DETECTION METHOD OF SECURITY EQUIPMENT BASED ON ALG PROTOCOL TO REALIZE TCP STACK INFORMATION LEAK

20220417283 · 2022-12-29

    Abstract

    The present invention discloses a detection method of security equipment based on ALG protocol to realize TCP stack information leak, including: S1, a client sending a detection packet containing an ALG protocol stack to a server; S2, the server responding to the detection packet, wherein the response packet of the server to the detection packet includes basic information of the software to be detected and protocol stack information of the security equipment; S3, the client receiving the response packet. The detection method constructs a detection packet that exercises the protocol stack of the security equipment, so that the security equipment returns its own protocol stack information; transparently deployed security equipment is thereby recognized, achieving genuine network equipment recognition.

    Claims

    1. A detection method of security equipment based on ALG protocol to realize TCP stack information leak, the detection method comprising the steps of: S1, a client sending a detection packet containing an ALG protocol stack to a server; S2, the server responding to the detection packet, wherein a response packet of the server in response to the detection packet comprises basic information of the software to be detected and protocol stack information of the security equipment; and S3, the client receiving the response packet.

    2. The detection method of security equipment based on ALG protocol to realize TCP stack information leak according to claim 1, wherein the ALG protocol stack comprises one or more of FTP, H.323, SIP, SCCP, RTSP, PPTP, DNS, GRE, ORACLE SQL*Net, MS-RPC, Sun-RPC, TFTP and RSH.

    3. The detection method of security equipment based on ALG protocol to realize TCP stack information leak according to claim 1, wherein the basic information of the software to be detected comprises name, Web server software type, version information and operating system information.

    4. The detection method of security equipment based on ALG protocol to realize TCP stack information leak according to claim 1, wherein the security equipment comprises a firewall, an intrusion detection system, and a transparently deployed firewall.

    5. The detection method of security equipment based on ALG protocol to realize TCP stack information leak according to claim 1, wherein the protocol stack information of the security equipment comprises a SYN packet and an ACK packet returned by the security equipment after receiving the ALG protocol stack.

    6. The detection method of security equipment based on ALG protocol to realize TCP stack information leak according to claim 5, the detection method comprising the steps of: S1-1, a client sending a detection packet containing an ALG protocol stack to a server; S1-2, the security equipment responding to the detection packet, and returning the SYN packet and the ACK packet to the client; S1-3, the client sending the ACK packet again to the security equipment, and the security equipment sending the SYN packet to the server; S1-4, the server returning an RST response packet to the security equipment; S1-5, the security equipment returning an RST/FIN response packet carrying the RST response packet to the client after receiving the RST response packet; and S1-6, after receiving the RST/FIN response packet, the client recognizing the security equipment, and then analyzing the SYN packet and the ACK packet returned in step S1-2 to obtain the type of the security equipment.

    7. The detection method of security equipment based on ALG protocol to realize TCP stack information leak according to claim 6, wherein in step S1-6, the client distinguishes security equipment of different types by examining the MSS and TCP window information in the SYN packet and the ACK packet.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0039] FIG. 1 shows a schematic diagram of the detection method of security equipment based on ALG protocol to realize TCP stack information leak according to the present invention.

    DETAILED DESCRIPTION

    [0040] The present invention will now be described in further detail with reference to the accompanying drawings, so that a person skilled in the art can practice it by reference to the description.

    [0041] As shown in FIG. 1, a detection method of security equipment based on ALG protocol to realize TCP stack information leak comprises the following steps of:

    [0042] S1, a client sending a detection packet containing an ALG protocol stack to a server;

    [0043] S2, the server responding to the detection packet, wherein a response packet of the server in response to the detection packet comprises basic information of a software to be detected and protocol stack information of security equipment; and

    [0044] S3, the client receiving the response packet.

    [0045] In the above technical solution, the presence of the security equipment in the network can be determined during detection by including the ALG protocol stack in the detection packet, thereby realizing detection of the security equipment.

    [0046] The security equipment runs its own TCP/IP stack (TCP/IP is the family of communication protocols built on the two original protocols TCP and IP; TCP stands for Transmission Control Protocol and IP for Internet Protocol). The ALG (Application Layer Gateway) for FTP/PPTP (File Transfer Protocol/Point-to-Point Tunneling Protocol) is enabled by default on such equipment. A detection packet addressed to an ALG protocol can therefore be sent to the server: when the security equipment encounters ALG traffic it communicates with the client from its own TCP/IP stack and only then forwards the connection to the back-end server. This avoids the problem in the prior art, where the security equipment simply forwards the client's detection packet to the back-end server without emitting any packet of its own and so remains invisible. Because the security equipment now returns its own protocol stack information, it can be recognized, which detects the security system in the network, avoids false alarms, improves detection accuracy, and achieves genuine network equipment recognition.

    [0047] In a preferred solution, the ALG protocol stack comprises one or more of FTP, H.323, SIP, SCCP, RTSP, PPTP, DNS, GRE, ORACLE SQL*Net, MS-RPC, Sun-RPC, TFTP and RSH.

    [0048] In the above solution, FTP, H.323, SIP, SCCP, RTSP, PPTP, DNS, GRE, ORACLE SQL*Net, MS-RPC, Sun-RPC, TFTP and RSH are the thirteen protocols for which application layer gateways are commonly provided in the prior art.

    [0049] In a preferred solution, the basic information of the software to be detected comprises name, Web server software type, version information and operating system information.

    [0050] In the above solution, the identity of the software to be detected can be accurately recognized by the above basic information.

    [0051] In a preferred solution, the security equipment comprises a firewall, an intrusion detection system, and a transparently deployed firewall.

    [0052] In a preferred solution, the protocol stack information of the security equipment comprises a SYN packet and an ACK packet returned by the security equipment after receiving the ALG protocol stack.

    [0053] In the above solution, SYN stands for Synchronize Sequence Numbers: a segment with the SYN flag set to 1 requests a connection. ACK stands for Acknowledgment: the ACK flag is 0 in the initial connection request and 1 in a response that acknowledges the peer's sequence number. In TCP the SYN packet and the ACK packet returned by the security equipment are normally carried together as a single SYN/ACK segment.

    [0054] As shown in FIG. 1, in a preferred solution, the detection method comprises the following steps of:

    [0055] S1-1, a client sending a detection packet containing an ALG protocol stack to a server;

    [0056] S1-2, the security equipment responding to the detection packet, and returning the SYN packet and the ACK packet to the client;

    [0057] S1-3, the client sending the ACK packet again to the security equipment, and the security equipment sending the SYN packet to the server;

    [0058] S1-4, the server returning an RST response packet to the security equipment;

    [0059] S1-5, the security equipment returning an RST/FIN response packet carrying the RST response packet to the client after receiving the RST response packet; and

    [0060] S1-6, after receiving the RST/FIN response packet, the client recognizing the security equipment, and then analyzing the SYN packet and the ACK packet returned in step S1-2 to obtain the type of the security equipment.

    [0061] In the above solution, the presence of the security equipment in the network can be determined during detection by including the ALG protocol stack in the detection packet, thereby realizing detection of the security equipment.

    [0062] The security equipment runs its own TCP/IP stack (TCP/IP is the family of communication protocols built on the two original protocols TCP and IP; TCP stands for Transmission Control Protocol and IP for Internet Protocol). The ALG (Application Layer Gateway) for FTP/PPTP (File Transfer Protocol/Point-to-Point Tunneling Protocol) is enabled by default on such equipment. A detection packet addressed to an ALG protocol can therefore be sent to the server: when the security equipment encounters ALG traffic it communicates with the client from its own TCP/IP stack and then forwards the connection to the back-end server; these are steps 3 and 6 in FIG. 1. This avoids the problem in the prior art, where the security equipment simply forwards the client's detection packet to the back-end server without emitting any packet of its own. The security equipment now returns its own protocol stack information, which not only makes transparently deployed security equipment answer the client, but also allows the specific security equipment to be recognized from the SYN packet and the ACK packet returned in step 2 of FIG. 1, thereby detecting the security system in the network, avoiding false alarms, improving detection accuracy, and achieving genuine network equipment recognition.

    [0063] In a preferred solution, in step S1-6, the client distinguishes security equipment of different types by examining the MSS (maximum segment size) and TCP window information in the SYN packet and the ACK packet.

    [0064] In the above solution, security equipment from different manufacturers uses different MSS and window values, so by examining the MSS and window information in the SYN packet and the ACK packet the client can recognize the manufacturer, model and other details of the specific security equipment present among the network equipment.
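    The following is an added example written for this page; it is not code from the patent or from any product it describes. It implements, on the client side, the exchange of steps S1-1 to S1-6 ([0054] to [0060]) and the MSS/window fingerprint of [0063] and [0064]: a minimal TCP segment builder and parser (MSS option and advertised window), a state machine that decides whether a SYN/ACK was answered by an intermediary rather than by the server, and a lookup of the SYN/ACK's (MSS, window) pair. The probe targets FTP (port 21), one of the ALG protocols of claim 2. All segments, the two control traces and the fingerprint table are constructed inline for the example; the device labels in SAMPLE_FINGERPRINTS are placeholders and describe no real product.

```python
# Added example, not from the patent: client-side probe logic for steps S1-1..S1-6
# and the MSS/window fingerprint of [0063]-[0064].  All segments are built in-process
# with build_tcp(); nothing is sent on the wire.
import struct
from collections import namedtuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10   # TCP flag bits
FTP_PORT = 21    # FTP is one of the ALG protocols listed in claim 2
Segment = namedtuple("Segment", "sport dport flags window mss payload_len")


def build_tcp(sport, dport, seq, ack, flags, window, mss=None, payload=b""):
    """Serialize one TCP segment (checksum left 0; no IP pseudo-header here)."""
    options = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""  # kind 2 = MSS
    options += b"\x01" * (-len(options) % 4)             # pad with NOP (kind 1)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    return header + options + payload


def parse_tcp(raw):
    """Parse the fixed header, the advertised window and the MSS option."""
    sport, dport, _seq, _ack, off, flags, window, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", raw[:20])
    hlen = (off >> 4) * 4
    opts, mss, i = raw[20:hlen], None, 0
    while i < len(opts) and opts[i] != 0:                # kind 0 ends the list
        if opts[i] == 1:                                 # NOP has no length byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:                                   # malformed option
            break
        if opts[i] == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return Segment(sport, dport, flags, window, mss, len(raw) - hlen)


def detect_alg_middlebox(trace):
    """trace: [(direction, raw_tcp), ...] as seen by the client, direction "out"/"in".
    Rule of S1-2..S1-6: the probe SYN gets a SYN/ACK, the client ACKs, and the next
    inbound segment is a reset carrying no data (the RST/FIN of S1-5).  Without an
    intermediary a closed port resets the SYN directly, and a real FTP server
    follows the handshake with its banner."""
    state, synack = "init", None
    for direction, raw in trace:
        seg = parse_tcp(raw)
        if state == "init" and direction == "out" and seg.flags & SYN and not seg.flags & ACK:
            state = "syn_sent"
        elif state == "syn_sent" and direction == "in":
            if seg.flags & RST:
                return {"present": False, "reason": "SYN reset directly by the server"}
            if seg.flags & SYN and seg.flags & ACK:
                state, synack = "synack_received", seg
        elif state == "synack_received" and direction == "out" and seg.flags & ACK:
            state = "established"
        elif state == "established" and direction == "in":
            if seg.flags & RST:
                return {"present": True, "reason": "handshake answered by an intermediary, then reset",
                        "mss": synack.mss, "window": synack.window}
            if seg.payload_len:
                return {"present": False, "reason": "server sent application data"}
    return {"present": False, "reason": "trace inconclusive"}


# Placeholder fingerprint table: (MSS, window) of the SYN/ACK -> device label.
# Constructed for the example; the pairs describe no real product.
SAMPLE_FINGERPRINTS = {(1380, 8192): "sample-device-A", (1460, 29200): "sample-device-B"}


def fingerprint(mss, window):
    return SAMPLE_FINGERPRINTS.get((mss, window), "unknown")


# Constructed traces: client port 40000, probe to FTP port 21.
def middlebox_trace():                                   # S1-1 .. S1-5 with equipment present
    return [("out", build_tcp(40000, FTP_PORT, 1000, 0, SYN, 64240, mss=1460)),
            ("in",  build_tcp(FTP_PORT, 40000, 5000, 1001, SYN | ACK, 8192, mss=1380)),
            ("out", build_tcp(40000, FTP_PORT, 1001, 5001, ACK, 64240)),
            ("in",  build_tcp(FTP_PORT, 40000, 5001, 1001, RST | ACK, 0))]


def closed_port_trace():                                 # prior-art case: server resets the SYN
    return [("out", build_tcp(40000, FTP_PORT, 1000, 0, SYN, 64240, mss=1460)),
            ("in",  build_tcp(FTP_PORT, 40000, 0, 1001, RST | ACK, 0))]


def real_ftp_trace():                                    # genuine server: banner after handshake
    return [("out", build_tcp(40000, FTP_PORT, 1000, 0, SYN, 64240, mss=1460)),
            ("in",  build_tcp(FTP_PORT, 40000, 5000, 1001, SYN | ACK, 29200, mss=1460)),
            ("out", build_tcp(40000, FTP_PORT, 1001, 5001, ACK, 64240)),
            ("in",  build_tcp(FTP_PORT, 40000, 5001, 1001, PSH | ACK, 29200,
                              payload=b"220 FTP service ready\r\n"))]


if __name__ == "__main__":
    for name, trace in (("middlebox", middlebox_trace()), ("closed port", closed_port_trace()),
                        ("real ftp", real_ftp_trace())):
        r = detect_alg_middlebox(trace)
        label = fingerprint(r["mss"], r["window"]) if r["present"] else "-"
        print(f"{name:12s} present={r['present']} ({r['reason']}) device={label}")
```

    Two practical caveats that apply to the patent's rule as well as to this example. First, any device that terminates TCP on the server's behalf (a proxy or load balancer as much as an ALG-enabled firewall) produces the same SYN/ACK-then-RST signature, so the closed-port control trace is what distinguishes "an intermediary answered" from "the server answered and then refused"; a host whose application accepts and immediately closes the connection cannot be told apart from an intermediary by the TCP flags alone. Second, the MSS seen in a SYN/ACK can be rewritten in transit by MSS clamping, so fingerprint tables should be collected under the same path conditions as the probe.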

    [0065] Although embodiments of the present invention have been disclosed above, they are not limited to the applications mentioned in the specification and embodiments, and can be applied in any field suitable for the present invention. A person of ordinary skill in the field can readily make various other changes, without creative work, according to the teaching of the present invention. Therefore, without departing from the general concept defined by the claims and their equivalents, the present invention is not limited to the particular details and illustrations shown and described herein.