Data packet detection method and system

Abstract

The invention is applicable to an Internet network access device, provides a data packet detection method and system. The data packet detection method comprises the steps of acquiring an original survival time value in a valid data packet; calculating a survival time reference value according to the original survival time value, the survival time reference value corresponding to a plurality of preset adjacent addresses of a source address of the valid data packet; acquiring a survival time value to be verified in a data packet to be verified; and determining whether the data packet to be verified is valid according to the survival time value to be verified and the survival time reference value. Therefore, the invention can reduce the transparent transmission rate of invalid data packets, can improve the security performance of a back-end server, also can be suitable for a variety of complex network environment, and is simple, practical and safe and reliable.

Description

technical field [0001] The invention relates to a data packet detection method and system. Background technique [0002] With the popularization of Internet technology, more and more applications have begun to migrate to the Internet, followed by more and more attacks against the Internet. Many attack data packets are illegal data packets directly forged by hackers, and then forwarded to the target machine through the Internet. If it is not judged that these data packets are not much different from ordinary packets, they will be accepted by network devices and servers. Once the forged attack data packet reaches the target machine, it will pose a fatal threat to the services running on the target machine until the server resources are exhausted and cannot operate normally. [0003] Therefore, an efficient and practical technical solution capable of judging whether a data packet is forged is particularly important. Among the methods for judging the authenticity of data pack...

AI Technical Summary

Problems solved by technology

[0009] 1. The method for TTL detection and recording listed in CN200810067292.5 cannot be used in a NAT (NetworkAddressTransfer, Network Address Translator) environment. It records a formal TTL value for a source address, but in fact if the source address is For a NAT exit, there are multiple segments for the TTL value of this source address, then the actual TTL value recorded in the table will continue to change, as long as different operating systems access alternately, there will be a lot of manslaughter

Although CN200810067292.5 Figure 7 When described in , a TTL credible range will be judged in advance, but when the next TTL comparison table is searched based on the source address, as long as the operating system of the current visitor is different from the operating system of the TTL value recorded in the table, the It may lead to a judgment that does not match the actual TTL value, thus entering the packet loss process

[0010] 2. In CN200810067292.5, one source address corresponds to one storage structure, which requires a large amount of memory

[0011] 3. CN200810067292.5 obtains the TTL value by actively sending ICMP data packets and waiting for the return packet or obtaining the TTL value from the normal three-way handshake, but many network devices or software firewalls will automatically disable ICMP, so the use is limited

[0012] 4. CN200810067292.5 only describes the comparison between the actual TTL value and the pre-stored TTL record. If the difference between the two TTL values ​​is 1 or 2, it will be discarded. However, there may be some differences in the real network environment. Once there is a difference Using the one-to-one relationship between the TTL record described in CN200810067292.5 and the real client will cause very large manslaughter

[0013] 5. The TTL records prestored in CN200810067292.5 have an aging time, that is, the TTL records corresponding to each source address in the storage table will be updated periodically, and the system is redundant and not flexible enough

[0014] In summary, there are obviously inconveniences and defects in the actual use of the existing technology, so it is necessary to improve

Images