CN1509003A - Method for monitoring unauthorized dial accessing in local area network - Google Patents
Abstract
A method for monitoring unauthorized dial-up access in a local area network (LAN). The method comprises a step of bypass monitoring of the communication between the LAN and the Internet, a step of querying the MAC addresses of all IP addresses in the intranet from the Sensor/Monitor to obtain an IP-MAC list, and a step of active probing carried out at the access gateway between the LAN and the Internet. Because the invention uses an active probing mode, it can promptly find computers that have connected to the Internet by dial-up. Comprehensive analysis and judgement over several different kinds of probe packets ensures the accuracy of detection. The method can be developed as a stand-alone security product, or integrated as a module into a network intrusion detection system or a security assessment system.
Description
Technical field
The present invention relates to a computer network security monitoring method in the field of IPC classes G06F13/00 and H04L9/00, and in particular to a method for monitoring unauthorized dial-up access in a LAN.
Background technology
With the rapid development of computer technology and its applications, computer networks have reached every corner of society. Almost every modern company has set up its own LAN to run application systems such as office automation, and connects that LAN to the Internet in order to publish, obtain, share and exchange information; this has become more and more common as network access technology develops at a rapid pace. But along with the convenience and efficiency of such network access come security problems.
Among Internet access technologies, dial-up networking was the most common early method. A user needs only a computer fitted with a modem, a telephone line and an account/password provided by an ISP to connect to the Internet. Although dial-up access is simple and flexible, it carries a hidden safety hazard and easily causes security problems. The overwhelming majority of LANs connected to the Internet deploy security products such as anti-virus, firewalls, intrusion detection and application proxies to protect the LAN from malicious attacks from the Internet. But when a computer user in an office or on the network dials into the Internet without authorization, the protection of the enterprise firewall and other security products is bypassed, and that computer becomes the preferred target for a malicious attacker to enter the intranet. Once it is infected by a computer virus, has a Trojan program installed or is directly controlled by an attacker, the whole LAN is fully exposed and faces a grave security threat whose potential losses are hard to estimate.
It is therefore very necessary to find a technical method that can monitor in real time the computers in a LAN that dial into the Internet, and raise a timely and effective alarm.
Summary of the invention
The problem to be solved by this invention is to provide a method for monitoring unauthorized dial-up access in a LAN. With the implementation steps of this method, a LAN can be protected from malicious attacks from the Internet, and a malicious attacker can be prevented from damaging the LAN by a detour route. To this end, the technical solution adopted by the present invention is: a method for monitoring unauthorized dial-up access in a LAN, comprising a step of bypass monitoring of the communication between the LAN and the Internet, a step of querying the MAC addresses of all IP addresses in the intranet from the Sensor/Monitor to obtain an IP-MAC list, and a step of active probing at the position of the access gateway between said LAN and said Internet, in which:
a dialing detector that can send dial-up probe packets to all computers in the LAN is installed on said LAN;
a dial monitor is installed on said Internet side, which receives the response packets that the probed computers send in reply to the probe packets, performs technical analysis on them and then judges whether unauthorized dial-up access exists;
said dialing detector sends different types of probe packets at timed intervals, timers are set on said dial monitor, and during the timer period the existence of dial-up access is analysed and judged according to whether, and which, response packets are received.
The present invention uses an active probing mode and can promptly find computers in the LAN that are connected by dial-up. By comprehensively analysing and judging several different probe packets, the accuracy of detection is ensured. The present invention can be developed separately into an independent security product, or integrated with a network intrusion monitoring system or a security assessment system as one of its functional modules.
Description of drawings
Fig. 1 is an example network topology of a system implementing the present invention in a typical intranet;
Fig. 2 is an example network topology in which an unauthorized dial-up computer exists in an intranet that uses a system implementing the present invention;
Fig. 3 is a workflow diagram of the present invention.
Specific embodiments
As shown in Figs. 1 and 2, for convenience of describing the specific embodiments, each device and computer is "assumed" to have been allocated the IP address shown in the figures. In use, the detector/monitor is connected to the network through a HUB/Switch; care must be taken that it can monitor, in bypass mode, all of the network communication that flows through the Internet access router (a shared HUB, or a switch that supports network monitoring, satisfies this requirement).
Monitoring of dial-up computers by the present invention can be based on the following technical facts:
1. Under normal conditions, all servers (SVR1...SVRn) and client computers (PC1...PCn) "must" pass through the Internet router (Router) (or firewall) to access the Internet (or to be accessed from the Internet), that is, through the commonly called default route: Default gateway: 192.168.0.1. The network topology is shown in Fig. 1.
2. If some host (server or client) is connected by dial-up, its default route must have changed: Default gateway: 61.169.169.254. The network topology is shown in Fig. 2.
By sending several different types of probe packets from the detector, when it is detected that the default route of PC3 is no longer the legal 192.168.0.1, it can be judged that PC3 is using some other IP address as its route to the Internet, that is, unauthorized dial-up behaviour exists. The specific steps for realizing active monitoring are:
(1) Install the dialing detector on the LAN. The role of this detector is to send dial-up probe packets to all computers in the LAN. Usually the dialing detector and the monitor (see below) are installed on the same bypass device (or computer) at the Internet access gateway, to simplify the technical implementation in application development.
(2) Install the dial monitor on the bypass device (or computer) at the Internet access gateway. The role of this monitor is to receive the response packets that the probed computers send in reply to the probe packets, perform technical analysis and then judge whether unauthorized dial-up access exists.
(3) The dialing detector sends different types of probe packets at timed intervals; timers are set on the dial monitor, and during the timer period the existence of dial-up access is analysed and judged according to whether, and which, response packets are received.
The detection steps are then:
(4) Query the MAC addresses of all IP addresses in the intranet from the Sensor/Monitor and obtain the IP-MAC list.
(5) Compare the list with the IP address allocation and usage inventory set by the administrator (if there is no such inventory, treat all IP addresses as in scope). An IP address that appears in the IP-MAC list cannot be in either of the following situations:
A. the IP address has not been allocated for use;
B. the host with this IP address is not connected to the intranet (shut down, or network cable disconnected).
(6) Send packets to each IP address in the IP-MAC list.
(7) Set a response timer for each packet sent.
3. Furthermore, sending packets to each IP address in said IP-MAC list comprises the following steps:
3.1 Send 1~n TCP packets:
Source address: any different Internet address (such as the external interface IP address of the Router)
Destination address: IP address of the probed host
ISN: any or particular value (ISNcookie)
Source port: any
Destination port: any unused port (0, 1, 65535, etc.)
TCP flags: SYN bit cleared (ACK, FIN or RST bit set)
SYN: any or particular value (SYNcookie)
ACK: any or particular value (ACKcookie)
3.2 Send 1~n TCP packets:
Source address: any different Internet address (such as the external interface IP address of the Router)
Destination address: IP address of the probed host
ISN: any or particular value (ISNcookie)
Source port: any
Destination port: any unused port (0, 1, 65535, etc.)
TCP flags: SYN bit set (all others cleared)
SYN: any or particular value (SYNcookie)
ACK: any or particular value (ACKcookie)
3.3 Send 1~n TCP packets:
Source address: any different Internet address (such as the external interface IP address of the Router)
Destination address: IP address of the probed host
ISN: any or particular value (ISNcookie)
Source port: any
Destination port: any well-known port (such as 21/23/25/53/80/110/135, etc.)
TCP flags: SYN bit cleared (ACK, FIN or RST bit set)
SYN: any or particular value (SYNcookie)
ACK: any or particular value (ACKcookie)
3.4 Send 1~n TCP packets:
Source address: any different Internet address (such as the external interface IP address of the Router)
Destination address: IP address of the probed host
ISN: any or particular value (ISNcookie)
Source port: any
Destination port: any well-known port (such as 21/23/25/53/80/110/135, etc.)
TCP flags: SYN bit set (all others cleared)
SYN: any or particular value (SYNcookie)
ACK: any or particular value (ACKcookie)
3.5 Send 1~n UDP packets:
Source address: any different Internet address (such as the external interface IP address of the Router)
Destination address: IP address of the probed host
ISN: any or particular value (ISNcookie)
Source port: any
Destination port: any unused port (0, 1, 65535, etc.)
3.6 Send 1~n ICMP packets:
Source address: any different Internet address (such as the external interface IP address of the Router)
Destination address: IP address of the probed host
ISN: any or particular value (ISNcookie)
ICMP type: echo request
3.7 Send 1~n ICMP packets:
Source address: any different Internet address (such as the external interface IP address of the Router)
Destination address: IP address of the probed host
ISN: any or particular value (ISNcookie)
ICMP type: any message type (such as timestamp/maskreq, etc.)
3.8 Other packets (XXX: source routing, etc.).
4. Furthermore, the step of setting a response timer when sending each packet comprises the following steps:
4.1 As long as the Sensor/Monitor observes the corresponding response packet before a given response timer expires
(definition: "corresponding" means that both of the following are satisfied:
A. the ISN/SYN/ACK value satisfies the cookie algorithm;
B. the source IP address is the probed host),
namely:
1) for 3.1, an RST packet;
2) for 3.2, an RST packet (XXX: or an ACK packet, because the destination port may be in use);
3) for 3.3, an RST packet;
4) for 3.4, an ACK packet (XXX: or an RST packet, because the destination port may not be in use);
5) for 3.5, an ICMP error message (port unreachable);
6) for 3.6, an ICMP response message (echo reply);
7) for 3.7, an ICMP response message;
(note: if the probed TCP/UDP port is listening it may respond, and the Sensor/Monitor must not reply with an ICMP error message or an RST packet in that case; in short, no reply is ever sent to any response from the probed machine)
then it can be judged that the default route of the host with this IP address is the legal value: 192.168.0.1.
4.2 If the Sensor/Monitor has not observed the corresponding response packet when all response timers have expired, the host with this IP address is using an illegal default route (dial-up access).
4.3 If the Sensor/Monitor observes only part of the response packets, then either:
A. the host with this IP address has a firewall installed with certain filtering rules set, or
B. the internal network has a problem (heavy traffic, an abnormal circuit, or similar causes of packet loss).
Finally, based on the above results, issue a prompt (for 4.3) or an alarm (for 4.2).
Fig. 3 is the workflow diagram of the present invention; its main working steps have all been described in detail in the above example.
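The judgement of steps 3 and 4 above, written out as an added Python example that is not part of the patent: it builds one probe record per packet type with an HMAC-based cookie as the ISN/SYN/ACK value, checks each observed reply against the step 4.1 definition of "corresponding", and applies the 4.1/4.2/4.3 rules. The monitor secret, the probed-host and Router addresses, the reply records and the HMAC construction itself are assumptions, since the patent does not specify its cookie algorithm.

```python
import hashlib
import hmac

# Assumptions (example code, not the patent's implementation): a per-run
# monitor secret for the cookie algorithm; the legal gateway is from Fig. 1.
MONITOR_SECRET = b"constructed-demo-secret"
LEGAL_GATEWAY = "192.168.0.1"

# "Corresponding" reply for each probe type of step 3.x, per step 4.1; the
# XXX notes allow ACK for 3.2 and RST for 3.4 (port may or may not listen).
EXPECTED_REPLY = {
    "3.1": {"RST"},                # TCP, SYN cleared, unused port
    "3.2": {"RST", "ACK"},         # TCP SYN, unused port
    "3.3": {"RST"},                # TCP, SYN cleared, well-known port
    "3.4": {"ACK", "RST"},         # TCP SYN, well-known port
    "3.5": {"ICMP_PORT_UNREACH"},  # UDP to unused port
    "3.6": {"ICMP_ECHO_REPLY"},    # ICMP echo request
    "3.7": {"ICMP_REPLY"},         # ICMP timestamp / mask request
}
SYN_PROBES = {"3.2", "3.4"}

def make_cookie(target_ip, probe_id, nonce):
    """32-bit ISN/SYN/ACK cookie: HMAC over (target, probe type, nonce), so
    only a reply that really echoes our probe can carry a matching value."""
    msg = f"{target_ip}|{probe_id}|{nonce}".encode()
    digest = hmac.new(MONITOR_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")

def build_probes(target_ip, router_ext_ip, nonce):
    """One probe record per step-3 type, sourced from an Internet address (the
    Router's external interface) so the reply must leave via the default
    gateway, where the bypass monitor listens."""
    return [{"id": pid, "src": router_ext_ip, "dst": target_ip,
             "cookie": make_cookie(target_ip, pid, nonce)}
            for pid in EXPECTED_REPLY]

def expected_echo(probe):
    """Value the host must echo: a SYN is acknowledged with ISN+1 (assumed
    TCP semantics); every other probe returns the cookie unchanged."""
    if probe["id"] in SYN_PROBES:
        return (probe["cookie"] + 1) & 0xFFFFFFFF
    return probe["cookie"]

def corresponds(probe, reply):
    """Step 4.1 definition: source is the probed host, the reply type is the
    one expected for this probe, and the echoed value satisfies the cookie."""
    return (reply["src"] == probe["dst"]
            and reply["type"] in EXPECTED_REPLY[probe["id"]]
            and reply["echo"] == expected_echo(probe))

def judge(probes, replies_before_timeout):
    """Steps 4.1 to 4.3: classify one host from the replies the monitor saw
    before its response timers expired."""
    matched = {p["id"] for p in probes
               if any(corresponds(p, r) for r in replies_before_timeout)}
    if len(matched) == len(probes):
        return "LEGAL", LEGAL_GATEWAY          # 4.1: default route is legal
    if not matched:
        return "ALARM_DIALUP", None            # 4.2: illegal default route
    return "WARN_PARTIAL", sorted(set(EXPECTED_REPLY) - matched)  # 4.3

def simulate_replies(probes, answered_ids, src=None):
    """Constructed replies from a host that answers the given probe types;
    src overrides the source to model a reply from the wrong host."""
    return [{"src": src or p["dst"],
             "type": sorted(EXPECTED_REPLY[p["id"]])[0],
             "echo": expected_echo(p)}
            for p in probes if p["id"] in answered_ids]

if __name__ == "__main__":
    # Constructed addresses: probed host PC3 and the Router's external IP.
    probes = build_probes("192.168.0.13", "198.51.100.1", nonce=1)
    print(judge(probes, []))                                    # dial-up host
    print(judge(probes, simulate_replies(probes, {"3.6", "3.7"})))  # firewalled
```

A real deployment sends the probes with a raw-socket library and feeds the monitor's captured replies into `judge`; the cookie check is what stops unrelated or forged traffic from counting as a response.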
Claims (4)
1. A method for monitoring unauthorized dial-up access in a LAN, comprising a step in which the administrator sets the IP addresses, characterized in that said method comprises a step of bypass monitoring of the communication between the LAN and the Internet, a step of querying the MAC addresses of all IP addresses in the intranet from the Sensor/Monitor to obtain an IP-MAC list, and a step of active probing at the position of the access gateway between said LAN and said Internet:
(1) a dialing detector that can send dial-up probe packets to all computers in the LAN is installed on said LAN;
(2) a dial monitor is installed on said Internet side, which receives the response packets that the probed computers send in reply to the probe packets, performs technical analysis on them and then judges whether unauthorized dial-up access exists;
(3) said dialing detector sends different types of probe packets at timed intervals, timers are set on said dial monitor, and during the timer period the existence of dial-up access is analysed and judged according to whether, and which, response packets are received.
2. The method according to claim 1, characterized in that the technical analysis of said transmitted probe packets and response packets further comprises the following steps:
(4) querying the MAC addresses of all IP addresses in the intranet from said Sensor/Monitor to obtain the IP-MAC list,
(5) a step of comparing with the IP address allocation and usage inventory set by said administrator,
(6) sending packets to each IP address in said IP-MAC list,
(7) setting a response timer when sending each said packet.
3. The method according to claim 2, characterized in that sending packets to each IP address in said IP-MAC list further comprises the following steps:
3.1 sending 1~n TCP packets,
Source address: any different Internet address,
Destination address: IP address of the probed host,
ISN: any or particular value,
Source port: any,
Destination port: any unused port,
TCP flags: SYN bit cleared,
SYN: any or particular value,
ACK: any or particular value;
3.2 sending 1~n TCP packets:
Source address: any different Internet address,
Destination address: IP address of the probed host,
ISN: any or particular value,
Source port: any,
Destination port: any unused port,
TCP flags: SYN bit set,
SYN: any or particular value,
ACK: any or particular value;
3.3 sending 1~n TCP packets:
Source address: any different Internet address,
Destination address: IP address of the probed host,
ISN: any or particular value,
Source port: any,
Destination port: any well-known port,
TCP flags: SYN bit cleared,
SYN: any or particular value,
ACK: any or particular value;
3.4 sending 1~n TCP packets:
Source address: any different Internet address,
Destination address: IP address of the probed host,
ISN: any or particular value,
Source port: any,
Destination port: any well-known port,
TCP flags: SYN bit set,
SYN: any or particular value,
ACK: any or particular value;
3.5 sending 1~n UDP packets:
Source address: any different Internet address,
Destination address: IP address of the probed host,
ISN: any or particular value,
Source port: any,
Destination port: any unused port;
3.6 sending 1~n ICMP packets:
Source address: any different Internet address,
Destination address: IP address of the probed host,
ISN: any or particular value,
ICMP type: echo request;
3.7 sending 1~n ICMP packets:
Source address: any different Internet address,
Destination address: IP address of the probed host,
ISN: any or particular value,
ICMP type: any message type;
3.8 other packets (XXX: source routing, etc.).
4. The method according to claim 2, characterized in that the step of setting a response timer when sending each said packet further comprises the following steps:
4.1 as long as the Sensor/Monitor observes the corresponding response packet before a given response timer expires, namely:
1) for said step 3.1, an RST packet,
2) for said step 3.2, an RST packet,
3) for said step 3.3, an RST packet,
4) for said step 3.4, an ACK packet,
5) for said step 3.5, an ICMP error message,
6) for said step 3.6, an ICMP response message,
7) for said step 3.7, an ICMP response message;
4.2 if the Sensor/Monitor has not observed the corresponding response packet when all response timers have expired, the host with this IP address is using an illegal default route,
4.3 if the Sensor/Monitor observes only part of the response packets, then:
4.3.1 the host with this IP address has a firewall installed with certain filtering rules set,
4.3.2 the internal network has a problem.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA021580200A CN1509003A (en) | 2002-12-20 | 2002-12-20 | Method for monitoring unauthorized dial accessing in local area network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN1509003A true CN1509003A (en) | 2004-06-30 |
Family
ID=34236817
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA021580200A Pending CN1509003A (en) | 2002-12-20 | 2002-12-20 | Method for monitoring unauthorized dial accessing in local area network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1509003A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100372296C (en) * | 2004-07-16 | 2008-02-27 | 北京航空航天大学 | Network invading detection system with two-level decision structure and its alarm optimization method |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C02 | Deemed withdrawal of patent application after publication (patent law 2001) |
WD01 | Invention patent application deemed withdrawn after publication |