RU2696330C1 - Method of protecting computer networks - Google Patents

Abstract

FIELD: computer equipment.

SUBSTANCE: method of protecting computer networks consists in the fact that the address space of the protected network is previously divided into regions, which enables to detect unauthorized actions on the computer network at the initial stage and block them. To reduce the probability of identifying characteristics of security means at the initial stage of establishing connection with a sender of message packets, in case of its access to temporarily inactive addresses of subscribers of a computer network, random values of the service field "window size" are used to simulate loss or violation of the order of reception of received message packets, speed of transfer of acknowledgments on repeated reception of message packets is reduced, what is created in the intruder representation about communication channel with bad quality, after that, long-term connection with message packets sender is held in two-way order.

EFFECT: technical result consists in improvement of protection efficiency and deception of intruder relative to structure of computer network due to reduced probability of intruder detection of use of protection means and identification of their characteristics.

4 cl, 10 dwg

Description

The invention relates to telecommunications and can be used in attack detection systems to quickly detect and counteract unauthorized influences in computer networks, in particular, in an Internet-type data network based on the TCP / IP {Transmission Control Protocol / Internet family of communication protocols Protocol) and described in the book Olifer V., Olifer N. Computer Networks. Principles, technologies, protocols: Textbook for universities. 5th ed. - SPb .: Peter, 2016 .-- 992 s: ill.

The well-known "Method of protecting a computer network" according to the patent of the Russian Federation No. 2422892, class G06F 21/20 (2006.01), decl. 04/13/2010. The known method includes the following sequence of actions. Install a gateway computer with a firewall in the communication channels of the protected computer network. They form the base of parameters of legitimate packets and block packets coming from the open network for the period of establishing legitimacy. The recipient’s address is remembered, packets arriving from an open network are analyzed, for which their parameters are compared with a pre-formed base of parameters of legitimate packets. After the analysis is completed, an ICMP receipt is generated, in which the sender address is replaced with the previously stored recipient address. Send it to an illegitimate sender.

The disadvantage of this method is the relatively low security against unauthorized influences, the signs of which are unauthorized information flows (IP). This is due to the fact that when determining the presence of unauthorized IP in computer networks, the transmission of a message packet is blocked, which is insufficient to protect computer networks from unauthorized influences. The implementation of this approach to protection forces the attacker to further influence the computer networks and (or) change the strategy of exposure.

The well-known "Method (options) for protecting computer networks" according to the patent of the Russian Federation No. 2307392, class G06F 21/00, publ. 09/27/2007. The known method includes the following sequence of actions. N> l reference identifiers of authorized IPs containing the addresses of senders and recipients of message packets are pre-set, a message packet is received from the communication channel, the identifier of the IP is extracted from the header of the received message packet, the selected identifier is compared with predefined reference identifiers

authorized IPs and, if they coincide, they transmit the message packet to the recipient, and if they do not match, the sender address specified in the identifier of the received message packet is compared with the senders addresses specified in the reference identifiers of the authorized IPs, they specify P≥1 false addresses of the subscribers of the computer network and the delay time for sending packets messages t _ass - If the sender address in the received message packet coincides with one of the sender addresses of the reference identifiers of authorized IPs, the address is compared the recipient in the received packet of messages with the addresses of the recipients of the reference identifiers of authorized IP. If the recipient address in the received message packet does not match the recipient addresses of the reference identifiers of the authorized IPs, the recipient address in the received message packet is additionally compared with the pre-set false addresses of the subscribers of the computer network. In case of mismatch of the recipient address in the received message packet with predefined false addresses of the subscribers, the message packet is blocked. And if the sender’s address in the received message packet does not match one of the addresses of the senders of the reference identifiers of authorized IPs or the recipient’s address in the received message packet matches the addresses of the recipients of the reference identifiers of authorized IPs, or if it coincides with the pre-set false addresses of the subscribers of the computer network, they form a response message packet, and then, after a predetermined delay time for sending message packets t _ass reduce the transmission rate of the generated message packet. It is transmitted to the sender, after which another message packet is received from the communication channel. To identify the interaction protocol, an identifier of the type of interaction protocol is extracted and compared with standards of identifiers of the type of interaction protocol. To reduce the transmission speed of the generated message packet, the message packet is fragmented, the message packet is transmitted after a predetermined delay time for sending message packets t _ass .

The disadvantages of this method are the relatively low efficiency of protection of computer networks and the narrow scope of the protection method. The low effectiveness of protection is due to the fact that in the prototype an increase in the intensity of unauthorized information flows and the preservation of a specified delay time for sending response message packets to the sender will lead to an overload of the computer network. The narrow scope is due to the fact that to implement the protection method, the speed of information exchange with the sender of unauthorized information flows is reduced only from the side of the computer network, that is, unilaterally, and they do not take into account the ability of the sender to disconnect.

The closest in technical essence to the claimed one is the method of protecting computer networks, described, for example, in the book Grimes, RA Honeypots for Windows // Apress. 2005.442 p. on pages 191-192. The known method includes the following sequence of actions. Connect network devices to a computer network. After receiving the ARP requests (from the English Address Resolution Protocol), the response message packet is formed to the i-th unused IP address of the network device of the computer network and the value W _{beginning is} written in the window size field of the TCP header of the response message packet equal to ten bytes, after which they receive the next packet of messages. Then, a response message packet is generated and the value of W _{knots is set} to zero bytes in the “window size” field of the TCP-header of the response message packet. After that, the generated response message packets are sent to the sender, and to block attempts to disconnect from the sender of the message packets, all incoming message packets are ignored until the connection timeout expires.

The known prototype method provides higher security of computer networks from unauthorized influences compared to peers by misleading the intruder regarding the structure of computer networks by simulating the availability of the entire array of IP addresses of the computer network, thereby ensuring the maximum probability of redirecting the intruder to the resource trap, and by keeping in a two-way connection with the sender of message packets, thereby increasing discomfort the offender also has the time gain necessary to implement the response.

The disadvantage of the prototype method is the relatively low effectiveness of the protection, due to the high probability of an intruder detecting the use of computer network protection means and identifying their characteristics. This is due to the fact that in the prototype, when accessing any IP address from the range of IP addresses of a computer network, the intruder always receives a response about the availability of any IP address from their entire set, which unmasks the availability and capabilities of the means of protection. In addition, when answering ARP requests to the i-th unused IP address of the network device of the computer network, the prototype uses a value of the service field “window size” of the header of the response TCP message packet equal to zero, which allows the attacker to identify the means of protection of the computer network by examining network sharing settings.

The purpose of the claimed technical solution is to develop a method of protecting computer networks that improves the effectiveness of protection by reducing the likelihood of an intruder detecting the use of protective equipment and identifying their characteristics, achieved by dividing the address space of a computer network into areas that ensure the functioning of the protected computer network, simulating a communication channel poor quality retention of two-way connection with the sender We receive message packets, as well as blocking attempts by the sender to disconnect.

This goal is achieved by the fact that in the known method of protecting computer networks, network devices are connected to the computer network, and after receiving ARP-zaros to the i-th unused IP address of the network device of the computer network, a response message packet is generated. Then, the value of W _beginning equal to ten bytes is written in the window size field of the TCP header of the response message packet. After that, the next message packet is received and a response message packet is formed. Then, in the “window size” field of the TCP-header of the response message packet, the value W _{beats is} equal to zero bytes and the generated response message packets are sent to the sender. To block attempts to disconnect from the sender side of the message packet, all incoming message packets are ignored until the connection timeout expires. The predefined initial data additionally sets the set {M _IP } of all i IP addresses of the network devices of the computer network, where i = 1, 2, n, and n is the maximum allowable value of the range of IP addresses for the computer network. Then, a set of {A _IP } IP addresses of network devices allowed for use in a computer network is pre-set, where {A _IP } ∈ {M _IP } and a set of {D _IP } IP network addresses prohibited for use in a computer network, where { D _IP } = {M _IP \ A _IP } = {D _IP ∈ M _IP ∧ D _IP ∉ A _IP }.

After that, a plurality of {U _IP } resolved and temporarily unconnected IP addresses of network devices in the computer network from the set of {A _IP } and a plurality of {R _IP } resolved and connected IP addresses of network devices in the computer network from the set of {A _IP } are additionally set , where {U _IP ) = {A _IP \ R _IP ] = {U _IP ∈ A _IP ∧ U _IP ∉ R _IP } and {R _IP } = {A _IP \ U _IP } = {R _IP ∈ A _IP ∧ R _IP ∉ U _IP }. Then, a memory array Sp is preliminarily set for storing k fragments received from the sender of the TCP message packets, where k = 1, 2, F, and F is the total number of received fragments of the TCP message packet. Also, a memory array G _{P is} preliminarily set for storing m generated response fragments of the TCP message packet, where m = 1, 2, M, and M is the total number of generated response fragments of the TCP message packet and an AG memory array for storing the correspondence matrix k the received fragment of the TCP message packet from the array Sp of the tth generated fragment of the TCP message packet from the memory array Gp. After this, the time interval t _{ass is} preliminarily set, during which three duplicates of ACK confirmation will be sent to the sender of the TCP messages packets. After connecting network devices to the computer network, the IP addresses of temporarily unconnected network devices are stored in a set of {U _IP }, after which an ARP request is received to any i-th IP address of a network device from the set of {M _IP } and the recipient IP address is compared ARP requests with IP addresses of network devices from the set of {D _IP } prohibited for use in the computer network IP addresses of network devices. According to the results of comparison, if the IP address of the recipient of the ARP request coincides with the IP addresses from the set of {D _IP } prohibited for use in the computer network IP addresses of network devices, the ARP request is ignored. Otherwise, that is, if the IP address of the recipient of the ARP request does not match the IP addresses of the set {D _IP }, the IP address of the recipient of the ARP request is compared with the IP addresses of network devices from the set of {R _IP } allowed and connected IP -addresses of network devices. Based on the comparison results, if the IP address of the recipient of the ARP request coincides with the IP addresses from the set of {R _IP } allowed and connected IP addresses, a message is generated about the availability of the recipient node of the message packet, otherwise, if the IP address does not match the recipient of the ARP request with IP addresses from the set {R _IP }, compare the IP address of the recipient; ARP requests with IP addresses of network devices from the set of {U _IP } temporarily unconnected IP addresses. Then, based on the results of the comparison, if the IP address of the recipient of the ARP request does not match the IP addresses from the set of {U _IP } temporarily unconnected IP addresses, a message is generated about the availability of the recipient node of the message packet. Otherwise, that is, if the IP address of the recipient of the ARP request coincides with the IP addresses from the set {U _IP }, a TCP connection is established with the sender of the message packets, for which they receive a request fragment to establish a connection with the SYN flag set, write to the “window size” field of the response fragment randomly set value W _beg and send the response fragment with the set SYN ASK flags and the set value of the “window size” field W _beg . After that, a TCP packet of messages from F fragments is received from the sender, F fragments of the TCP packet of messages received from the sender are stored in the memory array Sp and M response fragments of the TCP packet of messages are formed. Then, the M generated response fragments of the TCP message packet are stored in the memory array Gp and the correspondence to the kth received fragment of the TCP message packet from the array Sp of the tth generated response fragment of the TCP message packet from the memory array Gp is stored in the memory AG. After that, the counter value l is set for the number of generated response fragments of the TCP packet of messages stored in the memory array Gp equal to M and the sender of the TCP packet of messages is sent a confirmation of the receipt of the first fragment from the F received fragments of the TCP packet of messages. Then, the first of the F received TSC segments from the sender of the TCP message packets is removed from the memory array Sp and the first of the M generated response fragments of the TCP message packet is deleted from the Gp memory array. Then, the counter value l of the number of M response fragments of the TCP message packet generated is reduced by one and three duplicates of ACK confirmation are sent to the sender of the TCP message packets, indicating the receipt of the next of the received TCP message packet fragments in violation of the delivery order for t _ass . After that, the next (k + 1) -th of the previously received F fragments of the TCP message packet is received again from the message sender. A message is sent to the message sender confirming the successful receipt of the next (k + 1) th out of F previously received fragments of the TCP message packet and the next (k + 1) th out of F received fragments of the TCP message packet is sent from the sender of the TCP message packets from the array memory Sp. Then, the next (m + 1) th from M formed TSR segments from the Gp memory array is deleted and the counter of l of the number M of generated response fragments of the TSR message packet is reduced by one, and so on until the sender of the TSR message packets is the last but one (Fi) -ft is retransmitted from the received F fragments of the TCP message packet, i.e. until the value of the counter l of the number M of the generated response fragments of the TCP message packet becomes equal to unity 1 = 1. After receiving the penultimate (Fl) -ro again from F fragments of the TCP message packet, the window size field of the response fragment W _beats = 0 is set and the response fragment of the TCP message packet with W _beats = 0 is formed. Then, the response fragment with W _beats -0 is sent to the sender of the TCP message packets, and to block attempts to disconnect from the sender of the TCP message packets, all incoming fragments are ignored until the connection timeout expires.

The correspondence to the kth received fragment of the GSR message packet from the array Sp of the tth generated response fragment of the GSR message packet from the memory array is stored in the memory array AG by writing a logical unit to the cell \ k, m \ of the memory array AG.

The value of W _beginning service field "window size" for the formation of the response fragment of the GSR packet of messages is selected in the range from 11 to 30 bytes.

Value t _ass time interval during which the three duplicate ACK confirmation will be sent to the sender messages GSR packets is selected in the range of 5 to 9 seconds.

Thanks to the new combination of essential features in the claimed method, it is possible to increase the effectiveness of protection by reducing the likelihood of an intruder detecting the use of protective equipment and identifying their characteristics, achieved by dividing the address space of the computer network into areas that ensure the functioning of the protected computer network, simulating a communication channel with poor quality , hold in a two-way connection with the sender of message packets, and t Also blocking attempts by the sender to disconnect.

The claimed objects of the invention are illustrated by drawings, which show:

FIG. 1 - structure of the GSR header of the message packet;

FIG. 2 is an example illustrating the protection of a computer network using a network "trap" before dividing the address space;

FIG. 3 is an example illustrating the protection of a computer network using a network "trap" after dividing the address space;

FIG. 4 is a graphical interpretation of the separation of the address space of a computer network;

FIG. 5 is a flowchart illustrating the claimed method of protecting computer networks;

6 is an illustration of the use of the default value of the window size field of the network "trap";

FIG. 7 is an illustration of the use of a random value of the window size field of a network "trap";

FIG. 8 is a screen form showing the length of time of the controlled interaction of the intruder and the network "trap", the value of the "window size" field is zero bytes;

FIG. 9 is a screen form showing the length of time of the controlled interaction of the intruder and the network "trap", the value of the "window size" field is zero bytes, using the duplicated ASK mechanism;

FIG. 10 is a screen form showing the length of time of the controlled interaction of the intruder and the network "trap", the value of the "window size" field is zero bytes, using the GSR client and the duplicated ASK mechanism.

The implementation of the claimed method is explained as follows. It is known that at present a sufficiently large number of computer attacks is of intelligence nature in order to obtain information about the topology of the computer network that is the target of the attack, as well as about the means used to protect the computer network. One of the network protection tools that operate using fraudulent network strategies aimed at creating illusions for the intruder or creating a more complex infrastructure than actually exists is the network honeypots described, for example, in the book Provos , N., Holz, T, Virtual Honeypots'. From Botnet Tracking to Intrusion Detection // Addison Wesley, 2007.480 p. More advanced methods of network fraud include not only providing the adversary with a plausible target, but also the so-called proactive protection measures, such as, for example, keeping the connection with the sender of message packets in a two-way manner, which causes the resource sender to “exhaust” resources to maintain connection state, slows down the process of automatic scanning of the attacked computer network and, as a result, imposes a limitation on the computing resource used by the intruder, h of the results in the inability to carry out information exchange network intruder. The proactive protection methods discussed are implemented in the form of network cheating tools, the so-called network “traps” (network tarpits), which are described, for example, in the book Andres, S., Kepuop, V. Birkolz, E. Security Sage's Guide to Hardening the Network Infrastructure II Sungress Publishing, 2004. 608 p., Pp. 414-416.

In turn, information security violators are also actively developing and improving means of reducing the effectiveness of network "traps" that implement the following methods of compromising them: detecting unique identifiers (unmasking signs) of network "traps"; detailed analysis of network traffic coming from network "traps". Such unmasking signs of a network "trap" implemented in the prototype method are the activity of any IP address from the entire range of IP addresses of the computer network, as well as the use of the default "window size" field of GSR message packets set to ten bytes by default.

TCP provides mechanisms for controlling the flow of data and is described, for example, in the technical specifications (RFC, Request for Comments) of the Internet (see, for example, https://tools.ietf.org/html/rfc793). Flow control allows you to maintain the reliability of transmission over TCP by adjusting the speed of the data stream between the sender and recipient of the GSR message packets during a specific session. Flow control is carried out by limiting the number of data segments transmitted at a time, as well as requesting confirmation of receipt before sending the next segments.

To control the flow, the TCP protocol first determines the number of data segments that the receiver of TCP messages packets can receive. The TCP header is shown in FIG. 1 and includes a 16-bit field called the “window size”. This is the number of bytes that the receiver of TCP message packets is able to receive and process at a time. The initial value of the window size field is agreed upon during the process of establishing a connection between the sender and receiver of TCP messages packets. After negotiation, the sender of the TCP message packets must limit the number of data segments sent to the recipient of the message packets in accordance with the value of the window size field. Only after the sender of the TCP message packets has received confirmation that the data segments have been received, can he continue sending the remaining data in this session.

During the delay in receiving confirmation, the sender of the TCP message packets does not send additional segments. In those time periods when the network or resources of the receiver of the TCP message packets are overloaded, the delay time may increase. As the delay duration increases, the effective data rate for this session decreases. Slowing down the data transfer during each session helps to reduce the conflict of resources between the sender and the receiver of TCP message packets in case of several communication sessions. Thus, the value of the “window size” field controls the data rate in accordance with the maximum value of the stream, which is supported by the network and the recipient of message packets, while reducing data loss and the number of retransmissions.

As a means of compromising network "traps", in terms of detecting the fact of using the entire set of IP addresses, the attacker can use various utilities (ptar, ethereal, arping, etc.) designed to analyze network traffic and the network topology, described, for example, in the book Andronchik A.N., Bogdanov V.V., Domukhovsky N.A., Kollerov A.S., Sinadsky N.I., Khorkov D.A., Shcherbakov M.Yu. Information security in computer networks. Practical course: study guide / A.N. Andronchik, V.V. Bogdanov, N.A. Domukhovsky and others; edited by N.I. Sinadsky. - Yekaterinburg: USTU-UPI, 2008 .-- 248 p.

As a means of compromising network “traps” using a small value of the window size service field of TCP message packets set to ten bytes or less by default, attackers use specialized software to compromise the proactive protection of computer networks Degreaser (see, for example, https://github.com/lancealt/degreaser).

Thus, a contradiction arises between the effectiveness of protection of computer networks provided by means of proactive defense and the capabilities of violators to determine the structure of computer networks, identify the characteristics of security devices with unmasking signs, and their compromise. To eliminate this contradiction, the claimed method is directed.

The claimed method is implemented as follows. In a typical case (Fig. 2), a computer network is a collection of correspondents 101 and 102, which are sources and receivers of network traffic, peripheral and communication equipment 104, 109 relaying network traffic of correspondents, united by physical communication lines (channels) 103, 110, connecting n nodes of the computer network into a single infrastructure, including using a data network of the Internet type 105. At the same time, the space of IP addresses of the computer network is occupied by computer correspondents network is not fully: Correspondent K _1, K _2, K _3, marked in Fig. 2 together 101, connected to a computer network. Whereas the correspondents K ₄ , K ₅ , ... K _n highlighted in FIG. 2 together 102 (PC icons in Fig. 2 are dotted), are not connected to the computer network, that is, IP addresses by correspondents K4, K5, ... K _{n are} not busy (are not used).

To protect the computer network and mislead the intruder 106 regarding the structure of the computer network, a network “trap” is installed on one of the allocated computers 107 of the computer network, which intercepts ARP requests to the i-th unused IP address of the network device from the aggregate 102 of the computer network, by means of the packet analyzer 108. After intercepting the ARP requests, the message messages are held with the sender of the TCP packets of the connection in a bilateral manner.

Figure 3 presents the computing network with the division of the address space into areas that ensure the realism of the functioning of the protected computing network. So, to reduce the likelihood of an intruder detecting the use and identification of the characteristics of security equipment, the address space of the computer network (Fig. 3) is preliminarily divided into sets of 101-allowed and connected IP addresses of network devices, 102-allowed and temporarily unconnected IP addresses of network devices , 111 - IP addresses of network devices belonging to the K ₇ , ... K _n correspondents prohibited for use in a computer network (PC icons in Fig. 3 are depicted by a thin line).

A graphical interpretation of the separation of the address space of a computer network is shown in FIG. 4 using mathematical expressions accepted in set theory. So in FIG. 4 the following notation is accepted:

{M _IP } - the set of all i IP addresses of network devices of a computer network belonging to correspondents from the aggregates 101, 102 and 111, where i = 1, 2, n, and n is the maximum allowable value of the range / P-addresses for the computer network;

{A _IP } - a set of IP addresses of network devices that are allowed for use in a computer network that belong to correspondents from

populations 101 and 102, where {A _IP } ∈ {M _IP };

{D _IP } - the set of IP-addresses of network devices belonging to correspondents from the aggregate 111, prohibited for use in a computer network, where D _IP } = M _IP / A _IP } = {D _IP ∈ M _IP ∧ D _IP ∉ A _IP } _;

{U _IP } is the set of allowed and temporarily unconnected IP addresses of network devices in the computer network belonging to correspondents from the aggregate 102 of the set A _IP , where {U _IP } = {A _IP \ R _IP } = {R _IP ∈ A _IP ∧ U _IP ∉ R _IP }.

{R _IP } - a set of allowed and connected / P-addresses of network devices in a computer network belonging to correspondents from

the set 101 of the set A _fP , where = { ^A > ^p ^ ^u ip} = {R _IP ∈ A _IP ∧ R _IP ∉ U _IP }.

The difference {R} of the sets {A} and {U} is the operation, the result of which is a set consisting of those elements that belong to {A} and do not belong to {U} at the same time, that is, {R _IP } = {A _IP \ U _iP} = {R f _{iP iP} A l R _iP £ U _iP} ^ _{4TQ and shown in} f _{u 4j} similar expressions are written for {D _iP} and {U _iP}.

In FIG. 5 is a flowchart illustrating the claimed method of protecting computer networks, in which, in addition to the above, the following notations are adopted:

Sp is the Sp memory array for storing k fragments received from the sender of the TCP message packets, where k = 1, 2, F, and F is the total number of received fragments of the TCP message packet;

Gp is a memory array for storing m generated response fragments of the TCP message packet, where m = 1, 2, M, and M is the total number of generated response fragments of the TCP message packet;

AG is a memory array for storing the correspondence matrix of the kth received fragment of the TCP message packet from the array Sp of the tth generated fragment of the TSR message packet from the memory array Gp;

t _ass is the time interval during which three duplicate ASK acknowledgment messages will be sent to the sender of the TCP message packets.

To divide the address space into regions, a set {M _IP } = {K ₁ , K ₂ , ... K _n } of all / IP-addresses of network devices of the computer network, where i = 1, is pre-set (see block 1 in Fig. 5) 2, n, and n is the maximum allowable range of IP addresses for a computer network.

In the set {M _IP }, the set {A _IP } = {K ₁ , K ₂ , K ₃ , K ₄ , K ₅ , K ₆ } is set for IP addresses of network devices allowed for use in a computer network, where [А _IP ] e {M _IP }.

Then, in the set {M _IP }, the set {D _IP } = {Kj, ... K „} is set for IP addresses of network devices prohibited for use in the computer network, where {D _IP } = [M _IP \ A _IP ] = {D _IP ∈ M _{1 R} ∧ D _1P ∉ A _IP}.

After that, in the set {M _IP }, the set {U _IP } = {K ₄ , K ₅ , K ₆ } of allowed and temporarily unconnected IP addresses of network devices in the computer network from the set where

{U _IP } = {A _IP \ R _IP } = {U _1P ∈ A, _P ∧ U _IP ∉ R _IP }.

Also pre-set the set of {R _IP } = {K ₁ , K ₂ , K ₃ } allowed and connected / P-addresses of network devices in the computer network from the set of {A _IP }, where

{R _1P } = {А _IP \ U _IP } = {R _IP ∈ А _IP ∧ R _IP ∉ U _IP }.

By dividing the address space of the computer network in this way, the functioning of the protected computer network is realistic, which reduces the likelihood of an intruder detecting the use of protective equipment and identifies with a high degree of probability the fact of network reconnaissance by the intruder, which consists in accessing the IP addresses of temporarily unconnected network devices {U _IP}, and also to reduce network feature information content unmasking "trap", which consists in total activity d apazone IP addresses of computer network.

To reduce the likelihood of identifying the characteristics of the protective equipment in the claimed method, it is possible to reduce the information content of the unmasking feature of the network "trap", which consists in using the value of the service field "window size" TCP message packets, the default value of ten bytes. For this, random values of the window size service field are used.

The use of random values of the service window “window size” is achieved by setting (see block 1 in Fig. 5) an array of memory Sp for storing k fragments received from the sender of the TCP message packets, where k = 1, 2, F, a F is the total number of received fragments of the TCP message packet and the memory array Gp for storing m generated response fragments of the TCP message packet, where m = 1, 2, M, and M is the total number of generated response fragments of the TCP message packet. Also, a memory array AG is preliminarily set for storing the correspondence matrix of the kth received fragment of the TCP packet of messages from the array Sp of the tth generated fragment of the TCP packet of messages from the memory array Gp and the time interval t _3a d, during which the sender of the TCP packet of messages Three duplicate ASK confirmations will be sent.

The use of the time interval t _ass , during which three duplicates of ACK confirmation will be sent to the sender of the TCP message packets to each of the received fragments of the TCP message packet, is used to increase the total retention time of the connection with the intruder.

The direction of three duplicates of ACK confirmation to the sender of the TCP message packets in the claimed method of protection is used for unambiguous identification of the fact of network reconnaissance by the intruder when he addresses the ZP addresses of temporarily unconnected network devices {U _IP } and represents the use of a standard saturation control algorithm to protect Fast Retransmit algorithm for the TCP protocol (see, for example, https://tools.ietf.org/html/rfc5681) to form a false idea of the poor quality of the communication channel for the intruder.

The fast retry algorithm for the TCP protocol is based on the fact that the recipient of the TCP message packets should immediately transmit a duplicate of the ACK when a segment is received in violation of the delivery order. This is done in order to inform the sender of the TCP message packets with the help of the ASK packet that the segment was received in an orderly violation and indicate the sequence number of the expected segment. From the point of view of the sender of the TCP message packets, the duplicate ACK can be caused by various network problems. Firstly, the cause may be dropping segments. In this case, all segments after discarded will generate duplicate ASKs. Secondly, duplicate ASKs may be caused by a violation of the order of delivery of segments (for example, when delivered via different routes). Finally, duplicate ACKs may be caused by the replication of ACK packets or data segments on the network. In addition to what was said, the recipient of the TCP message packets should immediately transmit the ACK confirmation upon receipt of a segment that fills in whole or in part the gaps in serial numbers. This will provide timely information to the sender of GSR message packets performing recovery after loss using a retransmission timeout, fast retransmit, or an improved loss recovery algorithm.

The sender of the TCP message packets should use the fast retry algorithm to detect loss and correct errors using incoming duplicate ASKs. The fast repeat algorithm uses the arrival of three duplicate ACKs, without any intermediate ACK segments, as an indication of segment loss. After receiving three duplicates of the ACK, the TCP protocol retransmits the segment that is considered lost, without waiting for the completion of the countdown of the retransmission timer provided for in the TCP protocol specification (see, for example, https://tools.ietf.org/html/rfc793).

After connecting the network devices to the computer network (see block 2 in Fig. 5), the IP addresses of temporarily unconnected network devices are stored in the set {U _IP } (see block 3 in Fig. 5).

Next, they accept (see block 4 in Fig. 5) an LRP request to any mr IP address of a network device from the set of {M _IP } and compare (see block 6 in Fig. 5) the recipient IP address ^ 4LR- a request with IP addresses of network devices from the set of {D _IP } prohibited for use in the computer network IP addresses of network devices. According to the results of the comparison, in case of coincidence of the IP address of the recipient of the ARP request. with IP addresses from the set of {D _IP } prohibited for use in the computer network IP addresses of network devices ignore the LLR request (see block 5 in Fig. 5).

Otherwise, that is, if the IP address of the recipient of the ARP request does not match the IP addresses from the set {D _IP }, compare (see block 7 in FIG. 5) / the P-address of the recipient of the ARP request with IP addresses of the network devices from the set of {R _IP } permitted and connected IP addresses of network devices, and according to the results of comparison, if the IP address of the recipient of the ARP request matches IP addresses from the set of {R _IP } allowed and connected IP addresses, form (see block 10 in Fig. 5) a message about the availability of the node of the recipient of message packets, which corresponds to the appeal a lot of the subscriber to the network device computer network.

Otherwise, that is, if the IP address of the recipient of the ARP request with the IP addresses from the set {R _IP } does not match, the IP address of the recipient of the ARP request with the IP addresses of network devices is compared (see block 8 in Fig. 5) from the set of {U _IP } temporarily unconnected IP addresses, and according to the results of comparison in case of mismatch of the IP address of the recipient of the ARP request. with IP addresses from the set of {U _IP } temporarily unconnected IP addresses form (see block 10 in Fig. 5) a message about the availability of the recipient node of message packets.

Otherwise, that is, if the IP address of the recipient of the ARP request coincides with the IP addresses from the set {U _IP }, a TCP connection is established with the sender of the message packets, for which they receive (see block 9 in Fig. 5) a request fragment to establish a connection with the SYN flag set.

The setting of the “window size” field in the GSR header is implemented as follows. The procedure for establishing a TCP connection between the sender and receiver of message packets is known and described, for example, in the book Olifer V., Olifer N. Computer Networks. Principles, technologies, protocols: Textbook for universities. 5th ed. - SPb .: Peter, 2016 .-- 992 s: ill. The connection is initiated by the sender of the message packages. If necessary, to exchange data with the recipient of message packets, the client application accesses the underlying TCP protocol, which sends a connection request by setting the SYNb flag to SYN = l.

Accept (see block 9 in Fig. 5) a request fragment to establish a connection with the SYN flag set. Next, the recipient of message packets allocates system resources for information exchange and notifies the sender of the readiness to receive data in limited blocks (fragments). To this end, the recipient of message packets sets the initial value W _{Hm of} the “window size” field when forming the tСР-header of the response message packet, announcing to the sender of message packets his readiness to receive a small but sufficient amount of data for subsequent information exchange, as well as other connection variables . Connection variables, for example, are described in RFC-793, Transmission Control Protocol, September 1981, for example, such as Maximum Segment Size (MSS) or TCP Header (Padding).

After that, write (see block 11 in Fig. 5) in the “window size” field of the response fragment a random value W _Hm and send (see block 12 in Fig. 5) the response fragment with the SYN flags set to the sender of the TCP message packets ASK and the set value of the "window size" W _{Ha4 field} . In response, the sender of the message packets sends a segment with the ACK flag and enters the established logical connection state.

Receive (see block 13 in Fig. 5) from the sender of the GSR packet of messages, consisting of F fragments. The number of fragments F depends on the value of the “window size” field W _Ha4 , i.e. the data packet that needs to be transmitted to the sender of the GSR message packets will be received by the recipient of the TCP message packets in fragments no more than the value W _Ha4 - Next, remember (see block 14 in Fig. 5) F fragments of the TCP message packet received from the sender in the array memory Sp and form (see block 15 in Fig. 5) M response fragments of the TCP message packet. Then remember (see block 16 in Fig. 5) M generated response fragments of the TCP message packet in the memory array Gp, and also remember (see block 17 in Fig. 5) in the memory array AG the correspondence to the k-th received fragment TSR- a message packet from the Sp array of the tth generated response fragment of the TCP message packet from the Gp memory array.

After that, the counter / number of generated response fragments of the TCP message packet stored in the memory array Gp is set (see block 18 in FIG. 5) to G equal to M and sent (see block 19 in FIG. 5) to the sender of the TCP message packets confirmation on the reception of the first fragment of the F received fragments of the TCP message packet. The first packet is received immediately in order to mask the network "trap", if special software is used to search it on the network, for example, such as Degreaser by zero or small value of the "window size" parameter of the TCP message packet header.

Next, delete (see block 20 in Fig. 5) the first of the F received TSR segments from the sender of the TCP message packets from the Sp memory array and delete (see block 21 in Fig. 5) the first of the M generated TSP packet response fragments messages from the Gp memory array. After that, the counter / number of generated M response fragments of the TCP message packet is reduced by one.

In order to simulate the loss of sent fragments of the TCP message packet, or violation of the order of fragment delivery or replication of ACK packets or data fragments on the network (see, for example, https://tools.ietf.org/html/rfc5681) they send (see block 23 in Fig. 5) to the sender of the TCP message packets three duplicates of the ACK confirmation, indicating the receipt of the next from the received fragments of the TCP message packet, for example, with a violation of the delivery order during t _ass - After that, take (see block 24 on Fig. 5) repeatedly from the sender of the messages the next (k + 1) -th from earlier Answered F fragments GSR message packet and sent (see. the block 25 in FIG. 5) to the sender a confirmation message on the successful receipt of the next (k + 1) -th F of previously received fragments tcp Message-packet. Then delete (see block 26 in Fig. 5) the next (k + 1) -th of the F received fragments of the TCP message packet from the sender of the TCP message packets from the Sp memory array and delete it (see block 27 in Fig. 5) the next (m + 1) -and from M formed TSR segments from the memory array Gp.

After that, the counter / number M of generated response fragments of the TCP message packet is reduced (see block 28 in Fig. 5) by one, until the penultimate (Fl) -ft is retransmitted from the received F fragments of the TCP message packet, i.e. as long as the counter / quantity value

M formed response fragments of the TCP message packet (see block 29 in Fig. 5) will not be equal to unity 1 = 1.

This suggests that there is only one raw fragment left in the memory array and, if processed, the sender of the TCP message packet can simply end the connection. And in order to avoid this, i.e. to realize the maximum time of controlled interaction with the intruder after re-receiving the penultimate (Fl) -ro from F fragments of the TCP message packet, set (see block 30 in Fig. 5) the window size field of the response fragment _Wdl = 0 and form (see block 31 in Fig. 5) a response fragment of the TCP-packet of messages with W _zd = 0, send (see block 32 in Fig. 5) the response fragment with W _Zd = 0 to the sender of the TCP-packet of messages. Having received a message packet with W _zd = 0, in accordance with the specification of the TCP protocol (see RFC-793), the sender of the message packets will periodically send trial single-byte segments “zero window ргоЬе”, requesting the recipient of message packets to retry information about the value of the “size” field windows ”to determine when it will be able to resume sending data. The recipient of message packets, implementing a mechanism for holding in a two-way connection with the sender of message packets, does not enlarge the window, leaving it equal to zero, thereby keeping the sender of message packets blocked for a long time until the timeout expires (FIN-WAIT- V), determined by the presets of the operating system of the sender of message packets.

If the sender of message packets attempts to break the held connection (by sending a message packet with the flag FIN = \ in the TCP header) or send urgent data (sending a message packet with the flag URG = \ in the TCP header), then to block attempts to terminate the connection from the side the sender of the TCP packets of the message packets is ignored (see block 33 in FIG. 5) all incoming fragments until the connection timeout expires.

In the process of holding the connection, the resources of the sender of message packets are spent to maintain the state of the connection, which imposes a limitation on the computing resource used by the intruder. In most practical cases, the "depletion" of resources at the sender leads to the inability of the sender to send message packets network information exchange.

At the same time, the recipient of message packets does not support the connection state for his part and does not consume his computing resource, which gives him a time gain for adapting the security system, which consists in rebuilding its parameters and (or) structure, and makes it possible to continue to process message packets, without clipboard overflow and service quality degradation.

The correspondence to the kth received fragment of the TCP packet of messages from the array Sp of the tth generated response fragment of the TCP packet of messages from the array of memory Gp is stored in the memory array AG by writing a logical unit to the cell \ k, t \ of the memory array AG. The two-dimensional memory array as a result contains a simple matrix containing zeros and ones. A unit in the matrix cell means the correspondence of the ith IP address of the network device with the um M4 C address.

The value of the service window "window size" for the formation of the response fragment of the TCP message packet is selected in the range from 11 to 30 bytes.

The value of t _3a d is the time interval during which three duplicates of ACK confirmation will be sent to the sender of the TCP-message packages, they are selected in the range from 5 to 9 seconds.

The effectiveness of the formulated technical result was verified by software implementation of the claimed method and conducting a full-scale experiment. The essence of the experiment is a comparison of the detection efficiency of the network "trap" implemented in the prototype method with the detection efficiency of the network "trap" in the software implementation of the claimed method. To identify the characteristics of protective equipment during the experiment, the specialized software Degreaser was used.

In FIG. 6 presents the results of the first stage of the experiment. The fundamental criterion for detecting network "traps" is the analysis of the flow of GSR message packets. The set value of the “window size” field (see the Window Size column in Fig. 6) of the network “trap” is ten bytes by default. The detection of this value allows the specialized Degreaser software to unambiguously identify the fact of using the network “trap” (Tarpit) as a means of protecting the computer network (see the Scan Result column in Fig. 6).

At the second stage of the experiment, a software implementation of the claimed method was used. To eliminate the unmasking feature of the network "trap", a randomly generated value of the "window size" field was used in the range from 11 to 30 bytes (see the Window Size column in Fig. 7). Using this value completely eliminated the unmasking feature of the network “trap” and thus concealed the fact of using a network “trap” to protect the computer network (see the Real host value of the Scan Result column corresponding to the generated value of the window size field of the Window Size column in FIG. 7).

In FIG. 8 presents the results of the third stage of the experiment. The essence of this stage is to compare the time duration of the controlled interaction of the intruder and the network "trap" implemented in the prototype method with the time duration of the controlled interaction of the intruder and the network "trap" with the software implementation of the claimed method. To evaluate the capabilities of the protective equipment during the experiment, interception of network responses to requests was used using the Wireshark packet analyzer described, for example, in (Abbhinav, Singh. Instant Wireshark Starter. Pakt Publishing, UK. 69 p. ISBN 978-1-84969-564 -0). In FIG. Figure 8 shows a screen display showing the length of time of the controlled interaction of the intruder and the network "trap", the value of the "window size" field of which is zero bytes. The screen form displays the columns: Time, containing fixed values of the time intervals of the controlled interaction of the intruder and the network "trap" given in increasing order; Sourse and Destination containing the IP addresses of the intruder and the network "trap"; Info containing network sharing options. The attempt to connect the intruder to the network “trap” was simulated using the Chrome Internet browser and for the analyzed Windows 7 operating system, the duration of the controlled interaction was 3566 seconds (the last row of the Time column of the screen form).

At the fourth stage of the experiment, a software implementation of the claimed method was used under the same conditions of FIG. 9. For the analyzed Windows 7 operating system, the length of time for the controlled interaction of the intruder and the network “trap”, the value of the “window size” field is zero bytes and duplicate ASK confirmation is used, amounted to 3948 seconds (the last row of the Time column of the screen form). This indicates an increase in the effectiveness of the software-implemented means of proactive protection of computer networks in the claimed method compared to the prototype by 10%, ceteris paribus.

At the fifth stage of the experiment, the software implementation of the claimed method was also used, only an attempt to connect the intruder to the network “trap” was simulated using the SSH protocol using putty and iperf TCP clients that showed the same results. Figure 10 presents the screen form showing the length of time of the controlled interaction of the intruder and the network "trap" the value of the "window size" field is zero bytes, using the TCP client and the duplicated ASK mechanism. For the analyzed Windows 1 operating system, the duration of the controlled interaction of the network “trap" and the intruder under the specified conditions was 23035 seconds, the last row of the Time column of the screen form), after which the experiment was terminated, because The results obtained at this stage of the experiment allow us to conclude that there is an unlimited time for the controlled interaction of the network "trap" and the intruder under the above conditions due to the lack of a connection timeout mechanism for the TCP client.

As a result of the experiment, along with simulating a decrease in the quality of the communication channel due to the use of duplicates of ACK confirmation, in addition to increasing the length of the hold time in the two-way connection with the sender of message packets, the unmasking sign in the form of the service field “window size” of the header of the response TCP message packet equal zero byte inherent in the network "trap" implemented in the prototype method. In addition, the obtained values of the length of time of the controlled interaction of the intruder and the network "trap" allow them to be used to determine the type of operating system of the intruder.

Thus, in the claimed method, the stated goal is achieved, which is to increase the effectiveness of protection by reducing the likelihood of an intruder detecting the use of protective equipment and identifying their characteristics, achieved by dividing the address space of the computer network into areas that ensure the realism of the functioning of the protected computer network, simulating the channel due to poor quality, keeping in a two-way connection with the sender of packets with communication as well as blocking the sender attempts to break the connection.

Claims (4)

1. The method of protecting computer networks, which consists in connecting network devices to the computer network and after receiving ARP requests to the i-th unused IP address of the network device of the computer network, they form a response message packet, record in the TCP window size field of the response message packet header value W _start equal to ten bytes, receive the next message packet, form the response message packet, set the value W _beat to zero bytes in the window size field of the TCP header of the response message packet, eg inform the sender of the generated response message packets, and to block attempts to disconnect from the sender of the message packets, ignore all incoming message packets until the connection timeout expires, characterized in that the set {M _IP } of all i IP addresses of the network devices of the computer network is pre-set , where i = 1, 2, ..., n, and n is the maximum allowable value of the range of IP addresses for a computer network, the set {A _IP } allowed for use in a computer network IP addresses of network devices, where {A _IP } ∈ {M _IP }, the set of {D _IP } forbidden IP network addresses of network devices for use in a computer network, where {D _IP ) = {M _IP / A _IP ) = {D _IP ∈ M _IP ∧ D _IP ∉ A _IP }, the set of {U _IP } allowed and temporarily unconnected IP addresses of network devices in the computer network from the set of {A _IP } and the set of {R _IP } permitted and connected IP addresses of network devices in the computer network from the set of {A _IP }, where {U _IP } = {A _IP / R _IP } = {U _IP ∈ A _IP ∧ U _IP ∉ R _IP } and {R _IP } = {A _IP / U _IP } = {R _IP ∈ A _IP ∧ R _IP ∉ U _IP }, an array of memory S _P for storing k fragments received from the sender of TCP message packets, where k = 1, 2, ..., F, and F is the total number of received fragments of the TCP message packet, an array of memory Gp for storing m generated response fragments of the TCP message packet, where m = 1, 2, ..., M, and M is the total number of generated response messages fragments of the TCP message packet, an AG memory array for storing the correspondence matrix to the kth received fragment of the TCP message packet from the array S _{P of the} mth generated fragment of the TCP message packet from the memory array G _P , time interval t _ass , during which the sender TCP message packets will be sent three duplicate confirmation Ia ASA, and after connecting the network devices to the network is stored the IP address temporarily unconnected network devices in the set {U _IP}, then take ARP-request to any i-th IP address of the network device of the plurality of {M _IP} and compared The IP address of the recipient of the ARP request with IP addresses of network devices from the set of {D _IP } prohibited for use in the computer network IP addresses of network devices, and according to the results of comparison, if the IP address of the recipient of the ARP request matches IP addresses from IP sets {D _IP } prohibited for use Using the IP addresses of network devices in the computer network ignores the ARP request, otherwise, that is, if the IP address of the recipient of the ARP request does not match the IP addresses from the set {D _IP }, the IP address of the recipient of the ARP request is compared with IP addresses of network devices from the set of {R _IP } allowed and connected IP addresses of network devices, and according to the results of comparison, if the IP address of the recipient of the ARP request matches IP addresses from the set of {R _IP } allowed and connected IP addresses form a message about the availability of the packet receiver node messages, otherwise, that is, if the IP address of the recipient of the ARP request does not match the IP addresses of the set {R _IP }, the IP address of the recipient of the ARP request is compared with the IP addresses of network devices from the set of {U _IP } temporarily unconnected IP addresses, and according to the results of comparison, if the IP address of the recipient of the ARP request does not match IP addresses from the set of {U _IP } temporarily unconnected IP addresses, a message is sent about the availability of the recipient node of the message packet, otherwise, that is when the IP address of the recipient of the ARP request matches the IP address From the set of {U _IP }, they establish a TCP connection with the sender of message packets, for which they accept a request fragment for establishing a connection with the SYN flag set, write in the window size field of the response fragment a random value W _beginning , send to the sender TCP packet messages back fragment defined flags SYN and ACK fields are set by the value "window size» W _nach, receiving from the sender TCP-packet messages from F fragments stored F received from the sender messages fragments TCP packet In the memory array S _P , M response fragments of the TCP message packet are formed, M formed response fragments of the TCP message packet are stored in the memory array G _P , the correspondence to the kth received fragment of the TCP message packet from the array S _{P is} stored in the memory array AG m-th fragment generated response message from the memory array TCP-packet G _P, establish the value of the counter number l fragments generated response message of the TCP packet stored in the memory array G _P equal to M, the sender sent the TCP packet messages etc. dtverzhdenie of reception of the first fragment of F fragments received messages TCP packet, remove the first of the F received TCP segments from the sender TCP packet messages from the memory array S _P, is removed first from M generated response message fragment TCP packet from the memory array G _P reduce by one the value of the counter l of the number of generated M response fragments of the TCP message packet, send to the sender of the message TCP packet three duplicates of ACK confirmation, indicating the receipt of the next TCP message from K received Chum messages in violation of the delivery order for t _ass, then re-receive messages from the sender to the next (k + 1) -th of the previously received message fragments F TCP packet is sent to the sender a confirmation message on the successful receipt of the next (k + 1) - of the F previously received fragments of the TCP message packet, delete the next (k + 1) th from the F received fragments of the TCP message packet from the sender of the TCP message packets from the memory array S _P , delete the next (m + 1) th from M generated TCP segment from the memory array G _P, is reduced and unit counter value l of the number M of generated response fragments of the TCP message packet, and so on until the last but one (F-1) of the received F fragments of the TCP message packet is sent again by the sender of the TCP message packets, t. e. until the counter value l of the number M of the generated response fragments of the TCP message packet does not become equal to unity l = 1, after re-receiving the penultimate (Fl) of F fragments of the TCP message packet, the window size field of the response fragment W is set _sp = 0, forming a return message fragment TCP packet W _ud = 0 is sent to the sender of the TCP packet messages back fragment W _sp = 0, to block attempts to break the connection by the sender of the TCP packet message packets ignore all incoming fragments, etc. until expires connection timeout. 2. The method according to p. 1, characterized in that the storage in the memory array AG of the correspondence to the kth received fragment of the TCP message packet from the array S _{P of the} mth generated response fragment of the TCP message packet from the memory array G _{P is} carried out by writing to cell ⎜k, m⎜ of the memory array AG of a logical unit. 3. The method according to p. 1, characterized in that the value of W _beginning service field "window size" for the formation of the response fragment of the TCP message packet is selected in the range from 11 to 30 bytes. 4. The method according to p. 1, characterized in that the value of t _ass the time interval during which three duplicates of confirmation of the ASK will be sent to the sender of the TCP messages packets, choose from 5 to 9 seconds.

Images