CN103475646A - Method for preventing hostile ESP (electronic stability program) message attack - Google Patents
Method for preventing hostile ESP (electronic stability program) message attack Download PDFInfo
- Publication number
- CN103475646A CN103475646A CN2013103712944A CN201310371294A CN103475646A CN 103475646 A CN103475646 A CN 103475646A CN 2013103712944 A CN2013103712944 A CN 2013103712944A CN 201310371294 A CN201310371294 A CN 201310371294A CN 103475646 A CN103475646 A CN 103475646A
- Authority
- CN
- China
- Prior art keywords
- message
- firewall device
- esp
- received
- pool
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 9
- 238000004891 communication Methods 0.000 claims abstract description 6
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
本发明公开了一种防止恶意ESP报文攻击的方法,包括以下步骤:S1:第一防火墙设备接收第二防火墙设备发送的报文,若第一防火墙设备接收报文与发送报文的流量差达到预先设定的阈值,则第一防火墙设备对接收到的ESP报文进行解密,再将解密报文进行复制并将复制的报文留存在报文池中;S2:第一防火墙设备将接收到的ESP报文进行解密后与报文池中的所有报文进行比对,若报文池中存在与接收到的报文相同的报文,则第一防火墙设备切断与第二防火墙设备之间的通信链路,并重新协商IPSEC隧道。The invention discloses a method for preventing malicious ESP message attacks, which includes the following steps: S1: the first firewall device receives the message sent by the second firewall device, if the flow rate of the first firewall device receiving the message is different from that of the sending message When the preset threshold is reached, the first firewall device decrypts the received ESP message, then copies the decrypted message and stores the copied message in the message pool; S2: the first firewall device will receive After the received ESP message is decrypted, it is compared with all the messages in the message pool. If there is a message identical to the received message in the message pool, the first firewall device cuts off the connection with the second firewall device. communication link between them and renegotiate the IPSEC tunnel.
Description
技术领域technical field
本发明涉及网络通信技术领域,特别涉及一种防止恶意ESP报文攻击的方法。The invention relates to the technical field of network communication, in particular to a method for preventing malicious ESP message attacks.
背景技术Background technique
IPSEC隧道对数据报文进行加密处理后的报文分两种,一种是AH报文,一种是ESP报文,对于AH报文来说,只对报文做完整新认证,可以防止报文被篡改,并且AH认证报文是将整个报文体包括新的IP头和AH头一起进行认证处理,此时就防止报文被篡改和重防攻击,但ESP报文只对报文加密部分做认证和加密,所以如果有黑客复制报文的加密部分,ESP头部的sn号修改不断加1的方式来复制整个报文时,IPSEC隧道就会将此报文作为一个正常的ESP报文进行处理,由于ESP报文解密会耗费很高的CPU资源,就会形成损耗CPU攻击。There are two types of packets encrypted by the IPSEC tunnel for data packets, one is AH packets and the other is ESP packets. For AH packets, only a complete new authentication is performed on the packets to prevent The message has been tampered with, and the AH authentication message is to authenticate the entire message body, including the new IP header and the AH header. Do authentication and encryption, so if a hacker copies the encrypted part of the message, the SN number in the ESP header is modified and continuously increased by 1 to copy the entire message, the IPSEC tunnel will treat this message as a normal ESP message For processing, since ESP packet decryption consumes high CPU resources, a CPU loss attack will be formed.
发明内容Contents of the invention
(一)要解决的技术问题(1) Technical problems to be solved
本发明要解决的是解决网络中常见的恶意ESP报文攻击,造成对用户CPU损耗的问题。What the present invention aims to solve is to solve the common malicious ESP message attack in the network, which causes the problem of CPU consumption of users.
(二)技术方案(2) Technical solution
为解决上述技术问题,本发明提供了一种防止恶意ESP报文攻击的方法,其特征在于,In order to solve the problems of the technologies described above, the invention provides a method for preventing malicious ESP message attacks, characterized in that,
包括以下步骤:Include the following steps:
S1:第一防火墙设备接收第二防火墙设备发送的报文,若第一防火墙设备接收报文与发送报文的流量差达到预先设定的阈值,则所述第一防火墙设备对接收到的ESP报文进行解密,再将解密报文进行复制并将复制的报文留存在报文池中;S1: The first firewall device receives the message sent by the second firewall device, and if the flow difference between the received message and the sent message of the first firewall device reaches a preset threshold, the first firewall device Decrypt the message, then copy the decrypted message and save the copied message in the message pool;
S2:所述第一防火墙设备将接收到的ESP报文进行解密后与所述报文池中的所有报文进行比对,若所述报文池中存在与所述接收到的报文相同的报文,则所述第一防火墙设备切断与所述第二防火墙设备之间的通信链路,并重新协商IPSEC隧道。S2: The first firewall device decrypts the received ESP message and compares it with all the messages in the message pool. packets, the first firewall device cuts off the communication link with the second firewall device, and renegotiates the IPSEC tunnel.
所述阈值的取值范围是50~500兆。The value range of the threshold is 50-500 megabytes.
(三)有益效果(3) Beneficial effects
本发明通过在防火墙设备中建立报文池,当防火墙设备吞吐报文的流量差达到阈值后,将接收到的报文与报文池中报文逐一比对,若出现重复报文,则说明网络受到攻击,此时断开通信链路,重新协商IPSEC隧道,可以有效防止恶意ESP报文攻击。The present invention establishes a message pool in the firewall device. When the flow difference of the firewall device throughput reaches the threshold, the received message is compared with the messages in the message pool one by one. If there are duplicate messages, it means When the network is under attack, disconnect the communication link and renegotiate the IPSEC tunnel, which can effectively prevent malicious ESP packet attacks.
具体实施方式Detailed ways
下面对本发明的具体实施方式作进一步详细描述。以下实施例用于说明本发明,但不用来限制本发明的范围。Specific embodiments of the present invention will be further described in detail below. The following examples are used to illustrate the present invention, but are not intended to limit the scope of the present invention.
本实施方式的方法包括以下步骤:The method of the present embodiment comprises the following steps:
S1:第一防火墙设备接收第二防火墙设备发送的报文,若第一防火墙设备接收报文与发送报文的流量差达到预先设定的阈值,则所述第一防火墙设备对接收到的ESP报文进行解密,再将解密报文进行复制并将复制的报文留存在报文池中;S1: The first firewall device receives the message sent by the second firewall device, and if the flow difference between the received message and the sent message of the first firewall device reaches a preset threshold, the first firewall device Decrypt the message, then copy the decrypted message and save the copied message in the message pool;
S2:所述第一防火墙设备将接收到的ESP报文进行解密后与所述报文池中的所有报文进行比对,若所述报文池中存在与所述接收到的报文相同的报文,则所述第一防火墙设备切断与所述第二防火墙设备之间的通信链路,并重新协商IPSEC隧道。S2: The first firewall device decrypts the received ESP message and compares it with all the messages in the message pool. packets, the first firewall device cuts off the communication link with the second firewall device, and renegotiates the IPSEC tunnel.
进一步地,所述阈值的取值范围是50~500兆。Further, the value range of the threshold is 50-500 megabytes.
本发明通过在防火墙设备中将接收到报文进行复制并留存,将接收到的报文与之前接收到的报文进行比对,若出现重复报文,则说明网络已经受到攻击,将网络上的ESP报文和对应IKE报文断开,重新协商IPSEC隧道,通过此方法来解决ESP报文重复攻击的问题。In the present invention, the received message is copied and stored in the firewall device, and the received message is compared with the previously received message. If repeated messages appear, it means that the network has been attacked, and the The ESP packet and the corresponding IKE packet are disconnected, and the IPSEC tunnel is renegotiated. This method solves the problem of repeated ESP packet attacks.
以上实施方式仅用于说明本发明,而并非对本发明的限制,有关技术领域的普通技术人员,在不脱离本发明的精神和范围的情况下,还可以做出各种变化和变型,因此所有等同的技术方案也属于本发明的范畴,本发明的专利保护范围应由权利要求限定。The above embodiments are only used to illustrate the present invention, but not to limit the present invention. Those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the present invention. Therefore, all Equivalent technical solutions also belong to the category of the present invention, and the scope of patent protection of the present invention should be defined by the claims.
Claims (2)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2013103712944A CN103475646A (en) | 2013-08-23 | 2013-08-23 | Method for preventing hostile ESP (electronic stability program) message attack |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2013103712944A CN103475646A (en) | 2013-08-23 | 2013-08-23 | Method for preventing hostile ESP (electronic stability program) message attack |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN103475646A true CN103475646A (en) | 2013-12-25 |
Family
ID=49800342
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2013103712944A Pending CN103475646A (en) | 2013-08-23 | 2013-08-23 | Method for preventing hostile ESP (electronic stability program) message attack |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103475646A (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070165638A1 (en) * | 2006-01-13 | 2007-07-19 | Cisco Technology, Inc. | System and method for routing data over an internet protocol security network |
| WO2007109963A1 (en) * | 2006-03-24 | 2007-10-04 | Huawei Technologies Co., Ltd. | A vpn gateway and an ipv6 network system and a system for realizing mobile vpn in hybrid network and the method |
| CN101262409A (en) * | 2008-04-23 | 2008-09-10 | 华为技术有限公司 | Virtual private network VPN access method and device |
| US20080260151A1 (en) * | 2007-04-18 | 2008-10-23 | Cisco Technology, Inc. | Use of metadata for time based anti-replay |
| CN102571497A (en) * | 2012-01-29 | 2012-07-11 | 华为技术有限公司 | IPSec tunnel fault detection method, apparatus thereof and system thereof |
| CN103188351A (en) * | 2011-12-27 | 2013-07-03 | 中国电信股份有限公司 | IPSec VPN communication service processing method and system under IPv6 environment |
-
2013
- 2013-08-23 CN CN2013103712944A patent/CN103475646A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070165638A1 (en) * | 2006-01-13 | 2007-07-19 | Cisco Technology, Inc. | System and method for routing data over an internet protocol security network |
| WO2007109963A1 (en) * | 2006-03-24 | 2007-10-04 | Huawei Technologies Co., Ltd. | A vpn gateway and an ipv6 network system and a system for realizing mobile vpn in hybrid network and the method |
| US20080260151A1 (en) * | 2007-04-18 | 2008-10-23 | Cisco Technology, Inc. | Use of metadata for time based anti-replay |
| CN101262409A (en) * | 2008-04-23 | 2008-09-10 | 华为技术有限公司 | Virtual private network VPN access method and device |
| CN103188351A (en) * | 2011-12-27 | 2013-07-03 | 中国电信股份有限公司 | IPSec VPN communication service processing method and system under IPv6 environment |
| CN102571497A (en) * | 2012-01-29 | 2012-07-11 | 华为技术有限公司 | IPSec tunnel fault detection method, apparatus thereof and system thereof |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR200425873Y1 (en) | Virtual private network device with harmful information detection and prevention | |
| CN104158653B (en) | A kind of safety communicating method based on the close algorithm of business | |
| CN102571497B (en) | A kind of method, Apparatus and system of ipsec tunnel fault detect | |
| CN103079200B (en) | The authentication method of a kind of wireless access, system and wireless router | |
| CN108075890A (en) | Data sending terminal, data receiver, data transmission method and system | |
| CN104219041A (en) | Data transmission encryption method applicable for mobile internet | |
| CN106209883A (en) | Based on link selection and the multi-chain circuit transmission method and system of broken restructuring | |
| Touil et al. | Secure and guarantee QoS in a video sequence: a new approach based on TLS protocol to secure data and RTP to ensure real-time exchanges | |
| US10440038B2 (en) | Configuration management for network activity detectors | |
| Liyanage et al. | Securing virtual private LAN service by efficient key management | |
| CN110752921A (en) | A security reinforcement method for communication links | |
| CN109688115B (en) | Data security transmission system | |
| CN114928491A (en) | Internet of things security authentication method, device and system based on identification cryptographic algorithm | |
| CN106254231A (en) | A kind of industrial safety encryption gateway based on state and its implementation | |
| CN103596179B (en) | The anti-Denial of Service attack method of access authentication of WLAN based on radio-frequency (RF) tag | |
| CN102710638A (en) | Device and method for isolating data by adopting non-network manner | |
| CN101197828A (en) | A method for implementing secure ARP and network equipment | |
| CN106161386A (en) | A kind of method and apparatus realizing that IPsec shunts | |
| KR101448866B1 (en) | Security apparatus for decrypting data encrypted according to the web security protocol and operating method thereof | |
| CN105591748B (en) | A kind of authentication method and device | |
| CN102843375B (en) | Method for controlling network access based on identification in IP (Internet Protocol) protocol | |
| CN103475646A (en) | Method for preventing hostile ESP (electronic stability program) message attack | |
| CN102447674B (en) | A kind of method of security negotiation and device | |
| CN107317851A (en) | A kind of safety communicating method based on software defined network | |
| CN106487773A (en) | A kind of encryption and decryption method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| DD01 | Delivery of document by public notice | ||
| DD01 | Delivery of document by public notice |
Addressee: Tianjin CP-World Information Technology Co.,Ltd. Person in charge of patents Document name: Notice of Termination of Program |
|
| DD01 | Delivery of document by public notice | ||
| DD01 | Delivery of document by public notice |
Addressee: Tianjin CP-World Information Technology Co.,Ltd. Person in charge of patents Document name: Regard as withdrawal notice |
|
| WD01 | Invention patent application deemed withdrawn after publication | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20131225 |