CN1832450A - Method for preventing offence between inserted users - Google Patents
Method for preventing attacks between access users (machine-translated title on the page: "Method for preventing offence between inserted users")
- Publication number: CN1832450A (application CN200510053556, CNA2005100535568A; granted as CN100414928C)
- Authority: CN (China)
- Prior art keywords: message (packet), firewall, access device, header
- Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Granted
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a method for preventing attacks between access users, in which a firewall is deployed between an access device and the external packet data network. The method comprises: A, the access device receives an uplink packet and judges whether it is addressed to another access user; if so, it sends the packet to the firewall; B, the firewall receives the packet, inspects and filters it, and sends the legitimate packets back to the access device; C, the access device delivers the packet to the corresponding access user.
Description
Technical field
The present invention relates to the field of GPRS access technology, and in particular to a method for preventing attacks between access users.
Background technology
The GPRS/WCDMA network structure is shown in Fig. 1. The GGSN and the SGSN are the two basic devices of the GPRS/WCDMA packet-domain core network. The main function of the SGSN is to provide access for the UTRAN/BSS; the main function of the GGSN is to act as the gateway between the GPRS/WCDMA system and the external packet data network (PDN). A data service initiated by an access user (TE, Terminal Equipment) enters through the SGSN, is sent to the GGSN, and from the GGSN on to the external PDN; receiving data can be regarded as the reverse of this process.
To protect access users from attack, a firewall is usually deployed between the GGSN and the external PDN (generally the Internet). The firewall blocks attacks on access users by whatever illegitimate data streams may arrive from the external PDN.
As access-user traffic grows, the potential for access users to attack one another also grows. However, the position of the firewall in the network structure determines that it only filters illegitimate data streams from the external PDN; it cannot filter data streams exchanged between access users. The analysis is as follows:
As can be seen from the network structure in Fig. 1, when data is transferred between access users, the TE uploads its data stream through the SGSN to the GGSN, and after processing the GGSN delivers it directly through the SGSN to the other TE; the data stream never passes through the firewall.
If a further firewall were added between the GGSN and subordinate devices such as the SGSN to inspect the data streams transferred between TEs and guard against attacks, the networking cost would increase; moreover, packets from the external PDN would then have to pass through two firewalls before reaching a TE, which would certainly reduce the data transfer rate between the TE and the external PDN.
Therefore, the current method of preventing attacks between access users is for the GGSN itself to perform simple packet filtering, inspecting and filtering the data streams exchanged between access users. Packet filtering is a simple filtering means that can only filter on simple attributes of a packet, such as source address, destination address, source port, destination port and TTL. A packet-filtering policy based on GGSN inspection can therefore prevent attacks between access users only to a limited extent and can hardly prevent complex attacks mounted by access users. The reason is that the GGSN is not a dedicated firewall device, so it cannot reach a firewall's high-level ability to prevent complex attacks and cannot meet higher security requirements.
Summary of the invention
In view of this, the main object of the present invention is to provide a method for preventing attacks between access users that achieves firewall-grade protection against attacks between access users without changing the existing network.
The method for preventing attacks between access users according to the present invention, in which a firewall is deployed between an access device and the external packet data network, comprises the following steps:
A. The access device receives an uplink packet and judges whether the packet is addressed to another access user; if so, it sends the packet to the firewall.
B. The firewall receives the packet, performs firewall inspection and filtering, and sends the legitimate packets back to the access device.
C. The access device delivers the packet to the corresponding access user.
Optionally, before step A sends the packet to the firewall, the method further comprises adding a designated header to the packet; after step B receives the packet, the method further comprises removing the designated header from the packet.
Optionally, the access device is configured with detection rules and adds the designated header when it judges that a packet needs to be inspected.
Preferably, the designated header further contains a flag bit indicating whether firewall inspection is required, and step B further comprises the firewall deciding according to this flag bit whether to inspect the packet.
The inspection and filtering performed by the firewall in step B comprises: the firewall inspects parameters such as the packet's source address, destination address, source port, destination port and TTL and filters according to the configured filtering rules. It may further comprise inspecting the data encapsulated in the packet, and/or reassembling the encapsulated data and then inspecting it.
Optionally, the access device is a GGSN.
As can be seen from the above, the present invention achieves firewall filtering of packets exchanged between access users through cooperation between the access device (GGSN) and the firewall device, thereby preventing malicious attacks between access users. The implementation requires no change to the existing networking and no additional firewall: it provides a firewall-based filtering mechanism without changing the network structure, meets firewall-grade security requirements, and keeps cost low because the existing networking is left unchanged.
Description of drawings
Fig. 1 is the GPRS/WCDMA network structure.
Fig. 2 is a diagram of the GGSN and the firewall cooperating to inspect data.
Fig. 3 is the flowchart of inspecting data streams between access users according to the present invention.
Embodiment
Without changing the existing networking structure, the present invention inspects and filters the data streams exchanged between access users through cooperation between the GGSN and the firewall device, thereby guarding against attacks between access users. The method for preventing attacks between access users according to the present invention is described in detail with reference to the drawings.
The network structure shown in Fig. 1 is retained, and the firewall remains between the GGSN and the external PDN. As shown in Figs. 2 and 3, the method comprises the following steps:
Step 301: The access device GGSN receives a packet sent up by a TE through the SGSN. The GGSN judges whether the packet is addressed to another access user; this can be done by checking the packet's destination address against the TE address configuration information recorded on the GGSN. When the packet is judged to be addressed to another user, the GGSN adds a designated header to the packet and sends it to the firewall. The format of the designated header can be agreed between the GGSN and the firewall so that both sides recognize it.
In addition, a detection policy can be preconfigured on the GGSN, for example specifying that packets from trusted TEs are not inspected. In that case, in step 301, when the policy configured on the GGSN indicates that packets from a given TE need not be filtered, the GGSN either does not add the designated header to the packet, or sets a flag bit in the header indicating that the packet is not to be inspected.
One implementation of the header is as follows: the header may contain information such as a packet sequence number and a flag bit, where the flag bit indicates whether the packet requires firewall inspection. An example packet layout is: Sequence Number + Flag + Length + (original UDP/IP packet), where Sequence Number is the sequence number above, Flag is the flag bit above, and Length is the length of the packet that follows. Naturally, when forwarding the packet to the firewall the GGSN also encapsulates it with the firewall's address; this is not described further here.
Step 302: When the firewall receives the packet, it recognizes from the designated header that the packet was sent up by the GGSN, removes the designated header, and performs standard firewall inspection and filtering; abnormal packets that are detected are filtered out and not forwarded.
If the header in step 301 carries the flag bit indicating whether to inspect, the firewall also decides according to this flag bit whether to inspect the packet.
The functions provided by the firewall can be used to the full for inspecting packets. The firewall can inspect and filter on parameters such as the packet's source address, destination address, source port, destination port and TTL. For example, filtering rules on source and destination address can be configured on the firewall in advance, and filtering rules can also be configured for particular protocol ports. For instance, to forbid packets from MS1 to MS2 (that is, to prevent MS1 attacking MS2), a rule can be configured on the firewall denying packets whose source address is MS1 and whose destination address is MS2; such packets are then dropped and are no longer handed down to the GGSN. Furthermore, the firewall can be used for more complex inspection: detection rules on packet content can be configured on the firewall, so that the firewall inspects the encapsulated data of the packet, or reassembles the encapsulated data and then inspects the upper-layer data, and so on.
Step 303: The firewall hands the packets that pass inspection back down to the GGSN, which forwards them normally and delivers them to the corresponding access user.
As can be seen from the above process, no change to the existing network is needed and no new firewall is added, and the firewall's original protective function between the external PDN and the GPRS core network is unaffected. All other data flows are unchanged: the original flow from a TE to the Internet still goes from the TE through the SGSN to the GGSN and then through the firewall to the Internet, and the flow from the Internet to a TE still passes through firewall filtering to the GGSN and then through the SGSN to the TE.
This example describes the present invention with the GPRS/WCDMA network structure. In other network structures the networking entities may differ, so the role of the GGSN above may be taken by another entity in those structures; as long as the entity's function is essentially the same as that of the GGSN, the method of the present invention can prevent attacks between access users.
The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
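The following simulation of steps 301 to 303 is an added example and is not code from the patent or from any GGSN or firewall vendor. It follows the header sketch given above (Sequence Number + Flag + Length + original UDP/IP packet), but the field widths (32-bit sequence number, 8-bit flag, 16-bit length), the trusted-TE policy, the rule table, the default-permit behaviour and the addresses are assumptions made for illustration. The "MS1 to MS2" deny rule is the one the description gives; the payload-content rule stands in for the content inspection the text mentions. The IPv4/UDP datagrams are constructed in the example itself (checksums left at zero) so that the firewall actually parses bytes rather than a pre-filled record. The outer encapsulation with the firewall's address is not simulated.

```python
import socket
import struct

# Designated GGSN<->firewall header (assumed widths): seq uint32, flag uint8, length uint16, network order.
HDR_FMT = "!IBH"
HDR_LEN = struct.calcsize(HDR_FMT)
FLAG_INSPECT = 0x01  # flag bit: firewall inspection required


def build_udp_ip(src, dst, sport, dport, ttl, payload):
    """Construct a minimal IPv4/UDP datagram (constructed test input; checksums are zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def parse_udp_ip(raw):
    """Extract the fields the patent says the firewall filters on (5-tuple, TTL) plus the payload."""
    ihl = (raw[0] & 0x0F) * 4
    ttl, proto = raw[8], raw[9]
    if proto != 17:
        raise ValueError("example only handles UDP")
    sport, dport, ulen = struct.unpack("!HHH", raw[ihl:ihl + 6])
    return {"src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
            "sport": sport, "dport": dport, "ttl": ttl, "payload": raw[ihl + 8:ihl + ulen]}


class Firewall:
    """Step 302: strip the designated header, honour the flag, inspect, return legal packets."""

    def __init__(self, rules):
        # Each rule: match fields (src/dst/sport/dport/ttl, optional payload_contains) plus "action".
        self.rules = rules
        self.log = []  # (sequence number, action) for rule hits

    def receive_from_ggsn(self, wrapped):
        seq, flag, length = struct.unpack(HDR_FMT, wrapped[:HDR_LEN])
        raw = wrapped[HDR_LEN:HDR_LEN + length]
        if len(raw) != length:  # header says more bytes than were delivered: do not trust it
            raise ValueError("truncated packet behind designated header")
        if not flag & FLAG_INSPECT:  # GGSN policy says this TE is trusted: pass through
            return raw
        fields = parse_udp_ip(raw)
        for rule in self.rules:
            exact = {k: v for k, v in rule.items() if k not in ("action", "payload_contains")}
            if not all(fields[k] == v for k, v in exact.items()):
                continue
            if "payload_contains" in rule and rule["payload_contains"] not in fields["payload"]:
                continue
            self.log.append((seq, rule["action"]))
            return raw if rule["action"] == "permit" else None  # None: dropped, not handed down
        return raw  # assumed default: permit when no rule matches


class GGSN:
    """Steps 301 and 303: classify uplink traffic, wrap inter-user packets, deliver what comes back."""

    def __init__(self, te_addresses, trusted=()):
        self.te_addresses = set(te_addresses)  # TE address configuration recorded on the GGSN
        self.trusted = set(trusted)            # detection policy: TEs whose packets skip inspection
        self.seq = 0
        self.delivered = []  # destination TEs of packets handed down (simulated SGSN path)

    def receive_uplink(self, raw, firewall):
        fields = parse_udp_ip(raw)
        if fields["dst"] not in self.te_addresses:
            return "to_pdn"  # existing path via the firewall to the Internet, unchanged and not simulated
        flag = 0 if fields["src"] in self.trusted else FLAG_INSPECT
        self.seq += 1
        wrapped = struct.pack(HDR_FMT, self.seq, flag, len(raw)) + raw
        legal = firewall.receive_from_ggsn(wrapped)
        if legal is None:
            return "dropped"
        self.delivered.append(parse_udp_ip(legal)["dst"])  # step 303
        return "delivered"


def run_demo():
    """Five constructed uplink packets exercising the deny rule, content rule, trusted TE and PDN path."""
    fw = Firewall(rules=[
        {"src": "10.0.0.1", "dst": "10.0.0.2", "action": "deny"},  # forbid MS1 -> MS2 (patent's example)
        {"payload_contains": b"EXPLOIT", "action": "deny"},        # assumed content-inspection rule
    ])
    ggsn = GGSN(te_addresses={"10.0.0.1", "10.0.0.2", "10.0.0.3"}, trusted={"10.0.0.3"})
    results = {
        "ms1_to_ms2": ggsn.receive_uplink(build_udp_ip("10.0.0.1", "10.0.0.2", 5000, 53, 64, b"hello"), fw),
        "ms2_to_ms1": ggsn.receive_uplink(build_udp_ip("10.0.0.2", "10.0.0.1", 5000, 53, 64, b"hello"), fw),
        "content": ggsn.receive_uplink(build_udp_ip("10.0.0.2", "10.0.0.1", 5000, 53, 64, b"EXPLOIT.."), fw),
        "trusted": ggsn.receive_uplink(build_udp_ip("10.0.0.3", "10.0.0.2", 5000, 53, 64, b"EXPLOIT"), fw),
        "to_internet": ggsn.receive_uplink(build_udp_ip("10.0.0.1", "203.0.113.5", 5000, 53, 64, b"x"), fw),
    }
    return results, ggsn, fw


if __name__ == "__main__":
    results, ggsn, fw = run_demo()
    print(results, ggsn.delivered, fw.log)
```

Two points the simulation makes visible: the firewall checks that the Length field matches the bytes actually received before trusting it, since a GGSN-side framing bug or a spoofed wrapper would otherwise let a short packet be misparsed; and the trusted-TE bypass is a deliberate hole, so the "trusted" packet carrying the EXPLOIT marker is delivered unchecked, which is exactly why the flag should be set only for TEs the operator genuinely controls.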
Claims (7)
1. A method for preventing attacks between access users, in which a firewall is deployed between an access device and the external packet data network, characterized in that it comprises the following steps:
A. the access device receives an uplink packet and judges whether the packet is addressed to another access user; if so, it sends the packet to the firewall;
B. the firewall receives the packet, performs firewall inspection and filtering, and sends the packets confirmed as legitimate back to the access device;
C. the access device delivers the packet to the access user that is to receive it.
2. The method according to claim 1, characterized in that before step A sends the packet to the firewall, the method further comprises: adding a designated header to the packet;
and after step B receives the packet, the method further comprises: removing the designated header from the packet.
3. The method according to claim 2, characterized in that it further comprises: the access device is configured with detection rules, and adds the designated header when the detection rules judge that the packet needs to be inspected.
4. The method according to claim 2, characterized in that the designated header further contains a flag bit indicating whether firewall inspection is required;
and step B further comprises: the firewall decides according to this flag bit whether to inspect the packet.
5. The method according to claim 1, characterized in that the access device is a GGSN.
6. The method according to claim 1, characterized in that the inspection and filtering performed by the firewall in step B comprises: the firewall inspects parameters such as the packet's source address, destination address, source port, destination port and TTL, and filters according to the configured filtering rules.
7. The method according to claim 6, characterized in that it further comprises: inspecting the data encapsulated in the packet, and/or reassembling the encapsulated data and then inspecting it.
Priority Applications (1) / Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005100535568A (CN100414928C) | 2005-03-08 | 2005-03-08 | Method for preventing offence between inserted users |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1832450A (application publication) | 2006-09-13 |
| CN100414928C (granted patent) | 2008-08-27 |
Family ID: 36994457
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | Status |
|---|---|---|---|---|
| CNB2005100535568A (CN100414928C) | Method for preventing offence between inserted users | 2005-03-08 | 2005-03-08 | Expired - Fee Related |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100414928C |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1244250A1 | 2001-03-21 | 2002-09-25 | Siemens Aktiengesellschaft | Method and telecommunication system for monitoring data streams in a data network |
| CN100417153C | 2002-10-10 | 2008-09-03 | Huawei Technologies Co., Ltd. | Network system and method for processing VoIP services based on the media gateway control protocol |
| CN1282347C | 2003-10-08 | 2006-10-25 | ZTE Corporation | Method for implementing a signalling firewall in a softswitch network |
Timeline: 2005-03-08, CN, CNB2005100535568A (patent CN100414928C), status not active (Expired - Fee Related).
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2009079933A1 | 2007-12-20 | 2009-07-02 | Hangzhou H3C Technologies Co., Ltd. | Message processing method and device |
| US8259740B2 | 2007-12-20 | 2012-09-04 | Hangzhou H3C Technologies Co., Ltd. | Method and an apparatus for processing packets |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100414928C | 2008-08-27 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | C17 | Cessation of patent right | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2008-08-27; termination date: 2013-03-08 |