Redirection method and device for real time monitoring network activities

Publication date: 12-05-2010
Number:
CN0101193044B
Assignee: Peking University
Contacts:
Application number: 14-10-20064809
Application date: 21-11-2006

[1]

Technical Field

[2]

The invention belongs to the technical field of computer network security and relates to a method and device for redirecting network communication connections; in particular, to a method and apparatus that obtains the active IP addresses by monitoring network activity and redirects particular network communication connections to a designated receiving system.

[3]

Background Art

[4]

A local area network (LAN) that is connected to the outside Internet (hereinafter referred to as the external network) through a network connection device usually occupies a number of LAN IP addresses (hereinafter referred to as IP addresses). Some of these IP addresses may be in use by hosts in the LAN, and some may be unused. A host using one of these IP addresses may currently be running, or it may have been shut down. Usually the IP address of a host that is currently running is called an active IP address, and the other IP addresses are called non-active IP addresses.

[5]

The external network and the LAN are connected by a network connection device, and all data exchanged between the two sides has to pass through the network connection device. To redirect communication connections initiated by external-network data sources to non-active IP addresses in the LAN to a designated receiving system, the network connection device performs the following operations:

[6]

1. First, monitor network activity in the LAN, obtain the list of active IP addresses and register it in a table. If a communication connection is addressed to an IP address that is not registered in this table, that communication connection requires redirection.

[7]

2. For each data packet sent from the external network, first determine whether it belongs to a connection that is to be redirected; if so, redirect it to the designated receiving system.

[8]

3. For each data packet sent from the designated receiving system, first determine whether it belongs to a connection that is being redirected; if so, redirect it to the external-network data source.

[9]

4. Data packets sent from the internal network are not interfered with.

[10]

This redirection of communication connections raises several issues that need to be addressed:

[11]

A. An IP address in the LAN may be non-active at one time and active at another, so the redirection method has to monitor the activity of the LAN's IP addresses, redirect communication connections to non-active IP addresses, and stop redirecting once an IP address becomes active.

[12]

B. The external-network data source must not be able to tell that its communication connection has been redirected: the data packets returned to the external-network data source must look exactly as if they came from the non-active IP address it originally connected to.

[13]

However, the prior art has not been able to solve the above problems properly. The usual approach is roughly as follows: a fixed part of the LAN's IP addresses is treated as non-active; the network connection device is provided with a processing and forwarding channel connected to the receiving system; and communication initiated by external-network data sources to these inactive IP addresses is redirected to the receiving system through this processing and forwarding channel. The problem with this method is that it cannot monitor which LAN IP addresses are active and which are non-active, and so cannot decide dynamically whether a communication connection should be redirected. In other words, the prior art has no good method for monitoring the activity of LAN IP addresses and redirecting communication connections in real time according to that activity.

[14]

Content of the invention

[15]

The purpose of this invention is to provide a method that monitors local network activity in real time, obtains the active IP addresses, and redirects communication connections to non-active IP addresses to a receiving system;

[16]

Another purpose of this invention is to provide a network connection device implementing the above method. The device is referred to as the redirection gateway; it has a channel connecting to the external network, a channel connecting to the LAN, and a channel connecting to the receiving system.

[17]

The real-time network-activity-monitoring redirection method mainly comprises two aspects. The first is to obtain the active IP addresses by monitoring and analysing network activity and to register them in a table; this is done by the network activity detection module. The second is to look up this table for each data packet to be forwarded, determine whether the packet requires redirection, and release or redirect the packet according to the query result; this is done by the redirection module. Because the table queried reflects the current active IP addresses at all times, redirection of a communication connection can start immediately and can be stopped immediately.

[18]

In the present invention, according to the direction in which data packets flow between the external network and the LAN, the data packets to be transmitted are divided into two cases, forward and reverse. Forward means the direction from the external-network data source to the receiving system; reverse means the direction from the receiving system to the external-network data source. Those skilled in the art will understand that the method and apparatus provided by the present invention can clearly be applied to data packets flowing in both the forward and the reverse direction.

[19]

The real-time network-activity-detecting redirection device includes a network activity monitoring module and a redirection module. The network activity monitoring module monitors and registers the active IP addresses and includes an active IP address table, a MAC/IP address table and a network probe, where:

[20]

The active IP address table is stored in the redirection gateway and is used to register the active IP addresses within the LAN. Each entry of this table contains the following attributes: an IP address and a remaining survival time that decreases automatically with time.

[21]

The MAC/IP address table is used to record the MAC address of each host in the LAN and its corresponding IP address.

[22]

The network probe monitors and analyses the network activity in the LAN and obtains and maintains the current active IP address table using the following monitoring and inquiry method:

[23]

(1) monitor the ARP broadcast query packets and ARP response packets in the LAN; if any query packet or response packet is found, the IP address of the sender is an active IP address, and the sender's IP address and MAC address form a MAC/IP address pair;

[24]

(2) write the MAC/IP address pair into the MAC/IP address table, or update it, so as to record the correspondence between MAC addresses and IP addresses in the LAN;

[25]

(3) write the active IP address into the active IP address table; if the IP address has already been registered, reset its remaining survival time to the initial value;

[26]

(4) monitor the source MAC address of data packets in the LAN, then look up the MAC/IP address table to obtain the corresponding IP address, which is active, and register it in the active IP address table; if the IP address has already been registered, reset its remaining survival time to the initial value.

[27]

Furthermore, the network probe also tracks hosts that send ARP query packets: it checks whether, within a certain time, the host sends a second ARP query for the same target IP address. If it does not, the host has received the ARP response through another channel, and the target IP address of the preceding ARP query is an active IP address; this IP address is registered in the active IP address table, and if it has already been registered, its remaining survival time is reset to the initial value.

[28]

The network activity detection module traverses the active IP address table at regular intervals. When the remaining survival time of an IP address has decreased to 0, it sends an ARP query packet to that IP address and waits for a response from it. If a response arrives within a specified period of time, the remaining survival time of the IP address is reset to the initial value, and if the MAC address of the IP address has changed, the MAC/IP address table is also updated. If no ARP response packet arrives within the specified period of time, the IP address is deleted from the active IP address table.

[29]

The redirection module redirects communication connections according to the real-time detection results of the network activity detection module. The module mainly includes a data packet transformation parameter table, which records, for each redirected communication connection, the parameters relevant to the forward and reverse transformation of its data packets. The forward transformation makes the data packets conform to the requirements of the receiving system; the reverse transformation makes the data packets returned to the external-network data source look exactly as if they came from the non-active IP address originally connected to, so that the external-network data source cannot sense that its communication connection has been redirected. The specific forward and reverse transformation strategies can be pre-defined by the user.

[30]

Each entry of the data packet transformation parameter table has a remaining survival time that decreases with time. Whenever the entry is used to transform a data packet, its remaining survival time is restored to the initial value; when the entry has gone unused for so long that its remaining survival time is reduced to 0, the entry is deleted. Furthermore, when the IP address related to an entry's communication connection is added to the active IP address table by the network activity monitoring module, that entry is deleted.

[31]

The detailed steps of the whole method of monitoring network activity and redirecting communication connections are described below:

[32]

1. First, the network probe of the network activity monitoring module runs in the LAN. According to the aforesaid monitoring and inquiry method, the network probe learns the active IP addresses and writes them into the active IP address table. Furthermore, a timed task confirms whether an IP address whose remaining survival time has decreased to 0 is no longer active and deletes IP addresses that are no longer active from the active IP address table.

[33]

2. When a data packet from the external network arrives at the redirection gateway, the processing flow is as follows:

[34]

(1) The redirection module first queries whether the destination address is in the active IP address table. If it is, the flow of this data packet is not interfered with; if it is not, proceed to the next step.

[35]

(2) Query the data packet transformation parameter table to determine whether the data packet belongs to a communication connection recorded in the table. If it does, go to step (3). If it does not, construct a description of the communication connection from the data packet, determine the forward transformation parameters according to the predetermined forward transformation strategy, determine the reverse transformation parameters according to the predetermined reverse transformation strategy, then combine the communication connection, its forward transformation parameters, its reverse transformation parameters and the initial remaining survival time into a table entry and insert it into the data packet transformation parameter table.

[36]

(3) Take out the forward transformation parameters of the communication connection, apply the forward transformation to the data packet with these parameters, and send the transformed data packet to the receiving system.

[37]

3. When a data packet from the receiving system arrives at the redirection gateway, the redirection module queries the data packet transformation parameter table to judge whether the data packet belongs to a communication connection in the table. If it does, the reverse transformation parameters of the communication connection are taken out, the reverse transformation is applied to the data packet with these parameters, and the transformed data packet is sent to the external network. If the data packet does not belong to any communication connection in the table, the flow of the data packet is not interfered with.

[38]

The technical effects of the present invention are:

[39]

1) The active IP addresses within the LAN are detected by monitoring the network activity within the LAN.

[40]

2) Communication connections initiated by the external network to internal non-active IP addresses can be redirected, and the redirection can be stopped in a timely manner.

[41]

Description of drawings

[42]

Figure 1 is a structural diagram of the redirection gateway of an embodiment of the invention;

[43]

Figure 2 is a flow chart of the network probe collecting active IPs;

[44]

Figure 3 is a flow chart of the network probe collecting active IPs by tracking hosts that issue ARP query packets;

[45]

Figure 4 is a flow chart of the deletion process triggered when the remaining survival time of an active IP is reduced to 0;

[46]

Figure 5 is a flow chart of the forward processing of the communication connection redirection method;

[47]

Figure 6 is a flow chart of the reverse processing of the communication connection redirection method.

[48]

Mode of execution

[49]

The best embodiment of the invention is described in detail below with reference to the figures.

[50]

Figure 1 is a schematic diagram of the redirection gateway connected to the external network, the LAN and the receiving system. In this embodiment, the three channels of the redirection gateway are connected to the external network, the LAN and the receiving system respectively. The network probe of the network activity monitoring module runs on a node in the LAN and monitors the network activity of the LAN.

[51]

Figure 2 shows the flow of the network probe collecting active IPs:

[52]

(1) Monitor the ARP query packets and ARP response packets in the LAN.

[53]

(2) If any ARP query packet or response packet is found, load the MAC/IP address pair of the packet's sender into the MAC/IP address table of the network activity detection module.

[54]

(3) Monitor the other data packets in the LAN and obtain the source MAC address of each data packet.

[55]

(4) Look up the source MAC address in the MAC/IP address table; if it is found, write the corresponding IP address into the active IP address table of the network activity detection module, and if it is already written, reset its remaining survival time to the initial value.

[56]

Furthermore, the network probe can also collect active IPs by tracking hosts that issue ARP query packets. Figure 3 shows the tracking process by which the network probe collects active IPs from hosts that issue ARP query packets:

[57]

(5) Observe an ARP query packet addressed to a certain IP address.

[58]

(6) Wait a certain period of time for the ARP response packet. If the response is observed within this time, end the tracking process; otherwise proceed to the next step.

[59]

(7) Check whether the host has repeated the ARP query for that IP address. If it has, end the tracking process; otherwise write the IP address into the active IP address table.

[60]

The network activity detection module is also provided with a timed task for confirming whether an IP address whose remaining survival time has decreased to 0 is no longer active, and for deleting IP addresses that are no longer active from the active IP address table. Figure 4 shows the deletion process triggered when the remaining survival time of an active IP is reduced to 0:

[61]

(1) First, send an ARP query to the IP address.

[62]

(2) If no ARP response from the host at that IP address has been received within a certain time, delete the IP address from the active IP address table; otherwise proceed to the next step.

[63]

(3) Reset the remaining survival time of the IP address in the active IP address table to the initial value.

[64]

(4) Update the MAC/IP address table with the MAC address carried in the ARP response packet.
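The network activity monitoring module described in the summary (ARP observation, source-MAC lookup, the ARP-query tracking of Figure 3 and the expiry task of Figure 4) is shown below as one self-contained model. This is an added example, not code from the patent or from Peking University: the class name, the survival-time constants, the `probe_arp` hook that stands in for sending a real ARP query, and the event sequence in `run_demo` are all assumptions. The remaining survival time of each entry is kept as an absolute expiry timestamp, which decreases continuously relative to the clock without a background decrement loop.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

INITIAL_TTL = 300.0     # initial remaining survival time in seconds (assumed value)
ARP_REPLY_WAIT = 5.0    # window in which a tracked ARP query may be answered or repeated (assumed)


@dataclass
class NetworkActivityMonitor:
    """Network activity monitoring module: active IP table, MAC/IP table and probe logic."""
    # Hook used by the timed task: send an ARP query for ip and return the responding MAC,
    # or None when nothing answers within the wait time (assumed interface).
    probe_arp: Callable[[str], Optional[str]]
    active: Dict[str, float] = field(default_factory=dict)      # ip -> expiry timestamp
    mac_ip: Dict[str, str] = field(default_factory=dict)        # mac -> ip
    tracking: Dict[Tuple[str, str], float] = field(default_factory=dict)  # (asker, target) -> deadline

    def remaining(self, ip: str, now: float) -> float:
        """Remaining survival time of an active entry (0 if absent or expired)."""
        return max(0.0, self.active[ip] - now) if ip in self.active else 0.0

    def _register(self, ip: str, now: float) -> None:
        # Steps (3)/(4): insert the address, or reset its remaining survival time to the initial value.
        self.active[ip] = now + INITIAL_TTL

    def _learn_mac(self, mac: str, ip: str) -> None:
        # Step (2): write or update the MAC/IP pair; a stale MAC that mapped to this IP is dropped.
        for old_mac, old_ip in list(self.mac_ip.items()):
            if old_ip == ip and old_mac != mac:
                del self.mac_ip[old_mac]
        self.mac_ip[mac] = ip

    def observe_arp(self, now: float, sender_mac: str, sender_ip: str,
                    target_ip: str, is_reply: bool) -> None:
        # Step (1): any ARP query or reply proves its sender is active.
        self._learn_mac(sender_mac, sender_ip)
        self._register(sender_ip, now)
        if is_reply:
            # An observed reply ends the tracking of queries for that target (Figure 3, step 6).
            for key in [k for k in self.tracking if k[1] == sender_ip]:
                del self.tracking[key]
            return
        key = (sender_ip, target_ip)
        if key in self.tracking:
            # Repeated query within the window: the first one went unanswered, stop tracking (step 7).
            del self.tracking[key]
        else:
            self.tracking[key] = now + ARP_REPLY_WAIT

    def observe_packet(self, now: float, src_mac: str) -> Optional[str]:
        # Step (4): an ordinary packet refreshes the IP that the MAC/IP table maps its source MAC to.
        ip = self.mac_ip.get(src_mac)
        if ip is not None:
            self._register(ip, now)
        return ip

    def tick(self, now: float) -> None:
        """Timed task: finish pending tracking and expire entries whose survival time reached 0."""
        for (asker, target), deadline in list(self.tracking.items()):
            if now >= deadline:
                # Neither a reply nor a repeat was seen here, so the asker got its answer
                # through another channel and the target is active (claim 2).
                del self.tracking[(asker, target)]
                self._register(target, now)
        for ip, expiry in list(self.active.items()):
            if now >= expiry:
                mac = self.probe_arp(ip)          # Figure 4, step (1)
                if mac is None:
                    del self.active[ip]           # step (2): no answer, address is no longer active
                else:
                    self._register(ip, now)       # step (3): survival time back to the initial value
                    self._learn_mac(mac, ip)      # step (4): MAC/IP table follows the reply


def run_demo():
    """Constructed event sequence on one LAN segment; returns snapshots for inspection."""
    alive = {"10.0.0.5": "aa:aa:aa:aa:aa:05"}   # hosts that still answer the timed task's probe (constructed)
    mon = NetworkActivityMonitor(probe_arp=lambda ip: alive.get(ip))
    mon.observe_arp(0.0, "aa:aa:aa:aa:aa:05", "10.0.0.5", "10.0.0.9", is_reply=False)
    mon.observe_arp(1.0, "aa:aa:aa:aa:aa:09", "10.0.0.9", "10.0.0.5", is_reply=True)
    mon.observe_packet(2.0, "aa:aa:aa:aa:aa:05")   # ordinary traffic from a known MAC refreshes 10.0.0.5
    mon.observe_packet(2.0, "aa:aa:aa:aa:aa:77")   # unknown MAC: nothing to register
    # A host asks twice for 10.0.0.20 without an answer: that address is never marked active.
    mon.observe_arp(10.0, "aa:aa:aa:aa:aa:05", "10.0.0.5", "10.0.0.20", is_reply=False)
    mon.observe_arp(11.0, "aa:aa:aa:aa:aa:05", "10.0.0.5", "10.0.0.20", is_reply=False)
    # The same host asks once for 10.0.0.30 and never repeats: the answer came some other way.
    mon.observe_arp(20.0, "aa:aa:aa:aa:aa:05", "10.0.0.5", "10.0.0.30", is_reply=False)
    mon.tick(26.0)
    after_tracking = sorted(mon.active)
    # Much later every survival time has run out; only hosts answering the probe survive.
    mon.tick(400.0)
    return after_tracking, sorted(mon.active), dict(mon.mac_ip)


if __name__ == "__main__":
    print(run_demo())
```

The one place a real deployment differs from this model is `probe_arp`: the timed task has to send the ARP query and wait the specified period before deciding, so on a live gateway the hook blocks for up to the wait time per expired address, and a large table is better probed in batches than in one traversal.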

[65]

The flow charts of the redirection module processing data packets in the two directions of network communication are shown in Figures 5 and 6 respectively. Figure 5 shows the flow of the redirection module processing a forward data packet:

[66]

(1) Assume a TCP data packet from the external network arrives at the gateway router.

[67]

(2) Query the active IP address table with the destination address of the data packet. If it is found, the data packet is addressed to an active IP address, and the gateway router does not interfere with the flow of the data packet but releases it directly. If it is not found, the data packet is addressed to a non-active IP address, and the gateway router hands the data packet to the redirection module for processing.

[68]

(3) The redirection module combines the protocol, source address and destination address of the data packet, which describe the communication connection, into a query key, queries the data packet transformation parameter table with this key, and determines whether a communication connection in the table matches it. If there is no match, proceed to the next step; if there is a match, go directly to step (5).

[69]

(4) Generate the description of the communication connection from the query key constructed in step (3), generate the forward and reverse transformation parameter tables from the pre-defined forward and reverse transformation strategies, combine the description of the communication connection, the forward and reverse transformation parameter tables and the initialised remaining survival time into a table entry, and insert it into the data packet transformation parameter table. Assume that the pre-defined forward transformation modifies the destination address of the data packet to the receiving system; then the forward transformation parameter table holds information such as the IP address and port of the receiving system. Assume that the reverse transformation modifies the source address of the data packet to the non-active IP address that the communication connection originally tried to reach; then the reverse transformation parameter table holds that non-active IP address and its port.

[70]

(5) Take the forward transformation parameters of the communication connection to which the data packet belongs from the data packet transformation parameter table, apply the forward transformation to the data packet, and at the same time restore the remaining survival time of the communication connection's table entry to the initial value. In this embodiment, specifically: the destination address and destination port of the data packet are replaced with the IP address and port from the forward transformation parameters, and the initial remaining survival time is restored.

[71]

(6) Because the destination address of the data packet has now been directed to the receiving system, the gateway router transmits the data packet to the receiving system.

[72]

Figure 6 shows the flow of the redirection module processing a reverse data packet. The reverse processing method is as follows:

[73]

(1) After receiving a data packet from the receiving system, the reverse forwarding module queries the data packet transformation parameter table of the redirection module to judge whether the data packet belongs to a communication connection in the table. If it does, go to step (2); if it does not, the flow of the data packet is not interfered with.

[74]

(2) If the packet belongs to a communication connection in the table, take out the reverse transformation parameters of that communication connection, apply the reverse transformation to the data packet, and send the transformed data packet to the external network. In this embodiment, the reverse transformation parameters stored in the data packet transformation parameter table are the original non-active IP address and port; this IP address and port replace the source address and port of the data packet, and the data packet is then sent to the external network. Note that in this embodiment, because the source address and port of the data packet are replaced with the non-active IP address and port, the external-network data source cannot sense whether the communication connection has been redirected.
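The redirection module of the summary (steps 2 and 3 of the detailed method) and the forward and reverse flows of Figures 5 and 6 are modelled below in one block. This is an added example, not code from the patent or from Peking University: the `Packet` and `Entry` types, the entry survival time, the receiving-system address (a constructed TEST-NET-1 value), and the DNAT-style forward strategy with its source-restoring reverse strategy are all assumptions; the active IP address table is represented by a plain set that the monitoring module would own.

```python
from dataclasses import dataclass, replace
from typing import Dict, Set, Tuple

ENTRY_TTL = 60.0                   # initial remaining survival time of a table entry, seconds (assumed)
RECEIVER = ("192.0.2.10", 8080)    # designated receiving system (constructed address)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


ConnKey = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass
class Entry:
    forward: Tuple[str, int]   # forward transformation parameters: new destination ip/port
    reverse: Tuple[str, int]   # reverse transformation parameters: original non-active ip/port
    expiry: float              # remaining survival time, kept as an absolute timestamp


class RedirectionModule:
    def __init__(self, active_ips: Set[str], receiver: Tuple[str, int] = RECEIVER):
        self.active_ips = active_ips          # the monitor's active IP address table (a set here)
        self.receiver = receiver
        self.table: Dict[ConnKey, Entry] = {}
        # Second index so a packet coming back from the receiver can find its entry:
        # (proto, receiver_ip, receiver_port, ext_ip, ext_port) -> forward key.
        self.back: Dict[ConnKey, ConnKey] = {}

    def forward(self, pkt: Packet, now: float) -> Tuple[str, Packet]:
        """Packet from the external network. Returns (verdict, packet to send on)."""
        if pkt.dst_ip in self.active_ips:
            return "pass", pkt                   # step (1): active destination, hands off
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        entry = self.table.get(key)
        if entry is None:
            # Step (2): new connection. Forward strategy: rewrite the destination to the
            # receiving system; reverse strategy: restore the original non-active destination.
            entry = Entry(forward=self.receiver, reverse=(pkt.dst_ip, pkt.dst_port),
                          expiry=now + ENTRY_TTL)
            self.table[key] = entry
            self.back[(pkt.proto, self.receiver[0], self.receiver[1], pkt.src_ip, pkt.src_port)] = key
        entry.expiry = now + ENTRY_TTL           # every use restores the survival time
        out = replace(pkt, dst_ip=entry.forward[0], dst_port=entry.forward[1])   # step (3)
        return "redirect", out

    def reverse(self, pkt: Packet, now: float) -> Tuple[str, Packet]:
        """Packet from the receiving system heading back to the external network."""
        key = self.back.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        entry = self.table.get(key) if key is not None else None
        if entry is None:
            return "pass", pkt                   # not part of any redirected connection
        entry.expiry = now + ENTRY_TTL
        # The source becomes the non-active address the external host originally contacted.
        out = replace(pkt, src_ip=entry.reverse[0], src_port=entry.reverse[1])
        return "redirect", out

    def _drop(self, key: ConnKey) -> None:
        del self.table[key]
        self.back = {b: k for b, k in self.back.items() if k != key}

    def expire(self, now: float) -> int:
        """Timed task: delete entries whose remaining survival time has reached 0."""
        dead = [k for k, e in self.table.items() if e.expiry <= now]
        for k in dead:
            self._drop(k)
        return len(dead)

    def on_ip_became_active(self, ip: str) -> int:
        """The monitor registered ip as active: entries redirecting traffic for it are deleted."""
        dead = [k for k in self.table if k[3] == ip]
        for k in dead:
            self._drop(k)
        return len(dead)


def run_demo():
    """Constructed exchange: one connection to a non-active address, one to an active one."""
    active = {"10.0.0.5"}
    rm = RedirectionModule(active)
    syn = Packet("tcp", "198.51.100.7", 40000, "10.0.0.9", 22)          # 10.0.0.9 is non-active
    v1, p1 = rm.forward(syn, now=0.0)
    synack = Packet("tcp", RECEIVER[0], RECEIVER[1], "198.51.100.7", 40000)
    v2, p2 = rm.reverse(synack, now=1.0)                                 # source restored to 10.0.0.9:22
    v3, _ = rm.forward(Packet("tcp", "198.51.100.7", 40001, "10.0.0.5", 22), now=2.0)  # active: pass
    active.add("10.0.0.9")                                               # monitor saw the host come up
    rm.on_ip_became_active("10.0.0.9")                                   # redirection stops at once
    v4, _ = rm.reverse(synack, now=3.0)
    return (v1, p1.dst_ip, p1.dst_port), (v2, p2.src_ip, p2.src_port), v3, v4, len(rm.table)


if __name__ == "__main__":
    print(run_demo())
```

The reverse index is keyed on the external host's address and port, so two connections from the same external address and source port to different non-active addresses would collide; a production gateway keyed on the full original tuple would need to distinguish them, for instance by also rewriting the source port toward the receiver, which is the trade-off the Linux DNAT path mentioned at the end of the specification makes with its connection tracking.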

[75]

As described above, the present invention determines the active IP addresses by examining the network activity within the LAN and decides how to transmit data packets according to the active IP address table, which makes the transmission framework simple, clear, rapid and efficient. The invention is suitable for various situations that require data packets to be intercepted flexibly and in a concealed manner, and has good cross-platform compatibility, extensibility and practicality.

[76]

The applicant has deployed the embodiment on a gigabit-class gateway with very good results: specific communication connections are redirected instantly, and in the application of collecting network attack scans the IP addresses are fully used, with very good effect; the transmission efficiency is 50% better than that of previous schemes, achieving the purpose of the invention. The invention has very good practicality and prospects for application.

[77]

Although the invention has been disclosed with specific embodiments for the purpose of illustration, in order to help understand the content of the invention and to implement it, those skilled in the art will understand that various replacements, variations and modifications are possible without departing from the spirit and scope of the invention and the appended claims. For example, the redirection gateway may run on a gateway router, on a gateway firewall, or as an independent device. As another example, the receiving system may itself be located in the LAN, as long as the gateway router has a network path that can reach the receiving system. As another example, there may be more than one network probe of the network activity monitoring module, running on multiple switches or connection nodes in the network or on multiple hosts. As another example, if the forward and reverse transformation strategies of the redirection gateway are DNAT and un_DNAT operations respectively, the forward and reverse forwarding modules can be implemented with the DNAT module of the Linux operating system, which already contains both the DNAT and the un_DNAT operation. Therefore, the invention should not be limited to the best embodiment disclosed in the specification and drawings; the scope of protection claimed by the invention is defined by the claims.



[1]

A redirection method for monitoring network activity in real time comprises the following steps: A. the active IP addresses in a local area network are obtained by monitoring and analysing the network activity and are recorded in an active IP address table; besides, a timed task confirms whether an IP address whose survival time has decreased to zero is really no longer active and deletes IP addresses that are no longer active from the table; B. whether a data packet to be forwarded requires redirection is judged, and the data packet is released or redirected according to the query result. The device realising the method comprises a network activity detecting module, which detects and records the active IP addresses, and a redirection module, which redirects communication connections according to the real-time detection results of the network activity detecting module. The invention detects the active IP addresses in the local area network by monitoring the network activity inside it, so communication connections launched by the external network to internal inactive IP addresses can be redirected instantly.



1. A real-time network-activity-monitoring redirection method, comprising the steps of:

A. Obtaining the active IP addresses within the local area network by monitoring and analysing the network activity and registering them in an active IP address table, in particular by the steps of:

(1) monitoring the ARP broadcast query packets and ARP response packets in the local area network; if any ARP query packet or response packet is found, the IP address of the sender is an active IP address, and the sender's IP address and MAC address form a MAC/IP address pair;

(2) writing the MAC/IP address pair into the MAC/IP address table or updating it, so as to record the correspondence between MAC addresses and IP addresses in the local area network;

(3) writing the active IP address into the active IP address table; if the IP address has already been registered, resetting its remaining survival time to the initial value;

(4) monitoring the source MAC address of data packets in the local area network, then looking up the MAC/IP address table to obtain the corresponding IP address, which is active, and registering it in the active IP address table; if the IP address has already been registered, resetting its remaining survival time to the initial value;

furthermore, a timed task confirms whether an IP address whose remaining survival time has decreased to 0 is no longer active and deletes IP addresses that are no longer active from the active IP address table, by the specific steps of:

traversing the active IP address table at regular intervals; when the remaining survival time of an IP address has decreased to 0, sending an ARP query packet to that IP address and waiting for its response; if the ARP response packet arrives within a specified period of time, resetting the remaining survival time of the IP address to the initial value, and if the MAC address of the IP address has changed, also updating the MAC/IP address table; if the ARP response packet does not arrive within the specified period of time, deleting the IP address from the active IP address table;

B. Determining whether a data packet to be forwarded requires redirection, and releasing or redirecting the data packet according to the query result; for a data packet from the external network, this specifically comprises the following steps:

(1) querying the active IP address table with the destination address of the data packet; if it is found, the gateway router does not interfere with the flow of the data packet but releases it directly;

(2) if it is not found, extracting the description information of the communication connection from the data packet, namely the protocol, source address and destination address, to form a query key; querying the data packet transformation parameter table with this key and judging whether a communication connection in the table matches it; if there is a match, going to step (4), otherwise proceeding to the next step;

(3) generating the description of the communication connection from the query key constructed in step (2), generating the forward and reverse transformation parameter tables from the pre-defined forward and reverse transformation strategies, and combining the description of the communication connection, the forward and reverse transformation parameter tables and the initialised remaining survival time into a table entry inserted into the data packet transformation parameter table;

(4) taking the forward transformation parameters of the communication connection to which the data packet belongs from the data packet transformation parameter table, applying the forward transformation to the data packet and at the same time restoring the remaining survival time of the communication connection's table entry to the initial value; because the destination address of the data packet has now been directed to the receiving system, the gateway router transmits the data packet to the receiving system;

for a data packet from the receiving system, this specifically comprises the following steps:

(1) querying the data packet transformation parameter table of the redirection module to judge whether the data packet belongs to a communication connection in the table; if not, not interfering with the flow of the data packet;

(2) if the packet belongs to a communication connection in the table, taking out the reverse transformation parameters of that communication connection, applying the reverse transformation to the data packet, and sending the transformed data packet to the external network.

2. The method according to claim 1, characterised in that it further comprises the step of: tracking whether a host that has sent an ARP query packet sends a second ARP query packet for the same target IP address within a certain time; if it does not, registering the target IP address in the active IP address table, and if the target IP address has already been registered, resetting its remaining survival time to the initial value.

3. A real-time network-activity-monitoring redirection device, including:

1) a network activity monitoring module for monitoring and registering the active IP addresses, including:

A. an active IP address table for registering the active IP addresses within the local area network, each entry of which contains the following attributes: an IP address and a remaining survival time that decreases automatically with time;

B. a network probe for monitoring and analysing the network activity in the local area network and for obtaining and maintaining the current active IP address table through monitoring and inquiry;

C. a MAC/IP address table for recording the MAC address of each host in the local area network and its corresponding IP address;

the network activity monitoring module monitors the ARP broadcast query packets and ARP response packets in the local area network; if any query packet or response packet is found, the IP address of the sender is an active IP address and the sender's IP address and MAC address form a MAC/IP address pair; it writes the MAC/IP address pair into the MAC/IP address table or updates it, so as to record the correspondence between MAC addresses and IP addresses in the local area network; it writes the active IP address into the active IP address table and, if the IP address has already been registered, resets its remaining survival time to the initial value; it monitors the source MAC address of data packets in the local area network, looks up the MAC/IP address table to obtain the corresponding IP address, which is active, and registers it in the active IP address table, resetting its remaining survival time to the initial value if it has already been registered; and the network activity monitoring module traverses the active IP address table at regular intervals; when the remaining survival time of an IP address has decreased to 0, it sends an ARP query packet to that IP address and waits for its response; if the ARP response packet arrives within a specified period of time, it resets the remaining survival time of the IP address to the initial value and, if the MAC address of the IP address has changed, also updates the MAC/IP address table; if the ARP response packet does not arrive within the specified period of time, it deletes the IP address from the active IP address table;

2) A redirection module for redirecting communication connections according to the real-time monitoring results of the network activity monitoring module; the redirection module includes a data packet transformation parameter table, which records, for each redirected communication connection, the description of that connection and the parameters relevant to the forward and reverse transformation of its data packets; for a data packet from the external network, the redirection module operates as follows:

The active IP address table is queried with the destination address of the data packet. If the address is found there, the gateway router does not interfere with the flow of the data packet and releases it directly. If it is not found, the description information of the communication connection is extracted from the data packet: protocol, source address and destination address, which together constitute a query combination; this query combination is used to query the data packet transformation parameter table in order to judge whether a communication connection matching the combination exists. If there is no match, a communication connection description is constructed from the query combination, and the forward and reverse transformation parameter tables are generated from it according to the pre-defined forward and reverse transformation strategy; the communication connection description, the forward and reverse transformation parameter tables and an initialized remaining survival time together form a table entry, which is inserted into the data packet transformation parameter table; the forward transformation is then applied to the data packet using the forward transformation parameter information of the communication connection it belongs to, and at the same time the remaining survival time of that table entry is restored to its original value; because the destination address of the data packet has now been directed to the receiving system, the gateway router transmits the data packet to the receiving system. If there is a match, the forward transformation parameter information of the communication connection the data packet belongs to is taken from the data packet transformation parameter table and the forward transformation is applied to the data packet, at the same time restoring the remaining survival time of that table entry to its original value; because the destination address of the data packet has been directed to the receiving system, the gateway router transmits the data packet to the receiving system;

For a data packet from the receiving system:

The redirection module queries the data packet transformation parameter table to judge whether the data packet belongs to a communication connection recorded in the table. If it does not, the flow of the data packet is not interfered with; if the data packet belongs to a communication connection in the table, the reverse transformation parameters of that communication connection are taken and the reverse transformation is applied to the data packet, after which the transformed data packet is sent to the external network.

4. Device according to Claim 3, characterized in that each entry of the data packet transformation parameter table has a remaining survival time that diminishes with time; whenever a table entry is used for the transformation of a data packet, its remaining survival time is restored to the initial value; when an entry has gone unused for so long that its remaining survival time is reduced to 0, the entry is deleted.

5. Device according to Claim 3, characterized in that the forward transformation parameters include the IP address and port of the receiving system, and the reverse transformation parameters include the non-active IP address and its port.
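The redirection module of part 2) of Claim 3, together with the per-entry survival time of Claim 4 and the forward/reverse parameters of Claim 5, as an added example written for this page (not code from the patent or from Peking University). A packet to a non-active address gets a transformation table entry and is forward-transformed to the receiving system; a reply from the receiving system is reverse-transformed so that the external host sees the non-active address; every use restores the entry's survival time, and an entry that reaches 0 is deleted. Assumptions: `ENTRY_TTL` of 120 s is a chosen value, the active IP address table is represented by a plain set, the pre-defined strategy sends every redirected connection to one receiving system, and the query combination includes the source and destination ports in addition to protocol and addresses (the claim names only protocol and addresses) so that concurrent connections from one external host remain distinct. Packets are constructed in-memory dictionaries.

```python
from typing import Dict, List, Set, Tuple

# Initial remaining survival time of a transformation table entry, in seconds (assumed value).
ENTRY_TTL = 120

# A constructed in-memory packet: keys proto, src, sport, dst, dport.
Packet = Dict[str, object]


class Transform:
    """One entry of the data packet transformation parameter table."""

    def __init__(self, proto: str, ext_ip: str, ext_port: int, inactive_ip: str,
                 inactive_port: int, recv_ip: str, recv_port: int) -> None:
        self.proto = proto
        self.ext_ip, self.ext_port = ext_ip, ext_port                      # external host
        self.inactive_ip, self.inactive_port = inactive_ip, inactive_port  # reverse parameters (claim 5)
        self.recv_ip, self.recv_port = recv_ip, recv_port                  # forward parameters (claim 5)
        self.ttl = ENTRY_TTL                                               # remaining survival time (claim 4)


class Redirector:
    """Model of the redirection module (added example, not the patent's own code)."""

    def __init__(self, active_ips: Set[str], receiver: Tuple[str, int]) -> None:
        self.active_ips = active_ips             # stands in for the active IP address table
        self.recv_ip, self.recv_port = receiver  # pre-defined strategy: a single receiving system
        self.table: Dict[tuple, Transform] = {}  # query combination -> table entry

    def from_external(self, pkt: Packet) -> Tuple[str, Packet]:
        """Packet from the external network. Returns ('pass', pkt) when the destination is active,
        otherwise ('redirect', transformed pkt) whose destination is now the receiving system."""
        if pkt["dst"] in self.active_ips:
            return "pass", pkt
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        entry = self.table.get(key)
        if entry is None:  # no match: build the entry from the connection description
            entry = Transform(pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"],
                              self.recv_ip, self.recv_port)
            self.table[key] = entry
        entry.ttl = ENTRY_TTL  # each use restores the survival time
        return "redirect", dict(pkt, dst=entry.recv_ip, dport=entry.recv_port)

    def from_receiver(self, pkt: Packet) -> Tuple[str, Packet]:
        """Packet from the receiving system. If it belongs to a redirected connection, the reverse
        transformation makes it appear to come from the non-active IP address and port."""
        for entry in self.table.values():
            if (entry.proto == pkt["proto"] and pkt["src"] == entry.recv_ip
                    and pkt["sport"] == entry.recv_port and pkt["dst"] == entry.ext_ip
                    and pkt["dport"] == entry.ext_port):
                entry.ttl = ENTRY_TTL
                return "reverse", dict(pkt, src=entry.inactive_ip, sport=entry.inactive_port)
        return "pass", pkt

    def tick(self, seconds: int) -> List[tuple]:
        """Survival times diminish; an entry that reaches 0 is deleted. Returns the deleted keys."""
        expired: List[tuple] = []
        for key, entry in list(self.table.items()):
            entry.ttl = max(0, entry.ttl - seconds)
            if entry.ttl == 0:
                del self.table[key]
                expired.append(key)
        return expired


if __name__ == "__main__":
    gw = Redirector(active_ips={"192.168.1.10"}, receiver=("192.168.1.250", 2222))
    probe = {"proto": "tcp", "src": "203.0.113.7", "sport": 40000, "dst": "192.168.1.99", "dport": 22}
    print(gw.from_external(probe))
    print(gw.from_receiver({"proto": "tcp", "src": "192.168.1.250", "sport": 2222,
                            "dst": "203.0.113.7", "dport": 40000}))
```

Two properties of the table matter operationally: a reply from the receiving system that matches no live entry is passed untouched rather than rewritten, so the receiving system cannot spoof a non-active address on its own; and once an entry expires, later replies for that connection are no longer reverse-transformed, which is the behaviour Claim 4 implies and the reason the survival time must be refreshed on both directions of traffic.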