201112675

VI. Description of the Invention:

【Technical Field of the Invention】

[0001] The present invention relates to a wireless router and to a method of using the wireless router to prevent malicious scanning.

【Prior Art】

[0002] A wireless router itself, or a server on the LAN (Local Area Network) side, normally opens a number of UDP (User Datagram Protocol) ports in order to provide client computers with the corresponding services. A malicious user on the network, however, can learn which of those ports are open by scanning and listening on ports, and can then use the open ports as entry points or attack points. Preventing scans by malicious attackers is therefore the most effective way to protect the wireless router itself or the LAN-side server.

【Summary of the Invention】

[0003] In view of the above, there is a need for a wireless router, and a method of using the wireless router to prevent malicious scanning, that keeps a malicious user from learning whether a scanned port is open, thereby protecting the wireless router itself or the LAN-side server.

[0004] A wireless router has a log system installed and is connected to at least one WAN client computer and to at least one LAN-side server. The wireless router comprises: a forwarding module, which forwards a UDP port-scan packet sent by the WAN client computer to the LAN-side server; a receiving module, which receives the response packet returned by the LAN-side server; a judging module, which determines from the message format of the response packet received by the receiving module whether that response packet is an ICMP Port Unreachable packet, and which, when the response packet is an ICMP Port Unreachable packet, further determines from the connection record associated with the response packet whether it is a normal response packet; and a protection module, which, when the response packet is an ICMP Port Unreachable packet and is not a normal response packet, discards the response packet and notifies the log system to record the port-scan event.

098131435 Form No. A0101 Page 4 / 16 0982053934-0

[0005] A method of using a wireless router to prevent malicious scanning comprises the steps of: when a WAN client computer sends a UDP port-scan packet, the wireless router forwards the UDP port-scan packet to the LAN-side server; the wireless router receives the response packet returned by the LAN-side server; the wireless router determines from the message format of the received response packet whether it is an ICMP Port Unreachable packet; when the received response packet is an ICMP Port Unreachable packet, the wireless router determines from the connection record associated with the response packet whether it is a normal response packet; and when the response packet is not a normal response packet, the wireless router discards it and notifies the log system to record the port-scan event.

[0006] Compared with the prior art, the method of preventing malicious scanning described here works as follows: if an attacker scans the LAN-side server, the wireless router discards the ICMP (Internet Control Message Protocol) Port Unreachable packets generated by the LAN-side server, so that the open or closed state of the LAN-side server's ports is not leaked, and the wireless router itself or the LAN-side server is protected from attack by the malicious user.

【Embodiments】

[0007] The technical terms used in this invention are explained as follows:

[0008] Port: a communication protocol port in a network for connection-oriented and connectionless services. A port is an abstract software structure comprising data structures and I/O (basic input/output) buffers. It is a software structure used by a client program or a service process to send and receive information. Each port corresponds to a 16-bit number. In the logical sense, a port generally refers to a port of the TCP/IP protocol suite (Transmission Control Protocol/Internet Protocol); port numbers range from 0 to 65535, for example port 80 for the web-browsing service and port 21 for the FTP service.

[0009] Port scanning: connecting to the TCP or UDP ports of a target system in order to determine which services are running.

[0010] UDP port scanning: the process of performing a port scan to determine which User Datagram Protocol (UDP) ports are open. UDP scanning can be used by hackers to launch attacks, or for legitimate purposes. UDP scanning relies on the fact that sending data to a closed UDP port produces an ICMP Port Unreachable message in response; if UDP data is sent to the host being scanned and no ICMP Port Unreachable message comes back, the port can be assumed to be open.

[0011] ICMP: Internet Control Message Protocol, a sub-protocol of the TCP/IP protocol suite used to pass control messages between IP hosts and routers. Control messages are messages about the network itself, such as whether the network is reachable, whether a host is reachable, and whether a route is available.

[0012] FIG. 1 is a schematic diagram of the architecture of a preferred embodiment of the method of preventing malicious scanning according to the present invention. The architecture comprises at least one WAN client computer 1, a wireless router 2, and at least one LAN-side server 3. The WAN client computer 1 has an ADSL modem (not shown) or a cable modem (not shown).

[0013] That modem is connected by a network cable to the WAN port (not shown) of the wireless router 2, and the LAN-side server 3 is connected by a network cable to a LAN port (not shown) of the wireless router 2. A log system 21 is installed in the wireless router 2. The log system 21 records accurately and promptly all events that occur in the system, for example the event that a UDP port (not shown) has been scanned.

[0014] FIG. 2 is a functional module diagram of the wireless router of the present invention. The wireless router further comprises a forwarding module 201, a receiving module 202, a judging module 203 and a protection module 204.

[0015] The forwarding module 201 forwards a UDP port-scan packet sent by the WAN client computer 1 to the LAN-side server 3.

[0016] The receiving module 202 receives the response packet returned by the LAN-side server 3.

[0017] The judging module 203 determines from the message format of the response packet received by the receiving module 202 whether the received response packet is an ICMP Port Unreachable packet. When the Protocol field of the IP header in the message format of the received response packet is 1, and Type = 3 and Code = 3, the response packet is judged to be an ICMP Port Unreachable packet; otherwise it is judged not to be an ICMP Port Unreachable packet.

[0018] The forwarding module 201 is further used, when the received response packet is not an ICMP Port Unreachable packet, to forward the response packet to the WAN client computer 1 for processing.

[0019] The judging module 203 is further used to determine, from the connection record associated with the response packet, whether the ICMP Port Unreachable packet is a normal response packet. When the response packet is a normal response generated after a previously established, normal connection was subsequently closed, or when the packet is a normal response generated by a UDP connection that previously reached the LAN-side server 3 and exchanged data with it, the judging module 203 judges the ICMP Port Unreachable packet to be a normal response packet; when the number of ICMP Port Unreachable replies within a single time interval exceeds a certain amount, the judging module 203 judges them not to be normal response packets.

[0020] The protection module 204 is used, when the judging module 203 determines that the response packet is an ICMP Port Unreachable packet and is not a normal response packet, to discard the response packet, to notify the log system 21 to record the event that the UDP port was scanned, and to display the event to the user.

[0021] The protection module 204 is further used, when the judging module 203 determines that the response packet is an ICMP Port Unreachable packet and is a normal response packet, to discard the response packet.

[0022] FIG. 3 is a flowchart of a preferred embodiment of the method of preventing malicious scanning of the present invention.

[0023] Step S10: when the WAN client computer 1 sends a UDP port-scan packet, the forwarding module 201 forwards the UDP port-scan packet sent by the WAN client computer 1 to the LAN-side server 3.

[0024] Step S11: the receiving module 202 receives the response packet returned by the LAN-side server 3.

[0025] Step S12: the judging module 203 determines whether the received response packet is an ICMP Port Unreachable packet. If the response packet is an ICMP Port Unreachable packet, the flow proceeds to step S14; if it is not, the flow proceeds to step S13.

[0026] Step S13: the forwarding module 201 forwards the response packet to the WAN client computer 1 for processing, and the flow ends.

[0027] Step S14: the judging module 203 determines, from the connection record associated with the response packet, whether the ICMP Port Unreachable packet is a normal response packet. If the ICMP Port Unreachable packet is judged not to be a normal response packet, the flow proceeds to step S15; if it is judged to be a normal response packet, the flow proceeds to step S16.

[0028] Step S15: the protection module 204 discards the response packet so that the open or closed state of the ports of the LAN-side server 3 is not leaked, protecting the wireless router 2 itself or the LAN-side server 3 from attack by malicious users; at the same time it notifies the log system 21 to record the event that the UDP port was scanned and displays the event to the user, and the flow ends.

[0029] Step S16: the protection module 204 discards the response packet, and the flow ends.

[0030] In summary, the present invention meets the requirements for an invention patent, and a patent application is filed accordingly. The foregoing is only a preferred embodiment of the present invention, and the scope of the present invention is not limited to the embodiment described above; equivalent modifications or variations made by those skilled in the art in the spirit of the present invention shall all be covered by the following claims.

【Brief Description of the Drawings】

[0031] FIG. 1 is a schematic diagram of the architecture of a preferred embodiment of the method of preventing malicious scanning of the present invention.

[0032] FIG. 2 is a functional module diagram of the wireless router of the present invention.

[0033] FIG. 3 is a flowchart of a preferred embodiment of the method of preventing malicious scanning of the present invention.

【Description of Main Reference Numerals】

[0034] WAN client computer 1
[0035] Wireless router 2
[0036] Log system 21
[0037] LAN-side server 3
[0038] Forwarding module 201
[0039] Receiving module 202
[0040] Judging module 203
[0041] Protection module 204

Step labels of the flowchart in FIG. 3:

[0042] Forward the UDP port-scan packet sent by the WAN client computer to the LAN server S10
[0043] Receive the response packet from the LAN server S11
[0044] Determine whether the received response packet is an ICMP Port Unreachable packet S12
[0045] Forward it to the WAN client computer for processing S13
[0046] Determine whether it is a normal response packet S14
[0047] Discard the response packet and notify the log system to record the UDP port-scan event S15
[0048] Discard the response packet S16
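The decision logic of steps S12 to S16 (judging module 203 and protection module 204), as an added example that is not part of the patent: it builds constructed IPv4/UDP and ICMP packets with `struct`, classifies a server response as ICMP Port Unreachable from the IP Protocol field and the ICMP Type/Code, recovers the probed flow from the datagram quoted in the ICMP error, and returns forward, silent drop, or drop-and-log. The `ScanGuard` name, the `known_flows` connection table, counting the per-interval "certain amount" per WAN client, and all addresses are assumptions.

```python
import struct
from collections import defaultdict

FORWARD, DROP, DROP_AND_LOG = "S13 forward", "S16 drop", "S15 drop+log"

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header; checksum left 0 as it plays no part in classification."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, addr(src), addr(dst))

def udp_datagram(src, sport, dst, dport, payload=b""):
    """A UDP probe or reply (IP protocol 17)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(17, src, dst, len(udp)) + udp

def icmp_port_unreachable(server, client, sport, dport):
    """Constructed server response: ICMP type 3 code 3 quoting the probe's IP header + 8 bytes."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + udp_datagram(client, sport, server, dport)[:28]
    return ipv4_header(1, server, client, len(icmp)) + icmp

def is_port_unreachable(pkt):
    """Step S12: IP Protocol field == 1 (ICMP), ICMP Type == 3 and Code == 3."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9] == 1 and len(pkt) >= ihl + 8 and pkt[ihl] == 3 and pkt[ihl + 1] == 3

def quoted_flow(pkt):
    """Recover (client, client_port, server, server_port) of the probe quoted inside the ICMP error."""
    inner = pkt[(pkt[0] & 0x0F) * 4 + 8:]
    iihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    dotted = lambda b: ".".join(str(x) for x in b)
    return (dotted(inner[12:16]), sport, dotted(inner[16:20]), dport)

class ScanGuard:
    """Judging module 203 plus protection module 204 for one time interval (steps S12-S16)."""
    def __init__(self, known_flows, threshold):
        self.known_flows = set(known_flows)  # connection records of earlier UDP exchanges
        self.threshold = threshold
        self.counts = defaultdict(int)  # assumption: the 'certain amount' is counted per WAN client
        self.log = []  # what the log system 21 would record
    def handle(self, pkt):
        if not is_port_unreachable(pkt):
            return FORWARD  # S13: ordinary reply, pass it on to the WAN client
        flow = quoted_flow(pkt)
        self.counts[flow[0]] += 1  # Port Unreachables addressed to this client in the interval
        if flow in self.known_flows and self.counts[flow[0]] <= self.threshold:
            return DROP  # S16: normal response to an earlier exchange, suppressed silently
        self.log.append(f"UDP port {flow[3]} on {flow[2]} scanned from {flow[0]}")
        return DROP_AND_LOG  # S15: port state not leaked, scan event recorded
```

Both branches discard the ICMP error, exactly as steps S15 and S16 do; only the unexplained ones reach the log.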