CN115314425A - Network scanning device - Google Patents


Info

Publication number: CN115314425A
Authority: CN (China)
Prior art keywords: data packet, packet, editor, network scanning, processing module
Legal status: Granted
Application number: CN202210822656.6A
Other languages: Chinese (zh)
Other versions: CN115314425B (en)
Inventors: 徐明伟, 张梦豪, 李冠宇, 郭诚, 包涵
Current assignee: Tsinghua University
Original assignee: Tsinghua University

Events:
Application filed by Tsinghua University
Priority to CN202210822656.6A
Publication of CN115314425A
Application granted
Publication of CN115314425B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/12 Network monitoring probes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/14 Arrangements for monitoring or testing data switching networks using software, i.e. software packages
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a network scanning device comprising a control module and a data processing module. The control module inputs a template data packet into the data processing module; the data processing module accelerates the template data packet to a preset line speed, copies the line-speed data packet, edits the packet header of each copy to generate a probe data packet, and sends the probe data packets out for network scanning, so that high-speed scanning can be achieved.

Description

Network scanning device
Technical Field
The present application relates to the field of internet technologies, and in particular, to a network scanning device.
Background
Network scanning is a typical way to discover active hosts, ports, and services in a network, primarily for use by network administrators or researchers to perform security assessments and maintenance of the network. Network scanning has become a standard measurement technique to understand host behavior in a target network and even the entire internet, with scanning tools such as Nmap, ZMap, and Masscan. The network scanning technology plays an irreplaceable role in the fields of discovering new security vulnerabilities, monitoring service deployment, recognizing opaque distributed systems and the like.
Today, with the rapid expansion of the scanning space and the frequent occurrence of security events, existing network scanning tools find it increasingly difficult to keep up with this trend. With the recent large-scale deployment of IPv6 networks and the widespread adoption of IoT (Internet of Things) devices and mobile devices, the scanning space that a network scanner has to handle keeps growing, which places high demands on the scalability of the scanner. Meanwhile, because IoT and mobile devices frequently go online and offline, the network is highly dynamic, which requires the scanner to complete a comprehensive scan as quickly as possible; otherwise some security events cannot be captured and important security incidents may be missed.
However, today's network scanners are slow and struggle to meet the scalability and fast-scan requirements described above. Even the most advanced network scanner, Zippier ZMap, only achieves a throughput of 10 Gbps and a rate of 14.2 Mpps. The underlying reason lies in the implementation and the deployment location of existing network scanners. First, in terms of implementation, current network scanners run on commodity servers. Since a server CPU is not designed for high-speed packet processing, these CPU-based scanners are limited in scanning speed and cannot cover a large scanning space in time. Second, in terms of deployment location, all current network scanners sit on end hosts at the edge of the network. Scanning from the network edge is typically limited by the end host's upstream bandwidth, which inevitably caps the maximum scanning speed. In addition, probing along an end-to-end path means that more bandwidth is consumed in the network and probe/response packets are more likely to be dropped.
Disclosure of Invention
In view of the above problems, the present application provides a network scanning device.
The network scanning device provided by the application is applied to a switch and includes:
a control module and a data processing module, wherein the control module is used for inputting a template data packet into the data processing module, and the data processing module is used for accelerating the template data packet to a preset line speed, copying the line-speed data packet, editing the packet header of each copied data packet to generate a probe data packet, and sending the probe data packet out for network scanning.
In some embodiments, the data processing module comprises:
an accelerator for accelerating the template data packet to a preset line speed;
a duplicator for duplicating the line-speed data packet and forwarding the duplicated data packets in parallel to designated ports;
an editor for acquiring the copied data packet from each designated port and modifying it to obtain a probe data packet;
and a sending unit for sending the probe data packet out.
In some embodiments, the control module includes an entry generator, the editor is further configured to store a probe IP range table, the entry generator is configured to perform random permutation based on at least some probe IP addresses in the probe IP range table and fill entries, and the editor is further configured to obtain a random IP address from the entries and modify a packet based on the random IP address to obtain a probe packet.
In some embodiments, the entries comprise a first register array and a second register array, and the entry generator is used for randomly permuting probe IP addresses based on at least part of the probe IP range table and filling the second register array while the editor obtains random IP addresses from the first register array.
In some embodiments, the data processing module is further configured to send a completion signal to an entry generator after the editor has obtained the random IP address in the first register array, and the entry generator fills the first register array when receiving the completion signal.
In some embodiments, the control module is further configured to set a time threshold, and the data processing module further comprises a throttle for controlling, based on the time threshold, whether the replicator replicates the packets accelerated to the preset line speed to the editor.
In some embodiments, the editor is further configured to edit the key into a header of each data packet to generate a probe data packet; the data processing module further comprises: and the verifier is used for determining whether the received data packet is a response data packet of the probe data packet or not based on the secret key.
In some embodiments, the control module further comprises: a key generating unit, configured to periodically update the key.
In some embodiments, the data processing module further comprises a key storage unit for storing keys of at least 3 periods, each key having an index code; the editor is further used for editing the index code into the packet header of each data packet, and the verifier is further used for determining, based on the key and the index code, whether a received data packet is a response data packet to the probe data packet.
In some embodiments, the switch is a programmable switch.
The application provides a network scanning device comprising a control module and a data processing module. The control module inputs a template data packet into the data processing module; the data processing module accelerates the template data packet to a preset line speed, copies the line-speed data packet, edits the packet header of each copy to generate a probe data packet, and sends the probe data packets out for network scanning, so that high-speed scanning can be achieved.
Drawings
The present application will be described in more detail below on the basis of embodiments and with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a network scanning apparatus according to an embodiment of the present disclosure;
fig. 2 is a schematic diagram illustrating a generation process of a probe packet according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram of a key updating process according to an embodiment of the present application.
In the drawings, like parts are designated with like reference numerals, and the drawings are not drawn to scale.
Detailed Description
In order to make the objectives, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the attached drawings, the described embodiments should not be considered as limiting the present application, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts shall fall within the protection scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
The terms "first", "second" and "third", where they appear in the application file, are used only to distinguish similar objects and do not represent a specific ordering of those objects; it should be understood that "first", "second" and "third" may be interchanged where a specific order or sequence permits, so that the embodiments of the present application described herein can be implemented in an order other than that shown or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the application.
Based on the problems in the related art, an embodiment of the present application provides a network scanning apparatus applied to a switch. Fig. 1 is a schematic structural diagram of the network scanning apparatus provided in the embodiment of the present application. As shown in fig. 1, the network scanning apparatus includes a control module 101 and a data processing module 102, wherein the control module 101 is used for inputting a template data packet into the data processing module, and the data processing module 102 is used for accelerating the template data packet to a preset line speed, copying the line-speed data packet, editing the packet header of each copied data packet to generate a probe data packet, and sending the probe data packet out for network scanning.
In the embodiment of the application, the switch is a programmable switch, and the programmable switch can provide the advantages of high-speed message processing capability, programmable capability and deployment position, so that high-speed and safe network scanning is realized.
In the embodiment of the application, the control module may be the CPU of the switch and the data processing module may be the switch chip. Because the switch chip cannot generate data packets on its own, the approach adopted is that the switch CPU injects template data packets and the switch chip modifies them to produce high-speed probe packets.
In some embodiments, the data processing module comprises:
an accelerator for accelerating the template data packet to a preset line speed; a duplicator for duplicating the line-speed data packet and forwarding the duplicated data packets in parallel to designated ports; an editor for acquiring the copied data packet from each designated port and modifying it to obtain a probe data packet; and a sending unit for sending the probe data packet out.
Fig. 2 is a schematic diagram of a generation flow of a probe packet according to an embodiment of the present invention, and as shown in fig. 2, a switch CPU first prepares a group of template packets with initialization headers and injects them into a switch chip. After receiving these template packets, the Switch chip continues to loop through the Switch pipeline (Switch pipeline). In the switching pipe, each packet goes through three successive elements: an Accelerator (Accelerator) that accelerates a template packet to a line speed of 100Gbps, a Replicator (Replicator) that replicates the template packet to a plurality of switch ports, and an Editor (Editor) that edits the replicated template packet header into a desired probe packet. After editing, the sending unit sends out the detection data packet.
In the embodiment of the application, the accelerator is located on an Ingress pipeline (Ingress pipeline) of the switch chip, and maintains the accelerated circulation of the template packets by injecting the packets into a recirculation port (recirculation port). A recirculation port is a special port in the switch pipe where an injected packet will be immediately sent back to the ingress pipe. Thus, we have obtained a 100Gbps stable line-speed source of packets for the replicator after injecting a set of template packets to fill the switch pipe.
The replicator is located in the Traffic Manager, takes the template packets from the accelerator as input, and uses the Packet Replication Engine to replicate these packets to a given set of ports. The packet replication engine is a hardware component in the traffic manager that is widely supported by current programmable switches. By configuring a set of ports for multicast from the control module, incoming packets are replicated and forwarded in parallel to that set of ports. The template packets from the accelerator keep circulating through the switch pipeline to ensure a stable line-rate packet source for the replicator, and the replicated template packets are further processed by the editor.
The editor resides in the Egress pipe (Egress pipeline) and is responsible for modifying the replicated template packets into the required probe packets. The header may be set to a given value, such as a constant or a value from a register, as long as the packet header can be parsed by the programmable switch. To convert the copied template packet into a probe packet, some header fields (e.g., destination IP address, destination port) need to be modified by the editor, while other fields (e.g., protocol type, source IP address) inherit from the template packet originally created by the switch CPU.
After the template packets have passed through the accelerator, the duplicator and the editor, a continuous stream of probe packets is obtained at line rate on a plurality of egress ports.
In some embodiments, the control module includes an entry generator, the editor is further configured to store a probe IP range table, the entry generator is configured to perform random permutation based on at least some probe IP addresses in the probe IP range table and fill entries, and the editor is further configured to obtain a random IP address from the entries and modify a packet based on the random IP address to obtain a probe packet.
In the embodiment of the present application, the network probing apparatus (IMap) should be able to generate probe packets that completely cover the scanning space (i.e., |address space| × |port space|), and support adjusting the scanning rate according to network conditions. To fully cover the scan address space, an intuitive approach is to scan one address at a time from the starting IP address to the ending IP address. However, simply probing IP addresses in numerical order would subject the target network to overly concentrated scanning traffic, which can produce inconsistent probing results and cause complaints from the target network. To avoid this, IMap scans addresses according to a random permutation of the address space, without duplication or omission. However, switch chips have limited programmability and memory resources and cannot support complex computation or maintain a large amount of state. The address generation method of the prior-art ZMap requires multiplication and modulo arithmetic and is therefore not feasible in a switch chip.
To solve this problem, the switch chip is supplemented with the flexibility of the switch CPU to generate probe packets with random addresses. In the editor of the switch chip, a probe IP range table (PIPR table) based on a register array is designed. In the switch CPU, an entry generator is provided, which is used for filling the table entries; the entries together form the PIPR table.
In embodiments of the present application, the PIPR entry generator may generate a random permutation of probe IP ranges for a given address space using an address generation method similar to ZMap. After the PIPR entry generator populates the PIPR table with a portion of the generated probe IP ranges, probe packets may iterate through the PIPR table to obtain random target IP addresses.
However, performing a new round of PIPR table filling is a time-consuming task: filling a PIPR table of size 65536 takes approximately 0.3 seconds. This means that after one scan round we have to wait at least 0.3 seconds before starting the next. This is unacceptable for high-speed scanning, as the intermediate wait significantly reduces the scanning rate.
Thus, in some embodiments, the entries comprise a first register array and a second register array, and the entry generator is used for randomly permuting probe IP addresses based on at least part of the probe IP range table and filling the second register array while the editor obtains random IP addresses from the first register array.
Since the scanning speed of the data plane is very high, a PIPR table whose entries each hold a single address would be scanned out quickly, so we store a probe IP range in each entry of the PIPR table. To achieve this, our PIPR table consists of two register arrays, a first register array and a second register array.
Illustratively, the first register array is the PIPR_Start array, which stores the beginning of each probe IP range; the second register array is the PIPR_End array, which stores the end of each probe IP range. Before the PIPR table, a PIPR_Index register is set for indexing the PIPR table. The CPU sets the initial value of PIPR_Index to 0; PIPR_Index is increased by 1 for each probe packet up to the size of the PIPR table, after which it is reset to 0 and another cycle begins. For the PIPR_Start array, after each packet passes, the corresponding PIPR_Start register is also incremented by 1 until it reaches the PIPR_End register. When the value of the last PIPR_Start register equals the value of the last PIPR_End register, indicating that the scan of the current PIPR table is complete, the PIPR entry generator module may populate the PIPR table with a new round of probe IP ranges.
Two PIPR tables and PIPR_Index registers are introduced. While one PIPR table is being scanned, the other is filled with the next round of probe IP ranges. To make the two PIPR tables switch seamlessly, we design a Probe_Table register in the first stage of the egress pipeline, which toggles between 0 and 1 to control the flow of probe packets. The toggling of the Probe_Table register is triggered by the completion signal of the egress-to-egress mirror primitive.
However, the above design considers only the single-port scenario and should be extended to support a port range, such as scanning from port 22 to port 80. Since the scan addresses are already highly random, scanning port by port is chosen. However, updating the Port register from the control module would contend with the high-speed probe packets already circulating in the switch pipeline. To solve this problem, a port self-increment mechanism is designed in the data module. Since the control module knows in advance how many times the PIPR table must be cycled to cover the scan address space, a Port_Stride register is designed in the switch pipeline, which the CPU fills with that number of cycles. Each time a scan of the PIPR table is completed, the corresponding counter is incremented by 1 until it reaches the value of Port_Stride. Then the Port register is incremented by 1 and the counter is reset to 0. This enables the generation of address-randomized probe packets that completely cover the scan space without overloading the target network.
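As an added illustration that is not the patent's own P4 or C code, the following Python model walks the PIPR machinery described above: two PIPR tables of PIPR_Start/PIPR_End registers, the PIPR_Index register, the Probe_Table switch driven by table completion, and the Port_Stride counter that self-increments the port. It assumes equal-sized probe IP ranges and an address space that divides evenly into tables, and uses a seeded shuffle in place of the ZMap-style permutation; TABLE_SIZE and BLOCK are small constructed values.

```python
import ipaddress
import random
from typing import Iterator, List, Tuple

TABLE_SIZE = 4   # entries per PIPR table (the text uses 65536)
BLOCK = 8        # addresses per probe IP range held by one entry (assumed)


class PIPRTable:
    """Data-plane PIPR table: PIPR_Start and PIPR_End register arrays."""

    def __init__(self, ranges: List[Tuple[int, int]]):
        self.start = [s for s, _ in ranges]   # PIPR_Start registers
        self.end = [e for _, e in ranges]     # PIPR_End registers (exclusive end, assumed)

    def next_address(self, index: int) -> int:
        # each probe packet reads PIPR_Start[index], which then advances by 1
        # until it reaches PIPR_End[index]
        addr = self.start[index]
        if self.start[index] < self.end[index]:
            self.start[index] += 1
        return addr

    def complete(self) -> bool:
        # last PIPR_Start == last PIPR_End: the current table is scanned out
        return self.start[-1] == self.end[-1]


class EntryGenerator:
    """Control-plane PIPR entry generator. A seeded shuffle of equal-sized
    blocks stands in for the ZMap-style permutation named in the text."""

    def __init__(self, network: ipaddress.IPv4Network, seed: int = 1):
        base = int(network.network_address)
        n_blocks = network.num_addresses // BLOCK
        self.blocks = [(base + i * BLOCK, base + (i + 1) * BLOCK) for i in range(n_blocks)]
        self.rng = random.Random(seed)
        self.rng.shuffle(self.blocks)
        self.pos = 0

    def rounds_per_port(self) -> int:
        # number of PIPR tables that cover the address space once: Port_Stride
        return len(self.blocks) // TABLE_SIZE

    def fill(self) -> PIPRTable:
        if self.pos >= len(self.blocks):
            self.pos = 0                      # address space done: new permutation
            self.rng.shuffle(self.blocks)
        chunk = self.blocks[self.pos:self.pos + TABLE_SIZE]
        self.pos += TABLE_SIZE
        return PIPRTable(chunk)


def probe_targets(network: ipaddress.IPv4Network, ports: range,
                  seed: int = 1) -> Iterator[Tuple[str, int]]:
    """Yield (dst_ip, dst_port) in the order the editor would stamp them."""
    gen = EntryGenerator(network, seed)
    port_stride = gen.rounds_per_port()       # Port_Stride register, set by the CPU
    tables = [gen.fill(), gen.fill()]         # both PIPR tables pre-filled
    probe_table = 0                           # Probe_Table register (0 or 1)
    pipr_index = 0                            # PIPR_Index register
    stride_counter = 0                        # completed tables for the current port
    port = ports.start                        # Port register
    while port < ports.stop:
        table = tables[probe_table]
        yield str(ipaddress.IPv4Address(table.next_address(pipr_index))), port
        pipr_index = (pipr_index + 1) % TABLE_SIZE
        if pipr_index == 0 and table.complete():
            # completion signal: the CPU refills this table while the other is
            # scanned, Probe_Table flips, and the port self-increments once
            # every Port_Stride completed tables
            tables[probe_table] = gen.fill()
            probe_table ^= 1
            stride_counter += 1
            if stride_counter == port_stride:
                stride_counter = 0
                port += 1
```

Consecutive probes come from different entries, so adjacent packets never target adjacent addresses, while each port still sees every address exactly once.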
In some embodiments, the data processing module is further configured to send a completion signal to an entry generator after the editor finishes acquiring the random IP address in the first register array, and the entry generator fills the first register array when receiving the completion signal.
In this embodiment, to send the completion signal to the CPU, an egress-to-egress mirror primitive in the switch pipeline is used, which can carry a predefined flag to the switch CPU to notify the PIPR entry generator.
In some embodiments, the control module is further configured to set a time threshold, and the data processing module further comprises a throttle for controlling, based on the time threshold, when the replicator replicates the packets accelerated to the preset line speed.
In the embodiment of the present application, in order to avoid affecting the normal routing function of the network, the IMap needs to be able to adjust the scanning rate. For this purpose, we design a rate adjustment interface in the data processing module, which can receive commands from the control module to precisely adjust the scanning rate.
In the embodiment of the application, a throttle is added in the switch chip and can be adjusted flexibly from the control module. The throttle is located in the ingress pipeline and determines when the replicator may replicate a template packet. Typically, a switch chip provides 100 Gbps packet processing capability per port and can therefore timestamp each packet at nanosecond granularity (e.g., 6 nanoseconds for a 64-byte packet). The throttle consists of two registers in the switch pipeline. The first, the timestamp register, records the timestamp of the last template packet that was successfully copied and sent to the editor. For each incoming template packet, the throttle computes the difference between the timestamp of the current packet and the timestamp recorded in the timestamp register. When the difference exceeds the time threshold, the throttle passes the template packet to the replicator and updates the recorded timestamp. The second, the rate register, stores the configurable time threshold from the control module. In the ingress pipeline, the rate register is located before the timestamp register, and the control module may fill the rate register with a specific value to implement rate control.
In some embodiments, the editor is further configured to edit the key into a header of each data packet to generate a probe data packet; the data processing module further comprises: and the verifier is used for determining whether the received data packet is a response data packet of the probe data packet or not based on the secret key.
In the embodiment of the present application, as a network scanning device located on a switch, an input of an IMap has both a data packet that needs to be forwarded normally and a response packet that responds to a probe packet. The IMap should be able to correctly distinguish between normal and response data packets. In order to distinguish the response packet from the normal packet, one method is to maintain a secret state (key) for each probe packet, and then verify whether the response packet corresponds to the secret state accordingly. However, the memory resources of the switching ASIC are limited and cannot maintain a large number of secret states.
Thus, in the embodiment of the present application, instead of maintaining state in the switch chip, the editor encodes the secret state into a variable field of each probe packet. This field should have an identifiable effect on a field of the corresponding response packet. Specifically, for TCP scanning we select the source port and the initial sequence number; for ICMP we use the ICMP identifier and sequence number; for UDP we use the source port. Taking TCP as a concrete example: in the egress pipeline, when IMap sends a probe packet, the editor sets SrcPort to hash(Key, proto, srcIP, dstIP) and SeqNo to hash(Key, proto, srcIP, dstIP, srcPort, dstPort), where Key is a key maintained in a register of the switch chip. Correspondingly, in the ingress pipeline, IMap has a verifier that examines DstPort and AckNo to determine whether a received packet is a valid response to a probe packet. ICMP scanning and UDP scanning operate similarly, with different header fields. Similar to ZMap, IMap also replies with a TCP RST to each SYN-ACK packet to close the TCP connection after the response packet has passed the verifier's check.
In some embodiments, the control module further comprises: a key generating unit, configured to periodically update the key.
In the embodiment of the present application, the hash functions supported in the switch chip (such as CRC32) are relatively simple, are not truly secure cryptographic functions, and are vulnerable to chosen-plaintext attacks. Thus an attacker could mount such an attack to recover the key and deliberately inject fake response packets to contaminate the scan results. To further strengthen the verifier and obtain uncontaminated scan results, IMap updates the key every t seconds. This greatly limits the damage from a leaked key: even if the attacker somehow obtains the current key, this knowledge becomes useless after at most t seconds.
In some embodiments, the data processing module further comprises a key storage unit for storing keys of at least 3 periods, each key having an index code; the editor is further used for editing the index code into the packet header of each data packet, and the verifier is further used for determining, based on the key and the index code, whether a received data packet is a response data packet to the probe data packet.
Simply updating the key, however, leads to inconsistent scanning results. For example, after IMap sends a probe packet, Key1 is updated to Key2. When the response packet arrives, the verifier judges the packet invalid because the current key cannot correctly verify the packet header. To address this inconsistency, IMap stores the last keys used within a certain time period. Fig. 3 is a schematic diagram of the key update process according to an embodiment of the present application. As shown in fig. 3, IMap maintains three keys (a previous key, a current key and a next key) at any given time. Every t seconds, IMap rotates the slot index through 0 to 2, and the key in slot i is used for the hash function. Each key can stay in its slot for at most 3t seconds; after 3t seconds the key is updated by the control module. Here t represents the maximum time interval between any probe packet and its corresponding response packet. The editor encodes the 2-bit slot index of the key into the header fields of the probe packet, which must also be carried back in the corresponding response packet within the connection. We encode this index into the source port for TCP/UDP and into the identifier for ICMP. Based on the slot index, the verifier can verify correctly.
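The stateless probe/response check and the three-slot key rotation, as an added Python model that is not the patent's code: the editor derives SrcPort and SeqNo from the key as the text describes, the verifier checks DstPort and AckNo of a mirrored SYN-ACK, and KeyStore.rotate() models one t-second rotation. It assumes the 2-bit slot index occupies the top two bits of the source port and uses CRC32 over a fixed field packing as the switch hash; all packets are constructed.

```python
import os
import zlib
from dataclasses import dataclass
from typing import Callable, List

PROTO_TCP = 6
SLOT_BITS = 2                       # 2-bit slot index carried in the source port
HASH_BITS = 16 - SLOT_BITS          # low 14 bits carry the keyed hash (assumed split)
HASH_MASK = (1 << HASH_BITS) - 1
SEQ_MASK = 0xFFFFFFFF


def keyed_hash(key: bytes, *fields: int) -> int:
    """CRC32 over the key and the header fields, standing in for the
    switch-supported hash named in the text (field packing is assumed)."""
    data = key + b"".join(f.to_bytes(4, "big") for f in fields)
    return zlib.crc32(data) & SEQ_MASK


@dataclass
class TcpPkt:
    src_ip: int
    dst_ip: int
    src_port: int
    dst_port: int
    seq: int
    ack: int


class KeyStore:
    """Three key slots (previous, current, next); the control module rotates
    the slot index every t seconds and replaces the key that has aged out."""

    def __init__(self, rng: Callable[[int], bytes] = os.urandom):
        self.rng = rng
        self.slots: List[bytes] = [rng(16) for _ in range(3)]
        self.cur = 0                # slot index the editor currently uses

    def rotate(self) -> None:
        self.cur = (self.cur + 1) % 3
        # the slot that just became "next" held the oldest key: refresh it
        self.slots[(self.cur + 1) % 3] = self.rng(16)


class Editor:
    """Egress side: stamps key-derived SrcPort and SeqNo into each probe."""

    def __init__(self, keys: KeyStore, src_ip: int):
        self.keys, self.src_ip = keys, src_ip

    def probe(self, dst_ip: int, dst_port: int) -> TcpPkt:
        slot = self.keys.cur
        key = self.keys.slots[slot]
        h = keyed_hash(key, PROTO_TCP, self.src_ip, dst_ip) & HASH_MASK
        src_port = (slot << HASH_BITS) | h
        seq = keyed_hash(key, PROTO_TCP, self.src_ip, dst_ip, src_port, dst_port)
        return TcpPkt(self.src_ip, dst_ip, src_port, dst_port, seq, 0)


class Verifier:
    """Ingress side: accepts a SYN-ACK only if DstPort and AckNo match the
    values derivable from the key that the packet's slot index points to."""

    def __init__(self, keys: KeyStore, scanner_ip: int):
        self.keys, self.scanner_ip = keys, scanner_ip

    def is_response(self, pkt: TcpPkt) -> bool:
        if pkt.dst_ip != self.scanner_ip:
            return False
        slot = pkt.dst_port >> HASH_BITS
        if slot > 2 or slot == (self.keys.cur + 1) % 3:
            return False            # no slot, or the "next" key never used for a probe
        key = self.keys.slots[slot]
        # the response mirrors the probe: its dst is our src, its ack is seq + 1
        want_port = keyed_hash(key, PROTO_TCP, pkt.dst_ip, pkt.src_ip) & HASH_MASK
        if (pkt.dst_port & HASH_MASK) != want_port:
            return False
        want_seq = keyed_hash(key, PROTO_TCP, pkt.dst_ip, pkt.src_ip,
                              pkt.dst_port, pkt.src_port)
        return pkt.ack == (want_seq + 1) & SEQ_MASK


def syn_ack_for(probe: TcpPkt) -> TcpPkt:
    """Constructed reply from a live target, mirroring the probe's fields."""
    return TcpPkt(probe.dst_ip, probe.src_ip, probe.dst_port, probe.src_port,
                  0x1234, (probe.seq + 1) & SEQ_MASK)
```

A response whose slot index points at a key that is neither current nor previous is rejected outright, which is what bounds the usefulness of a leaked key to the rotation window.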
In some embodiments, the switch is a programmable switch.
The network scanning device runs on a programmable switch and is divided into a data processing module and a control module. The data processing module is written in the P4 language and comprises the normal packet forwarding module, the accelerator, the duplicator, the editor, the throttle, the verifier and so on; the control module program is written in C and is responsible for initializing the corresponding data-plane table entries, sending the initial template data packets, receiving update notifications and updating the data-plane table entries/registers. At deployment, the P4 program and the C program are first compiled with the toolchain provided by the programmable switch system; the compiled C program is then run to load the P4 program into the switch chip and configure the data-plane state, after which the system enters normal operation and can perform high-speed, secure network scanning.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application. The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative; for example, the division into units is only a logical functional division, and there may be other divisions in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or in other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; they can be located in one place or distributed over a plurality of network units, and some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments may be implemented by hardware related to program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments. The aforementioned storage medium includes various media that can store program code, such as a removable memory device, a read-only memory (ROM), a magnetic disk, or an optical disk.
Alternatively, the integrated unit described above may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present application may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a controller to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a magnetic or optical disk, or other various media that can store program code.
The above description is only for the embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A network scanning apparatus, applied to a switch, the network scanning apparatus comprising: the system comprises a control module and a data processing module, wherein the control module is used for inputting a template data packet into the data processing module, the data processing module is used for accelerating the template data packet to a data packet with a preset linear speed, copying the data packet with the preset linear speed, editing a packet head of the copied data packet to generate a detection data packet, and sending the detection data packet out for network scanning.
2. The network scanning device of claim 1, wherein the data processing module comprises:
an accelerator, configured to accelerate the template data packet to a data packet with a preset line speed;
a duplicator, configured to duplicate the data packet with the preset line speed and forward the duplicated data packets in parallel to designated ports;
an editor, configured to acquire the copied data packet from each designated port and modify it to obtain a probe data packet;
and a sending unit, configured to send the probe data packet out.
3. The network scanning device of claim 2, wherein the control module comprises an entry generator, the editor is further configured to store a probe IP range table, the entry generator is configured to randomly arrange and fill entries based on at least some probe IP addresses in the probe IP range table, and the editor is further configured to obtain random IP addresses from the entries and modify packets based on the random IP addresses to obtain probe packets.
4. The network scanning device of claim 3, wherein the entry comprises a first register array and a second register array, and the entry generator is configured to, while the editor obtains random IP addresses from the first register array, randomly arrange probe IP addresses based on at least part of the probe IP range table and fill the second register array.
5. The network scanning device of claim 4, wherein the data processing module is further configured to send a completion signal to an entry generator after the editor has obtained the random IP address in the first register array, and the entry generator fills the first register array when receiving the completion signal.
6. The network scanning device of claim 2, wherein the control module is further configured to set a time threshold; the data processing module further comprises: a throttle for controlling whether the replicator replicates the packets accelerated to a preset line speed to an editor based on the time threshold.
7. The network scanning device of claim 2, wherein the editor is further configured to edit the key into a header of each data packet to generate a probe data packet; the data processing module further comprises: and the verifier is used for determining whether the received data packet is a response data packet of the probe data packet or not based on the secret key.
8. The network scanning device of claim 7, wherein the control module further comprises a key generating unit configured to periodically update the key.
9. The network scanning device of claim 8, wherein the data processing module further comprises a key storage unit configured to store keys of at least 3 periods, each key having an index code; the editor is further configured to edit the index code into the packet header of each data packet, and the verifier is further configured to determine, based on the key and the index code, whether a received data packet is a response data packet of the probe data packet.
10. A network scanning device according to any one of claims 1 to 9, wherein the switch is a programmable switch.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210822656.6A CN115314425B (en) 2022-07-12 2022-07-12 Network scanning device

Publications (2)

Publication Number Publication Date
CN115314425A true CN115314425A (en) 2022-11-08
CN115314425B CN115314425B (en) 2024-02-23

Family

ID=83857541

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013139678A1 (en) * 2012-03-20 2013-09-26 Telefonica, S.A. A method and a system for network traffic monitoring
CN103841169A (en) * 2012-11-27 2014-06-04 国际商业机器公司 Remote replication method and device
CN107579973A (en) * 2017-09-01 2018-01-12 北京知道创宇信息技术有限公司 A kind of cyberspace detection method, device and computing device
CN109104395A (en) * 2017-06-21 2018-12-28 亿阳安全技术有限公司 The method and apparatus of internet assets scanning discovery and service identification
CN110213212A (en) * 2018-05-24 2019-09-06 腾讯科技(深圳)有限公司 A kind of classification method and device of equipment
CN111427336A (en) * 2020-05-08 2020-07-17 杭州安恒信息技术股份有限公司 Vulnerability scanning method, device and equipment for industrial control system
CN113438057A (en) * 2021-06-23 2021-09-24 中宇联云计算服务(上海)有限公司 Data packet copying method, system and equipment based on SD-WAN cloud network fusion technology
CN113708979A (en) * 2021-09-29 2021-11-26 深圳市腾讯网域计算机网络有限公司 Network acceleration method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant