CN115314285A - Interception method of cracking behaviors and security gateway device - Google Patents


Info

Publication number: CN115314285A
Authority: CN (China)
Prior art keywords: message, login, attacker, forged, address
Legal status: Pending
Application number: CN202210938534.3A
Other languages: Chinese (zh)
Inventors: 娄扬, 侯丽英
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202210938534.3A

Classifications

    • H Electricity
    • H04 Electric communication technique
    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications

Abstract

The application provides a method for intercepting cracking behaviors and a security gateway device. Brute-force cracking behaviors are detected by monitoring the traffic of each service. When one is detected, the currently obtained login message (the first login message) is intercepted, a response message indicating that the first login message logged in successfully is forged, and the forged response is sent to the attacker so that the attacker misjudges the result. In addition, the first login user name and first password carried in the first login message are recorded, so that when the attacker switches IP address and tries to log in with that user name and password, the malicious login can be identified quickly and the attack from the new IP address blocked as early as possible. Finally, the attacker's IP address is recorded in an IP blacklist, so that the attacker is prevented from continuing the cracking behavior.

Description

Interception method of cracking behavior and security gateway device
Technical Field
The application relates to the technical field of network security, in particular to an interception method of cracking behaviors and a security gateway device.
Background
Brute-force cracking is a common attack technique: without knowing the user name and password, attack software tries user names and passwords from a dictionary file one after another until one of them is found. The attack typically targets default, empty or weak passwords, against which it works well, and after a period of continuous trial and error it can eventually find a user name and password that log in successfully.
Existing security gateways detect brute-force cracking from message frequency, message content and the like, but offer no defence against subsequent logins with a user name and password that were cracked successfully. In the interval between the start of the attack and the moment the security gateway detects and blocks it, the attacker has usually already tried a number of user names and passwords, and can keep trying from other IP addresses, so eventually the attacker still obtains a user name and password that log in successfully. If the attacker later switches IP address and logs in with those cracked credentials, the malicious login cannot be detected, and user information is poorly protected.
Disclosure of Invention
Embodiments of the application aim to provide a method for intercepting cracking behaviors and a security gateway device, in order to solve the following problem: an existing security gateway detects brute-force cracking from message frequency, message content and the like, but has no defence against subsequent logins with a successfully cracked user name and password, so a login by the attacker from a replaced IP address with those credentials cannot be detected, and user information is poorly protected.
The method for intercepting cracking behaviors provided by an embodiment of the application is applied to a security gateway and comprises the following steps:
monitoring the traffic of each service to identify cracking behaviors, and, when a cracking behavior aimed at a first service is detected, executing the following steps:
acquiring a first login message sent by the attacker responsible for the cracking behavior, and intercepting the first login message;
forging a response message corresponding to the first login message and sending it to the attacker;
recording the first login user name and the first password carried in the first login message; and recording the attacker's IP address in an IP blacklist and discarding the first login message.
In this technical scheme, brute-force cracking behaviors are detected by monitoring the traffic of each service. When one is detected, the currently obtained first login message is intercepted, a response message indicating that the first login message logged in successfully is forged, and the forged response is sent to the attacker so that the attacker misjudges the result. In addition, the first login user name and first password of the first login message are recorded, so that when the attacker switches IP address and tries to log in with that user name and password, the malicious login can be identified quickly and the attack from the new IP address blocked as early as possible. Finally, the attacker's IP address is recorded in an IP blacklist, so that the attacker is prevented from continuing the cracking behavior.
In some optional embodiments, the method further comprises:
acquiring a second login message aimed at the first service;
judging whether the second login user name and second password of the second login message are the same as the first login user name and first password;
if so, identifying the sender of the second login message as the attacker, recording the sender's IP address in the IP blacklist, and discarding the second login message.
In this technical scheme, when a brute-force cracking behavior is detected, the first login user name and first password in the attacker's first login message are recorded, and the first login message is answered with a response message that makes the attacker believe the login succeeded. If the attacker then switches IP address and tries to log in with the first login user name and first password, the security gateway identifies the attacker quickly, records the IP address the attacker is now using in the IP blacklist, and blocks the attack promptly.
In some optional embodiments, forging a response message corresponding to the first login message and sending it to the attacker comprises:
constructing the layer-2 header of the forged message, wherein the destination MAC address of the forged message is the source MAC address of the first login message, and the source MAC address of the forged message is the destination MAC address of the first login message;
constructing the layer-3 header of the forged message, wherein the source IP address of the forged message is the IP address of the first service, the destination IP address of the forged message is the IP address of the attacker, and the protocol of the forged message is TCP;
constructing the TCP header of the forged message, wherein the source port of the forged message is the port of the first service, the destination port of the forged message is the attacker's port, the seq of the forged message is the ack of the login message, and the ack of the forged message is the seq of the login message plus the length of the login message; and
constructing the application-layer content of the forged message as the successful-login response of the application-layer protocol.
In this technical scheme, the forged response message is sent to the attacker so that the attacker believes the brute-force attempt succeeded. Because the attacker's current IP address has been recorded in the IP blacklist, the attacker is very likely to switch IP address and try to log in with the first login user name and first password that appeared to succeed. The security gateway therefore only needs to watch for subsequent attempts to log in with the first login user name and first password in order to identify the attacker's activity.
In some optional embodiments, before recording the first login user name and first password in the first login message, the method further comprises:
constructing a service pseudo-account table, which stores the first login user name, the first password, and the IP address and port number of the first service.
In this technical scheme, the key of the service pseudo-account table is the IP address and port number of the attacked service, and the value is the login user name, the password and the entry's timeout time. If the attacker tries to log in from a replaced IP address, the malicious login can be detected by looking up the service pseudo-account table; at the same time, the attacker's brute-force attack is disrupted and the user's information is protected.
In some optional embodiments, after the attacker's IP address is recorded in the IP blacklist, the method further comprises:
recording, in an alarm log, the act of adding the attacker's IP address to the IP blacklist.
In this technical scheme, the addition of the attacker's IP address to the IP blacklist is recorded in the alarm log, so that a user or maintenance person can check the alarm log to judge whether the cracking behavior was a false positive, or manually unblock the IP address where information security is assured.
An embodiment of the application provides a security gateway device, the device comprising:
a monitoring module for monitoring the traffic of each service to identify cracking behaviors; and
a first interception module for executing the following steps when a cracking behavior aimed at a first service is detected:
acquiring a first login message sent by the attacker responsible for the cracking behavior, and intercepting the first login message;
forging a response message corresponding to the first login message and sending it to the attacker;
recording the first login user name and the first password carried in the first login message; and recording the attacker's IP address in an IP blacklist and discarding the first login message.
In this technical scheme, the monitoring module monitors the traffic of each service to detect brute-force cracking behaviors. When one is detected, the first interception module intercepts the currently obtained first login message, forges a response message indicating that the first login message logged in successfully, and sends the forged response to the attacker so that the attacker misjudges the result; it also records the first login user name and first password of the first login message, so that when the attacker switches IP address and tries to log in with that user name and password, the malicious login can be identified quickly and the attack from the new IP address blocked as early as possible. Finally, the first interception module records the attacker's IP address in an IP blacklist, so that the attacker is prevented from continuing the cracking behavior.
In some optional embodiments, the device further comprises:
a second interception module for acquiring a second login message aimed at the first service;
judging whether the second login user name and second password of the second login message are the same as the first login user name and first password; and,
if so, identifying the sender of the second login message as the attacker, recording the sender's IP address in the IP blacklist, and discarding the second login message.
In this technical scheme, when a brute-force cracking behavior is detected, the first login user name and first password in the attacker's first login message are recorded, and the first login message is answered with a response message that makes the attacker believe the login succeeded. If the attacker then switches IP address and tries to log in with the first login user name and first password, the second interception module identifies the attack quickly, records the IP address the attacker is now using in the IP blacklist, and blocks the attack promptly.
In some optional embodiments, the first interception module is further configured to:
construct the layer-2 header of the forged message, wherein the destination MAC address of the forged message is the source MAC address of the first login message, and the source MAC address of the forged message is the destination MAC address of the first login message;
construct the layer-3 header of the forged message, wherein the source IP address of the forged message is the IP address of the first service, the destination IP address of the forged message is the IP address of the attacker, and the protocol of the forged message is TCP;
construct the TCP header of the forged message, wherein the source port of the forged message is the port of the first service, the destination port of the forged message is the attacker's port, the seq of the forged message is the ack of the login message, and the ack of the forged message is the seq of the login message plus the length of the login message; and
construct the application-layer content of the forged message as the successful-login response of the application-layer protocol.
In this technical scheme, the first interception module sends the forged response message to the attacker so that the attacker believes the brute-force attempt succeeded. Because the attacker's current IP address has been recorded in the IP blacklist, the attacker is very likely to switch IP address and try to log in with the first login user name and first password that appeared to succeed. The security gateway therefore only needs to watch for subsequent attempts to log in with the first login user name and first password in order to identify the attacker's activity.
In some optional embodiments, the device further comprises:
a table construction module for constructing a service pseudo-account table, which stores the first login user name, the first password, and the IP address and port number of the first service.
In this technical scheme, in the service pseudo-account table constructed by the table construction module, the key is the IP address and port number of the attacked service, and the value is the login user name, the password and the entry's timeout time. If the attacker tries to log in from a replaced IP address, the malicious login can be detected by looking up the service pseudo-account table; at the same time, the attacker's brute-force attack is disrupted and the user's information is protected.
In some optional embodiments, the device further comprises:
an alarm log module for recording, in an alarm log, the act of adding the attacker's IP address to the IP blacklist.
In this technical scheme, the alarm log module records the addition of the attacker's IP address to the IP blacklist in the alarm log, so that a user or maintenance person can check the alarm log to judge whether the cracking behavior was a false positive, or manually unblock the IP address where information security is assured.
An electronic device provided in an embodiment of the application comprises a processor and a memory, the memory storing machine-readable instructions executable by the processor which, when executed by the processor, perform any of the methods described above.
An embodiment of the application provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it performs any of the methods described above.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the application and should not be regarded as limiting its scope, and that those skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a flowchart illustrating steps of a method for intercepting a cracking behavior according to an embodiment of the present disclosure;
fig. 2 is a flowchart illustrating steps of another intercepting method according to an embodiment of the present disclosure;
fig. 3 is a functional block diagram of a security gateway device according to an embodiment of the present application;
fig. 4 shows a possible structure of an electronic device provided in an embodiment of the present application.
Reference numerals: 1 monitoring module, 2 first interception module, 3 second interception module, 4 table construction module, 5 alarm log module, 61 processor, 62 memory, 63 communication interface, 64 communication bus.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Referring to fig. 1, fig. 1 is a flowchart of the steps of a method for intercepting cracking behaviors according to an embodiment of the application. The method is applied to a security gateway and comprises:
step 100, monitoring the traffic of each service (for example FTP, telnet and SMTP services) to identify cracking behaviors, and, when a cracking behavior aimed at a first service is detected, executing the following steps 200-500:
step 200, acquiring a first login message sent by the attacker responsible for the cracking behavior, and intercepting the first login message;
step 300, forging a response message corresponding to the first login message and sending it to the attacker;
step 400, recording the first login user name and the first password carried in the first login message; and
step 500, recording the attacker's IP address in an IP blacklist and discarding the first login message.
In this embodiment, brute-force cracking behaviors are detected by monitoring the traffic of each service. When one is detected, the currently acquired first login message is intercepted, a response message indicating that the first login message logged in successfully is forged, and the forged response is sent to the attacker so that the attacker misjudges the result. In addition, the first login user name and first password of the first login message are recorded, so that when the attacker switches IP address and tries to log in with that user name and password, the malicious login can be identified quickly and the attack from the new IP address blocked as early as possible. Finally, the attacker's IP address is recorded in an IP blacklist, so that the attacker is prevented from continuing the cracking behavior.
In some optional embodiments, referring to fig. 2, which is a flowchart of the steps of another interception method according to an embodiment of the application, the method further comprises:
step 600, acquiring a second login message aimed at the first service;
step 700, judging whether the second login user name and second password of the second login message are the same as the first login user name and first password, and if so proceeding to step 800;
step 800, identifying the sender of the second login message as the attacker, recording the sender's IP address in the IP blacklist, and discarding the second login message.
In this embodiment, when a brute-force cracking behavior is detected, the first login user name and first password in the attacker's first login message are recorded, and the first login message is answered with a response message that makes the attacker believe the login succeeded. If the attacker then switches IP address and tries to log in with the first login user name and first password, the security gateway quickly identifies the IP address the attacker is now using and blocks the attack promptly.
In some alternative embodiments, before step 600, the traffic of the first service is also monitored to identify cracking behaviors:
if no cracking behavior aimed at the first service is detected, step 600 is executed to identify whether the login is the attacker's attempt to log in from a replaced IP address with the first login user name and first password;
if a cracking behavior aimed at the first service is detected, steps 200-500 are executed and the current login user name and password are recorded, so that the attacker can be identified when trying to log in from a replaced IP address.
In some optional embodiments, forging a response message corresponding to the first login message and sending it to the attacker comprises:
constructing the layer-2 header of the forged message, wherein the destination MAC address of the forged message is the source MAC address of the first login message, and the source MAC address of the forged message is the destination MAC address of the first login message;
constructing the layer-3 header of the forged message, wherein the source IP address of the forged message is the IP address of the first service, the destination IP address of the forged message is the IP address of the attacker, and the protocol of the forged message is TCP (transmission control protocol);
constructing the TCP header of the forged message, wherein the source port of the forged message is the port of the first service, the destination port of the forged message is the attacker's port, the seq of the forged message is the ack of the login message, and the ack of the forged message is the seq of the login message plus the length of the login message; in TCP the ack acknowledges the data received so far, and the peer next sends data starting at the acknowledged offset, so that no data is regarded as lost;
constructing the application-layer content of the forged message as the successful-login response of the application-layer protocol, for example "230 User logged in." for the FTP protocol.
In this embodiment, the forged response message is sent to the attacker so that the attacker believes the brute-force attempt succeeded. Because the attacker's current IP address has been recorded in the IP blacklist, the attacker is very likely to switch IP address and try to log in with the first login user name and first password that appeared to succeed. The security gateway therefore only needs to watch for subsequent attempts to log in with the first login user name and first password in order to identify the attacker's activity.
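The following Python is an added example, not code from the patent or from Topsec: it computes the fields of the forged success response exactly as the four construction steps above prescribe (layer-2, layer-3 and TCP endpoints swapped, seq = ack of the login message, ack = seq of the login message plus its length, FTP "230" banner as payload). The Packet structure, the constructed sample login, the SMTP banner and the documentation addresses are assumptions; nothing is sent on the wire.

```python
from dataclasses import dataclass

# Application-layer "login succeeded" replies. The FTP reply is the one the patent
# names; the SMTP reply (RFC 4954) is an added assumption for a second service.
SUCCESS_REPLIES = {
    "ftp": b"230 User logged in.\r\n",
    "smtp": b"235 2.7.0 Authentication successful\r\n",
}


@dataclass(frozen=True)
class Packet:
    """Hypothetical, simplified view of the fields the gateway reads from a
    captured TCP segment: layer-2 MACs, layer-3 IPs, TCP ports, seq/ack, payload."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    payload: bytes


def forge_success_response(login: Packet, protocol: str) -> Packet:
    """Build the forged response the patent describes for an intercepted login
    message: swap layer-2, layer-3 and TCP endpoints, set seq to the login's ack
    (the next byte the attacker expects from the service) and ack to the login's
    seq plus its payload length (acknowledging everything the attacker sent)."""
    if protocol not in SUCCESS_REPLIES:
        raise ValueError(f"no success reply known for protocol {protocol!r}")
    if not login.payload:
        # A bare ACK carries no login data; there is nothing to answer.
        raise ValueError("login message has no application-layer payload")
    return Packet(
        src_mac=login.dst_mac, dst_mac=login.src_mac,      # layer-2 swap
        src_ip=login.dst_ip, dst_ip=login.src_ip,          # layer-3 swap
        src_port=login.dst_port, dst_port=login.src_port,  # TCP port swap
        seq=login.ack,
        ack=(login.seq + len(login.payload)) & 0xFFFFFFFF,  # 32-bit wrap-around
        payload=SUCCESS_REPLIES[protocol],
    )


def client_would_accept(login: Packet, reply: Packet) -> bool:
    """Sanity check from the attacker's side: the reply must be addressed back to
    the login's sender, start at the byte the attacker expects next, and
    acknowledge exactly the data the attacker sent. The real service must never
    see the login (the gateway discards it, step 500), otherwise two conflicting
    replies would reach the attacker."""
    expected_ack = (login.seq + len(login.payload)) & 0xFFFFFFFF
    return (
        reply.dst_ip == login.src_ip and reply.dst_port == login.src_port
        and reply.src_ip == login.dst_ip and reply.src_port == login.dst_port
        and reply.seq == login.ack
        and reply.ack == expected_ack
    )


# Constructed sample: an FTP PASS command from an attacker at 203.0.113.5 to a
# service at 192.0.2.10:21 (documentation addresses, not real hosts).
SAMPLE_LOGIN = Packet(
    src_mac="02:00:00:00:00:aa", dst_mac="02:00:00:00:00:bb",
    src_ip="203.0.113.5", dst_ip="192.0.2.10",
    src_port=51000, dst_port=21,
    seq=1000, ack=5000,
    payload=b"PASS hunter2\r\n",
)

if __name__ == "__main__":
    reply = forge_success_response(SAMPLE_LOGIN, "ftp")
    print(reply)
    print("accepted by client stack:", client_would_accept(SAMPLE_LOGIN, reply))
```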
In some optional embodiments, before recording the first login user name and first password in the first login message, the method further comprises: constructing a service pseudo-account table, which stores the first login user name, the first password, and the IP address and port number of the first service.
In this embodiment, the key of the service pseudo-account table is the IP address and port number of the attacked service, and the value is the login user name, the password and the entry's timeout time. If the attacker tries to log in from a replaced IP address, the malicious login can be detected by looking up the service pseudo-account table; at the same time, the attacker's brute-force attack is disrupted and the user's information is protected.
In some optional embodiments, after the attacker's IP address is recorded in the IP blacklist, the method further comprises: recording, in an alarm log, the act of adding the attacker's IP address to the IP blacklist.
In this embodiment, the addition of the attacker's IP address to the IP blacklist is recorded in the alarm log, so that a user or maintenance person can check the alarm log to judge whether the cracking behavior was a false positive, or manually unblock the IP address where information security is assured.
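The following Python is an added example, not code from the patent or from Topsec, that ties together steps 400-500, steps 600-800, the service pseudo-account table keyed by (service IP, port) with an entry timeout, and the alarm log described above. The class and method names, the LoginAttempt structure, the entry TTL and the sample addresses are assumptions; detection of the brute force itself (step 100) and the forged reply (step 300) are assumed to be handled by other components that act on the returned verdict.

```python
from dataclasses import dataclass, field


@dataclass
class PseudoAccount:
    """Value of a service pseudo-account table entry (the patent stores the
    password itself; a salted hash would serve the equality check equally)."""
    username: str
    password: str
    expires_at: float   # absolute time at which the entry times out


@dataclass(frozen=True)
class LoginAttempt:
    """Hypothetical view of a login message after application-layer parsing."""
    src_ip: str
    service_ip: str
    service_port: int
    username: str
    password: str


@dataclass
class CrackingInterceptor:
    """Pseudo-account table, IP blacklist and alarm log of the patented gateway."""
    entry_ttl: float = 3600.0                                 # table item timeout
    pseudo_accounts: dict = field(default_factory=dict)       # (service_ip, port) -> PseudoAccount
    ip_blacklist: set = field(default_factory=set)
    alarm_log: list = field(default_factory=list)

    def _blacklist(self, ip: str, reason: str, now: float) -> None:
        self.ip_blacklist.add(ip)
        # The alarm log lets an operator spot a false positive and unblock the IP.
        self.alarm_log.append({"time": now, "ip": ip, "reason": reason})

    def on_cracking_detected(self, attempt: LoginAttempt, now: float) -> str:
        """Steps 400-500 for the first login message of a detected attack: record
        its credentials under the attacked service, blacklist the source, and
        tell the data path to answer with a forged success and discard the message."""
        key = (attempt.service_ip, attempt.service_port)
        self.pseudo_accounts[key] = PseudoAccount(
            attempt.username, attempt.password, now + self.entry_ttl)
        self._blacklist(attempt.src_ip, "brute-force cracking detected", now)
        return "forge-success-and-drop"

    def on_login(self, attempt: LoginAttempt, now: float) -> str:
        """Steps 600-800 for any later login message: drop it if the sender is
        already blacklisted, or if it reuses exactly the credentials recorded for
        that service before the entry times out (the attacker on a new IP).
        A legitimate user whose real credentials happen to equal the recorded
        pair is dropped too; that is the false positive the alarm log surfaces."""
        if attempt.src_ip in self.ip_blacklist:
            return "drop"
        key = (attempt.service_ip, attempt.service_port)
        entry = self.pseudo_accounts.get(key)
        if entry is None:
            return "forward"
        if now >= entry.expires_at:
            del self.pseudo_accounts[key]   # expired entry no longer matches
            return "forward"
        if (attempt.username, attempt.password) == (entry.username, entry.password):
            self._blacklist(attempt.src_ip, "reuse of pseudo-account credentials", now)
            return "drop"
        return "forward"


if __name__ == "__main__":
    # Constructed scenario with documentation addresses (not real hosts).
    gw = CrackingInterceptor(entry_ttl=600.0)
    first = LoginAttempt("203.0.113.5", "192.0.2.10", 21, "admin", "123456")
    print(gw.on_cracking_detected(first, now=1000.0))
    retry = LoginAttempt("203.0.113.77", "192.0.2.10", 21, "admin", "123456")
    print(gw.on_login(retry, now=1100.0), gw.alarm_log)
```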
Referring to fig. 3, fig. 3 is a functional block diagram of a security gateway apparatus according to an embodiment of the present application, where the apparatus includes a monitoring module 1 and a first intercepting module 2.
The monitoring module 1 is used for monitoring the flow of each service to identify cracking behaviors. A first intercepting module 2, configured to, when a cracking behavior for the first service is detected, perform the following steps: acquiring a first login message sent by an attacker corresponding to the cracking behavior, and intercepting the first login message; forging a corresponding response message for the first login message and sending the response message to an attacker; recording a first login user name and a first password in the first login message; and recording the ip address of the attacker into an ip blacklist, and discarding the first login message.
In the embodiment of the application, the monitoring module 1 is used for monitoring the flow of each service to detect the brute force cracking behavior. When a brute force cracking behavior is detected, the first intercepting module 2 is used for intercepting a first login message which is obtained currently and forging a response message which is used for indicating that the first login message is successfully logged in, the forged response message is sent to an attacker to make the attacker misjudge, and a first login user name and a first password of the first login message are recorded, so that the malicious login behavior of the attacker can be quickly identified when the attacker replaces the ip and tries to log in by using the first login user name and the first password, and therefore, the behavior that the attacker replaces other ip addresses to attack can be blocked as early as possible. And finally, the first interception module 2 records the ip address of the attacker into an ip blacklist, so that the attacker is prevented from continuously implementing cracking behaviors.
In some optional embodiments, the apparatus further comprises a second interception module 3, configured to: obtain a second login message for the first service; judge whether the second login user name and second password of the second login message are the same as the first login user name and first password; and if so, identify the sender of the second login message as an attacker, record the ip address of the sender in the ip blacklist, and discard the second login message.
In this embodiment of the application, when brute-force cracking is detected, the first login user name and first password in the attacker's first login message are recorded, and a response message that makes the attacker believe the login succeeded is returned for the first login message. If the attacker then changes ip address and tries to log in with the first login user name and first password, the second intercepting module 3 identifies the attack immediately, records the ip address the attacker is now using in the ip blacklist, and blocks the attack.
In some optional embodiments, the first intercepting module 2 is further configured to: construct the layer-2 header of the forged message, wherein the destination mac address of the forged message is the source mac of the first login message and the source mac address of the forged message is the destination mac of the first login message; construct the layer-3 header of the forged message, wherein the source ip address of the forged message is the ip address of the first service, the destination ip address of the forged message is the ip address of the attacker, and the protocol of the forged message is tcp (transmission control protocol); construct the tcp header of the forged message, wherein the source port number of the forged message is the port number of the first service, the destination port number of the forged message is the port number of the attacker, the seq of the forged message is the ack of the login message, and the ack of the forged message is the sum of the seq of the login message and the length of the login message; and construct the application-layer content of the forged message as the successful-login content of the application-layer protocol.
In this embodiment of the application, the first interception module 2 sends the forged response message to the attacker so that the attacker believes the brute-force attempt succeeded. Because the attacker's current ip address has been recorded in the ip blacklist, the attacker is most likely to switch ip address and try to log in with the first login user name and first password they wrongly believe to be valid. The security gateway therefore only needs to monitor subsequently for login attempts using the first login user name and first password in order to identify the attacker's behavior.
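As an added illustration (not the patent's own code), the following Python derives the forged response header fields described above from an intercepted login message. The MAC and ip addresses, ports, sequence numbers and the FTP payload are constructed sample values, and the 32-bit wrap-around of the ack field is an added detail the text does not state.

```python
from dataclasses import dataclass

TCP_PROTO = 6          # IP protocol number for tcp
SEQ_MOD = 1 << 32      # tcp sequence numbers wrap at 2^32

@dataclass(frozen=True)
class LoginMessage:
    """Header fields of the intercepted first login message."""
    src_mac: str
    dst_mac: str
    src_ip: str        # attacker
    dst_ip: str        # first service
    src_port: int      # attacker port
    dst_port: int      # first service port
    seq: int
    ack: int
    payload: bytes     # application-layer login request

@dataclass(frozen=True)
class ForgedResponse:
    """Header fields of the forged 'login succeeded' reply."""
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    seq: int
    ack: int
    payload: bytes

def forge_success_response(login: LoginMessage, success_body: bytes) -> ForgedResponse:
    """Mirror the layer-2/3/4 fields as the embodiment describes; seq/ack keep the reply inside the attacker's connection."""
    return ForgedResponse(
        dst_mac=login.src_mac,       # layer 2: destination mac = source mac of login message
        src_mac=login.dst_mac,       #          source mac = destination mac of login message
        src_ip=login.dst_ip,         # layer 3: source ip = ip of the first service
        dst_ip=login.src_ip,         #          destination ip = attacker's ip
        proto=TCP_PROTO,
        src_port=login.dst_port,     # layer 4: source port = port of the first service
        dst_port=login.src_port,     #          destination port = attacker's port
        seq=login.ack,               # seq of forged message = ack of login message
        ack=(login.seq + len(login.payload)) % SEQ_MOD,  # ack = seq + length, with 32-bit wrap
        payload=success_body,        # application layer: the protocol's successful-login content
    )

def acknowledges_login(login: LoginMessage, reply: ForgedResponse) -> bool:
    """Check before emitting: a reply that does not acknowledge exactly the attacker's bytes is discarded by their tcp stack."""
    return reply.seq == login.ack and reply.ack == (login.seq + len(login.payload)) % SEQ_MOD

def example_forge() -> ForgedResponse:
    """Constructed sample: an ftp PASS command from 203.0.113.5 to a service at 192.0.2.21:21."""
    login = LoginMessage(
        src_mac="02:00:00:00:00:aa", dst_mac="02:00:00:00:00:bb",
        src_ip="203.0.113.5", dst_ip="192.0.2.21",
        src_port=51234, dst_port=21,
        seq=1000, ack=5000, payload=b"PASS hunter2\r\n",   # 14 bytes of login payload
    )
    return forge_success_response(login, b"230 Login successful.\r\n")
```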
In some optional embodiments, the apparatus further comprises a table building module 4, used to build a service pseudo-account table, which stores the first login user name, the first password, and the ip address and port number of the first service.
In this embodiment of the application, in the service pseudo-account table built by the table building module 4, the key is the ip address and port number of the attacked service and the value is the login user name, the password and the entry timeout time. If an attacker tries to log in from a different ip address, the malicious login is detected via the service pseudo-account table; at the same time, the user's information security is protected by disrupting the attacker's brute-force attempt.
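The pseudo-account table described here, together with the second-interception matching described earlier, modelled in Python as an added example (not the patent's implementation); the service address, attacker ip addresses, credentials and 600-second entry timeout are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class PseudoAccountGateway:
    """Gateway state: a service pseudo-account table keyed by (service ip, port) whose value is
    (user name, password, entry timeout), an ip blacklist, and an alarm log of blacklisting events."""
    ttl_seconds: float = 600.0                          # constructed entry timeout
    pseudo_accounts: dict = field(default_factory=dict)  # (ip, port) -> (user, pwd, expires_at)
    ip_blacklist: set = field(default_factory=set)
    alarm_log: list = field(default_factory=list)

    def _blacklist(self, ip, reason, now):
        # Alarm log module: every blacklisting is logged so an operator can
        # review false positives and unblock an ip manually.
        self.ip_blacklist.add(ip)
        self.alarm_log.append(f"t={now:.0f} blacklisted {ip}: {reason}")

    def handle_login(self, src_ip, svc_ip, svc_port, user, pwd, now, cracking_detected):
        """Decide the action for one login message: 'drop', 'forge_success_and_drop' or 'forward'."""
        if src_ip in self.ip_blacklist:
            return "drop"
        key = (svc_ip, svc_port)
        entry = self.pseudo_accounts.get(key)
        if entry is not None and entry[2] <= now:      # expired entry is forgotten
            del self.pseudo_accounts[key]
            entry = None
        # Second interception: credentials equal the recorded pseudo account, so the
        # attacker has changed ip; blacklist the new ip and drop the message.
        if entry is not None and (user, pwd) == (entry[0], entry[1]):
            self._blacklist(src_ip, "login with pseudo-account credentials", now)
            return "drop"
        # First interception: the monitoring module flagged cracking against this service.
        if cracking_detected:
            self.pseudo_accounts.setdefault(key, (user, pwd, now + self.ttl_seconds))
            self._blacklist(src_ip, "brute-force cracking detected", now)
            return "forge_success_and_drop"   # forged success reply is sent, real message dropped
        return "forward"

def run_scenario():
    """Constructed sequence of login messages against an ftp service at 192.0.2.21:21."""
    gw = PseudoAccountGateway(ttl_seconds=600.0)
    svc = ("192.0.2.21", 21)
    actions = [
        gw.handle_login("203.0.113.5", *svc, "admin", "guess42", 0.0, cracking_detected=True),
        gw.handle_login("203.0.113.5", *svc, "admin", "guess43", 5.0, cracking_detected=True),
        gw.handle_login("198.51.100.7", *svc, "admin", "guess42", 60.0, cracking_detected=False),
        gw.handle_login("192.0.2.10", *svc, "alice", "correct-horse", 90.0, cracking_detected=False),
        gw.handle_login("198.51.100.8", *svc, "admin", "guess42", 700.0, cracking_detected=False),
    ]
    return gw, actions
```

The entry timeout and the alarm log are the recovery path the text provides for false positives, which is why the model keeps both instead of blacklisting unconditionally.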
In some optional embodiments, the apparatus further comprises an alarm log module 5, used to record in the alarm log the action of adding the attacker's ip address to the ip blacklist.
In this embodiment of the application, the alarm log module 5 records in the alarm log the action of adding the attacker's ip address to the ip blacklist, so that a user or maintainer can query the alarm log to judge whether the detected cracking behavior was a false positive, or manually unblock the ip address once information security is assured.
Fig. 4 shows a possible structure of an electronic device provided in an embodiment of the present application. Referring to fig. 4, the electronic device includes: a processor 61, a memory 62, and a communication interface 63, which are interconnected and in communication with each other via a communication bus 64 and/or other form of connection mechanism (not shown).
The memory 62 includes one or more memories (only one is shown in the figure), which may be, but are not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The processor 61, and possibly other components, may access, read from, and/or write to the memory 62.
The processor 61 includes one or more processors (only one is shown), which may be an integrated circuit chip having signal processing capabilities. The processor 61 may be a general-purpose processor, including a Central Processing Unit (CPU), a Micro Control Unit (MCU), a Network Processor (NP), or other conventional processors; it may also be a dedicated processor, including a Neural-Network Processing Unit (NPU), a Graphics Processing Unit (GPU), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. When there are several processors 61, some may be general-purpose processors and others dedicated processors.
The communication interface 63 includes one or more interfaces (only one is shown) that can be used to communicate directly or indirectly with other devices for data exchange. The communication interface 63 may include interfaces for wired and/or wireless communication.
One or more computer program instructions may be stored in the memory 62, and the processor 61 may read and execute the computer program instructions to implement the interception method provided by the embodiment of the present application.
It will be appreciated that the configuration shown in fig. 4 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 4 or may have a different configuration than shown in fig. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof. The electronic device may be a physical device, such as a PC, a laptop, a tablet, a cell phone, a server, an embedded device, etc., or may be a virtual device, such as a virtual machine, a virtualized container, etc. The electronic device is not limited to a single device, and may be a combination of a plurality of devices or a cluster including a large number of devices.
The embodiment of the present application further provides a computer-readable storage medium, where computer program instructions are stored on the computer-readable storage medium, and when the computer program instructions are read and executed by a processor of a computer, the interception method provided by the embodiment of the present application is executed. The computer readable storage medium may be embodied as the memory 62 in the electronic device of fig. 4, for example.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist alone, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made to the present application by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A method for intercepting cracking behaviors, applied to a security gateway and comprising the following steps:
monitoring the traffic of each service to identify cracking behaviors, and when a cracking behavior against a first service is detected, executing the following steps:
acquiring a first login message sent by an attacker corresponding to the cracking behavior, and intercepting the first login message;
forging a corresponding response message for the first login message and sending the response message to the attacker;
recording a first login user name and a first password in the first login message; and
recording the ip address of the attacker into an ip blacklist, and discarding the first login message.
2. The method of claim 1, further comprising:
acquiring a second login message for the first service;
judging whether a second login user name and a second password of the second login message are the same as the first login user name and the first password;
if so, identifying the sender of the second login message as an attacker, recording the ip address of the sender into an ip blacklist, and discarding the second login message.
3. The method of claim 1, wherein forging a corresponding response message for the first login message and sending the response message to the attacker comprises:
constructing a layer-2 header of the forged message, wherein the destination mac address of the forged message is the source mac of the first login message, and the source mac address of the forged message is the destination mac of the first login message;
constructing a layer-3 header of the forged message, wherein the source ip address of the forged message is the ip address of the first service, the destination ip address of the forged message is the ip address of the attacker, and the protocol of the forged message is the tcp protocol;
constructing a tcp header of the forged message, wherein the source port number of the forged message is the port number of the first service, the destination port number of the forged message is the port number of the attacker, the seq of the forged message is the ack of the login message, and the ack of the forged message is the sum of the seq of the login message and the length of the login message; and
constructing the application-layer content of the forged message as the successful-login content of the application-layer protocol.
4. The method of claim 1, wherein prior to recording the first login username and the first password in the first login message, the method further comprises:
constructing a service pseudo account table, wherein the service pseudo account table is used for storing the first login user name, the first password, and the ip and port number of the first service.
5. The method of claim 1, wherein after recording the ip address of the attacker into the ip blacklist, the method further comprises:
recording the action of adding the ip address of the attacker to the ip blacklist in an alarm log.
6. A security gateway apparatus, the apparatus comprising:
a monitoring module, used for monitoring the traffic of each service so as to identify cracking behaviors; and
a first interception module, used for executing the following steps when a cracking behavior against a first service is detected:
acquiring a first login message sent by an attacker corresponding to the cracking behavior, and intercepting the first login message;
forging a corresponding response message for the first login message and sending the response message to an attacker;
recording a first login user name and a first password in the first login message; and
recording the ip address of the attacker into an ip blacklist, and discarding the first login message.
7. The apparatus of claim 6, wherein the apparatus further comprises:
a second interception module, used for acquiring a second login message for the first service;
judging whether a second login user name and a second password of a second login message are the same as the first login user name and the first password;
if yes, identifying the sender of the second login message as an attacker, recording the ip address of the sender into an ip blacklist, and discarding the second login message.
8. The apparatus of claim 6, wherein the first interception module is further configured to:
construct a layer-2 header of the forged message, wherein the destination mac address of the forged message is the source mac of the first login message, and the source mac address of the forged message is the destination mac of the first login message;
construct a layer-3 header of the forged message, wherein the source ip address of the forged message is the ip address of the first service, the destination ip address of the forged message is the ip address of the attacker, and the protocol of the forged message is the tcp protocol;
construct a tcp header of the forged message, wherein the source port number of the forged message is the port number of the first service, the destination port number of the forged message is the port number of the attacker, the seq of the forged message is the ack of the login message, and the ack of the forged message is the sum of the seq of the login message and the length of the login message; and
construct the application-layer content of the forged message as the successful-login content of the application-layer protocol.
9. The apparatus of claim 6, wherein the apparatus further comprises:
a table building module, used for building a service pseudo account table, wherein the service pseudo account table is used for storing the first login user name, the first password, and the ip and port number of the first service.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 5.

Priority Application (1)

Application Number: CN202210938534.3A
Priority Date: 2022-08-05
Filing Date: 2022-08-05
Title: Interception method of cracking behaviors and security gateway device
Status: Pending

Publication (1)

Publication Number: CN115314285A (en)
Publication Date: 2022-11-08

Family

ID=83861723

Country Status (1)

CN (1) CN115314285A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116992433A (en) * 2023-09-28 2023-11-03 江苏友谱信息科技有限公司 Password cracking attack detection method and assembly based on WEB application system
CN116992433B (en) * 2023-09-28 2023-12-01 江苏友谱信息科技有限公司 Password cracking attack detection method and assembly based on WEB application system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination