
CN116318801A - SOHO router data modification method - Google Patents

SOHO router data modification method

Info

Publication number: CN116318801A (application CN202211673853.2A; granted version CN116318801B)
Authority: CN (China)
Prior art keywords: data packet, data, packet, router, netfilter
Prior art date:
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202211673853.2A
Other languages: Chinese (zh)
Other versions: CN116318801B (en)
Inventors: 刘胜利, 盖贤哲, 蔡瑞杰, 杨启超, 赵方方, 贾凡, 陈宏伟, 蒋思康
Current assignee: Information Engineering University of Chinese People's Liberation Army Cyberspace Force (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: PLA Information Engineering University
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:

  • Application filed by PLA Information Engineering University
  • Priority to CN202211673853.2A
  • Publication of CN116318801A
  • Application granted
  • Publication of CN116318801B
  • Legal status: Active (current)
  • Anticipated expiration

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1441 Countermeasures against malicious traffic
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227 Filtering policies
                            • H04L63/0263 Rule management
                • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
                    • H04L69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
            • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
                • Y02D30/00 Reducing energy consumption in communication networks
                    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of SOHO router data security, and in particular to a SOHO router data modification method that modifies the data flowing through a SOHO router by combining Netfilter and RAW_SOCKET.

Description

A SOHO router data modification method

Technical field:

The invention relates to the technical field of SOHO router data security, and in particular to a SOHO router data modification method.

Background:

SOHO routers are generally used to provide network services to the terminal devices connected to them. Their main functions are to process the Internet access requests of devices in the LAN, forwarding them to the target server on the Internet, and to forward the data returned by the Internet server to the intranet devices. Because SOHO routers generally have no dedicated security protection software, and users pay little attention to router security, SOHO routers contain many security vulnerabilities, which may persist for a long time. Analysis of the SOHO router architecture shows that vulnerabilities may exist in its web service, its applications and the underlying Linux kernel; the vulnerability types include memory corruption vulnerabilities, traditional web vulnerabilities such as XSS and CSRF, command injection vulnerabilities and file upload vulnerabilities, which allow an attacker to obtain root access to the underlying Linux system and pose a security risk to the SOHO router;

After an attacker has taken control of a SOHO router, they often exploit it further by modifying the data packets flowing through it. Network security personnel, in order to discover attack behaviour and trace attackers to their source, also need to modify data packets and insert specific tags so that malicious behaviour can be detected at the traffic level. However, existing ways of modifying data packets may affect the normal operation of the router and the normal communication between the two communicating parties. At the same time, research on router security technology concentrates mainly on vulnerability discovery, with the goal of obtaining root privileges on the Linux kernel operating system underlying the SOHO router, and does not address how data is used once control has been obtained; this is a shortcoming. It is therefore necessary to develop a SOHO router data modification method.

Summary of the invention:

In view of the above defects and problems, the present invention provides a SOHO router data modification method whose purpose is to modify the data flowing through a SOHO router by combining Netfilter and RAW_SOCKET. The data modification method affects neither the normal operation of the router nor the normal communication between the two communicating parties, and can be applied in multiple scenarios such as network security detection and network attack. It captures data packets before they enter Netfilter processing and modifies them as needed, sets a rule at a Netfilter hook point to discard the original data packet, and finally bypasses the router's packet processing rules to send the modified packet directly onto the network.

The solution adopted by the present invention to solve its technical problem is: 1. A SOHO router data modification method, in which the Netfilter mechanism in the Linux kernel underlying the SOHO router discards the data packets that need to be modified, a raw socket captures the original data packets entering the network card, and, after the original data packet has been modified, the kernel protocol stack is bypassed and the modified packet is sent out from the network card;

S1: discarding data packets

SOHO routers filter data packets using the Netfilter mechanism in the underlying Linux kernel. Netfilter is a series of call entry points embedded in the kernel IP protocol stack along the packet processing path; according to the direction in which a network packet flows, Netfilter provides hook points at which the packet can be modified. Using iptables, Netfilter's user-space configuration component, packet filtering rules are set at a hook point according to the characteristics of the packets to be modified, so that the packets are preliminarily screened and discarded;

S2: capturing, modifying and sending data packets

A raw socket in the PF_PACKET socket family is used to capture the original data frame from the data link layer before the original packet enters Netfilter processing, and the packet is processed by a packet processing system comprising a packet sniffing module, a packet analysis module, a packet modification module and a packet sending module;

(1) Before the original packet enters Netfilter processing, the packet sniffing module captures the original packet to be processed from the network card;

(2) The packet analysis module parses the captured original packet and determines whether it is a packet that needs to be modified. If it is not, it is sent out directly; if it is, the packet modification module modifies it, at the same time updating the packet length, SEQ and ACK fields in the packet header and recalculating the checksum, so as to ensure that the packet is correct and the communication continues;

(3) The packet sending module uses the raw socket to bypass the TCP/IP protocol stack and send the modified packet out from the network card.

Furthermore, the principle of packet capture is to capture the packet before it is processed by the Netfilter framework, and the principle of packet sending is to bypass the Netfilter framework and kernel protocol stack processing and send the modified packet onto the network.

Furthermore, according to the direction in which network packets flow, Netfilter provides five hook points at which packets can be modified. Packets passing through the router can be discarded at any of the three hook points Prerouting, Forward and Postrouting; in order not to affect packets destined for the router or packets sent by the router, the packet filtering rule that discards packets is set at the Forward hook point.

Furthermore, the SOHO router has an ARM or MIPS architecture; the Buildroot tool is used to build the corresponding cross-compilation environment and to cross-compile the data capture, data processing and data sending programs that run on the SOHO router, so that packet modification is realised.

Beneficial effects of the present invention: the method combines Netfilter and RAW_SOCKET, using the Netfilter mechanism in the Linux kernel underlying the SOHO router to discard the packets that need to be modified, a raw socket to capture the original packets entering the network card, and, after modification, bypassing the kernel protocol stack to send the modified packets directly from the network card. The method affects neither the normal operation of the router nor the normal communication between the two parties, can be applied in multiple scenarios such as network security detection and network attack, and is highly general. It ensures that the sender does not perceive the discarding of a packet, and that only the modified packet reaches the receiver while the original packet cannot, so that duplicate arrivals are avoided; RAW_SOCKET processing is efficient, so the delay introduced by modification is small and normal communication is not affected; and the packets sent are constructed by the user, so the packet construction function can be written as required and arbitrary modification of packets is possible.

Description of the drawings

Fig. 1 is a flow chart of the principle of the present invention.

Fig. 2 is a flow chart of the principle of packet capture and sending.

Fig. 3 shows the relationship between the capture position, the sending position and the positions through which packets flow in the SOHO router.

Fig. 4 is a flow chart of the principle of the packet processing system.

Fig. 5 is a flow chart of packet filtering in the SOHO router.

Fig. 6 is a schematic diagram of the experimental environment used to validate the "discard-resend" data modification method.

Fig. 7 shows the result, in a normal network environment, of the sender initiating a connection to the receiver and being told that it cannot connect.

Fig. 8 shows the result of the "discard-resend" data modification method returning no information when a packet is discarded.

Fig. 9 is a schematic diagram of the data sent by the sender.

Fig. 10 is a schematic diagram of the data received by the receiver.

Fig. 11 is the program code that modifies a packet's IP address to communicate under a forged identity.

Fig. 12 is a schematic diagram of the time difference between two packets sent by the sender.

Fig. 13 is a schematic diagram of the delay between the two packets received by the receiver.

Detailed description:

The present invention is further described below with reference to the drawings and embodiments.

Embodiment 1. After an attacker has taken control of a SOHO router, they often exploit it further by modifying the data packets flowing through it. Network security personnel, in order to discover attack behaviour and trace attackers to their source, need to modify data packets and insert specific tags so that malicious behaviour can be detected at the traffic level. However, existing ways of modifying data packets may affect the normal operation of the router and the normal communication between the two communicating parties. At the same time, research on router security technology concentrates mainly on vulnerability discovery, with the goal of obtaining root privileges on the Linux kernel operating system underlying the SOHO router, and does not address how data is used once control has been obtained; this is a shortcoming.

To address the above problems, this embodiment provides a SOHO router data modification method that modifies the data flowing through a SOHO router by combining Netfilter and RAW_SOCKET; the method affects neither the normal operation of the router nor the normal communication between the two parties, and can be applied in multiple scenarios such as network security detection and network attack. Its principle is to use the Netfilter mechanism in the Linux kernel underlying the SOHO router to discard the packets that need to be modified, to capture the original packets entering the network card with a raw socket, and, after modifying the original packet, to bypass the kernel protocol stack and send the modified packet out from the network card;

Packet processing on the router can be divided into three categories: packets flowing into the router, packets flowing through the router and packets flowing out of the router. Incoming and passing packets can only be distinguished after the router's routing decision, while passing and outgoing packets must both be sent out by the router. In addition, passing packets also go through a FORWARD step, i.e. they are transferred from one network card to another;

S1: discarding data packets

As shown in Fig. 5, SOHO routers filter packets using the Netfilter mechanism in the underlying Linux kernel. Netfilter is a series of call entry points embedded in the kernel IP protocol stack along the packet processing path; according to the direction in which a network packet flows, it provides five hook points at which packets can be modified, as shown in the figure. Using iptables, Netfilter's user-space configuration component, packet filtering rules can be set for packets passing through the router at any of the three hook points Prerouting, Forward and Postrouting according to the characteristics of the packets to be modified, so as to preliminarily screen and discard them. In this embodiment, in order not to affect packets destined for the router or packets sent by the router, the packet filtering rule that discards packets is set at the Forward hook point;

S2: capturing, modifying and sending data packets

The principle of packet capture is to capture the packet before it is processed by the Netfilter framework, and the principle of packet sending is to bypass the Netfilter framework and kernel protocol stack processing and send the modified packet onto the network;

As shown in Fig. 2, a raw socket in the PF_PACKET socket family is used to capture the original data frame from the data link layer before the original packet enters Netfilter processing; it can also bypass the kernel protocol stack to send packets constructed by the user. The packet is processed by a packet processing system comprising a packet sniffing module, a packet analysis module, a packet modification module and a packet sending module, which together obtain the original packet from the data link layer and send the packet onto the network; as shown in Figs. 3-4,

(1) Before the original packet enters Netfilter processing, the packet sniffing module captures the original packet to be processed from the network card;

(2) The packet analysis module parses the captured original packet and determines whether it is a packet that needs to be modified. If it is not, it is sent out directly; if it is, the packet modification module modifies it, at the same time updating the packet length, SEQ and ACK fields in the packet header and recalculating the checksum, so as to ensure that the packet is correct and the communication continues;

(3) The packet sending module uses the raw socket to bypass the TCP/IP protocol stack and send the modified packet out from the network card;

The packet sniffing module first captures the original packets entering the network card. Since not all captured packets need to be modified, the packet analysis module analyses each packet: if it does not need to be modified it is sent out directly; if it does, the packet is first modified as required, then the checksum and window size fields of the packet header are recalculated, and, if the content of a TCP packet has been modified, the packet length, SEQ, ACK and other fields in the packet header are also updated to ensure that the packet is correct and the communication continues. Finally, the packet sending module sends the packet directly onto the network. The SOHO router has an ARM or MIPS architecture; the Buildroot tool is used to build the corresponding cross-compilation environment and to cross-compile the data capture, data processing and data sending programs that run on the SOHO router, so that packet modification is realised.
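As an added illustration (example code, not the patent's own programs) of the header fields step (2) says must be kept consistent, the Python below parses an Ethernet/IPv4/TCP frame and checks the IP total length against the bytes actually present, the IP header checksum and the TCP checksum over the pseudo-header; the frame it checks is a constructed sample using the Fig. 6 addresses, with placeholder MAC addresses and ports. A frame whose payload was swapped without updating those fields fails the checks, which is what a capture-side validator looks for.

```python
"""Added check for the header fields the method has to keep consistent
after a payload edit: IP total length, IP header checksum and TCP
checksum (pseudo-header included). Example code, not the patent's."""
import struct

ETH_HDR_LEN = 14
IPPROTO_TCP = 6


def rfc1071_checksum(data: bytes) -> int:
    """16-bit one's-complement sum of `data`, complemented (RFC 1071).
    Over a block that already contains a correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum: IPv4 pseudo-header (src, dst, zero, proto, length)
    followed by the whole TCP segment, header and payload."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return rfc1071_checksum(pseudo + segment)


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src_ip: str, dst_ip: str, seq: int, ack: int, payload: bytes) -> bytes:
    """Constructed sample Ethernet/IPv4/TCP data segment (PSH/ACK) with
    correct length and checksum fields; MACs and ports are placeholders."""
    src, dst = ip_bytes(src_ip), ip_bytes(dst_ip)
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, ack, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    # IPv4 header: ver/ihl, tos, total length, id, DF flag, ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", rfc1071_checksum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    return eth + ip + tcp


def check_frame(frame: bytes) -> dict:
    """Validate an IPv4/TCP frame the way a capture-side checker would:
    does the IP total length match the bytes present (no trailing
    Ethernet padding assumed), and do both checksums still verify?
    SEQ, ACK and payload are returned for comparison with the far end."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]          # what the length field claims is there
    data_off = (tcp[12] >> 4) * 4
    seq, ack = struct.unpack("!II", tcp[4:12])
    return {
        "length_ok": ip[9] == IPPROTO_TCP and total_len == len(ip),
        "ip_csum_ok": rfc1071_checksum(ip[:ihl]) == 0,
        "tcp_csum_ok": tcp_checksum(src, dst, tcp) == 0,
        "seq": seq,
        "ack": ack,
        "payload": tcp[data_off:],
    }


def replace_payload_only(frame: bytes, new_payload: bytes) -> bytes:
    """The careless edit step (2) warns against: swap the TCP payload and
    touch nothing else. Used here only to show what the checks catch."""
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    data_off = (ip[ihl + 12] >> 4) * 4
    return frame[:ETH_HDR_LEN + ihl + data_off] + new_payload


if __name__ == "__main__":
    good = build_frame("192.168.1.2", "10.0.0.2", 1000, 2000, b"test!")
    print("original :", check_frame(good))
    print("tampered :", check_frame(replace_payload_only(good, b"hacked!")))
```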

The method ensures that the sender does not perceive the discarding of a packet; secondly, it ensures that only the modified packet reaches the receiver and the original packet cannot, avoiding duplicate arrivals; RAW_SOCKET processing is efficient, so the delay introduced by modification is small and normal communication is not affected; and the packets sent are constructed by the user, so the packet construction function can be written as required and, in principle, arbitrary modification of packets is possible.

Usage scenarios of the "discard-resend" data modification method:

By modifying packets, the "discard-resend" data modification method can insert special data into a packet or a data stream, enabling analysis of network security. Marking-based traceback (MBT) is a widely studied traceback method; classic methods such as Probabilistic Packet Marking [8] (PPM) and Deterministic Packet Marking [9] (DPM) all require data modification. In the security analysis of anonymous channels, watermark analysis [10] is a commonly used method; whether packet watermarking or flow-rate watermarking, it is essentially a modification of packet content or of packet delay, and both can be realised with the "discard-resend" data modification method;

Experimental validation:

As shown in Fig. 6, one host simulates an intranet terminal and another simulates an external server, communicating through a SOHO router. The WAN port of the SOHO router is configured with IP 10.0.0.1 and its LAN port with 192.168.1.1; the external server is configured with 10.0.0.2 and the intranet host with 192.168.1.2. On the SOHO router, the packets with which the intranet host accesses the external server are modified, and packets are captured on both the intranet host and the external server. Note that, because of the SOHO router's NAT, the packets captured on the intranet host are the communication between 192.168.1.2 and 10.0.0.2, whereas those captured on the external server are the communication between the SOHO router's WAN port 10.0.0.1 and 10.0.0.2.

Imperceptibility of packet discarding test:

In a network, when the receiver refuses a packet, it returns an unreachable packet to the sender to inform it that the packet was not received. When the "discard-resend" data modification method discards a packet, it must not send anything to the sender; the discard must be imperceptible to the sender, because otherwise, if the sender learns that the packet was discarded, subsequent communication is affected.

As shown in Fig. 7, in a normal network environment, when the sender initiates a connection to the receiver, the receiver returns a packet with the RST flag to inform the sender that it cannot connect;

As shown in Fig. 8, in the data modification method nothing is returned when a packet is discarded; the sender does not learn that the packet was discarded and the subsequent communication is unaffected;

Packet content modification test:

In normal network communication, the content of the packet received by the receiver is identical to that of the packet sent by the sender. This embodiment successfully modifies packets with the "discard-resend" method, so that the content received by the receiver differs from that sent by the sender;

As can be seen from the data sent by the sender in Fig. 9 and the data received by the receiver in Fig. 10, the content sent by the sender is test!, whereas the content received by the receiver is hacked!, showing that the packet content was modified.

Forged sender IP test:

The "discard-resend" data modification method can modify a packet's IP address to communicate under a forged identity. Fig. 11 shows the sender sending a request to the receiver 10.0.0.2, and the receiver forging its identity when returning data, replying to the sender from the IP 8.8.8.8; this technique is often used by network attackers to hide their identity and avoid being traced;

Inter-packet delay modification test:

The communication delay of a normal network is relatively constant, so packets sent by the sender at nearly the same time arrive at the receiver at nearly the same time. The "discard-resend" data modification method can insert a delay between two packets, realising a timing watermark on the data stream;

As shown in Fig. 12, the two packets sent by the sender are sent with a very small time difference;

As shown in Fig. 13, a 2-second delay has been inserted between the two packets received by the receiver;
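The experiments above compare what the sender sent with what the receiver received. The added Python below (example code, not part of the patent) does that comparison over two constructed captures of the Fig. 6 flow: it pairs segments by order rather than by SEQ, since step (2) rewrites SEQ when the payload length changes, treats the router's WAN address 10.0.0.1 as the source the receiver should see after NAT, and reports changed payloads, shifted SEQ numbers, unexpected sources and inserted delay. The Seg record format, the 0.5 s delay threshold and the capture contents are assumptions of this example.

```python
"""Added comparison of two captures of one TCP flow, taken at the sender
and at the receiver, to surface what an on-path 'discard-resend'
modifier changed. Example code, not the patent's."""
from dataclasses import dataclass


@dataclass
class Seg:
    """One TCP data segment as seen at a vantage point (assumed record format)."""
    t: float        # capture timestamp, seconds
    src: str        # IPv4 source address as seen at this vantage point
    seq: int        # TCP sequence number
    payload: bytes


def compare_captures(sender, receiver, nat_src, max_extra_delay=0.5):
    """Pair the i-th segment seen at the sender with the i-th seen at the
    receiver (by order, not by SEQ, because SEQ is rewritten when the
    payload length changes) and return a list of findings.
    `nat_src` is the source address the receiver is expected to see after
    the router's NAT; anything else is reported as an unexpected source."""
    findings = []
    if len(sender) != len(receiver):
        findings.append(("count_mismatch", len(sender), len(receiver)))
    for i, (s, r) in enumerate(zip(sender, receiver)):
        if r.src != nat_src:
            findings.append(("unexpected_src", i, r.src))
        if s.payload != r.payload:
            findings.append(("payload_changed", i, s.payload, r.payload))
        if r.seq != s.seq:
            # a length change on an earlier segment shifts every later SEQ
            findings.append(("seq_shifted", i, r.seq - s.seq))
        if i > 0:
            # compare inter-packet gaps, not absolute times, so the fixed
            # path latency cancels and only an inserted delay remains
            extra = (r.t - receiver[i - 1].t) - (s.t - sender[i - 1].t)
            if extra > max_extra_delay:
                findings.append(("delay_inserted", i, round(extra, 3)))
    return findings


# Constructed captures of the Fig. 6 experiment: the intranet host sends
# two segments 1 ms apart; on the way the first payload was replaced
# (test! -> hacked!, two bytes longer) and a 2 s gap was inserted.
SENDER_CAPTURE = [
    Seg(0.000, "192.168.1.2", 1000, b"test!"),
    Seg(0.001, "192.168.1.2", 1005, b"test!"),
]
RECEIVER_CAPTURE = [
    Seg(0.004, "10.0.0.1", 1000, b"hacked!"),
    Seg(2.005, "10.0.0.1", 1007, b"test!"),
]


def run_example():
    return compare_captures(SENDER_CAPTURE, RECEIVER_CAPTURE, nat_src="10.0.0.1")


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```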

The above are only preferred embodiments of the present invention and do not limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (4)

1. A SOHO router data modification method, characterized in that the Netfilter mechanism in the Linux kernel underlying the SOHO router discards the data packet to be modified, a raw socket captures the original data packet as it enters the network card, and after the original packet has been modified the modified packet is sent out from the network card, bypassing the kernel protocol stack;
S1: discarding data packets
The SOHO router filters data packets with the Netfilter mechanism of the underlying Linux kernel. Netfilter is a series of call entry points placed on the packet processing path and embedded in the kernel IP protocol stack; they provide mounting points at which a packet can be modified according to the direction in which it flows. Using iptables, the user-space configuration component of Netfilter, a packet filtering rule matching the characteristics of the packets to be modified is set at such a mounting point, so that the packets are screened and discarded;
S2: capturing, modifying and sending data packets
A raw socket with the PF_PACKET protocol family captures the original data frame from the data link layer before the original packet enters Netfilter processing, and the packet is handled by a packet processing system consisting of a packet sniffing module, a packet analysis module, a packet modification module and a packet sending module;
(1) Before the original packet enters Netfilter processing, the packet sniffing module captures the original packet to be processed from the network card;
(2) The packet analysis module parses the captured original packet and determines whether it needs to be modified. If not, the packet is sent directly; if so, the packet modification module modifies it, adjusting the packet length and the SEQ and ACK fields in the packet header and recalculating the checksum, so that the packet remains valid and the communication continues uninterrupted;
(3) The packet sending module bypasses the TCP/IP protocol stack with a raw socket and sends the modified packet out from the network card.
2. The SOHO router data modification method according to claim 1, wherein the packet capturing principle is to capture a packet before it is processed by the Netfilter framework, and the packet sending principle is to bypass the Netfilter framework and the kernel protocol stack and transmit the modified packet into the network.
3. The SOHO router data modification method according to claim 1, wherein Netfilter provides five mounting points for modifying the data packet according to the direction of the network packet; the three mounting points Prerouting, Forward and Postrouting all see packets that pass through the router, so, in order not to affect packets destined for the router itself or packets sent by the router, the packet filtering rule that discards the packet is set selectively at the Forward mounting point.
4. The method for modifying SOHO router data according to claim 1, wherein the SOHO router has an ARM or MIPS architecture, a corresponding cross-compilation environment is built with the Buildroot tool, and the data capturing, data processing and data sending programs that run on the SOHO router are cross-compiled, so as to implement modification of the data packet.
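Steps (1) to (3) of claim 1, as an added worked example in C that is not the patent's own code: a captured Ethernet/IPv4/TCP frame is parsed, a byte sequence in the TCP payload is replaced (possibly by one of a different length), the IP total length is fixed, the SEQ of this and of every later packet in the same direction is shifted by the accumulated length change while the peer's ACKs are shifted back, both checksums are recomputed, and the result is handed to a PF_PACKET raw socket, which injects it below the IP stack and therefore below the Netfilter hook that dropped the original. The sample frames and addresses are constructed, not captured; the function names, the `struct flowfix` per-flow delta bookkeeping, IPv4 without options and a single TCP flow are assumptions of this example.

```c
#define _GNU_SOURCE                              /* memmem() on glibc */
#include <stdint.h>
#include <string.h>
#ifdef __linux__                                 /* PF_PACKET injection is Linux-only */
#include <arpa/inet.h>
#include <sys/socket.h>
#include <net/if.h>
#include <unistd.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#endif
#define ETH_HDR   14
#define MAX_FRAME 1514
struct frame   { uint8_t buf[MAX_FRAME]; size_t len; };
struct flowfix { int32_t delta; };               /* assumed per-flow bookkeeping: bytes added so far in one direction */
static uint32_t csum_add(uint32_t s, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) s += (uint32_t)p[0] << 8 | p[1];
    return n ? s + ((uint32_t)p[0] << 8) : s;
}
static uint16_t csum_fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)~s; }
static void     put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void     put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }
/* Validate Ethernet/IPv4/TCP framing; yields IP and TCP header pointers and payload length, 0 if not TCP. */
static int locate(struct frame *f, uint8_t **ip, uint8_t **tcp, size_t *plen) {
    uint8_t *h = f->buf + ETH_HDR;
    if (f->len < ETH_HDR + 40 || (h[0] >> 4) != 4 || h[9] != 6) return 0;
    size_t ihl = (h[0] & 0x0f) * 4, total = get16(h + 2), doff = (h[ihl + 12] >> 4) * 4;
    if (ihl < 20 || doff < 20 || total < ihl + doff || ETH_HDR + total > f->len) return 0;
    *ip = h; *tcp = h + ihl; *plen = total - ihl - doff; return 1;
}
static uint16_t tcp_csum(const uint8_t *ip) {       /* pseudo-header + segment; 0 means the stored checksum verifies */
    size_t ihl = (ip[0] & 0x0f) * 4, tlen = get16(ip + 2) - ihl;
    return csum_fold(csum_add(csum_add(0, ip + 12, 8) + 6 + (uint32_t)tlen, ip + ihl, tlen));
}
static void fix_checksums(uint8_t *ip) {            /* recompute IPv4 header and TCP checksums after an edit */
    size_t ihl = (ip[0] & 0x0f) * 4;
    put16(ip + 10, 0);       put16(ip + 10, csum_fold(csum_add(0, ip, ihl)));
    put16(ip + ihl + 16, 0); put16(ip + ihl + 16, tcp_csum(ip));
}
static int checksums_ok(struct frame *f) {          /* 1 if both checksums verify, as a receiving host checks them */
    uint8_t *ip, *tcp; size_t plen;
    return locate(f, &ip, &tcp, &plen) && csum_fold(csum_add(0, ip, (ip[0] & 0x0f) * 4)) == 0 && tcp_csum(ip) == 0;
}
/* Claim 1 step (2): replace `old` with `new` in the payload, fix the IP total length, shift SEQ by the length
 * change accumulated from earlier edits, recompute checksums. 1 = frame changed, 0 = forward it as captured. */
static int rewrite_payload(struct frame *f, struct flowfix *fx, const char *old, const char *new) {
    uint8_t *ip, *tcp; size_t plen;
    if (!locate(f, &ip, &tcp, &plen)) return 0;
    uint8_t *pl = tcp + (tcp[12] >> 4) * 4; size_t olen = strlen(old), nlen = strlen(new);
    uint8_t *hit = plen >= olen ? memmem(pl, plen, old, olen) : NULL;
    int changed = hit && f->len - olen + nlen <= MAX_FRAME;      /* the result must still fit one frame */
    if (changed) {
        memmove(hit + nlen, hit + olen, plen - (size_t)(hit - pl) - olen);
        memcpy(hit, new, nlen);
        put16(ip + 2, (uint16_t)(get16(ip + 2) - olen + nlen));
        f->len = ETH_HDR + get16(ip + 2);
    }
    if (!changed && fx->delta == 0) return 0;
    put32(tcp + 4, get32(tcp + 4) + (uint32_t)fx->delta);        /* SEQ shifted by earlier edits */
    if (changed) fx->delta += (int32_t)nlen - (int32_t)olen;     /* and later packets by this one as well */
    fix_checksums(ip); return 1;
}
/* Packets from the peer acknowledge the rewritten byte stream: undo the delta on their ACK numbers. */
static int fix_reverse_ack(struct frame *f, const struct flowfix *fx) {
    uint8_t *ip, *tcp; size_t plen;
    if (fx->delta == 0 || !locate(f, &ip, &tcp, &plen)) return 0;
    put32(tcp + 8, get32(tcp + 8) - (uint32_t)fx->delta);
    fix_checksums(ip); return 1;
}
#ifdef __linux__
/* Claim 1 step (3): inject the frame on `ifname` through a PF_PACKET socket, below the IP stack and Netfilter. */
static ssize_t send_raw(const char *ifname, const struct frame *f) {
    int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); if (s < 0) return -1;
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_ifindex = (int)if_nametoindex(ifname), .sll_halen = ETH_ALEN };
    memcpy(sll.sll_addr, f->buf, ETH_ALEN);                        /* destination MAC taken from the frame */
    ssize_t n = sendto(s, f->buf, f->len, 0, (struct sockaddr *)&sll, sizeof sll);
    close(s); return n;
}
#endif
/* Constructed sample (not captured traffic): 192.168.1.10:40000 -> 192.168.1.20:80, PSH|ACK, no options. */
static void build_sample(struct frame *f, uint32_t seq, uint32_t ack, const char *payload) {
    static const uint8_t eth[ETH_HDR] = { 2,0,0,0,0,2, 2,0,0,0,0,1, 0x08,0x00 }, addr[8] = { 192,168,1,10, 192,168,1,20 };
    size_t plen = strlen(payload), total = 40 + plen;
    uint8_t *ip = f->buf + ETH_HDR, *tcp = ip + 20;
    memset(f, 0, sizeof *f); memcpy(f->buf, eth, ETH_HDR); memcpy(ip + 12, addr, 8);
    ip[0] = 0x45; put16(ip + 2, (uint16_t)total); ip[8] = 64; ip[9] = 6;
    put16(tcp, 40000); put16(tcp + 2, 80); put32(tcp + 4, seq); put32(tcp + 8, ack);
    tcp[12] = 0x50; tcp[13] = 0x18; put16(tcp + 14, 65535);
    memcpy(tcp + 20, payload, plen); f->len = ETH_HDR + total;
    fix_checksums(ip);
}
/* Grow one payload by three bytes, then check the SEQ/ACK bookkeeping on the packets that follow. */
static int selftest(void) {
    struct frame f; struct flowfix fx = { 0 };
    build_sample(&f, 1100, 5000, "name=bob\r\n");
    if (!checksums_ok(&f) || rewrite_payload(&f, &fx, "bob", "robert") != 1) return 0;
    if (fx.delta != 3 || f.len != 67 || !checksums_ok(&f) || get32(f.buf + ETH_HDR + 24) != 1100) return 0;
    if (memcmp(f.buf + ETH_HDR + 40, "name=robert\r\n", 13) != 0) return 0;
    build_sample(&f, 1110, 5000, "x\r\n");                         /* next packet: nothing to replace, SEQ still shifts */
    if (rewrite_payload(&f, &fx, "bob", "robert") != 1 || get32(f.buf + ETH_HDR + 24) != 1113) return 0;
    build_sample(&f, 5000, 1113, "");                              /* the peer's ACK of the longer stream */
    return fix_reverse_ack(&f, &fx) == 1 && get32(f.buf + ETH_HDR + 28) == 1110 && checksums_ok(&f);
}
int main(void) { return selftest() ? 0 : 1; }      /* exit status 0 when the self-test passes */
```

The drop of step S1 that pairs with this, for the Forward mounting point of claim 3, would be an iptables rule such as `iptables -I FORWARD -p tcp --dport 80 -m string --algo bm --string "name=bob" -j DROP` (an example rule, not one given by the patent); the PF_PACKET tap sees the frame in the driver receive path before the IP layer, which is why the capture in step (1) still happens after the rule is installed. Three caveats a practitioner needs: `send_raw` requires CAP_NET_RAW; a SOCK_RAW PF_PACKET sniffer also receives the frames this program injects, so the sniffer must skip its own output or a rewritten packet is captured and rewritten again; and once a flow has been lengthened or shortened, every later segment in both directions must pass through `rewrite_payload` or `fix_reverse_ack`, otherwise the endpoints see a SEQ/ACK mismatch and reset the connection. IP options, fragmentation, SACK blocks and TCP timestamp options are outside what this example handles.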
CN202211673853.2A 2022-12-26 2022-12-26 SOHO router data modification method Active CN116318801B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211673853.2A CN116318801B (en) 2022-12-26 2022-12-26 SOHO router data modification method

Publications (2)

Publication Number Publication Date
CN116318801A true CN116318801A (en) 2023-06-23
CN116318801B CN116318801B (en) 2024-07-12

Family

ID=86794873

Country Status (1)

Country Link
CN (1) CN116318801B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20250023819A1 (en) * 2023-07-11 2025-01-16 Korea University Research And Business Foundation Device and method for lightweight container packet processing in iot environment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753928A (en) * 2015-03-16 2015-07-01 苏州科达科技股份有限公司 Code stream forwarding method and system
CN106059885A (en) * 2016-06-15 2016-10-26 京信通信系统(中国)有限公司 Method and system for processing CAPWAP message by wireless controller
US20170026224A1 (en) * 2015-07-22 2017-01-26 Cisco Technology, Inc. Resilient segment routing service hunting with tcp session stickiness
CN106911778A (en) * 2017-02-27 2017-06-30 网宿科技股份有限公司 A kind of flow bootstrap technique and system
CN107317810A (en) * 2017-06-23 2017-11-03 济南浪潮高新科技投资发展有限公司 A kind of data interception method and device
CN109361723A (en) * 2018-04-18 2019-02-19 上海锐智集数电子有限公司 A kind of effective message transmission timing control method of UDP

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
郭一辰;陈靖;张黎;黄聪会;: "大规模MANET路由协议SPDSR在Linux中的设计与实现", 空军工程大学学报(自然科学版), no. 04, 25 August 2012 (2012-08-25), pages 1 - 6 *
陈炼;李桂林;刘耀瑞;赵亚楠;: "基于Android的DSDV路由协议实现与应用", 信息通信, no. 02, 15 February 2017 (2017-02-15), pages 1 - 4 *

Also Published As

Publication number Publication date
CN116318801B (en) 2024-07-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 450000 Science Avenue 62, Zhengzhou High-tech Zone, Henan Province

Patentee after: Information Engineering University of the Chinese People's Liberation Army Cyberspace Force

Country or region after: China

Address before: No. 62 Science Avenue, High tech Zone, Zhengzhou City, Henan Province

Patentee before: Information Engineering University of Strategic Support Force,PLA

Country or region before: China