
WO2008095430A1 - A method and a system for preventing a media agency from hacker attacking - Google Patents


Info

Publication number: WO2008095430A1
Authority: WO, WIPO (PCT)
Prior art keywords: media, authentication code, session entry, packet, message
Legal status: Ceased
Application number: PCT/CN2008/070151
Other languages: French (fr), Chinese (zh)
Inventors: Xin Yao, Jin Xu
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Definitions

  • The embodiment of the present invention provides a method for preventing a media agent from being attacked by a hacker. The signaling interaction involved is shown in FIG. 6 and the method flow in FIG. 5; the method includes the following steps:
  • Step 101: Terminal 1 sends an Invite signaling message to the NAT firewall (step 1 in FIG. 6), and the NAT firewall sends the Invite to the media proxy device (step 2 in FIG. 6).
  • Step 102: After receiving the Invite, the media proxy device modifies its internal signaling IP address, allocates an IP address and port for transmitting media packets on its uplink port, and forwards the Invite to terminal 2 through the softswitch (steps 3 and 4 in FIG. 6).
  • Step 103: After receiving the Invite, terminal 2 sends a 180 Ring signaling message to the softswitch, and the softswitch forwards the 180 Ring to the media proxy device (steps 5 and 6 in FIG. 6).
  • Step 104: The media proxy device forwards the received 180 Ring to terminal 1 through the NAT firewall (steps 7 and 8 in FIG. 6).
  • Step 105: Terminal 1 receives the 180 Ring signaling message.
  • Step 106: Terminal 2 sends a 200 OK signaling message to the softswitch, and the softswitch forwards the 200 OK to the media proxy device (steps 9 and 10 in FIG. 6).
  • Step 107: After receiving the 200 OK, the media proxy device randomly generates a string as the authentication code, records the string, adds the string to the 200 OK, and forwards the 200 OK to terminal 1 through the NAT firewall (steps 11 and 12 in FIG. 6). Besides the operations of this step, after receiving the 200 OK the media proxy device also modifies its internal signaling IP address, allocates an IP address and port for transmitting media packets on its downlink port, generates a media session entry, and marks that session entry as not yet learned.
  • Step 108: After receiving the 200 OK, terminal 1 parses the string that serves as the authentication code from the 200 OK, saves the string, and sends a response to the NAT firewall; the NAT firewall forwards the response to terminal 2 through the media proxy device and the softswitch (steps 13, 14, 15 and 16 in FIG. 6).
  • Step 109: Terminal 1 sends a media packet containing the string as the authentication code to the NAT firewall, and the NAT firewall forwards the media packet containing the string to the media proxy device.
  • Step 110: After receiving the media packet containing the string, the media proxy device matches the destination address and port of the media packet against the destination address and port in its media session entries. If the match succeeds, step 111 is performed; otherwise step 116 is performed.
  • Step 111: The media proxy device checks whether learning of the media session entry is completed. If learning is completed, step 112 is performed; otherwise step 113 is performed.
  • Step 112: The media proxy device removes the string from the media packet and forwards the media packet to terminal 2 through the softswitch according to the media session entry.
  • Step 113: The media proxy device checks whether the received media packet carries a string. If no string is carried, step 116 is performed; otherwise step 114 is performed.
  • Step 114: The media proxy device compares the string in the media packet with the string recorded in the media session entry. If the two strings are the same, step 115 is performed; otherwise step 116 is performed.
  • Step 115: The media proxy device updates the source address and port of the media session entry, marks the session entry as learning completed, removes the string from the media packet, and forwards the media packet to terminal 2 through the softswitch according to the media session entry.
  • Step 116: The media proxy device discards the received media packet.
  • Because the media proxy device randomly generates a string as the authentication code during the signaling interaction and records it, and the peer carries that authentication code in its media packets, the media proxy device will not incorrectly update the media session entry even if it receives attack media packets before the first legitimate media packet arrives, so the service is not interrupted.
  • The authentication code may take other forms, such as a number. In this embodiment the string serving as the authentication code is carried in the 200 OK signaling; it can also be carried in other signaling, such as 180 Ring in SIP signaling.
  • An embodiment of the present invention further provides an apparatus for preventing a media agent from being attacked by a hacker. The apparatus includes a generation, recording and identification module, an adding module, a media packet sending module, and a media packet forwarding processing module.
  • The generation, recording and identification module is configured to randomly generate and record an authentication code, generate a media session entry, mark the status of the media session entry, and send the generated authentication code and the received call signaling to the adding module.
  • The adding module is configured to receive the authentication code and the call signaling sent by the generation, recording and identification module, add the received authentication code to the received call signaling, and send the call signaling with the added authentication code to the media packet sending module.
  • The media packet sending module is configured to receive the call signaling sent by the adding module, parse the authentication code from the received call signaling, and send a media packet containing the authentication code to the media packet forwarding processing module.
  • The media packet forwarding processing module is configured to receive the media packet sent by the media packet sending module, and to process the media packet and update the media session entry according to the authentication code in the media packet and the status of the media session entry marked by the generation, recording and identification module.
  • The generation, recording and identification module includes an allocation unit, a media session entry establishment unit, and a recording unit.
  • The allocation unit is configured to allocate an IP address and port for transmitting media packets according to the call signaling received by the generation, recording and identification module, and send the allocated IP address and port information to the media session entry establishment unit.
  • The media session entry establishment unit is configured to receive the IP address and port information sent by the allocation unit and establish a media session entry according to that IP address and port information.
  • The recording unit is configured to record the authentication code randomly generated by the generation, recording and identification module into the media session entry established by the media session entry establishment unit.
  • The media packet forwarding processing module includes a matching unit, a comparing unit, and an updating unit.
  • The matching unit is configured to match the IP address and port of the media packet against the IP address and port in the media session entry established by the media session entry establishment unit; if the match succeeds, it sends the media packet to the comparing unit, and if the match fails, it discards the received media packet.
  • The comparing unit is configured to receive the media packet sent by the matching unit and compare the authentication code in the media packet with the authentication code in the media session entry established by the media session entry establishment unit; if the two authentication codes are consistent, it sends a message for updating the media session entry to the updating unit, and if the two authentication codes are inconsistent, it discards the received media packet.
  • The updating unit is configured to receive the message sent by the comparing unit and update the media session entry established by the media session entry establishment unit.
  • Because the generation, recording and identification module randomly generates an authentication code during the signaling interaction and records it, and the media packet sending module carries the same authentication code in its media packets, the media proxy device does not erroneously update the media session entry even if it receives attack media packets before the first legitimate media packet arrives, and no service interruption is caused.
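As an added example (not code from the patent or from Huawei), the following Python model implements the media proxy side of steps 107 to 116 and the terminal's parsing of the code in step 108, then replays the FIG. 4 attack against it: packets to the public proxy address "Cc" that arrive before the first legitimate packet, with no code or with a guessed one, are discarded without touching the session entry. The SDP attribute carrying the code, the addresses and the packet structure are constructed assumptions.

```python
# Added illustration, not Huawei's code: the session-entry learning of steps
# 107-116 with the random authentication code. The SDP attribute name, the
# addresses and the packet structure are constructed assumptions.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]          # (IP address, port): "Cc" in the patent is ("C", c)
AUTH_ATTR = "a=x-auth-code:"    # assumed place for the code inside the 200 OK body


@dataclass
class SessionEntry:
    """Media session entry (Aa, Cc) <-> (Dd, Ff) in the patent's notation."""
    client_src: Addr         # Aa from the SDP; replaced by Bb (NAT public side) when learned
    proxy_client_side: Addr  # Cc, the proxy's public media address facing terminal 1
    proxy_server_side: Addr  # Dd
    server_side: Addr        # Ff
    auth_code: str           # random string recorded at step 107
    learned: bool = False    # "learning completed" flag set at step 115


@dataclass
class MediaPacket:
    src: Addr
    dst: Addr
    payload: bytes
    auth_code: Optional[str] = None  # carried by terminal 1 until learning completes


class MediaProxy:
    def __init__(self) -> None:
        self.sessions: Dict[Addr, SessionEntry] = {}          # keyed by Cc
        self.forwarded: List[Tuple[Addr, Addr, bytes]] = []  # (Dd, Ff, payload)

    def on_200_ok(self, sdp_body: str, sdp_client: Addr, proxy_client: Addr,
                  proxy_server: Addr, server: Addr) -> str:
        """Step 107: generate and record a random code, create the session entry
        in the not-learned state, and return the 200 OK body with the code added."""
        code = secrets.token_hex(16)  # 128 random bits: not guessable by port scanning
        self.sessions[proxy_client] = SessionEntry(sdp_client, proxy_client,
                                                   proxy_server, server, code)
        return sdp_body.rstrip("\n") + "\n" + AUTH_ATTR + code + "\n"

    def on_media_packet(self, pkt: MediaPacket) -> str:
        """Steps 110-116; returns a verdict string describing what was done."""
        entry = self.sessions.get(pkt.dst)                   # step 110: match dst addr/port
        if entry is None:
            return "discard: no session"                     # step 116
        if entry.learned:                                    # step 111 -> step 112
            self._forward(entry, pkt.payload)
            return "forward"
        if pkt.auth_code is None:                            # step 113 -> step 116
            return "discard: no auth code"
        if not secrets.compare_digest(pkt.auth_code, entry.auth_code):  # step 114
            return "discard: auth code mismatch"             # step 116
        entry.client_src = pkt.src                           # step 115: learn Bb
        entry.learned = True
        self._forward(entry, pkt.payload)
        return "learned+forward"

    def _forward(self, entry: SessionEntry, payload: bytes) -> None:
        # Only the payload goes on towards terminal 2; the code is stripped (steps 112/115).
        self.forwarded.append((entry.proxy_server_side, entry.server_side, payload))


def terminal_parse_code(sdp_body: str) -> Optional[str]:
    """Step 108: terminal 1 parses and saves the code from the received 200 OK."""
    for line in sdp_body.splitlines():
        if line.startswith(AUTH_ATTR):
            return line[len(AUTH_ATTR):].strip()
    return None


def run_scenario() -> Dict[str, object]:
    """Constructed replay of the FIG. 4 attack against the protected proxy."""
    A, B, C = ("A", 40000), ("B", 41000), ("C", 5004)
    D, F, H = ("D", 5006), ("F", 6000), ("H", 1234)
    proxy = MediaProxy()
    ok_body = proxy.on_200_ok("v=0\nc=IN IP4 A\nm=audio 40000 RTP/AVP 0", A, C, D, F)
    code = terminal_parse_code(ok_body)
    # The hacker probes Cc before the first legitimate packet, without a code and with a guess.
    no_code = proxy.on_media_packet(MediaPacket(H, C, b"junk"))
    guess = proxy.on_media_packet(MediaPacket(H, C, b"junk", auth_code="0" * 32))
    src_after_attack = proxy.sessions[C].client_src
    # Terminal 1's first packet arrives through the NAT with source Bb and the real code.
    legit = proxy.on_media_packet(MediaPacket(B, C, b"rtp-frame-1", auth_code=code))
    nxt = proxy.on_media_packet(MediaPacket(B, C, b"rtp-frame-2"))
    return {"hacker_no_code": no_code, "hacker_guess": guess,
            "src_after_attack": src_after_attack, "legit": legit, "next": nxt,
            "learned_src": proxy.sessions[C].client_src,
            "forwarded": [payload for _, _, payload in proxy.forwarded]}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

Note that, as the patent describes, step 110 matches on destination address and port only, so once learning is completed packets to "Cc" are forwarded by step 112 without a further source check.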

Abstract

A method and a system for preventing a media agent from hacker attack belong to the field of network information security. The method includes: the media agent device receives a call instruction, randomly generates an authentication code and records it, marks the state of the media session entry, appends the authentication code to the call instruction and transmits it; the terminal receives the call instruction, parses the authentication code from it, and sends a media message carrying the authentication code; the media agent device receives the media message, then processes it and updates the media session entry according to the authentication code and the marked state of the media session entry. Hacker attacks are thereby prevented effectively.

Description

Specification: A method and apparatus for preventing a media agent from being attacked by a hacker

[1] Technical field

[2] The present invention relates to the field of network information security, and in particular to a method and apparatus for preventing a media agent from being attacked by a hacker.

[3] Background of the invention

[4] With the growing maturity of IP (Internet Protocol) technology, Next Generation Network (NGN) technology, which has softswitch and IP packet switching technology at its core, has become one of the hottest topics in the industry because of its broad application prospects and its ability to meet people's diverse and personalized service needs. The Session Border Controller (SBC), as a signaling proxy and media proxy device, is one of the important devices in an NGN. Its functions mainly comprise the signaling proxy and the media proxy:

[5] 1. Signaling Proxy (SP)

[6] As shown in Figure 1, to NGN terminal 1 the SBC can be regarded as the softswitch system: the user's registration and call messages are sent to the SBC first, and the SBC performs signaling processing on the received messages before forwarding them to the core softswitch system. At the same time, the SBC can be regarded as a user of the core softswitch system: the core softswitch system first sends the request to call the called party to the SBC, and the SBC forwards the request to the real called user after signaling processing. In general, an SBC can support the proxy function for one or more of SIP (Session Initiation Protocol), H.323, MGCP (Media Gateway Control Protocol), H.248 and other protocols. Since the SBC participates in the entire process, it can obtain the corresponding detailed information such as user registration and calls.

[7] 2. Media Proxy (MP)

[8] While acting as a signaling proxy, the SBC can also proxy media streams. Figure 2 is a schematic diagram of the transmission of the signaling stream (dashed line) and the media stream (solid line). All media streams between the users proxied by the SBC and the outside world need to be processed and forwarded by the SBC. When a user under the SBC is the calling party, the called party that the calling user sees comes from the SBC; when a user under the SBC is the called party, the called address that the calling user sees is the address of the SBC.

Clients in home and enterprise networks are usually located behind the customer-premises NAT/firewall, which creates a problem for the signaling and media streams that need to be delivered to the client, because the NAT/firewall is "opened" only for outgoing data flows, and sessions flowing in towards the client are usually blocked. Since the private IP address and port inserted by the client device in the payload of the IP packet cannot correspond to the public IP address and port after NAT translation, the NAT device obstructs two-way voice and multimedia communication.

The SBC full-proxy technique can solve the above private-network NAT/firewall traversal problem. Its principle is as follows. As shown in Figure 3, assume that the IP address of terminal 1 is "A", the IP address of the NAT is "B", the media address on the client side of the SBC is "C", the media address on the server side of the SBC is "D", the address of the server is "E", and the IP address of terminal 2 is "F". After the signaling interaction is completed, the SBC creates a media session entry (Aa, Cc) <-> (Dd, Ff) according to the SDP (Session Description Protocol) information. After the first media packet sent by terminal 1 or terminal 2 reaches the SBC, the SBC learns the session entry as (Bb, Cc) <-> (Dd, Ff).

However, with the existing proxy technique, if the SBC media proxy is attacked by a hacker before the first media packet arrives, the SBC media proxy learns a wrong entry and the service becomes unavailable. Figure 4 shows the principle of a hacker attacking the SBC media proxy: suppose the source IP address chosen by the hacker is "H". Before the first media packet arrives, because the IP address "C" of the SBC media proxy is publicly known, the hacker can use port scanning to make the media session entry of the SBC media proxy device be updated to the source address and port chosen by the hacker, that is, (Aa, Cc) <-> (Dd, Ff) is updated to (Hh, Cc) <-> (Dd, Ff), which makes the service unavailable.

Summary of the invention

In order to solve the problem that the media proxy device may be attacked by a hacker before the first legitimate media packet arrives, causing service interruption, an embodiment of the present invention provides a method for preventing a media agent from being attacked by a hacker. The method includes:

the media proxy device receives call signaling, randomly generates and records an authentication code, adds the authentication code to the call signaling, and forwards the call signaling;

[14] the media proxy device receives a media packet sent by a terminal, and after determining that the media session entry needs to be learned and that the authentication code carried in the media packet matches the recorded authentication code, updates the media session entry according to the media packet.

[15] An embodiment of the present invention further provides an apparatus for preventing a media agent from being attacked by a hacker. The apparatus includes:

[16] a generation, recording and identification module, configured to randomly generate and record an authentication code after receiving call signaling, and to output the generated authentication code and the received call signaling;

[17] an adding module, configured to receive the authentication code and the call signaling sent by the generation, recording and identification module, add the received authentication code to the received call signaling, and output the call signaling with the added authentication code;

[18] a media packet sending module, configured to receive the call signaling sent by the adding module, parse the authentication code from the received call signaling, and send a media packet containing the authentication code;

[19] a media packet forwarding processing module, configured to receive the media packet sent by the media packet sending module, and after determining that the media session entry needs to be learned and that the authentication code carried in the media packet matches the recorded authentication code, update the media session entry according to the media packet.

[20] An embodiment of the present invention further provides a media proxy device. The media proxy device includes:

[21] a generation, recording and identification module, configured to randomly generate and record an authentication code after receiving call signaling, and to output the generated authentication code and the received call signaling;

[22] an adding module, configured to receive the authentication code and the call signaling sent by the generation, recording and identification module, add the received authentication code to the received call signaling, and send the call signaling with the added authentication code to the terminal;

[23] a media packet forwarding processing module, configured to receive a media packet sent by the terminal, and after determining that the media session entry needs to be learned and that the authentication code carried in the media packet matches the recorded authentication code, update the media session entry according to the media packet.

[24] An embodiment of the present invention further provides a terminal device. The terminal device includes:

[25] a media packet sending module, configured to receive call signaling sent by the media proxy device, parse the authentication code from the received call signaling, and send a media packet containing the authentication code to the media proxy device.

[26] Because the embodiment of the present invention randomly generates an authentication code on the media proxy device, records that authentication code, and at the same time carries that authentication code in the media packets, the media proxy device will not erroneously update the media session entry and cause service interruption even if it receives attack media packets before the first legitimate media packet arrives.

[27] Brief Description of the Drawings

[28] FIG. 1 is a schematic diagram of typical networking of an SBC in an NGN network in the prior art;

[29] FIG. 2 is a schematic diagram of the principle by which an SBC media proxy relays media streams and signaling streams in the prior art;

[30] FIG. 3 is a schematic diagram of the principle of media packet transmission through an SBC media proxy in the prior art;

[31] FIG. 4 is a schematic diagram of the principle of a hacker attack on an SBC media proxy in the prior art;

[32] FIG. 5 is a flowchart of a method for preventing a media proxy from being attacked by a hacker according to an embodiment of the present invention;

[33] FIG. 6 is a schematic diagram of the signaling interaction according to an embodiment of the present invention;

[34] FIG. 7 is a schematic structural diagram of an apparatus for preventing a media proxy from being attacked by a hacker according to an embodiment of the present invention.

[35] Mode for Carrying Out the Invention

[36] The present invention is further described below with reference to the drawings and specific embodiments, which are not to be construed as limiting the invention.

[37] Embodiment

[38] An embodiment of the present invention provides a method for preventing a media proxy from being attacked by a hacker. The signaling interaction involved is shown in FIG. 6 and the flow of the method in FIG. 5. The method comprises the following steps:

Step 101: Terminal 1 sends an INVITE signaling message to the NAT firewall (step 1 in FIG. 6), and the NAT firewall forwards the INVITE to the media proxy device (step 2 in FIG. 6).

Step 102: On receiving the INVITE, the media proxy device rewrites the signaling IP address carried in it, allocates an IP address and port on its upstream interface for carrying the media packets, and forwards the INVITE to terminal 2 through the softswitch (steps 3 and 4 in FIG. 6).

[41] Step 103: On receiving the INVITE, terminal 2 sends a 180 Ringing signaling message to the softswitch, and the softswitch forwards the 180 Ringing to the media proxy device (steps 5 and 6 in FIG. 6).

[42] Step 104: The media proxy device forwards the received 180 Ringing to terminal 1 through the NAT firewall (steps 7 and 8 in FIG. 6).

[43] Step 105: Terminal 1 receives the 180 Ringing.

[44] Step 106: Terminal 2 sends a 200 OK signaling message to the softswitch, and the softswitch forwards the 200 OK to the media proxy device (steps 9 and 10 in FIG. 6).

Step 107: On receiving the 200 OK, the media proxy device randomly generates a character string to serve as the authentication code, records the string, adds it to the 200 OK, and forwards the 200 OK to terminal 1 through the NAT firewall (steps 11 and 12 in FIG. 6).

[46] In addition to the operations of this step, on receiving the 200 OK the media proxy device also rewrites the signaling IP address carried in it, allocates an IP address and port on its downstream interface for carrying the media packets, creates a media session entry for the media packets, and marks that entry as not yet learned.

[47] Step 108: On receiving the 200 OK, terminal 1 parses the character string serving as the authentication code out of the 200 OK, stores it, and sends an acknowledgement to the NAT firewall; the NAT firewall forwards the acknowledgement to terminal 2 through the media proxy device and the softswitch (steps 13, 14, 15 and 16 in FIG. 6).

[48] At this point the signaling interaction that establishes the session between terminal 1 and terminal 2 is complete.

[49] The following steps describe the exchange of media packets between terminal 1 and terminal 2.

[50] Step 109: Terminal 1 sends a media packet carrying the character string that serves as the authentication code to the NAT firewall, and the NAT firewall forwards the media packet carrying the string to the media proxy device.

[51] Step 110: On receiving the media packet carrying the string, the media proxy device matches the destination address and port of the media packet against the destination address and port recorded in its media session entries. If a match is found, go to step 111; otherwise go to step 116.

[52] Step 111: The media proxy device checks whether learning of the matched media session entry is complete. If it is, go to step 112; otherwise go to step 113.

[53] Step 112: The media proxy device removes the string from the media packet and forwards the media packet to terminal 2 through the softswitch according to the media session entry.

[54] Step 113: The media proxy device checks whether the received media packet carries a string. If it does not, go to step 116; otherwise go to step 114.

[55] Step 114: The media proxy device compares the string in the media packet with the string recorded in the media session entry. If the two strings are identical, go to step 115; otherwise go to step 116.

[56] Step 115: The media proxy device updates the source address and port of the media session entry, marks the entry as learned, removes the string from the media packet, and forwards the media packet to terminal 2 through the softswitch according to the media session entry.

[57] Step 116: The media proxy device discards the received media packet.
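The following is an added example that models steps 107 to 116 in code; it is not code from the patent or from Huawei. The patent does not say how the string is carried, so the example assumes a 16-character hexadecimal code placed in a hypothetical SIP header `X-Media-Auth` and prefixed by the terminal to the payload of every media packet, which the proxy strips before forwarding. A `LegacyProxy` that latches onto whichever packet arrives first is included to show the prior-art behaviour of FIG. 4 beside the authenticated latch; the addresses and the 200 OK are constructed sample data.

```python
"""Authenticated media-session latching (steps 107-116), beside the prior-art latch.

Assumptions not made by the patent text: the code is a 16-hex-char string sent in a
hypothetical "X-Media-Auth" SIP header and prefixed to every media payload.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]
AUTH_HEADER = "X-Media-Auth"   # assumed header name
AUTH_LEN = 16                  # assumed code length in bytes


@dataclass
class SessionEntry:
    dest: Addr                  # IP/port the proxy allocated for terminal 1's media
    auth_code: bytes            # random code recorded at step 107
    learned: bool = False       # "learning complete" flag, False at creation
    src: Optional[Addr] = None  # source IP/port learned at step 115


class LegacyProxy:
    """Prior art (FIG. 4): latch onto the first packet that hits the allocated port."""

    def __init__(self) -> None:
        self.table: Dict[Addr, SessionEntry] = {}

    def allocate(self, dest: Addr) -> None:
        self.table[dest] = SessionEntry(dest=dest, auth_code=b"")

    def on_media(self, src: Addr, dest: Addr) -> str:
        entry = self.table.get(dest)
        if entry is None:
            return "drop"
        if not entry.learned:          # whoever arrives first owns the entry
            entry.src, entry.learned = src, True
        return "forward"


class AuthProxy:
    """Media proxy of the embodiment: latch only on a packet carrying the code."""

    def __init__(self) -> None:
        self.table: Dict[Addr, SessionEntry] = {}
        self.forwarded: List[bytes] = []   # payloads relayed towards terminal 2

    def on_200_ok(self, dest: Addr, sip_200_ok: str) -> str:
        """Step 107: generate and record the code, create an unlearned entry,
        return the 200 OK with the code added as a header."""
        code = secrets.token_hex(AUTH_LEN // 2)
        self.table[dest] = SessionEntry(dest=dest, auth_code=code.encode())
        head, sep, body = sip_200_ok.partition("\r\n\r\n")
        return f"{head}\r\n{AUTH_HEADER}: {code}{sep}{body}"

    def on_media(self, src: Addr, dest: Addr, payload: bytes) -> str:
        """Steps 110-116; returns 'forward' or 'drop'."""
        entry = self.table.get(dest)
        if entry is None:                                  # step 110 -> 116
            return "drop"
        if entry.learned:                                  # step 111 -> 112
            self.forwarded.append(self._strip(entry, payload))
            return "forward"
        if len(payload) < AUTH_LEN:                        # step 113: no code present
            return "drop"
        # step 114: constant-time compare so a guessing attacker learns nothing from timing
        if not secrets.compare_digest(payload[:AUTH_LEN], entry.auth_code):
            return "drop"
        entry.src, entry.learned = src, True               # step 115
        self.forwarded.append(payload[AUTH_LEN:])
        return "forward"

    @staticmethod
    def _strip(entry: SessionEntry, payload: bytes) -> bytes:
        return payload[AUTH_LEN:] if payload.startswith(entry.auth_code) else payload


def terminal_parse_auth(sip_msg: str) -> Optional[str]:
    """Step 108: terminal 1 reads the code back out of the 200 OK."""
    for line in sip_msg.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == AUTH_HEADER.lower():
            return value.strip()
    return None


def terminal_media(code: str, rtp: bytes) -> bytes:
    """Step 109: terminal 1 carries the code in each media packet."""
    return code.encode() + rtp


def scenario() -> dict:
    """Constructed race: forged packets reach the proxy before terminal 1's first one."""
    dest, victim, attacker = ("203.0.113.10", 20000), ("192.0.2.5", 5004), ("198.51.100.7", 4444)
    ok_200 = "SIP/2.0 200 OK\r\nCall-ID: demo-1\r\n\r\nv=0\r\n"      # constructed sample

    legacy = LegacyProxy()
    legacy.allocate(dest)
    legacy.on_media(attacker, dest)                 # prior art: the attacker gets latched

    proxy = AuthProxy()
    code = terminal_parse_auth(proxy.on_200_ok(dest, ok_200))
    forged = proxy.on_media(attacker, dest, b"\x80\x00" + secrets.token_bytes(30))
    guessed = proxy.on_media(attacker, dest, b"0" * AUTH_LEN + b"\x80\x00")
    still_unlearned = not proxy.table[dest].learned
    legit = proxy.on_media(victim, dest, terminal_media(code, b"\x80\x00RTP1"))
    return {"legacy_src": legacy.table[dest].src, "forged": forged, "guessed": guessed,
            "still_unlearned": still_unlearned, "legit": legit,
            "learned_src": proxy.table[dest].src, "relayed": proxy.forwarded[-1]}


if __name__ == "__main__":
    print(scenario())
```

Two points the flow above leaves to the implementer. First, once the entry is marked learned, steps 111 and 112 forward any packet that matches the destination address and port regardless of its source, so the code protects only the latch itself; a deployment would normally also pin the learned source address and port. Second, the code is only as secret as the signaling path it travels on: the attacker the patent defends against is one who blindly races the first media packet, not one who can read the 200 OK.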

[58] In this embodiment, because the media proxy device randomly generates a character string as the authentication code during the signaling interaction, records it, and the same code is carried in the media packets, the media proxy device will not incorrectly update the media session entry, and the service will not be interrupted, even if it is attacked with media packets before the first packet of the legitimate media stream arrives. The authentication code need not be a character string; it may take other forms, for example a number. In this embodiment the string is carried in the 200 OK, but it may also be carried in other signaling, such as the 180 Ringing in SIP. The technical solution of the embodiments is suitable not only for implementation on an SBC but also on other devices that provide both signaling proxy and media proxy functions.

[59] Referring to FIG. 7, an embodiment of the present invention further provides an apparatus for preventing a media proxy from being attacked by a hacker. The apparatus comprises a generation-and-recording module, an adding module, a media packet sending module and a media packet forwarding processing module.

[60] The generation-and-recording module is configured to randomly generate and record an authentication code upon receipt of call signaling, create a media session entry, mark the state of the media session entry, and send the generated authentication code and the received call signaling to the adding module.

[61] The adding module is configured to receive the authentication code and call signaling sent by the generation-and-recording module, add the received authentication code to the received call signaling, and send the call signaling carrying the authentication code to the media packet sending module.

[62] The media packet sending module is configured to receive the call signaling sent by the adding module, parse the authentication code out of it, and send a media packet carrying the authentication code to the media packet forwarding processing module.

[63] The media packet forwarding processing module is configured to receive the media packet sent by the media packet sending module, and to process the media packet and update the media session entry according to the authentication code in the media packet and the state of the media session entry marked by the generation-and-recording module.

[64] The generation-and-recording module comprises an allocation unit, a media session entry creation unit and a recording unit.

[65] The allocation unit is configured to allocate the IP address and port for carrying media packets according to the call signaling received by the generation-and-recording module, and to send the allocated IP address and port information to the media session entry creation unit.

[66] The media session entry creation unit is configured to receive the IP address and port information sent by the allocation unit and to create a media session entry from that IP address and port information.

[67] The recording unit is configured to record the authentication code randomly generated by the generation-and-recording module in the media session entry created by the media session entry creation unit.

[68] The media packet forwarding processing module comprises a matching unit, an updating unit and a comparing unit.

[69] The matching unit is configured to match the IP address and port of the media packet against the IP address and port in the media session entry created by the media session entry creation unit; if they match, it passes the media packet to the comparing unit, otherwise it discards the received media packet.

[70] The comparing unit is configured to receive the media packet passed by the matching unit and compare the authentication code in the media packet with the authentication code in the media session entry created by the media session entry creation unit; if the two codes are identical, it sends the updating unit a message to update the media session entry, otherwise it discards the received media packet.

[71] The updating unit is configured to receive the message sent by the comparing unit and update the media session entry created by the media session entry creation unit.

[72] In this embodiment, because the generation-and-recording module randomly generates an authentication code during the signaling interaction and records it, and the media packets sent by the media packet sending module carry the same code, the media proxy device will not incorrectly update the media session entry, and the service will not be interrupted, even if it receives a hacker's media packets before the first packet of the legitimate media stream arrives.

[73] The embodiments described above are merely preferred embodiments of the present invention; ordinary variations and substitutions made by those skilled in the art within the scope of the technical solution of the present invention fall within the protection scope of the present invention.

Claims

[1] 1. A method for preventing a media proxy from being attacked by a hacker, comprising:
a media proxy device receiving call signaling, randomly generating and recording an authentication code, adding the authentication code to the call signaling and forwarding the call signaling;
the media proxy device receiving a media packet sent by a terminal and, after determining that a media session entry needs to be learned and that the authentication code carried in the media packet matches the recorded authentication code, updating the media session entry according to the media packet.

[2] 2. The method for preventing a media proxy from being attacked by a hacker according to claim 1, wherein the media proxy device records the authentication code in a media session entry created according to the call signaling, and marks the media session entry as not yet learned.

[3] 3. The method for preventing a media proxy from being attacked by a hacker according to claim 2, wherein determining that the media session entry needs to be learned comprises:
the media proxy device matching the destination IP address and port of the received media packet against the destination IP address and port recorded in the media session entry;
when the match succeeds and the matched media session entry is marked as not yet learned, determining that the media session entry needs to be learned.

[4] 4. The method for preventing a media proxy from being attacked by a hacker according to claim 3, further comprising:
when the destination IP address and port of the media packet match the destination IP address and port recorded in the media session entry and the matched media session entry is marked as learned, the media proxy device removing the authentication code from the media packet and forwarding the media packet according to the matched media session entry.

[5] 5. The method for preventing a media proxy from being attacked by a hacker according to claim 1, wherein updating the media session entry comprises the media proxy device updating the source address and port in the media session entry.

[6] 6. An apparatus for preventing a media proxy from being attacked by a hacker, comprising:
a generation-and-recording module, configured to randomly generate and record an authentication code upon receipt of call signaling, and to output the generated authentication code and the received call signaling;
an adding module, configured to receive the authentication code and call signaling sent by the generation-and-recording module, add the received authentication code to the received call signaling, and output the call signaling carrying the authentication code;
a media packet sending module, configured to receive the call signaling sent by the adding module, parse the authentication code out of the received call signaling, and send a media packet carrying the authentication code;
a media packet forwarding processing module, configured to receive the media packet sent by the media packet sending module and, after determining that a media session entry needs to be learned and that the authentication code carried in the media packet matches the recorded authentication code, update the media session entry according to the media packet.

[7] 7. The apparatus for preventing a media proxy from being attacked by a hacker according to claim 6, wherein the generation-and-recording module comprises:
an allocation unit, configured to allocate an IP address and port for carrying media packets according to the call signaling, and to output the allocated IP address and port information;
a media session entry creation unit, configured to receive the IP address and port information sent by the allocation unit and create a media session entry from it;
a recording unit, configured to record the randomly generated authentication code in the media session entry created by the media session entry creation unit.

[8] 8. The apparatus for preventing a media proxy from being attacked by a hacker according to claim 7, wherein the media packet forwarding processing module comprises:
a matching unit, configured to match the IP address and port of the media packet against the IP address and port in the media session entry, pass the media packet to the comparing unit if they match, and discard the received media packet otherwise;
a comparing unit, configured to receive the media packet passed by the matching unit, compare the authentication code in the media packet with the authentication code in the matched media session entry, send the updating unit a message to update the media session entry if the two codes are identical, and discard the received media packet otherwise;
an updating unit, configured to receive the message sent by the comparing unit and update the media session entry created by the media session entry creation unit.

[9] 9. A media proxy device, comprising:
a generation-and-recording module, configured to randomly generate and record an authentication code upon receipt of call signaling, and to output the generated authentication code and the received call signaling;
an adding module, configured to receive the authentication code and call signaling sent by the generation-and-recording module, add the received authentication code to the received call signaling, and send the call signaling carrying the authentication code to a terminal;
a media packet forwarding processing module, configured to receive a media packet sent by the terminal and, after determining that a media session entry needs to be learned and that the authentication code carried in the media packet matches the recorded authentication code, update the media session entry according to the media packet.

[10] 10. A terminal device, comprising:
a media packet sending module, configured to receive call signaling sent by a media proxy device, parse the authentication code out of the received call signaling, and send a media packet carrying the authentication code to the media proxy device.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNA2007100028774A CN101013937A (en) 2007-02-08 2007-02-08 Method and apparatus for preventing media proxy from hacker attack
CN200710002877.4 2007-02-08

Publications (1)

Publication Number Publication Date
WO2008095430A1 true WO2008095430A1 (en) 2008-08-14

Family

ID=38701245

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070151 Ceased WO2008095430A1 (en) 2007-02-08 2008-01-21 A method and a system for preventing a media agency from hacker attacking

Country Status (2)

Country Link
CN (1) CN101013937A (en)
WO (1) WO2008095430A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101013937A (en) * 2007-02-08 2007-08-08 华为技术有限公司 Method and apparatus for preventing media proxy from hacker attack
US20130215897A1 (en) * 2010-07-26 2013-08-22 David Warren Mitigation of detected patterns in a network device
US9342709B2 (en) 2010-10-27 2016-05-17 Hewlett-Packard Enterprise Development LP Pattern detection
CN102752291B (en) * 2012-06-21 2016-04-27 深圳市共进电子股份有限公司 The data processing method of a kind of ALG and RTSP service system
CN103916305A (en) * 2012-12-31 2014-07-09 北京新媒传信科技有限公司 Method and terminal for transmitting instant communication message
CN109510821B (en) * 2018-11-07 2021-02-26 杭州迪普科技股份有限公司 Message processing method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002017181A1 (en) * 2000-08-22 2002-02-28 Payperfect Pte Ltd. Electronic payment methods
JP2002142260A (en) * 2000-11-01 2002-05-17 Toshiba Corp Authentication system in station service system
CN1633100A (en) * 2003-12-24 2005-06-29 华为技术有限公司 Method of multimedia service NAT traversing and system thereof
JP2006277028A (en) * 2005-03-28 2006-10-12 Nec Corp User registration method and proxy authentication system using biometric information
CN1863194A (en) * 2005-05-13 2006-11-15 中兴通讯股份有限公司 An Improved IP Multimedia Subsystem Authentication and Key Agreement Method
CN101013937A (en) * 2007-02-08 2007-08-08 华为技术有限公司 Method and apparatus for preventing media proxy from hacker attack


Also Published As

Publication number Publication date
CN101013937A (en) 2007-08-08


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08700808

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08700808

Country of ref document: EP

Kind code of ref document: A1