Research on Network Penetration Technology

Research of Network Penetrating Technique

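[Author] 彭乐 (Peng Le)

[Advisor] 王春露 (Wang Chunlu)

[Author information] Beijing University of Posts and Telecommunications, Computer Science and Technology, 2008, Master's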

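[Abstract (from the Chinese)] With the rapid development of networks, firewalls, intrusion detection/prevention systems (IDS/IPS) and similar systems are widely deployed to detect and defend against various attacks. However, network penetration technology combines proxy technology, encrypted tunnel and P2P technology, anonymous communication technology and other techniques. It can easily break through existing security devices to access illegal websites and to deliver attack code and covert data to a target host, which greatly disrupts and degrades the network environment and threatens the information security of individuals, enterprises and the nation. Research on network penetration technology therefore has important academic significance, social significance and practical value, and is also highly challenging.

This thesis first analyzes the principles of the proxy, encrypted tunnel and anonymous communication technologies commonly used in network penetration, and on that basis examines the common tools Privoxy, Stunnel and TOR in detail. Building on this, the penetrating proxy system PROProxy is designed and implemented. The system uses the currently popular anonymity system TOR as its platform for anonymous communication with the outside, implements mutual conversion between HTTP and SOCKS5 proxy modules, and solves the problem that resolving domain names locally may leak the address of the server being visited. In addition, SSL authentication is implemented with the OPENSSL library, making up for TOR's current lack of support for authentication; encrypted communication is implemented with the Crypto++ library, ensuring security between the sender and the trusted proxy in the anonymous system architecture. Comparative testing shows that PROProxy runs stably, performs well, and can successfully penetrate the network.

Secondly, this thesis studies the penetration system from the forward direction in order to understand and master penetration technology more deeply, and thereby to design and implement a filtering system that defends against penetration. To this end, we successfully introduce the concept of data stream management into the management and filtering of penetration data flows, and design and implement the filtering system DSFS. After protocol analysis, packet classification, flow reassembly and signature matching on captured packets, the system can query, gather statistics on and filter network flows in real time; its performance is stable and it runs well. Finally, the thesis summarizes the work and gives an outlook on future research into penetration technology.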

【Abstract】 With the rapid development of networks, firewalls and IDS/IPS are widely adopted to detect and protect against various network attacks. However, network penetrating technology, which integrates proxy technology, encrypted tunnel and P2P technology, etc., is now popular. It can easily penetrate current security devices, and so can easily access illegal websites and deliver attack code and private data to a destination host. This damages the network environment and threatens the information security of individuals, companies and the nation. Research on network penetrating technology therefore has important academic meaning, social significance and practical value, and is very challenging.

Firstly, this paper analyzes and researches popular tools such as Privoxy, Stunnel and TOR; then a penetrating proxy system called PROProxy is designed and implemented. This system uses TOR as the platform to communicate anonymously with the outside, implements mutual conversion between HTTP and SOCKS5 proxy modules, and solves the problem of local DNS resolution leaking the address of the server being visited. In addition, SSL authentication is implemented with the OPENSSL library, which makes up for TOR's lack of support for authentication; encrypted communication is implemented with the Crypto++ library, which ensures security between the sender and the trusted proxy in the anonymous system. The test results show that PROProxy is stable, performs well, and can penetrate network security devices successfully.

Secondly, this paper studies the penetrating system from the forward direction, aiming to comprehend and master penetrating techniques in order to design and implement a filtering system that protects against penetration. Thus, we successfully bring the data flow management concept to the penetrating system, and design and implement the filtering system DSFS. This system can query and filter network behavior online; it includes packet capturing, packet classification, flow reassembly, pattern matching, and so on. The system runs well and is stable.

Finally, this paper summarizes all the work and points out future research on penetrating technology.

  • [Classification number] TP393.08
  • [Times cited] 1
  • [Downloads] 376