An anti-replay attack method for whole-network UDP port scanning

A port scanning and anti-replay technology, applied in transmission systems, electrical components, etc. It addresses the problems that the port information of IP devices cannot be collected, that the memory space of the scanning end is exhausted, and that attackers are difficult to defend against, so as to improve security surveying and mapping, give good scanning results, and improve accuracy and efficiency.

Active Publication Date: 2021-03-30
HANGZHOU ANHENG INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

[0006] (1) Black and white lists: IP addresses that have initiated replay attacks are added to a blacklist. When the scanning end receives a packet, it first checks whether the packet's source IP is in the blacklist; if it is, the packet is discarded, and if it is not, the packet is kept. Although this method can defend against replay attacks from a fixed list of IPs, most attackers now disguise their source IP, which is a variable the attacker can change at will. Especially when defending against replay attacks across the entire network, the black and white list method not only has difficulty stopping attackers, but also means that the port information of the IP devices in the blacklist cannot be collected;

[0007] (2) The source IP address and source port of the received message are used as the key, and an AVL tree is built with the number of times received as the value. When the scanning end receives a message, it queries the AVL tree directly by source IP address and source port. If the corresponding reception count exceeds the set upper limit, the message is judged to be a replay attack and discarded; if the limit is not exceeded, the message is kept. With this approach, the source IP address of a UDP message is 32 bits and the source port is 16 bits, so using the source IP address and source port as the key requires maintaining an AVL tree keyed by a 48-bit integer, which may need to store up to 2^48 nodes. When the scanning end scans the entire network, replay attacks can come from any port of any IP, so maintaining this AVL tree consumes a great deal of space and can even exhaust the memory of the scanning end.


Examples


Embodiment Construction

[0032] The present invention will be further described in detail below with reference to the embodiments, but the protection scope of the present invention is not limited thereto.

[0033] The invention relates to an anti-replay attack method for UDP port scanning of the whole network. The whole network in the invention is based on IPv4, the fourth version of the Internet Protocol (IP) and the first widely used one, which forms the underlying protocol of Internet technology.

[0034] The method includes the following steps.

[0035] Step 1: Module initialization; circular AVL tree array initialization.

[0036] In the present invention, the scanning end involves a sending module, a receiving module and a verification module, which respectively handle the transmission of encrypted UDP packets, the reception of response UDP packets, and the replay-attack verification of valid response packets. These modules need to read...


Abstract

The invention relates to an anti-replay attack method for whole-network UDP port scanning. The scanning end constructs a UDP message, encrypts the UDP message header according to the target IP device, and sends the encrypted UDP probe packets across the IPv4 full address space. The scanning end verifies each response UDP message and discards it if it is not valid. Otherwise, a key is calculated from the IP address and source port of the IP device that sent the valid response message, and the reception count for that key is looked up in a circular AVL tree array. If the count for the key exceeds the upper limit on receptions, the message is judged to be a replay attack and the valid response message is discarded; otherwise, the scanning end receives and processes the valid response message. The method includes two defensive mechanisms, has a low maintenance cost, gives accurate scanning results, occupies little space and keeps that space within a controllable range, and can effectively defend against replay attacks on UDP messages from any port of any IP address. It improves the accuracy and efficiency of security mapping and asset scanning in cyberspace, and provides solid technical support for mapping the global network space.
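An added sketch of the two-stage check the abstract describes (not the patent's own code). The page gives neither the header-encryption scheme nor the layout of the circular AVL tree array, so the HMAC-derived probe source port, the time-sliced ring, the dicts standing in for AVL trees, and every constant below are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-key"  # per-scan secret (constructed value)
LIMIT = 2          # assumed upper limit on receptions per key
SLOTS = 4          # assumed number of slots in the ring
SLOT_SECONDS = 10  # assumed time span covered by one slot


def probe_sport(target_ip: str, target_port: int) -> int:
    """Source port used for a probe: a keyed MAC over the target address."""
    msg = ipaddress.IPv4Address(target_ip).packed + struct.pack("!H", target_port)
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return 32768 + int.from_bytes(mac[:2], "big") % 28232


class ReplayFilter:
    def __init__(self):
        # Ring of per-window counters; each dict stands in for one AVL tree.
        self.ring = [{} for _ in range(SLOTS)]
        self.epochs = [-1] * SLOTS

    def accept(self, src_ip, src_port, dst_port, now):
        # Mechanism 1: stateless validity check, so forged responses
        # never consume memory on the scanning end.
        if dst_port != probe_sport(src_ip, src_port):
            return "invalid"
        # Mechanism 2: count valid responses per 48-bit (IP, port) key.
        key = (int(ipaddress.IPv4Address(src_ip)) << 16) | src_port
        epoch = int(now // SLOT_SECONDS)
        i = epoch % SLOTS
        if self.epochs[i] != epoch:  # stale slot: recycle it, bounding memory
            self.ring[i] = {}
            self.epochs[i] = epoch
        self.ring[i][key] = self.ring[i].get(key, 0) + 1
        total = sum(slot.get(key, 0)
                    for slot, e in zip(self.ring, self.epochs)
                    if e > epoch - SLOTS)
        return "replay" if total > LIMIT else "accept"
```

Only responses that pass the first check are counted, and slots older than the ring span are discarded, so the counter state stays far below the 2^48 worst case of the single-tree approach.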

Description

Technical field

[0001] The invention relates to the transmission of digital information, such as the technical field of telegram communication, and in particular to an anti-replay attack method for efficiently defending against replay attacks during UDP port scanning of the whole network.

Background technique

[0002] The application of network technology has profoundly affected and changed people's production methods and lifestyles, promoted the progress and development of all aspects of society, and played an important role in promoting and supporting various fields of the national economy.

[0003] Port scanning refers to sending a group of port scan packets to try to access a device and obtain various useful information about it. Powerful port scanning technology can effectively detect various security risks and vulnerabilities, and generate detailed security detection reports, compatible with various mainstream operating systems, firewalls, routers and other n...

Application Information

Patent Type & Authority: Patents (China)
IPC: IPC(8): H04L29/06
CPC: H04L63/0236, H04L63/0245, H04L63/12, H04L63/1416, H04L63/1466, H04L69/164
Inventor: 郑威, 范渊, 王俊杰, 莫金友
Owner: HANGZHOU ANHENG INFORMATION TECH CO LTD