_reset function in the Netfilter framework;
under the condition that the access message conforms to the UDP protocol, send forged blocking messages to the source device and the target device of the access message through the nf_send_unreach function in the Netfilter framework.
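The decision path of the determining module (second hash of the source address compared against the first hash values in the preset form, in both the blocklist and allowlist branches) and the sending module's choice between nf_send_reset for TCP and nf_send_unreach for UDP, as a user-space model added here for illustration; it is not code from the patent or its applicant. The hash function (FNV-1a), the table layout, the verdict names and the sample addresses are assumptions; the real hooks run inside the kernel and emit the RST or unreachable message through the network card driver, which this model only reports as a verdict.

```c
#include <stdint.h>
#include <string.h>

/* Hook-decision outcomes for one mirrored packet (names are assumptions, not the page's). */
enum verdict {
    VERDICT_NOT_TARGET,   /* destination is this device: not a target message, not hooked */
    VERDICT_DROP,         /* source meets the access condition: discard the mirror copy */
    VERDICT_SEND_RESET,   /* TCP: second hook sends an RST to source and destination */
    VERDICT_SEND_UNREACH, /* UDP: second hook sends an ICMP unreachable to both */
    VERDICT_UNSUPPORTED   /* other protocols: the page defines no blocking message */
};
#define PRESET_SLOTS 8
#define PROTO_TCP 6
#define PROTO_UDP 17

/* Preset form: address information plus the first hash value stored with each entry. */
struct preset_entry { uint32_t addr; uint32_t first_hash; int used; };
static struct preset_entry preset_form[PRESET_SLOTS];

/* The page names no hash function; FNV-1a over the four address bytes is assumed here. */
static uint32_t addr_hash(uint32_t addr)
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < 4; i++) { h ^= (addr >> (8 * i)) & 0xffu; h *= 16777619u; }
    return h;
}
static void preset_form_reset(void) { memset(preset_form, 0, sizeof preset_form); }

/* Build the preset form: store the address and its first hash value (linear probing). */
static int preset_add(uint32_t addr)
{
    uint32_t h = addr_hash(addr);
    for (unsigned i = 0; i < PRESET_SLOTS; i++) {
        struct preset_entry *e = &preset_form[(h + i) % PRESET_SLOTS];
        if (!e->used) { e->addr = addr; e->first_hash = h; e->used = 1; return 1; }
    }
    return 0; /* form is full */
}

/* First hook: second hash of the source address vs. stored first hashes; the address is
 * compared as well so that a hash collision can never match an unrelated host. */
static int source_matches_preset(uint32_t src)
{
    uint32_t second_hash = addr_hash(src);
    for (unsigned i = 0; i < PRESET_SLOTS; i++) {
        const struct preset_entry *e = &preset_form[(second_hash + i) % PRESET_SLOTS];
        if (!e->used) return 0;
        if (e->first_hash == second_hash && e->addr == src) return 1;
    }
    return 0;
}

/* Whole decision. blocklist=1: a match means the source does not meet the access condition
 * (page's first branch); blocklist=0: only listed sources meet it (page's second branch). */
static enum verdict decide(uint32_t src, uint32_t dst, uint32_t self, uint8_t proto, int blocklist)
{
    if (dst == self) return VERDICT_NOT_TARGET;
    int meets = blocklist ? !source_matches_preset(src) : source_matches_preset(src);
    if (meets) return VERDICT_DROP;
    if (proto == PROTO_TCP) return VERDICT_SEND_RESET;
    if (proto == PROTO_UDP) return VERDICT_SEND_UNREACH;
    return VERDICT_UNSUPPORTED;
}
```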
Referring to fig. 5, an electronic device according to an embodiment of the present application further includes at least a memory 401 and a processor 402, where the memory 401 stores a program, and the processor 402 implements the method according to any of the above embodiments when executing the program on the memory 401.
It will be apparent to one skilled in the art that embodiments of the present application may be provided as methods, electronic devices, computer-readable storage media, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied in the medium. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The processor may be a general purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof. The general purpose processor may be a microprocessor or any conventional processor or the like.
The memory may include volatile memory such as Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
The readable storage medium may be a magnetic disk, an optical disk, a DVD, a USB, a Read Only Memory (ROM), a Random Access Memory (RAM), etc., and the application does not limit the specific storage medium form.
The above embodiments are only exemplary embodiments of the present application, and are not intended to limit the present application, and the protection scope of the present application is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present application and such modifications and equivalents should also be considered to be within the scope of the present application.

Claims (10)

1. A network access bypass monitoring method, applied to an electronic device, characterized by comprising the following steps:
acquiring a mirror image message of the access message through a mirror image port;
guiding the target message in the mirror image message to a Netfilter framework through a receiving function in an operating system kernel; the target message is the mirror image message whose destination address does not point to the electronic device;
determining, based on the target message, whether the source device of the access message meets the access condition through a first hook function in the Netfilter framework;
and under the condition that the source device does not meet the access condition, sending a forged blocking message to the source device and the target device of the access message through a second hook function in the Netfilter framework so as to request to disconnect the network connection between the source device and the target device.
2. The method of claim 1, further comprising:
and under the condition that the source device meets the access condition, discarding the target message.
3. The method of claim 1, wherein determining, based on the target message, whether the source device of the access message meets the access condition through a first hook function in the Netfilter framework comprises:
acquiring a source address of the target message through a first hook function in the Netfilter framework;
determining whether the source address matches the address information in a preset form;
under the condition that the source address matches at least one piece of address information in the preset form, determining that the source device does not meet the access condition; or
under the condition that the source address does not match any address information in the preset form, determining that the source device does not meet the access condition.
4. The method of claim 3, wherein the preset form includes address information and a first hash value corresponding to each piece of address information; the determining whether the source address matches the address information in the preset form includes:
generating a second hash value based on the source address;
determining whether the second hash value matches a first hash value in the preset form.
5. The method of claim 1, wherein sending the forged blocking message to the source device and the destination device of the access message through a second hook function in the Netfilter framework comprises:
sending forged blocking messages to the source device and the target device of the access message through a second hook function under the PREROUTING chain in the raw table in the Netfilter framework.
6. The method of claim 1, wherein sending the forged blocking message to the source device and the destination device of the access message through a second hook function in the Netfilter framework comprises:
under the condition that the access message conforms to the TCP protocol, sending forged blocking messages to the source device and the target device of the access message through the nf_send_reset function in the Netfilter framework;
and under the condition that the access message conforms to the UDP protocol, sending forged blocking messages to the source device and the target device of the access message through the nf_send_unreach function in the Netfilter framework.
7. An electronic device, comprising:
an acquisition module, configured to acquire a mirror image message of the access message through a mirror image port;
a guiding module, configured to guide the target message in the mirror image message to the Netfilter framework through a receiving function in an operating system kernel; the target message is the mirror image message whose destination address does not point to the electronic device;
a determining module, configured to determine, based on the target message, whether the source device of the access message meets the access condition through a first hook function in the Netfilter framework;
and a sending module, configured to send a forged blocking message to the source device and the target device of the access message through a second hook function in the Netfilter framework under the condition that the source device does not meet the access condition, so as to request to disconnect the network connection between the source device and the target device.
8. The electronic device of claim 7, further comprising:
a discarding module, configured to discard the target message under the condition that the source device meets the access condition.
9. The electronic device of claim 7, wherein the determining module is specifically configured to:
acquire a source address of the target message through a first hook function in the Netfilter framework;
determine whether the source address matches the address information in a preset form;
under the condition that the source address matches at least one piece of address information in the preset form, determine that the source device does not meet the access condition; or
under the condition that the source address does not match any address information in the preset form, determine that the source device does not meet the access condition.
10. The electronic device of claim 7, wherein the sending module is specifically configured to:
send forged blocking messages to the source device and the target device of the access message through a second hook function under the PREROUTING chain in the raw table in the Netfilter framework.
CN202210661338.6A 2022-06-13 2022-06-13 Network access bypass monitoring method and electronic equipment Pending CN115052004A (en)

Publications (1)

Publication Number Publication Date
CN115052004A true CN115052004A (en) 2022-09-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination