CN114465795A - Method and system for interfering network scanner - Google Patents
- Publication number: CN114465795A (application CN202210103519.7A)
- Authority: CN (China)
- Prior art keywords: data packet, packet, access data, network scanner, operating system
- Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Classifications
- H04L63/1408: Network security; detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/0236: Network security; firewalls; filtering policies; filtering by address, protocol, port number or service, e.g. IP address or URL
- H04L63/1441: Network security; countermeasures against malicious traffic
- H04L63/166: Network security; implementing security features at the transport layer
- H04L69/163: In-band adaptation of TCP data exchange; in-band control procedures
- H04L69/22: Parsing or analysis of headers
Abstract
The application discloses a method and a system for interfering with a network scanner, in the technical field of network attack and defense. The method comprises the following steps: response data packets of a plurality of operating systems are prepared and stored; all visitors are sniffed and their access data packets are received. If an access data packet is normal traffic, the SYN/ACK response data packet for the access data packet is returned and a communication connection with the visitor is established once the three-way handshake is complete. If the access data packet is a scanning packet, the response data packet of any operating system other than the local machine's is sent back to the network scanner. The advantage of the method is that, when the network scanner accesses the host, the specific response data packet is returned automatically in the response style of the specified operating system; because the algorithm of the network scanner is fixed and unchangeable, this specific response data packet yields a specific fingerprint, so the attacker's network scanner misjudges the operating system as the specified one.
Description
Technical Field
The present application relates to the field of network attack and defense technologies, and more particularly to a method and system for interfering with a network scanner.
Background
In the field of network attack and defense, the first step of any attack or security test is usually information gathering by network scanning, and an important part of network scanning is identifying the operating system behind a given IP address. Once the operating system is identified, an attacker or security tester can only attack through the vulnerabilities that operating system actually has. Therefore, if one operating system is disguised as another in the scanner's detection stage, a certain degree of defense is achieved. The most widely used operating-system identification function in existing scanners is that of the open source tool nmap; most other network scanning tools are developed on the basis of the nmap scanner, and their operating-system fingerprinting function often reuses nmap's directly.
nmap is port-scanning software for scanning the open ports of networked computers. It determines which services run on which ports and infers which operating system the computer is running, in order to assess the security of a network system. Like most network security tools, nmap is also popular with hackers. A system administrator may use nmap to probe for unauthorized use of servers in the work environment, but a hacker may use nmap to gather the network configuration of a target computer and plan an attack from it. The current technical solution for countering scanning has the following drawback: it can only choose to turn certain traffic characteristics on or off, so the forged result is uncontrollable. That is, the operating-system scan result can be made false and different from the real operating system, but the forgery cannot be directed toward a specified operating system type.
Disclosure of Invention
The present application aims to provide a method and a system for interfering with a network scanner, so as to solve the technical problem in the prior art that the scan result cannot be forged directionally toward a specified operating system type.
In order to achieve this technical purpose, the technical solution adopted by the application is as follows:
a method of interfering with a network scanner, comprising the steps of:
preparing and storing response data packets of a plurality of operating systems; sniffing all visitors, receiving the visitors' access data packets, detecting the access data packets and judging their types;
if an access data packet is normal traffic, returning the SYN/ACK response data packet for the access data packet and establishing a communication connection with the visitor after the three-way handshake is completed;
and if the access data packet is a scanning packet, sending the response data packet of any operating system other than the local machine's back to the network scanner.
Preferably, the method further comprises the steps of:
setting up at least two different types of operating systems and a traffic forwarding interface, the traffic forwarding interface being used to receive a visitor's access data packet, detect it and judge its type;
one of the operating systems runs the service and calls the traffic forwarding interface on the local machine, and the other operating systems are used to prepare and store their response data packets.
Preferably, preparing and storing response data packets of a plurality of operating systems specifically comprises the following steps:
simulating receipt of a system detection probe sent by the network scanner, modifying the data content of the IP packet header and TCP packet header in response to the system detection probe, and generating and storing the response data packet of the specified operating system.
Preferably, sniffing all visitors, receiving their access data packets, detecting the access data packets and judging their types specifically comprises the following steps:
setting up a raw_socket interface and monitoring the access data packets of all visitors through the raw_socket interface;
disassembling the structure of the access data packet, analyzing each element of the disassembled structure, detecting the access data packet according to these elements and judging its type;
the access data packet comprises an IP packet and a TCP packet.
Preferably, the method further comprises the steps of:
blocking the local operating system from sending a Reset packet by means of the IP packet filtering system;
and blocking the local operating system from replying to ICMP packets by means of the IP packet filtering system.
Preferably, the system detection probes comprise a sequence generation algorithm probe, a TCP protocol probe, a UDP protocol probe, an ICMP echo probe and an ECN probe.
Preferably, the data content of the IP packet header and TCP packet header includes the sequence generation algorithm of the TCP/IP protocol stack, the greatest common divisor, growth rate and SP of the TCP ISN, the TCP timestamp selection algorithm, the TCP initial window size, the TCP explicit congestion handling mechanism, the UDP reserved header bits, flag bit information, and IP packet attributes.
A system for interfering with a network scanner, comprising:
a storage unit storing response data packets of a plurality of operating systems;
a judging unit for sniffing all visitors, receiving their access data packets, detecting the access data packets and judging their types;
a first communication unit for returning the SYN/ACK response data packet for an access data packet and establishing a communication connection with the visitor after the three-way handshake is completed;
and a second communication unit for sending the response data packet of any operating system other than the local one back to the network scanner.
An electronic device comprising a memory and a processor, the memory storing one or more computer instructions which, when executed by the processor, implement the method of interfering with a network scanner described above.
A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method described above.
The beneficial effects provided by the application are as follows:
1. The method prepares and stores response data packets of a plurality of operating systems, detects access data packets and judges their types, and, if an access data packet is a scanning packet, sends the response data packet of an operating system other than the local machine's back to the network scanner. When the network scanner accesses the host, the specific response data packet is returned automatically in the response style of the specified operating system; because the algorithm of the network scanner is fixed and invariable, the specific response data packet produces a specific fingerprint, and the attacker's network scanner misjudges the operating system as the specified one.
2. The method and device use the IP packet filtering system to block the local operating system from sending Reset packets, so that the three-way handshake between the traffic forwarding interface and the visitor is not disturbed, and use the IP packet filtering system to block the local operating system from replying to ICMP packets, which interferes with the network scanner's detection result.
3. The method simulates receipt of the system detection probe sent by the network scanner, modifies the data content of the IP packet header and TCP packet header in response to the probe, and generates and stores the response data packet of the specified operating system. All the data the network scanner uses to generate its fingerprint comes from the IP packet header and TCP packet header, so the operating-system identification function of the network scanner can be deceived simply by modifying the data content of those headers.
Drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a flowchart of the method of interfering with a network scanner in embodiment 1.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example 1:
As shown in Fig. 1, this embodiment comprises a method of interfering with a network scanner, comprising the steps of: preparing and storing response data packets of a plurality of operating systems; sniffing all visitors, receiving their access data packets, detecting the access data packets and judging their types.
If an access data packet is normal traffic, the SYN/ACK response data packet for it is returned and a communication connection with the visitor is established once the three-way handshake is complete. If the access data packet is a scanning packet, the response data packet of any operating system other than the local machine's is sent back to the network scanner.
Specifically, with ordinary network services an attacker and a normal visitor both access the service port directly. The attacker's network scanner can directly determine specific information about the current operating system by probing the behaviour of the TCP/IP protocol stack, form a fingerprint from it, and determine the type of the current operating system by comparing the fingerprint against a database.
When the network scanner accesses the host, the specific response data packet is returned automatically in the response style of the specified operating system. Because the algorithm of the network scanner is fixed and invariable, this specific response data packet produces a specific fingerprint, and the attacker's network scanner therefore misjudges the operating system as the specified one.
The method further comprises the steps of: setting up at least two different types of operating systems and a traffic forwarding interface, the traffic forwarding interface being used to receive a visitor's access data packet, detect it and judge its type. One of the operating systems runs the service and calls the traffic forwarding interface on the local machine; the other operating systems are used to prepare and store their response data packets.
In this embodiment two operating systems, a first operating system and a second operating system, are prepared, and the traffic forwarding interface is defined as the traffic forwarding program "mapper". The first operating system runs the service and the mapper; the second operating system is used to prepare and store the response data packets corresponding to it. When the network scanner scans the first operating system, it detects the fingerprint of the second operating system and judges the first operating system to be the second.
Preparing and storing response data packets of a plurality of operating systems specifically comprises the following steps: simulating receipt of a system detection probe sent by the network scanner, modifying the data content of the IP packet header and TCP packet header in response to the system detection probe, and generating and storing the response data packet of the specified operating system.
The system detection probes comprise a sequence generation algorithm probe, a TCP protocol probe, a UDP protocol probe, an ICMP echo probe and an ECN probe.
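As an added illustration (not the patent's own code), the following Python generates the stored SYN/ACK response of a chosen operating system profile in reply to a received SYN: the TTL, DF bit, window size, option layout and ISN increment all come from the profile rather than from the local kernel, and both the IP and TCP checksums are computed so the packet is valid on the wire. The profile names and their values are assumptions for this example, not measured fingerprints of any real operating system.

```python
# Added example (not the patent's code): generate the stored SYN/ACK "response data
# packet" of a chosen operating system. Every field the scanner fingerprints (TTL, DF
# bit, window size, option layout, ISN increment) comes from the profile, not from the
# local kernel. Profile values are illustrative assumptions for this example only.
import struct

SYN, ACK = 0x02, 0x10

PROFILES = {
    "emulated_os_a": {"ttl": 128, "df": True, "window": 8192, "isn_step": 64000,
                      # MSS 1460, NOP, WScale 8, NOP, SACK-permitted, EOL padding
                      "options": b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x04\x02\x00"},
    "emulated_os_b": {"ttl": 64, "df": True, "window": 29200, "isn_step": 1,
                      # MSS 1460, SACK-permitted, NOP, WScale 7, EOL padding
                      "options": b"\x02\x04\x05\xb4\x04\x02\x01\x03\x03\x07\x00\x00"},
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


class ResponseGenerator:
    """Builds SYN/ACK replies whose header fields follow one stored OS profile."""

    def __init__(self, profile: str, isn_seed: int = 0x1A2B3C4D):
        self.p = PROFILES[profile]
        if len(self.p["options"]) % 4:
            raise ValueError("TCP options must be padded to a multiple of 4 bytes")
        self.isn = isn_seed
        self.ident = 1

    def next_isn(self) -> int:
        # Fixed increment: consecutive ISNs differ by exactly isn_step, which is the
        # value the scanner's ISN greatest-common-divisor test will recover.
        self.isn = (self.isn + self.p["isn_step"]) & 0xFFFFFFFF
        return self.isn

    def syn_ack(self, src: str, dst: str, sport: int, dport: int, client_seq: int) -> bytes:
        """Reply from src:sport (the scanned host) to the visitor at dst:dport."""
        p = self.p
        opts = p["options"]
        doff = 5 + len(opts) // 4
        tcp = struct.pack("!HHIIBBHHH", sport, dport, self.next_isn(),
                          (client_seq + 1) & 0xFFFFFFFF, doff << 4, SYN | ACK,
                          p["window"], 0, 0) + opts
        pseudo = struct.pack("!4s4sBBH", ip_bytes(src), ip_bytes(dst), 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
        flags_frag = 0x4000 if p["df"] else 0          # DF bit of the IP header
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), self.ident,
                         flags_frag, p["ttl"], 6, 0, ip_bytes(src), ip_bytes(dst))
        ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
        self.ident = (self.ident + 1) & 0xFFFF
        return ip + tcp


def describe(pkt: bytes) -> dict:
    """Read back the fingerprint-relevant fields and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    _, _, seq, ack, _, flags, window, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(tcp))
    return {"ttl": pkt[8], "df": bool(pkt[6] & 0x40), "seq": seq, "ack": ack,
            "flags": flags, "window": window,
            "ip_csum_ok": checksum(pkt[:ihl]) == 0,
            "tcp_csum_ok": checksum(pseudo + tcp) == 0}
```

A real deployment would record the option layout and window of the target operating system from packet captures and keep one generator per profile so its ISN counter stays consistent across the scanner's six sequence probes.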
Sniffing all visitors, receiving their access data packets, detecting the access data packets and judging their types specifically comprises the following steps: setting up a raw_socket interface and monitoring the access data packets of all visitors through the raw_socket interface.
Disassembling the structure of the access data packet, analyzing each element of the disassembled structure, detecting the access data packet according to these elements and judging its type. The access data packet comprises an IP packet and a TCP packet.
In this embodiment the original service port is bound to another local port, and the mapper traffic forwarding program is started at the same time; the original service port is defined as the first service port and the other port as the second service port. Since the mapper does not listen on any port, a raw_socket interface is set up and used to sniff the access data packets of all visitors. The traffic forwarding interface receives the visitor's access data packet, detects it and judges its type.
When the mapper sniffs through the raw_socket interface that a visitor is trying to access the first service port, that is, it receives an access data packet whose destination port is the first service port and whose TCP flag is SYN (a SYN packet for the first service port), it disassembles the access data packet according to the structure of the IP packet and of the TCP packet, analyzes each element of the disassembled structure, and judges the type of the access data packet.
If the access is normal, then in the subsequent communication the mapper takes the TCP payload out of the visitor's access data packets, actively initiates a connection to the second service port and sends the data to it, sends the return data obtained from the second service port back to the visitor, and repeats this until the session ends.
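As an added example that is not part of the patent, the Python below disassembles an IPv4/TCP frame as read from a raw socket into the elements described above and classifies it as normal traffic for the first service port, a scanner probe to be answered from a stored profile, or traffic to ignore. The service port number, the sample frames and the probe signatures (flag combinations no conforming client uses to open a connection) are assumptions of this example.

```python
# Added example (not the patent's code): parse a raw IPv4/TCP frame the way the mapper
# would after reading it from its raw socket, then decide whether it is an ordinary SYN
# for the first service port or an OS-detection probe. The probe signatures are this
# example's assumptions, not rules stated in the patent.
import struct

FIRST_SERVICE_PORT = 8080  # assumed first service port for the example

# TCP flag bits in header order
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def parse_ip_tcp(frame: bytes) -> dict:
    """Split an IPv4 header and TCP header into the elements the mapper inspects."""
    if len(frame) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, _total, _ident, frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(frame) < ihl + 20:
        raise ValueError("not a complete IPv4/TCP packet")
    tcp = frame[ihl:]
    (sport, dport, seq, ack, doff_res, flags,
     window, _tcsum, urgp) = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (doff_res >> 4) * 4
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "df": bool(frag & 0x4000),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window, "urgp": urgp,
        "options": tcp[20:doff],
    }


def classify(pkt: dict) -> str:
    """'normal' = SYN for the service port, to be forwarded; 'scan' = probe, to be
    answered from a stored OS profile; 'ignore' = everything else."""
    if pkt["dport"] != FIRST_SERVICE_PORT:
        return "ignore"
    f = pkt["flags"]
    if f == 0:
        return "scan"                           # no flags at all ("null" probe)
    if f & SYN and f & FIN:
        return "scan"                           # SYN and FIN together
    if f & SYN and f & URG and f & (ECE | CWR) and pkt["urgp"] != 0:
        return "scan"                           # ECN-style probe carrying an urgent pointer
    if f & FIN and not f & ACK and f & (PSH | URG):
        return "scan"                           # FIN/PSH/URG without ACK
    if f & SYN and not f & ACK:
        return "normal"                         # ordinary connection attempt
    return "ignore"


def make_frame(dport: int, flags: int, window: int = 64240,
               urgp: int = 0, options: bytes = b"") -> bytes:
    """Constructed sample frame; checksums are left zero because the parser above
    does not verify them."""
    options += b"\x00" * (-len(options) % 4)
    doff = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0x01020304, 0,
                      doff << 4, flags, window, 0, urgp) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return ip + tcp


SAMPLES = {  # constructed inputs
    "client_syn": make_frame(8080, SYN, options=b"\x02\x04\x05\xb4"),   # MSS 1460
    "null_probe": make_frame(8080, 0, window=128),
    "ecn_probe": make_frame(8080, SYN | ECE | CWR | URG, window=3, urgp=0xF7F5),
    "other_port": make_frame(22, SYN),
}


def classify_all() -> dict:
    return {name: classify(parse_ip_tcp(frame)) for name, frame in SAMPLES.items()}
```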
The method further comprises the steps of: blocking the local operating system from sending a Reset packet by means of the IP packet filtering system, and blocking the local operating system from replying to ICMP packets by means of the IP packet filtering system.
Specifically, when the operating system receives a SYN packet, the kernel receives it first and forwards it to the user-mode program. On receiving the SYN packet, the kernel checks whether a local port is listening for it; if not, it actively sends a Reset packet to the visitor, which interrupts the visitor's access.
The mapper runs in user mode, listens on no port, and sniffs all SYN packets through the raw_socket interface. So before the mapper has sniffed a SYN packet and sent the SYN+ACK handshake packet for that port, the kernel has already sent a Reset packet, which inevitably disrupts the three-way handshake between the mapper and the visitor; the operating system must therefore be prevented from sending Reset packets.
Specifically, an ICMP request is one of the ways a visitor determines whether the requested host is alive, and different operating systems respond to it differently, which yields different fingerprints in the network scanner. The quickest solution is to not respond to such packets at all, which interferes with the network scanner's detection result.
Specifically, the network scanner sends a number of specially crafted data packets to the host being scanned, exploiting the characteristics of the TCP/IP protocol stack; different operating systems respond differently to these packets, and the network scanner generates different fingerprints from the different responses, forming a fingerprint database.
The data content of the IP packet header and TCP packet header comprises the sequence generation algorithm of the TCP/IP protocol stack, the greatest common divisor, growth rate and SP of the TCP ISN, the TCP timestamp selection algorithm, the TCP initial window size, the TCP explicit congestion handling mechanism, the UDP reserved header bits, flag bit information and IP packet attributes.
Specifically, the network scanner performs operating-system scanning of the specified host with 5 types of specially constructed system detection probes: a sequence generation algorithm probe, a TCP protocol probe, a UDP protocol probe, an ICMP echo probe and an ECN probe. The network scanner then runs several algorithms over the data packets returned in response, and the results form the fingerprint; the returned data packets consist of an IP packet header and a TCP packet header.
All data used by the network scanner to generate the fingerprint comes from the IP packet header and TCP packet header. More specifically, the fingerprint information includes the sequence generation algorithm of the TCP/IP protocol stack, the greatest common divisor, growth rate and SP of the TCP ISN, the TCP timestamp selection algorithm, the TCP initial window size, the TCP explicit congestion handling mechanism, the UDP reserved header bits, and further detailed flag bit information and IP packet attributes. The operating-system identification function of the network scanner can therefore be deceived simply by modifying the data content of the IP packet header and TCP packet header.
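As an added worked example (not from the patent), the following Python computes the three ISN statistics named above, the greatest common divisor, the growth rate (ISR) and SP, from six sampled ISNs and their arrival times, so that a defender can check which values a stored response profile would produce under the scanner's sequence generation test. The formulas follow the public nmap OS-detection documentation as this example reads it (minimum-direction differences modulo 2^32, ISR as 8 times the binary logarithm of the mean rate, SP as 8 times the binary logarithm of the sample standard deviation of the rates, divided by the GCD when it exceeds 9); the ISN samples and probe timings are constructed.

```python
# Added example (not the patent's code): derive the ISN statistics the scanner computes,
# the greatest common divisor (GCD), growth rate (ISR) and SP, from six sampled ISNs and
# their arrival times. Formulas follow the public nmap OS-detection documentation as this
# example reads it; samples and probe timings are constructed.
import math
from math import gcd

PROBE_TIMES = [0.1 * i for i in range(6)]          # one probe every 100 ms (assumed)

# Emulated profile with a fixed increment of 64000 that wraps past 2^32 mid-sequence.
FIXED_STEP_ISNS = [(0xFFFF0000 + 64000 * i) & 0xFFFFFFFF for i in range(6)]

# Irregular increments, as a stack with a less predictable generator might produce.
VARIED_STEPS = [1000003, 1500017, 700001, 2200009, 1200011]
VARIED_ISNS = [0x3A1F0000]
for _step in VARIED_STEPS:
    VARIED_ISNS.append((VARIED_ISNS[-1] + _step) & 0xFFFFFFFF)


def seq_diffs(isns):
    """Differences of consecutive 32-bit ISNs; the smaller of the two directions modulo
    2^32 is used so a counter that wrapped or went backwards is handled."""
    diffs = []
    for a, b in zip(isns, isns[1:]):
        forward = (b - a) & 0xFFFFFFFF
        diffs.append(min(forward, (a - b) & 0xFFFFFFFF))
    return diffs


def seq_metrics(isns, times):
    """Return (GCD, ISR, SP) for ISN samples observed at the given times in seconds."""
    if len(isns) < 2 or len(isns) != len(times):
        raise ValueError("need at least two (isn, time) pairs")
    diffs = seq_diffs(isns)
    g = 0
    for d in diffs:                    # GCD of all increments (0 if the ISN never moves)
        g = gcd(g, d)
    rates = []
    for d, t0, t1 in zip(diffs, times, times[1:]):
        if t1 <= t0:
            raise ValueError("sample times must increase")
        rates.append(d / (t1 - t0))    # ISN increments per second
    avg = sum(rates) / len(rates)
    isr = 0 if avg < 1 else round(8 * math.log2(avg))
    if g > 9:                          # large GCD: measure variability in units of it
        rates = [r / g for r in rates]
    if len(rates) < 2:
        sp = 0
    else:
        mean = sum(rates) / len(rates)
        sd = math.sqrt(sum((r - mean) ** 2 for r in rates) / (len(rates) - 1))
        sp = 0 if sd <= 1 else round(8 * math.log2(sd))
    return g, isr, sp
```

The fixed-step profile yields GCD 64000 with SP 0, while the irregular one yields GCD 1 and a large SP, which is exactly the difference a stored profile must reproduce if it is to pass as the intended operating system.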
Example 2:
This embodiment comprises a system for interfering with a network scanner, comprising: a storage unit storing response data packets of a plurality of operating systems; and a judging unit for sniffing all visitors, receiving their access data packets, detecting the access data packets and judging their types.
It further comprises a first communication unit for returning the SYN/ACK response data packet for an access data packet and establishing a communication connection with the visitor after the three-way handshake is completed, and a second communication unit for sending the response data packet of any operating system other than the local machine's back to the network scanner.
For the relevant details, see the description of embodiment 1.
Example 3:
An electronic device comprising a memory and a processor, the memory storing one or more computer instructions which, when executed by the processor, implement the method of interfering with a network scanner described above.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the electronic device described above may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method of embodiment 1.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that:
reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the application. Thus, the appearances of the phrase "one embodiment" or "an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
In addition, it should be noted that the specific embodiments described in the present specification may be different in terms of the parts, the shapes of the components, the names of the components, and the like. All equivalent or simple changes in the structure, characteristics and principles as described in the patent idea are included in the protection scope of the patent. Various modifications, additions and substitutions for the specific embodiments described herein may occur to those skilled in the art without departing from the scope and spirit of the invention as defined by the accompanying claims.
Claims (10)
1. A method of interfering with a network scanner, comprising the steps of:
preparing and storing response data packets of a plurality of operating systems, sniffing all visitors, receiving the access data packets of the visitors, detecting the access data packets and judging the type of each access data packet;
if the access data packet is normal traffic access, returning a SYN/ACK response data packet to the access data packet, and establishing a communication connection with the visitor after the three-way handshake is completed;
and if the access data packet is a scanning packet, sending a response data packet of any operating system other than that of the local computer back to the network scanner.
2. The method of claim 1, further comprising the steps of:
setting at least two different types of operating systems, and setting a traffic forwarding interface, wherein the traffic forwarding interface is used for receiving the access data packets of the visitors, detecting the access data packets and judging their types;
one of the operating systems is used for running the service and calling the traffic forwarding interface on the local computer, and the other operating systems are used for preparing and storing their own response data packets.
3. The method of claim 1, wherein preparing and storing response data packets of a plurality of operating systems comprises the steps of:
simulating the receipt of a system detection probe sent by the network scanner, modifying the data content of the IP packet header and the TCP packet header in the response to the system detection probe, and generating and storing the response data packet of the specified operating system.
4. The method of claim 1, wherein sniffing all visitors, receiving the access data packets of the visitors, detecting the access data packets and judging their types comprises the steps of:
setting a raw_socket interface, and monitoring the access data packets of all visitors through the raw_socket interface;
disassembling the structure of the access data packet, analyzing each element of the disassembled structure, and detecting the access data packet and judging its type according to those elements;
wherein the access data packet comprises an IP packet and a TCP packet.
5. The method of claim 1, further comprising the steps of:
blocking the local operating system from sending a Reset packet by means of an IP packet filtering system;
and blocking the local operating system from replying to ICMP packets by means of the IP packet filtering system.
6. The method of claim 3, wherein the system detection probes comprise sequence generation algorithm probes, TCP protocol probes, UDP protocol probes, ICMP echo probes and ECN probes.
7. The method of claim 3, wherein the data content of the IP packet header and the TCP packet header includes the sequence generation algorithm of the TCP/IP stack, the greatest common divisor, growth rate and SP of the TCP ISN, the TCP timestamp option algorithm, the TCP initial window size, the TCP explicit congestion notification (ECN) handling mechanism, the UDP reserved header bits, flag bit information and IP packet attributes.
8. A system for interfering with a network scanner, comprising:
a storage unit, which stores response data packets of a plurality of operating systems;
a judging unit, used for sniffing all visitors, receiving the access data packets of the visitors, detecting the access data packets and judging their types;
a first communication unit, used for returning a SYN/ACK response data packet to the access data packet and establishing a communication connection with the visitor after the three-way handshake is completed;
and a second communication unit, used for sending a response data packet of any operating system other than the local operating system back to the network scanner.
9. An electronic device comprising a memory and a processor, the memory storing one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement the method of interfering with a network scanner as claimed in any one of claims 1 to 7.
10. A readable storage medium on which a computer program is stored which, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
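Claims 1, 4 and 7 together describe the core logic: disassemble each access packet received on a raw socket, decide whether it is normal traffic or a scanner probe, and answer probes with the stored response attributes of a different operating system. The following Python sketch is an added illustration, not code from the patent or its applicant; the OS profile values, the probe heuristics, the packet builder and all function names are constructed assumptions for offline demonstration.

```python
import struct

# Constructed decoy profiles (hypothetical values, not real OS fingerprints):
# IP TTL, IP Don't-Fragment flag and TCP initial window size (claim 7 attributes).
OS_PROFILES = {
    "os_a": {"ttl": 64, "df": True, "window": 29200},
    "os_b": {"ttl": 128, "df": True, "window": 8192},
    "os_c": {"ttl": 255, "df": False, "window": 16384},
}
LOCAL_OS = "os_a"  # the operating system that actually runs the service

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128

def parse_ip_tcp(pkt: bytes) -> dict:
    """Disassemble an IPv4+TCP access packet into the elements used for classification."""
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return {"ttl": pkt[8], "sport": sport, "dport": dport, "seq": seq,
            "flags": off_flags & 0x1FF, "window": window}

def classify(fields: dict) -> str:
    """'normal' for a plain SYN; a probe type for flag combinations a scanner sends."""
    f = fields["flags"]
    if f == SYN:
        return "normal"
    if f & SYN and f & (ECE | CWR):
        return "ecn_probe"              # SYN carrying ECN bits (ECN probe)
    if f in (0, FIN, FIN | PSH | URG):
        return "tcp_probe"              # NULL / FIN / Xmas style TCP probes
    return "other"                      # e.g. segments of existing connections

def handle_access_packet(pkt: bytes) -> dict:
    """Real SYN/ACK handshake for normal traffic, decoy profile for probes, pass otherwise."""
    fields = parse_ip_tcp(pkt)
    kind = classify(fields)
    if kind == "normal":
        return {"action": "handshake", "profile": LOCAL_OS, **OS_PROFILES[LOCAL_OS]}
    if kind == "other":
        return {"action": "pass"}       # simplification: no connection tracking here
    decoy = next(name for name in OS_PROFILES if name != LOCAL_OS)  # any OS but local
    return {"action": "decoy", "probe": kind, "profile": decoy, **OS_PROFILES[decoy]}

def make_packet(flags: int, dport: int = 80) -> bytes:
    """Constructed IPv4+TCP header bytes (no payload) for offline testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0)
    return ip + tcp
```

In a deployment the decoy attributes would be written into the IP and TCP headers of the reply packet and emitted on the raw socket, while the local stack's own RST and ICMP replies are suppressed by packet filtering as in claim 5.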
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210103519.7A CN114465795B (en) | 2022-01-27 | 2022-01-27 | Method and system for interfering network scanner |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210103519.7A CN114465795B (en) | 2022-01-27 | 2022-01-27 | Method and system for interfering network scanner |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114465795A true CN114465795A (en) | 2022-05-10 |
CN114465795B CN114465795B (en) | 2024-03-29 |
Family
ID=81411970
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210103519.7A Active CN114465795B (en) | 2022-01-27 | 2022-01-27 | Method and system for interfering network scanner |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114465795B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101087196A (en) * | 2006-12-27 | 2007-12-12 | 北京大学 | Multi-layer honey network data transmission method and system |
CN101567887A (en) * | 2008-12-25 | 2009-10-28 | 中国人民解放军总参谋部第五十四研究所 | Vulnerability simulation overload honeypot method |
CN105721442A (en) * | 2016-01-22 | 2016-06-29 | 耿童童 | Spurious response system and method based on dynamic variation and network security system and method |
KR20200055403A (en) * | 2018-11-13 | 2020-05-21 | 한국전자통신연구원 | Decoy apparatus and method for expand fake attack surface using deception network |
CN112688900A (en) * | 2019-10-18 | 2021-04-20 | 张长河 | Local area network safety protection system and method for preventing ARP spoofing and network scanning |
CN112751815A (en) * | 2019-10-31 | 2021-05-04 | 华为技术有限公司 | Message processing method, device, equipment and computer readable storage medium |
CN113114666A (en) * | 2021-04-09 | 2021-07-13 | 天津理工大学 | Moving target defense method for scanning attack in SDN network |
CN113132335A (en) * | 2019-12-31 | 2021-07-16 | 西安跃亿智产信息科技有限公司 | Virtual transformation system and method, network security system and method |
Non-Patent Citations (1)
Title |
---|
陈家东; 朱建军: "Research on defense methods against operating system detection" (操作系统探测防御方法研究), 电脑开发与应用, no. 02, pages 1-3 * |
Also Published As
Publication number | Publication date |
---|---|
CN114465795B (en) | 2024-03-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 1st Floor, Building 3, No. 2616, Yuhangtang Road, Cangqian Street, Yuhang District, Hangzhou City, Zhejiang Province, 311100; Applicant after: HANGZHOU MOAN TECHNOLOGY CO.,LTD. Address before: 311100 10th floor, Block E, building 1, 1378 Wenyi West Road, Cangqian street, Yuhang District, Hangzhou City, Zhejiang Province; Applicant before: HANGZHOU MOAN TECHNOLOGY CO.,LTD. |
| GR01 | Patent grant | |