CN116471258A - Method for determining network address and related equipment - Google Patents


Info

Publication number
CN116471258A
Authority
CN
China
Prior art keywords
address
network
rule
addressing
information
Prior art date
Legal status
Pending
Application number
CN202210031784.9A
Other languages
Chinese (zh)
Inventor
杨言
陈哲
薛景安
王闯
龚向阳
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/255 Maintenance or indexing of mapping tables
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Abstract

The embodiments of this application provide a method for determining a network address and related equipment. The method comprises the following steps: a network device allocates a first Internet Protocol (IP) address to a first terminal device according to an address allocation rule; the network device determines a second IP address according to an addressing rule and the first IP address; the network device sends the second IP address to the first terminal device; and the network device sends address mapping information to a computing node. When a malicious device scans addresses, it cannot forge a legal address, because it cannot obtain the first IP address of any device in the network other than itself (or, if it is outside the network, of any device in the network). A computing node that holds the address mapping information can derive the first IP address from the second IP address and thereby determine whether the second IP address is a legal address, so that network address scanning by a malicious device, and the network attacks it would initiate, can be prevented.

Description

Method for determining network address and related equipment
Technical Field
Embodiments of the present application relate to the field of network security, and more particularly, to a method of determining a network address, a network device, a computing node, a chip system, and a computer readable storage medium.
Background
As the internet and its security technologies continue to evolve, a network attacker can not only inject abnormal traffic directly from outside a network but can also cause secondary damage through a compromised host inside it, enlarging the scope of the impact. Current network security schemes mainly aim at boundary protection, that is, rule filtering at a gateway to prevent malicious or abnormal traffic from reaching devices inside the network. As users' security requirements grow, however, boundary protection alone cannot detect or prevent network attacks initiated from inside. In an internally initiated attack, the attacker may be located outside the network, detect a device inside it, and take control of that device so that it becomes a compromised host (referred to below as a sinking host); alternatively, the attacker may be located inside the network and directly control devices there to launch attacks. For ease of description, both a sinking host and a network attacker are referred to as a malicious device. Through the malicious device the attacker can scan the addresses of other devices in the network, discover more devices, and enlarge the attack range. Because the malicious device's own address is real, such scanning is difficult to detect and prevent by verifying the source address. To avoid network attacks initiated by malicious devices, a malicious device must be unable to scan and discover network addresses; at the same time, when a device in the network shows abnormal behaviour, it should be detected quickly and the device located accurately.
How to prevent a malicious device from scanning a network address to prevent a network attack initiated by the malicious device is a technical problem to be solved.
Disclosure of Invention
The embodiment of the application provides a method for determining a network address, network equipment, a computing node, a chip system and a computer readable storage medium, which can prevent network address scanning by malicious equipment so as to prevent network attack initiated by the malicious equipment.
In a first aspect, there is provided a method of determining a network address, the method comprising: the network equipment allocates a first Internet protocol (internet protocol, IP) address for the first terminal equipment according to the address allocation rule; the network equipment determines a second IP address according to the addressing rule and the first IP address; the network equipment sends a second IP address to the first terminal equipment; the network device sends address mapping information to the compute node.
It should be appreciated that the addressing rules may include any one or more of the following: sampling rules, calculation rules, or reconstruction rules. The second IP address is an address at which the first terminal device performs network communication. The address mapping information is used for indicating the corresponding relation between the second IP address and the first IP address. The address mapping information may be an inverse operation of the addressing rule or an inverse operation of a part of the rules in the addressing rule. Alternatively, the address mapping information may include a second IP address and a first IP address corresponding to the second IP address.
It should also be appreciated that the network device allocating a first IP address to the first terminal device according to the address allocation rule may include: the network device determines the first IP address from the address pool, or the network device determines the first IP address according to a method of assigning the first IP address. The address pool contains one or more unused addresses. The method of assigning the first IP address includes any one or more of: the preset address length, the number of bits of 0 in the preset address, the number of bits of 1 in the preset address, or the numbering characteristic of the preset address.
It should also be appreciated that the computing node may comprise a terminal device or a network forwarding device.
It should also be appreciated that the network device and the first terminal device may be within the same network, which may include at least one network device, at least one terminal device, and at least one computing node. The at least one computing node includes at least one computing node that may receive address mapping information from a network device.
It should also be appreciated that when the first terminal device within the network is a malicious device, the first terminal device may perform address scanning. However, since the first terminal device cannot obtain the first IP address of the device other than the first terminal device in the network, a legal address cannot be forged according to the addressing rule and the first IP address of the device other than the first terminal device in the network. The computing node that obtains the address mapping information may obtain the first IP address from the second IP address to determine whether the second IP address is a legitimate address. Therefore, the method for determining the network address can prevent the terminal equipment in the network from scanning the network address so as to prevent network attack initiated by the terminal equipment in the network.
It should also be appreciated that when a first network forwarding device within the network is a malicious device, the first network forwarding device may perform address scanning. The first network forwarding device is a network forwarding device which cannot store a first IP address of other devices in the network except for the first network forwarding device itself. However, since the first network forwarding device cannot obtain the first IP address of the devices other than the first network forwarding device in the network, a legal address cannot be forged. The computing node obtaining the address mapping information may detect a destination address contained in the information from the first network forwarding device to determine whether the destination address is a legitimate address. Therefore, the method for determining the network address in the embodiment of the application not only can be used for preventing the terminal equipment in the network from carrying out address scanning, but also can be used for preventing the first network forwarding equipment in the network from carrying out address scanning.
It should also be appreciated that when a terminal device outside the network or a second network forwarding device outside the network is a malicious device, the terminal device outside the network or the second network forwarding device outside the network may perform address scanning. The second network forwarding device is a network forwarding device that cannot store the first IP address of the device within the network. However, since the terminal device or the second network forwarding device outside the network cannot obtain the first IP address of the device in the network, the legal address cannot be forged. The computing node that obtains the address mapping information may detect a destination address contained in the information from the malicious device to determine whether the destination address is a legitimate address. Therefore, the method for determining the network address in the embodiment of the application not only can be used for preventing the malicious equipment inside the network from carrying out address scanning, but also can be used for preventing the malicious equipment outside the network from carrying out address scanning.
It should also be appreciated that the malicious device may be a device within the network that is controlled by a network attacker outside the network, or may be a device that is controlled by a network attacker within the network. The malicious device may also be a device outside the network that is controlled by a network attacker, which the embodiments of the present application are not limited to. The device controlled by the network attacker may be a device controlled by the network attacker in real time, or may be a sinking host in which malicious code is implanted by the network attacker, which is not limited in the embodiment of the present application.
In this embodiment of the present application, the network device may allocate a first IP address to the first terminal device, and may also use an addressing rule to hide the first IP address in the second IP address. When a malicious device scans an address, the malicious device cannot obtain a first IP address of a device other than the malicious device in a network or cannot obtain the first IP address of a device in the network, so that a legal address cannot be forged. The computing node that obtains the address mapping information may obtain the first IP address from the second IP address to determine whether the second IP address is a legitimate address. Therefore, the method for determining the network address can prevent the malicious device from scanning the network address so as to prevent network attacks initiated by the malicious device.
With reference to the first aspect, in certain implementations of the first aspect, the address allocation rule is stored in a first storage space, the addressing rule is stored in a second storage space, and the first storage space or the second storage space is only accessible by the network device. That is, the first storage space or the second storage space cannot be accessed by devices other than the network device.
It should be appreciated that the first storage space or the second storage space may be an internal storage space of the network device. The devices other than the network device may be terminal devices or network forwarding devices, etc.
In the embodiment of the application, the address allocation rule and the addressing rule cannot be accessed by devices other than the network device. A device other than the network device may be a terminal device or a network forwarding device. Therefore, when a terminal device or a network forwarding device is a malicious device, it cannot determine the first IP address from the address allocation rule, and cannot forge a legal second IP address from the first IP address and the addressing rule. Thus the malicious device is prevented from scanning network addresses, which prevents the network attacks it would initiate.
With reference to the first aspect, in some implementations of the first aspect, the addressing rule includes a first addressing rule and a second addressing rule, and the network device transforms the first IP address according to the first addressing rule to obtain the first verification information; and the network equipment converts the first IP address according to the second addressing rule and the first verification information to obtain a second IP address.
It should be appreciated that the second addressing rule may include a correspondence of the second IP address, the first authentication information, and the first IP address. The second addressing rule is reversible.
In the embodiment of the application, the network device can hide the first IP address in the second IP address through the first addressing rule, the first verification information and the second addressing rule, so that the malicious device cannot directly obtain the first IP address according to the second IP address. The computing node that obtains the address mapping information may detect whether the second IP address is a legitimate address, thereby preventing network address scanning by the malicious device to prevent network attacks initiated by the malicious device.
With reference to the first aspect, in certain implementations of the first aspect, the first addressing rule includes a first sampling rule and/or a first encryption rule, and the second addressing rule includes a second sampling rule and/or a second encryption rule.
It should be understood that the first sampling rule may be that data of any n preset positions is obtained from the sampled input data, where the maximum value of n is the length of the sampled input data, and n is a positive integer. The first encryption rule may include any one or more of a calculation rule, a reconstruction rule, or an encryption algorithm. The calculation rule may comprise a mathematical operation or a logical operation. The reconstruction rule may be to reconstruct bits of the first reconstruction data and bits of the second reconstruction data to obtain third reconstruction data. The encryption algorithm may include any one or more of a symmetric encryption algorithm, an asymmetric encryption algorithm, or a hash encryption algorithm. The second sampling rule is to obtain data of any n preset positions from the sampled input data, the maximum value of n is the length of the sampled input data, and n is a positive integer. The second encryption rule may include a reconstruction rule. The second encryption rule may also include a calculation rule or an encryption algorithm.
It should also be appreciated that the specifics of the first addressing rule may be determined based on the computing capabilities of the network device. For example, if the computing power of the network device is high, the first addressing rule may be made to include a first sampling rule and a first encryption rule. If the computing power of the network device is weak, the first addressing rule may include only the first sampling rule or only the first encryption rule, which is not limited in the embodiment of the present application.
In the embodiment of the application, the first verification information may be obtained by configuring different first addressing rules. Therefore, the cost of cracking the first addressing rule can be increased, so that a network attacker cannot obtain the first verification information according to the first IP address or obtain the first IP address according to the first verification information, and the security of the first addressing rule is enhanced.
With reference to the first aspect, in certain implementations of the first aspect, the network device sends the second addressing inverse rule to the computing node.
It should be appreciated that the second addressing inverse rule may be used to determine the first IP address and the first authentication information from the second IP address.
In this embodiment of the present application, when the computing node obtains the second IP address, the second IP address may be processed according to a second addressing inverse rule to obtain the first IP address and the first verification information, so as to detect whether the second IP address is a legal address. Therefore, the embodiment of the application can prevent the malicious equipment from scanning the network address, thereby preventing the network attack initiated by the malicious equipment.
With reference to the first aspect, in certain implementations of the first aspect, the network device sends the first addressing rule to the computing node.
In this embodiment of the present application, when the computing node obtains the first IP address and the first verification information according to the second IP address, the computing node may obtain the fourth verification information according to the first addressing rule, so as to determine whether the second IP address is a legal address according to whether the first verification information is the same as the fourth verification information. Therefore, the embodiment of the application can prevent the malicious equipment from scanning the network address, thereby preventing the network attack initiated by the malicious equipment.
With reference to the first aspect, in certain implementations of the first aspect, the first IP address or the second IP address is an internet protocol version 6 (IPv6) address or a flexible internet protocol (FlexIP) address.
It should be appreciated that the first IP address or the second IP address may also be an internet protocol version 4 (IPv4) address.
In this embodiment of the present application, the first IP address or the second IP address may be an IPv4 address, an IPv6 address, or a FlexIP address; that is, the embodiment of the present application may be applied to a network layer protocol such as IPv4, IPv6, or FlexIP.
In a second aspect, there is provided a method of detecting a network address, the method comprising: the computing node receives information from the second terminal equipment, wherein the information comprises a destination address; the computing node carries out inverse transformation on the destination address according to the second addressing inverse rule to obtain a third IP address and second verification information; the computing node determines third verification information corresponding to a third IP address according to the addressing information; and the computing node determines whether the destination address is a legal address according to the third verification information and the second verification information.
It should be appreciated that the destination address is an internet protocol, IP, address of the third terminal device and the computing node may comprise a terminal device or a network forwarding device.
It should also be appreciated that the second addressing inverse rule may be an inverse operation of the second addressing rule. The second addressing inverse rule may include a third sampling rule and/or a third encryption rule. The third sampling rule is to obtain data of any n preset positions from the sampled input data, the maximum value of n is the length of the sampled input data, and n is a positive integer. The third encryption rule may include a reconstruction rule. The reconstruction rule may be to reconstruct bits of the third reconstruction data to obtain the first reconstruction data and the second reconstruction data. The third encryption rule may also include a calculation rule or an encryption algorithm. The calculation rule may include a mathematical operation or a logical operation. The encryption algorithm may include a symmetric encryption algorithm, an asymmetric encryption algorithm, a hash algorithm, or the like.
It should also be appreciated that the addressing information may comprise a first addressing rule or the addressing information may comprise at least one IP address and at least one authentication information. The at least one IP address and the at least one authentication information may be stored in the form of an authentication information table. That is, the authentication information table may include at least one IP address and authentication information corresponding to each IP address.
In this embodiment of the present application, the computing node may process the destination address according to the second addressing inverse rule, to obtain the third IP address and the second verification information. The computing node may further obtain third authentication information based on the addressing information and the third IP address, so that whether the destination address is a legitimate address may be determined based on the second authentication information and the third authentication information. Therefore, the computing node can timely and accurately judge whether the destination address is a legal address, and prevent the malicious equipment from scanning the network address, thereby preventing network attack initiated by the malicious equipment.
With reference to the second aspect, in some implementations of the second aspect: if the second verification information is determined to be the same as the third verification information, the destination address is determined to be a legal address; if the second verification information is determined to differ from the third verification information, the destination address is determined to be an illegal address; if the destination address is determined to be a legal address, the information is forwarded to the third terminal device; and if the destination address is determined to be an illegal address, the information is discarded and an error record is made for the second terminal device.
In this embodiment of the present application, the computing node may determine whether the destination address is a legal address according to whether the second verification information is the same as the third verification information. And the computing node can process the information containing the destination address according to whether the destination address is a legal address. Therefore, the computing node can discard the information containing the illegal address and record the malicious device for sending the information, and the malicious device is prevented from scanning the network address, so that the network attack initiated by the malicious device is prevented.
With reference to the second aspect, in certain implementations of the second aspect, it is determined whether the number of erroneous recordings of the second terminal device exceeds a preset threshold; if the number of times of error recording of the second terminal equipment exceeds a preset threshold, the computing node determines that the second terminal equipment is malicious equipment.
It will be appreciated that after the computing node determines that the second terminal device is a malicious device, measures may be taken, such as alerting or restricting communication of the malicious device. Limiting communication of a malicious device may include discarding all information from the malicious device.
In this embodiment of the present application, the computing node may determine whether the second terminal device is a malicious device by comparing the number of error records made for the second terminal device with a preset threshold. After determining that the second terminal device is a malicious device, the computing node can take measures, so that the malicious device is prevented from scanning network addresses and the network attacks it would initiate are prevented.
With reference to the second aspect, in some implementations of the second aspect, the addressing information includes a first addressing rule, and the computing node transforms the third IP address according to the first addressing rule to obtain third verification information.
It is to be appreciated that the first addressing rule may include a first sampling rule and/or a first encryption rule. The first sampling rule may be that data of any n preset positions are obtained from the sampled input data, a maximum value of n is a length of the sampled input data, and n is a positive integer. The first encryption rule may include any one or more of a calculation rule, a reconstruction rule, or an encryption algorithm. The calculation rule may comprise a mathematical operation or a logical operation. The reconstruction rule may be to reconstruct bits of the first reconstruction data and bits of the second reconstruction data to obtain third reconstruction data. The encryption algorithm may include any one or more of a symmetric encryption algorithm, an asymmetric encryption algorithm, or a hash encryption algorithm.
In this embodiment of the present application, the computing node may process the third IP address according to the first addressing rule, to obtain third verification information. And then the computing node can compare the third verification information with the second verification information to determine whether the destination address is a legal address, so that the malicious equipment is prevented from scanning the network address, and network attacks initiated by the malicious equipment are prevented.
With reference to the second aspect, in some implementations of the second aspect, the addressing information includes at least one IP address and at least one authentication information, and the computing node determines third authentication information from the at least one authentication information according to the third IP address.
It should be appreciated that the at least one IP address corresponds one-to-one with the at least one piece of authentication information.
It should also be appreciated that the at least one IP address and the at least one authentication information may be maintained in the form of an authentication information table. That is, the computing node may obtain the third authentication information corresponding to the third IP address from the authentication information table.
It should also be understood that the at least one IP address and the at least one authentication information may be obtained by the computing node during the history detection process, or may be obtained by receiving information from the network device, which is not limited in this embodiment of the present application.
In the embodiment of the application, the computing node may search the verification information corresponding to the third IP address through the corresponding relationship between the IP address and the verification information, so as to obtain the third verification information. Therefore, the computing node can save time or computing resources for processing the third IP address according to the first addressing rule, thereby improving the rate of detecting whether the destination address is a legal address.
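The following Python program is an added worked example, not code from the patent or from Huawei. It ties together the first aspect (the network device allocates a first IP address, derives first verification information with a first addressing rule, and splices it into a second IP address with a reversible second addressing rule), the second aspect (the computing node applies the second addressing inverse rule, obtains third verification information, forwards or discards, and flags a sender whose error records exceed a preset threshold), and the two ways of obtaining third verification information described above: recomputing it with the first addressing rule, or looking it up in an authentication information table. Everything concrete in it is an assumption: IPv6 addresses with a 16-bit verification field in the low bits, a pool of first IP addresses whose low 16 bits are zero (one form of the "number of 0 bits in the preset address" allocation rule), HMAC-SHA256 truncated to 16 bits standing in for the unspecified encryption and sampling rules, a threshold of 3, and constructed addresses and keys.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed parameters (assumptions for this example, not values from the patent).
VERIF_BITS = 16                        # width of the verification information field
VERIF_MASK = (1 << VERIF_BITS) - 1
ERROR_THRESHOLD = 3                    # preset threshold on error records per sender
# Address allocation rule: the pool holds unused first IP addresses whose low 16 bits
# are zero (a "number of 0 bits in the preset address" rule). Constructed addresses.
ADDRESS_POOL = [ipaddress.IPv6Address(f"2001:db8::{i}:0") for i in range(1, 5)]
# Secret of the first addressing rule; kept in the network device's private storage
# and handed to the computing node as addressing information (assumption).
FIRST_RULE_KEY = b"constructed-key-for-the-first-addressing-rule"


def first_addressing_rule(first_ip: ipaddress.IPv6Address, key: bytes) -> int:
    """First addressing rule: an encryption rule (HMAC-SHA256 over the first IP address)
    followed by a sampling rule (keep the first 16 bits of the digest). The result is
    the verification information."""
    digest = hmac.new(key, first_ip.packed, hashlib.sha256).digest()
    return int.from_bytes(digest[: VERIF_BITS // 8], "big")


def second_addressing_rule(first_ip: ipaddress.IPv6Address, verif: int) -> ipaddress.IPv6Address:
    """Second addressing rule: a reversible reconstruction that places the verification
    information in the zero low bits of the first IP address, giving the second IP address."""
    return ipaddress.IPv6Address(int(first_ip) | (verif & VERIF_MASK))


def second_addressing_inverse_rule(second_ip: ipaddress.IPv6Address):
    """Second addressing inverse rule: split a second IP address back into
    (first IP address, verification information)."""
    raw = int(second_ip)
    return ipaddress.IPv6Address((raw >> VERIF_BITS) << VERIF_BITS), raw & VERIF_MASK


class NetworkDevice:
    """Allocates first IP addresses and hides them inside second IP addresses."""

    def __init__(self, pool, key):
        self.pool = list(pool)     # first storage space: unused first IP addresses
        self.key = key             # second storage space: the addressing rule secret
        self.mapping = {}          # address mapping information: second IP -> first IP

    def allocate(self) -> ipaddress.IPv6Address:
        first_ip = self.pool.pop(0)                          # address allocation rule
        verif = first_addressing_rule(first_ip, self.key)    # first verification information
        second_ip = second_addressing_rule(first_ip, verif)  # address the terminal will use
        self.mapping[second_ip] = first_ip
        return second_ip                                     # sent to the terminal device

    def addressing_information(self):
        """Sent to the computing node: the first addressing rule (its key) and an
        authentication table of first IP address -> verification information."""
        table = {first: first_addressing_rule(first, self.key) for first in self.mapping.values()}
        return self.key, table


class ComputingNode:
    """Detects whether destination addresses are legal and records offending senders."""

    def __init__(self, key=None, auth_table=None):
        self.key = key                            # first addressing rule, if received
        self.auth_table = dict(auth_table or {})  # IP address -> verification information
        self.error_records = Counter()            # error records per second terminal device
        self.malicious = set()                    # senders whose error records exceeded the threshold

    def third_verification(self, third_ip):
        if third_ip in self.auth_table:        # table lookup saves recomputation
            return self.auth_table[third_ip]
        if self.key is not None:               # otherwise apply the first addressing rule
            return first_addressing_rule(third_ip, self.key)
        return None                            # no addressing information: cannot verify

    def handle(self, sender, dest_ip) -> str:
        """Returns 'forward' or 'discard' for information from `sender` to `dest_ip`."""
        if sender in self.malicious:           # restrict communication of a malicious device
            return "discard"
        third_ip, second_verif = second_addressing_inverse_rule(dest_ip)
        if self.third_verification(third_ip) == second_verif:
            return "forward"                   # legal address: forward to the third terminal device
        self.error_records[sender] += 1        # illegal address: discard and record the error
        if self.error_records[sender] > ERROR_THRESHOLD:
            self.malicious.add(sender)
        return "discard"


def demo():
    nd = NetworkDevice(ADDRESS_POOL, FIRST_RULE_KEY)
    addr_a, addr_b = nd.allocate(), nd.allocate()
    key, table = nd.addressing_information()
    node = ComputingNode(key=key, auth_table=table)
    legit = node.handle(addr_a, addr_b)
    # Terminal A, acting as a scanner, guesses neighbouring addresses by altering the low bits
    # of B's address; without the first addressing rule it cannot produce matching verification bits.
    scan = [node.handle(addr_a, ipaddress.IPv6Address(int(addr_b) ^ i)) for i in range(1, 5)]
    return legit, scan, addr_a in node.malicious, node.handle(addr_a, addr_b)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the outcome of one legal message, the outcomes of four forged destination addresses, whether the sender was flagged as malicious after exceeding the threshold, and the outcome of a later legal message from the flagged sender (discarded, since all information from a malicious device is dropped). A node constructed with only the authentication table, and no key, verifies addresses of known devices by lookup alone, which is the time-saving variant described above.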
With reference to the second aspect, in certain implementations of the second aspect, the destination address or the third IP address is an internet protocol version 6 IPv6 address or a flexible internet protocol FlexIP address.
It should be appreciated that the destination address or third IP address may also be an internet protocol version 4 IPv4 address.
In this embodiment of the present application, the destination IP address or the third IP address may be an IPv4 address, an IPv6 address, or a FlexIP address, that is, the embodiment of the present application may be applied to a network layer protocol such as IPv4, IPv6, or FlexIP.
In a third aspect, a network device is provided, the network device comprising means for implementing the first aspect or any one of the possible implementations of the first aspect.
In a fourth aspect, there is provided a computing node comprising means for implementing the second aspect or any one of the possible implementations of the second aspect.
In a fifth aspect, a network device is provided, the network device comprising a processor for coupling with a memory, reading and executing instructions and/or program code in the memory to perform the first aspect or any of the possible implementations of the first aspect.
In a sixth aspect, there is provided a computing node comprising a processor for coupling with a memory, reading and executing instructions and/or program code in the memory to perform the second aspect or any one of the possible implementations of the second aspect.
In a seventh aspect, a chip system is provided, the chip system comprising logic circuitry for coupling with an input/output interface through which data is transferred for performing the first aspect or any one of the possible implementations of the first aspect.
In an eighth aspect, a chip system is provided, the chip system comprising logic circuitry for coupling with an input/output interface through which data is transferred for performing the second aspect or any one of the possible implementations of the second aspect.
In a ninth aspect, a computer readable storage medium is provided, storing program code which, when run on a computer, causes the computer to perform the first aspect or any one of the possible implementations of the first aspect.
In a tenth aspect, a computer readable storage medium is provided, storing program code which, when run on a computer, causes the computer to perform the second aspect or any one of the possible implementations of the second aspect.
In an eleventh aspect, embodiments of the present application provide a computer program product comprising computer program code which, when run on a computer, causes the computer to perform the first aspect or any one of the possible implementations of the first aspect.
In a twelfth aspect, embodiments of the present application provide a computer program product comprising computer program code which, when run on a computer, causes the computer to perform the second aspect or any one of the possible implementations of the second aspect.
Drawings
Fig. 1 is a schematic architectural diagram of a network attack.
Fig. 2 is a schematic system architecture diagram of a method of determining a network address according to one embodiment of the present application.
Fig. 3 is a schematic system architecture diagram of a method of detecting a network address according to one embodiment of the present application.
Fig. 4 is a schematic flow chart of a method of determining a network address according to one embodiment of the present application.
Fig. 5 is a schematic flow chart diagram of a method of determining a network address according to another embodiment of the present application.
Fig. 6 is a schematic flow chart diagram of a method of detecting a network address according to one embodiment of the present application.
Fig. 7 is a schematic flow chart diagram of a method of detecting a network address according to another embodiment of the present application.
Fig. 8 is a schematic structural diagram of a network device according to an embodiment of the present application.
FIG. 9 is a schematic diagram of a computing node according to one embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings.
The technical solutions of the embodiments of the present application can be applied to a local area network, for example a private network scenario such as a campus network, a government network, or an industrial manufacturing network.
The terminal device in the embodiments of the present application may refer to a user equipment, an access terminal, a user station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user apparatus. The terminal device may also be a session initiation protocol (session initiation protocol, SIP) phone, a handheld device with wireless communication functionality or other processing device connected to a wireless modem, a vehicle mounted device, a wearable device, a terminal device in a future 5G network or a terminal device in a future evolved public land mobile network (public land mobile network, PLMN), etc., as the embodiments of the application are not limited in this regard.
The network device in the embodiments of the present application may be a device for assigning a network address, for example, a dynamic host configuration protocol (dynamic host configuration protocol, DHCP) server, etc., and the embodiments of the present application are not limited thereto.
The network forwarding device in the embodiments of the present application may be a network device that forwards signals, such as a switch, or a gateway device that forwards data, such as a router. The switch may be an Ethernet switch, a fiber distributed data interface (FDDI) switch, or the like. The network forwarding device may also be a server or proxy server that runs a routing protocol; the embodiments of the present application are not limited in this regard.
The computing node in the embodiment of the application may include a terminal device or a network forwarding device.
Fig. 1 is a schematic architectural diagram of a network attack. A network attack may involve multiple networks, each including multiple devices. Fig. 1 uses one network 110 and three devices in network 110 as an example.
The devices involved in the network attack shown in fig. 1 are: network forwarding device 111, compromised host 112 (a host inside the network that the attacker has already taken over), in-network device 113, and attacker device 120, where network forwarding device 111, compromised host 112, and in-network device 113 are located in network 110.
During a network attack, the attacker device 120 may be a device manipulated by a network attacker. The attacker device 120 shown in fig. 1 is located outside the network 110; alternatively, the attacker device 120 may be located inside the network 110. The attacker device 120 may control the compromised host 112 inside the network 110 and cause it to send at least one message containing a destination address to the network forwarding device 111. When the destination address in a message sent by the compromised host 112 matches the network address of the in-network device 113 in the network 110, the in-network device 113 receives that message from the network forwarding device 111. The attacker device 120 may also have the compromised host 112 carry a virus in the message, so that the in-network device 113 can be remotely controlled after receiving it.
Network forwarding device 111 may be a network forwarding device located within network 110 that receives messages from devices within network 110 and forwards each message to the destination address it contains. During a network attack, the network forwarding device 111 may receive at least one message from the compromised host 112 and forward the message whose destination address matches the network address of the in-network device 113 to the in-network device 113.
Alternatively, the network forwarding device 111 may itself be manipulated by a network attacker and become a malicious device. That is, network forwarding device 111 may actively send at least one message containing a destination address or a virus to other devices within network 110.
Compromised host 112 may be a terminal device located within network 110 that sends messages to network forwarding device 111, or receives messages from it, in order to communicate or connect with other devices within network 110. During a network attack, the compromised host 112 may be controlled by the attacker device 120 to perform address scanning. Address scanning by the compromised host 112 means sending at least one message containing a destination address to other devices, which may be terminal devices or network forwarding devices other than the host itself. That is, the compromised host 112 may send at least one message containing a destination address to the network forwarding device 111, where the destination addresses of the individual messages may differ. The compromised host 112 may carry a virus in the messages it sends to the network forwarding device 111.
Alternatively, the compromised host 112 may be directly manipulated by a network attacker, i.e. it may actively send at least one message containing a destination address or a virus to the network forwarding device 111.
In-network device 113 may be a terminal device located within network 110 that receives messages from network forwarding device 111, or sends messages to it, in order to communicate or connect with other devices within network 110. During a network attack, the in-network device 113 may receive a message from the compromised host 112 forwarded by the network forwarding device 111, where the destination address in the message matches the network address of the in-network device 113 and the message may also carry a virus. On receiving such a message, the in-network device 113 may be implanted with the virus and thereby remotely controlled by the attacker device 120.
The network attack shown in fig. 1 cannot be detected by source address validation. For example, if source address validation is performed on the messages sent by the compromised host 112, the source address obtained is the network address of the compromised host 112. Since the compromised host 112 is a real device inside the network 110, that source address is a genuine, correctly assigned network address and passes validation. In other words, source address validation cannot detect or block the attack shown in fig. 1: the only anomalous element of the scan is the sequence of destination addresses, which is what the method described below checks.
Fig. 2 is a schematic system architecture diagram of a method of determining a network address. In a system of a method of determining a network address, a plurality of networks and a plurality of devices included in each network may be included. Fig. 2 illustrates one network 210 and five devices included in network 210 as examples.
In the system shown in fig. 2, a network device 211, a network forwarding device 212, a malicious device 213, an in-network device 214, and a malicious device 215 are located within the network 210.
The network device 211 may be a device that allocates an IP address to a device in the network 210, and may be a DHCP server or the like, for example. The network device 211 may assign a first IP address to a device in the network 210, may also obtain an addressing rule, and determine a second IP address based on the addressing rule and the first IP address. A specific implementation of the network device 211 to determine the second IP address based on the addressing rules and the first IP address may be seen in fig. 4 or fig. 5. The network device 211 may also send the determined second IP address to a device in the network 210. The devices in network 210 may be network forwarding device 212, malicious device 213, in-network device 214, or malicious device 215. Network device 211 may also send addressing rules or address mapping information to network forwarding device 212 to enable the network forwarding device to perform IP address detection. The address mapping information may be an inverse operation of the addressing rule or an inverse operation of a part of the rules in the addressing rule. Alternatively, the address mapping information may include a second IP address and a first IP address corresponding to the second IP address, which is not limited in the embodiment of the present application.
Network forwarding device 212 may be a device that forwards signals or data within network 210, such as a router or switch. The network forwarding device 212 may obtain the addressing rule or the address mapping information by receiving it from the network device 211, or by manual configuration; the embodiment of the present application is not limited in this regard. Network forwarding device 212 may receive and forward messages from other devices within network 210, for example from network device 211, malicious device 213, in-network device 214, or malicious device 215. Network forwarding device 212 may also check the destination address of a received message against the obtained addressing rule or address mapping information. A specific implementation of the destination address check according to the addressing rule or the address mapping information may be seen in fig. 6 or fig. 7. When the network forwarding device 212 determines that the destination address in a message is a legal address, it forwards the message to that destination. When it determines that the destination address is an illegal address, it discards the message and makes an error record against the device that sent it.
The malicious device 213 may be a terminal device in the network 210, for example, a computer or a mobile phone. The malicious device 213 may obtain the second IP address assigned from the network device 211, or may obtain a manually configured second IP address, so as to use the second IP address to communicate with other devices in the network 210. The malicious device 213 may be controlled by a network attacker to perform address scanning, i.e. send at least one message containing the destination address to the network forwarding device 212, each of which may carry a virus. The malicious device 213 may also receive information from the network forwarding device 212.
The in-network device 214 may be a terminal device in the network 210, for example a computer or a mobile phone. The in-network device 214 may obtain the second IP address allocated by the network device 211, or a manually configured second IP address, and use the second IP address to communicate with other devices in the network 210. In-network device 214 may send messages containing a destination address to network forwarding device 212. In-network device 214 may also receive from network forwarding device 212 a message whose destination address matches the network address of in-network device 214 and which may carry a virus. On receiving such a message, the in-network device 214 may be implanted with the virus and remotely controlled by a network attacker.
The malicious device 215 may be a network forwarding device in the network 210, such as a router or switch. Malicious device 215 may receive and forward information from other devices within network 210, such as from network device 211, network forwarding device 212, malicious device 213, or in-network device 214. The malicious device 215 may obtain an IP address assigned from the network device 211, or may obtain a manually configured IP address, to use the IP address to communicate with other devices in the network 210. The malicious device 215 may be controlled by a network attacker and may also send at least one message containing a destination address to the network forwarding device 212, each of which may carry a virus.
Alternatively, a network attacker may be located inside the network 210, directly controlling the malicious device 213 or the malicious device 215, and may remotely control the in-network device 214 after the in-network device 214 is infected with a virus. Alternatively, the network attacker may be located outside of the network 210, remotely controlling the malicious device 213, the malicious device 215, or the virus-implanted in-network device 214.
In the system 200 shown in fig. 2, network devices may determine available IP addresses based on the obtained addressing rules so that each device in the network 210 may communicate using the network addresses. When the malicious device 213 or the malicious device 215 transmits information containing a destination address to the network forwarding device 212, the network forwarding device 212 may detect the destination address contained in the information according to an addressing rule or address mapping information, thereby determining whether the destination address is a legal address. If the destination address included in the information is a legal address, the network forwarding device 212 may forward the information to a device corresponding to the destination address. If the destination address included in the information is an illegal address, the network forwarding device 212 may discard the information and perform error recording on the malicious device 213 or the malicious device 215 that sent the information. When the number of erroneous recordings of the malicious device 213 exceeds a preset threshold, the network forwarding device 212 may determine that the device 213 is a malicious device and take measures, such as alerting or limiting the communication of the malicious device 213. Thereby preventing the network address scanning by the malicious device inside the network to prevent the network attack initiated by the malicious device inside the network.
Alternatively, when a malicious device 220 (not shown) located outside the network 210 scans for addresses of devices within the network 210, the network forwarding device 212 within the network 210 may detect the destination address contained in the information from the malicious device. Network forwarding device 212 may determine whether the destination address is a legitimate address, thereby preventing network attacks by the malicious device. That is, the system 200 shown in fig. 2 can prevent not only the network address scanning by the malicious device inside the network, but also the network address scanning by the malicious device outside the network.
Optionally, the network 210 may include a plurality of network devices 211 and a plurality of network forwarding devices 212. Wherein one or more of the plurality of network forwarding devices 212 included in the network 210 may detect the received destination address according to addressing rules or address mapping information. That is, some network forwarding devices may obtain the addressing rule or the address mapping information in the network 210 to detect the destination address, or some network forwarding devices may not obtain the addressing rule or the address mapping information to detect the destination address.
Network forwarding device 212 of fig. 2 may perform destination address detection on received messages, so that address scanning by any one or more devices is detected and stopped in time. In the system 200 shown in fig. 2, even when the network attacker controls the malicious device 213, the in-network device 214 or the malicious device 215, it cannot obtain through the controlled device the first IP addresses of other devices in the network, nor their second IP addresses, so the IP addresses in network 210 cannot be forged or derived, and security is enhanced. Other devices within the network means the devices other than the controlled device. For example, if the network attacker has taken control of the malicious device 213, then the malicious device 213 is the controlled device, and the other devices in the network are the network device 211, the network forwarding device 212, the in-network device 214, and the malicious device 215.
Fig. 3 is a schematic system architecture diagram of a method of detecting a network address. In a system of a method of detecting a network address, a plurality of networks and a plurality of devices included in each network may be included. Fig. 3 illustrates an example of a network 310, a network 320, four devices included in the network 310, and three devices included in the network 320.
The system 300 shown in fig. 3 involves a network 310 and a network 320. Network 310 may include therein a network forwarding device 311, a malicious device 312, an in-network device 313, and a network forwarding device 314. Network 310 may also include a network device 315 (not shown). Network 320 may include a network forwarding device 321, a network forwarding device 322, and an in-network device 323. Network 320 may also include a network device 324 (not shown). Network device 315, network device 324 are similar to network device 211 of fig. 2 and are not described in detail herein for brevity.
Network forwarding device 311, network forwarding device 314, network forwarding device 321, and network forwarding device 322 in fig. 3 are similar to network forwarding device 212 in fig. 2, and in-network device 313 and in-network device 323 in fig. 3 are similar to in-network device 214 in fig. 2, and malicious device 312 in fig. 3 is similar to malicious device 213 in fig. 2, and for brevity of description, will not be described in detail herein.
The network forwarding device 311 and the network forwarding device 321 in fig. 3 may obtain addressing rules or address mapping information, i.e. have address detection capabilities, so as to perform network address detection. For example, network forwarding device 311 may obtain address mapping information 1 and network forwarding device 321 may obtain address mapping information 2. The address mapping information 1 and the address mapping information 2 may be the same or different, and the embodiment of the present application is not limited thereto. Network forwarding device 314 and network forwarding device 322 in fig. 3 may not obtain address mapping information and addressing rules, i.e., have no address detection capabilities. Network forwarding device 314 and network forwarding device 322 may forward information from other devices within the network.
When the network forwarding device 311 receives information transmitted from the malicious device 312, the network forwarding device 311 may first determine whether a destination address included in the information is within a detection range of the network 310. When the destination address is within the detection range of the network 310, the network forwarding device 311 may detect whether the destination address conforms to the address mapping information 1, i.e., whether the destination address is a legal address. If the destination address is a legal address, the network forwarding device 311 may send the information to a device corresponding to the destination address. If the destination address is an illegal address, the network forwarding device 311 may discard the information and make an error record for the malicious device 312 that sent the information. If the number of error records of the malicious device 312 exceeds a preset threshold, the network forwarding device 311 may determine that the device 312 is a malicious device, and take measures, such as alerting or limiting communication of the malicious device 312.
When the destination address included in the information received by the network forwarding device 311 is not within the detection range of the network 310, the network forwarding device 311 may directly forward the information to a device in the network corresponding to the destination address, for example, the network forwarding device 321 in the network 320. The network forwarding device 321 may detect whether the destination address corresponds to the address mapping information 2, i.e. whether the destination address is a legitimate address. If the destination address is a legitimate address, the information may be sent to the in-network device 323 via the network forwarding device 322. If the destination address is an illegal address, the information may be discarded and error recorded for the malicious device 312 that sent the information. If the number of error records of the malicious device 312 exceeds a preset threshold, the network forwarding device 321 or the network forwarding device 311 may determine that the device 312 is a malicious device, and take measures, such as alerting or limiting communication of the malicious device 312.
Different addressing rules may be used in the system 300 shown in fig. 3 to divide different networks, so that the computing nodes in the different networks only detect whether the destination address in the network is a legal address, thereby improving the detection efficiency.
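The forwarding-device behaviour described for fig. 2 and fig. 3 (range check, legality check against the address mapping information, discard plus error record, threshold) as an added Python example; this is illustrative code written for this page, not code from the patent. The prefixes 10.1.0.0/24 for network 310 and 10.2.0.0/24 for network 320, the assigned addresses, the threshold of 3 and the scan targets are constructed assumptions, and the address mapping information is modelled in its table form (the set of second IP addresses the network device actually assigned), one of the two forms the description allows.

```python
"""Destination-address detection at forwarding devices (figs. 2 and 3).

Added example, not code from the patent. Constructed assumptions: network 310
owns 10.1.0.0/24, network 320 owns 10.2.0.0/24, the address mapping
information is held in table form (the set of second IP addresses the network
device actually assigned), and a sender is flagged once its error-record count
exceeds the preset threshold.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Message:
    src: str  # source address; a compromised host uses its own legal address
    dst: str  # destination address chosen by the scanner


@dataclass
class ForwardingDevice:
    name: str
    detection_range: ipaddress.IPv4Network        # addresses this device checks
    legal_addresses: Set[str]                      # address mapping information, table form
    threshold: int = 3                             # preset threshold on error records
    next_hop: Optional[ForwardingDevice] = None    # receives out-of-range messages
    error_records: Counter = field(default_factory=Counter)
    flagged: Set[str] = field(default_factory=set)

    def handle(self, msg: Message) -> Tuple[str, str]:
        """Return (name of the deciding device, verdict) for one message."""
        if ipaddress.ip_address(msg.dst) not in self.detection_range:
            # Outside this network's detection range: forward without checking;
            # the forwarding device of the destination network checks instead.
            if self.next_hop is None:
                return (self.name, "forward-unchecked")
            return self.next_hop.handle(msg)
        if msg.dst in self.legal_addresses:
            return (self.name, "forward")
        # Illegal destination: discard and make an error record against the sender.
        self.error_records[msg.src] += 1
        if self.error_records[msg.src] > self.threshold:
            self.flagged.add(msg.src)  # point at which an alert or rate limit applies
        return (self.name, "drop")


def build_topology() -> Tuple[ForwardingDevice, ForwardingDevice]:
    """Devices 311 (network 310) and 321 (network 320) with constructed address tables."""
    dev321 = ForwardingDevice("321", ipaddress.ip_network("10.2.0.0/24"),
                              legal_addresses={"10.2.0.23"})
    dev311 = ForwardingDevice("311", ipaddress.ip_network("10.1.0.0/24"),
                              legal_addresses={"10.1.0.12", "10.1.0.13"},
                              next_hop=dev321)
    return dev311, dev321


def run_scan(scanner: str = "10.1.0.12",
             targets: Optional[List[str]] = None):
    """Constructed scan by malicious device 312, which holds the legal address 10.1.0.12.

    Returns the per-message verdicts and both devices so their records can be inspected.
    """
    dev311, dev321 = build_topology()
    if targets is None:
        targets = [f"10.1.0.{h}" for h in range(10, 16)] + \
                  ["10.2.0.23", "10.2.0.24", "10.2.0.25"]
    verdicts = [dev311.handle(Message(scanner, dst)) for dst in targets]
    return verdicts, dev311, dev321


if __name__ == "__main__":
    results, d311, d321 = run_scan()
    for dev, verdict in results:
        print(f"checked by {dev}: {verdict}")
    print("flagged by 311:", sorted(d311.flagged), "flagged by 321:", sorted(d321.flagged))
```

Error records are kept per device in this example; the description leaves open whether device 311 or device 321 makes the final determination about malicious device 312, which would require the two devices to share their records. Note also that the scanner's own source address is legal throughout, which is exactly why source address validation alone would pass every one of these messages.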
Fig. 4 is a schematic flow chart of a method of determining a network address. The method of fig. 4 includes the following steps.
S410: the network device allocates a first IP address to the first terminal device according to the address allocation rule.
The network device may assign a first IP address to the first terminal device according to the address assignment rule. The first IP address may be used to generate the second IP address, or may be used to detect whether the second IP address is a legitimate address.
Optionally, the first IP address may be an IPv6 address or a FlexIP address. Alternatively, the first IP address may be an IPv4 address.
Optionally, according to the address allocation rule, allocating the first IP address to the first terminal device may include: the first IP address is determined from the address pool or according to a method of assigning the first IP address.
Alternatively, the network device may determine the first IP address from a pool of addresses, which may contain one or more unused addresses.
Alternatively, the network device may determine the first IP address according to a method of assigning the first IP address. The method of assigning the first IP address may include any one or more of: the preset address length, the number of bits of 0 in the preset address, the number of bits of 1 in the preset address, or the numbering characteristic of the preset address. The number feature of the preset address may be a feature that the number of the first IP address needs to conform to.
Alternatively, the network device may determine the first IP address from the address pool according to a method of assigning the first IP address.
Optionally, the address allocation rule may be stored in a first storage space that is accessible only by the network device. In other words, the first storage space is not accessible by devices other than the network device, such as network forwarding devices or terminal devices. That is, devices other than the network device cannot obtain the address allocation rule.
Alternatively, the network device may not send the first IP address to the first terminal device. Alternatively, the network device may send the first IP address to the first terminal device, which is not limited in this application.
Alternatively, the network device may determine the address allocation rule by itself, or may obtain the address allocation rule by manually configuring, which is not limited in the embodiment of the present application.
Optionally, before the network device allocates the first IP address to the first terminal device, the network device may receive an IP address allocation request from the first terminal device, so as to allocate the second IP address to the first terminal device.
S420: the network device determines a second IP address according to the addressing rule and the first IP address.
The network device may process the first IP address determined in step S410 according to the addressing rule, thereby determining the second IP address.
Optionally, the addressing rule may be stored in a second storage space that is accessible only by the network device. In other words, the second storage space is not accessible by devices other than the network device, such as network forwarding devices or terminal devices. That is, devices other than the network device cannot obtain the addressing rule.
Optionally, the second IP address may be an IPv6 address or a FlexIP address; alternatively, the second IP address may be an IPv4 address.
Alternatively, the addressing rules may comprise a first type of addressing rules, which is reversible. In other words, the first type of addressing rule may be used to obtain the second IP address from the first IP address, and may also be used to obtain the first IP address from the second IP address. The first type of addressing rules may include any one or more of the following: sampling rules, calculation rules, or reconstruction rules, to which embodiments of the present application are not limited. The sampling rule is to obtain data of any n preset positions from the sampled input data, the maximum value of n is the length of the sampled input data, and n is a positive integer. The calculation rule includes a mathematical operation or a logical operation. The mathematical operation may include any one or more of the following: adding, subtracting, multiplying, dividing, taking the remainder, etc. The logical operation may include any one or more of the following: and, or, nor, exclusive or, not, etc. The reconstruction rule may be to reconstruct bits of the first reconstruction data and bits of the second reconstruction data to obtain third reconstruction data.
For example, taking the example that the addressing rule comprises a sampling rule, the sampling rule may be to sample all bits of the first IP address to obtain the second IP address. If the first IP address is 253.195.65, the data that can be obtained through the sampling rule is 253.195.65, that is, the second IP address is 253.195.65. If the second IP address is 253.195.65, the data obtained by the inverse operation of the sampling rule is 253.195.65, i.e. the first IP address is 253.195.65.
For example, taking the example that the addressing rule includes a calculation rule, the calculation rule may be to perform an exclusive nor operation on each piece of data of the first IP address and binary data 10010110, to obtain the second IP address. If the first IP address is 148.170.40, the binary data string of the first IP address is 10010100.10101010.00101000. The binary data string is divided into 3 pieces of data, 10010100, 10101010, 00101000, respectively. The 3 pieces of data can be obtained by the calculation rule as 11111101, 11000011 and 01000001, namely the second IP address is 253.195.65. If the second IP address is 253.195.65, the binary data string of the second IP address is 11111101.11000011.01000001. The binary data string is divided into 3 pieces of data, 11111101, 11000011, 01000001, respectively. The data which can be obtained by the inverse operation of the calculation rule of the 3 segments of data are 10010100, 10101010 and 00101000 respectively, namely the first IP address is 148.170.40.
For example, taking the example that the addressing rule includes a reconstruction rule, the reconstruction rule may reconstruct the 1 st to 4 th bits and the 5 th to 8 th bits of each piece of data of the first IP address to obtain the second IP address. If the first IP address is 223.60.20, the binary data string of the first IP address is 11011111.00111100.00010100. The binary data string is divided into 3 pieces of data, 11011111, 00111100, 00010100, respectively. The 3 pieces of data can obtain data of 11111101, 11000011 and 01000001 through the reconstruction rule, namely the second IP address is 253.195.65. If the second IP address is 253.195.65, the binary data string of the second IP address is 11111101.11000011.01000001. The binary data string is divided into 3 pieces of data, 11111101, 11000011, 01000001, respectively. The data which can be obtained by the inverse operation of the reconstruction rule of the 3 segments of data are 11011111, 00111100 and 00010100 respectively, namely the first IP address is 223.60.20.
For example, consider the case where the addressing rules include calculation rules and reconstruction rules. The calculation rule may be an addition of the first IP address and the decimal data 5 to obtain the first data. The reconstruction rule may reconstruct the 1 st to 4 th bits and the 5 th to 8 th bits of the first data to obtain the second IP address. If the first IP address is 223.195.60, the first data that can be obtained by the first IP address through the calculation rule is 223.195.65. The binary data string of the first data is 11011111.11000011.01000001. The data that can be obtained by the reconstruction rule for this binary data string is 11111101.11000011.01000001, i.e. the second IP address is 253.195.65. If the second IP address is 253.195.65, the binary data string of the second IP address is 11111101.11000011.01000001. The binary data can be obtained as data 11011111.11000011.01000001, namely 223.195.65, through inverse operation of the reconstruction rule, and can be obtained as data 223.195.60 through inverse operation of the calculation rule.
For example, the addressing rules include a sampling rule, a calculation rule and a reconstruction rule. The sampling rule may be to sample all bits of the first IP address to obtain the first data. The calculation rule may be an exclusive nor (XNOR) operation of each piece of the first data with the binary data 10010111 to obtain the second data. The reconstruction rule may be to reconstruct the 1st to 4th bits and the 5th to 8th bits of each piece of data of the second data to obtain the second IP address. If the first IP address is 130.170.73, the first data obtained through the sampling rule is 130.170.73, whose binary data string is 10000010.10101010.01001001. The binary data string is divided into 3 segments, 10000010, 10101010 and 01001001, and the data obtained through the calculation rule are 11101010, 11000010 and 00100001. The data obtained through the reconstruction rule are 10101110, 00101100 and 00010010, i.e. the second IP address is 174.44.18. Conversely, if the second IP address is 174.44.18, its binary data string is 10101110.00101100.00010010, which is divided into 3 segments, 10101110, 00101100 and 00010010; the data obtained through the inverse operation of the reconstruction rule are 11101010, 11000010 and 00100001. The data obtained through the inverse operation of the calculation rule are 10000010, 10101010 and 01001001, namely 130.170.73. The data obtained through the inverse operation of the sampling rule is 130.170.73, i.e. the first IP address is 130.170.73.
Alternatively, the execution order of any one or more rules included in the first type of addressing rule may be arranged randomly, which is not limited in the embodiment of the present application.
For example, the addressing rules include a sampling rule, a calculation rule and a reconstruction rule, applied in a different order. The reconstruction rule may be to reconstruct the 1st to 4th bits and the 5th to 8th bits of each piece of data of the first IP address to obtain the first data. The sampling rule may be to sample all bits of the first data to obtain the second data. The calculation rule may be an exclusive nor (XNOR) operation of each piece of the second data with the binary data 01101001 to obtain the second IP address. If the first IP address is 130.170.73, its binary data string is 10000010.10101010.01001001, which is divided into 3 segments: 10000010, 10101010 and 01001001. The reconstruction rule turns the 3 segments into 00101000, 10101010 and 10010100; the sampling rule then gives 00101000, 10101010 and 10010100; and the calculation rule finally gives 10111110, 00111100 and 00000010, i.e. the second IP address is 190.60.2. Conversely, if the second IP address is 190.60.2, its binary data string is 10111110.00111100.00000010, which is divided into 3 segments: 10111110, 00111100 and 00000010. The inverse operation of the calculation rule gives 00101000, 10101010 and 10010100; the inverse operation of the sampling rule gives 00101000, 10101010 and 10010100; and the inverse operation of the reconstruction rule finally gives 10000010, 10101010 and 01001001, i.e. the first IP address is 130.170.73.
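The worked examples above apply the same building blocks in different orders. The following Python program is an added example (it is not part of the patent text) that implements the reconstruction rule (exchange of the two 4-bit halves of a piece), the XNOR and addition calculation rules and the all-bits sampling rule as pairs of forward and inverse functions, so that a chain of rules can be run forwards by the network device and backwards by a computing node holding the address mapping information. The function and type names are the example's own.

```python
"""Added worked example (not part of the patent): first-type addressing rules
as composable (forward, inverse) pairs over an address written as dotted
8-bit pieces. The network device runs the chain forwards; a computing node
holding the address mapping information runs it backwards."""
from typing import Callable, List, Optional, Tuple

Pieces = List[int]
Rule = Tuple[Callable[[Pieces], Pieces], Callable[[Pieces], Pieces]]


def parse(addr: str) -> Pieces:
    """'223.60.20' -> [223, 60, 20]; every piece must be an 8-bit value."""
    pieces = [int(p) for p in addr.split(".")]
    if any(not 0 <= p <= 255 for p in pieces):
        raise ValueError("each piece of data must fit in 8 bits")
    return pieces


def fmt(pieces: Pieces) -> str:
    return ".".join(str(p) for p in pieces)


def swap_nibbles(x: int) -> int:
    """Reconstruction of one piece: exchange bits 1-4 and bits 5-8."""
    return ((x & 0x0F) << 4) | (x >> 4)


def reconstruction(indices: Optional[List[int]] = None) -> Rule:
    """Reconstruction rule on the pieces at `indices` (all pieces if None).
    Exchanging the two halves twice restores the input, so it is its own inverse."""
    def f(ps: Pieces) -> Pieces:
        sel = range(len(ps)) if indices is None else indices
        return [swap_nibbles(p) if i in sel else p for i, p in enumerate(ps)]
    return f, f


def xnor(mask: int) -> Rule:
    """Calculation rule: XNOR every piece with an 8-bit mask (self-inverse)."""
    def f(ps: Pieces) -> Pieces:
        return [(~(p ^ mask)) & 0xFF for p in ps]
    return f, f


def add_last(k: int) -> Rule:
    """Calculation rule: add k to the address, i.e. to its last piece
    (mod 256 keeps the piece 8 bits wide; the inverse subtracts k)."""
    return (lambda ps: ps[:-1] + [(ps[-1] + k) % 256],
            lambda ps: ps[:-1] + [(ps[-1] - k) % 256])


def sample_all() -> Rule:
    """Sampling rule that keeps every bit: the identity in both directions."""
    return (lambda ps: list(ps), lambda ps: list(ps))


def forward(addr: str, rules: List[Rule]) -> str:
    """Network device: first IP address -> second IP address."""
    ps = parse(addr)
    for f, _ in rules:
        ps = f(ps)
    return fmt(ps)


def inverse(addr: str, rules: List[Rule]) -> str:
    """Computing node: second IP address -> first IP address, undoing the
    rules in reverse order."""
    ps = parse(addr)
    for _, g in reversed(rules):
        ps = g(ps)
    return fmt(ps)


if __name__ == "__main__":
    chain = [sample_all(), xnor(0b10010111), reconstruction()]
    second = forward("130.170.73", chain)          # 174.44.18
    print(second, inverse(second, chain))          # 174.44.18 130.170.73
```

Running the chains from the examples above reproduces 223.60.20 to 253.195.65 (reconstruction only), 223.195.60 to 253.195.65 (add 5, then reconstruct the first piece only), 130.170.73 to 174.44.18 and 130.170.73 to 190.60.2, and `inverse` maps each second IP address back to the first IP address because every rule in the chain is reversible and the chain is undone in reverse order.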
Alternatively, the addressing rules may comprise a second type of addressing rules. The second type of addressing rules may include a first addressing rule and a second addressing rule. The network device may transform the first IP address according to the first addressing rule to obtain the first authentication information. The network device may transform the first IP address and the first authentication information according to a second addressing rule to obtain a second IP address.
Optionally, the first addressing rule may include a first sampling rule and/or a first encryption rule. The first sampling rule may be to take the data at any n preset positions of the sampled input data, where n is a positive integer whose maximum value is the length of the sampled input data. The first encryption rule may include any one or more of a calculation rule, a reconstruction rule or an encryption algorithm. The calculation rule may comprise a mathematical operation or a logical operation. The reconstruction rule may be to reconstruct bits of the first reconstruction data and bits of the second reconstruction data to obtain third reconstruction data. The encryption algorithm may include any one or more of a symmetric encryption algorithm, an asymmetric encryption algorithm or a hash algorithm.
Optionally, the second addressing rule may include a second sampling rule and/or a second encryption rule. The second sampling rule is to take the data at any n preset positions of the sampled input data, where n is a positive integer whose maximum value is the length of the sampled input data. The second encryption rule may include a reconstruction rule. Optionally, the second encryption rule may further include a calculation rule or an encryption algorithm.
Alternatively, the network device may not send the addressing rule to the first terminal device. Alternatively, the network device may send the addressing rule to the first terminal device, which is not limited by the embodiment of the present application.
Alternatively, before step S420, the network device may determine the addressing rule by itself or obtain the addressing rule by manual configuration, which is not limited in the embodiment of the present application.
S430, the network device sends the second IP address to the first terminal device.
The network device may send the second IP address determined in step S420 to the first terminal device, where the second IP address may be used as an address where the first terminal device performs network communication.
Alternatively, the network device may send the second IP address to the first terminal device in response to the IP address allocation request sent by the first terminal device.
Alternatively, the first terminal device and the network device may be located in the same network.
S440, the network device sends the address mapping information to the computing node.
The network device may send address mapping information to the computing node, which may be used to indicate a correspondence of the second IP address and the first IP address.
Alternatively, the computing node may comprise a terminal device or a network forwarding device.
Alternatively, the address mapping information may be used to obtain the first IP address from the second IP address; that is, the address mapping information may be the inverse operation of the addressing rule. Alternatively, the address mapping information may include the second IP address and the first IP address corresponding to the second IP address.
Alternatively, the address mapping information may be used to obtain the first IP address and the first authentication information from the second IP address; that is, the address mapping information may be the inverse operation of the second addressing rule. Alternatively, the address mapping information may include the second IP address and the first authentication information corresponding to the second IP address.
Alternatively, after obtaining the address mapping information, the computing node may obtain the first IP address according to the second IP address, or may obtain the first IP address and the first authentication information according to the second IP address. The computing node may detect the second IP address according to the obtained first IP address or the first authentication information, so as to determine whether the second IP address is a legal address.
The network device may perform a data transformation on the first IP address according to the addressing rules so as to hide the first IP address in the second IP address. When the first terminal device is a malicious device, it may perform address scanning on the other devices in the network. However, since the first terminal device cannot obtain the first IP addresses of the other devices in the network, it cannot determine a legal second IP address from those first IP addresses; that is, it cannot forge a legal address. A computing node that obtains the address mapping information may obtain the first IP address from the second IP address according to the address mapping information, and thereby detect whether the second IP address is a legal address. Therefore, the method for determining the network address can be used to detect whether the destination address used by a terminal device in the network during communication is a legal address, so as to prevent a malicious device in the network from performing address scanning and to prevent network attacks initiated by a malicious device in the network.
When a first network forwarding device inside the network is a malicious device, it may perform address scanning on devices other than itself. The first network forwarding device is a network forwarding device that cannot store the first IP addresses of the other devices in the network. However, since the first network forwarding device cannot obtain the first IP addresses of the other devices in the network, it cannot forge a legal address. A computing node that obtains the address mapping information may detect the destination address contained in information from the first network forwarding device to determine whether the destination address is a legal address. Therefore, the method for determining the network address can be used to prevent both terminal devices and first network forwarding devices in the network from performing address scanning.
When a terminal device outside the network or a second network forwarding device outside the network is a malicious device, it may perform address scanning. The second network forwarding device is a network forwarding device that cannot store the first IP addresses of the devices within the network. However, since a terminal device or second network forwarding device outside the network cannot obtain the first IP addresses of the devices in the network, it cannot forge a legal address. A computing node that obtains the address mapping information may detect the destination address contained in information from the terminal device or second network forwarding device outside the network, thereby determining whether the destination address is a legal address. Therefore, the method for determining the network address can be used to prevent malicious devices inside the network from performing address scanning, and also to prevent malicious devices outside the network from performing address scanning.
Fig. 5 is a schematic flow chart of another method of determining a network address. The method of fig. 5 includes the following steps.
S510, the network device determines the first IP address according to the address allocation rule.
The network device may determine the first IP address for the second terminal device according to the address allocation rule by selecting it from an address pool or by a method of assigning the first IP address.
Alternatively, the address allocation rule may be stored in a first memory space that is only accessible to the network device, i.e. that is not available to devices other than the network device. The other devices than the network device may be network forwarding devices or terminal devices.
Alternatively, the network device may determine the first IP address from a pool of addresses, which may contain one or more unused addresses.
For example, if the address pool contains 500 unused addresses, the network device may randomly select one address from those 500 unused addresses, e.g. 253.51, so that the first IP address is 253.51. After the network device determines the first IP address, the number of unused addresses in the address pool is reduced to 499 and the address 253.51 is no longer present in the address pool.
Alternatively, the network device may determine the first IP address according to a method of assigning the first IP address.
Optionally, the method of assigning the first IP address may include any one or more of: a preset address length, a preset number of 0 bits in the address, a preset number of 1 bits in the address, a preset numeric feature of the address, and the like. The numeric feature of the preset address is a property that the numeric value of the first IP address needs to satisfy.
For example, if the method of assigning the first IP address is that the preset address length is 16, an unused address with the length of 16, for example 11111101.00110011, i.e. the first IP address is 253.51, may be selected.
For example, if the method of allocating the first IP address is that the number of bits of 0 in the preset address is 8, an address that is not used and contains 8 bits of 0, for example 10010110.01101001, i.e. the first IP address is 150.105, may be selected.
For example, if the method of allocating the first IP address is that the number of bits of 1 in the preset address is 5, an unused address containing 5 bits of 1, for example 11110100.00000000, i.e. the first IP address is 244.0, may be selected.
For example, if the method of assigning the first IP address is that the number of the preset address is a multiple of 5, an unused address with a multiple of 5, for example, 250.150 with a number 80, i.e., the first IP address is 250.150, may be selected.
For example, if the method of allocating the first IP address is that the preset address length is 16 and the number of 0 bits in the preset address is 7, then an unused address with a length of 16 and 7 bits of 0, for example 11110000.00111110, i.e. the first IP address is 240.62, may be selected.
Alternatively, the network device may determine the first IP address from one or more unused addresses contained in the address pool according to a method of assigning the first IP address.
For example, the address pool contains 500 unused addresses, and the method of allocating the first IP address is that the preset address length is 16 and the number of 0 bits in the preset address is 7. Then an address with a length of 16 and 7 bits of 0, for example 11110000.00111110, i.e. the first IP address is 240.62, may be selected from the address pool.
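As an added illustration (not part of the patent text), the following Python program filters a constructed pool of unused 16-bit addresses by the assignment criteria listed above and removes the allocated address from the pool, as step S510 describes. Treating the numeric feature as the address read as one binary integer, and the class and function names, are this example's assumptions.

```python
"""Added worked example (not part of the patent): selecting a first IP
address from a pool of unused addresses under a method of assigning the
first IP address (preset length, number of 0 bits, number of 1 bits, and a
numeric feature). Addresses are dotted 8-bit pieces as on the page; reading
the address as one binary number for the numeric feature is an assumption."""
import random
from typing import Callable, List, Optional

Predicate = Callable[[str], bool]


def to_bits(addr: str) -> str:
    """'240.62' -> '1111000000111110' (8 bits per dotted piece)."""
    return "".join(format(int(p), "08b") for p in addr.split("."))


def length_is(n: int) -> Predicate:
    """Preset address length in bits."""
    return lambda a: len(to_bits(a)) == n


def zero_bits(n: int) -> Predicate:
    """Preset number of 0 bits."""
    return lambda a: to_bits(a).count("0") == n


def one_bits(n: int) -> Predicate:
    """Preset number of 1 bits."""
    return lambda a: to_bits(a).count("1") == n


def value_multiple_of(k: int) -> Predicate:
    """Numeric feature (assumed reading): the address as an integer is a multiple of k."""
    return lambda a: int(to_bits(a), 2) % k == 0


class AddressPool:
    """Unused first IP addresses; an allocated address leaves the pool."""

    def __init__(self, addresses: List[str]) -> None:
        self.unused: List[str] = list(addresses)

    def candidates(self, rules: List[Predicate]) -> List[str]:
        """All unused addresses that satisfy every rule of the method."""
        return [a for a in self.unused if all(r(a) for r in rules)]

    def allocate(self, rules: List[Predicate],
                 rng: Optional[random.Random] = None) -> Optional[str]:
        """Pick one candidate at random (None if no address fits) and
        remove it from the pool so it cannot be handed out twice."""
        cands = self.candidates(rules)
        if not cands:
            return None
        chosen = (rng or random).choice(cands)
        self.unused.remove(chosen)
        return chosen


# Constructed sample pool of 16-bit addresses (the values used on the page).
SAMPLE_POOL = ["253.51", "150.105", "244.0", "250.150", "240.62"]

if __name__ == "__main__":
    pool = AddressPool(SAMPLE_POOL)
    print(pool.allocate([length_is(16), zero_bits(7)]))  # 240.62
    print(len(pool.unused))                               # 4
```

With the constructed pool, the combined criteria "length 16 and 7 bits of 0" match only 240.62, "5 bits of 1" matches only 244.0 and "8 bits of 0" matches only 150.105, mirroring the examples above; after an allocation the pool shrinks by one and the same criteria yield no further candidate.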
S520, the network device transforms the first IP address according to the first addressing rule to obtain the first authentication information.
The network device may transform the first IP address determined in step S510 according to the first addressing rule, thereby determining the first authentication information.
Alternatively, the network device may obtain the first addressing rule before step S520. The first addressing rule may be reversible or irreversible, which is not limited in this embodiment of the present application.
Alternatively, the first addressing rule may be stored in the second memory space. The second storage space is only accessible by the network device. In other words, the second storage space is not accessible by other devices than the network device, which may be network forwarding devices or terminal devices. That is, devices other than the network device cannot obtain the first addressing rule.
Optionally, the first addressing rule may include a first sampling rule and/or a first encryption rule. The first sampling rule may be to take the data at any n preset positions of the sampled input data, where n is a positive integer whose maximum value is the length of the sampled input data. The first encryption rule may include any one or more of a calculation rule, a reconstruction rule or an encryption algorithm. The calculation rule may comprise a mathematical operation or a logical operation. The reconstruction rule may be to reconstruct bits of the first reconstruction data and bits of the second reconstruction data to obtain third reconstruction data. The encryption algorithm may include any one or more of a symmetric encryption algorithm, an asymmetric encryption algorithm, a hash algorithm, and the like. The symmetric encryption algorithm may include the United States Data Encryption Standard (DES), the Triple Data Encryption Algorithm (TDEA), the Advanced Encryption Standard (AES), and the like. The asymmetric encryption algorithm may include a knapsack algorithm, Diffie-Hellman key exchange (D-H), elliptic curve cryptography (ECC), and the like. The hash algorithm may include a hash function, the message digest algorithm MD5, the Secure Hash Algorithm (SHA), a hashed message authentication code (HMAC), and the like. When the first addressing rule includes an encryption algorithm, the first addressing rule also includes a sampling rule.
Alternatively, the execution order of any one or more rules included in the first addressing rule may be arranged randomly, which is not limited in the embodiment of the present application.
For example, the first addressing rule includes a sampling rule. The sampling rule may be to sample the last 8 bits of the sampled input data. If the first IP address is 253.51, the first authentication information that can be obtained through the sampling rule is 51.
For example, the first addressing rule includes a calculation rule. The calculation rule may be an exclusive or (XOR) operation between the first 8 bits and the last 8 bits of the first IP address. If the first IP address is 253.51, its binary data string is 11111101.00110011, and the binary data string obtained through the calculation rule is 11001110, i.e. the first authentication information is 206.
For example, the first addressing rule includes a reconstruction rule. The reconstruction rule may extract the 1st to 4th bits and the 13th to 16th bits of the first IP address and concatenate them. If the first IP address is 253.51, its binary data string is 11111101.00110011, and the binary data string obtained through the reconstruction rule is 11110011, i.e. the first authentication information is 243.
For example, take a first addressing rule that includes a sampling rule, a first calculation rule, a reconstruction rule and a second calculation rule. The sampling rule may be to sample the last 8 bits of the sampled input data to obtain the first data. The first calculation rule adds the decimal data 5 to the first data to obtain the second data. The reconstruction rule may exchange the first 4 bits and the last 4 bits of the second data to obtain the third data. The second calculation rule may be an exclusive nor (XNOR) operation of the third data with 10010110. If the first IP address is 253.51, its binary data string is 11111101.00110011, and the first data obtained through the sampling rule is 00110011. The second data obtained from the first data through the first calculation rule is 00111000. The third data obtained from the second data through the reconstruction rule is 10000011. The third data gives 11101010 through the second calculation rule, that is, the first authentication information is 234.
For example, take a first addressing rule that includes sampling rule 1, an encryption algorithm and sampling rule 2. Sampling rule 1 samples the last 8 bits of the sampled input data to obtain the first data. The encryption algorithm may be to apply MD5 to the first data to obtain the second data. Sampling rule 2 may sample the last 2 hexadecimal digits of the second data. If the first IP address is 253.52, its binary data string is 11111101.00110100, and the first data obtained through sampling rule 1 is 00110100. The second data obtained by applying the MD5 algorithm to the first data is 9a1158154dfa42caddbd0694a4e9bdc8, the data obtained from the second data through sampling rule 2 is c8, and reading c8 as hexadecimal data gives the first authentication information 200.
S530, the network device transforms the first IP address and the first authentication information according to the second addressing rule to obtain the second IP address.
The network device may process the first IP address obtained in step S510 and the first authentication information obtained in step S520 according to the second addressing rule, thereby obtaining the second IP address. The second addressing rule includes a correspondence of the second IP address, the first authentication information, and the first IP address, and the second addressing rule is reversible. That is, the second addressing rule may obtain the second IP address based on the first IP address and the first authentication information, and may also obtain the first IP address and the first authentication information based on the second IP address.
Alternatively, the second addressing rule may be stored in the second memory space. The second storage space is only accessible by the network device. In other words, the second storage space is not accessible by other devices than the network device, which may be network forwarding devices or terminal devices. That is, devices other than the network device cannot obtain the second addressing rule.
Optionally, before step S530, the network device may determine the second addressing rule by itself, or may obtain the second addressing rule by manually configuring, which is not limited in the embodiment of the present application.
Optionally, the second addressing rule may comprise a second sampling rule and/or a second encryption rule. The second sampling rule is to take the data at any n preset positions of the sampled input data, where n is a positive integer whose maximum value is the length of the sampled input data. The second encryption rule may include a reconstruction rule. The reconstruction rule may be to reconstruct bits of the first reconstruction data and bits of the second reconstruction data to obtain third reconstruction data. Optionally, the second encryption rule may further include a calculation rule or an encryption algorithm.
For example, the reconstruction rule may be to place the first 4 bits of the first authentication information after the 8 th bit of the first IP address and the last 4 bits of the first authentication information in reverse order after the 16 th bit of the first IP address. If the first IP address is 253.51 and the first authentication information is 199, the binary data string of the first IP address is 11111101.00110011 and the binary data string of the first authentication information is 11000111. The binary data string that the first IP address and the first authentication information can obtain through the reconstruction rule is 11111101.11000011.00111110, that is, the second IP address is 253.195.62.
For example, the second addressing rule includes a sampling rule and a reconstruction rule. The sampling rule may be to sample all data of the first IP address and the first authentication information. The reconstruction rule may be that the 1 st to 8 th bits of the first authentication information are placed after the 16 th bit of the first IP address, that is, the first IP address and the first authentication information are sequentially arranged, to obtain the second IP address. If the first IP address is 253.51 and the first authentication information is 199, the two data obtained by the sampling rule are 253.51 and 199, and then the data obtained by the reconstruction rule is 253.51.199, that is, the second IP address is 253.51.199.
For example, take a second addressing rule that includes a calculation rule and a reconstruction rule. The calculation rule may perform an exclusive nor (XNOR) operation on the first 8 bits and the last 8 bits of the first IP address to obtain the first data. The reconstruction rule may arrange the first 8 bits of the first IP address, the first data and the first authentication information in sequence to obtain the second IP address. If the first IP address is 253.51 and the first authentication information is 199, the binary data string of the first IP address is 11111101.00110011 and that of the first authentication information is 11000111. The first data obtained from the binary data string of the first IP address through the calculation rule is 00110001. The reconstruction rule then combines 11111101, 00110001 and 11000111 into 11111101.00110001.11000111, that is, the second IP address is 253.49.199.
For example, take a second addressing rule that includes a reconstruction rule, a calculation rule and a sampling rule. The reconstruction rule may place bits 1 to 16 of the first IP address after bit 8 of the first authentication information to obtain the first data. The calculation rule may subtract the decimal data 3 from the first data to obtain the second data. The sampling rule may sample all bits of the second data. If the first IP address is 253.51 and the first authentication information is 199, the first data obtained through the reconstruction rule is 199.253.51. The second data obtained from the first data through the calculation rule is 199.253.48. Sampling the second data gives 199.253.48, that is, the second IP address is 199.253.48.
Alternatively, the execution order of any one or more rules included in the second addressing rule may be arranged randomly, which is not limited in the embodiment of the present application.
Optionally, after step S530, step S540 (not shown) or step S550 (not shown) may be further included.
S540, the network device sends the second inverse addressing rule to the computing node.
The network device may send the second inverse addressing rule to the computing node, where the second inverse addressing rule is the inverse operation of the second addressing rule. After obtaining the second inverse addressing rule, the computing node may transform the second IP address according to it, thereby obtaining the first IP address and the first authentication information. The computing node may further check the second IP address against the first IP address and the first authentication information to determine whether the second IP address is a legal address.
S550, the network device sends the first addressing rule to the computing node.
The network device may send the first addressing rule to the computing node. After obtaining the first addressing rule, the computing node may transform the first IP address according to the first addressing rule to obtain fourth authentication information. The computing node may then determine whether the second IP address is a legal address by comparing the fourth authentication information with the first authentication information obtained in step S540. Since the same first addressing rule is applied to the same first IP address, the fourth authentication information equals the first authentication information, and the second IP address is therefore a legitimate address.
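The following Python program is an added example (not part of the patent text) of steps S520 to S550 taken together: a first addressing rule derives authentication information from a 16-bit first IP address, a reversible second addressing rule embeds address and authentication information into a 24-bit second IP address using the bit layout from the reconstruction example above (first 4 bits of the authentication information after bit 8 of the address, last 4 bits in reverse order after bit 16), and a computing node that holds the second inverse addressing rule and the first addressing rule checks whether a destination address is legal, which is also the inverse transformation a computing node applies in step S620. The hash-based variant applies MD5 to the decimal string of the sampled piece and keeps the last two hexadecimal digits; that encoding, and all function names, are assumptions of this example.

```python
"""Added worked example (not part of the patent): the second type of
addressing rule and the computing node's legality check. The first addressing
rule derives authentication information from a 16-bit first IP address; the
reversible second addressing rule embeds address and authentication
information into a 24-bit second IP address; the computing node inverts the
second rule and recomputes the authentication information with the first
rule. Applying MD5 to the decimal string of the sampled piece is an assumed
encoding, not something the page specifies."""
import hashlib
from typing import Callable, List, Tuple

FirstRule = Callable[[str], int]


def pieces(addr: str) -> List[int]:
    ps = [int(p) for p in addr.split(".")]
    if any(not 0 <= p <= 255 for p in ps):
        raise ValueError("each piece of data must fit in 8 bits")
    return ps


def fmt(ps: List[int]) -> str:
    return ".".join(str(p) for p in ps)


def swap_nibbles(x: int) -> int:
    """Exchange the two 4-bit halves of an 8-bit value."""
    return ((x & 0x0F) << 4) | (x >> 4)


def reverse4(x: int) -> int:
    """Reverse the bit order of a 4-bit value."""
    return int(format(x & 0x0F, "04b")[::-1], 2)


def first_rule_chain(addr: str) -> int:
    """First addressing rule as chained on the page: sample the last 8 bits,
    add 5, exchange the two 4-bit halves, XNOR with 10010110."""
    _, lo = pieces(addr)
    d2 = (lo + 5) % 256
    d3 = swap_nibbles(d2)
    return (~(d3 ^ 0b10010110)) & 0xFF


def first_rule_md5(addr: str) -> int:
    """Irreversible first addressing rule: MD5 of the sampled last 8 bits,
    keep the last 2 hexadecimal digits of the digest (assumed encoding)."""
    _, lo = pieces(addr)
    return int(hashlib.md5(str(lo).encode()).hexdigest()[-2:], 16)


def embed(addr: str, auth: int) -> str:
    """Second addressing rule (reconstruction): first 4 bits of the
    authentication information after bit 8 of the address, last 4 bits in
    reverse order after bit 16."""
    hi, lo = pieces(addr)
    a_hi, a_lo = auth >> 4, auth & 0x0F
    return fmt([hi, (a_hi << 4) | (lo >> 4), ((lo & 0x0F) << 4) | reverse4(a_lo)])


def extract(second: str) -> Tuple[str, int]:
    """Second inverse addressing rule: recover first IP address and the
    authentication information carried in the second IP address."""
    b0, b1, b2 = pieces(second)
    lo = ((b1 & 0x0F) << 4) | (b2 >> 4)
    auth = (b1 & 0xF0) | reverse4(b2 & 0x0F)
    return fmt([b0, lo]), auth


def issue(addr: str, first_rule: FirstRule) -> str:
    """Network device (S520 + S530): first IP address -> second IP address."""
    return embed(addr, first_rule(addr))


def is_legal(dest: str, first_rule: FirstRule) -> bool:
    """Computing node: recover address and carried authentication information,
    recompute the authentication information with the first rule, and
    compare. Malformed destination addresses are simply illegal."""
    try:
        addr, carried = extract(dest)
    except ValueError:
        return False
    return first_rule(addr) == carried


if __name__ == "__main__":
    second = issue("253.51", first_rule_chain)        # 253.227.53
    print(second, is_legal(second, first_rule_chain))  # 253.227.53 True
    print(is_legal("253.195.62", first_rule_chain))    # False: carries 199, not 234
```

For 253.51 the chained first rule yields 234 and the issued second IP address is 253.227.53; the page's layout example `embed("253.51", 199)` gives 253.195.62 and `extract` recovers (253.51, 199) from it. A computing node applying the chained first rule rejects 253.195.62 (it carries 199) and 253.227.54 (it carries 230 after extraction), because the authentication information carried in the address does not match what the first rule produces for 253.51, which is exactly why a device that cannot obtain first IP addresses and the first addressing rule cannot forge a legal address.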
The network device may transform the first IP address according to the first addressing rule to obtain the first authentication information, and may process the first IP address and the first authentication information according to the second addressing rule to hide both in the second IP address. When a terminal device or the first network forwarding device in the network is a malicious device, it may perform address scanning. The first network forwarding device is a network forwarding device that cannot store the first IP addresses of the other devices within the network. However, since the terminal device or first network forwarding device in the network cannot obtain the first IP addresses of the other devices in the network, it cannot determine the first authentication information and the second IP address from those first IP addresses; that is, it cannot forge a legal address. A computing node that has obtained the second inverse addressing rule can directly obtain the first IP address and the first authentication information from the second IP address according to the second inverse addressing rule, and thereby detect whether the second IP address is a legal address. Therefore, the method for determining the network address can be used to prevent malicious devices in the network from performing address scanning and to prevent network attacks initiated by malicious devices in the network.
When a terminal device or a second network forwarding device outside the network is a malicious device, it may perform address scanning. The second network forwarding device is a network forwarding device that cannot store the first IP addresses of the devices within the network. However, since a terminal device or second network forwarding device outside the network cannot obtain the first IP addresses of the devices in the network, it cannot forge a legal address. Therefore, the method for determining the network address can prevent not only malicious devices inside the network but also malicious devices outside the network from performing address scanning.
Fig. 6 is a schematic flow chart of a method of detecting a network address. The method in fig. 6 includes the following steps.
S610, the computing node receives information from the second terminal device, where the information includes a destination address.
The computing node may receive information from the second terminal device, which may include a destination address. The destination address may be a second IP address of the third terminal device. The computing node may detect whether the destination address is a legitimate address and process the information containing the destination address.
Alternatively, the computing node may comprise a terminal device or a network forwarding device.
Alternatively, the destination address may be an IPv6 address or a Flex IP address. Alternatively, the destination address may be an IPv4 address.
Alternatively, the second terminal device, the third terminal device, or the computing node may or may not be located in the same network, which is not limited by the embodiment of the present application.
S620, the computing node performs inverse transformation on the destination address according to the second addressing inverse rule, and obtains a third IP address and second verification information.
The computing node may process the destination address obtained in step S610 according to the second addressing inverse rule, thereby obtaining the third IP address and the second authentication information included in the destination address.
Alternatively, the second addressing inverse rule may be stored in a third memory space that is not accessible to devices other than the compute node. That is, devices other than the compute node cannot obtain the second inverse addressing rule.
Optionally, the third IP address may be an IPv6 address or a Flex IP address. Alternatively, the third IP address may be an IPv4 address.
Optionally, the computing node may obtain the second addressing inverse rule before step S610. Specifically, the computing node may obtain it by receiving information from the network device. Alternatively, the computing node may obtain the second addressing inverse rule through manual configuration, which is not limited in this embodiment of the present application.
Alternatively, the second addressing inverse rules obtained by the computing nodes located in the same network are the same, and the computing nodes located in different networks may obtain different second addressing inverse rules. That is, each computing node only needs to detect whether the network address in the current network is a legal address, thereby improving the detection efficiency.
Optionally, the second addressing inverse rule is reversible. That is, the computing node may obtain the third IP address and the second authentication information from the destination address, and may also obtain the destination address from the third IP address and the second authentication information.
Optionally, the second addressing inverse rule may include a third sampling rule and/or a third encryption rule. The third sampling rule is to obtain data of any n preset positions from the sampled input data, the maximum value of n is the length of the sampled input data, and n is a positive integer. The third encryption rule may include a reconstruction rule. The reconstruction rule may be to reconstruct bits of the third reconstruction data to obtain the first reconstruction data and the second reconstruction data. Optionally, the third encryption rule may further include a calculation rule or an encryption algorithm. The calculation rule may include a mathematical operation or a logical operation. The encryption algorithm may include a symmetric encryption algorithm, an asymmetric encryption algorithm, a hash algorithm, or the like.
For example, the second addressing inverse rule includes a reconstruction rule. The reconstruction rule may be to extract the 9th to 12th bits of the destination address to obtain first data, extract the 21st to 24th bits of the destination address in reverse order to obtain second data, arrange the first data and the second data in sequence to obtain the second verification information, and arrange the remaining bits of the destination address in sequence to obtain the third IP address. If the destination address is 253.195.62, its binary data string is 11111101.11000011.00111110. Applying the reconstruction rule to this string gives first data 1100 and second data 0111, so the binary data string of the second verification information is 11000111 and the binary data string of the third IP address is 11111101.00110011. That is, the third IP address is 253.51 and the second verification information is 199.
For example, the second addressing inverse rule includes a sampling rule and a reconstruction rule. The reconstruction rule may be to extract the 1st to 16th bits of the destination address to obtain first data and extract the 17th to 24th bits to obtain second data. The sampling rule samples the first data to obtain the third IP address and samples the second data to obtain the second verification information. If the destination address is 253.51.199, the reconstruction rule yields 253.51 and 199, and the inverse operation of the sampling rule then yields 253.51 and 199; that is, the third IP address is 253.51 and the second verification information is 199.
For example, the second addressing inverse rule includes a calculation rule and a reconstruction rule. The reconstruction rule may be to extract the 1st to 8th bits of the destination address to obtain first data, extract the 9th to 16th bits to obtain second data, and extract the 17th to 24th bits to obtain the second verification information. The calculation rule may be to exclusive-NOR the first data with the second data to obtain third data. The reconstruction rule may further include arranging the first data and the third data in sequence to obtain the third IP address. If the destination address is 253.49.199, its binary data string is 11111101.00110001.11000111. The reconstruction rule gives first data 11111101, second data 00110001 and second verification information 11000111, i.e. the second verification information is 199. The calculation rule applied to the first data and the second data gives third data 00110011. The reconstruction rule applied to the first data and the third data gives the binary data string 11111101.00110011 for the third IP address, that is, the third IP address is 253.51.
For example, consider the case where the second addressing inverse rule includes a reconstruction rule, a calculation rule and a sampling rule. The sampling rule may be to sample all bits of the destination address to obtain first data. The calculation rule is to add decimal 3 to the first data to obtain second data. The reconstruction rule is to extract the 1st to 8th bits of the second data to obtain the second verification information and extract the 9th to 24th bits of the second data to obtain the third IP address. If the destination address is 199.253.48, the sampling rule yields 199.253.48, the calculation rule then yields 199.253.51, and finally the reconstruction rule yields 199 and 253.51. That is, the second verification information is 199 and the third IP address is 253.51.
Alternatively, the execution order of any one or more rules included in the second addressing inverse rule may be arranged randomly, which is not limited by the embodiment of the present application.
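The four rule combinations worked through in the examples above, as an added example that is not part of the patent text: bit positions are 1-indexed from the left as in the description, addresses are 24 bits written as three dotted-decimal groups, and each variant returns the pair (third IP address, second verification information). The helper names are mine; the operations themselves are only those the description states.

```python
"""Second addressing inverse rule variants from the description (added example)."""


def to_bits(dotted: str) -> str:
    """'253.195.62' -> '111111011100001100111110' (8 bits per group, most significant first)."""
    return "".join(format(int(group), "08b") for group in dotted.split("."))


def to_dotted(bits: str) -> str:
    """Inverse of to_bits; the bit string length must be a multiple of 8."""
    if len(bits) % 8:
        raise ValueError("bit string length must be a multiple of 8")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def extract(bits: str, first: int, last: int, reverse: bool = False) -> str:
    """Reconstruction primitive: bits first..last (1-indexed, inclusive), optionally in reverse order."""
    chunk = bits[first - 1:last]
    return chunk[::-1] if reverse else chunk


def remainder(bits: str, *ranges) -> str:
    """Reconstruction primitive: every bit not covered by the given (first, last) ranges, in order."""
    taken = {i for first, last in ranges for i in range(first, last + 1)}
    return "".join(b for i, b in enumerate(bits, start=1) if i not in taken)


def inverse_rule_reconstruct(dest: str):
    """Variant 1 (reconstruction only): verification = bits 9-12 followed by bits 24..21 reversed;
    third IP = all remaining bits in their original order."""
    bits = to_bits(dest)
    verification = int(extract(bits, 9, 12) + extract(bits, 21, 24, reverse=True), 2)
    third_ip = to_dotted(remainder(bits, (9, 12), (21, 24)))
    return third_ip, verification


def inverse_rule_sample(dest: str):
    """Variant 2 (sampling + reconstruction): bits 1-16 -> third IP, bits 17-24 -> verification.
    The sampling rule samples every bit of each part, so it is the identity here."""
    bits = to_bits(dest)
    return to_dotted(extract(bits, 1, 16)), int(extract(bits, 17, 24), 2)


def inverse_rule_xnor(dest: str):
    """Variant 3 (calculation + reconstruction): third IP = bits 1-8 || XNOR(bits 1-8, bits 9-16);
    verification = bits 17-24."""
    bits = to_bits(dest)
    first, second = extract(bits, 1, 8), extract(bits, 9, 16)
    xnor = format(~(int(first, 2) ^ int(second, 2)) & 0xFF, "08b")  # bitwise exclusive-NOR, 8 bits
    return to_dotted(first + xnor), int(extract(bits, 17, 24), 2)


def inverse_rule_add3(dest: str):
    """Variant 4 (sampling + calculation + reconstruction): add decimal 3 to the whole 24-bit value
    (wrapping so the result is still a 24-bit address), then bits 1-8 -> verification, bits 9-24 -> third IP."""
    value = (int(to_bits(dest), 2) + 3) & 0xFFFFFF
    bits = format(value, "024b")
    return to_dotted(extract(bits, 9, 24)), int(extract(bits, 1, 8), 2)


if __name__ == "__main__":
    cases = (
        (inverse_rule_reconstruct, "253.195.62"),
        (inverse_rule_sample, "253.51.199"),
        (inverse_rule_xnor, "253.49.199"),
        (inverse_rule_add3, "199.253.48"),
    )
    for rule, dest in cases:
        print(f"{rule.__name__}({dest}) -> {rule(dest)}")
```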
S630, the computing node determines third verification information corresponding to the third IP address according to the addressing information.
The computing node may obtain third authentication information according to the addressing information and the third IP address obtained in step S620. The addressing information may include a first addressing rule or the addressing information may include at least one IP address and at least one authentication information, the at least one IP address and the at least one authentication information being in one-to-one correspondence. The third authentication information and the second authentication information obtained in step S620 may be used to detect whether the destination address is a valid address.
Optionally, the computing node may transform the third IP address according to the first addressing rule to obtain third verification information. The first addressing rule may be reversible or irreversible, which is not limited in this embodiment of the present application. The specific implementation manner of transforming the third IP address according to the first addressing rule to obtain the third verification information is similar to step S520, and will not be described here again.
Alternatively, the at least one IP address and the at least one authentication information may be stored in the form of an authentication information table. The at least one IP address comprises a third IP address, and the verification information corresponding to the third IP address is third verification information. That is, the computing node may obtain the third authentication information corresponding to the third IP address according to the authentication information table.
Alternatively, the authentication information table may include a first authentication information table and a second authentication information table.
Optionally, the first verification information table may include third IP addresses obtained by the computing node from historical detection and the third verification information corresponding to each. Alternatively, it may include third IP addresses obtained by the computing node through manual configuration and their corresponding third verification information, or third IP addresses and corresponding third verification information received by the computing node from the network device.
Optionally, the second verification information table may include third IP addresses obtained by the computing node from historical detection and the fifth verification information corresponding to each. Alternatively, it may include third IP addresses obtained by the computing node through manual configuration and their corresponding fifth verification information, or third IP addresses and corresponding fifth verification information received by the computing node from the network device. The fifth verification information may be data obtained by processing the third IP address according to a partial rule of the first addressing rule.
Alternatively, the computing node may obtain third authentication information corresponding to the third IP address from the first authentication information table.
For example, the first authentication information table is shown in table 1 below:
Table 1: First authentication information table
Third IP Address Third authentication information
253.50 126
253.51 75
253.52 200
If the third IP address is 253.51, according to the first authentication information table, the third authentication information corresponding to the third IP address can be obtained as 75.
Alternatively, the computing node may obtain the third authentication information according to the first addressing rule, the second authentication information table, and the third IP address. Specifically, the computing node may obtain, according to the second verification information table, fifth verification information corresponding to the third IP address. And then processing the fifth verification information according to the second part rule included in the first addressing rule to obtain third verification information. In other words, the first addressing rule may include a first partial rule for obtaining the fifth authentication information according to the third IP address and a second partial rule for obtaining the third authentication information according to the fifth authentication information. The second authentication information table may include a third IP address and fifth authentication information obtained according to the first partial rule and the third IP address.
For example, the second authentication information table, whose fifth authentication information is obtained according to the first partial rule of the first addressing rule, is shown in Table 2 below:
Table 2: Second authentication information table
Third IP Address Fifth authentication information
253.50 c0c7c76d30bd3dcaefc96f40275bdc0a
253.51 2838023a778dfaecdc212708f721b788
253.52 9a1158154dfa42caddbd0694a4e9bdc8
Take the example where the second partial rule comprises a sampling rule. The sampling rule may sample the last two digits of the fifth authentication information to obtain first data, and the third authentication information is then the decimal value of the first data read as hexadecimal data. If the third IP address is 253.51, the fifth authentication information obtained from the second authentication information table is 2838023a778dfaecdc212708f721b788. The sampling rule gives first data 88, and reading 88 as hexadecimal data gives third authentication information 136.
And S640, the computing node determines whether the destination address is a legal address according to the second verification information and the third verification information.
The computing node may determine whether the destination address is a legal address according to whether the second authentication information and the third authentication information are the same, so as to process information including the destination address.
Optionally, if the second verification information is the same as the third verification information, the destination address is judged to be a legal address; if they differ, the destination address is judged to be an illegal address.
Optionally, when the destination address is a legal address, the computing node may forward the information to a third terminal device corresponding to the destination address.
Alternatively, when the destination address is an illegal address, the computing node may discard the information and make an error record of the second terminal device. The error record may be the number of times the destination address contained in the information from the second terminal device is an illegal address. When the number of times of error recording of the second terminal device exceeds a preset threshold, the computing node may determine that the second terminal device is a malicious device, and take measures, such as alerting or limiting communication of the malicious device.
The computing node may obtain the third IP address and the second authentication information from the destination address according to the second addressing inverse rule, and obtain the third authentication information according to the third IP address. The computing node can also determine whether the destination address is a legal address according to the second verification information and the third verification information, so that the information containing the destination address is processed, and the malicious equipment is prevented from address scanning, and network attack initiated by the malicious equipment is prevented. The malicious device may be located within the same network as the computing node or may be located within a different network. The embodiments of the present application are not limited in this regard.
Fig. 7 is a schematic flow chart of another method of detecting a network address. The method in fig. 7 includes the following steps.
S710, carrying out inverse transformation on the destination address according to the second addressing inverse rule to obtain a third IP address and second verification information. The specific implementation of step S710 is the same as that of step S620, and will not be described here again.
S720, inquiring whether the third IP address exists in the verification information table.
The network forwarding device may query the authentication information table for a third IP address. If yes, go to step S730; if not, step S740 is performed.
Alternatively, the network forwarding device may obtain the verification information table from information received from the network device, through manual configuration, or by recording historically detected information, which is not limited in the embodiment of the present application.
Optionally, the authentication information table may include third IP addresses and third authentication information corresponding to the third IP addresses, as shown in table 1. Alternatively, the third IP address and fifth authentication information obtained from the third IP address may be included in the authentication information table, as shown in table 2.
And S730, obtaining third verification information according to the verification information table and the third IP address.
When the third IP address exists in the verification information table, the verification information corresponding to the third IP address can be obtained by inquiring the verification information table.
For example, the authentication information table is shown in table 1, and the third IP address is 253.52. By referring to table 1, the third authentication information corresponding to 253.52 can be obtained as 200.
And S740, obtaining third verification information according to the first addressing rule and the third IP address.
When the verification information table does not have the third IP address, the third IP address can be converted according to the first addressing rule to obtain third verification information. The specific implementation of S740 is similar to that of step S520, and will not be described here again.
Optionally, if the verification information table does not have the third IP address, after step S740 is performed, the obtained third IP address and the third verification information corresponding to the third IP address may be stored in the verification information table, so as to update the verification information table.
S750, comparing whether the second verification information is identical to the third verification information.
The network forwarding device may compare the obtained second authentication information with the third authentication information to obtain a comparison result. If the comparison result is the same, the destination address is determined to be a legal address, and step S760 is executed; if the comparison result is that the two are different, the destination address is determined to be an illegal address, and step S770 and step S780 may be performed.
S760, determining the destination address as legal address, and forwarding the information to the destination address.
If the destination address is a legal address, the network forwarding device may forward information including the destination address to the destination address, where the destination address is an IP address of the third terminal device. That is, the network forwarding device may forward the information to the third terminal device.
S770, determining the destination address as an illegal address, discarding the information, and performing error recording of the second terminal device.
If the destination address is an illegal address, the network forwarding device may discard the information including the destination address and perform error recording of the second terminal device. The error record of the second terminal device may be the number of times that the destination address contained in the information from the second terminal device is an illegal address.
And S780, if the number of times of error records of the second terminal equipment exceeds a preset threshold, the network forwarding equipment determines that the second terminal equipment is malicious equipment.
If the number of times of error records of the second terminal device exceeds a preset threshold, the network forwarding device may determine that the second terminal device is a malicious device, and take measures, such as alerting or limiting communication of the second terminal device. Limiting the communication of the second terminal device may be discarding all information from the second terminal device.
For example, suppose the preset threshold is 3 and the network forwarding device has received information from the second terminal device 5 times, 3 of which carried an illegal address as the destination address, so that the error record count of the second terminal device is 3. When the network forwarding device next receives information from the second terminal device whose destination address is an illegal address, it may discard the information and record another error for the second terminal device. The error record count is now 4 and exceeds the preset threshold of 3, so the network forwarding device may mark the second terminal device as malicious. When the network forwarding device receives information from the second terminal device again, it may discard the information.
The network forwarding device may inverse transform the destination address according to the second addressing inverse rule, thereby obtaining the third IP address and the second authentication information. The network forwarding device can also obtain third verification information corresponding to the third IP address by querying the verification information table, thereby improving the efficiency of address detection. If the verification information table does not have the third IP address, the third IP address can be processed through the first addressing rule to obtain third verification information, and the third IP address and the third verification information are stored in the verification information table to update the verification information table. According to the method for detecting the network address, the network address scanning of the malicious equipment can be prevented, so that the network attack initiated by the malicious equipment is prevented. The malicious device may be located in the same network as the network forwarding device, or may be located in a different network, which is not limited in the embodiment of the present application.
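The Fig. 7 flow (steps S710 to S780) end to end, as an added example that is not part of the patent: a forwarding device recovers the third IP address and second verification information with the add-3 inverse rule from the description, looks the address up in its verification information table, falls back to the first addressing rule and caches the result, compares, and keeps a per-sender error record against the threshold of 3 from the example above. Assumptions: 24-bit addresses written as three dotted-decimal groups; the first addressing rule is a constructed stand-in (MD5 over a secret key and the IP string, whose last two hex digits are read as an 8-bit tag, mirroring the second partial rule of Table 2); the key, sender name and forged addresses are constructed sample data.

```python
"""Fig. 7 network-address detection flow on a forwarding device (added example)."""
import hashlib


def dotted_to_int(dotted: str) -> int:
    """'253.51' -> 64819 (8 bits per dotted group, first group most significant)."""
    value = 0
    for group in dotted.split("."):
        value = (value << 8) | int(group)
    return value


def int_to_dotted(value: int, groups: int) -> str:
    """64819 -> '253.51' for groups=2."""
    return ".".join(str((value >> (8 * i)) & 0xFF) for i in reversed(range(groups)))


def first_addressing_rule(third_ip: str, key: bytes) -> int:
    """Constructed stand-in for the first addressing rule (assumption, not the patent's rule).
    First partial rule: fifth verification information = MD5 hex digest over key || IP string.
    Second partial rule (as in Table 2 / S630): last two hex digits read as hexadecimal -> 8-bit tag."""
    fifth = hashlib.md5(key + third_ip.encode()).hexdigest()
    return int(fifth[-2:], 16)


def second_addressing_rule(first_ip: str, verification: int) -> str:
    """Network-device side (forward direction): 8-bit verification in bits 1-8, 16-bit first IP in
    bits 9-24, then subtract 3 modulo 2^24, so the description's inverse rule (add 3, split) undoes it."""
    value = ((verification & 0xFF) << 16) | (dotted_to_int(first_ip) & 0xFFFF)
    return int_to_dotted((value - 3) & 0xFFFFFF, 3)


def second_addressing_inverse_rule(dest: str):
    """S710: add decimal 3, then bits 1-8 -> second verification information, bits 9-24 -> third IP."""
    value = (dotted_to_int(dest) + 3) & 0xFFFFFF
    return int_to_dotted(value & 0xFFFF, 2), value >> 16


class ForwardingDevice:
    """Network forwarding device running the Fig. 7 flow; key is the one the network device used."""

    def __init__(self, key: bytes, threshold: int):
        self.key = key
        self.threshold = threshold
        self.table = {}         # verification information table: third IP -> third verification info
        self.errors = {}        # error record: sender -> count of illegal destination addresses
        self.malicious = set()  # senders whose error count exceeded the threshold (S780)
        self.forwarded = []     # (sender, destination) pairs forwarded in S760

    def third_verification(self, third_ip: str) -> int:
        """S720-S740: table lookup, else compute with the first addressing rule and update the table."""
        if third_ip not in self.table:
            self.table[third_ip] = first_addressing_rule(third_ip, self.key)
        return self.table[third_ip]

    def handle(self, sender: str, dest: str) -> str:
        if sender in self.malicious:                                  # after S780: drop all from it
            return "dropped_malicious_sender"
        third_ip, second_info = second_addressing_inverse_rule(dest)  # S710
        third_info = self.third_verification(third_ip)                # S720-S740
        if second_info == third_info:                                 # S750
            self.forwarded.append((sender, dest))                     # S760
            return "forwarded"
        self.errors[sender] = self.errors.get(sender, 0) + 1          # S770
        if self.errors[sender] > self.threshold:                      # S780
            self.malicious.add(sender)
            return "dropped_marked_malicious"
        return "dropped_illegal"


def run_scenario() -> list:
    """The description's worked example: threshold 3, five messages of which three are illegal,
    a fourth illegal message trips the threshold, and every later message is dropped.
    Constructed sample data: key, sender name and the forged addresses."""
    key = b"constructed-example-key"
    device = ForwardingDevice(key, threshold=3)
    tag = first_addressing_rule("253.51", key)             # network device derives the tag
    legal = second_addressing_rule("253.51", tag)           # legal second IP address for 253.51
    forged = second_addressing_rule("253.51", (tag + 1) & 0xFF)  # wrong tag: cannot be legal
    sequence = [legal, forged, forged, legal, forged, forged, legal]
    return [device.handle("second_terminal", dest) for dest in sequence]


if __name__ == "__main__":
    print(run_scenario())
```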
Alternatively, when the computing node is a terminal device, the terminal device may also perform detection of the destination address. For example, when the fourth terminal device receives information containing the destination address from the second terminal device, the fourth terminal device may inverse-transform the destination address according to the second addressing inverse rule, thereby obtaining the third IP address and the second authentication information. The fourth terminal device may transform the third IP address according to the first addressing rule, thereby obtaining third authentication information. Alternatively, the fourth terminal may obtain third authentication information corresponding to the third IP address according to the authentication information table. The fourth terminal device may further compare the third authentication information with the second authentication information to determine whether the destination address is a legal address. The specific implementation mode can be as follows: if the third verification information is the same as the second verification information, determining the destination address as a legal address; if the third verification information is different from the second verification information, determining the destination address as an illegal address.
When the fourth terminal device determines that the destination address is a legal address and the destination address is an IP address of the fourth terminal device, the fourth terminal device may parse the information. When the fourth terminal device determines that the destination address is a legal address and the destination address is not an IP address of the fourth terminal device, the fourth terminal device may forward the information to the terminal device corresponding to the destination address. When the fourth terminal device determines that the destination address is an illegal address, the fourth terminal device may discard the information and perform error recording of the second terminal device. When the number of erroneous recordings of the second terminal device exceeds a preset threshold, the fourth terminal device may determine that the second terminal device is a malicious device, and may take measures, such as alerting or restricting communication of the second terminal device.
Having described the method of determining a network address according to an embodiment of the present application, a network device, a computing node, and related equipment according to an embodiment of the present application are described below with reference to fig. 8 to 9, respectively.
Fig. 8 is a schematic structural diagram of a network device according to an embodiment of the present application. The network device 800 includes a processing unit 810 and a transmitting unit 820.
The processing unit 810 is configured to allocate a first IP address to the first terminal device according to the address allocation rule, and determine a second IP address according to the address allocation rule and the first IP address. The processing unit 810 may perform part or all of step S410, step S420, and steps S510 to S530 in the method of fig. 4 and 5.
The sending unit 820 is configured to send the second IP address to the first terminal device, and further configured to send address mapping information, a second addressing inverse rule, or a first addressing rule to the computing node. The transmitting unit 820 may perform part or all of steps S430, S440, S540, or S550 in the method of fig. 4.
FIG. 9 is a schematic diagram of a computing node according to one embodiment of the present application. The computing node 900 comprises a transceiving unit 910 and a processing unit 920.
The transceiver unit 910 is configured to receive information from the second terminal device, where the information includes a destination address, and further configured to forward the information to the second terminal device when the destination address is a legal address. The transceiving unit 910 may perform step S610 in the method of fig. 6 or step S760 in the method of fig. 7.
The processing unit 920 is configured to obtain a third IP address and second authentication information according to the second addressing inverse rule and the destination address, and determine third authentication information corresponding to the third IP address according to the addressing information. The processing unit 920 is further configured to determine whether the destination address is a legal address according to the third verification information and the second verification information. The processing unit 920 may perform some or all of steps S620 to S640 in the method of fig. 6, steps S710 to S750 in fig. 7, step S770, or step S780.
Embodiments of the present application also provide a chip system including logic circuitry for coupling with an input/output interface through which data is transferred to perform the various steps of fig. 4 or 5.
Embodiments of the present application also provide a chip system including logic circuitry for coupling with an input/output interface through which data is transferred to perform the various steps of fig. 6 or 7.
According to the method provided by the embodiment of the application, the application further provides a computer program product, which comprises: computer program code which, when run on a computer, causes the computer to perform the steps of fig. 4 or 5.
According to the method provided by the embodiment of the application, the application further provides a computer readable medium, wherein the computer readable medium stores a program code, and when the program code runs on a computer, the program code causes the computer to execute the steps in fig. 6 or fig. 7.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (32)

1. A method of determining a network address, comprising:
a network device allocates a first Internet Protocol (IP) address to a first terminal device according to an address allocation rule;
the network device determines a second IP address according to an addressing rule and the first IP address;
the network device sends the second IP address to the first terminal device, wherein the second IP address is the address used by the first terminal device for network communication;
the network device sends address mapping information to a computing node, wherein the address mapping information indicates the correspondence between the second IP address and the first IP address.
2. The method of claim 1, wherein the address allocation rule is stored in a first memory space and the addressing rule is stored in a second memory space, the first memory space or the second memory space being accessible only to the network device.
3. The method according to claim 1 or 2, wherein the addressing rule comprises a first addressing rule and a second addressing rule, and wherein the network device determining the second IP address according to the addressing rule and the first IP address comprises:
the network device transforms the first IP address according to the first addressing rule to obtain first verification information;
and the network device transforms the first IP address according to the second addressing rule and the first verification information to obtain the second IP address.
4. A method according to claim 3, wherein the first addressing rule comprises a first sampling rule and/or a first encryption rule and the second addressing rule comprises a second sampling rule and/or a second encryption rule.
5. The method according to claim 3 or 4, characterized in that the method further comprises:
and the network device sends a second inverse addressing rule to the computing node, wherein the second inverse addressing rule is used for determining the first IP address and the first verification information from the second IP address.
6. The method according to any one of claims 3 to 5, further comprising:
the network device sends the first addressing rule to the computing node.
7. The method according to any of claims 1 to 6, wherein the first IP address or the second IP address is an internet protocol version 6 IPv6 address or a flexible internet protocol FlexIP address.
8. A method of detecting a network address, comprising:
a computing node receives information from a second terminal device, wherein the information comprises a destination address, the destination address being an Internet Protocol (IP) address of a third terminal device;
the computing node performs an inverse transformation on the destination address according to a second inverse addressing rule to obtain a third IP address and second verification information;
the computing node determines third verification information corresponding to the third IP address according to addressing information;
and the computing node determines whether the destination address is a legal address according to the third verification information and the second verification information.
9. The method of claim 8, wherein the determining whether the destination address is a legal address according to the third verification information and the second verification information comprises:
determining that the destination address is the legal address when it is determined that the second verification information is the same as the third verification information;
determining that the destination address is an illegal address when it is determined that the second verification information is different from the third verification information;
the method further comprises:
forwarding the information to the third terminal device when the destination address is determined to be the legal address;
and discarding the information and recording an error for the second terminal device when the destination address is determined to be the illegal address.
10. The method according to claim 9, wherein the method further comprises: determining whether the number of error records of the second terminal device exceeds a preset threshold;
and if the number of error records of the second terminal device exceeds the preset threshold, the computing node determines that the second terminal device is a malicious device.
11. The method according to any one of claims 8 to 10, wherein the addressing information comprises a first addressing rule, and wherein the computing node determining third verification information corresponding to the third IP address according to the addressing information comprises:
the computing node transforming the third IP address according to the first addressing rule to obtain the third verification information.
12. The method of any one of claims 8 to 10, wherein the addressing information comprises at least one IP address and at least one piece of verification information, the at least one IP address and the at least one piece of verification information being in one-to-one correspondence, and wherein the computing node determining third verification information corresponding to the third IP address according to the addressing information comprises:
the computing node determining the third verification information from the at least one piece of verification information according to the third IP address.
13. The method according to any of claims 8 to 12, wherein the destination address or the third IP address is an internet protocol version 6 IPv6 address or a flexible internet protocol FlexIP address.
14. A network apparatus, comprising:
a processing unit, configured to allocate a first Internet Protocol (IP) address to a first terminal device according to an address allocation rule;
the processing unit is further configured to determine a second IP address according to an addressing rule and the first IP address;
a sending unit, configured to send the second IP address to the first terminal device, where the second IP address is an address where the first terminal device performs network communication;
the sending unit is further configured to send address mapping information to a computing node, where the address mapping information is used to indicate a correspondence between the second IP address and the first IP address.
15. The method of claim 14, wherein the address allocation rule is stored in a first memory space and the addressing rule is stored in a second memory space, the first memory space or the second memory space being accessible only to the network device.
16. The method according to claim 14 or 15, wherein the addressing rules comprise a first addressing rule and a second addressing rule, and the processing unit is specifically configured to transform the first IP address according to the first addressing rule, so as to obtain first verification information;
the processing unit is further configured to transform the first IP address according to the second addressing rule and the first verification information, so as to obtain the second IP address.
17. The method of claim 16, wherein the first addressing rule comprises a first sampling rule and/or a first encryption rule, and the second addressing rule comprises a second sampling rule and/or a second encryption rule.
18. The method according to claim 16 or 17, wherein the sending unit is further configured to send a second inverse addressing rule to the computing node, the second inverse addressing rule being used for determining the first IP address and the first verification information from the second IP address.
19. The method according to any of the claims 16 to 18, wherein the sending unit is further configured to send the first addressing rule to the computing node.
20. The method according to any of claims 14 to 19, wherein the first IP address or the second IP address is an internet protocol version 6 IPv6 address or a flexible internet protocol FlexIP address.
21. A computing node, comprising:
a transceiver unit, configured to receive information from a second terminal device, wherein the information comprises a destination address, the destination address being an Internet Protocol (IP) address of a third terminal device;
the processing unit is used for carrying out inverse transformation on the destination address according to a second addressing inverse rule to obtain a third IP address and second verification information;
the processing unit is further configured to determine third verification information corresponding to the third IP address according to the addressing information;
the processing unit is further configured to determine whether the destination address is a legal address according to the third verification information and the second verification information.
22. The method according to claim 21, wherein the processing unit is specifically configured to determine that the destination address is the legal address when it is determined that the second verification information is the same as the third verification information;
the processing unit is further configured to determine that the destination address is an illegal address when it is determined that the second verification information is different from the third verification information;
the transceiver unit is further configured to forward the information to the third terminal device when the destination address is determined to be the legal address;
the processing unit is further configured to discard the information and record an error for the second terminal device when the destination address is determined to be the illegal address.
23. The method of claim 22, wherein the processing unit is further configured to:
determine whether the number of error records of the second terminal device exceeds a preset threshold;
and if the number of error records of the second terminal device exceeds the preset threshold, determine that the second terminal device is a malicious device.
24. The method according to any one of claims 21 to 23, wherein the addressing information comprises a first addressing rule, the processing unit being specifically configured to:
and transforming the third IP address according to the first addressing rule to obtain the third verification information.
25. The method according to any one of claims 21 to 23, wherein the addressing information comprises at least one IP address and at least one piece of verification information, the at least one IP address and the at least one piece of verification information being in one-to-one correspondence, the processing unit being specifically configured to:
determine the third verification information from the at least one piece of verification information according to the third IP address.
26. The method according to any of claims 21 to 25, wherein the destination address or the third IP address is an internet protocol version 6 IPv6 address or a flexible internet protocol FlexIP address.
27. A network device, comprising: a processor for coupling with a memory, reading and executing instructions and/or program code in the memory to perform the method of any of claims 1-7.
28. A computing node, comprising: a processor for coupling with a memory, reading and executing instructions and/or program code in the memory to perform the method of any of claims 8-13.
29. A chip system, comprising: logic circuitry for coupling with an input/output interface through which data is transferred for performing the method of any of claims 1-7.
30. A chip system, comprising: logic circuitry for coupling with an input/output interface through which data is transferred for performing the method of any of claims 8-13.
31. A computer readable medium, characterized in that the computer readable medium stores a program code which, when run on a computer, causes the computer to perform the method according to any of claims 1-7.
32. A computer readable medium, characterized in that the computer readable medium stores a program code which, when run on a computer, causes the computer to perform the method according to any of claims 8-13.
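Method claims 1 to 13 above describe a single procedure from two sides: the network device derives verification information from the allocated first IP address (first addressing rule), folds it into the second IP address that the terminal actually uses (second addressing rule) and reports the second-to-first mapping to the computing node; the computing node later inverts the second rule, recomputes the verification information for the recovered third IP address and decides whether a destination address is legal, recording errors per sender and flagging a sender whose errors exceed a preset threshold. The following Python block is an added illustration of that flow written for this page; it is not code from the patent or its applicant. The /64 documentation prefix, the two HMAC-SHA256 keys standing in for the first and second encryption rules, the 16-bit verification tag, the 48-bit host identifier, the bit layout of the second address and the error threshold of 3 are all assumptions chosen for the example.

```python
"""Added example: self-verifying IPv6 addresses in the style of the claims.

Network-device side: allocate a first IP, derive verification info (first
addressing rule), fold it into a second IP (second addressing rule).
Computing-node side: invert the second rule, recompute the verification
info, forward or drop, and count errors per sending terminal.
"""
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed parameters (assumptions for this example, not values from the patent).
PREFIX = ipaddress.IPv6Network("2001:db8:0:1::/64")  # documentation prefix
KEY_FIRST_RULE = b"first-addressing-rule-secret"      # key of the first encryption rule
KEY_SECOND_RULE = b"second-addressing-rule-secret"    # key of the second encryption rule
TAG_BITS = 16        # width of the verification information embedded in the address
HOST_BITS = 48       # width of the allocated host identifier
ERROR_THRESHOLD = 3  # "preset threshold" of error records before a sender is flagged

HOST_MASK = (1 << HOST_BITS) - 1
TAG_MASK = (1 << TAG_BITS) - 1


def allocate_first_ip(host_id: int) -> ipaddress.IPv6Address:
    """Address allocation rule: /64 prefix, 16 zero bits, then a 48-bit host identifier."""
    if not 0 <= host_id <= HOST_MASK:
        raise ValueError("host identifier out of range")
    return ipaddress.IPv6Address(int(PREFIX.network_address) | host_id)


def first_verification(ip: ipaddress.IPv6Address, key: bytes = KEY_FIRST_RULE) -> int:
    """First addressing rule: HMAC over the whole address, sampled down to TAG_BITS."""
    digest = hmac.new(key, ip.packed, hashlib.sha256).digest()
    return int.from_bytes(digest[: TAG_BITS // 8], "big")


def _keystream(prefix_bits: int, tag: int, key: bytes) -> int:
    """Mask for the host identifier. It depends only on the prefix and the tag,
    both of which are recoverable from the second IP, so the transform is invertible."""
    msg = prefix_bits.to_bytes(8, "big") + tag.to_bytes(TAG_BITS // 8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[: HOST_BITS // 8], "big")


def second_address(first_ip: ipaddress.IPv6Address,
                   key_first: bytes = KEY_FIRST_RULE,
                   key_second: bytes = KEY_SECOND_RULE) -> ipaddress.IPv6Address:
    """Second addressing rule: place the tag in bits 64..79 and mask the host identifier."""
    ip_int = int(first_ip)
    prefix_bits = ip_int >> 64
    host = ip_int & HOST_MASK
    tag = first_verification(first_ip, key_first)
    masked = host ^ _keystream(prefix_bits, tag, key_second)
    return ipaddress.IPv6Address((prefix_bits << 64) | (tag << HOST_BITS) | masked)


def inverse_second(second_ip: ipaddress.IPv6Address,
                   key_second: bytes = KEY_SECOND_RULE):
    """Second inverse addressing rule: recover (third IP, second verification info)."""
    ip_int = int(second_ip)
    prefix_bits = ip_int >> 64
    tag = (ip_int >> HOST_BITS) & TAG_MASK
    host = (ip_int & HOST_MASK) ^ _keystream(prefix_bits, tag, key_second)
    return ipaddress.IPv6Address((prefix_bits << 64) | host), tag


class NetworkDevice:
    """Allocates addresses and keeps the mapping it reports to the computing node."""
    def __init__(self):
        self.next_host = 1
        self.mapping = {}  # address mapping information: second IP -> first IP

    def assign(self) -> ipaddress.IPv6Address:
        first_ip = allocate_first_ip(self.next_host)
        self.next_host += 1
        second_ip = second_address(first_ip)
        self.mapping[second_ip] = first_ip
        return second_ip  # the address the terminal uses for network communication


class ComputingNode:
    """Holds the first addressing rule and the second inverse rule; checks destinations."""
    def __init__(self, threshold: int = ERROR_THRESHOLD):
        self.threshold = threshold
        self.errors = Counter()  # error records per sending terminal

    def check(self, sender: str, destination: ipaddress.IPv6Address) -> str:
        third_ip, second_verif = inverse_second(destination)
        third_verif = first_verification(third_ip)
        if third_verif == second_verif:
            return "forward"          # legal address: forward to the third terminal
        self.errors[sender] += 1      # illegal address: discard and record the error
        if self.errors[sender] > self.threshold:
            return "drop:malicious"   # error count exceeded the preset threshold
        return "drop"


if __name__ == "__main__":
    device, node = NetworkDevice(), ComputingNode()
    public = device.assign()
    print(public, "->", device.mapping[public], node.check("terminal-2", public))
    # An address built with a wrong first-rule key fails with probability 1 - 2**-TAG_BITS.
    forged = second_address(allocate_first_ip(7), key_first=b"attacker-guess")
    print(forged, node.check("scanner", forged))
```

Because the tag is a keyed function of the address, a sender that guesses or enumerates destination addresses passes the check with probability about 2^-16 per attempt, and the per-sender error counter implements the threshold of claim 10. The alternative of claim 12, a table mapping each IP address to its verification information, would replace the `first_verification` call in `ComputingNode.check` with a lookup over the address mapping information the network device already sends.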

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210031784.9A CN116471258A (en) 2022-01-12 2022-01-12 Method for determining network address and related equipment

Publications (1)

Publication Number Publication Date
CN116471258A true CN116471258A (en) 2023-07-21

Family

ID=87172267

Country Status (1)

Country Link
CN (1) CN116471258A (en)

Similar Documents

Publication Publication Date Title
CN109983752B (en) Network address with encoded DNS level information
KR100803272B1 (en) Apparatus and method of prosessing certification in IPv6 network
CN108632221B (en) Method, equipment and system for positioning controlled host in intranet
WO2011088657A1 (en) Method, device and internet system for processing internet address information
WO2019129201A1 (en) Session management for communications between a device and a dtls server
CN109688243B (en) Sensing node IPv6 address allocation method based on trusted identity
RU2690749C1 (en) Method of protecting computer networks
Liu et al. Addressless: enhancing IoT server security using IPv6
Rye et al. IPvSeeYou: Exploiting leaked identifiers in IPv6 for street-level geolocation
EP3442195A1 (en) Method and device for parsing packet
CN110913351B (en) Multicast control method, device, network equipment and storage medium
KR100856918B1 (en) Method for IP address authentication in IPv6 network, and IPv6 network system
CN116471258A (en) Method for determining network address and related equipment
CN110620729A (en) Message forwarding method and device and message forwarding equipment
US10015179B2 (en) Interrogating malware
CN106789666B (en) Method and device for determining converted port
CN115941192A (en) IPv6 address prefix coding method and device, storage medium and electronic equipment
Tront et al. Security and privacy produced by DHCP unique identifiers
CN110995738B (en) Violent cracking behavior identification method and device, electronic equipment and readable storage medium
CN114422474A (en) User IPv6 address generation method based on RADIUS server
KR101683013B1 (en) System and method for allocating ip address using dhcp option 60, 61 and 82
Castiglione et al. Device tracking in private networks via napt log analysis
US7995595B1 (en) Method for efficiently detecting node addresses
Guangjia et al. Using multi‐address generation and duplicate address detection to prevent DoS in IPv6
Guo et al. FACA: An effective method for detecting the survivability of large-scale IPv6 addresses

Legal Events

Date Code Title Description
PB01 Publication