CN115277135A - Dynamic safety protection method based on tunnel technology and application - Google Patents


Info

Publication number: CN115277135A (granted as CN115277135B)
Authority: CN (China)
Prior art keywords: hopping, network, equipment, address, hop
Legal status: Granted, active
Application number: CN202210831340.3A
Other languages: Chinese (zh)
Other versions: CN115277135B (en)
Inventors: 付国宾, 余奇, 胡佳, 彭靥, 罗颖光, 严其飞, 李斌
Current assignee: National University of Defense Technology
Original assignee: National University of Defense Technology

Events
Application filed by National University of Defense Technology
Priority to CN202210831340.3A
Publication of CN115277135A
Application granted
Publication of CN115277135B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04J MULTIPLEX COMMUNICATION
    • H04J 3/00 Time-division multiplex systems
    • H04J 3/02 Details
    • H04J 3/06 Synchronising arrangements
    • H04J 3/0635 Clock or time synchronisation in a network
    • H04J 3/0638 Clock or time synchronisation among nodes; Internode synchronisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling


Abstract

The application discloses a dynamic security protection method based on tunneling technology, and an application thereof. Network hop equipment is deployed at the external exit of each hop network. At the data sending end, the network hop equipment adds a packet header to each data packet sent to the outside and fills the header with the hop IP addresses and hop ports of both communicating parties at the previous time; at the data receiving end, the network hop equipment verifies whether the receiving-end hop IP address and hop port in a data packet received from the external network are consistent with the equipment's own hop IP address and hop port at the current time, and if so removes the packet header and recovers the original data packet. Because the hop values are carried in the tunnel header rather than matched in SDN flow tables, the forwarding efficiency of data packets is not reduced no matter how much the hop space of IP addresses and ports is increased, which improves the applicability of address and port hopping.

Description

Dynamic safety protection method based on tunnel technology and application
Technical Field
The present application relates to the field of network technologies, and in particular, to a dynamic security protection method and application based on a tunnel technology.
Background
With the development of information technology, network attack techniques are continuously updated, and new viruses, trojans and attacks that exploit system vulnerabilities emerge endlessly. Traditional passive network security protection, which relies on network security equipment such as firewalls and antivirus software, has difficulty resisting novel virus, trojan and vulnerability attacks. Meanwhile, 'high-value' network targets face network attacks that are highly purposeful, organized and specialized; their attack tools and techniques exploit various known or unknown system vulnerabilities, and traditional network security protection equipment cannot counter them.
Dynamic security protection breaks with the original 'static' protection idea of the security system and increases the difficulty and cost of attack through continuous change. It offers a new security idea that tolerates vulnerabilities while denying the adversary the opportunity to exploit them, opens a new path for network security protection technology, and has become the trend of network security development. IP address and port hopping based on SDN is one of the important technologies in the field of dynamic security protection: the continuous change of the externally visible service IP address and port makes it difficult for an attacker to locate the attack target, so that the network attack threat posed by the attacker is broken down.
The larger the hop range of IP addresses and ports, the larger the dynamic change space of the IP address and port, and the better the protection effect. However, a larger change space means that the SDN flow table grows significantly, which reduces data forwarding efficiency.
Disclosure of Invention
In view of at least one of the defects or the improvement requirements of the prior art, the present invention provides a dynamic security protection method based on a tunneling technique and an application thereof, which can improve the applicability of address and port hopping without reducing the forwarding efficiency of data packets no matter how the hopping space of the IP address and port increases.
In order to achieve the above object, according to a first aspect of the present invention, a dynamic security protection method based on tunneling technology is provided, in which a network hop device is deployed at the external exit of each hop network. The network hop device encapsulates each data packet sent to the outside using tunneling technology and then sends the encapsulated packet, where the encapsulation comprises adding a packet header to the data packet and filling the packet header with the hop IP addresses and hop ports of both communicating parties at the previous time.
Further, the dynamic security protection method based on the tunnel technology further includes: the network hopping equipment is also used for verifying whether a receiving end hopping IP address and a hopping port in a data packet received from an external network are consistent with the hopping IP address and the hopping port of the equipment at the current time, and if so, tunnel decapsulation processing is carried out, a packet header is removed, and the original data packet is recovered.
Further, the determining of the hop IP addresses and the hop ports of the two communication parties includes:
each network hopping device is provided with a unique ID mark;
the network hopping equipment generates a hopping IP address and a hopping port of the equipment at the current time according to the ID identification, the current time and the hopping pattern of the equipment;
and the network hopping equipment inquires the ID identification of the receiving terminal network hopping equipment, and generates a hopping IP address and a hopping port of the receiving terminal network hopping equipment at the current time according to the ID identification, the current time and the hopping pattern of the receiving terminal network hopping equipment.
Furthermore, clock synchronization equipment shared by all hopping networks is deployed, and all network hopping equipment acquires time from the clock synchronization equipment to realize clock synchronization.
Further, a mapping function is preset. The mapping function describes the algorithm for generating the hop IP address and hop port of a network hop device from the device's ID, the time and the hop pattern, and the network hop device generates its hop IP address and hop port at the current time according to this mapping function.
Further, the ID of the network hopping equipment is calculated by a preset method from the IP address of the hopping network where the equipment is located;
and the ID of the receiving-end network hopping equipment that is queried is obtained by the same calculation from the IP address of the hopping network where the receiving-end equipment is located.
Further, hash calculation is carried out on the IP address network segment of the hopping network where the network hopping equipment is located to obtain the ID of the network hopping equipment.
According to a second aspect of the present invention, a dynamic security protection system based on tunneling technology is further provided, in which a network hopping device is deployed at the external exit of each hopping network. The network hopping device encapsulates each data packet sent to the outside using tunneling technology and then sends the encapsulated packet, and the encapsulation includes adding a packet header to the data packet and filling the packet header with the hop IP addresses and hop ports of both communicating parties at the previous time.
Further, the dynamic security protection system based on the tunnel technology further includes: the network hopping equipment is also used for verifying whether a receiving end hopping IP address and a hopping port in a data packet received from an external network are consistent with the hopping IP address and the hopping port of the equipment at the current time, and if so, tunnel decapsulation processing is carried out, a packet header is removed, and the original data packet is recovered.
According to a third aspect of the present invention, there is also provided a storage medium storing a computer program executable by a processor, the computer program, when run on the processor, causing the processor to perform the steps of any of the methods described above.
In general, compared with the prior art, the above technical solution contemplated by the present invention can achieve the following beneficial effects: no matter how much the hop space of IP addresses and ports is increased, the forwarding efficiency of data packets is not reduced; the contradiction between the IP address/port hop space and data packet forwarding efficiency is resolved, and system performance is ensured while the dynamic security protection capability is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is an architecture diagram of a dynamic security protection system based on tunneling according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating tunneling encapsulation and decapsulation of a data packet according to an embodiment of the present application;
fig. 3 is an architecture diagram of a dynamic security protection system based on tunneling according to another embodiment of the present application;
fig. 4 is a schematic diagram of adding a packet header according to another embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The terms "including" and "having," and any variations thereof, in the description and claims of this application and the drawings described above, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or modules is not limited to the listed steps or modules but may alternatively include other steps or modules not listed or inherent to such process, method, article, or apparatus.
As shown in fig. 1, the dynamic security protection system based on the tunneling technique according to the embodiment of the present invention is oriented to a computing network, each hop network may be an independent data center or an independent internal network, and the hop networks are connected to each other through a dedicated data communication network. And the application and service system in each hop network communicates with the outside through the network hop equipment, shields the IP address and port information in the data center and provides hop IP and hop ports to the outside uniformly. The client host is deployed in the hop network, and directly accesses application services in other hop networks through the real IP address of the application system.
Furthermore, clock synchronization equipment shared by all hopping networks is deployed, and all network hopping equipment acquires time from the clock synchronization equipment to realize clock synchronization. Clock synchronization among the hopping networks is achieved through precision clock synchronization equipment, and its clock synchronization information is transmitted and acquired over an independent network. This avoids both interruption of data transmission due to unsynchronized clocks and the deadlock in which clock synchronization information cannot be transmitted because data transmission has already been interrupted.
IP address hopping: the IP address that each network hop device uses for outbound traffic changes continuously over time. IP addresses are usually written in 'dotted decimal' form (a.b.c.d). Taking a class C IP address as an example, a.b.c is the network segment number and d is the device number. During network hopping, the network segment number (a.b.c) stays unchanged while the device number (d) changes continuously according to the algorithm defined by the system; the change rule of the device number (d) is known to legitimate users and unknown to illegitimate users, so that requests and accesses by illegitimate users are shielded.
Port hopping: the application port that each network hop device uses for external communication changes continuously over time. The port range available to the application system is 1 to 65535, which includes ports used by well-known services (such as ftp:21, http.
In the dynamic security protection system and method based on the tunnel technology of the embodiment of the invention, in the network hopping process, two communication parties are respectively deployed in two different hopping networks, and network hopping equipment is deployed at an external outlet of each hopping network to realize address hopping and port hopping.
At a data sending end, network hopping equipment is used for encapsulating and sending a data packet sent to the outside based on a tunnel technology, and the encapsulating comprises adding a packet header for the data packet, and filling the packet header with a hopping IP address and a hopping port of both parties of previous time communication, so as to realize address hopping and port hopping.
At a data receiving end, after a network hopping device receives a data packet from an external network, verifying whether a receiving end hopping IP address and a hopping port in the data packet received from the external network are consistent with a hopping IP address and a hopping port of the device at the current time, if so, performing tunnel decapsulation processing, removing a packet header, recovering an original data packet, forwarding the original data packet to the data receiving end, and realizing a complete data packet sending process.
As shown in fig. 2, if a data packet is received, it is determined whether the data packet is from an extranet port or an intranet port, and if the data packet received by the network hopping apparatus is from an intranet port, the data packet needs to be tunneled, and the data packet is sent to the extranet after being encapsulated. If the data packet received by the network hopping equipment comes from an external network port, the legality of the data packet needs to be judged, and if the data packet is legal, the tunnel header of the data packet is removed, and the data packet is restored. If the packet is illegal, the packet is discarded.
Example 1
The dynamic safety protection method based on the tunnel technology comprises the following steps:
S1.1, network hopping equipment is deployed at an outlet of each hopping network, and data communication between the hopping networks needs to pass through the network hopping equipment. The data packets sent by the application systems on the servers in the hop network to the outside of the hop network must be forwarded to the outside network by the network hop device. Similarly, a packet sent by the extranet to a server within the hop network must also be forwarded by the network hop device to the intranet.
S1.2, the network hopping equipment generates own hopping IP and hopping ports.
A preferred implementation of generating the own hop IP and hop port is as follows.
(1) Each network hopping device has a unique ID as an identification.
Further, the ID of the network hopping apparatus is calculated according to the IP address of the hopping network where the network hopping apparatus is located, by a preset method. The preset method may be a hash algorithm.
(2) At the starting time of each hopping period, the network hopping equipment takes the hopping pattern shared by the whole network, the network hopping equipment ID and the current time as input values, and calculates the hopping IP address and the hopping port of the network hopping equipment in the current time period.
Further, the hopping pattern can be dynamically updated.
S1.3, the network hopping equipment calculates the current hopping IP address and hopping port of the opposite network hopping equipment according to the data packet received from the intranet.
(1) And inquiring to obtain the ID identification of the receiver.
Further, the ID is calculated by the preset method from the IP address network segment of the receiver.
(2) And calculating the hopping IP address and the hopping port of the receiver by taking the hopping pattern, the ID of the receiver network hopping equipment and the current time as input values.
S1.4, the network hopping equipment encapsulates the data packet and forwards the encapsulated data packet to the opposite communication terminal network hopping equipment.
(1) And the network hopping equipment encapsulates the data packet, constructs a packet head of a tunnel packet according to hopping IP addresses and ports of both communication parties and encapsulates the data packet.
(2) And the network hopping equipment sends the encapsulated data packet to a data transmission network. And the data transmission network forwards the encapsulated data packet to the network hopping equipment of the receiving end hopping network through a routing protocol.
S1.5, the network hopping equipment receives the data packet sent by the external network and verifies the data packet.
Specifically, whether the IP address and the port number of the receiving end are consistent with the IP address and the port number of the current equipment is verified, and if so, the next operation is carried out. If not, the data packet is an illegal data packet, and the data packet is discarded. Here, the "current time of the device" refers to the time when the current hop IP address and hop port of the peer network hop device are calculated in step S1.3.
S1.6, the network hopping equipment removes the tunnel head of the successfully verified data packet to obtain an original data packet, and forwards the data packet to a target server.
Example 2
As shown in fig. 3, the following device entities are given:
the hopping network server side and the hopping network client side are two communication domains respectively;
the application server and the client host are devices of two communication parties;
the hopping network nodes are respectively deployed in the two communication domains and used as data communication gateways;
the dynamic safety protection method based on the tunnel technology comprises the following steps:
S2.1, network hopping equipment is deployed at the exit of each hopping network, and data communication between the hopping networks needs to pass through the network hopping equipment. The data packets sent by the application systems on the servers in the hop network to the outside of the hop network must be forwarded to the outside network by the network hop device. Similarly, a packet sent by the extranet to a server within the hop network must also be forwarded by the network hop device to the intranet.
S2.2, the network hopping equipment generates own hop IP and hop ports.
(1) Each network hopping device has a unique ID as an identification.
(2) At the starting time of each hopping period, the network hopping equipment takes the ID of the network hopping equipment, the current time and the hopping pattern as input values, and calculates the hopping IP address and the hopping port of the network hopping equipment in the current time period through a mapping function map ().
H_i(ip, port) = map(id, time, Mkey)   (1)
where H_i(ip, port) is the hop IP address and hop port of the network hop device in the i-th hop period, id is the globally unique ID of the network hop device, time is the start time of the current hop period, and Mkey is the hop pattern corresponding to the current hop period.
And S2.3, the network hopping equipment calculates the current hopping IP address and hopping port of the opposite-end network hopping equipment according to the destination address and port of the data packet received from the intranet.
(1) And according to the IP address network segment of the receiver, the ID identification of the receiver can be obtained through inquiring.
id = hash(ip)   (2)
(2) And the network hopping equipment takes the id and the time of the network hopping equipment of the receiver as input values according to a formula (1) to calculate the hopping IP address and the hopping port of the receiver.
And S2.4, the network hopping equipment encapsulates the data packet and forwards the encapsulated data packet to the network hopping equipment of the opposite communication terminal.
(1) The network hopping equipment encapsulates the data packet: it constructs the header of the tunnel packet from the hop IP addresses and hop ports of the two communicating parties and places the data packet inside it. The network hop device encapsulates the original IP packet in a UDP packet: the IP packet becomes the payload behind a new UDP header, and the UDP port number of that UDP packet is the one the network hop device hops, as shown in fig. 4. In this way, the network hop device performs network-level hopping on the IP address and port carried in the outer tunnel header while the service is transmitted transparently, because the inner packet carried as payload is not changed. Address hopping and port hopping share the same hop pattern algorithm.
The hop IP and hop port are filled directly into the corresponding fields of the tunnel header rather than being matched through SDN flow entries, so the number of SDN flow entries does not grow no matter how far the value ranges of the hop IP and hop port are expanded, and data packet forwarding efficiency is not reduced.
(2) And the network hopping equipment sends the encapsulated data packet to a data transmission network. And the data transmission network forwards the encapsulated data packet to the network hopping equipment of the receiving end hopping network according to the tunnel IP address through a routing protocol.
S2.5, the network hopping equipment receives a data packet sent by the external network and verifies it: it checks whether the receiving-end hop IP address and hop port number in the packet are consistent with the equipment's current hop IP address and hop port number. If they are consistent, the sender of the data packet knows the hop rule of the network hopping equipment and is a legitimate user, and the operation of step S2.6 is carried out. If not, the data packet is illegitimate and is discarded.
And S2.6, the network hopping equipment removes the tunnel head of the successfully verified data packet to obtain an original data packet, and forwards the data packet to the target server.
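As an added worked example (not the patent's own code), the following Python sketch walks through steps S2.2 to S2.6 above: the mapping function of eq. (1), the ID derivation of eq. (2), the UDP tunnel encapsulation of S2.4 and the receive-side consistency check of S2.5 that drops packets carrying stale hop values. The HMAC-SHA256 mapping, the 10-second hop period, the /24 network segments, the 8-byte ID truncation and the sample addresses and key are assumptions; the 10000-65534 port hop space is the one quoted on the page.

```python
"""Added example: tunnel-based IP/port hopping after steps S2.2-S2.6 (not the patent's code).
Assumed: map() = HMAC-SHA256 keyed with Mkey over (id, period start); hash() in eq. (2) =
SHA-256 of the /24 network segment; hop period 10 s; port hop space 10000-65534 (from the page)."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional, Tuple

HOP_PERIOD = 10                      # seconds per hop period (assumed)
PORT_LOW, PORT_HIGH = 10000, 65534   # port hop space quoted on the page
IPPROTO_UDP = 17


def device_id(segment: str) -> bytes:
    """Eq. (2): id = hash(ip network segment); SHA-256 truncated to 8 bytes (assumed)."""
    net = ipaddress.ip_network(segment, strict=False)
    return hashlib.sha256(str(net).encode()).digest()[:8]


def period_start(now: float) -> int:
    """The 'time' input of map(): start time of the hop period containing `now`."""
    return int(now) - int(now) % HOP_PERIOD


def hop_map(dev_id: bytes, time: int, mkey: bytes, segment: str) -> Tuple[str, int]:
    """Eq. (1): H_i(ip, port) = map(id, time, Mkey). The segment a.b.c stays fixed and
    only the device number d hops; the port hops within PORT_LOW..PORT_HIGH."""
    net = ipaddress.ip_network(segment, strict=False)
    digest = hmac.new(mkey, dev_id + struct.pack("!Q", time), hashlib.sha256).digest()
    n_hosts = net.num_addresses - 2                       # skip network and broadcast
    d = 1 + int.from_bytes(digest[:4], "big") % n_hosts
    port = PORT_LOW + int.from_bytes(digest[4:8], "big") % (PORT_HIGH - PORT_LOW + 1)
    return str(net.network_address + d), port


def _checksum(data: bytes) -> int:
    """RFC 791 one's-complement header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src_ip: str, dst_ip: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header carrying UDP, with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, IPPROTO_UDP, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def encapsulate(inner: bytes, src: Tuple[str, int], dst: Tuple[str, int]) -> bytes:
    """S2.4(1): wrap the original IP packet in an outer IPv4+UDP header whose addresses
    and ports are the hop values of both parties (UDP checksum 0 = none)."""
    udp = struct.pack("!HHHH", src[1], dst[1], 8 + len(inner), 0)
    return ipv4_header(src[0], dst[0], len(udp) + len(inner)) + udp + inner


class HopDevice:
    """Network hop device at the external exit of one hop network."""

    def __init__(self, segment: str, mkey: bytes):
        self.segment = segment
        self.mkey = mkey                      # hop pattern shared by the whole network
        self.dev_id = device_id(segment)      # S2.2(1): unique ID

    def own_hop(self, now: float) -> Tuple[str, int]:
        """S2.2(2): this device's hop IP and port for the current period."""
        return hop_map(self.dev_id, period_start(now), self.mkey, self.segment)

    def from_intranet(self, inner: bytes, now: float) -> bytes:
        """S2.3 + S2.4: derive the peer's hop values from the inner destination
        address and return the encapsulated tunnel packet."""
        dst_ip = str(ipaddress.IPv4Address(inner[16:20]))
        peer_segment = str(ipaddress.ip_network(dst_ip + "/24", strict=False))  # /24 assumed
        peer_hop = hop_map(device_id(peer_segment), period_start(now), self.mkey, peer_segment)
        return encapsulate(inner, self.own_hop(now), peer_hop)

    def from_extranet(self, outer: bytes, now: float) -> Optional[bytes]:
        """S2.5 + S2.6: accept only if the outer destination IP/port equal this device's
        hop values for the current period; return the inner packet, or None if dropped."""
        if len(outer) < 28 or outer[9] != IPPROTO_UDP:
            return None
        dst_ip = str(ipaddress.IPv4Address(outer[16:20]))
        dst_port = int.from_bytes(outer[22:24], "big")
        if (dst_ip, dst_port) != self.own_hop(now):
            return None                       # stale or forged hop values: illegal packet
        return outer[28:]                     # strip 20-byte IP + 8-byte UDP tunnel header


if __name__ == "__main__":
    key = b"shared-hop-pattern-Mkey"         # constructed sample Mkey
    a = HopDevice("10.1.1.0/24", key)         # sender-side hop network
    b = HopDevice("10.2.2.0/24", key)         # receiver-side hop network
    inner = ipv4_header("10.1.1.7", "10.2.2.50", 5) + b"hello"   # constructed inner packet
    tunnel = a.from_intranet(inner, now=1000.0)
    print(b.from_extranet(tunnel, now=1003.0) == inner)   # same hop period: accepted
    print(b.from_extranet(tunnel, now=1010.0))            # next hop period: dropped (None)
```

Note that the check in S2.5 is on the receiver's own hop values only; a packet whose hop values were computed for an earlier period is rejected once the period rolls over, which is why the clock synchronization described above is essential.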
The dynamic safety protection method based on the tunnel technology of the embodiment of the invention has the following characteristics:
(1) High efficiency: based on the tunnel technology, the IP address and the hopping space of the port are irrelevant to the flow table scale of the SDN switch, and the network hopping node can efficiently realize the encapsulation and the decapsulation of the original IP data packet and reduce the resource consumption of the system caused by network hopping.
(2) High security: a larger hop space of IP address and port means greater randomness. For example, the hop space of a class B IP address is 65534 and the hop space of the port is 10000-65534; in one hop period the IP address and port combinations of a network hop node number about 3.6 billion (3,639,365,156), so the huge hop space greatly reduces the probability of a successful hostile attack.
(3) High adaptability: the dynamic security protection method based on tunneling technology is well compatible with the existing network, can interface seamlessly with existing network security equipment (such as firewalls, intrusion detection systems, WAF gateways and the like), has no special requirements on the application system, and adapts well to existing network equipment and application systems.
(4) Flexibility: the invention can accommodate various mapping functions, namely the mapping function that calculates the hop IP address and hop port can be adjusted flexibly according to actual needs to cope with different network IP address planning schemes and accommodate various IP address hop ranges, which greatly reduces the deployment difficulty of the system.
The specific implementation of the dynamic security protection system based on the tunnel technology is the same as the method described above, and details are not described here.
The present application further provides a storage medium storing a computer program executable by a processor, and when the computer program runs on the processor, the processor executes the steps of any one of the above dynamic security protection methods based on tunnel technology. The computer-readable storage medium may include, but is not limited to, any type of disk including floppy disks, optical disks, DVD, CD-ROMs, microdrive, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, DRAMs, VRAMs, flash memory devices, magnetic or optical cards, nanosystems (including molecular memory ICs), or any type of media or device suitable for storing instructions and/or data.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed system may be implemented in other ways. For example, the above-described system embodiments are merely illustrative, and for example, the division of the modules is merely a logical division, and other divisions may be realized in practice, for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be through some service interfaces, indirect coupling or communication connection of systems or modules, and may be in electrical or other forms.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one position, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program, which is stored in a computer-readable memory, and the memory may include: flash disks, Read-Only Memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The above description is only an exemplary embodiment of the present disclosure, and the scope of the present disclosure should not be limited thereby. That is, all equivalent changes and modifications made in accordance with the teachings of the present disclosure are intended to be included within the scope of the present disclosure. Embodiments of the present disclosure will be readily apparent to those skilled in the art from consideration of the specification and practice of the disclosure herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
The technical features of the above embodiments can be combined arbitrarily; for the sake of brevity, not all possible combinations of the technical features in the above embodiments are described, but every combination should be considered to fall within the scope of the present specification as long as the technical features being combined do not contradict one another.

Claims (10)

1. A dynamic security protection method based on tunnel technology, characterized in that network hopping equipment is deployed at the external outlet of each hopping network; the network hopping equipment is used to encapsulate, based on the tunnel technology, the data packets sent to the outside and to send them on; and the encapsulating process comprises adding a packet header to each data packet and filling the packet header with the hop IP addresses and hop ports of both communicating parties at the previous time.
2. The dynamic security protection method based on tunnel technology according to claim 1, further comprising: the network hopping equipment is also used to verify whether the receiving-end hop IP address and hop port carried in a data packet received from the external network are consistent with the hop IP address and hop port of the equipment itself at the current time, and if so, to perform tunnel decapsulation, remove the packet header and recover the original data packet.
3. The dynamic security protection method based on tunnel technology according to claim 1, wherein determining the hop IP addresses and hop ports of the two communicating parties comprises:
each network hopping device has a unique ID identifier;
the network hopping equipment generates its own hop IP address and hop port for the current time from its ID identifier, the current time and its hop pattern;
and the network hopping equipment queries the ID identifier of the receiving-end network hopping equipment, and generates the hop IP address and hop port of the receiving-end network hopping equipment for the current time from the ID identifier, the current time and the hop pattern of the receiving-end network hopping equipment.
4. The dynamic security protection method based on tunneling technology of claim 1, wherein a clock synchronization device common to each hopping network is deployed, and each network hopping device acquires time from the clock synchronization device to achieve clock synchronization.
5. The dynamic security protection method based on tunnel technology according to claim 3, wherein a mapping function is preset which describes the algorithm for generating the hop IP address and hop port of a network hopping device from its ID identifier, the time and its hop pattern, and the hop IP address and hop port of the device at the current time are generated according to that mapping function.
6. The dynamic security protection method based on tunnel technology according to claim 3, wherein the ID identifier of the network hopping device is calculated by a preset method from the IP address of the hopping network in which the network hopping device is located;
and the queried ID identifier of the receiving-end network hopping equipment is calculated from the IP address of the hopping network in which the receiving-end network hopping equipment is located.
7. The dynamic security protection method based on tunnel technology according to claim 1, wherein a hash is calculated over the IP address segment of the hopping network in which the network hopping device is located, to obtain the ID identifier of the network hopping device.
8. A dynamic security protection system based on tunnel technology, characterized in that network hopping equipment is deployed at the external outlet of each hopping network; the network hopping equipment is used to encapsulate, based on the tunnel technology, the data packets sent to the outside and to send them on; and the encapsulating process comprises adding a packet header to each data packet and filling the packet header with the hop IP addresses and hop ports of both communicating parties at the previous time.
9. The dynamic security protection system based on tunnel technology according to claim 8, further comprising: the network hopping equipment is also used to verify whether the receiving-end hop IP address and hop port carried in a data packet received from the external network are consistent with the hop IP address and hop port of the equipment itself at the current time, and if so, to perform tunnel decapsulation, remove the packet header and recover the original data packet.
10. A storage medium, characterized in that it stores a computer program which, when run on a processor, causes the processor to perform the steps of the method according to any one of claims 1 to 7.
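The claims above describe one procedure: derive each device's ID from its network segment (claims 6 and 7), map (ID, synchronized time, hop pattern) to a hop IP address and hop port through a preset mapping function (claims 3 to 5), carry both parties' hop addresses in an outer tunnel header (claim 1), and accept a packet only when the header's receiving-end hop address equals the receiver's own current one (claim 2). The Python below is an added example written for this page, not code from the patent or its applicant; the concrete mapping function (HMAC-SHA256 keyed by the hop pattern), the 10-second hop interval, the 100.64.0.0/16 address pool, the 20000 to 60000 port range, the 12-byte header layout, and the class and function names are all assumptions, since the claims leave them unspecified. The clock value, network prefixes and hop patterns in `demo()` are constructed sample inputs.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed parameters: the claims fix neither the hop interval, the address pool nor the port range.
HOP_INTERVAL_S = 10                  # hop period in seconds (assumption)
HOP_POOL = "100.64.0.0/16"           # pool from which hop IP addresses are drawn (assumption)
PORT_LO, PORT_HI = 20000, 60000      # hop port range (assumption)
HEADER_FMT = "!4sH4sH"               # outer header: src hop IP, src hop port, dst hop IP, dst hop port
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes


def device_id(network_cidr: str) -> bytes:
    """Claim 7: the device ID is a hash of the IP segment of its hopping network."""
    net = ipaddress.ip_network(network_cidr, strict=True)
    return hashlib.sha256(net.with_prefixlen.encode()).digest()


def time_slot(now: float) -> int:
    """Claim 4: every device reads one synchronized clock; quantise it into hop intervals."""
    return int(now // HOP_INTERVAL_S)


def hop_address(dev_id: bytes, slot: int, pattern: bytes) -> tuple:
    """Claim 5 mapping function, realised here (assumption) as HMAC-SHA256 keyed by the
    hop pattern over ID || slot. Identical inputs on sender and receiver give the same
    (hop IP, hop port); an observer without the pattern cannot predict the next hop."""
    net = ipaddress.ip_network(HOP_POOL, strict=True)
    digest = hmac.new(pattern, dev_id + slot.to_bytes(8, "big"), hashlib.sha256).digest()
    host_index = 1 + int.from_bytes(digest[:8], "big") % (net.num_addresses - 2)  # skip network/broadcast
    port = PORT_LO + int.from_bytes(digest[8:10], "big") % (PORT_HI - PORT_LO)
    return str(net[host_index]), port


class HopDevice:
    """Network hopping equipment at the external outlet of one hopping network (hypothetical class)."""

    def __init__(self, network_cidr: str, pattern: bytes):
        self.network = network_cidr
        self.id = device_id(network_cidr)
        self.pattern = pattern          # this device's hop pattern (claim 3)
        self.peers = {}                 # receiving-end network -> (ID, pattern): the claim 3 lookup

    def register_peer(self, peer_cidr: str, peer_pattern: bytes) -> None:
        # Claim 6: the peer's ID is computed from the peer's network segment, not exchanged.
        self.peers[peer_cidr] = (device_id(peer_cidr), peer_pattern)

    def current_hop(self, now: float) -> tuple:
        return hop_address(self.id, time_slot(now), self.pattern)

    def encapsulate(self, inner_packet: bytes, peer_cidr: str, now: float) -> bytes:
        """Claim 1: prepend a header carrying both parties' hop IP/port for this time slot."""
        slot = time_slot(now)
        src_ip, src_port = hop_address(self.id, slot, self.pattern)
        peer_id, peer_pattern = self.peers[peer_cidr]
        dst_ip, dst_port = hop_address(peer_id, slot, peer_pattern)
        header = struct.pack(HEADER_FMT,
                             ipaddress.ip_address(src_ip).packed, src_port,
                             ipaddress.ip_address(dst_ip).packed, dst_port)
        return header + inner_packet

    def decapsulate(self, outer_packet: bytes, now: float):
        """Claim 2: accept only if the receiving-end hop IP/port in the header equal this
        device's own hop IP/port for the current slot; then strip the header."""
        if len(outer_packet) < HEADER_LEN:
            return None
        _, _, dst_ip, dst_port = struct.unpack(HEADER_FMT, outer_packet[:HEADER_LEN])
        my_ip, my_port = self.current_hop(now)
        if hmac.compare_digest(dst_ip, ipaddress.ip_address(my_ip).packed) and dst_port == my_port:
            return outer_packet[HEADER_LEN:]
        return None   # stale slot, unknown pattern or forged header: drop


def demo() -> tuple:
    """Two hopping networks exchange one packet; the same packet is rejected one slot later."""
    now = 1_700_000_000.0                                  # constructed synchronized clock reading
    a = HopDevice("10.1.0.0/16", b"pattern-A (constructed)")
    b = HopDevice("10.2.0.0/16", b"pattern-B (constructed)")
    a.register_peer("10.2.0.0/16", b.pattern)
    b.register_peer("10.1.0.0/16", a.pattern)
    inner = b"original IP packet bytes (constructed)"
    outer = a.encapsulate(inner, "10.2.0.0/16", now)
    accepted = b.decapsulate(outer, now)                   # same slot: header matches, payload recovered
    replayed = b.decapsulate(outer, now + HOP_INTERVAL_S)  # next slot: B's hop address moved, dropped
    return accepted, replayed


if __name__ == "__main__":
    print(demo())
```

The strict equality in `decapsulate` is exactly what claim 2 states, so a packet that straddles a slot boundary because the two clocks drift apart is dropped; in practice an operator would size the hop interval against the achievable clock-synchronization error from the claim 4 device, and any tolerance window around the boundary is a deployment choice the claims do not make. Because the hop pattern is the only secret input to the mapping, it should be handled as key material: without it, an observer of the outer header sees a pair of addresses that change every interval and cannot be linked to the next interval's pair.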

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210831340.3A CN115277135B (en) 2022-07-15 2022-07-15 Dynamic safety protection method based on tunnel technology and application

Publications (2)

Publication Number Publication Date
CN115277135A true CN115277135A (en) 2022-11-01
CN115277135B CN115277135B (en) 2023-10-27

Family

ID=83765702

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210831340.3A Active CN115277135B (en) 2022-07-15 2022-07-15 Dynamic safety protection method based on tunnel technology and application

Country Status (1)

Country Link
CN (1) CN115277135B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104853003A (en) * 2015-04-30 2015-08-19 中国人民解放军国防科学技术大学 Netfilter-based address and port hopping communication implementation method
US20150236752A1 (en) * 2014-02-20 2015-08-20 Raytheon Bbn Technologies Corp. Method for selection of unique next-time-interval internet protocol address and port
CN105978875A (en) * 2016-05-11 2016-09-28 中国人民解放军国防信息学院 Dynamic service realization method and system base on service hopping and intelligent cleaning
CN106060184A (en) * 2016-05-11 2016-10-26 中国人民解放军国防信息学院 Three dimensional-based IP address hop pattern generation method and hop controllers
CN106201930A (en) * 2016-07-26 2016-12-07 努比亚技术有限公司 Device port determination apparatus, terminal and method
CN112134684A (en) * 2020-07-06 2020-12-25 武汉量子风暴信息科技有限公司 Method, communication method, system and related equipment for generating hopping pattern
US11012259B1 (en) * 2018-09-13 2021-05-18 Ca, Inc. Systems and methods for preserving system contextual information in an encapsulated packet

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
高诚; 陈世康; 王宏; 董青: "Research on address hopping technology based on SDN architecture" (基于SDN架构的地址跳变技术研究), 通信技术 (Communications Technology), no. 04 *

Also Published As

Publication number Publication date
CN115277135B (en) 2023-10-27

Similar Documents

Publication Publication Date Title
Abou El Houda et al. Cochain-SC: An intra-and inter-domain DDoS mitigation scheme based on blockchain using SDN and smart contract
CN112422481B (en) Trapping method, system and forwarding equipment for network threats
US11882150B2 (en) Dynamic security actions for network tunnels against spoofing
US7062782B1 (en) Overlay network for tracking denial-of-service floods in unreliable datagram delivery networks
US7360245B1 (en) Method and system for filtering spoofed packets in a network
EP2164207B1 (en) Message routing method, system and node equipment
Maximov et al. Network topology masking in distributed information systems
Simpson et al. An inter-domain collaboration scheme to remedy DDoS attacks in computer networks
US9258213B2 (en) Detecting and mitigating forwarding loops in stateful network devices
Kwon et al. An incrementally deployable anti-spoofing mechanism for software-defined networks
Cai et al. Source authentication and path validation in networks using orthogonal sequences
CN113242269A (en) Data transmission method and system based on virtualization network and network security equipment
Nur et al. Single packet AS traceback against DoS attacks
Kaur et al. Countermeasures for covert channel-internal control protocols
Kwon et al. SVLAN: Secure & scalable network virtualization
CN110995763B (en) Data processing method and device, electronic equipment and computer storage medium
CN114531270B (en) Defensive method and device for detecting segmented routing labels
CN115277135B (en) Dynamic safety protection method based on tunnel technology and application
CN114205152B (en) Method for deploying backtracking heterogeneous resources and planning optimal path
CN117375862A (en) Message forwarding method, system, network device, storage medium and program product
US10771391B2 (en) Policy enforcement based on host value classification
US11171915B2 (en) Server apparatus, client apparatus and method for communication based on network address mutation
Colajanni et al. The problem of NIDS evasion in mobile networks
Muthurajkumar et al. UDP flooding attack detection using entropy in software-defined networking
Park et al. Strengthening network-based moving target defense with disposable identifiers

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant