CN1812394A - Method for using immediate information software by data detection network address switching equipment - Google Patents


Info

Publication number: CN1812394A
Authority: CN (China)
Prior art keywords: address, nat, data, packet, network address
Legal status: Granted
Application number: CNA2006100114224A
Other languages: Chinese (zh)
Other versions: CN100493065C (en)
Inventors: 毕军, 章淼, 吴建平, 赵雷
Current assignee: Tsinghua University
Original assignee: Tsinghua University

Events
Application filed by Tsinghua University
Priority to CNB2006100114224A (granted as CN100493065C)
Publication of CN1812394A
Application granted
Publication of CN100493065C
Legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This invention determines the number of concurrently running instant messaging (IM) client processes behind a monitored IP address by capturing the traffic that IM software sends on the network, and from that number judges whether network address translation (NAT) is in use at that IP address. It relies on application-layer information that existing methods do not use, so users and NAT manufacturers cannot evade detection by modifying the host network protocol stack or the NAT gateway.

Description

Method for detecting network address translation devices using instant messaging software data
Technical field
The method for detecting network address translation devices using instant messaging software data belongs to the field of Internet technology, and in particular to management techniques for Internet access networks.
Background technology
Network address translation devices (hereafter NAT) were proposed in 1994 as a scheme for dealing with the shortage of IPv4 addresses. The typical NAT operating scenario, shown in Figure 1, is a subnet using private addresses that reaches the Internet through the NAT. The NAT is configured with at least one globally valid address G, while the hosts inside the subnet use private addresses. The NAT rewrites the IP addresses of inbound and outbound datagrams: it replaces the source address of every outbound datagram with G, and replaces the destination address of every inbound datagram with the private address of the correct host. Seen from outside, the NAT looks like an ordinary host: all packets come from the NAT and all responses return to the NAT. Seen from inside, the NAT is a router that can reach the Internet. By translating IP addresses from one address range into another, the NAT gives hosts with private addresses IP-layer access to the Internet.
NAT relieves the pressure of the Internet IP address shortage, but it also causes many problems. From the network management angle, NAT lets multiple hosts access the network at the same time while appearing externally as a single host, so the administrator has no way to learn the precise usage of the network, and several users sharing one NAT to access the Internet means potential loss of customers for the Internet service provider (ISP). From the network security angle, NAT may let unauthorized hosts access the network, possibly even wirelessly, which creates a hidden security risk. People therefore need to know the state of NAT usage in the network.
Obtaining information about devices in a network can broadly be done in two ways, active and passive. In active mode, the prober sends data to the target on its own initiative and obtains its response; in passive mode, the prober monitors the packets the target sends. Active mode can probe anywhere in the network, but introduces data into the network and can easily disturb the target; passive mode introduces no data, but needs a specific test point. At present people generally use passive mode to detect NAT, because most NATs do not respond to unsolicited packets, so active mode generally has difficulty obtaining information about a NAT through communication initiated from outside to inside; by comparison, passive mode can easily obtain the packets sent by the hosts behind the NAT. The NAT detection scenario is shown in Figure 2: a test point is placed at the network boundary, where it passively captures and analyses network data to detect any NAT present in the network.
Existing NAT detection methods include the IP header time-to-live (TTL) field value method, passive operating system fingerprinting using the IP header, and the method of constructing sequences from the IP header identification field (IPid). The TTL value method exploits two characteristics: operating systems generally use specific initial TTL values, and a NAT generally decrements the TTL by 1 when forwarding a packet. It computes from a packet's TTL the number of hops the packet has traversed to reach the test point, and checks whether the value falls below the normal hop count to decide whether the packet has passed through a NAT. Passive OS fingerprinting exploits the fact that packet headers usually carry information about how the operating system's TCP/IP stack is implemented: if several operating system fingerprints can be found in the packets sent from one IP address, NAT is judged to be present at that address. The IPid sequence method exploits the fact that hosts generally increment the IP header identification field by 1 for successive packets; it constructs IPid sequences from the packets sent by the target and checks whether several sequences can be constructed, which indicates NAT. For network-layer data, detection can generally be evaded by modifying the NAT implementation; for transport-layer data, detection can be evaded by modifying the host network protocol stack.
The analysis above shows that because the network behaviour of a NAT resembles that of a normal host, accurately detecting NAT is relatively difficult. In addition, NAT users and NAT manufacturers may, out of privacy or commercial considerations, design evasion methods tailored to each NAT detection method. No single NAT detection technique is currently guaranteed to be effective in every scenario, and people often need to combine several detection techniques to improve accuracy as far as possible. Therefore, inventing new detection methods from new detection angles, to improve the accuracy and evasion resistance of NAT detection, is the problem the present invention needs to solve.
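The two prior-art techniques this paragraph describes, TTL-based hop counting and IPid sequence construction, written out as an added Python example that is not code from the patent. The default initial TTL values 64, 128 and 255 are widely documented operating-system defaults and are an assumption of the example (the page names none); reading "one hop more than the direct path" as the NAT indication follows from the TTL decrement the page describes; and max_gap is a tolerance parameter of this example only.

```python
from typing import List

# Common default initial TTL values (Linux/macOS 64, Windows 128, many network
# devices 255). Widely documented; an assumption of this example, not stated on the page.
DEFAULT_TTLS = (64, 128, 255)


def hop_count_from_ttl(observed_ttl: int) -> int:
    """Infer hops traversed: assume the smallest default initial TTL >= observed value."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be in 1..255")
    for initial in DEFAULT_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def ttl_suggests_nat(observed_ttl: int, expected_hops: int) -> bool:
    """TTL method: a NAT decrements TTL once more than the direct path would,
    so a hop count above the expected path length suggests a NAT in between."""
    return hop_count_from_ttl(observed_ttl) > expected_hops


def count_ipid_sequences(ipids: List[int], max_gap: int = 8) -> int:
    """IPid method: hosts usually increment the IP identification field by 1 per
    packet. Greedily assign each observed ID to the closest increasing sequence
    within max_gap (modulo the 16-bit wrap), or start a new sequence. The number
    of sequences approximates the number of distinct senders behind the address."""
    tails: List[int] = []  # last IPid seen for each sequence
    for ipid in ipids:
        best, best_delta = None, None
        for i, tail in enumerate(tails):
            delta = (ipid - tail) % 65536
            if delta <= max_gap and (best_delta is None or delta < best_delta):
                best, best_delta = i, delta
        if best is None:
            tails.append(ipid)      # no sequence close enough: a new sender
        else:
            tails[best] = ipid      # extend the matching sequence
    return len(tails)


if __name__ == "__main__":
    # Constructed observations: two hosts' ID streams interleaved at one public address.
    interleaved = [1000, 5000, 1001, 5001, 1002, 1003, 5002]
    print(hop_count_from_ttl(61), ttl_suggests_nat(60, 3))   # 3 True
    print(count_ipid_sequences(interleaved))                # 2
```

Both heuristics are exactly as brittle as the page says: a NAT implementation that rewrites TTL or IPid defeats them, which is the motivation for the application-layer approach the patent describes.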
Summary of the invention
The object of the present invention is to provide a new NAT detection method that performs NAT detection on the data sent by instant messaging software (hereafter IM), obtained by passively monitoring the network. The advantage of the method is that detection cannot be evaded by modifying the NAT gateway or the host network protocol stack. Detection could still be evaded by modifying the application program, but the source code of some widely used applications is generally not easy to obtain, and application developers have no direct motivation to try to evade NAT detection. Compared with existing NAT detection methods that use network-layer and transport-layer information, the advantage of this method is that application-layer information is not easily modified by the NAT gateway, so NAT manufacturers and users cannot easily evade detection by modifying the NAT gateway or the host TCP/IP protocol stack.
The idea behind the method provided by the present invention is this: an IM application is tied to a user, and a user generally runs only one, or a few, processes of a given IM on one host. When several users connect to the network through a NAT and use the same application at the same time, several processes of that IM can be observed running on a single IP address outside the NAT. We can therefore infer whether NAT is used at an IP address from the number of processes of a given IM running concurrently on that address.
IM software generally uses a presence announcement mechanism to give the user online status information about other IM users. Mainstream IM clients generally provide presence announcement over a stable data channel (such as a persistent TCP connection), so an IM client keeps a stable data channel to the outside world while it runs. If we can obtain the data of this channel and infer the number of channels, we have obtained the number of IM client processes. Under the assumption that each host runs only one IM client process, finding too many IM processes on a given IP address shows that a NAT gateway is present at that address. As shown in Figure 3, hosts B and C behind the NAT use the same IM at the same time; when their data pass the test point, the test point finds two session-keeping data channels, learns that two IM client processes are running on this IP address at the same time, and so infers that a NAT gateway may be configured at this IP address.
The present invention used Google's Google Talk and Microsoft's MSN Messenger to carry out concrete tests.
The invention is characterized in that:
1. As shown in Figure 4, the method contains the following steps in sequence:
Step 1. Set up packet filtering at the network boundary, passively capture the data sent from the internal network to the external network, and filter out the data that the various instant messaging programs (hereafter IM) send to keep the IM client session state; this comprises the following steps in sequence:
Step 1.1. Obtain a packet of the session-keeping traffic of a given IM;
Step 1.2. According to the packet's source IP address and the IM type it belongs to, find the IM channel information list established for the monitored object;
Step 1.3. According to the packet's destination IP address and TCP source port number, look up the IM channel, i.e. the session-keeping channel of this IM, in the monitored object's IM channel information list;
Step 2. Analyse the IM channel data obtained in step 1 to obtain the current number of concurrent IM channels;
Step 3. Take the number of concurrent channels obtained in step 2 as the number of IM processes currently running concurrently on this IP address; if this number of IM processes is greater than the threshold preset in the detector, judge that a network address translation device is operating at this IP address.
2. Where the IM is Google's Google Talk, filtering uses the Google Talk server address and service port number as the criterion.
3. Where the IM is Microsoft's MSN Messenger, filtering is based on the MSN Messenger service port number and packet content.
4. The packet filtering must run on a device at the network boundary.
The NAT detection method using IM data proposed by the present invention can be used in general network management, and is of particular significance to ISPs for controlling access networks. Combined with existing NAT detection methods, it can improve the accuracy and evasion resistance of NAT detection. The present invention can run on a host at the network boundary; for large networks, processing capacity can be increased by deploying dedicated network equipment. The method has been verified by experiment.
Description of drawings
Fig. 1. Schematic diagram of network address translation;
Fig. 2. Schematic diagram of the NAT detection scenario;
Fig. 3. Schematic diagram of the NAT detection scenario based on IM information;
Fig. 4. Schematic diagram of the NAT detection process based on IM information;
Fig. 5. Schematic diagram of the filtering process for Google Talk and MSN Messenger session-keeping data;
Fig. 6. Schematic diagram of the IM channel maintenance and NAT judgement process.
Embodiment
NAT detection using IM data can broadly be divided into two steps:
1) filter out, from the data passing the test point, the data belonging to IM session-keeping channels (hereafter IM channels);
2) analyse the IM channel data to obtain the current number of concurrent IM channels, i.e. the number of IM processes running on the monitored object at this moment, and then judge from the size of this number whether the monitored object is a NAT.
Filtering of IM channel data
Because existing IM programs work differently, the filtering details differ, but they can broadly be divided into two approaches: filtering on the fact that an IM generally uses servers with fixed addresses and port numbers; and filtering on the fact that some session-keeping data have a fixed format and content. We choose two typical IM programs, Google Talk and MSN Messenger, for explanation; the flow chart is shown in Figure 5.
For Google Talk, we filter data using the server address and port as the criterion. Google Talk uses the XMPP protocol; the Google Talk client and server exchange data, including session-keeping data and instant messages, over a single TCP connection. This TCP connection is established when the client logs in and persists for the whole session, so we only need to obtain the data of that TCP connection to obtain the data of the Google Talk session-keeping channel. We decide whether a packet belongs to that TCP connection by checking whether its destination IP address is the one the domain name talk.***.com resolves to and whether its destination port number is 5222.
For MSN Messenger, we adopted filtering based on port number and packet content. In a typical session, the MSN Messenger client exchanges data with several servers: the dispatch server (DS), the notification server (NS) and the switchboard server (SS). The process is as follows:
1) the client connects to the DS; the DS assigns an NS to the client and tells the client to connect to that NS;
2) the client connects to the NS; this connection persists for the whole session and provides the session status service;
3) when clients need to send IM messages to each other, the NS assigns an SS to the client, and the client establishes a TCP connection with that SS.
What we need to obtain is the data of the client's connection to the NS. Because there are many NSs, up to hundreds, it is hard for us to collect all NS addresses, and comparing too many addresses during filtering would also hurt filtering performance, so we do not use NS addresses as the filter condition; instead we filter on port number and packet content. In the session channel between the MSN Messenger client and the NS server, the MSN Messenger client sends PNG commands to the NS server at irregular intervals, and this command does not appear in exchanges with other servers. The PNG command format is as follows:
PNG\r\n
We first check whether the packet's destination port number is 1863, then check whether the packet contains the PNG command, and thereby decide whether a packet is MSN Messenger session-keeping data.
Maintenance of IM channel information and NAT judgement
We maintain a list of session-keeping channels for each monitored local IP address. As shown in Figure 6, when data of an IM session-keeping channel sent from inside the network to the outside is captured, the following processing is done:
1) Using the packet's two-tuple <source port number, destination address>, judge whether the packet belongs to a channel already recorded. If so, update the last-update time of that channel; if not, add a new record.
2) Remove channel records that have not been updated within a period of time (denoted Tmax). The size of Tmax depends on the packet filtering mechanism. For the MSN filtering method we adopted, the interval between two PNG commands does not exceed 50 s, so we set Tmax to 50 s for MSN.
3) Count the number of concurrent channels at this moment. This number is the number of IM processes currently running concurrently on this IP address.
After obtaining the number of processes of a given IM on the monitored object, we judge whether this value is greater than a certain threshold to infer whether the monitored object is a NAT.
With the IM-data detection program configured on the interface connected to the external network, if there is a NAT in the network and several users behind the NAT use the same IM at the same time, the detection program will detect that several processes of one IM are running on a certain IP address, and thereby learn that a NAT may be configured at that IP address. The present invention uses application-layer information that existing methods do not use; users and NAT manufacturers cannot evade detection by modifying the NAT gateway or the host network protocol stack, and combined with existing methods it can greatly improve the accuracy and evasion resistance of detection. This shows that the present invention has achieved its intended purpose.
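The complete embodiment, from the two filters (Google Talk by server address and port 5222, MSN Messenger by port 1863 and the PNG command) through the per-address channel table keyed by <source port, destination address>, Tmax expiry and the threshold decision, as an added Python example that is not code from the patent. The Google Talk server address set is a placeholder (the page elides the domain, so a deployment would resolve it itself), the Tmax for Google Talk and the threshold value are assumptions (the page gives 50 s only for MSN and no threshold value), and the traffic at the bottom is constructed sample input.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Filter constants from the patent's embodiment, plus placeholders it leaves open.
GTALK_SERVER_IPS = {"203.0.113.10", "203.0.113.11"}  # placeholder (TEST-NET-3), not real servers
GTALK_PORT = 5222
MSN_PORT = 1863
MSN_PING = b"PNG\r\n"            # the session-keeping command the client sends to the NS
TMAX = {"msn": 50.0, "gtalk": 50.0}   # 50 s for MSN is from the page; gtalk value assumed
THRESHOLD = 1                    # assumed: more than one concurrent client process => NAT


@dataclass(frozen=True)
class Packet:
    """One outbound packet seen at the network boundary (constructed input)."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


def classify_im(pkt: Packet) -> Optional[str]:
    """Step 1.1: is this packet session-keeping traffic, and of which IM?"""
    if pkt.dst_ip in GTALK_SERVER_IPS and pkt.dst_port == GTALK_PORT:
        return "gtalk"                               # address + port criterion
    if pkt.dst_port == MSN_PORT and MSN_PING in pkt.payload:
        return "msn"                                 # port + content criterion
    return None


Channel = Tuple[int, str]   # the page's two-tuple: (source port, destination address)


class NatDetector:
    def __init__(self, threshold: int = THRESHOLD,
                 tmax: Optional[Dict[str, float]] = None):
        self.threshold = threshold
        self.tmax = dict(TMAX if tmax is None else tmax)
        # Step 1.2: one channel table per (monitored source IP, IM type)
        self.tables: Dict[Tuple[str, str], Dict[Channel, float]] = {}

    def observe(self, pkt: Packet) -> Optional[str]:
        """Steps 1.1-1.3: refresh a recorded channel or add a new record."""
        im = classify_im(pkt)
        if im is None:
            return None
        chans = self.tables.setdefault((pkt.src_ip, im), {})
        chans[(pkt.src_port, pkt.dst_ip)] = pkt.ts   # last-update time
        return im

    def concurrent_channels(self, src_ip: str, im: str, now: float) -> int:
        """Step 2: drop channels silent for more than Tmax, count the rest."""
        chans = self.tables.get((src_ip, im), {})
        limit = self.tmax[im]
        for chan, last_seen in list(chans.items()):
            if now - last_seen > limit:
                del chans[chan]
        return len(chans)

    def is_nat(self, src_ip: str, im: str, now: float) -> bool:
        """Step 3: concurrent processes above the preset threshold => NAT."""
        return self.concurrent_channels(src_ip, im, now) > self.threshold


# Constructed traffic: two MSN clients behind 198.51.100.7, one host at 198.51.100.8.
SAMPLE = [
    Packet(0.0, "198.51.100.7", 40001, "192.0.2.20", 1863, b"PNG\r\n"),
    Packet(1.0, "198.51.100.7", 40002, "192.0.2.21", 1863, b"PNG\r\n"),
    Packet(2.0, "198.51.100.7", 40003, "192.0.2.30", 443, b"GET / HTTP/1.1\r\n"),  # not IM
    Packet(3.0, "198.51.100.8", 40001, "192.0.2.20", 1863, b"PNG\r\n"),
    Packet(30.0, "198.51.100.7", 40001, "192.0.2.20", 1863, b"PNG\r\n"),  # refreshes channel
]


def run_sample(now: float) -> Tuple[int, bool, bool]:
    """Feed SAMPLE to a fresh detector; return (.7 MSN channels, .7 is NAT, .8 is NAT)."""
    det = NatDetector()
    for pkt in SAMPLE:
        det.observe(pkt)
    return (det.concurrent_channels("198.51.100.7", "msn", now),
            det.is_nat("198.51.100.7", "msn", now),
            det.is_nat("198.51.100.8", "msn", now))


if __name__ == "__main__":
    print(run_sample(31.0))   # (2, True, False)
    print(run_sample(60.0))   # (1, False, False): port 40002 silent 59 s, expired
```

Expiry is evaluated lazily at query time rather than on a timer, which keeps the example single-threaded; a deployment on a busy boundary host would sweep the tables periodically and size Tmax per IM from the observed keep-alive interval, as the page does for MSN.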

Claims (4)

1. A method for detecting network address translation devices using instant messaging software data, characterized in that the method contains the following steps in sequence:
Step 1. Set up packet filtering at the network boundary, passively capture the data sent from the internal network to the external network, and filter out the data that the various instant messaging programs (hereafter IM) send to keep the IM client session state; this comprises the following steps in sequence:
Step 1.1. Obtain a packet of the session-keeping traffic of a given IM;
Step 1.2. According to the packet's source IP address and the IM type it belongs to, find the IM channel information list established for the monitored object;
Step 1.3. According to the packet's destination IP address and TCP source port number, look up the IM channel, i.e. the session-keeping channel of this IM, in the monitored object's IM channel information list;
Step 2. Analyse the IM channel data obtained in step 1 to obtain the current number of concurrent IM channels;
Step 3. Take the number of concurrent channels obtained in step 2 as the number of IM processes currently running concurrently on this IP address; if this number of IM processes is greater than the threshold preset in the detector, judge that a network address translation device is operating at this IP address.
2. The method for detecting network address translation devices using instant messaging software data, characterized in that said IM is Google's Google Talk, and filtering uses the Google Talk server address and service port number as the criterion.
3. The method for detecting network address translation devices using instant messaging software data, characterized in that said IM is Microsoft's MSN Messenger, and filtering is based on the MSN Messenger service port number and packet content.
4. The method for detecting network address translation devices using instant messaging software data, characterized in that said packet filtering must run on a device at the network boundary.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CNB2006100114224A, CN100493065C (en) | 2006-03-03 | 2006-03-03 | Method for using immediate information software by data detection network address switching equipment

Publications (2)

Publication Number | Publication Date
CN1812394A (en) | 2006-08-02
CN100493065C (en) | 2009-05-27

Family ID: 36845083

Family Applications (1)

Application Number | Status | Priority Date | Filing Date | Title
CNB2006100114224A, CN100493065C (en) | Expired - Fee Related | 2006-03-03 | 2006-03-03 | Method for using immediate information software by data detection network address switching equipment

Country Status (1)

Country | Link
CN | CN100493065C (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101155147B (en) * | 2006-09-26 | 2011-11-16 | 阿里巴巴集团控股有限公司 | Method and apparatus for distributing monitoring data of instant communication server
CN101159713B (en) * | 2007-11-14 | 2011-01-05 | 杭州华三通信技术有限公司 | Method, system and device of limiting instant communication application
CN101291327B (en) * | 2008-06-06 | 2011-11-30 | 成都市华为赛门铁克科技有限公司 | Method and apparatus for detecting sharing access host number
CN105681487A (en) * | 2009-10-28 | 2016-06-15 | 惠普发展公司,有限责任合伙企业 | Method and device for detecting NAT device
CN101895552A (en) * | 2010-07-22 | 2010-11-24 | 北京天融信科技有限公司 | Security gateway and method thereof for detecting proxy surfing
CN101895552B (en) * | 2010-07-22 | 2014-01-01 | 北京天融信科技有限公司 | Security gateway and method thereof for detecting proxy surfing
CN112822204A (en) * | 2021-01-28 | 2021-05-18 | 深信服科技股份有限公司 | NAT detection method, device, equipment and medium
CN112995358A (en) * | 2021-04-21 | 2021-06-18 | 中国人民解放军国防科技大学 | Large-scale network address translation traffic identification method and device and computer equipment
CN112995358B (en) * | 2021-04-21 | 2021-07-23 | 中国人民解放军国防科技大学 | Large-scale network address translation traffic identification method and device and computer equipment

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103401736B (en) * | 2013-08-22 | 2016-12-28 | 东南大学 | A kind of method based on MSN detection network agent

Also Published As

Publication number Publication date
CN100493065C (en) 2009-05-27

Similar Documents

Publication Publication Date Title
CN100493065C (en) Method for using immediate information software by data detection network address switching equipment
CN101924757B (en) Method and system for reviewing Botnet
EP2403187A1 (en) Method, apparatus and system for botnet host detection
Berk et al. Using sensor networks and data fusion for early detection of active worms
US20090182864A1 (en) Method and apparatus for fingerprinting systems and operating systems in a network
CN101068242A (en) Method for obtaining internal and external network address mapping relation in safety auditing system
CN106899612B (en) Method for automatically detecting ARP spoofing of fake host
KR20140025316A (en) Method and system for fingerprinting operating systems running on nodes in a communication network
WO2009135396A1 (en) Network attack processing method, processing device and network analyzing and monitoring center
CN1889573A (en) Active decoy method and system
CN101060397A (en) Apparatus and method for detecting network address translation device
EP2372954A2 (en) Method and system for collecting information relating to a communication network
CN100377534C (en) System and method for detecting network worm
CN111654486A (en) Server equipment judgment and identification method
CN1917512A (en) Method for establishing direct connected peer-to-peer channel
Kaushik et al. Network forensic system for ICMP attacks
CN104021348A (en) Real-time detection method and system of dormant P2P (Peer to Peer) programs
Pashamokhtari et al. Progressive monitoring of iot networks using sdn and cost-effective traffic signatures
CN112787848B (en) Active scanning system based on network flow analysis
CN1741473A (en) A network data packet availability deciding method and system
CN1842011A (en) Improved method and system for carrying out charging based on flow
CN101478406A (en) Method for real-time monitoring network operation behavior of remote user
CN109309679A (en) A kind of Network scan detection method and detection system based on TCP flow state
KR100710047B1 (en) Apparatus for traffic identification on internet protocol network environment
CN105516096A (en) Botnet network discovery technology and apparatus

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
CF01 | Termination of patent right due to non-payment of annual fee

Granted publication date: 20090527

Termination date: 20210303