
CN101753637A - Method and network address translation device preventing network attacks - Google Patents


Info

Publication number: CN101753637A
Authority: CN (China)
Prior art keywords: address, source, nat device, nat, data flow
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN200910242842A
Other languages: Chinese (zh)
Inventor: 陈朝晖
Current assignee: Beijing Star Net Ruijie Networks Co Ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: Beijing Star Net Ruijie Networks Co Ltd
Events: application filed by Beijing Star Net Ruijie Networks Co Ltd; priority to CN200910242842A; publication of CN101753637A; legal status pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a network address translation (NAT) device for preventing network attacks. The method comprises the following steps: the NAT device receives a data flow; the NAT device judges whether the source IP address of the data flow is legitimate; if the source IP address is legitimate, the NAT device creates a NAT table entry for the data flow, and if the source IP address is illegitimate, the NAT device refuses to create a NAT table entry for the data flow. The method protects the NAT table entries of the NAT device and thereby prevents network attacks.

Description

Method and network address translation apparatus for preventing network attacks
Technical field
The present invention relates to the field of network communications, and in particular to a method and a network address translation apparatus for preventing network attacks.
Background technology
Network Address Translation (NAT) converts between the IP addresses of an internal network (intranet) and the addresses of the public network. It translates a large number of intranet IP addresses into one or a small number of public IP addresses, reducing the consumption of public IP addresses.
The most typical application of NAT is in a local area network (LAN): only one computer needs to be connected to the Internet, and by sharing that Internet connection through NAT the other computers in the LAN can also go online. With NAT, computers in the LAN can access computers on the Internet, but computers on the Internet cannot initiate access to computers in the LAN.
Almost all intranet Internet access services provided by Internet Service Providers (ISPs) are based on NAT.
The benefits of applying NAT are: through NAT, multiple users can simultaneously share one public IP address to communicate with the external Internet, which saves IP addresses; and NAT isolates the internal network from the external Internet, which makes the intranet safer.
Fig. 1 is a topology diagram of a typical NAT application environment according to the related art.
As shown in Fig. 1, when a host on the internal network accesses an external network resource, the process comprises steps S1 to S6:
Step S1: internal host 192.168.12.2 initiates a connection to external host 168.168.12.1.
Step S2: when the router receives the first packet with source address 192.168.12.2, it checks the NAT mapping table. If a static mapping is configured for this address, step S3 is executed. If there is no static mapping, a dynamic mapping is performed: the router selects a valid address from the inside global address pool and creates a NAT translation record in the NAT mapping table. This record is the master record.
Step S3: the router replaces the source address of the packet with the inside global address stored in the NAT translation record for 192.168.12.2; after translation the source address of the packet is 200.168.12.2, and the packet is forwarded. The NAT translation record is shown in Table 1:
Table 1
Inside local address    Inside global address
192.168.12.2            200.168.12.2
Step S4: after host 168.168.12.1 receives the packet, it sends a response packet to 200.168.12.2.
Step S5: when the router receives a packet addressed to the inside global address, it searches the NAT record table using the inside global address 200.168.12.2 as the key, translates the destination address of the packet to 192.168.12.2 and forwards it to 192.168.12.2.
Step S6: 192.168.12.2 receives the response packet and continues the session. Steps S1 to S5 repeat until the session ends.
A NAT-enabled device is usually a gateway device. When a NAT device performs address translation, the most critical information is its NAT address translation table: usually every data flow corresponds to one NAT address translation table entry, which we also call a NAT entry. Once the NAT entry capacity is full, new data flows can no longer be translated.
Recently, attacks using forged source addresses have become common and cause many problems for ISPs and network operators. For example, an attacker actually located on the 192.168.196.0 network segment forges packets with the non-existent source address 11.0.0.1 to launch an attack, which causes the NAT gateway device to create NAT entries for the data flows from the non-existent source address 11.0.0.1.
Such attacks can usually be detected by a reverse route lookup. Normal packet forwarding looks up the forwarding route according to the destination address of the received IP packet and forwards the packet according to the matching forwarding entry; this lookup is performed when the packet needs an outgoing interface.
A reverse route lookup is instead performed when a packet is received on an interface: the device takes the source address of the packet and the interface on which it arrived, and looks up the forwarding entry for the source address in the forwarding table (that is, it asks: if a packet were sent to this source address, which interface would it leave on? The answer is found by looking up the forwarding entry).
If no forwarding entry exists, or the outgoing interface of the matching entry does not match the incoming interface of the packet, the source address of the packet is certainly illegitimate. Otherwise, the source address is legitimate.
Suppose the typical NAT application environment of Fig. 1, where the 11.0.0.0 network segment does not exist on the NAT device and the attacker is actually located on the 192.168.196.0 segment. If we look up a route for the source address 11.0.0.1 on the NAT device, normally no route is found, that is, no forwarding entry exists. If the NAT device has a default route configured, the lookup hits the default route; on a NAT device the interface pointed to by the default route is the outside interface, which certainly does not match the incoming interface of this packet (the packet arrived on an inside interface).
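The reverse route lookup described above, as an added example that is not part of the patent text. It runs a longest-prefix-match lookup on the source address and compares the resulting outgoing interface with the interface the packet arrived on, which is what router vendors call strict unicast reverse path forwarding (uRPF). The routing table, the interface names lan0 and wan0 and the prefixes are constructed assumptions modelled on the Fig. 1 topology: one inside interface reaching two intranet segments and a default route on the outside interface.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


def route(prefix, iface):
    return Route(ipaddress.ip_network(prefix), iface)


# Constructed routing table for a Fig. 1 style NAT gateway (assumed names and prefixes):
# inside interface lan0 reaches two intranet segments, the default route leaves on wan0.
ROUTES = [
    route("192.168.12.0/24", "lan0"),
    route("192.168.196.0/24", "lan0"),
    route("0.0.0.0/0", "wan0"),      # default route points at the outside interface
]
NO_DEFAULT = [r for r in ROUTES if r.prefix.prefixlen > 0]


def lookup(routes, ip):
    """Longest-prefix match, as the forwarding lookup would do; returns a Route or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def reverse_path_check(routes, src_ip, in_iface):
    """Reverse route lookup on a received packet: look up the route the device would use
    to reach src_ip and require that its outgoing interface equals the interface the
    packet arrived on. Returns "ok", "no-route" or "iface-mismatch:<iface>"."""
    r = lookup(routes, src_ip)
    if r is None:
        return "no-route"
    if r.out_iface != in_iface:
        return f"iface-mismatch:{r.out_iface}"
    return "ok"


if __name__ == "__main__":
    # The 11.0.0.1 case from the text: no route without a default route, otherwise the
    # default route's outside interface does not match the inside interface it came from.
    print(reverse_path_check(NO_DEFAULT, "11.0.0.1", "lan0"))      # no-route
    print(reverse_path_check(ROUTES, "11.0.0.1", "lan0"))          # iface-mismatch:wan0
    print(reverse_path_check(ROUTES, "192.168.196.7", "lan0"))     # ok
    # Limits: anything arriving on wan0 passes via the default route, and a forged
    # address inside a legitimately routed segment passes as well.
    print(reverse_path_check(ROUTES, "11.0.0.1", "wan0"))          # ok
    print(reverse_path_check(ROUTES, "192.168.196.137", "lan0"))   # ok
```

The two last calls show the limits a practitioner should keep in mind. With a default route, every source arriving on the outside interface passes, so the check is only meaningful on inside interfaces. A forged address that falls inside a segment legitimately routed through the same inside interface (192.168.196.137 here) also passes, which is exactly the gap the later ARP lookup and bidirectional traffic statistics are meant to close. Asymmetric routing, where a real host's return path would leave on a different interface, produces false positives and is the usual reason strict checks are relaxed in practice.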
There are many kinds of intranet attacks at present, and constructing data flows with forged source IP addresses to attack the NAT device is a common one. Current NAT devices usually do not check the legitimacy of the source IP, so an attacker can attack the NAT device by constructing a large number of data flows with non-existent source IPs. The NAT device creates NAT entries for these illegitimate data flows, consuming a large amount of its memory; when there are very many such invalid data flows they exhaust the NAT entries of the device, so that legitimate data flows cannot obtain a NAT entry, cannot be translated and cannot be forwarded normally.
The Chinese patent application entitled "A method for preventing network users from attacking network address translation (NAT) equipment" describes collecting statistics on the NAT connection information of existing intranet users, judging from the statistics whether the frequency and number of NAT connections established by an intranet user are legitimate, and limiting the illegitimate ones.
That application does not examine the case of NAT connection requests from non-existent intranet source addresses, and therefore cannot protect the NAT entries against this kind of attack.
The Chinese patent application entitled "Method for solving TCP and denial-of-service attacks in a NAT environment" controls the NAT connections of hosts that already exist on the intranet.
That application likewise does not examine the case of NAT connection requests from non-existent intranet source addresses, and therefore cannot protect the NAT entries against this kind of attack.
The Chinese patent application entitled "A method for preventing NAT-PT equipment from being attacked" also counts and observes the number of NAT connections of hosts that already exist on the intranet and controls the creation of NAT connections; it does not examine NAT connection requests from non-existent intranet source addresses, and therefore cannot protect the NAT entries against this kind of attack.
In the related art, no effective solution has yet been proposed for the problem that a NAT device is often attacked by a large number of illegitimate source IPs, its NAT entries are exhausted, and normal NAT packets cannot be forwarded.
Summary of the invention
The present invention is proposed in view of the problem that a NAT device is often attacked by a large number of illegitimate source IPs, causing its NAT entries to be exhausted so that normal NAT packets cannot be forwarded. The main object of the present invention is to provide a method and a NAT device for preventing network attacks that solve this problem.
To achieve this object, according to one aspect of the present invention, a method for preventing network attacks is provided.
The method for preventing network attacks according to the present invention comprises: a network address translation device receives a data flow; the NAT device judges whether the source IP address of the data flow is legitimate; if the source IP address is legitimate, the NAT device creates a NAT entry for the data flow, and if the source IP address is illegitimate, the NAT device refuses to create a NAT entry for the data flow.
Preferably, judging whether the source IP address of the data flow is legitimate comprises: the NAT device judges whether the source IP address of the data flow is on the same network segment as the network interface on which the NAT device received the packet; if it is, the NAT device looks up an ARP entry by the source IP address of the data flow; if the NAT device finds the ARP entry, the source IP address is determined to be legitimate.
Preferably, when the source IP address is not on the same network segment as the network interface on which the NAT device received the packet, judging whether the source IP address of the data flow is legitimate further comprises: the NAT device judges whether the network interface on which it received the data flow and the destination interface are the same interface, where the destination interface is the interface of the routing entry that the NAT device finds for the source IP address; if they are the same interface, the NAT device counts the number of packets whose destination address is the source IP address and the number of packets whose source address is the source IP address; if both counts are non-zero, the source IP address is determined to be legitimate.
Preferably, judging whether the source IP address of the data flow is legitimate comprises: the NAT device judges whether the source IP address of the first packet of the data flow is legitimate; if the source IP address of the first packet is illegitimate, the source IP address of the data flow is determined to be illegitimate.
Preferably, when the source IP address of the data flow is illegitimate, the method further comprises: adding the illegitimate source IP address to a blacklist.
Preferably, after the illegitimate source IP address has been added to the blacklist, the method further comprises: every preset time interval, the NAT device judges whether each source IP address in the blacklist is in use; if a source IP address in the blacklist is in use, it is deleted from the blacklist.
Preferably, judging every preset time interval whether each source IP address in the blacklist is in use comprises: every preset time interval, the NAT device sends a packet with a preset destination port to each source IP address in the blacklist; if the NAT device receives a response packet from a source IP address in the blacklist, that source IP address is determined to be in use.
Preferably, when the source IP address of the data flow is illegitimate, the method comprises: judging whether other data flows of the source IP address have already established NAT entries and, if so, deleting those NAT entries.
To achieve this object, according to another aspect of the present invention, a network address translation device is provided.
The network address translation device according to the present invention comprises: a receiving module for receiving a data flow; a first judging module for judging whether the source IP address of the data flow is legitimate; and a creating module for creating a NAT entry for the data flow when the source IP address is legitimate.
Preferably, the first judging module further comprises: a lookup submodule for looking up an ARP entry by the source IP address of the data flow when the source IP address is on the same network segment as the network interface on which the NAT device received the packet; and a first judging submodule for judging whether the source IP address of the data flow is legitimate according to the result of the ARP lookup.
Preferably, the first judging module further comprises: a second judging submodule for judging, when the source IP address of the data flow is not on the same network segment as the network interface on which the NAT device received the packet, whether the network interface on which the data flow was received and the destination interface are the same interface and, if so, triggering a statistics submodule, where the destination interface is the interface of the routing entry that the NAT device finds for the source IP address; the statistics submodule, for counting the number of packets whose destination address is the source IP address and the number of packets whose source address is the source IP address; and a third judging submodule for judging whether the source IP address of the data flow is legitimate according to the statistics.
Preferably, the NAT device further comprises: a second judging module for judging whether each source IP address in a blacklist is in use, where the blacklist stores illegitimate source IP addresses; and a removing module for deleting source IP addresses that are in use from the blacklist.
Preferably, the NAT device further comprises: a third judging module for judging, when the source IP is illegitimate, whether other data flows of the source IP address have already established NAT entries and, if so, deleting those NAT entries.
By the present invention, a network address translation device receives a data flow; the NAT device judges whether the source IP address of the data flow is legitimate; if it is legitimate the NAT device creates a NAT entry for the data flow, and if it is illegitimate the NAT device refuses to create one. This solves the problem that a large number of illegitimate source IPs attack the NAT device, exhaust its NAT entries and prevent normal NAT packets from being forwarded, and thereby achieves the effect of protecting the NAT entries of the NAT device and preventing network attacks.
Description of drawings
The drawings described here are provided for a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description explain the present invention and do not unduly limit it. In the drawings:
Fig. 1 is a topology diagram of a NAT application environment according to the related art;
Fig. 2 is a flow chart of the method for preventing network attacks according to an embodiment of the present invention;
Fig. 3 is a flow chart of a preferred method for preventing network attacks according to an embodiment of the present invention;
Fig. 4 is a flow chart of the periodic blacklist check according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the NAT device according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a preferred NAT device according to an embodiment of the present invention.
Embodiment
The present invention is proposed in view of the problem that a NAT device is often attacked by a large number of illegitimate source IPs, its NAT entries are exhausted and normal NAT packets cannot be forwarded; the embodiments of the present invention provide a method and a NAT device for preventing network attacks.
For a better description of the embodiments of the present invention, the following terms are defined first:
A data flow in this text means a stream of packets that share the same five-tuple. Data flows are usually classified by protocol into the following categories: TCP flows, UDP flows, ICMP flows and raw IP flows. The five-tuples of these protocol classes are listed in Table 1:
Table 1
Traffic category   Five-tuple identifier
TCP flow           source IP address | destination IP address | IP protocol | TCP source port | TCP destination port
UDP flow           source IP address | destination IP address | IP protocol | UDP source port | UDP destination port
ICMP flow          source IP address | destination IP address | IP protocol | ICMP ID | ICMP type
Raw IP flow        source IP address | destination IP address | IP protocol | 0x0000 | 0x0000
A default route is a record in the routing table that indicates where to send a packet whose destination is not in the routing table; it is a special static route, in short the route used when no matching route is found. In the routing table the default route appears with destination network 0.0.0.0 and subnet mask 0.0.0.0. If the destination address of a packet matches no other route, the system forwards the packet using the default route. Usually the outside interface of a NAT device is designated as its default route.
The Address Resolution Protocol (ARP), as its name suggests, is the protocol for resolving addresses. Specifically, on Ethernet it resolves a network-layer IP address into a physical-layer Ethernet address. IP packets are sent over Ethernet, but Ethernet devices do not recognise 32-bit IP addresses: they transmit Ethernet frames using 48-bit Ethernet addresses. An Ethernet device must therefore convert the destination IP address into an Ethernet address. A static or dynamic mapping exists between the two kinds of address, which usually requires consulting a table; ARP is the protocol used to determine these mappings.
A PC on the same network segment as an interface of the NAT device will, as long as it has a legitimate IP address, send ARP resolution requests to the NAT device, which creates an ARP entry on the NAT device. If a PC with IP address 192.168.196.2 directly constructs a UDP data flow with source IP address 192.168.196.137 and sends it to the NAT device, then since 192.168.196.137 is a non-existent IP address it never sends an ARP resolution request to the NAT device, and therefore no ARP entry for it is formed on the NAT device.
The main object of the present invention is to solve the problem that a large number of data flows with non-existent source IPs constructed on the intranet attack the NAT device, causing the NAT device to create NAT entries for these illegitimate data flows and exhaust its NAT entries, so that normal data flows cannot obtain NAT entries and normal NAT forwarding cannot be performed.
If, before the NAT device creates a NAT entry, the legitimacy of the intranet source IP of the data flow (whether it exists) is judged, so that the many data flows with forged intranet source IPs are identified and no NAT entries are created for them, the purpose of protecting the NAT entries of the NAT device is achieved.
It should be noted that, where there is no conflict, the embodiments of this application and the features of the embodiments may be combined with one another. The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
According to an embodiment of the present invention, a method for preventing network attacks is provided.
Fig. 2 is a flow chart of the method for preventing network attacks according to an embodiment of the present invention.
As shown in Fig. 2, the method comprises steps S202 to S206:
Step S202: the network address translation device receives a data flow;
Step S204: the NAT device judges whether the source IP address of the data flow is legitimate;
Step S206: if the source IP address is legitimate, the NAT device creates a NAT entry for the data flow, and if the source IP address is illegitimate, the NAT device refuses to create a NAT entry for the data flow.
In this embodiment, NAT entries are created only for data flows with legitimate source IP addresses, which protects the NAT entries of the NAT device and thereby prevents network attacks.
Preferably, judging whether the source IP address of the data flow is legitimate comprises: the NAT device judges whether the source IP address of the data flow is on the same network segment as the network interface on which the NAT device received the packet; if it is, the NAT device looks up an ARP entry by the source IP address of the data flow; if the NAT device finds the ARP entry, the source IP address is determined to be legitimate. By this method, the legitimacy of the source IP address of the data flow can be judged conveniently according to whether the source IP address is on the same network segment as the network interface on which the NAT device received the packet.
Preferably, when the source IP address is not on the same network segment as the network interface on which the NAT device received the packet, judging whether the source IP address of the data flow is legitimate further comprises: the NAT device judges whether the network interface on which it received the data flow and the destination interface are the same interface, where the destination interface is the interface of the routing entry that the NAT device finds for the source IP address; if they are the same interface, the NAT device counts the number of packets whose destination address is the source IP address and the number of packets whose source address is the source IP address; if both counts are non-zero, the source IP address is determined to be legitimate. By this method, the legitimacy of the source IP address can be judged conveniently when the source IP address is not on the same network segment as the receiving interface and the receiving interface and the destination interface are the same interface.
Preferably, when the network interface on which the NAT device received the data flow and the destination interface are not the same interface, judging whether the source IP address of the data flow is legitimate further comprises: if the destination interface does not exist, or the destination interface is not the same interface as the network interface on which the NAT device received the data flow, the source IP address is determined to be illegitimate. By this method, the legitimacy of the source IP address can be judged conveniently when the source IP address is not on the same network segment as the receiving interface and the receiving interface and the destination interface are not the same interface.
Preferably, judging whether the source IP address of the data flow is legitimate comprises: the NAT device judges whether the source IP address of the first packet of the data flow is legitimate; if the source IP address of the first packet is illegitimate, the source IP address of the data flow is determined to be illegitimate. Because all packets of a data flow carry the same source IP address, this method judges the legitimacy of the source IP address faster and more conveniently.
Preferably, when the source IP address of the data flow is illegitimate, the method further comprises: adding the illegitimate source IP address to a blacklist. Once a source IP address is on the blacklist, its legitimacy need not be judged again.
Preferably, after the illegitimate source IP address has been added to the blacklist, the method further comprises: every preset time interval, the NAT device judges whether each source IP address in the blacklist is in use; if a source IP address in the blacklist is in use, it is deleted from the blacklist.
Preferably, judging every preset time interval whether each source IP address in the blacklist is in use comprises: every preset time interval, the NAT device sends a packet with a preset destination port to each source IP address in the blacklist; if the NAT device receives a response packet from a source IP address in the blacklist, that source IP address is determined to be in use.
Preferably, when the source IP address of the data flow is illegitimate, the method further comprises: judging whether other data flows of the source IP address have already established NAT entries and, if so, deleting those NAT entries.
Be described in detail below in conjunction with the implementation procedure of example the embodiment of the invention.
Whether the Intranet source IP that wants judgment data stream legal existence, distinguish three kinds of situations:
Situation one: all in same IP network, the promptly all Intranet source IP users and the interior network interface of NAT device belong to same IP address network segment to the Intranet IP that NAT device connects.
In this case, we can obtain the Intranet source IP of data flow, then this Intranet source IP are searched the ARP table of NAT device, if do not find the ARP list item, illustrate that then this Intranet source IP is illegal non-existent IP address.To the data flow of such source IP address, do not allow to produce the NAT list item.
Situation two: Intranet IP that NAT device connects and NAT device are in a plurality of direct-connected Intranet network segments, and promptly NAT device has a plurality of interior network interfaces, the Intranet network segment that each interface is corresponding different.
In this case, if the source IP under the network interface network segment in being somebody's turn to do then is exactly that situation one can be judged.If Intranet source IP is other Fei Bennei network interface network segments, we can obtain the Intranet source IP of data flow, be the purpose IP of route querying with this Intranet source IP then, NAT device is carried out reverse route querying, if the route of can not find, perhaps found the interface of route unequal, illustrated that then this Intranet source IP is illegal non-existent IP address with the source interface that this data flow receives.To the data flow of such source IP address, do not allow to produce the NAT list item.
Situation three: Intranet IP that NAT device connects and NAT device are in a plurality of indirectly connected Intranet network segments, and promptly the interior network interface of NAT device connects one or many s' three-tier switch, and the Intranet network segment is divided by three-tier switch.
In this case, because the interior network interface of NAT device is to be connected with three-tier switch, if the Intranet source IP that forges is the IP that divides the legal network segment that comes out in the three-tier switch, NAT device is carried out reverse route querying, can find that such Intranet source IP still be legal because look for interface and the source interface of data flow all be network interface in that links to each other with switch.Therefore the scheme of situation one and situation two all can't be judged such forgery source IP.
At this point we need to judge whether the source IP is a real intranet IP or a forged one from the bidirectional protocol interaction characteristics of its traffic. When a real intranet IP communicates with an external destination address, it will certainly receive legitimate responses from that destination; if the intranet source IP is forged, the contents of its data flow are forged as well, and no legitimate response from the external destination will arrive. Whether an intranet source IP is forged can therefore be judged from the interaction characteristics of the packets exchanged between the intranet and the external network.
1. A forged intranet source IP accesses a non-existent external destination address, so the external network sends no response at all. Count, over a period of time (empirical value: 3 minutes), the packets forwarded through the NAT device whose destination address is this intranet source IP; if no such packet is counted within that period, this intranet source IP is a non-existent IP.
2. A forged intranet source IP accesses an external destination address that does exist, but the packet itself is also forged, so the external destination may not respond at all, or may respond with an error packet. This includes the following cases:
(1) If this intranet source IP sends forged UDP packets to the external destination address, the external destination will not respond, or will respond with an ICMP unreachable packet. We therefore count, over a period of time (empirical value: 3 minutes), the packets forwarded through the NAT device whose destination address is this intranet source IP; if the number of UDP packets counted is 0 while the number of UDP packets sent by the intranet source IP is not 0 (note that the number of packets sent by the intranet source IP includes the first packet received by the NAT device; likewise below), this intranet source IP is a non-existent IP.
(2) If this intranet source IP sends forged TCP packets to the external destination address, the external destination will not respond, or will respond with a TCP RST (reset) packet; it will not respond with a legitimate TCP ACK packet. We therefore count, over a period of time (empirical value: 3 minutes), the packets forwarded through the NAT device whose destination address is this intranet source IP; if the number of legitimate TCP ACK packets counted is 0 while the number of TCP packets sent by the intranet source IP is not 0, this intranet source IP is a non-existent IP.
Forged source IPs detected in cases 1 and 2 above are put on a blacklist, and no NAT entry is created for data flows with such source IP addresses.
In situation three, the IPs placed on the blacklist also need to be checked regularly (empirical value: every 10 seconds), because some user may later genuinely use such a source IP, in which case it must be removed from the blacklist. The check is performed as follows:
A TCP FIN packet with destination port 65534 is sent periodically to the source IP. According to the TCP protocol standard, a PC host will reply with a TCP RST packet. If the NAT device receives this TCP RST packet, the source address is legitimate and must be removed from the blacklist.
Fig. 3 is a flow chart of the preferred method of preventing network attacks according to an embodiment of the invention.
As shown in Fig. 3, the method comprises the following steps:
Step S301: the NAT device receives the first packet of a data flow and obtains the intranet source IP of the packet;
Step S302: judge whether the intranet source IP of the packet is in the same network segment as the network interface on which the NAT device received the packet; if it is, go to step S303, otherwise go to step S306;
Step S303: look up the ARP table of the NAT device with the intranet source IP of the packet;
Step S304: judge the result of the ARP lookup; if an ARP entry is found, go to step S315, otherwise go to step S305;
Step S305: since no ARP entry exists, the intranet source IP of this packet is an illegitimate, non-existent source IP; no NAT entry is created; go to step S313;
Step S306: look up the forwarding route of the NAT device with the intranet source IP of the packet as the destination IP;
Step S307: judge the result of the route lookup, i.e. whether the destination interface of the route and the network interface on which the NAT device received the packet are the same interface; if they are the same interface, go to step S309, otherwise go to step S308;
Step S308: since the destination interface of the route does not exist, or the destination interface of the route and the network interface on which the NAT device received the packet are not the same interface, the intranet source IP of this packet is an illegitimate, non-existent source IP; no NAT entry is created; go to step S313;
Step S309: over a time interval of 3 minutes, count the packets forwarded by the NAT device whose destination address is the intranet source IP of the packet;
Step S310: judge whether the packet count is 0; if it is 0, go to step S314, otherwise go to step S311;
Step S311: over a time interval of 3 minutes, count the packets forwarded by the NAT device. If the first packet of step S301 is a UDP packet, count the number of UDP packets whose destination address is the intranet source IP of the packet and the number of UDP packets whose source address is that intranet source IP; if the first packet of step S301 is a TCP packet, count the number of legitimate TCP ACK packets whose destination address is the intranet source IP and the number of TCP packets whose source address is that intranet source IP. In this embodiment UDP and TCP packets are described only as examples; packets of other protocols are equally applicable to the method of this embodiment;
Step S312: judge whether either of the two counts is 0; if neither count is 0, go to step S315, otherwise go to step S314;
Step S313: do not create a NAT entry; subsequent packets of this data flow are not NAT-processed;
Step S314: do not create a NAT entry; subsequent packets of this data flow are not NAT-processed; and put this source address on the blacklist;
Step S315: create the NAT entry corresponding to the data flow; subsequent packets of this data flow are translated directly according to this NAT entry.
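The decision procedure of Fig. 3, together with the statistics rules of situation three above, as an added, self-contained model written for this page (not code from the patent or its assignee). The topology, the ARP and route tables, the interface names `inside`/`outside` and the packets in the statistics window are constructed sample data; `NatDevice`, `Packet`, `check_first_packet` and the `create`/`deny`/`blacklist` verdict strings are names chosen here. A "legitimate TCP ACK" reply is taken to be a segment with ACK set and RST clear, which is how the text distinguishes it from a TCP RST response.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()    # TCP flags, e.g. frozenset({"SYN", "ACK"})


@dataclass
class NatDevice:
    ifaces: dict        # interface name -> directly connected networks (CIDR strings)
    arp: set            # IPs that currently hold an ARP entry on the device
    routes: list        # (CIDR string, outgoing interface) route entries
    blacklist: set = field(default_factory=set)
    nat_table: set = field(default_factory=set)   # (src, dst, proto) flow keys

    def same_segment(self, ip, iface):
        """Step S302: is the source IP inside a network of the receiving interface?"""
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.ifaces.get(iface, []))

    def route_iface(self, ip):
        """Steps S306/S307: reverse route lookup by longest prefix; None if no route."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, iface in self.routes:
            network = ipaddress.ip_network(net)
            if addr in network and (best is None or network.prefixlen > best[0]):
                best = (network.prefixlen, iface)
        return best[1] if best else None


def is_legit_ack(pkt):
    """A 'legitimate TCP ACK' reply: ACK set and RST clear (assumption, see lead-in)."""
    return pkt.proto == "tcp" and "ACK" in pkt.flags and "RST" not in pkt.flags


def traffic_counts(src_ip, proto, window):
    """Steps S309 and S311 over the packets forwarded during the statistics window.
    Returns (packets to src_ip, protocol-specific replies to src_ip, packets from src_ip)."""
    to_src = sum(1 for p in window if p.dst == src_ip)
    if proto == "udp":
        replies = sum(1 for p in window if p.dst == src_ip and p.proto == "udp")
    else:
        replies = sum(1 for p in window if p.dst == src_ip and is_legit_ack(p))
    sent = sum(1 for p in window if p.src == src_ip and p.proto == proto)
    return to_src, replies, sent


def check_first_packet(dev, pkt, in_iface, window):
    """Decide for the first packet of a flow: 'create' (S315), 'deny' (S313) or
    'blacklist' (S314). `window` holds the packets the device forwarded during the
    statistics interval after `pkt`; the first packet itself is counted as sent."""
    src = pkt.src
    if dev.same_segment(src, in_iface):
        verdict = "create" if src in dev.arp else "deny"      # S303-S305
    elif dev.route_iface(src) != in_iface:
        verdict = "deny"                                      # S308: no route or wrong interface
    else:
        to_src, replies, sent = traffic_counts(src, pkt.proto, [pkt, *window])
        if to_src == 0 or replies == 0 or sent == 0:          # S310 / S312
            verdict = "blacklist"
        else:
            verdict = "create"
    if verdict == "create":
        dev.nat_table.add((pkt.src, pkt.dst, pkt.proto))
    elif verdict == "blacklist":
        dev.blacklist.add(src)
    return verdict


def demo_device():
    """Constructed sample topology (not from the patent): a /24 directly on the inside
    interface, and 10.1.0.0/16 reachable through a layer-3 switch behind that interface."""
    return NatDevice(
        ifaces={"inside": ["10.0.0.0/24"], "outside": ["203.0.113.0/24"]},
        arp={"10.0.0.5"},
        routes=[("10.0.0.0/24", "inside"), ("10.1.0.0/16", "inside"), ("0.0.0.0/0", "outside")],
    )


if __name__ == "__main__":
    dev = demo_device()
    ext, syn = "198.51.100.7", frozenset({"SYN"})
    print(check_first_packet(dev, Packet("10.0.0.5", ext, "tcp", syn), "inside", []))    # create
    print(check_first_packet(dev, Packet("10.0.0.99", ext, "tcp", syn), "inside", []))   # deny
    print(check_first_packet(dev, Packet("172.16.9.9", ext, "tcp", syn), "inside", []))  # deny
    print(check_first_packet(dev, Packet("10.1.2.3", ext, "tcp", syn), "inside", []))    # blacklist
```

The three branches map onto situations one to three: the ARP check covers a source on the directly connected segment, the reverse route check covers a source that should have arrived on another interface, and only a source behind the layer-3 switch reaches the statistics stage, where an external host answering with nothing but RST or ICMP unreachable keeps the count of legitimate replies at zero.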
Preferably, when the source IP address in a data flow is illegitimate, the method further comprises: judging whether other data flows corresponding to that source IP address have already established NAT entries, and if so, deleting those NAT entries.
Fig. 4 is a flow chart of the regular checking of the blacklist according to an embodiment of the invention.
As shown in Fig. 4, the process comprises the following steps:
Step S401: the NAT device traverses the source address blacklist every 10 seconds;
Step S402: obtain a source IP from the blacklist;
Step S403: send to this source IP a TCP FIN packet with destination port 65534;
Step S404: judge whether a TCP RST reply from this source IP is received; if a reply is received, go to step S405, otherwise go to step S402;
Step S405: a reply has been received; remove this source IP from the blacklist and count the replies received;
Step S406: judge whether the count is 0; if it is 0, go to step S402, otherwise go to step S407;
Step S407: create the NAT entry corresponding to the data flow; subsequent packets of this data flow are translated directly according to this NAT entry.
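The blacklist maintenance of Fig. 4 and the preferred tear-down of NAT entries already held by a blacklisted address, as an added example written for this page (not code from the patent or its assignee). The `Blacklist` class, the `make_probe` stand-in and the sample flows are constructed here; the port 65534 and the 10-second interval are the values the text gives. The real device sends a TCP segment with only FIN set to a port on which nothing listens, which a standard TCP stack answers with RST; the example replaces that exchange with a lookup table of RST replies so it runs offline.

```python
from dataclasses import dataclass, field

PROBE_PORT = 65534          # destination port of the TCP FIN probe (from the patent)
RECHECK_INTERVAL = 10.0     # seconds between blacklist sweeps (empirical value in the patent)


@dataclass
class Blacklist:
    """Source addresses judged non-existent, plus the NAT table they must be kept out of."""
    entries: set = field(default_factory=set)
    nat_table: dict = field(default_factory=dict)   # (src, dst, proto) -> (public IP, port)
    last_sweep: float = float("-inf")

    def add(self, src_ip):
        """Blacklist `src_ip` and, as the preferred embodiment describes, tear down any
        NAT entries that other flows from the same address already obtained.
        Returns the number of entries removed."""
        self.entries.add(src_ip)
        return self.purge_flows(src_ip)

    def purge_flows(self, src_ip):
        doomed = [key for key in self.nat_table if key[0] == src_ip]
        for key in doomed:
            del self.nat_table[key]
        return len(doomed)

    def sweep(self, now, probe):
        """Fig. 4: every RECHECK_INTERVAL seconds, probe each entry; an address that
        answers the FIN probe with RST is in real use and leaves the blacklist.
        Returns the set of addresses removed in this sweep."""
        if now - self.last_sweep < RECHECK_INTERVAL:
            return set()
        self.last_sweep = now
        alive = {ip for ip in self.entries if probe(ip, PROBE_PORT)}
        self.entries -= alive
        return alive


def make_probe(rst_replies):
    """Constructed stand-in for the FIN probe: `rst_replies` maps an IP to whether a host
    there answered with RST. A real device would transmit the segment and wait for it."""
    def probe(ip, port):
        assert port == PROBE_PORT
        return rst_replies.get(ip, False)
    return probe


if __name__ == "__main__":
    bl = Blacklist()
    bl.nat_table[("10.1.2.3", "198.51.100.7", "tcp")] = ("203.0.113.2", 40001)
    bl.nat_table[("10.1.2.5", "198.51.100.7", "tcp")] = ("203.0.113.2", 40003)
    print(bl.add("10.1.2.3"))                               # 1 entry purged
    print(bl.sweep(0.0, make_probe({"10.1.2.3": True})))    # {'10.1.2.3'} back in use
```

One caveat a practitioner should keep in mind: a host whose firewall silently drops unsolicited segments never sends the RST, so a genuinely used address can stay on the blacklist until some other evidence clears it; the sweep should therefore be logged so such cases are visible.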
From the above description it can be seen that the invention achieves the following technical effects. Compared with prior NAT attack-protection schemes, it mainly solves the problem of an intranet constructing data flows from a large number of non-existent source IPs to attack the NAT device, causing the NAT device to create NAT entries for these illegitimate data flows and exhausting its NAT table. The method of the invention improves the NAT device's resistance to NAT attacks and improves the stability of the NAT device itself. This comprises the following aspects:
1. Whether the source IP of the data flow and the interface on which the NAT device received the flow are in the same intranet IP network is used as a precondition, and the legitimacy of the source IP is checked in different ways accordingly.
2. When the source IP of the data flow and the interface on which the NAT device received the flow are in the same intranet IP network, the source IP is checked against the ARP table of the NAT device, and NAT-entry creation requests from data flows whose source IP is not in the ARP table are filtered out, so that the NAT table of the NAT device cannot be occupied by such non-existent source IP flows.
3. When the source IP of the data flow and the interface on which the NAT device received the flow are not in the same intranet IP network, a reverse route check filters out flows for which no route entry is found and flows whose route entry's outgoing interface does not match the receiving interface, so that the NAT table of the NAT device cannot be occupied by such non-existent source IP flows.
4. When the source IP of the data flow is in an intranet segment not directly connected to the NAT device, the number of packets with this source IP as destination address is counted; if the count is 0, the NAT-entry creation request of such a source IP is filtered out, so that the NAT table of the NAT device cannot be occupied by such non-existent source IP flows.
5. When the source IP of the data flow is in an intranet segment not directly connected to the NAT device, the number of packets with this source IP as destination address and the number of packets with this source IP as source address are counted; if either count is 0, the NAT-entry creation request of such a source IP is filtered out, so that the NAT table of the NAT device cannot be occupied by such non-existent source IP flows.
6. For source IPs judged non-existent in aspects 4 and 5, a TCP FIN packet with destination port 65534 is sent to the source IP periodically; if the NAT device receives a TCP RST packet in response, the source IP is in legitimate use and is deleted from the blacklist.
According to an embodiment of the invention, a NAT device is provided.
Fig. 5 is a schematic diagram of the NAT device according to an embodiment of the invention.
As shown in Fig. 5, the NAT device comprises: a receiving module 501, a first judging module 502 and a creating module 503.
The receiving module 501 is used to receive a data flow; the first judging module 502 is used to judge whether the source IP address of the data flow is legitimate; the creating module 503 is used to create a NAT entry for the data flow when the source IP address is legitimate.
Preferably, the first judging module 502 further comprises: a lookup submodule 511 and a first judging submodule 512.
The lookup submodule 511 is used, when the source IP address of the data flow and the network interface on which the NAT device received the packet are in the same network segment, to look up the ARP entry by the source IP address of the data flow; the first judging submodule 512 is used to judge whether the source IP address of the data flow is legitimate according to the result of the ARP lookup.
Preferably, the first judging module 502 further comprises: a second judging submodule 513, a statistics submodule 514 and a third judging submodule 515.
The second judging submodule 513 is used, when the source IP address of the data flow and the network interface on which the NAT device received the packet are not in the same network segment, to judge whether the network interface receiving the data flow and the destination interface are the same interface, and if so to trigger the statistics submodule, where the destination interface is the destination interface corresponding to the route entry found in the NAT device for the source IP address; the statistics submodule 514 is used to count the number of packets with the source IP address as destination address and the number of packets with the source IP address as source address; the third judging submodule 515 is used to judge whether the source IP address of the data flow is legitimate according to the statistics.
Fig. 6 is a schematic diagram of the preferred NAT device according to an embodiment of the invention.
As shown in Fig. 6, the NAT device preferably further comprises: a second judging module 504 and a removing module 505.
The second judging module 504 is used to judge whether each source IP address in the blacklist is in use, where the blacklist holds illegitimate source IP addresses; the removing module 505 is used to delete source IP addresses that are in use from the blacklist.
Preferably, the NAT device further comprises a third judging module 506, which is used, when the source IP is illegitimate, to judge whether other data flows corresponding to the source IP address have established NAT entries, and if so to delete those NAT entries.
It should be noted that the steps shown in the flow charts of the drawings can be executed in a computer system, for instance as a set of computer-executable instructions, and that, although a logical order is shown in the flow charts, in some cases the steps shown or described may be executed in an order different from the one given here.
Obviously, those skilled in the art should understand that each of the above modules or steps of the invention can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by several computing devices; optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, or they can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. The invention is thus not restricted to any specific combination of hardware and software.
The above are only preferred embodiments of the invention and do not limit it; for those skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included in the protection scope of the invention.

Claims (13)

1. A method of preventing network attacks, characterized in that it comprises:
a network address translation (NAT) device receiving a data flow;
the NAT device judging whether the source IP address in the data flow is legitimate;
when the source IP address is legitimate, the NAT device creating a network address translation (NAT) entry for the data flow, and when the source IP address is illegitimate, the NAT device refusing to create a NAT entry for the data flow.
2. The method according to claim 1, characterized in that the NAT device judging whether the source IP address in the data flow is legitimate comprises:
the NAT device judging whether the source IP address in the data flow is in the same network segment as the network interface on which the NAT device received the packet;
when the source IP address and the network interface on which the NAT device received the packet are in the same network segment, the NAT device looking up an ARP entry by the source IP address of the data flow;
when the NAT device finds the ARP entry, determining that the source IP address is legitimate.
3. The method according to claim 1 or 2, characterized in that, when the source IP address and the network interface on which the NAT device received the packet are not in the same network segment, the NAT device judging whether the source IP address in the data flow is legitimate further comprises:
the NAT device judging whether the network interface on which it received the data flow and the destination interface are the same interface, where the destination interface is the destination interface corresponding to the route entry found in the NAT device for the source IP address;
when the network interface on which the NAT device received the data flow and the destination interface are the same interface, the NAT device counting the number of packets with the source IP address as destination address and the number of packets with the source IP address as source address;
when the number of packets with the source IP address as destination address and the number of packets with the source IP address as source address are both non-zero, determining that the source IP address is legitimate.
4. The method according to any one of claims 1 to 3, characterized in that the NAT device judging whether the source IP address in the data flow is legitimate comprises:
the NAT device judging whether the source IP address of the first packet in the data flow is legitimate;
when the source IP address of the first packet is illegitimate, determining that the source IP address of the data flow is illegitimate.
5. The method according to any one of claims 1 to 3, characterized in that, when the source IP address in the data flow is illegitimate, the method further comprises:
adding the illegitimate source IP address to a blacklist.
6. The method according to claim 5, characterized in that, after the illegitimate source IP address is added to the blacklist, the method further comprises:
the NAT device judging, every preset time, whether each source IP address in the blacklist is in use;
when a source IP address in the blacklist is in use, deleting the source IP address in use from the blacklist.
7. The method according to claim 6, characterized in that the NAT device judging every preset time whether each source IP address in the blacklist is in use comprises:
the NAT device sending, every preset time, a packet with a preset destination port to each source IP address in the blacklist;
when the NAT device receives a reply packet from a source IP address in the blacklist, determining that the source IP address is in use.
8. The method according to any one of claims 1 to 3, characterized in that, when the source IP address in the data flow is illegitimate, the method comprises:
judging whether other data flows corresponding to the source IP address have established NAT entries, and if so, deleting the NAT entries.
9. A network address translation (NAT) device, characterized in that it comprises:
a receiving module, used to receive a data flow;
a first judging module, used to judge whether the source IP address in the data flow is legitimate;
a creating module, used to create a network address translation (NAT) entry for the data flow when the source IP address is legitimate.
10. The NAT device according to claim 9, characterized in that the first judging module further comprises:
a lookup submodule, used to look up an ARP entry by the source IP address of the data flow when the source IP address of the data flow and the network interface on which the NAT device received the packet are in the same network segment;
a first judging submodule, used to judge whether the source IP address of the data flow is legitimate according to the result of the ARP lookup.
11. The NAT device according to claim 9 or 10, characterized in that the first judging module further comprises:
a second judging submodule, used, when the source IP address of the data flow and the network interface on which the NAT device received the packet are not in the same network segment, to judge whether the network interface receiving the data flow and the destination interface are the same interface, and if so to trigger the statistics submodule, where the destination interface is the destination interface corresponding to the route entry found in the NAT device for the source IP address;
a statistics submodule, used to count the number of packets with the source IP address as destination address and the number of packets with the source IP address as source address;
a third judging submodule, used to judge whether the source IP address of the data flow is legitimate according to the result of the statistics.
12. The NAT device according to any one of claims 9 to 11, characterized in that it further comprises:
a second judging module, used to judge whether each source IP address in a blacklist is in use, where the blacklist is used to hold illegitimate source IP addresses;
a removing module, used to delete the source IP addresses in use from the blacklist.
13. The NAT device according to any one of claims 9 to 11, characterized in that it further comprises:
a third judging module, used, when the source IP is illegitimate, to judge whether other data flows corresponding to the source IP address have established NAT entries, and if so to delete the NAT entries.
CN200910242842A 2009-12-17 2009-12-17 Method and network address translation device preventing network attacks Pending CN101753637A (en)


Publications (1)

Publication Number Publication Date
CN101753637A true CN101753637A (en) 2010-06-23


Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103428229A (en) * 2012-05-14 2013-12-04 百度在线网络技术(北京)有限公司 Data center system and device and method for providing service
CN102843362B (en) * 2012-08-08 2016-05-04 唐稳杰 A kind of TCAM of use carries out the method for ARP defence
CN102843362A (en) * 2012-08-08 2012-12-26 江苏华丽网络工程有限公司 Method for carrying out ARP (Address Resolution Protocol) defense by using TCAM (Ternary Content Addressable Memory)
CN105684351A (en) * 2013-10-25 2016-06-15 汤姆逊许可公司 Improved subnet provisioning method
CN104579939A (en) * 2014-12-29 2015-04-29 网神信息技术(北京)股份有限公司 Protecting method and device for gateway
CN105827427B (en) * 2015-01-08 2020-06-23 联想(北京)有限公司 Information processing method and electronic equipment
CN105827427A (en) * 2015-01-08 2016-08-03 联想(北京)有限公司 Information processing method and electronic devices
CN109561164A (en) * 2017-09-27 2019-04-02 华为技术有限公司 Management method, device and the NAT device of NAT table item
US10652205B2 (en) 2017-09-27 2020-05-12 Huawei Technologies Co., Ltd. NAT entry management method and NAT device
CN108769055A (en) * 2018-06-14 2018-11-06 北京神州绿盟信息安全科技股份有限公司 A kind of falseness source IP detection method and device
CN109618004A (en) * 2019-01-16 2019-04-12 新华三技术有限公司 A kind of message forwarding method and device
CN109617920A (en) * 2019-01-23 2019-04-12 新华三信息安全技术有限公司 A kind of message processing method, device, router and firewall box
CN109617920B (en) * 2019-01-23 2021-07-20 新华三信息安全技术有限公司 Message processing method and device, router and firewall equipment
WO2021077996A1 (en) * 2019-10-21 2021-04-29 中兴通讯股份有限公司 Nat security and access control method, apparatus and device, and storage medium
CN112769732A (en) * 2019-10-21 2021-05-07 中兴通讯股份有限公司 NAT security and access control method, device, equipment and storage medium
CN116170405A (en) * 2021-11-24 2023-05-26 瞻博网络公司 Causing or preventing updates to network address translation tables
EP4187848A1 (en) * 2021-11-24 2023-05-31 Juniper Networks, Inc. Causing or preventing an update to a network address translation table


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100623