CN115514501A - Method and device for blocking network attack - Google Patents


Info

Publication number: CN115514501A
Authority: CN (China)
Prior art keywords: network, network device, internet protocol, network equipment, local
Prior art date:
Legal status: Pending
Application number: CN202110618433.3A
Other languages: Chinese (zh)
Inventors: 苏凌, 苟浩淞, 李丹, 李志恒
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Group Sichuan Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Group Sichuan Co Ltd
Priority date:
Filing date:
Publication date:
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Sichuan Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The invention discloses a method and a device for blocking network attacks, intended to solve the problem of low effectiveness in blocking such attacks. The scheme comprises the following steps: acquiring the Internet Protocol address of at least one device on the path of data packets sent by a target network device, where the target network device is the device initiating the network attack; determining a border network device among the devices on the packet path based on a local network device list, where the border network device is a local network device connected between the local network and a non-local network and the local network device list contains the Internet Protocol addresses of the local network devices; and controlling the border network device to execute a blocking operation on the Internet Protocol address of the target network device. Whether or not the target network device initiating the attack is a local network device, the scheme can quickly determine the border network device, thereby effectively realizing the blocking, preventing the attack from spreading and improving network security.

Description

Method and device for blocking network attack
Technical Field
The present invention relates to the field of network security, and in particular, to a method and an apparatus for blocking network attacks.
Background
The spread of information technology has improved people's quality of life, but the problem of network security cannot be ignored. Harmful content, junk traffic, network attacks, viruses, malicious code and the like have become new obstacles to the healthy development of the internet.
Network attacks take many forms and the connection relationships between the network devices in a network are complex; when multiple exits and multiple paths need to be blocked, it is difficult to achieve blocking quickly and effectively.
How to improve the effectiveness of blocking network attacks is the technical problem to be solved by this application.
Disclosure of Invention
The embodiment of the application aims to provide a method and a device for blocking network attacks, which are used for solving the problem of low effectiveness of blocking network attacks.
In a first aspect, a method for blocking a network attack is provided, including:
obtaining the Internet Protocol address of at least one device on the path of data packets sent by a target network device, where the target network device is the device that initiates the network attack;
determining a border network device among the at least one device on the packet path according to a local network device list, where the border network device is a local network device connected between the local network and a non-local network, and the local network device list contains the Internet Protocol addresses of the local network devices;
and controlling the border network device to execute a blocking operation on the Internet Protocol address of the target network device.
In a second aspect, an apparatus for blocking a network attack is provided, including:
an acquisition module, configured to acquire the Internet Protocol address of at least one device on the path of data packets sent by a target network device, where the target network device is the device that launches the network attack;
a determining module, configured to determine a border network device among the at least one device on the packet path according to a local network device list, where the border network device is a local network device connected between the local network and a non-local network, and the local network device list contains the Internet Protocol addresses of the local network devices;
and a control module, configured to control the border network device to execute a blocking operation on the Internet Protocol address of the target network device.
In a third aspect, an electronic device is provided, the electronic device comprising a processor, a memory and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the steps of the method according to the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, realizes the steps of the method as in the first aspect.
In the embodiment of the application, the Internet Protocol address of at least one device on the path of data packets sent by the target network device is acquired, the target network device being the device that initiates the network attack; a border network device is determined among the at least one device on the packet path based on a local network device list, the border network device being a local network device connected between the local network and a non-local network, and the local network device list containing the Internet Protocol addresses of the local network devices; and the border network device is controlled to execute a blocking operation on the Internet Protocol address of the target network device. Whether or not the target network device initiating the attack is a local network device, the scheme of the embodiment can quickly determine the border network device, thereby effectively realizing the blocking, preventing the attack from spreading and improving network security.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and not to limit the invention. In the drawings:
Fig. 1 is a first flowchart of a method for blocking a network attack according to an embodiment of the present invention;
Fig. 2 is a second flowchart of a method for blocking a network attack according to an embodiment of the present invention;
Fig. 3 is a third flowchart of a method for blocking a network attack according to an embodiment of the present invention;
Fig. 4 is a fourth flowchart of a method for blocking a network attack according to an embodiment of the present invention;
Fig. 5 is a fifth flowchart of a method for blocking a network attack according to an embodiment of the present invention;
Fig. 6 is a sixth flowchart of a method for blocking a network attack according to an embodiment of the present invention;
Fig. 7 is a seventh flowchart of a method for blocking a network attack according to an embodiment of the present invention;
Fig. 8 is a network topology diagram of an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an apparatus for blocking a network attack according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. The reference numbers in the present application are only used for distinguishing the steps in the scheme and are not used for limiting the execution sequence of the steps, and the specific execution sequence is described in the specification.
A network attack may be launched from an external network or from the internal network. A security control device can deploy software and hardware at specific positions in the network to monitor and analyze inbound and outbound data, and can block some common network attacks automatically or manually by matching the corresponding processing rules against its signature library.
However, some network attacks still cannot be intercepted automatically by the security device. For these special attacks, manual intervention is usually required to achieve blocking. For example, the information security center reports that an external IP is launching an attack, and the security administrator must log in to the security border device and configure the relevant commands to block it and intercept the related attack packets. Although manual interception can be effective, it requires more manpower and has poor timeliness.
This way of blocking network attacks has at least the following disadvantages: blocking can only be performed at a specific node; when multiple exits and multiple paths need to be blocked, the timeliness is poor and automatic blocking cannot be achieved; and when the attack is launched from inside, it cannot be blocked within the internal network.
In order to solve the problems of the prior art, an embodiment of the present application provides a method for blocking a network attack, as shown in Fig. 1, including:
S11: obtaining the Internet Protocol address of at least one device on the path of data packets sent by a target network device, where the target network device is the device that initiates the network attack.
In practice, the target network device initiating the attack may be a local network device or a non-local network device. In this step, the Internet Protocol address of at least one device on the path of packets sent by the target device is obtained; the devices on the packet path include the target device itself and usually also the network devices directly or indirectly connected to it. The Internet Protocol address (IP address) is the unified address format provided by the IP protocol: it assigns a logical address to every network and every host on the internet, masking the differences between physical addresses. The acquired IP addresses characterize the network route over which the target device launches the attack.
S12: determining a border network device among the at least one device on the packet path based on a local network device list, where the border network device is a local network device connected between the local network and a non-local network, and the local network device list contains the Internet Protocol addresses of the local network devices.
The local network device list contains the IP addresses of the local network devices. In this step, each IP address acquired in the previous step is compared against the list: a network device whose IP address appears in the list is a local network device, otherwise it is a non-local network device. This step determines which of the devices on the packet path are local network devices, and the border network device is then determined among them.
The border network device in this step is a local network device connected between the local network and a non-local network. Whether the target device initiating the attack is local or non-local, the attack usually passes through the border network device. Blocking the IP address of the target device on the border network device therefore effectively prevents the target device from launching the attack and stops it from spreading.
S13: controlling the border network device to execute a blocking operation on the Internet Protocol address of the target network device.
With the scheme provided by this embodiment, the border network device can be determined quickly whether or not the target device initiating the attack is a local network device. Because the border network device is usually a node that the target device must pass through to launch the attack, blocking the target device's IP on the border network device effectively blocks the target device, prevents the attack from spreading and improves network security.
Optionally, the solution is further described below with reference to a network topology. The network topology described in this embodiment shows the communication relationships between network devices. When performing blocking, unblocking or other network repair operations, the operation flow can be optimized on the basis of this network topology.
In practice, the network and security devices can be logged in to, managed and maintained, and information on all nodes in the network collected, so that a whole-network topology is generated. The information collected may include the connection relationships of all devices in the network, routing trends, service policies and the like. It may also include the information required to log in to and operate each network device, which improves the effectiveness of blocking when an attack occurs. Specifically, the data may be maintained periodically, at a preset interval, to refresh the information of each node and thus update the topology. Optionally, the network topology consists of a number of nodes representing network devices and a number of lines representing their communication relationships.
When a network attack occurs, the information on the target network device launching the attack can be produced by automatic identification or manual input. The communication relationships between the target device and the other network devices can then be presented through the network topology. Specifically, starting from the IP address of the target device, the routing table entries are followed step by step, querying at each hop whether the device is a local network device, so as to determine the border network device. Blocking the IP address of the target device on the border network device effectively blocks the attack, prevents it from spreading and keeps the network secure.
The scheme provided by this embodiment solves the problems that the device deployment position is fixed, the blocking point cannot be chosen, blocking is slow and blocking cannot be performed at an arbitrary position: the border network device is located automatically, step by step, on the basis of the routing table entries, so that the attack point is located intelligently and the optimal blocking point is determined. In addition, the scheme can present each network device in a network view combined with the topology, which improves readability, makes it convenient to perform blocking, unblocking or other control operations on the devices, and facilitates functional extension.
Based on the solution provided by the foregoing embodiment, optionally, as shown in Fig. 2, step S12 includes:
S21: determining a first network device and a second network device according to the local network device list, where the first and second network devices are devices on the packet path that are connected to each other, the Internet Protocol address of the first network device indicates that it is a local network device, and the Internet Protocol address of the second network device indicates that it is a non-local network device.
In this step, the IP address of each network device obtained in the previous step is looked up in the local network device list to determine whether the device is a local network device, and the mutually connected first and second network devices are determined accordingly. Optionally, the first network device is directly connected to the second network device, that is, no other network device lies between them.
S22: determining the first network device as the border network device.
Because the first network device is a local network device connected to a non-local network device, it can be regarded as the boundary between the local network and the non-local network: every local network device must pass through the first network device when communicating with the non-local network device. The scheme of this embodiment thus improves blocking effectiveness and prevents the multiple exits and paths in a network from reducing the blocking effect.
Based on the solution provided by the foregoing embodiment, optionally, as shown in Fig. 3, step S13 includes:
S31: when the Internet Protocol address of the target network device indicates that it is a non-local network device, generating an access control list containing the Internet Protocol address of the target network device, where the access control list is used to deny the target network device access to the local network.
Specifically, the IP address of the target network device is looked up in the local network device list to determine whether it is a local network device. When the target device is non-local, the attack it launches is an external network attack, and blocking its IP address is achieved by prohibiting it from accessing the local network.
In this step, blocking is achieved by generating an access control list containing the IP address of the target device. An access control list (ACL) is a packet-filtering access control technique: it filters the packets on an interface and allows them through or drops them according to the configured conditions. ACLs are widely used on routers and layer-3 switches; they effectively control user access to the network, guaranteeing network security to the greatest extent, and can be tailored in combination with other parameters of the existing network.
S32: controlling the first network device to execute a blocking operation on the Internet Protocol address of the target network device according to the access control list.
In this step, the blocking operation is performed by adding the access control list generated in step S31 to the first network device located at the network boundary. In practice, each target network device that needs to be blocked may correspond to one ACL entry; by adding several entries to the access control list of the first network device, several target devices can be blocked at the same time.
Based on the solution provided by the foregoing embodiment, optionally, as shown in Fig. 4, step S13 includes:
S41: when the Internet Protocol address of the target network device indicates that it is a non-local network device, generating a black-hole routing entry containing the Internet Protocol address of the target network device, where the black-hole routing entry directs the Internet Protocol address of the target network device to a pseudo (null) interface.
S42: controlling the first network device to execute a blocking operation on the Internet Protocol address of the target network device according to the black-hole routing entry.
When the target device is a non-local network device, the attack it launches is an external network attack, and blocking its IP address is achieved by prohibiting it from accessing the local network.
Besides blocking by adding an ACL, as in the previous embodiment, the scheme of this embodiment achieves blocking with a black-hole route. A black-hole route absorbs all otherwise unmatched routes into itself, so that the routing contains no loops. For example, assuming the IP address of the attacking target device is 1.1.1.1, this step generates the black-hole route ip route-static 1.1.1.1 255.255.255.255 null0, and the black-hole routing entry can then be delivered to the first network device as a configuration instruction. In this embodiment the null0 interface is a virtual interface that is never down; the black-hole routing entry diverts the IP address of the attacking target device to null0, so that the target's IP address is blocked.
Based on the solution provided by the foregoing embodiment, optionally, as shown in Fig. 5, step S13 includes:
S51: when the Internet Protocol address of the target network device indicates that it is a local network device, generating address resolution protocol information according to the Internet Protocol address of the target network device, where the address resolution protocol information is used to deny the target network device access to the local network.
S52: controlling the first network device to execute a blocking operation on the Internet Protocol address of the target network device according to the address resolution protocol information.
When the target device is a local network device, the attack it launches is an intranet attack, and the attacking local device must be blocked within the intranet.
Specifically, in this step the target device is blocked by generating address resolution protocol information. The Address Resolution Protocol (ARP) is the TCP/IP protocol that obtains a physical address from an IP address. When a host sends information, it broadcasts an ARP request containing the target IP address to all hosts on the local area network and receives the reply, thereby learning the target's physical address; on receiving the reply, it stores the IP address and physical address in its local ARP cache and keeps them for a certain time, consulting the cache directly on the next request to save resources. ARP is built on the assumption that all hosts in the network trust each other: a host on the LAN can send an ARP reply on its own, and the receiving hosts record the reply in their local ARP caches without verifying its authenticity. In this step the target device is blocked by generating a false ARP entry, so that the information it sends cannot reach the intended host, or reaches the wrong host, thereby blocking the target device and preventing the attack it launched from spreading. Assuming the IP address of the target device is 1.1.1.1, the address resolution protocol information may be, for example, arp static 1.1.1.1 1111-1111-1111.
Based on the solution provided by the foregoing embodiment, optionally, as shown in Fig. 6, the ARP information includes the Internet Protocol address of the target network device and a physical address that does not correspond to the target network device.
In the solution of this embodiment, the generated address resolution protocol information contains a physical address that does not correspond to the IP address of the target device, so that the target device cannot access the local network. The physical address may specifically be the MAC address (Media Access Control address), also called the LAN address, Ethernet address or physical address, which is an address used to identify the location of a network device.
Step S52 then includes:
S61: binding the ARP information to a local port of the first network device, so as to deny the target network device access to the local network through its Internet Protocol address.
In this step, by binding the ARP information containing the wrong physical address to the local port of the first network device, the target device is effectively denied access to the local network through its IP address, which blocks the target device and prevents the attack from spreading.
Based on the solution provided by the foregoing embodiment, optionally, as shown in Fig. 7, after step S61 the method further includes:
S71: acquiring the address resolution protocol information of the first network device;
S72: determining the blocking result for the Internet Protocol address of the target network device according to the Internet Protocol address of the target network device and the address resolution protocol information of the first network device.
In the solution of this embodiment, the blocking result of the target device is checked after step S61. Specifically, the routing and ARP information can be queried by command on the first network device that performs the blocking, and the blocking result for the target's IP address is determined from the information returned. If the blocking is not effective, the above steps can be executed again until the target device is effectively blocked.
To illustrate the solution of this embodiment further, reference is made to Fig. 8, which shows a network topology containing different attack sources and blocking locations. Whether the attack source lies in an external network or in the internal network, the scheme of this embodiment blocks the attack source at the nearest position, so that the range affected by the attack is kept to a minimum.
Since the scheme uses route queries to determine where the attack source enters the local network, the border network device can be determined by following the route until the next-hop device is not in the local network, and effective blocking is achieved there. Blocking on the border network device effectively prevents external attacks on the local network; when the attacker is local, the system can also query the position where the attack source is attached and block that local attack source.
Specifically, the scheme may include the following operation steps:
step 1, filling an IP address of an attack source to be blocked in a system interface, clicking a blocking button, starting a background program, sending a login instruction to core network equipment, filling an account password according to feedback information of the core network equipment, and completing automatic login.
And 2, after logging in the core network equipment, the background program sends a routing query command, finds out the IP address of the next-hop equipment needing to block the IP address, and captures the IP address to be matched with a network equipment list stored in the background.
And 3, if the network equipment list is matched, proving that the next hop equipment also belongs to the local system, continuously logging in the equipment corresponding to the IP address, and repeating the route inquiry operation until the next hop address is the local or external system address.
Step 4, judging whether the last hop equipment is boundary network equipment, if the address is an external address, automatically adding an ACL on the equipment according to rules and formats set by a background, and refusing to block the IP address to enter the network; if the IP needing to be blocked is a local internal address, an error ARP information is automatically bound for the IP needing to be blocked on the equipment, and the fact that the address can not be accessed to the network is ensured.
And 5, inquiring routing and ARP information on the boundary equipment, and verifying the plugging effect.
And 6, outputting detailed processes and time through a system interface, so that the checking, debugging or other operations can be conveniently carried out by workers, and the average plugging time can reach 4 seconds.
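The hop-by-hop walk of steps 2 to 5 in simulated form, as an added illustration that is not the patent's own code. Device names, management addresses, local prefixes, routing tables and the placeholder MAC address are all constructed; a real deployment would obtain the next hop from the device's routing table rather than from these dictionaries.

```python
"""Added illustration (not the patent's code): follow the route toward the
attack source hop by hop until the next hop leaves the local device list,
then choose the blocking action the text describes (deny ACL for an external
source, bogus ARP binding for an internal one) and verify it."""
import ipaddress

# Constructed local network device list: device name -> management IP.
LOCAL_DEVICES = {"core-1": "10.0.0.1", "agg-1": "10.0.0.2", "border-1": "10.0.0.3"}
LOCAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]  # constructed local range

# Constructed routing tables: device -> list of (prefix, next-hop IP).
# A next hop equal to the destination itself means "directly connected".
ROUTES = {
    "core-1": [("0.0.0.0/0", "10.0.0.2"), ("10.20.0.0/16", "10.0.0.2")],
    "agg-1": [("0.0.0.0/0", "10.0.0.3"), ("10.20.5.0/24", "10.20.5.7")],
    "border-1": [("0.0.0.0/0", "203.0.113.1")],
}

def is_local(ip):
    return any(ipaddress.ip_address(ip) in p for p in LOCAL_PREFIXES)

def device_by_ip(ip):
    """Match a next-hop address against the local device list (step 2)."""
    return next((n for n, a in LOCAL_DEVICES.items() if a == ip), None)

def next_hop(device, dst):
    """Longest-prefix match over the device's constructed routing table."""
    dst_ip, best = ipaddress.ip_address(dst), None
    for prefix, nh in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def find_border_device(target_ip, start="core-1", max_hops=16):
    """Steps 2-4: keep logging in to the next hop while it is a local device.
    Returns (last local device, path walked)."""
    device, path = start, [start]
    for _ in range(max_hops):
        nh = next_hop(device, target_ip)
        nxt = device_by_ip(nh) if nh else None
        if nxt is None or nh == target_ip:  # next hop is external or the source
            return device, path
        device = nxt
        path.append(device)
    raise RuntimeError("routing loop or path longer than max_hops")

def blocking_action(target_ip):
    """Step 4: external source -> deny ACL; local source -> bogus ARP binding."""
    if is_local(target_ip):  # placeholder MAC that matches no real host
        return {"type": "arp-bind", "ip": target_ip, "mac": "00:00:00:00:00:01"}
    return {"type": "acl-deny", "ip": target_ip}

def apply_and_verify(device_state, device, action):
    """Steps 4-5: push the rule to the simulated device, then read it back."""
    state = device_state.setdefault(device, {"acl": set(), "arp": {}})
    if action["type"] == "acl-deny":
        state["acl"].add(action["ip"])
        return action["ip"] in state["acl"]
    state["arp"][action["ip"]] = action["mac"]
    return state["arp"].get(action["ip"]) == action["mac"]
```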
The scheme provided by this embodiment of the application works together with a network topology graph: based on the connection relationships, route directions, service policies and so on among the network devices, device login and operation are carried out quickly, and the topology can be presented visually. Moreover, by combining the network topology graph with routing table entries, the position of the attack source can be located automatically, hop by hop, up to the network border, so that the attack point is located intelligently, the optimal blocking point is determined, and that point is reached automatically from the attack source. In addition, the IP address to be blocked can be obtained through the interface, the core device of the network can be logged in to automatically, the route for the address to be blocked can be queried, and the corresponding next-hop device can be found repeatedly until the next hop is a non-local network device. The last-hop device is judged to be the network border device, routing and ARP information are queried on that border device, and the blocking effect is verified. Blocking is thus performed at the position closest to the attack source, which keeps the scope of the attack's impact to a minimum, effectively prevents the network attack from spreading, and improves network security.
In order to solve the problems in the prior art, an embodiment of the present application further provides an apparatus 90 for blocking a network attack, as shown in fig. 9, including:
an acquiring module 91 for acquiring an Internet protocol address of at least one device on a packet path sent by a target network device, where the target network device represents a device initiating a network attack;
a determining module 92 for determining a border network device from the at least one device on the packet path according to a local network device list, the border network device being a local network device connected between the local network and a non-local network, and the local network device list including the Internet protocol addresses of the local network devices;
and a control module 93 configured to control the border network device to perform a blocking operation on the Internet protocol address of the target network device.
With the apparatus provided by this embodiment of the application, the Internet protocol address of at least one device on the packet path sent by the target network device is acquired, where the target network device represents the device initiating the network attack; a border network device is determined from the at least one device on the packet path according to a local network device list, the border network device being a local network device connected between the local network and a non-local network, and the local network device list including the Internet protocol addresses of the local network devices; and the border network device is controlled to perform a blocking operation on the Internet protocol address of the target network device. Regardless of whether the target network device initiating the network attack is a local network device, the scheme of this embodiment of the invention can quickly determine the border network device, thereby blocking the attack effectively, preventing it from spreading, and improving network security.
Preferably, an embodiment of the present invention further provides an electronic device, which includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor, where the computer program, when executed by the processor, implements each process of the above method for blocking a network attack, and can achieve the same technical effect, and in order to avoid repetition, details are not described here again.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements each process of the above method for blocking a network attack, and can achieve the same technical effect, and in order to avoid repetition, the computer program is not described herein again. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A method for blocking network attacks, comprising:
acquiring an Internet protocol address of at least one device on a packet path sent by a target network device, the target network device representing a device that initiates a network attack;
determining a border network device from the at least one device on the packet path according to a local network device list, the border network device being a local network device connected between a local network and a non-local network, and the local network device list including Internet protocol addresses of local network devices;
and controlling the border network device to perform a blocking operation on the Internet protocol address of the target network device.
2. The method of claim 1, wherein determining the border network device according to the local network device list comprises:
determining a first network device and a second network device according to the local network device list, wherein the first network device and the second network device are network devices connected to each other among the at least one device on the packet path, the Internet protocol address of the first network device characterizes the first network device as a local network device, and the Internet protocol address of the second network device characterizes the second network device as a non-local network device;
and determining the first network device as the border network device.
3. The method of claim 2, wherein controlling the border network device to perform a blocking operation on the Internet protocol address of the target network device comprises:
when the Internet protocol address of the target network device characterizes the target network device as a non-local network device, generating an access control list containing the Internet protocol address of the target network device, the access control list being used to deny the target network device access to the local network;
and controlling the first network device to perform the blocking operation on the Internet protocol address of the target network device according to the access control list.
4. The method of claim 2, wherein controlling the border network device to perform a blocking operation on the Internet protocol address of the target network device comprises:
when the Internet protocol address of the target network device characterizes the target network device as a non-local network device, generating a black hole routing entry containing the Internet protocol address of the target network device, the black hole routing entry being used to direct the Internet protocol address of the target network device to a null interface;
and controlling the first network device to perform the blocking operation on the Internet protocol address of the target network device according to the black hole routing entry.
5. The method of claim 2, wherein controlling the border network device to perform a blocking operation on the Internet protocol address of the target network device comprises:
when the Internet protocol address of the target network device characterizes the target network device as a local network device, generating address resolution protocol information according to the Internet protocol address of the target network device, the address resolution protocol information being used to deny the target network device access to the local network;
and controlling the first network device to perform the blocking operation on the Internet protocol address of the target network device according to the address resolution protocol information.
6. The method of claim 5, wherein the address resolution protocol information comprises the Internet protocol address of the target network device and a physical address that does not correspond to the target network device;
and wherein controlling the first network device to perform the blocking operation on the Internet protocol address of the target network device according to the address resolution protocol information comprises:
binding the address resolution protocol information to a local port of the first network device, so as to deny the target network device access to the local network through the Internet protocol address of the target network device.
7. The method of claim 6, further comprising, after binding the address resolution protocol information to the local port of the first network device:
acquiring address resolution protocol information of the first network device;
and determining a blocking result for the Internet protocol address of the target network device according to the Internet protocol address of the target network device and the address resolution protocol information of the first network device.
8. An apparatus for blocking a network attack, comprising:
an acquiring module for acquiring an Internet protocol address of at least one device on a packet path sent by a target network device, the target network device representing a device that initiates a network attack;
a determining module for determining a border network device from the at least one device on the packet path according to a local network device list, the border network device being a local network device connected between a local network and a non-local network, and the local network device list including Internet protocol addresses of the local network devices;
and a control module for controlling the border network device to perform a blocking operation on the Internet protocol address of the target network device.
9. An electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the computer program, when executed by the processor, carries out the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and the computer program, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
CN202110618433.3A 2021-06-03 2021-06-03 Method and device for blocking network attack Pending CN115514501A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110618433.3A CN115514501A (en) 2021-06-03 2021-06-03 Method and device for blocking network attack

Publications (1)

Publication Number Publication Date
CN115514501A true CN115514501A (en) 2022-12-23

Family

ID=84499798

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110618433.3A Pending CN115514501A (en) 2021-06-03 2021-06-03 Method and device for blocking network attack

Country Status (1)

Country Link
CN (1) CN115514501A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105357180A (en) * 2015-09-30 2016-02-24 华为技术有限公司 Network system, attack message intercepting method, attack message intercepting apparatus, and device
WO2017166047A1 (en) * 2016-03-29 2017-10-05 华为技术有限公司 Method and device for transmitting network attack defense policy and method and device for defending against network attack
CN107710680A (en) * 2016-03-29 2018-02-16 华为技术有限公司 Network attack defence policies are sent, the method and apparatus of network attack defence
CN111698110A (en) * 2019-03-14 2020-09-22 深信服科技股份有限公司 Network equipment performance analysis method, system, equipment and computer medium
CN111970261A (en) * 2020-08-06 2020-11-20 完美世界(北京)软件科技发展有限公司 Network attack identification method, device and equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王琪强;尚春雷;殷正伟;杨念祖;: "网络攻击行为的自动封堵与压制系统方案简述", 网络安全技术与应用, no. 05, 15 May 2020 (2020-05-15) *
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination