Disclosure of Invention
In order to solve the technical problem, the invention provides a TCP blocking method, which comprises the following specific technical scheme:
a TCP blocking method comprises the following steps:
step 1: system setup, namely setting up the system among a client, a server and DPI equipment, and establishing a connection between every two of the client, the server and the DPI equipment;
step 2: information acquisition, namely monitoring ARP broadcasts between the client and the server, obtaining the server IP and the client IP from the messages, and obtaining the MAC address of the DPI equipment;
step 3: binding and sending, namely binding the server IP to the MAC address of the DPI equipment as the sender, binding the client IP to the broadcast MAC address as the receiver, and sending a large number of ARP broadcast packets to the client;
step 4: traffic forwarding, namely modifying the ARP cache of the client so that its traffic is forwarded to the DPI equipment;
step 5: blocking suspicious messages, namely, after a TCP connection is established between the client and the server, the DPI equipment detects suspicious information in the forwarded messages and sends RST messages to the client to block the suspicious messages.
Further, in step 3, the DPI device constructs an ARP broadcast packet using its own MAC address and broadcasts it to the intranet environment where the client is located.
Further, in step 5, the DPI device receives the ARP broadcast packets sent by the client to the intranet through an opened handle and inspects those packets.
Further, the RST messages in step 5 include forward RST messages and reverse RST messages: a forward RST message has the same receiving end as the suspicious message, and a reverse RST message has a receiving end different from that of the suspicious message.
Further, in step 5, the client and the server establish a TCP connection, the SEQ is predicted from the TCP handshake messages transmitted between the client and the server, and the process is carried out according to the three-way handshake characteristic of the TCP connection and the flag bits in the TCP header.
Further, the TCP header includes an ACK flag; when the suspicious packet is a packet sent by the client, the SEQ value of the RST packet sent to the client should be the ACK value of the last received packet, and a plurality of such packets are sent.
The invention has the beneficial effects that:
the invention effectively reduces the volume of packet traffic that the access device needs to analyse; interference from external network traffic is avoided; the two network cards work simultaneously, which reduces the service pressure on a single network card driver and improves its packet receiving and sending performance, and the blocking success rate is high.
Detailed Description
The present invention will now be described in further detail with reference to the accompanying drawings. These drawings are simplified schematic views illustrating only the basic structure of the present invention in a schematic manner, and thus show only the constitution related to the present invention.
As shown in fig. 1, the TCP blocking method of the present invention includes the following steps. First, the system is set up: the client, the server and the DPI equipment are deployed, and a connection is established between every two of them. Second, information is acquired: ARP broadcasts between the client and the server are monitored, the server IP and the client IP are obtained from the messages, and the MAC address of the DPI equipment is obtained. Third, binding and sending: the server IP is bound to the MAC address of the DPI equipment as the sender, the client IP is bound to the broadcast MAC address as the receiver, and a large number of ARP broadcast packets are sent to the client. Fourth, traffic forwarding: the ARP cache of the client is modified so that its traffic is forwarded to the DPI equipment. Finally, suspicious messages are blocked: after a TCP connection is established between the client and the server, the DPI equipment detects suspicious information in the forwarded messages and sends RST messages to the client to block the suspicious messages.
Example 1
As shown in fig. 3, the application scenario for implementing TCP blocking in the embodiment of the present application is as follows. The client is an admission terminal. The DPI (Deep Packet Inspection) equipment, that is, the admission equipment, is connected to the client (the admission terminal) in parallel with it; the DPI device may be a bypass listening device. When a suspicious message transmitted between the client and the server is observed, the DPI equipment constructs a blocking message, namely an RST message, and sends the constructed RST message to the client or the server, so that the attack carried by the suspicious message is blocked. In the prior art, the DPI device sends an RST packet to the client or the server after it observes a suspicious packet. However, because the RST message is likely to reach the client or the server later than the suspicious message, the receiver does not process the RST message, which by then is an "outdated" message; the RST message therefore fails to block the suspicious message, and the blocking success rate of the prior art is low. As shown in fig. 3, once a client that requires admission control is confirmed, the DPI device monitors the ARP broadcast packets sent by that client to the intranet and constructs an ARP packet from the observed packet and the MAC address of the DPI device. After the ARP message is constructed, the DPI device broadcasts it to the intranet environment where the client is located, so that the client's traffic is forwarded to the DPI device. With this method and device, the pressure on the application program that analyses messages is reduced and the probability that the RST message is not outdated is increased, so the blocking success rate is improved.
Example 2
As shown in fig. 2, a handle of the DPI device is first opened and the ARP broadcasts of the client are listened to. When a client wants to establish a TCP connection with a server, it looks up the IP and MAC address of the gateway in its local ARP cache; if the gateway IP-to-MAC mapping exists in the cache, the gateway address is found directly and the TCP connection with the server is established. The gateway IP-to-MAC mapping stays in the ARP cache for at most 10 minutes, after which the client broadcasts an ARP message to all hosts on the intranet to resolve the gateway. The DPI device monitors this ARP message and obtains from it the IP and MAC address of the client and the IP of the gateway. In one example, assume a session table as shown in table 1 below,
table 1 shows only part of the session table: the destination MAC is the broadcast MAC address, that is, every device on the intranet receives the same message, and the destination IP is the IP to be resolved, which is unrelated to the device receiving the message. The DPI device then constructs and broadcasts an ARP packet. The DPI equipment opens a handle and monitors the ARP messages of the client; when a message from the client tries to resolve the gateway, the opened handle detects the ARP message broadcast by the client, and the DPI equipment parses the source IP and source MAC of the message as the addresses of the sender, and the target IP of the ARP message, namely the gateway IP. The DPI device obtains the gateway address and its own MAC address and constructs an ARP message. In one example, assume a session table as shown in table 2 below,
table 2 shows only part of the session table, namely the ARP packet constructed by the DPI device; the packet binds the IP of the gateway to the MAC address of the DPI device and is broadcast to all devices. When the client receives this ARP message it performs no check and directly writes the source IP to source MAC mapping of the message into its ARP cache. When the gateway receives the ARP message sent by the client, it also sends a reply carrying the correct gateway IP and MAC address to the client. Therefore, the DPI device needs to keep sending multiple constructed ARP messages to prevent the correct ARP reply from the gateway from being written into the ARP cache, which would cause the traffic to stop flowing to the DPI device. Fig. 4 is a flowchart illustrating an implementation of TCP blocking according to the present application, which runs on the DPI device. First, the SEQ is predicted from the TCP handshake messages captured between the client and the server. The blocking mode mainly relies on the three-way handshake characteristic of the TCP connection and the flag bits in the TCP header: the TCP protocol provides a reliable transmission service, so when a packet is sent from one end to the other, TCP uses a three-way handshake and information transmission starts once the handshake is finished. The TCP header contains a number of flag bits, namely URG (urgent pointer field significant), ACK (acknowledgement field significant), PSH (push function), RST (reset the connection) and SYN (synchronize sequence numbers). Fig. 5 is a basic TCP message synchronisation diagram.
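The behaviour just described, an IP claimed by a second MAC and that claim repeated at a high rate to outlive the gateway's own reply, is exactly what an intranet host or monitor can look for. The following is an added example, not code from the patent; all frames and addresses are constructed, and `analyze_arp` is a hypothetical helper name.

```python
"""Spot the ARP cache rewrite pattern from the intranet side: an IP (here the
gateway) suddenly claimed by a second MAC, and one sender repeating that claim
often enough to keep the poisoned cache entry alive.

Added example, not the patent's own code; all frames and addresses are constructed.
"""
from collections import defaultdict

# Constructed ARP frames as (time_s, sender_ip, sender_mac, opcode); opcode 1 =
# request, 2 = reply. Either kind tells the receiver "sender_ip is at sender_mac".
FRAMES = [
    (0.00, "192.168.1.10", "aa:aa:aa:aa:aa:10", 1),  # client resolves the gateway
    (0.01, "192.168.1.1",  "aa:aa:aa:aa:aa:01", 2),  # real gateway answers
    (0.02, "192.168.1.1",  "dd:dd:dd:dd:dd:01", 2),  # another device claims the gateway IP
    (0.22, "192.168.1.1",  "dd:dd:dd:dd:dd:01", 2),
    (0.42, "192.168.1.1",  "dd:dd:dd:dd:dd:01", 2),
    (0.62, "192.168.1.1",  "dd:dd:dd:dd:dd:01", 2),
    (0.82, "192.168.1.1",  "dd:dd:dd:dd:dd:01", 2),
    (5.00, "192.168.1.1",  "aa:aa:aa:aa:aa:01", 2),  # real gateway answers again
]


def analyze_arp(frames, rate_threshold=5, window_s=1.0):
    """Return (bindings, conflicts, floods) for a list of ARP frames.

    bindings:  ip -> first MAC that claimed it (what a trusting cache learns first)
    conflicts: ip -> set of every MAC that claimed it, for IPs claimed by >1 MAC
    floods:    (ip, mac) pairs that repeated the claim rate_threshold times
               within window_s seconds, i.e. the "keep sending" behaviour
    """
    bindings = {}
    seen = defaultdict(set)
    times = defaultdict(list)
    floods = set()
    for ts, ip, mac, _opcode in frames:
        bindings.setdefault(ip, mac)
        seen[ip].add(mac)
        # Keep only the timestamps of this (ip, mac) claim inside the window.
        recent = [t for t in times[(ip, mac)] if ts - t <= window_s] + [ts]
        times[(ip, mac)] = recent
        if len(recent) >= rate_threshold:
            floods.add((ip, mac))
    conflicts = {ip: macs for ip, macs in seen.items() if len(macs) > 1}
    return bindings, conflicts, floods
```

A static ARP entry for the gateway, or dynamic ARP inspection on the switch, is the usual mitigation once such a conflict is seen.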
Sequence numbers appear in pairs in the TCP protocol: the SEQ sequence number field indicates the position, within the whole data stream the sending host wants to transmit, of the data carried in this message, and the ACK SEQ acknowledgement sequence number indicates the sequence number of the next octet the sender expects to receive from the other party. SEQ follows the following principle: the SEQ sent is equal to the ACK SEQ last received, and the ACK SEQ sent is equal to the SEQ last received plus the length of the TCP data carried in that message. According to this rule, once the SEQ information of the source and destination traffic is obtained, the sequence number of the next message expected by the source computer can be calculated and a response packet constructed, so that the normal TCP connection can be blocked. Second, suspicious messages are analysed. The DPI equipment monitors a lot of traffic, so it must provide a filtering function that quickly locates the content to be analysed; it provides several commonly used methods for identifying suspicious messages. In the first scheme, an IP blacklist is defined: all requests to an address on the blacklist, and all requests initiated by a blacklisted IP, are regarded as suspicious messages and are blocked and intercepted. In the second scheme, HTTP request analysis is used. HTTP requests are numerous on the network; TCP stream reassembly can be used to reconstruct the HTTP packets and obtain the complete HTTP request and response messages, and on this basis statistics are gathered on the HTTP traffic generated when computer devices in the unit network access normal Web servers, including: the average size of transmitted HTTP request packets and the average size of received HTTP response packets, the average ratio of request traffic size to response traffic size in any HTTP session, the average total data volume transmitted by each computer device per day, the non-standard HTTP header fields used in packets when accessing normal Web servers, and the names and URLs of the Web services accessed when the software used daily on the unit network updates itself automatically. Abnormal behaviour includes: the server is in the blacklist library of the first scheme; several consecutive DNS queries are issued before the HTTP request is sent and the query result is NXDOMAIN; non-HTTP traffic is sent to the default port of a Web server; the HTTP header in the packet contains non-standard fields that are not among the statistically observed non-standard header fields; the request packets are sent with a certain periodicity; files uploaded to a Web server outside the local unit network are encrypted by the uploader, or their actual file type is a compressed file, an Office-type file or a PDF file. Abnormal behaviour also includes: within one session, the request packets sent several times in a row are larger than the response packets; the ratio of request traffic size to response traffic size exceeds a configured threshold; the total data volume of a single session exceeds a configured threshold, or the total data volume requested to be output within 24 hours exceeds a threshold or is several times the corresponding statistical volume. Third, when a suspicious message is observed, a reset-connection RST message is constructed according to the suspicious message. After the TCP connection is established between the client and the server, the DPI device may monitor the data packets transmitted between the client and the server.
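The HTTP anomaly rules of the second scheme, written out as a session classifier. This is an added example, not the patent's own filtering code; the baseline statistics, thresholds and the two session records are constructed, and `classify_session` and `is_periodic` are hypothetical names.

```python
"""Score a reconstructed HTTP session against the anomaly rules listed above.
Added example, not the patent's own code; baseline, thresholds and sessions are constructed.
"""
from statistics import mean, pstdev

# Constructed baseline standing in for the statistics gathered from normal Web access.
BASELINE = {
    "avg_daily_bytes_out": 40_000_000,
    "known_header_fields": {"host", "user-agent", "accept", "cookie", "x-requested-with"},
    "server_blacklist": {"203.0.113.9"},
}
THRESHOLDS = {
    "ratio": 0.5,                   # request bytes / response bytes per session
    "session_bytes": 50_000_000,    # total bytes of one session
    "daily_bytes_out": 200_000_000, # absolute 24 h outbound limit
    "daily_multiple": 3,            # ... or N times the baseline daily volume
    "consecutive_big_requests": 3,  # requests in a row larger than their responses
    "nxdomain_run": 3,              # NXDOMAIN answers just before the request
    "periodicity_cv": 0.1,          # coefficient of variation of request intervals
}


def is_periodic(times, cv_limit):
    """Request intervals with very little relative spread look beacon-like."""
    if len(times) < 4:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m < cv_limit


def classify_session(s, baseline=BASELINE, th=THRESHOLDS):
    """Return the names of the rules the session record trips (empty = benign)."""
    hits = []
    if s["server_ip"] in baseline["server_blacklist"]:
        hits.append("blacklisted_server")
    if s["nxdomain_before_request"] >= th["nxdomain_run"]:
        hits.append("dns_nxdomain_run")
    if s["server_port"] in (80, 443) and not s["looks_like_http"]:
        hits.append("non_http_on_web_port")
    if {h.lower() for h in s["header_fields"]} - baseline["known_header_fields"]:
        hits.append("nonstandard_header_fields")
    if is_periodic(s["request_times"], th["periodicity_cv"]):
        hits.append("periodic_requests")
    req, resp = s["request_bytes"], s["response_bytes"]
    run = 0
    for r, p in zip(req, resp):
        run = run + 1 if r > p else 0
        if run >= th["consecutive_big_requests"]:
            hits.append("consecutive_large_requests")
            break
    if sum(req) / max(sum(resp), 1) > th["ratio"]:
        hits.append("request_response_ratio")
    if sum(req) + sum(resp) > th["session_bytes"]:
        hits.append("session_volume")
    out = s["bytes_out_24h"]
    if out > th["daily_bytes_out"] or out > th["daily_multiple"] * baseline["avg_daily_bytes_out"]:
        hits.append("daily_outbound_volume")
    return hits


# Constructed sessions: ordinary browsing, and a periodic upload to a blacklisted host.
BENIGN = {"server_ip": "198.51.100.20", "server_port": 443, "looks_like_http": True,
          "nxdomain_before_request": 0, "header_fields": ["Host", "User-Agent", "Accept"],
          "request_times": [0.0, 1.3, 7.9, 8.4], "request_bytes": [500, 700, 400],
          "response_bytes": [9000, 15000, 20000], "bytes_out_24h": 30_000_000}
SUSPECT = {"server_ip": "203.0.113.9", "server_port": 80, "looks_like_http": True,
           "nxdomain_before_request": 4, "header_fields": ["Host", "X-Session-Key"],
           "request_times": [0.0, 60.0, 120.0, 180.0, 240.0],
           "request_bytes": [200000, 210000, 190000, 205000, 200000],
           "response_bytes": [300, 300, 300, 300, 300], "bytes_out_24h": 150_000_000}
```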
When the DPI equipment observes a suspicious message, it constructs RST messages from the suspicious message, and these RST messages are used to block the suspicious message. When the bypass device finds an illegal TCP connection, it predicts the SEQ of the connection, assembles RST packets on that basis and sends them to both ends of the communication; the stacks of both communicating sides interpret the RST packet as a response from the other end, stop the whole communication process, release the buffers and discard the TCP state information, so the connection is actively cut off. When the client or the server receives an RST message, the ACK bit of the RST message may be checked first. When the ACK bit of the message is not 0, the client or the server goes on to check the ACK_SEQ value of the RST message; when the ACK bit of the RST message is 0, the client or the server no longer checks the ACK_SEQ value after checking the ACK bit. Therefore, when the RST message is constructed, its ACK bit can be set to 0, and because the RST message is used to block a suspicious message, its RST bit is set to 1. Then, the RST messages sent to the client and to the server are constructed respectively according to the suspicious message. RST messages can be divided into two types, namely forward RST messages and reverse RST messages. A forward RST message has the same receiving end as the suspicious message; a reverse RST message has a receiving end different from that of the suspicious message. The forward RST message and the reverse RST message differ slightly in structure.
When the receiving end of the suspicious message is the same as the receiving end of the RST message to be constructed, a forward RST message is constructed according to the suspicious message. When constructing the forward RST message, the ACK bit is first set to 0 and the RST bit to 1. Then the data sequence number SEQ of the forward RST packet is set equal to the ACK value of the suspicious packet. After these parts of the forward RST message are set, the other parts are set the same as in the suspicious message. When the receiving end of the suspicious message differs from the receiving end of the RST message to be constructed, a reverse RST message is constructed according to the suspicious message. When constructing the reverse RST message, the ACK bit is first set to 0 and the RST bit to 1. Then the data sequence number SEQ of the reverse RST message is set equal to the ACK value of the suspicious message, the source IP and source port of the suspicious message become the destination IP and destination port of the reverse RST message, and the destination IP and destination port of the suspicious message become the source IP and source port of the reverse RST message. After these parts of the reverse RST message are set, the other parts are set the same as in the suspicious message. Fourth, RST messages are sent to the client and the server respectively to block the suspicious message.
When the DPI device finds a suspicious TCP connection, it predicts the SEQ of the connection and assembles RST packets on that basis; the stacks of both communicating sides interpret the RST packet as a response from the other end, the whole communication process is stopped, the buffer area is released and all TCP state information is discarded, so that the connection is actively disconnected. When the DPI device sends RST messages, if an RST message were sent for every TCP handshake, a large amount of invalid loopback RST traffic would occur and affect the normal operation of the entire network. According to engineering experience, the DPI device must selectively identify the connections that require an RST, and it can send RST messages selectively by examining the flag bits of the captured connection: for example, when the TCP flags of the received segment are 0x02 (SYN) or 0x12 (SYN+ACK), the DPI device sends RST packets only to the source, i.e. reverse RST messages, and when the TCP flags of the received segment are 0x10 (ACK), the DPI device sends RST packets only to the destination, i.e. forward RST messages. According to engineering experience, each time RST messages are sent in response to a suspicious message, 5 RST messages are generally sent, and their SEQ values increase progressively in units of the window (win) value of the suspicious message: the SEQ of the first RST message is equal to the ACK value of the suspicious message, and each subsequent RST message has a SEQ one win value larger than that of the previous RST message.
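The SEQ rule stated earlier (next SEQ sent = last ACK received; ACK sent = last SEQ received plus data length) and the receiver-side acceptance check that decides whether an RST is "outdated", carried through on a captured handshake. This is an added example, not the patent's code; the segments are constructed, `Tracker` and `track` are hypothetical names, and the acceptance test is the standard in-window rule a TCP stack applies, with the ACK bit clear so only SEQ is checked.

```python
"""Track next-expected sequence numbers of one TCP connection and judge, from the
receiving stack's point of view, whether an RST would be accepted or is already
outdated. Added example, not the patent's code; all segments are constructed.
"""
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits (0x12 = SYN+ACK)

# Segment tuple: (sender, flags, seq, ack, payload_len, advertised_window)


class Tracker:
    """Per-side next SEQ each end will send, derived from what the other end acked."""

    def __init__(self):
        self.next_seq = {}  # side -> next SEQ that side will send
        self.win = {}       # side -> last window that side advertised

    def observe(self, seg):
        src, flags, seq, ack, length, win = seg
        peer = "server" if src == "client" else "client"
        # SYN and FIN each consume one sequence number in addition to the payload.
        consumed = length + bool(flags & SYN) + bool(flags & FIN)
        self.next_seq[src] = (seq + consumed) & 0xFFFFFFFF
        self.win[src] = win
        if flags & ACK:
            # The rule above: the peer's next SEQ equals the ACK it just received.
            self.next_seq[peer] = ack
        return self.next_seq[src]

    def rst_acceptable(self, seg):
        """Would the receiver of this RST accept it? Only if its SEQ falls inside the
        window the receiver currently expects from that sender (wrap-around ignored)."""
        src, flags, seq, _ack, _length, _win = seg
        if not flags & RST:
            return False
        receiver = "server" if src == "client" else "client"
        rcv_nxt = self.next_seq[src]      # what `receiver` expects next from `src`
        rcv_wnd = self.win[receiver]      # window `receiver` advertised
        return rcv_nxt <= seq < rcv_nxt + rcv_wnd


# Constructed capture: three-way handshake, a 100-byte request, a pure ACK back.
HANDSHAKE = [
    ("client", SYN,       1000,    0,   0, 65535),
    ("server", SYN | ACK, 5000, 1001,   0, 29200),
    ("client", ACK,       1001, 5001,   0, 65535),
    ("client", ACK,       1001, 5001, 100, 65535),
    ("server", ACK,       5001, 1101,   0, 29200),
]


def track(segments):
    t = Tracker()
    for seg in segments:
        t.observe(seg)
    return t
```

Once the server sends its reply, an RST built from the earlier prediction falls below the client's expected sequence number and is dropped; that is the timing race the text describes.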
Example 3
As shown in fig. 4, multiple application programs are first launched on the DPI device. The applications (apps) are driven by pfring, and the DPI device includes at least two network cards, for example an eno3 network card and an eth0 network card. Apps 1, 2 and 3 belong to the same pfring cluster; the source IP, source port, destination IP, destination port, protocol and VLAN of each received message are parsed and taken together as a unit, and messages belonging to the same unit are distributed to the same application program, which solves the problem that the unpacking rate of a single application program is insufficient. Then, the two network cards are monitored and different functions are assigned to them. In the application program, the two network cards are monitored in read-only or write-only mode: for example, the eno3 network card is monitored and a ringReceive (handle) object is generated, which has a single function and is only responsible for receiving data from the ring, not for writing data into it; the application program monitors the other network card, eth0, and generates a ringSend (handle) object, which likewise has a single function and is not responsible for receiving data from the ring. These objects are all generated by the application program to monitor the network card drivers.
In light of the foregoing description of the preferred embodiment of the present invention, many modifications and variations will be apparent to those skilled in the art without departing from the spirit and scope of the invention. The technical scope of the present invention is not limited to the content of the specification, and must be determined according to the scope of the claims.