CN101257450A - Network security protection method, gateway device, client and network system - Google Patents
- Publication number: CN101257450A (application CNA2008100898387A)
- Authority: CN (China)
- Prior art keywords: client, response message, gateway device, tcp, message
- Legal status: Pending (an assumption by Google Patents, not a legal conclusion)
- Classification areas: Data Exchanges In Wide-Area Networks; Computer And Data Communications
Abstract
Embodiments of the invention disclose a network security protection method, a gateway device, a client and a network system. The method includes: receiving a User Datagram Protocol (UDP) query request message sent by a client; returning a response message to the client, the TC field of which indicates that the message has been truncated; and receiving the Transmission Control Protocol (TCP) connection request that the client sends in response to that message, and establishing a TCP connection between the client and the Domain Name System (DNS) server. Correspondingly, embodiments of the invention also provide a gateway device, a client and a network system. The technical solution provided by these embodiments can improve the security protection of the network.
Description
Technical field
The invention relates to the field of communication technology, and in particular to a network security protection method, a gateway device, a client and a network system.
Background
DNS (Domain Name System) is a hierarchically distributed naming system. In a TCP/IP (Transmission Control Protocol/Internet Protocol) network such as the Internet, DNS names are used to locate computers: when a DNS name is entered in an application, the database on a DNS server supplies the information associated with that name, including its IP address.
DNS services are easily attacked over the network, so a firewall is generally deployed between the DNS server and its clients for security protection, allowing normal messages through and filtering out attack messages. Clients and DNS servers generally exchange messages over UDP (User Datagram Protocol). The client has a retransmission mechanism: if it receives no response from the server, it sends the message to the DNS server again.
In the prior art, when a client sends a UDP query request message that passes through the firewall to the UDP port of the DNS server, the DNS server prepares a reply. If it finds that the data length of the reply exceeds 512 bytes, it sets the TC field in the Flag field of the reply header to 1, truncates the message to its first 512 bytes and returns it to the client. On receiving this message the client first reads the TC field; knowing that the message is truncated, it instead actively opens a TCP connection to the TCP port of the DNS server, reissues the request and carries out the message transfer over that connection.
In the course of researching and practising the prior art, the inventor found the following problems:
Because in the prior art messages between the client and the DNS server are generally carried over UDP, which is connectionless and has no connection handshake or similar mechanism, and a switch to TCP occurs only when the message exceeds 512 bytes, network security is not high and a series of security problems such as DNS spoofing and IP spoofing exist. Take DNS spoofing: the message that the DNS server returns to the client carries the two-byte ID (query ID) that headed the client's message, to mark which query it answers. If this query ID is observed or predicted, it can be used to send false information to the DNS server or the client program.
Summary of the invention
The technical problem to be solved by the embodiments of the invention is to provide a network security protection method, a gateway device, a client and a network system that can improve the security protection of the network.
To solve the above technical problem, the embodiments provided by the invention are realised through the following technical solutions:
An embodiment of the invention provides a network security protection method, including: receiving a User Datagram Protocol (UDP) query request message sent by a client; returning a response message to the client, the TC field of which indicates that the message has been truncated; and receiving the Transmission Control Protocol (TCP) connection request that the client sends in response to that message, and establishing a TCP connection between the client and the Domain Name System (DNS) server.
An embodiment of the invention provides a gateway device, including: a receiving unit for receiving the UDP query request message sent by the client and the TCP connection request that the client sends in response to the response message; a bounce-back unit for returning a response message to the client after the receiving unit has received the UDP query request message, the TC field of the response message indicating that the message has been truncated; and a processing unit for establishing a TCP connection between the client and the DNS server after the receiving unit has received the TCP connection request.
An embodiment of the invention provides a client, including: a sending unit for sending a User Datagram Protocol (UDP) query request message to a gateway device; a receiving unit for receiving the response message returned by the gateway device, the TC field of the response message indicating that the message has been truncated; and a processing unit for sending a Transmission Control Protocol (TCP) connection request to the gateway device in response to the response message received by the receiving unit, and establishing, through the gateway device, a TCP connection between this client and the Domain Name System (DNS) server.
An embodiment of the invention provides a network system, including: a client for sending requests; a gateway device for receiving the UDP query request message sent by the client, returning a response message to the client whose TC field indicates that the message has been truncated, receiving the TCP connection request that the client sends in response to the response message, and establishing a TCP connection between the client and the DNS server; and a DNS server for establishing a connection with the client through the gateway device.
As the above technical solution shows, after receiving a UDP query request message from the client, the embodiments set the TC field of the response message to indicate truncation whether or not the message exceeds 512 bytes. This exploits the existing DNS behaviour so that the client switches to TCP for message transfer, raising the level of network security protection.
Description of the drawings
Fig. 1 is a flowchart of the network security protection method according to an embodiment of the invention;
Fig. 2 is a flowchart of the network security protection method according to Embodiment 1 of the invention;
Fig. 3 is a flowchart of the network security protection method according to Embodiment 2 of the invention;
Fig. 4 is a schematic structural diagram of the gateway device according to an embodiment of the invention;
Fig. 5 is a schematic structural diagram of the network system according to an embodiment of the invention;
Fig. 6 is a schematic structural diagram of the client according to an embodiment of the invention.
Detailed description
Embodiments of the invention provide a network security protection method that can improve the security protection of the network.
The technical solution of the embodiments addresses DNS security by converting DNS communication from UDP to TCP, greatly strengthening DNS security protection.
Fig. 1 is a flowchart of the network security protection method according to an embodiment of the invention, which includes the following steps:
Step 101: receive the UDP query request message sent by the client;
Step 102: return a response message to the client, the TC field of which indicates that the message has been truncated;
Whether or not the data length of the received UDP query request message exceeds 512 bytes, set the TC field in the Flag field of the header of the response message to 1, set the data length to 512 bytes, and bounce the message back to the client.
Step 103: receive the TCP connection request that the client sends in response to the response message, and establish a TCP connection between the client and the DNS server.
Fig. 2 is a flowchart of the network security protection method according to Embodiment 1 of the invention, which includes the following steps:
Step 201: the client sends a UDP query request message;
The client sends a UDP query request message to the DNS server; the message first reaches the firewall.
Step 202: the firewall sends the client a response message with the TC field set to 1 and a data length of 512 bytes;
After receiving the UDP query request message from the client, the firewall sends the client a response message with the TC field set to 1 and a data length of 512 bytes. In this step, whether or not the data length of the UDP query request message received by the firewall exceeds 512 bytes, the firewall sets the TC field in the Flag field of the header of the response message it prepares to 1, sets the data length to 512 bytes, and bounces the message back to the client.
Step 203: on receiving the above response message from the firewall, the client finds that the message is truncated, switches to TCP and sends a connection establishment request;
The client receives the response message bounced back by the firewall and first reads the TC field in the Flag field. Finding it set to 1, the client knows that the response message is truncated, so it decides to exchange messages with the DNS server over TCP instead and sends a connection establishment request.
Step 204: the firewall receives the above connection request from the client, performs security verification by means of the three-way handshake, creates a SESSION table entry, and establishes the connection between the client and the DNS server;
The firewall receives the connection request sent by the client and carries out the three-way handshake with the client as security verification.
First handshake: to establish the connection, the client sends a SYN packet (SYN=j) to the firewall, enters the SYN_SEND state and waits for the firewall to acknowledge;
Second handshake: the firewall receives the SYN packet, acknowledges the client's SYN (ACK=j+1) and at the same time sends a SYN packet of its own (SYN=k), that is, a SYN+ACK packet; the firewall now enters the SYN_RECV state;
Third handshake: the client receives the firewall's SYN+ACK packet and sends an acknowledgement packet ACK (ACK=k+1) to the firewall. Once this packet has been sent, the client and the firewall enter the ESTABLISHED state and the three-way handshake is complete.
After the firewall and the client complete the three-way handshake, the firewall creates a SESSION table entry and then establishes the connection between the client and the DNS server.
Step 205: the client sends the query request message to the DNS server again;
Step 206: the firewall checks the five-tuple against the SESSION table entry and then forwards the query request message to the DNS server, which answers the query.
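As an added example that is not part of the patent, the following Python sketch implements steps 101 to 103 and 201 to 206 from the gateway's side: it parses a UDP query, bounces a TC=1 reply whatever the query's size, shows the client-side TC check and the TCP length framing, and keeps a SESSION table keyed by five-tuple that admits a query only after the handshake has completed. Function names, the constructed sample query and the addresses are this example's own assumptions; the 512-byte padded payload the patent describes is not reproduced.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
FiveTuple = tuple  # (proto, src_ip, src_port, dst_ip, dst_port)


def parse_question(msg: bytes) -> tuple:
    """Return (id, flags, raw question section) of a single-question query.
    Raises ValueError on malformed input so the gateway can drop it."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("short header")
    qid, flags, qdcount, _an, _ns, _ar = DNS_HEADER.unpack_from(msg)
    if flags & FLAG_QR or qdcount != 1:
        raise ValueError("not a single-question query")
    pos = DNS_HEADER.size
    while True:  # walk the QNAME labels up to the terminating zero length
        if pos >= len(msg):
            raise ValueError("truncated qname")
        n = msg[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compression pointer in question")
        pos += 1 + n
    pos += 4  # QTYPE + QCLASS
    if pos > len(msg):
        raise ValueError("truncated question")
    return qid, flags, msg[DNS_HEADER.size:pos]


def truncated_reply(query: bytes) -> bytes:
    """Steps 102/202: answer a UDP query with QR=1, TC=1 and no records,
    whatever its size, so the client switches to TCP.  The patent pads the
    payload to 512 bytes; this example sends only the header and question."""
    qid, flags, question = parse_question(query)
    rd = flags & FLAG_RD  # echo RD as a real server would
    return DNS_HEADER.pack(qid, FLAG_QR | FLAG_TC | rd, 1, 0, 0, 0) + question


def handle_udp(query: bytes) -> Optional[bytes]:
    """Gateway entry point for one UDP datagram: bounce a TC=1 reply, or drop
    the datagram (return None) when it is not a well-formed query."""
    try:
        return truncated_reply(query)
    except ValueError:
        return None


def is_truncated(reply: bytes) -> bool:
    """Step 203: the client reads the TC bit before deciding to retry over TCP."""
    if len(reply) < DNS_HEADER.size:
        return False
    return bool(DNS_HEADER.unpack_from(reply)[1] & FLAG_TC)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP carries each message behind a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


@dataclass
class SessionTable:
    """Step 204 creates a SESSION entry only once the three-way handshake has
    completed; step 206 forwards a query only if its five-tuple has an entry."""
    entries: set = field(default_factory=set)

    def handshake_complete(self, five_tuple: FiveTuple) -> None:
        self.entries.add(five_tuple)

    def forward_allowed(self, five_tuple: FiveTuple) -> bool:
        return five_tuple in self.entries


def build_query(qid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed sample query (standard recursive A query) for testing."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return DNS_HEADER.pack(qid, FLAG_RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    r = handle_udp(q)
    print("TC set:", is_truncated(r), "reply bytes:", len(r))
    table = SessionTable()
    ft = ("tcp", "192.0.2.10", 40000, "192.0.2.53", 53)  # constructed addresses
    print("before handshake:", table.forward_allowed(ft))
    table.handshake_complete(ft)
    print("after handshake:", table.forward_allowed(ft), tcp_frame(q)[:2].hex())
```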
Fig. 3 is a flowchart of the network security protection method according to Embodiment 2 of the invention. Embodiment 2 differs from Embodiment 1 mainly in that the firewall is replaced by a firewall-type gateway, that is, a gateway with firewall functions. Fig. 3 includes the following steps:
Step 301: the client sends a UDP query request message;
The client sends a UDP query request message to the DNS server; the message first reaches the firewall-type gateway.
Step 302: the firewall-type gateway sends the client a response message with the TC field set to 1 and a data length of 512 bytes;
After receiving the UDP query request message from the client, the firewall-type gateway sends the client a response message with the TC field set to 1 and a data length of 512 bytes. In this step, whether or not the data length of the UDP query request message received by the firewall-type gateway exceeds 512 bytes, the gateway sets the TC field in the Flag field of the header of the response message it prepares to 1, sets the data length to 512 bytes, and bounces the message back to the client.
Step 303: on receiving the above response message from the firewall-type gateway, the client finds that the message is truncated, switches to TCP and sends a connection establishment request;
The client receives the response message bounced back by the firewall-type gateway and first reads the TC field in the Flag field. Finding it set to 1, the client knows that the response message is truncated, so it decides to exchange messages with the DNS server over TCP instead and sends a connection establishment request.
Step 304: the firewall-type gateway receives the above connection request from the client, performs security verification by means of the three-way handshake, creates a SESSION table entry, and establishes the connection between the client and the DNS server;
The firewall-type gateway receives the connection request sent by the client and carries out the three-way handshake with the client as security verification.
First handshake: to establish the connection, the client sends a SYN packet (SYN=j) to the firewall-type gateway, enters the SYN_SEND state and waits for the gateway to acknowledge;
Second handshake: the firewall-type gateway receives the SYN packet, acknowledges the client's SYN (ACK=j+1) and at the same time sends a SYN packet of its own (SYN=k), that is, a SYN+ACK packet; the gateway now enters the SYN_RECV state;
Third handshake: the client receives the gateway's SYN+ACK packet and sends an acknowledgement packet ACK (ACK=k+1) to the firewall-type gateway. Once this packet has been sent, the client and the gateway enter the ESTABLISHED state and the three-way handshake is complete.
After the firewall-type gateway and the client complete the three-way handshake, the gateway creates a SESSION table entry and then establishes the connection between the client and the DNS server.
Step 305: the client sends the query request message to the DNS server again;
Step 306: the firewall-type gateway checks the five-tuple against the SESSION table entry and then forwards the query request message to the DNS server, which answers the query.
The above embodiments show that, after receiving a UDP query request message from the client, the technical solution sets the TC field of the response message to 1 whether or not the message exceeds 512 bytes, exploiting the existing DNS behaviour so that the client switches to TCP for message transfer. All messages between the client and the DNS server are thereby carried over TCP, which fully resolves the DNS spoofing attack problem: once communication uses TCP, even if the ID field is obtained, a connection must first be established through the TCP handshake, so DNS spoofing is essentially impossible. Switching to TCP also fully resolves the IP spoofing attack problem in DNS: if the requesting IP is forged, UDP gives no way to tell, and forwarding the request wastes traffic, whereas with TCP the gateway's TCP proxy rejects all data from forged IPs, fully resolving IP spoofing. Switching to TCP further allows the existing security modules of TCP to improve DNS security protection considerably: because TCP is a connection-oriented transport protocol, many security protection algorithms can be built on it, and DNS over TCP can draw on them to raise its level of protection substantially.
The above describes the network security protection method of the embodiments of the invention in detail. Correspondingly, the embodiments of the invention provide a gateway device, a network system and a client.
Fig. 4 is a schematic structural diagram of the gateway device according to an embodiment of the invention.
As shown in Fig. 4, the gateway device includes a receiving unit 401, a bounce-back unit 402 and a processing unit 403.
The receiving unit 401 receives the UDP query request message sent by the client and the TCP connection request that the client sends in response to the response message.
The bounce-back unit 402 returns a response message to the client after the receiving unit 401 has received the UDP query request message; the TC field of the response message indicates that the message has been truncated.
The processing unit 403 establishes a TCP connection between the client and the DNS server after the receiving unit 401 has received the TCP connection request that the client sends in response to the response message.
The bounce-back unit 402 includes a setting unit 4021 and a sending unit 4022.
The setting unit 4021 sets the TC field of the response message to 1 and sets the data of the response message to 512 truncated bytes;
The sending unit 4022 sends the response message prepared by the setting unit 4021 to the client.
The gateway device here is a firewall or a firewall-type gateway.
Fig. 5 is a schematic structural diagram of the network system according to an embodiment of the invention.
As shown in Fig. 5, the network system includes a client 501, a gateway device 502 and a DNS server 503.
The client 501 sends requests.
The gateway device 502 receives the UDP query request message sent by the client 501, returns a response message to the client 501 whose TC field indicates that the message has been truncated, receives the TCP connection request that the client 501 sends in response to the response message, and establishes a TCP connection between the client 501 and the DNS server 503.
The DNS server 503 establishes a connection with the client 501 through the gateway device 502.
The structure of the gateway device 502 is shown in Fig. 4 and includes a receiving unit 401, a bounce-back unit 402 and a processing unit 403.
The receiving unit 401 receives the UDP query request message sent by the client 501.
The bounce-back unit 402 returns a response message to the client 501 after the receiving unit 401 has received the UDP query request message; the TC field of the response message indicates that the message has been truncated.
The processing unit 403 receives the TCP connection request that the client 501 sends in response to the response message and establishes a TCP connection between the client 501 and the DNS server 503.
The bounce-back unit 402 includes a setting unit 4021 and a sending unit 4022.
The setting unit 4021 sets the TC field of the response message to 1 and sets the data of the response message to 512 truncated bytes;
The sending unit 4022 sends the response message prepared by the setting unit 4021 to the client 501.
The gateway device 502 here is a firewall or a firewall-type gateway.
Fig. 6 is a schematic structural diagram of the client according to an embodiment of the invention.
As shown in Fig. 6, the client includes a sending unit 601, a receiving unit 602 and a processing unit 603.
The sending unit 601 sends a User Datagram Protocol (UDP) query request message to the gateway device.
The receiving unit 602 receives the response message that the gateway device returns for the UDP query request message; the TC field of the response message indicates that the message has been truncated.
The processing unit 603 sends a Transmission Control Protocol (TCP) connection request to the gateway device in response to the response message received by the receiving unit 601, and establishes, through the gateway device, a TCP connection between this client and the Domain Name System (DNS) server.
The processing unit 603 further includes a first processing unit 6031 and a second processing unit 6032.
The first processing unit 6031 sends a Transmission Control Protocol (TCP) connection request to the gateway device in response to the response message received by the receiving unit 601.
The second processing unit 6032 carries out the three-way handshake with the gateway device after the first processing unit 6031 has sent the TCP connection request and, once the three-way handshake is complete, establishes a TCP connection between this client and the DNS server through the gateway device.
In summary, after receiving a UDP query request message from the client, the technical solution of the embodiments sets the TC field of the response message to indicate truncation whether or not the message exceeds 512 bytes. This exploits the existing DNS behaviour so that the client switches to TCP for message transfer, raising the level of network security protection.
Furthermore, the technical solution of the embodiments applies not only to firewalls but also to other firewall-type gateways: any gateway device placed inline in the network can adopt this solution to improve network security and better protect the DNS server.
The network security protection method, gateway device, client and network system provided by the embodiments of the invention have been described in detail above. A person of ordinary skill in the art, following the ideas of the embodiments, will make changes in the specific implementation and scope of application; in summary, the content of this specification should not be construed as limiting the invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008100898387A CN101257450A (en) | 2008-03-28 | 2008-03-28 | Network security protection method, gateway device, client and network system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008100898387A CN101257450A (en) | 2008-03-28 | 2008-03-28 | Network security protection method, gateway device, client and network system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101257450A true CN101257450A (en) | 2008-09-03 |
Family
ID=39891930
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2008100898387A Pending CN101257450A (en) | 2008-03-28 | 2008-03-28 | Network security protection method, gateway device, client and network system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101257450A (en) |
Events
- 2008-03-28: CN CNA2008100898387A, CN101257450A, status Pending
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2010124549A1 (en) * | 2009-04-29 | 2010-11-04 | 华为技术有限公司 | Method, apparatus and system for obtaining public key |
CN101651677B (en) * | 2009-09-11 | 2012-08-08 | 北京交通大学 | Method for solving IMS network DNS spoofing attack based on chaos encryption algorithm |
CN102480477A (en) * | 2010-11-30 | 2012-05-30 | 中国移动通信集团北京有限公司 | Method, device and system for accessing service by client |
CN102480477B (en) * | 2010-11-30 | 2015-03-11 | 中国移动通信集团北京有限公司 | Method, device and system for accessing service by client terminal |
CN102546794A (en) * | 2011-12-30 | 2012-07-04 | 华为技术有限公司 | Method for directly communicating browser client with back-end server as well as gateway and communication system |
CN105580018A (en) * | 2013-08-21 | 2016-05-11 | 美敦力迷你迈德公司 | Medical devices and related updating methods and systems |
CN110047571A (en) * | 2013-08-21 | 2019-07-23 | 美敦力迷你迈德公司 | Medical Devices and relevant updates method and system |
US12033737B2 (en) | 2013-08-21 | 2024-07-09 | Medtronic Minimed, Inc. | Streamed communication of updated control information to a medical device via an intermediate device |
CN110047571B (en) * | 2013-08-21 | 2023-10-27 | 美敦力迷你迈德公司 | Medical device and related updating method and system |
US11024408B2 (en) | 2013-08-21 | 2021-06-01 | Medtronic Minimed, Inc. | Medical devices and related updating methods and systems |
CN103747005B (en) * | 2014-01-17 | 2018-01-05 | 山石网科通信技术有限公司 | The means of defence and equipment that DNS cache is poisoned |
CN104468544A (en) * | 2014-11-26 | 2015-03-25 | 上海斐讯数据通信技术有限公司 | Method for enhancing network communication security |
US11075006B2 (en) | 2015-10-23 | 2021-07-27 | Medtronic Minimed, Inc. | Medical devices and related methods and systems for data transfer |
CN105959228B (en) * | 2016-06-23 | 2020-06-16 | 华为技术有限公司 | Traffic processing method and transparent cache system |
CN105959228A (en) * | 2016-06-23 | 2016-09-21 | 华为技术有限公司 | Flow processing method and transparent cache system |
CN106789988A (en) * | 2016-12-08 | 2017-05-31 | 柴汝松 | Network query platform |
CN107124482A (en) * | 2017-05-26 | 2017-09-01 | 深圳市米联科信息技术有限公司 | DNS packet transmission method, system and router |
CN107438115A (en) * | 2017-09-11 | 2017-12-05 | 深圳市茁壮网络股份有限公司 | Domain name resolution method, apparatus and system |
WO2019134334A1 (en) * | 2018-01-04 | 2019-07-11 | 平安科技(深圳)有限公司 | Network abnormal data detection method and apparatus, computer device and storage medium |
CN108965496A (en) * | 2018-07-20 | 2018-12-07 | 网宿科技股份有限公司 | Method and device for verifying the legitimacy of DNS requests |
CN113271287A (en) * | 2020-02-17 | 2021-08-17 | 西安诺瓦星云科技股份有限公司 | Terminal device connection method and device |
CN113542292A (en) * | 2021-07-21 | 2021-10-22 | 江南信安(北京)科技有限公司 | Intranet safety protection method and system based on DNS and IP credit data |
CN113709271A (en) * | 2021-08-25 | 2021-11-26 | 杭州迪普科技股份有限公司 | Domain name resolution method and device |
Similar Documents
Publication | Title |
---|---|
CN101257450A (en) | Network security protection method, gateway device, client and network system |
Demmer et al. | Delay-tolerant networking TCP convergence-layer protocol |
TWI677222B (en) | Connection establishment method and device applied to server load balancing |
JP4517042B1 (en) | Method, apparatus and program for detecting port scans using fake source addresses |
US8332532B2 (en) | Connectivity over stateful firewalls |
CN101997673B (en) | Network agent implementation method and device |
EP1892887B1 (en) | Communication method between communication devices and communication apparatus |
CN104270379B (en) | HTTPS proxy forwarding method and device based on transmission control protocol |
CN102571749B (en) | Data transmission system and method using relay server |
US20120227088A1 (en) | Method for authenticating communication traffic, communication system and protective apparatus |
EP3125502A1 (en) | Method for providing access to a web server |
CN102025746B (en) | Method, device and network equipment for establishing transmission control protocol (TCP) connection |
CN106685930B (en) | Method and device for processing transmission control protocol options |
Thornburgh | Adobe's Secure Real-Time Media Flow Protocol |
CN101252584B (en) | Authentication method, system and equipment for bidirectional forwarding detection protocol conversation |
JP6444988B2 (en) | Communication system using HTTP |
JP2017118545A5 (en) | |
CN101547134B (en) | Method and system for mutually converting UDP connection and TCP connection and transfer server |
CN102427452B (en) | Synchronize (SYN) message transmitting method and device and network equipment |
CN115603994A (en) | A trusted communication method, device, equipment and storage medium |
CN105553986A (en) | UDP-based multi-addressing limited real-time node communication method |
Demmer et al. | RFC 7242: Delay-Tolerant Networking TCP Convergence-Layer Protocol |
JP3648211B2 (en) | Packet relay program, packet relay device, and recording medium |
CN101110816B (en) | Remote data transmission system and method |
JP2002312261A (en) | Network service relay method and relay device |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
ASS | Succession or assignment of patent right | Owner name: CHENGDU CITY HUAWEI SAIMENTEKE SCIENCE CO., LTD. Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD. Effective date: 20090424 |
C41 | Transfer of patent application or patent right or utility model | |
TA01 | Transfer of patent application right | Effective date of registration: 20090424. Address after: Qingshui River District, Chengdu high tech Zone, Sichuan Province, China: 611731. Applicant after: Chengdu Huawei Symantec Technologies Co., Ltd. Address before: Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen Province, China: 518129. Applicant before: Huawei Technologies Co., Ltd. |
C12 | Rejection of a patent application after its publication | |
RJ01 | Rejection of invention patent application after publication | Open date: 20080903 |