CN116566726A - Internet Protocol (IP) processing method, device, equipment and storage medium - Google Patents

Publication number
CN116566726A
Authority
CN
China
Prior art keywords
address
addresses
blocked
state
file
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310687245.5A
Other languages
Chinese (zh)
Inventor
王东
刘源浩
尹津其
张晖
林伟
王延军
伍军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an Internet Protocol (IP) processing method, apparatus, device and storage medium, which relate to the technical field of communication and are used to improve the efficiency and accuracy of IP processing. The method comprises: acquiring, in real time, an IP disposal work order comprising a plurality of IP addresses from a security operations center (SOC) platform, and formatting the plurality of IP addresses to obtain a plurality of to-be-processed IP addresses; acquiring, from a preset database, a state identifier corresponding to each of the to-be-processed IP addresses; and, based on the state identifier corresponding to each to-be-processed IP address, controlling the firewall to perform a target operation on each of the to-be-processed IP addresses. The method and device apply to IP processing scenarios.

Description

Internet Protocol (IP) processing method, device, equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular to an Internet Protocol (IP) processing method, apparatus, device, and storage medium.
Background
With the rapid development of internet technology, networks are interconnected ever more widely, the network security protection situation is increasingly severe, the number of protection scenarios keeps growing, and the workload and difficulty of protection keep rising. In particular, when a large enterprise website is frequently accessed by a large number of malicious Internet Protocol (IP) addresses, normal operation of the website may be affected. Therefore, in daily network security protection work, to keep enterprise network information secure, operation and maintenance personnel block or unblock abnormal IPs from the external network at the Internet egress firewall of the enterprise intranet.
In the prior art, IPs can be blocked or unblocked manually. Specifically, when a large number of IPs are to be blocked or unblocked, the IPs to be blocked are first obtained manually from a blocking file, or the IPs to be unblocked from an unblocking file, and entered one by one; the electronic device then searches the firewall, one by one, for the security rule information corresponding to each entered IP; finally, the IP is added to or deleted from that security rule information to carry out the blocking or unblocking operation.
With this method, blocking or unblocking IPs manually is time-consuming and labor-intensive, and human uncertainty easily leads to blocking or unblocking operations that are late or wrong. The efficiency of blocking or unblocking IPs is therefore poor and the accuracy is low.
Disclosure of Invention
The application provides an Internet Protocol (IP) processing method, apparatus, device and storage medium, which address the problems that blocking or unblocking IPs manually is time-consuming and labor-intensive and easily leads to late or erroneous blocking or unblocking operations, and thereby improve the efficiency and accuracy of blocking or unblocking IPs.
In order to achieve the above purpose, the present application adopts the following technical scheme:
In a first aspect, an IP processing method is provided, comprising: acquiring, in real time, an IP disposal work order comprising a plurality of IP addresses from a security operations center (SOC) platform, and formatting the plurality of IP addresses to obtain a plurality of to-be-processed IP addresses, where the formatting converts IP addresses in different formats into IP addresses in the same format, and the types of to-be-processed IP address include at least one of: an IP address to be blocked and an IP address to be unblocked; acquiring, from a preset database, a state identifier corresponding to each of the to-be-processed IP addresses, where the state identifier is any one of: blocked state, unblocked state and unknown state, and the preset database includes a historical blocked IP address list and a historical unblocked IP address list; and, based on the state identifier corresponding to each to-be-processed IP address, controlling the firewall to perform a target operation on each of the to-be-processed IP addresses, where the target operation is any one of: a blocking operation, an unblocking operation and maintaining the current state.
In one possible implementation, the method further includes: determining at least one IP address to be blocked and at least one IP address to be unblocked from the plurality of to-be-processed IP addresses, based on the instruction information that the work order indicates for each to-be-processed IP address; generating a to-be-blocked file from the at least one IP address to be blocked, and determining a timestamp signature for the to-be-blocked file from the time point at which it was generated; and generating a to-be-unblocked file from the at least one IP address to be unblocked, and determining a timestamp signature for the to-be-unblocked file from the time point at which it was generated.
In one possible implementation, the method further includes: acquiring the to-be-blocked files and to-be-unblocked files generated within a preset time period, based on the timestamp signatures of the to-be-blocked files and of the to-be-unblocked files; and acquiring a preset whitelist from the preset database and, based on it, removing the IP addresses included in the preset whitelist from the IP addresses to be blocked contained in the to-be-blocked files generated within the preset time period, where the preset whitelist includes at least one IP address on which the blocking operation is not allowed.
In one possible implementation, the plurality of to-be-processed IP addresses includes at least one IP address to be blocked and at least one IP address to be unblocked, and controlling the firewall to perform a target operation on each to-be-processed IP address based on its state identifier includes: for at least one first IP address, among the at least one IP address to be blocked, whose state identifier is the unblocked state or the unknown state, controlling the firewall to perform the blocking operation on the at least one first IP address, and updating the state identifier of the at least one first IP address in the preset database; for at least one second IP address, among the at least one IP address to be blocked, whose state identifier is the blocked state, the blocking operation need not be performed on the at least one second IP address; for at least one third IP address, among the at least one IP address to be unblocked, whose state identifier is the blocked state or the unknown state, controlling the firewall to perform the unblocking operation on the at least one third IP address, and updating the state identifier of the at least one third IP address in the preset database; for at least one fourth IP address, among the at least one IP address to be unblocked, whose state identifier is the unblocked state, the blocking operation need not be performed on the at least one fourth IP address.
In one possible implementation, controlling the firewall to perform the blocking operation on the at least one first IP address includes: comparing the sum of the number of the at least one first IP address and the number of IP addresses to be blocked already contained in a first to-be-blocked list against a preset threshold; and, if that sum is less than or equal to the preset threshold, adding the at least one first IP address to the first to-be-blocked list and controlling the firewall to perform the blocking operation on the IP addresses contained in the first to-be-blocked list.
In one possible implementation, the method further includes: if the sum of the number of the at least one first IP address and the number of IP addresses to be blocked contained in the first to-be-blocked list is greater than the preset threshold, creating a second to-be-blocked list, adding the at least one first IP address to the second to-be-blocked list, and controlling the firewall to perform the blocking operation on the IP addresses contained in the second to-be-blocked list.
In a second aspect, an IP processing apparatus is provided, comprising an acquisition unit and a processing unit. The acquisition unit is configured to acquire, in real time, an IP disposal work order comprising a plurality of IP addresses from a security operations center (SOC) platform. The processing unit is configured to format the plurality of IP addresses to obtain a plurality of to-be-processed IP addresses, where the formatting converts IP addresses in different formats into IP addresses in the same format, and the types of to-be-processed IP address include at least one of: an IP address to be blocked and an IP address to be unblocked. The acquisition unit is further configured to acquire, from a preset database, a state identifier corresponding to each of the to-be-processed IP addresses, where the state identifier is any one of: blocked state, unblocked state and unknown state, and the preset database includes a historical blocked IP address list and a historical unblocked IP address list. The processing unit is further configured to control the firewall, based on the state identifier corresponding to each to-be-processed IP address, to perform a target operation on each of the to-be-processed IP addresses, where the target operation is any one of: a blocking operation, an unblocking operation and maintaining the current state.
In one possible implementation, the IP processing apparatus further includes a determining unit. The determining unit is configured to determine at least one IP address to be blocked and at least one IP address to be unblocked from the plurality of to-be-processed IP addresses, based on the instruction information that the IP disposal work order indicates for each to-be-processed IP address. The processing unit is further configured to generate a to-be-blocked file from the at least one IP address to be blocked; the determining unit is further configured to determine a timestamp signature for the to-be-blocked file from the time point at which it was generated. The processing unit is further configured to generate a to-be-unblocked file from the at least one IP address to be unblocked; the determining unit is further configured to determine a timestamp signature for the to-be-unblocked file from the time point at which it was generated.
In one possible implementation, the acquisition unit is further configured to acquire the to-be-blocked files and to-be-unblocked files generated within a preset time period, based on the timestamp signatures of the to-be-blocked files and of the to-be-unblocked files; the acquisition unit is further configured to acquire a preset whitelist from the preset database; and the processing unit is further configured to remove, based on the preset whitelist, the IP addresses included in the preset whitelist from the IP addresses to be blocked contained in the to-be-blocked files generated within the preset time period, where the preset whitelist includes at least one IP address on which the blocking operation is not allowed.
In one possible implementation, the plurality of to-be-processed IP addresses includes at least one IP address to be blocked and at least one IP address to be unblocked. The processing unit is further configured, for at least one first IP address, among the at least one IP address to be blocked, whose state identifier is the unblocked state or the unknown state, to control the firewall to perform the blocking operation on the at least one first IP address and to update the state identifier of the at least one first IP address in the preset database. For at least one second IP address, among the at least one IP address to be blocked, whose state identifier is the blocked state, the processing unit need not perform the blocking operation on the at least one second IP address. The processing unit is further configured, for at least one third IP address, among the at least one IP address to be unblocked, whose state identifier is the blocked state or the unknown state, to control the firewall to perform the unblocking operation on the at least one third IP address and to update the state identifier of the at least one third IP address in the preset database. For at least one fourth IP address, among the at least one IP address to be unblocked, whose state identifier is the unblocked state, the processing unit need not perform the blocking operation on the at least one fourth IP address.
In one possible implementation, the processing unit is further configured to compare the sum of the number of the at least one first IP address and the number of IP addresses to be blocked contained in a first to-be-blocked list against a preset threshold; and, if that sum is less than or equal to the preset threshold, to add the at least one first IP address to the first to-be-blocked list and control the firewall to perform the blocking operation on the IP addresses contained in the first to-be-blocked list.
In one possible implementation, the processing unit is further configured, if the sum of the number of the at least one first IP address and the number of IP addresses to be blocked contained in the first to-be-blocked list is greater than the preset threshold, to create a second to-be-blocked list, add the at least one first IP address to the second to-be-blocked list, and control the firewall to perform the blocking operation on the IP addresses contained in the second to-be-blocked list.
In a third aspect, an electronic device is provided, comprising a processor and a memory, wherein the memory is configured to store one or more programs, the one or more programs comprising computer-executable instructions that, when executed by the electronic device, cause the electronic device to perform the IP processing method of the first aspect.
In a fourth aspect, there is provided a computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a computer, cause the computer to perform an IP processing method as in the first aspect.
The application provides an IP processing method, apparatus, device and storage medium, applied to IP processing scenarios. When IPs need to be processed, a plurality of to-be-processed IP addresses can be obtained automatically in real time and, according to the state identifier of each to-be-processed IP address in a preset database, the firewall is controlled to perform the blocking operation on IP addresses to be blocked, to perform the unblocking operation on IP addresses to be unblocked, or to maintain the current state of an IP address to be blocked or unblocked. Querying the historical blocking status of the to-be-processed IP addresses thus avoids blocking or unblocking the same IP address repeatedly. With this method, IP addresses to be blocked can be blocked automatically in batches and IP addresses to be unblocked can be unblocked automatically, which solves the prior-art problem that processing to-be-processed IP addresses manually, one by one, easily leads to late or erroneous blocking or unblocking operations, and improves the efficiency and accuracy of IP processing.
Drawings
Fig. 1 is a schematic structural diagram of an IP processing system according to an embodiment of the present application;
Fig. 2 is a schematic flow chart of an IP processing method according to an embodiment of the present application;
Fig. 3 is a schematic diagram of the IP address handling workflow presented on a large screen, provided by an embodiment of the present application;
Fig. 4 is a second schematic flow chart of an IP processing method according to an embodiment of the present application;
Fig. 5 is a third schematic flow chart of an IP processing method according to an embodiment of the present application;
Fig. 6 is a fourth schematic flow chart of an IP processing method according to an embodiment of the present application;
Fig. 7 is a fifth schematic flow chart of an IP processing method according to an embodiment of the present application;
Fig. 8 is a sixth schematic flow chart of an IP processing method according to an embodiment of the present application;
Fig. 9 is a flow diagram of intelligent IP handling provided by an embodiment of the present application;
Fig. 10 is a schematic structural diagram of an IP processing apparatus according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
In the description of the present application, "/" means "or" unless otherwise indicated; for example, A/B may mean A or B. "And/or" herein merely describes an association relationship between associated objects and means that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist together, or B exists alone. Further, "at least one", "a plurality" means two or more. The terms "first", "second" and the like do not limit number or order of execution, and the terms "first", "second" and the like do not necessarily differ.
In the prior art, IPs can be blocked or unblocked manually. Specifically, the address blocking lists (for example, address blocking list 1 and address blocking list 2) and the address unblocking list issued by a security operations center (SOC) platform are first downloaded manually; a corresponding firewall configuration script is then written by hand for the IPs to be blocked in each address blocking list, and an operator logs in to the firewall and pastes the scripts one by one to perform the blocking operation. For the IPs to be unblocked in the address unblocking list, the security rule (rule name) containing each IP to be unblocked is looked up in the firewall, and a corresponding firewall configuration script is written that deletes the source address corresponding to that IP from the firewall to perform the unblocking operation.
Illustratively, the IPs to be blocked in address blocking list 1 may include 192.168.100.10, 192.168.100.11, 192.168.100.12, 192.168.100.13, 192.168.100.14, 192.168.100.15, 192.168.100.16, 192.168.100.17, 192.168.100.18, 192.168.100.19, 192.168.100.20, 192.168.100.21, and 192.168.100.22, and the firewall configuration script written for the IPs to be blocked in address blocking list 1 may be:
    // create the security rule
    source-zone untrust    // specify the source security zone
    source-address 192.168.100.10 32    // add the IP address to be blocked
    source-address 192.168.100.11 32
    source-address 192.168.100.12 32
    source-address 192.168.100.13 32
    source-address 192.168.100.14 32
    source-address 192.168.100.15 32
    source-address 192.168.100.16 32
    source-address 192.168.100.17 32
    source-address 192.168.100.18 32
    source-address 192.168.100.19 32
    source-address 192.168.100.20 32
    source-address 192.168.100.21 32
    source-address 192.168.100.22 32
    action deny    // configure the action as block
    rule move huwanggongji1 before    // move the security rule to the front
The IPs to be blocked in address blocking list 2 may include 192.168.101.10, 192.168.101.11, 192.168.101.12, 192.168.101.13, 192.168.101.14, 192.168.101.15, 192.168.101.16, 192.168.101.17, 192.168.101.18 and 192.168.101.19, and the firewall configuration script written for the IPs to be blocked in address blocking list 2 may be:
    rule name huwanggongji2
    source-zone untrust
    source-address 192.168.101.10 32
    source-address 192.168.101.11 32
    source-address 192.168.101.12 32
    source-address 192.168.101.13 32
    source-address 192.168.101.14 32
    source-address 192.168.101.15 32
    source-address 192.168.101.16 32
    source-address 192.168.101.17 32
    source-address 192.168.101.18 32
    source-address 192.168.101.19 32
    action deny
    quit
    rule move huwanggongji2 after huwanggongji1
The IPs to be unblocked in the address unblocking list may include 192.168.100.10, 192.168.100.11, 192.168.101.10, and 192.168.101.11, and the firewall configuration script written for the IPs to be unblocked in the address unblocking list may be:
    sys
    security-policy
    rule name huwanggongji1
    undo source-address 192.168.100.10 32    // delete the source address
    undo source-address 192.168.100.11 32
    quit
    rule name huwanggongji2
    undo source-address 192.168.101.10 32
    undo source-address 192.168.101.11 32
    quit
With this method, operation and maintenance personnel with a certain level of network and security skills must block or unblock IPs by working in shifts, with manual duty, manual claiming, manual dispatch, manual disposal and manual receipts, which puts them under enormous work pressure. Meanwhile, in daily disposal and during important activities or critical assurance work, security blocking and unblocking tasks are generally issued in real time around the clock, tens of times every day, each time with anywhere from a few IP addresses to several thousand, and the time limit for completing the operation is short, so human uncertainty easily leads to IP addresses being processed late or incorrectly. Moreover, after an IP address is processed only a firewall log is generated, so a problem is not easy to find after an operation goes wrong.
Before blocking or unblocking, in order to process the many IP addresses in one instruction file in a single pass, the historical blocking status of the IP addresses is generally not checked and the block and unblock entries cannot be de-duplicated, so the same IP address is easily blocked or unblocked repeatedly, which reduces firewall performance. In addition, there is no monitoring or early-warning mechanism while IP addresses are being processed: the IP disposal result cannot be monitored in real time and problems can only be looked up in massive firewall logs, so a failed IP disposal is difficult to identify.
The application provides an IP processing method. When IPs need to be processed, a plurality of to-be-processed IP addresses can be obtained automatically in real time and, according to the state identifier of each to-be-processed IP address in a preset database, the firewall is controlled to perform the blocking operation on IP addresses to be blocked, to perform the unblocking operation on IP addresses to be unblocked, or to maintain the current state of an IP address to be blocked or unblocked. Querying the historical blocking status of the to-be-processed IP addresses thus avoids blocking or unblocking the same IP address repeatedly. With this method, IP addresses to be blocked can be blocked automatically in batches and IP addresses to be unblocked can be unblocked automatically, which solves the prior-art problem that processing to-be-processed IP addresses manually, one by one, easily leads to late or erroneous blocking or unblocking operations, and improves the efficiency and accuracy of IP processing.
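Added example, not part of the patent text: a Python implementation of the state-based decision summarized above, combined with the whitelist filter and the per-list threshold from the first aspect, with the result rendered in the command syntax of the prior-art scripts quoted earlier. The in-memory state and rule tables, the function names, the accepted input formats and the threshold values are assumptions made for illustration.

```python
import ipaddress
from enum import Enum


class State(Enum):
    BLOCKED = "blocked"
    UNBLOCKED = "unblocked"
    UNKNOWN = "unknown"


def normalize(raw):
    """Formatting step (assumed input forms): 'a.b.c.d', 'a.b.c.d/32', 'a.b.c.d 32'."""
    iface = ipaddress.IPv4Interface("/".join(raw.split()))
    if iface.network.prefixlen != 32:
        raise ValueError(f"not a single host address: {raw!r}")
    return str(iface.ip)


def unique(raw_addresses):
    """Normalize and de-duplicate, keeping work-order order."""
    return list(dict.fromkeys(normalize(a) for a in raw_addresses))


def plan(to_block, to_unblock, state_db, whitelist, rules, threshold, new_rule):
    """Return firewall commands; state_db and rules are updated in place.

    state_db: address -> State (absent means UNKNOWN)
    rules:    rule name -> addresses it blocks, oldest rule first
    """
    commands = []  # to be issued inside the firewall's security-policy view
    protected = {normalize(a) for a in whitelist}

    # "First" addresses: to be blocked, not whitelisted, currently unblocked/unknown.
    first = [a for a in unique(to_block)
             if a not in protected
             and state_db.get(a, State.UNKNOWN) is not State.BLOCKED]
    if first:
        current = list(rules)[-1] if rules else None
        fits = current is not None and len(first) + len(rules[current]) <= threshold
        target = current if fits else new_rule  # over threshold: second list
        rules.setdefault(target, [])
        commands.append(f"rule name {target}")
        if not fits:
            commands.append("source-zone untrust")
        commands += [f"source-address {a} 32" for a in first]
        if not fits:
            commands.append("action deny")
        commands.append("quit")
        if not fits and current is not None:
            commands.append(f"rule move {target} after {current}")
        rules[target].extend(first)
        state_db.update({a: State.BLOCKED for a in first})

    # "Third" addresses: to be unblocked, currently blocked/unknown.
    undo = {}
    for a in unique(to_unblock):
        if state_db.get(a, State.UNKNOWN) is State.UNBLOCKED:
            continue  # already unblocked: keep the current state
        for name, members in rules.items():
            if a in members:
                members.remove(a)
                undo.setdefault(name, []).append(a)
        # Assumption: an address found in no rule only has its state recorded.
        state_db[a] = State.UNBLOCKED
    for name, addrs in undo.items():
        commands.append(f"rule name {name}")
        commands += [f"undo source-address {a} 32" for a in addrs]
        commands.append("quit")
    return commands


def demo():
    """Constructed sample: 13 addresses already blocked in rule huwanggongji1."""
    blocked = [f"192.168.100.{i}" for i in range(10, 23)]
    state_db = {a: State.BLOCKED for a in blocked}
    state_db["192.168.100.50"] = State.UNBLOCKED
    rules = {"huwanggongji1": list(blocked)}
    commands = plan(
        to_block=["192.168.101.10/32", "192.168.101.11 32",
                  "192.168.100.10", "192.168.101.12"],
        to_unblock=["192.168.100.10", "192.168.100.11", "192.168.100.50"],
        state_db=state_db, whitelist=["192.168.101.12"], rules=rules,
        threshold=14, new_rule="huwanggongji2")
    return commands, state_db, rules


if __name__ == "__main__":
    print("\n".join(demo()[0]))
```

With the constructed threshold of 14, the two new addresses do not fit beside the 13 existing entries, so a second rule is created; raising the threshold to 15 appends them to the existing rule instead.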
The IP processing method provided by the embodiment of the application can be applied to an IP processing system. Fig. 1 shows a schematic configuration of an IP processing system. As shown in fig. 1, the IP processing system 10 includes: the system comprises a safe operation center platform 11, an intelligent chemical engineering bill grabbing and processing module 12, an IP address automatic handling system 13, a large screen monitoring and alarming module 14 and a public network outlet firewall module 15. The IP address automatic handling system 13 includes an application server 131 and a database 132. The safe operation center platform 11, the intelligent chemical engineering single grabbing and processing module 12, the IP address automatic handling system 13 and the large screen monitoring and alarming module 14 are all located in an intranet of a data communication network (date communicate net, DCN), and the public network outlet firewall module 15 is located in an isolation zone (demilitarized zone, DMZ).
The secure operation center platform 11 is configured to issue an IP disposal worksheet including a plurality of IP addresses in real time; the intelligent chemical engineering bill grabbing and processing module 12 is used for automatically acquiring an IP disposal work bill comprising a plurality of IP addresses from the secure operation center platform 11 in real time, automatically formatting the plurality of IP addresses to obtain a plurality of to-be-processed IP addresses, sending the plurality of to-be-processed IP addresses to the IP address automatic disposal system 13, receiving a processing result of the to-be-processed IP addresses from the IP address automatic disposal system 13, and sending a processing result of the to-be-processed IP addresses to the secure operation center platform 11.
The IP address automatic handling system 13 is configured to form an instruction to control the public network egress firewall module 15 (i.e., firewall) to perform a target operation on each of the plurality of IP addresses to be processed based on the status identifier corresponding to each of the plurality of IP addresses to be processed; the large screen monitoring and alarming module 14 is used for displaying the processing flow and the processing result of the to-be-processed IP address of the IP address automatic processing system 13 in real time and providing an IP address query function; the public network egress firewall module 15 is configured to perform a target operation on each of the plurality of pending IP addresses based on the instruction.
The application server 131 is configured to obtain a status identifier corresponding to each of the plurality of to-be-processed IP addresses from the database (i.e., a preset database) 132, form an instruction to control the public network egress firewall module 15 to perform a target operation on each of the plurality of to-be-processed IP addresses, and send a processing result of the to-be-processed IP addresses to the database 132.
The database 132 is used for storing the state identifier corresponding to each of the plurality of to-be-processed IP addresses, obtaining the processing result of the to-be-processed IP addresses from the application server 131, generating a result log, and sending the result log to the intelligent work order grabbing and processing module 12 through the application server 131 to close the loop. In this way, the IP addresses are processed through the secure operation center platform 11, the intelligent work order grabbing and processing module 12, the IP address automatic handling system 13, the large screen monitoring and alarming module 14, and the public network egress firewall module 15.
An IP processing method provided in the embodiments of the present application is described below with reference to the accompanying drawings. As shown in fig. 2, the method for processing IP provided in the embodiment of the present application is applied to an electronic device, and the method includes S201-S203:
S201, acquiring an IP disposal work order comprising a plurality of IP addresses from a secure operation center (SOC) platform in real time, and formatting the IP addresses to obtain a plurality of to-be-processed IP addresses.
The formatting process is used for converting IP addresses with different formats into IP addresses with the same format, and the type of the to-be-processed IP addresses comprises at least one of the following: an IP address to be blocked and an IP address to be unblocked.
It can be understood that the electronic device may obtain, in real time, an IP disposal work order including a plurality of IP addresses from the SOC platform, and format the plurality of IP addresses to convert IP addresses in different formats into IP addresses in the same format, so as to obtain a plurality of to-be-processed IP addresses including at least one of an IP address to be blocked and an IP address to be unblocked.
Alternatively, the IP disposal work order issued by the instruction platform (i.e., the SOC platform) may be automatically grabbed and processed by the intelligent work order grabbing and processing module. Specifically, the IP disposal work order may be automatically scanned and grabbed in real time, and its content may be analyzed, so that each of the plurality of IP addresses in different formats included in the IP disposal work order is automatically formatted into a text file of IP addresses or address segments plus masks in a uniform representation (i.e., the formatting process). The format of the IP address may include at least one of: single IP address, address network segment.
Illustratively, the format of the IP disposal work order may be a Word form or an Excel form. The plurality of IP addresses may include 5 single IP addresses and 1 address network segment, and the 5 single IP addresses may be: 132.168.4.1 255.255.255.255, 132.168.4.1/32, 132.168.4.0 255.255.255.0, 132.168.4.0/24 and 132.168.4/24, and the 1 address network segment may be 132.168.4.1.
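The formatting step of S201 can be sketched as follows. This is an added example, not code from the application: the function names are hypothetical, the canonical form chosen is CIDR text, and rejecting entries whose host bits are set (instead of silently widening them to a whole segment) is an assumption made here. It also accepts IPv6 entries.

```python
import ipaddress


def _pad_ipv4(addr):
    """Expand shorthand such as '132.168.4' to '132.168.4.0' (IPv4 only)."""
    if ":" in addr:                      # IPv6 text is passed through untouched
        return addr
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    return ".".join(octets + ["0"] * (4 - len(octets)))


def normalize_entry(raw):
    """Return one work-order entry as canonical 'network/prefix' text.

    Accepted inputs: 'addr', 'addr/prefix', 'addr/netmask', 'addr netmask'.
    Raises ValueError for anything that cannot be parsed unambiguously.
    """
    text = " ".join(raw.split())         # collapse tabs and repeated spaces
    if "/" in text:
        addr, mask = (part.strip() for part in text.split("/", 1))
    elif " " in text:
        addr, mask = text.split(" ", 1)
    else:
        # A bare address is a single host; shorthand is not padded here,
        # because '132.168.4' without a mask is ambiguous.
        host = ipaddress.ip_address(text)
        return f"{host}/{host.max_prefixlen}"
    # strict=True refuses '132.168.4.7/24': blocking a /24 when the work
    # order may have meant one host is a decision for a human, not a parser.
    net = ipaddress.ip_network(f"{_pad_ipv4(addr)}/{mask}", strict=True)
    return str(net)


def normalize_work_order(entries):
    """Normalize and de-duplicate entries, keeping first-seen order.

    Returns (accepted, rejected); rejected holds (raw_entry, reason) pairs
    so that a bad line is reported rather than dropped silently.
    """
    accepted, rejected = {}, []
    for raw in entries:
        try:
            accepted[normalize_entry(raw)] = None
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return list(accepted), rejected


# The six spellings listed in the paragraph above.
PAGE_EXAMPLES = [
    "132.168.4.1 255.255.255.255",
    "132.168.4.1/32",
    "132.168.4.0 255.255.255.0",
    "132.168.4.0/24",
    "132.168.4/24",
    "132.168.4.1",
]

if __name__ == "__main__":
    ok, bad = normalize_work_order(PAGE_EXAMPLES + ["132.168.4.7/24"])
    print(ok)
    print(bad)
```

The six spellings collapse to two canonical entries, which is what allows the later state lookup to compare addresses as plain text.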
S202, acquiring a state identifier corresponding to each to-be-processed IP address in a plurality of to-be-processed IP addresses from a preset database.
Wherein the state identifier is any one of the following: a blocking state, an unblocking state and an unknown state, and the preset database comprises: a historical blocking IP address list and a historical unblocking IP address list.
It can be understood that the electronic device may obtain, from a preset database including a historical blocking IP address list and a historical unblocking IP address list, a state identifier corresponding to each of the plurality of to-be-processed IP addresses, where the state identifier is a blocking state, an unblocking state, or an unknown state.
Optionally, a target list (i.e. the historical blocking IP address list and the historical unblocking IP address list) may be created in advance in the preset database, and the target list may include five fields: rule name (RULENAME), IP, subnet mask (MASK), state identifier (FLAG), and storage time (STORAGE_TIME).
Illustratively, the target list may be a huwangxingdong table, with FLAG=0 indicating that the IP address (single IP address or address segment) is in the blocking state, and FLAG=1 indicating that the IP address is in the unblocking state.
When the state identifier corresponding to any to-be-processed IP address in the preset database is 0, the state identifier corresponding to the to-be-processed IP address is the blocking state; when the state identifier corresponding to any to-be-processed IP address in the preset database is 1, the state identifier corresponding to the to-be-processed IP address is the unblocking state; when any to-be-processed IP address does not exist in the preset database, the state identifier corresponding to the to-be-processed IP address is the unknown state.
It should be noted that RULENAME is used to name a security rule created in the firewall, IP is a blocked IP address or an unblocked IP address in the preset database, and STORAGE_TIME indicates the time when the IP address was written into the preset database. The database operations of the automatic blocking and unblocking program are consistent with those of the manual blocking and unblocking program.
In a possible implementation manner, in the process of performing blocking or unblocking, whether an IP address to be blocked has already been blocked and whether an IP address to be unblocked has already been unblocked can be judged by querying the IP handling records in the database (i.e., the preset database), so that duplicate IP addresses are identified automatically. Performing this de-duplication solves the problem in the prior art that firewall performance is reduced by massive repeated blocking or unblocking data, reduces repeated data on the firewall, and improves firewall performance.
S203, based on the state identifier corresponding to each of the plurality of to-be-processed IP addresses, controlling the firewall to execute a target operation on each of the plurality of to-be-processed IP addresses.
Wherein the target operation is any one of: a blocking operation, an unblocking operation, and maintaining the current state.
It can be appreciated that the electronic device may control the firewall to perform a blocking operation, a unblocking operation, or maintain a current state for each of the plurality of pending IP addresses based on a state identifier corresponding to each of the plurality of pending IP addresses.
Optionally, after the target operation performed on each of the plurality of to-be-processed IP addresses is determined, the IP handling details corresponding to each to-be-processed IP address (i.e., which target operation is performed on the to-be-processed IP address) may be written into the preset database. In addition, the myfw.log file records the blocking file and the unblocking file in which each to-be-processed IP address is located, the test.log file records the execution process, the blocklast file records the name of the blocking file in which the last blocked IP address is located, and the unblock file records the name of the unblocking file in which the last unblocked IP address is located.
The large screen display of the IP address disposal flow and result can be realized by separating the static web page from the dynamic data. Specifically, a World Wide Web (WEB) static frame, a real-time dynamic time acquisition program, a dynamic data WEB page and a real-time dynamic data pushing program can be used, with a timed task pushing the dynamic data to the WEB page of the WEB server, so that the workflow and result of IP address disposal can be monitored and displayed on a large screen.
Fig. 3 is a schematic diagram of the IP address handling workflow shown on a large screen, through which the real-time processing progress of each work order can be viewed. Specifically, the processing progress of each to-be-processed IP address in the work order can be queried manually. The IP processing progress comprises an IP issuing center stage, a grabbing instruction stage, an IP processing stage and a real-time result stage. Clicking the detailed information of the IP issuing center stage shows the instruction to be processed; clicking the detailed information of the grabbing instruction stage shows the file in which the to-be-processed IP address is located; clicking the detailed information of the IP processing stage shows whether that file is in a to-be-blocked state or a to-be-unblocked state; and clicking the detailed information of the real-time result stage shows whether the processing result of that file is blocked successfully or unblocked successfully.
The total number of blocked and unblocked IPs, the number of daily blocked and unblocked IPs, and the number and results of each treatment of IPs can be presented by a large screen. If the IP blocking fails, the large screen monitoring can prompt that the IP disposal fails and send an alarm short message to operation and maintenance personnel.
It should be noted that the electronic device supports IP addresses and address segments in both the internet protocol version 4 (IPv4) format and the internet protocol version 6 (IPv6) format.
In one possible implementation manner, the IP address treatment progress flow and result are monitored and displayed in real time through a large screen, so that operation and maintenance personnel can conveniently monitor IP treatment.
In one design, as shown in fig. 4, the method for processing IP provided in the embodiment of the present application further includes S301 to S303:
S301, determining at least one IP address to be blocked and at least one IP address to be unblocked from the plurality of to-be-processed IP addresses based on instruction information corresponding to each of the plurality of to-be-processed IP addresses indicated in the IP disposal work order.
It can be appreciated that the at least one to-be-blocked IP address and the at least one to-be-unblocked IP address may be determined from the plurality of to-be-processed IPs based on instruction information corresponding to each of the plurality of to-be-processed IP addresses indicated in the IP disposal worksheet.
Optionally, if the instruction information corresponding to any one of the to-be-processed IP addresses is "to be blocked", the to-be-processed IP address is an IP address to be blocked; if the instruction information corresponding to any one of the to-be-processed IP addresses is "to be unblocked", the to-be-processed IP address is an IP address to be unblocked.
S302, generating a file to be blocked based on at least one IP address to be blocked, and determining a timestamp signature corresponding to the file to be blocked based on a generation time point of the file to be blocked.
It can be appreciated that the file to be blocked can be generated based on at least one IP address to be blocked, and the timestamp signature corresponding to the file to be blocked can be determined based on the generation time point of the file to be blocked.
Optionally, the to-be-blocked file can be automatically generated in real time based on at least one to-be-blocked IP address, and then the to-be-blocked file is sent to a block (blocking) folder in an interface of the application server, and a timestamp signature corresponding to the to-be-blocked file in the block folder is determined.
It should be noted that the block folder is a folder for storing files to be blocked.
For example, the timestamp signature corresponding to the file to be blocked may be 1658894664540.txt, 1658895927529.txt, or 165889634578.txt.
S303, generating a file to be unblocked based on the at least one IP address to be unblocked, and determining a timestamp signature corresponding to the file to be unblocked based on a generation time point of the file to be unblocked.
It can be appreciated that the file to be unblocked can be generated based on the at least one IP address to be unblocked, and the timestamp signature corresponding to the file to be unblocked can be determined based on the generation time point of the file to be unblocked.
Optionally, the file to be unblocked may be automatically generated in real time based on the at least one IP address to be unblocked, and then the file to be unblocked is sent to an undo (unblocking) folder in an interface of the application server, and a timestamp signature corresponding to the file to be unblocked in the undo folder is determined.
It should be noted that the undo folder is a folder for storing files to be unblocked.
Illustratively, the timestamp signature corresponding to the file to be unblocked may be 1661152455875.txt, 1661165927529.txt, 1661166341578.txt, or the like.
In one possible implementation, the uniqueness and time sequence of generation of the text files can be guaranteed by time-stamp signing the text files uploaded into the block folder and the undo folder.
In one design, as shown in fig. 5, the method for processing IP provided in the embodiment of the present application further includes S401-S402:
S401, acquiring the files to be blocked and the files to be unblocked generated in a preset time period based on the timestamp signature corresponding to the files to be blocked and the timestamp signature corresponding to the files to be unblocked.
It can be understood that the file to be blocked and the file to be unblocked generated in the preset time period can be obtained based on the timestamp signature corresponding to the file to be blocked and the timestamp signature corresponding to the file to be unblocked.
Optionally, the application server may automatically extract, in batches, the unexecuted files to be blocked and files to be unblocked generated in the preset time period, based on the timestamp signatures corresponding to the files to be blocked and the files to be unblocked. When extracting them, it automatically judges whether the time elapsed since each text file (i.e. each file to be blocked or file to be unblocked) was generated exceeds the preset transmission duration, so that only text files whose elapsed time exceeds the preset transmission duration are extracted.
The preset transmission duration may be, for example, 1 minute.
In one possible implementation, extracting text files exceeding a preset transmission duration may ensure that the file is executed after the file transmission is completed.
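The selection rule of S401 can be sketched as follows. This is an added example, not code from the application: the function name is hypothetical, file names are assumed to be 13-digit epoch-millisecond timestamps as in the examples above, and the extra check against the file's last-modified time is an assumption added so that a file still being written is not executed half-transferred.

```python
import re
from pathlib import Path

# Assumption: names look like '1658894664540.txt' (epoch milliseconds).
NAME_RE = re.compile(r"^(\d{13})\.txt$")


def ready_files(folder, now_ms, settle_ms=60_000, already_executed=()):
    """Return names of files that are safe to execute, oldest first.

    A file qualifies when it has not been executed yet and more than
    settle_ms (the preset transmission duration, 1 minute on the page)
    has passed since BOTH the timestamp in its name and its last write.
    Anything whose name does not match the pattern is ignored, so stray
    files dropped into the folder never reach the firewall.
    """
    done = set(already_executed)
    ready = []
    for path in Path(folder).iterdir():
        match = NAME_RE.match(path.name)
        if not match or not path.is_file() or path.name in done:
            continue
        created_ms = int(match.group(1))
        written_ms = int(path.stat().st_mtime * 1000)
        if now_ms - max(created_ms, written_ms) > settle_ms:
            ready.append((created_ms, path.name))
    # Sorting on the numeric timestamp preserves the generation order,
    # so a block followed by an unblock is not replayed in reverse.
    return [name for _, name in sorted(ready)]
```

The same function serves both the block folder and the undo folder; the caller passes the names it has already executed.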
S402, acquiring a preset white list from a preset database, and removing IP addresses included in the preset white list from a plurality of IP addresses to be blocked included in a file to be blocked generated in a preset time period based on the preset white list.
The preset white list comprises at least one IP address on which the blocking operation is not allowed to be performed.
It may be appreciated that a preset whitelist including at least one IP address that is not allowed to perform the blocking operation may be obtained from a preset database, and based on the preset whitelist, the IP addresses included in the preset whitelist are removed from a plurality of IP addresses to be blocked included in the file to be blocked generated in a preset period of time.
Alternatively, a legal white list (i.e., the preset white list) may be created in advance in the preset database, where the legal white list includes five fields: IP, MASK, FLAG, STORAGE_TIME and creator (CREATMAN), where the creator may include the creator department (part) and the creator contact phone (phonumber).
Illustratively, the legal white list may be a whisteip list, with FLAG=0 indicating that the IP address is in use, and FLAG=1 indicating that the IP address is invalid.
Optionally, if any one of the IP addresses to be blocked corresponds to FLAG=0 in the legal white list, the IP address to be blocked is removed; if any one of the IP addresses to be blocked corresponds to FLAG=1 in the legal white list, the IP address to be blocked is retained.
In one design, as shown in Fig. 6, in the IP processing method provided in the embodiment of the present application, the plurality of to-be-processed IP addresses include at least one IP address to be blocked and at least one IP address to be unblocked, and step S203 specifically includes S501-S505:
S501, for at least one first IP address whose state identifier is the unblocking state or the unknown state among the at least one IP address to be blocked, controlling the firewall to execute the blocking operation on the at least one first IP address.
It can be appreciated that, for at least one first IP address whose state identifier is the unblocking state or the unknown state among the at least one IP address to be blocked, the firewall can be controlled to perform the blocking operation on the at least one first IP address.
Optionally, if the state identifier of any one of the at least one IP address to be blocked is the unblocking state or the unknown state, the firewall is controlled to perform the blocking operation on the IP address.
S502, updating a state identifier corresponding to at least one first IP address in a preset database.
It can be appreciated that the state identifier corresponding to at least one first IP address in the preset database may be updated.
Optionally, after the blocking operation is performed on each first IP address in the at least one first IP address, the state identifier corresponding to each first IP address in the preset database is updated, that is, the unblocking state or the unknown state corresponding to the first IP address is updated to the blocking state.
S503, for at least one second IP address whose state identifier is the blocking state among the at least one IP address to be blocked, the blocking operation does not need to be executed on the at least one second IP address.
It is understood that, for at least one second IP address whose state is identified as a blocking state in the at least one IP address to be blocked, the blocking operation may not need to be performed on the at least one second IP address.
Optionally, if the state of any one of the at least one IP address to be blocked is identified as the blocking state, the blocking operation is not performed on the IP address to be blocked.
S504, for at least one third IP address whose state identifier is the blocking state or the unknown state among the at least one IP address to be unblocked, controlling the firewall to execute the unblocking operation on the at least one third IP address, and updating the state identifier corresponding to the at least one third IP address in the preset database.
It can be understood that, for at least one third IP address whose state identifier is the blocking state or the unknown state among the at least one IP address to be unblocked, the firewall may be controlled to perform the unblocking operation on the at least one third IP address, and the state identifier corresponding to the at least one third IP address in the preset database may be updated.
Optionally, if the state identifier of any one of the at least one IP address to be unblocked is the blocking state or the unknown state, the firewall is controlled to perform the unblocking operation on the IP address. After the unblocking operation is performed on each third IP address in the at least one third IP address, the state identifier corresponding to each third IP address in the preset database is updated, that is, the blocking state or the unknown state corresponding to the third IP address is updated to the unblocking state.
S505, for at least one fourth IP address whose state identifier is the unblocking state among the at least one IP address to be unblocked, the blocking operation does not need to be executed on the at least one fourth IP address.
It is understood that, for at least one fourth IP address whose state identifier is the unblocking state among the at least one IP address to be unblocked, it may not be necessary to perform the blocking operation on the at least one fourth IP address.
Optionally, if the state identifier of any one of the at least one IP address to be unblocked is the unblocking state, the unblocking operation is not performed on the IP address to be unblocked.
In one design, as shown in fig. 7, in an IP processing method provided in the embodiment of the present application, the method in step S501 specifically includes S601-S602:
S601, judging the magnitude relation between a preset threshold and the sum of the number of the at least one first IP address and the number of the to-be-blocked IP addresses included in a first to-be-blocked list.
It can be appreciated that the magnitude relation between the preset threshold and the sum of the number of the at least one first IP address and the number of the to-be-blocked IP addresses included in the first to-be-blocked list may be determined.
Optionally, the number of the at least one first IP address may be added to the number of IP addresses included in the rulename with the largest number on the firewall (i.e. the first to-be-blocked list), and the magnitude relation between this sum and the preset threshold may be automatically determined.
Illustratively, the rulename on the firewall may include huwangngji 1, huwangngji 2, huwangngji 3, huwangngji 4, and huwangngji 5, with the largest rulename numbered on the firewall being huwangngji 5. The preset threshold value can be 2800, 3000, 3200 and other reasonable values.
S602, if the sum of the number of at least one first IP address and the number of the to-be-blocked IP addresses included in the first to-be-blocked list is smaller than or equal to a preset threshold value, adding the at least one first IP address into the first to-be-blocked list, and controlling the firewall to execute blocking operation on the to-be-blocked IP addresses included in the first to-be-blocked list.
Optionally, if the sum of the number of the at least one first IP address and the number of the to-be-blocked IP addresses included in the first to-be-blocked list is less than or equal to a preset threshold, the at least one first IP address may be written in the maximum numbered rulename (i.e. the at least one first IP address is added to the first to-be-blocked list), so as to control the firewall to perform the blocking operation on the to-be-blocked IP addresses included in the first to-be-blocked list.
In one design, as shown in fig. 8, the method for processing IP provided in the embodiment of the present application further includes S701:
S701, if the sum of the number of the at least one first IP address and the number of the to-be-blocked IP addresses included in the first to-be-blocked list is greater than the preset threshold, creating a second to-be-blocked list, adding the at least one first IP address into the second to-be-blocked list, and controlling the firewall to execute the blocking operation on the to-be-blocked IP addresses included in the second to-be-blocked list.
Optionally, if the sum of the number of the at least one first IP address and the number of the IP addresses to be blocked included in the first list to be blocked is greater than a preset threshold, a new rulename may be created on the firewall (i.e. the second list to be blocked is created), and the at least one first IP address is written in the new rulename (i.e. the at least one first IP address is added to the second list to be blocked), so as to control the firewall to perform the blocking operation on the IP addresses to be blocked included in the second list to be blocked.
By way of example, the new rulename created on the firewall may be huwanglongji 6.
In a possible implementation manner, Fig. 9 shows a flow diagram of intelligent IP handling. The security operation center issues an IP disposal work order; the IP addresses to be blocked and to be unblocked are automatically extracted from the IP disposal work order, the corresponding files to be blocked and to be unblocked are generated, and these files are uploaded to the to-be-blocked folder and the to-be-unblocked folder of the application server. The IP processing program then automatically extracts the unexecuted files to be blocked and to be unblocked in batches and carries out the blocking and unblocking operations in batches in the order in which the files were generated. When the unexecuted files are extracted, whether the time since each file was generated exceeds the preset transmission duration is judged automatically, so that a file is not executed while it is still being transmitted.
Further, the blocking operation can be performed on the extracted file to be blocked. Specifically, it is judged whether the file to be blocked contains any IP address to be blocked that is not in the preset white list; if not, the blocking operation is terminated. If so, it is judged, based on the preset database, whether any of the IP addresses to be blocked that are not in the preset white list has not yet been blocked; if not, the blocking operation is terminated. If so, a blocking command executable by the firewall is generated based on the not-yet-blocked IP addresses. It is then judged whether the sum of the number of not-yet-blocked IP addresses and the number of IP addresses contained in the rulename with the largest number on the firewall is greater than the threshold supported by the rulename. If so, a new rulename is created, the blocking command is automatically executed based on the new rulename, and the blocking file name is recorded; if not, the blocking command is automatically executed based on the rulename with the largest number, and the blocking file name is recorded. After the blocking command is executed, the newly blocked IP addresses are written into the preset database, and their FLAG is set to 0.
Likewise, the unblocking operation may be performed on the extracted file to be unblocked. Specifically, it is judged, based on the preset database, whether any of the IP addresses to be unblocked has not yet been unblocked; if not, the unblocking operation is terminated. If so, an unblocking command executable by the firewall is generated based on the not-yet-unblocked IP addresses, the unblocking command is automatically executed, and the unblocking file name is recorded. After the unblocking command is executed, the newly unblocked IP addresses are written into the preset database, and their FLAG is set to 1. After the blocking command and the unblocking command are executed, a log file is generated, the IP disposal work order is automatically replied to based on the log file, the blocking and unblocking results in the log file are displayed on the large screen, and blocking or unblocking failures are notified by short message.
The embodiment of the application provides an IP processing method that can be implemented using technologies such as Python and JAVA. An IP disposal work order issued by the instruction platform is automatically grabbed and formatted by the IP grabbing and formatting module and automatically sent to the IP processing module. The IP processing module automatically judges, in batches, whether each blocking or unblocking operation is legal, automatically processes a plurality of blocking and unblocking files at one time, and automatically performs the blocking and unblocking operations for a plurality of IP addresses. The processing result is replied automatically to close the work order loop, and the flow and result are displayed automatically through large screen monitoring. Through end-to-end automatic processing of the full flow, from work order grabbing through IP processing to the display of flow and result, no manual intervention is needed in the whole process.
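The decision logic of S402, S501-S505 and S601-S701 can be sketched as follows. This is an added example, not code from the application: the table names `ip_state` and `ip_whitelist`, the rule prefix `demo_rule` and all sample addresses are hypothetical, the MASK column is folded into CIDR text in the IP column, and the firewall call is replaced by a returned plan. Matching the white list by network overlap instead of exact text is an assumption added here, so that a segment containing a protected host is also refused.

```python
import ipaddress
import sqlite3

BLOCKED, UNBLOCKED = 0, 1   # FLAG values given on the page
RULE_PREFIX = "demo_rule"   # hypothetical rule-name prefix, not from the page


def open_db():
    """In-memory stand-in for the preset database (table names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ip_state (RULENAME TEXT, IP TEXT PRIMARY KEY,"
               " FLAG INTEGER, STORAGE_TIME INTEGER)")
    db.execute("CREATE TABLE ip_whitelist (IP TEXT PRIMARY KEY, FLAG INTEGER)")
    return db


def state_of(db, cidr):
    """Return (rule, flag); (None, None) means the unknown state."""
    row = db.execute("SELECT RULENAME, FLAG FROM ip_state WHERE IP = ?",
                     (cidr,)).fetchone()
    return row if row else (None, None)


def set_state(db, rule, cidr, flag, now):
    db.execute("INSERT OR REPLACE INTO ip_state VALUES (?, ?, ?, ?)",
               (rule, cidr, flag, now))


def whitelisted(db, cidr):
    """True if cidr overlaps any white-list entry that is in use (FLAG = 0)."""
    net = ipaddress.ip_network(cidr)
    for (entry,) in db.execute("SELECT IP FROM ip_whitelist WHERE FLAG = 0"):
        protected = ipaddress.ip_network(entry)
        if protected.version == net.version and protected.overlaps(net):
            return True
    return False


def pick_rule(db, needed, threshold):
    """S601/S602/S701: reuse the highest-numbered rule unless it would overflow."""
    names = [r[0] for r in db.execute(
        "SELECT DISTINCT RULENAME FROM ip_state WHERE RULENAME IS NOT NULL")]
    last = max((int(n[len(RULE_PREFIX):]) for n in names), default=1)
    used = db.execute(
        "SELECT COUNT(*) FROM ip_state WHERE RULENAME = ? AND FLAG = ?",
        (f"{RULE_PREFIX}{last}", BLOCKED)).fetchone()[0]
    return f"{RULE_PREFIX}{last + 1 if used + needed > threshold else last}"


def dispose(db, to_block, to_unblock, threshold, now):
    """Plan and record one batch; returns what a firewall driver would be sent."""
    report = {"block": [], "unblock": [], "whitelisted": [], "unchanged": []}
    fresh = []
    for cidr in dict.fromkeys(to_block):           # drop in-batch duplicates
        if whitelisted(db, cidr):
            report["whitelisted"].append(cidr)     # S402: never blocked
        elif state_of(db, cidr)[1] == BLOCKED:
            report["unchanged"].append(cidr)       # S503: already blocked
        else:
            fresh.append(cidr)                     # S501: unblocked or unknown
    if fresh:
        rule = pick_rule(db, len(fresh), threshold)
        for cidr in fresh:
            # S502: record the state (a real driver calls the firewall first).
            set_state(db, rule, cidr, BLOCKED, now)
            report["block"].append((rule, cidr))
    for cidr in dict.fromkeys(to_unblock):
        rule, flag = state_of(db, cidr)
        if flag == UNBLOCKED:
            report["unchanged"].append(cidr)       # S505: already unblocked
        else:
            set_state(db, rule, cidr, UNBLOCKED, now)  # S504: blocked or unknown
            report["unblock"].append(cidr)
    return report


def demo():
    """Constructed data: documentation-range addresses and a threshold of 3."""
    db = open_db()
    for ip, flag in [("198.51.100.1/32", BLOCKED), ("198.51.100.2/32", BLOCKED),
                     ("198.51.100.3/32", UNBLOCKED), ("198.51.100.4/32", UNBLOCKED)]:
        set_state(db, "demo_rule1", ip, flag, 1700000000)
    db.executemany("INSERT INTO ip_whitelist VALUES (?, ?)",
                   [("203.0.113.10/32", 0), ("203.0.113.20/32", 1)])
    to_block = ["198.51.100.1/32", "198.51.100.3/32", "192.0.2.0/24",
                "203.0.113.0/28", "203.0.113.20/32"]
    to_unblock = ["198.51.100.2/32", "198.51.100.9/32", "198.51.100.4/32"]
    first = dispose(db, to_block, to_unblock, threshold=3, now=1700000100)
    second = dispose(db, to_block, to_unblock, threshold=3, now=1700000200)
    return db, first, second


if __name__ == "__main__":
    _, first, second = demo()
    print(first)
    print(second)
```

Replaying the same batch produces no block or unblock entries, which is the de-duplication effect the method relies on to keep repeated data off the firewall.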
The foregoing description of the solution provided in the embodiments of the present application has been mainly presented in terms of a method. To achieve the above functions, it includes corresponding hardware structures and/or software modules that perform the respective functions. Those of skill in the art will readily appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The embodiment of the application may divide functional modules according to the above method example for an IP processing method, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated modules may be implemented in hardware or in software functional modules. Optionally, the division of the modules in the embodiments of the present application is schematic, which is merely a logic function division, and other division manners may be actually implemented.
Fig. 10 is a schematic structural diagram of an IP processing apparatus according to an embodiment of the present application. As shown in fig. 10, an IP processing apparatus 40 is used to improve the efficiency and accuracy of processing IP, for example, to perform an IP processing method shown in fig. 2. The IP processing apparatus 40 includes: an acquisition unit 401 and a processing unit 402;
an acquiring unit 401, configured to acquire, in real time, an IP disposal worksheet including a plurality of IP addresses from a secure operation center SOC platform;
the processing unit 402 is configured to perform formatting processing on the plurality of IP addresses to obtain a plurality of to-be-processed IP addresses, where the formatting processing is configured to convert IP addresses with different formats into IP addresses with the same format, and the type of the to-be-processed IP address includes at least one of the following: an IP address to be blocked and an IP address to be unblocked;
The obtaining unit 401 is further configured to obtain, from a preset database, a status identifier corresponding to each of the plurality of to-be-processed IP addresses, where the status identifier is any one of the following: the method comprises the following steps of blocking state, deblocking state and unknown state, wherein a preset database comprises: a history blocking IP address list and a history deblocking IP address list;
the processing unit 402 is further configured to control, based on the status identifier corresponding to each of the plurality of pending IP addresses, the firewall to perform a target operation on each of the plurality of pending IP addresses, where the target operation is any one of: plugging operation, deblocking operation and maintaining the current state.
In a possible implementation, the IP processing apparatus 40 further includes a determining unit 403. The determining unit 403 is configured to determine at least one IP address to be blocked and at least one IP address to be unblocked from the plurality of to-be-processed IP addresses, based on the instruction information that the IP disposal work order indicates for each of the plurality of to-be-processed IP addresses; the processing unit 402 is further configured to generate a file to be blocked based on the at least one IP address to be blocked; the determining unit 403 is further configured to determine a timestamp signature corresponding to the file to be blocked based on the generation time point of the file to be blocked; the processing unit 402 is further configured to generate a file to be unblocked based on the at least one IP address to be unblocked; the determining unit 403 is further configured to determine a timestamp signature corresponding to the file to be unblocked based on the generation time point of the file to be unblocked.
In a possible implementation, the acquisition unit 401 is further configured to obtain the file to be blocked and the file to be unblocked that were generated in a preset time period, based on the timestamp signature corresponding to the file to be blocked and the timestamp signature corresponding to the file to be unblocked; the acquisition unit 401 is further configured to obtain a preset whitelist from the preset database; the processing unit 402 is further configured to remove, based on the preset whitelist, the IP addresses included in the preset whitelist from the plurality of IP addresses to be blocked contained in the file to be blocked generated in the preset time period, where the preset whitelist includes at least one IP address on which a blocking operation is not allowed.
In one possible implementation, the plurality of to-be-processed IP addresses includes: at least one IP address to be blocked and at least one IP address to be unblocked; the processing unit 402 is further configured to, for at least one first IP address among the at least one IP address to be blocked whose state identifier is the unblocked state or the unknown state, control the firewall to perform a blocking operation on the at least one first IP address and update the state identifier corresponding to the at least one first IP address in the preset database; the processing unit 402 is further configured to, for at least one second IP address among the at least one IP address to be blocked whose state identifier is the blocked state, perform no blocking operation on the at least one second IP address; the processing unit 402 is further configured to, for at least one third IP address among the at least one IP address to be unblocked whose state identifier is the blocked state or the unknown state, control the firewall to perform an unblocking operation on the at least one third IP address and update the state identifier corresponding to the at least one third IP address in the preset database; the processing unit 402 is further configured to, for at least one fourth IP address among the at least one IP address to be unblocked whose state identifier is the unblocked state, perform no blocking operation on the at least one fourth IP address.
In a possible implementation, the processing unit 402 is further configured to compare the sum of the number of the at least one first IP address and the number of IP addresses to be blocked contained in a first to-be-blocked list with a preset threshold; the processing unit 402 is further configured to, if that sum is less than or equal to the preset threshold, add the at least one first IP address to the first to-be-blocked list and control the firewall to perform the blocking operation on the IP addresses to be blocked contained in the first to-be-blocked list.
In a possible implementation, the processing unit 402 is further configured to, if the sum of the number of the at least one first IP address and the number of IP addresses to be blocked contained in the first to-be-blocked list is greater than the preset threshold, create a second to-be-blocked list, add the at least one first IP address to the second to-be-blocked list, and control the firewall to perform the blocking operation on the IP addresses to be blocked contained in the second to-be-blocked list.
In the case of implementing the functions of the integrated modules in the form of hardware, the embodiments of the present application provide a possible structural schematic diagram of the electronic device involved in the above embodiments. As shown in fig. 11, an electronic device 60 is provided for improving the efficiency and accuracy of processing IP, for example, for performing an IP processing method as shown in fig. 2. The electronic device 60 comprises a processor 601, a memory 602 and a bus 603. The processor 601 and the memory 602 may be connected by a bus 603.
The processor 601 is a control center of the communication device, and may be one processor or a collective term of a plurality of processing elements. For example, the processor 601 may be a general-purpose central processing unit (central processing unit, CPU), or may be another general-purpose processor. Wherein the general purpose processor may be a microprocessor or any conventional processor or the like.
As one example, processor 601 may include one or more CPUs, such as CPU 0 and CPU 1 shown in fig. 11.
The memory 602 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (random access memory, RAM) or other type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), magnetic disk storage or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
As a possible implementation, the memory 602 may exist separately from the processor 601, and the memory 602 may be connected to the processor 601 through the bus 603 for storing instructions or program codes. The processor 601, when calling and executing instructions or program codes stored in the memory 602, can implement an IP processing method provided in the embodiments of the present application.
In another possible implementation, the memory 602 may also be integrated with the processor 601.
The bus 603 may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, or an extended industry standard architecture (EISA) bus, among others. The bus may be classified as an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 11, but this does not mean that there is only one bus or one type of bus.
It should be noted that the structure shown in fig. 11 does not constitute a limitation of the electronic device 60. The electronic device 60 may include more or fewer components than shown in fig. 11, or may combine certain components or a different arrangement of components.
As an example, in connection with fig. 10, the functions of the acquisition unit 401, the processing unit 402, and the determining unit 403 in the IP processing apparatus 40 are the same as those of the processor 601 in fig. 11.
Optionally, as shown in fig. 11, the electronic device 60 provided in the embodiment of the present application may further include a communication interface 604.
The communication interface 604 is used to connect with other devices via a communication network. The communication network may be an Ethernet, a radio access network, a wireless local area network (WLAN), etc. The communication interface 604 may include a receiving unit for receiving data and a transmitting unit for transmitting data.
In one design, the electronic device provided in the embodiments of the present application may further include a communication interface integrated into the processor.
From the above description of embodiments, it will be apparent to those skilled in the art that the foregoing functional unit divisions are merely illustrative for convenience and brevity of description. In practical applications, the above-mentioned function allocation may be performed by different functional units, i.e. the internal structure of the device is divided into different functional units, as needed, to perform all or part of the functions described above. The specific working processes of the above-described systems, devices and units may refer to the corresponding processes in the foregoing method embodiments, which are not described herein.
The embodiment of the application further provides a computer readable storage medium, in which instructions are stored, and when the computer executes the instructions, the computer executes each step in the method flow shown in the method embodiment.
Embodiments of the present application provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform an IP processing method as in the method embodiments described above.
The computer-readable storage medium may be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), registers, a hard disk, an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing, or any other form of computer-readable storage medium known in the art.
An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an application specific integrated circuit (ASIC).
In the context of the present application, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Since the electronic device, the computer readable storage medium, and the computer program product in the embodiments of the present application may be applied to the above-mentioned method, the technical effects that can be obtained by the electronic device, the computer readable storage medium, and the computer program product may also refer to the above-mentioned method embodiments, and the embodiments of the present application are not repeated herein.
The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered in the protection scope of the present application.

Claims (14)

1. An Internet Protocol (IP) processing method, the method comprising:
acquiring, in real time, an IP disposal work order comprising a plurality of IP addresses from a security operations center (SOC) platform, and formatting the plurality of IP addresses to obtain a plurality of to-be-processed IP addresses, wherein the formatting converts IP addresses in different formats into IP addresses in the same format, and the type of a to-be-processed IP address comprises at least one of the following: an IP address to be blocked and an IP address to be unblocked;
acquiring, from a preset database, a state identifier corresponding to each of the plurality of to-be-processed IP addresses, wherein the state identifier is any one of the following: a blocked state, an unblocked state and an unknown state, and the preset database comprises: a historical blocked IP address list and a historical unblocked IP address list;
controlling, based on the state identifier corresponding to each of the plurality of to-be-processed IP addresses, a firewall to execute a target operation on each of the plurality of to-be-processed IP addresses, wherein the target operation is any one of the following: a blocking operation, an unblocking operation and maintaining the current state.
2. The method according to claim 1, wherein the method further comprises:
determining at least one IP address to be blocked and at least one IP address to be unblocked from the plurality of to-be-processed IP addresses, based on the instruction information that the IP disposal work order indicates for each of the plurality of to-be-processed IP addresses;
generating a file to be blocked based on the at least one IP address to be blocked, and determining a timestamp signature corresponding to the file to be blocked based on a generation time point of the file to be blocked;
generating a file to be unblocked based on the at least one IP address to be unblocked, and determining a timestamp signature corresponding to the file to be unblocked based on a generation time point of the file to be unblocked.
3. The method according to claim 2, wherein the method further comprises:
acquiring a file to be blocked and a file to be unblocked, which are generated in a preset time period, based on the timestamp signature corresponding to the file to be blocked and the timestamp signature corresponding to the file to be unblocked;
acquiring a preset white list from the preset database, and removing IP addresses included in the preset white list from a plurality of IP addresses to be blocked included in a file to be blocked generated in the preset time period based on the preset white list, wherein the preset white list comprises at least one IP address which is not allowed to execute blocking operation.
4. A method according to any one of claims 1 to 3, wherein the plurality of pending IP addresses comprises: at least one IP address to be blocked and at least one IP address to be unblocked;
the controlling the firewall to execute the target operation on each of the plurality of IP addresses based on the state identifier corresponding to each of the plurality of IP addresses includes:
for at least one first IP address among the at least one IP address to be blocked whose state identifier is the unblocked state or the unknown state, controlling the firewall to execute a blocking operation on the at least one first IP address, and updating the state identifier corresponding to the at least one first IP address in the preset database;
for at least one second IP address among the at least one IP address to be blocked whose state identifier is the blocked state, no blocking operation needs to be executed on the at least one second IP address;
for at least one third IP address among the at least one IP address to be unblocked whose state identifier is the blocked state or the unknown state, controlling the firewall to execute an unblocking operation on the at least one third IP address, and updating the state identifier corresponding to the at least one third IP address in the preset database;
for at least one fourth IP address among the at least one IP address to be unblocked whose state identifier is the unblocked state, no blocking operation needs to be executed on the at least one fourth IP address.
5. The method of claim 4, wherein the controlling, for at least one first IP address among the at least one IP address to be blocked whose state identifier is the unblocked state or the unknown state, the firewall to execute a blocking operation on the at least one first IP address comprises:
comparing the sum of the number of the at least one first IP address and the number of IP addresses to be blocked contained in a first to-be-blocked list with a preset threshold;
and if the sum of the number of the at least one first IP address and the number of the to-be-blocked IP addresses included in the first to-be-blocked list is smaller than or equal to the preset threshold value, adding the at least one first IP address into the first to-be-blocked list, and controlling the firewall to execute blocking operation on the to-be-blocked IP addresses included in the first to-be-blocked list.
6. The method of claim 5, wherein the method further comprises:
if the sum of the number of the at least one first IP address and the number of the to-be-blocked IP addresses included in the first to-be-blocked list is larger than the preset threshold value, a second to-be-blocked list is created, the at least one first IP address is added into the second to-be-blocked list, and the firewall is controlled to execute blocking operation on the to-be-blocked IP addresses included in the second to-be-blocked list.
7. An IP processing apparatus, comprising: an acquisition unit and a processing unit;
the acquisition unit is configured to acquire, in real time, an IP disposal work order comprising a plurality of IP addresses from a security operations center (SOC) platform;
the processing unit is configured to perform formatting processing on the plurality of IP addresses to obtain a plurality of IP addresses to be processed, where the formatting processing converts IP addresses in different formats into IP addresses in the same format, and the type of an IP address to be processed includes at least one of the following: an IP address to be blocked and an IP address to be unblocked;
the acquisition unit is further configured to obtain, from a preset database, a state identifier corresponding to each of the plurality of IP addresses to be processed, where the state identifier is any one of the following: a blocked state, an unblocked state and an unknown state, and the preset database includes: a historical blocked IP address list and a historical unblocked IP address list;
the processing unit is further configured to control, based on the state identifier corresponding to each of the plurality of IP addresses to be processed, a firewall to perform a target operation on each of the plurality of IP addresses to be processed, where the target operation is any one of: a blocking operation, an unblocking operation and maintaining the current state.
8. The IP processing apparatus according to claim 7, wherein the IP processing apparatus further comprises a determination unit;
The determining unit is configured to determine at least one IP address to be blocked and at least one IP address to be unblocked from the plurality of IP addresses to be processed based on instruction information corresponding to each of the plurality of IP addresses to be processed indicated in the IP handling worksheet;
the processing unit is further used for generating a file to be blocked based on the at least one IP address to be blocked;
the determining unit is further configured to determine a timestamp signature corresponding to the file to be blocked based on a generation time point of the file to be blocked;
the processing unit is further configured to generate a file to be unsealed based on the at least one IP address to be unsealed;
the determining unit is further configured to determine a timestamp signature corresponding to the file to be unsealed based on a generation time point of the file to be unsealed.
9. The IP processing apparatus of claim 8, wherein the obtaining unit is further configured to obtain the file to be blocked and the file to be unsealed generated in a preset period of time based on the timestamp signature corresponding to the file to be blocked and the timestamp signature corresponding to the file to be unsealed;
the acquisition unit is further used for acquiring a preset white list from the preset database;
The processing unit is further configured to reject, based on the preset whitelist, an IP address included in the preset whitelist from a plurality of IP addresses to be blocked included in the file to be blocked generated in the preset time period, where the preset whitelist includes at least one IP address that is not allowed to perform a blocking operation.
10. The IP processing apparatus according to any one of claims 7 to 9, wherein the plurality of IP addresses to be processed include: at least one IP address to be blocked and at least one IP address to be unblocked;
the processing unit is further configured to, for at least one first IP address among the at least one IP address to be blocked whose state identifier is the unblocked state or the unknown state, control the firewall to perform a blocking operation on the at least one first IP address, and update the state identifier corresponding to the at least one first IP address in the preset database;
the processing unit is further configured to, for at least one second IP address among the at least one IP address to be blocked whose state identifier is the blocked state, perform no blocking operation on the at least one second IP address;
the processing unit is further configured to, for at least one third IP address among the at least one IP address to be unblocked whose state identifier is the blocked state or the unknown state, control the firewall to perform an unblocking operation on the at least one third IP address, and update the state identifier corresponding to the at least one third IP address in the preset database;
the processing unit is further configured to, for at least one fourth IP address among the at least one IP address to be unblocked whose state identifier is the unblocked state, perform no blocking operation on the at least one fourth IP address.
11. The IP processing apparatus of claim 10, wherein the processing unit is further configured to compare the sum of the number of the at least one first IP address and the number of IP addresses to be blocked contained in a first to-be-blocked list with a preset threshold;
the processing unit is further configured to, if the sum of the number of the at least one first IP address and the number of IP addresses to be blocked contained in the first to-be-blocked list is less than or equal to the preset threshold, add the at least one first IP address to the first to-be-blocked list, and control the firewall to perform a blocking operation on the IP addresses to be blocked contained in the first to-be-blocked list.
12. The IP processing apparatus of claim 11, wherein the processing unit is further configured to, if a sum of the number of the at least one first IP address and the number of the IP addresses to be blocked included in the first list to be blocked is greater than the preset threshold, create a second list to be blocked, add the at least one first IP address to the second list to be blocked, and control the firewall to perform a blocking operation on the IP addresses to be blocked included in the second list to be blocked.
13. An electronic device, comprising: a processor and a memory; wherein the memory is configured to store one or more programs, the one or more programs comprising computer-executable instructions that, when executed by the electronic device, cause the electronic device to perform an IP processing method as claimed in any one of claims 1-6.
14. A computer readable storage medium storing one or more programs, wherein the one or more programs comprise instructions, which when executed by a computer, cause the computer to perform an IP processing method as claimed in any of claims 1-6.
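The decision logic set out for the processing unit in the apparatus description and in claims 1 and 3 to 6 (normalize, look up state, drop whitelisted entries, decide per address, then fill a to-be-blocked list up to a threshold) can be followed in the Python example below, which is added here and is not code from the patent. The normalization rules, the `BlockStore` class standing in for the preset database, the `firewall` callable and all other names are assumptions made for illustration.

```python
import ipaddress
from enum import Enum

class State(Enum):
    BLOCKED = "blocked"
    UNBLOCKED = "unblocked"
    UNKNOWN = "unknown"

def normalize(raw):
    """Formatting step: one canonical string per address (assumed rules)."""
    addr = ipaddress.ip_address(raw.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:a.b.c.d -> a.b.c.d
    return str(addr)                     # lower-case, compressed IPv6

class BlockStore:
    """Hypothetical stand-in for the preset database: history lists, whitelist."""
    def __init__(self, blocked=(), unblocked=(), whitelist=()):
        self.blocked = {normalize(a) for a in blocked}
        self.unblocked = {normalize(a) for a in unblocked}
        self.whitelist = {normalize(a) for a in whitelist}

    def state(self, ip):
        if ip in self.blocked:
            return State.BLOCKED
        if ip in self.unblocked:
            return State.UNBLOCKED
        return State.UNKNOWN

    def mark(self, ip, state):
        self.blocked.discard(ip)
        self.unblocked.discard(ip)
        (self.blocked if state is State.BLOCKED else self.unblocked).add(ip)

def _clean(raw_ips, skipped):
    """Normalize and de-duplicate in order, recording unparsable entries."""
    seen = {}
    for raw in raw_ips:
        try:
            seen.setdefault(normalize(raw), None)
        except ValueError:
            skipped[raw] = "invalid"
    return list(seen)

def plan(store, to_block, to_unblock):
    """Return (block, unblock, skipped) following claims 3 and 4."""
    block, unblock, skipped = [], [], {}
    for ip in _clean(to_block, skipped):
        if ip in store.whitelist:
            skipped[ip] = "whitelisted"
        elif store.state(ip) is State.BLOCKED:
            skipped[ip] = "already blocked"
        else:                            # unblocked or unknown -> block
            block.append(ip)
    for ip in _clean(to_unblock, skipped):
        if store.state(ip) is State.UNBLOCKED:
            skipped[ip] = "already unblocked"
        else:                            # blocked or unknown -> unblock
            unblock.append(ip)
    return block, unblock, skipped

def assign_to_lists(lists, new_ips, threshold):
    """Claims 5 and 6: extend the current list, or open a new one."""
    if not new_ips:
        return lists
    if not lists or len(lists[-1]) + len(new_ips) > threshold:
        lists.append([])                 # the whole batch goes to the new list
    lists[-1].extend(new_ips)
    return lists

def apply(store, block, unblock, lists, threshold, firewall):
    """Push the plan to the firewall callable, then update stored state."""
    if block:
        assign_to_lists(lists, block, threshold)
        firewall("block", list(lists[-1]))
    if unblock:
        firewall("unblock", list(unblock))
    for ip in block:
        store.mark(ip, State.BLOCKED)
    for ip in unblock:
        store.mark(ip, State.UNBLOCKED)

if __name__ == "__main__":
    # Constructed work order using documentation address ranges.
    store = BlockStore(blocked=["192.0.2.10"], whitelist=["203.0.113.1"])
    blk, unb, skip = plan(store, ["::ffff:198.51.100.7", "203.0.113.1"], ["192.0.2.10"])
    apply(store, blk, unb, [[]], 2, lambda action, ips: print(action, ips))
    print(skip, store.state("198.51.100.7"))
```

The claims do not say what happens when a single batch is itself larger than the threshold; this example places the whole batch in the new list, as claim 6 is worded.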
CN202310687245.5A 2023-06-09 2023-06-09 Internet Protocol (IP) processing method, device, equipment and storage medium Pending CN116566726A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310687245.5A CN116566726A (en) 2023-06-09 2023-06-09 Internet Protocol (IP) processing method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116566726A true CN116566726A (en) 2023-08-08

Family

ID=87501938

Country Status (1)

Country Link
CN (1) CN116566726A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination