CN101119376A - Method and network appliance for preventing IPv6 packet attack - Google Patents

Publication number: CN101119376A
Authority: CN (China)
Prior art keywords: message, route, ipv6, address, type
Legal status: Granted; Expired - Fee Related
Application number: CNA2007101218193A
Other languages: Chinese (zh)
Other versions: CN101119376B (en)
Inventor: 刘经伦
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a network device for preventing IPv6 packet attacks. The method comprises: receiving an IPv6 packet with a type 0 routing header and judging, according to the addresses in the packet's type 0 routing header, whether the packet satisfies a preset route repetition condition; if it does, the packet is determined to be an IPv6 attack packet, the destination address of the attack packet is replaced with the last IPv6 address in its type 0 routing header, and the remaining hop count in the attack packet is set to 0, so that the attack packet is forwarded directly to the final destination node corresponding to the last IPv6 address in the type 0 routing header. The invention prevents IPv6 packets from being forwarded repeatedly over the same route, and also allows IPv6 packets that are not intended as attacks, sent by the same source node, to be forwarded normally, which improves the accuracy of preventing IPv6 packet attacks.

Description

Method and network device for preventing IPv6 packet attacks
Technical field
The present invention relates to the field of Internet Protocol technology, and in particular to a method and a network device for preventing IPv6 packet attacks.
Background
IPv4 defines strict source routing and loose source routing. IPv6 provides a similar function: the routing extension header of an IPv6 packet defines two kinds of routing header, type 0 and type 2. In the type 0 routing header of an IPv6 packet, the source node lists the addresses of the specific nodes that the packet must pass through on its way to the destination node. These specific nodes may be all of the nodes on the packet's path, or only some of them.
Fig. 1 is a schematic diagram of the format of an IPv6 packet with a type 0 routing header. As shown in Fig. 1, the IPv6 packet consists mainly of two parts: the IPv6 basic header and the IPv6 payload.
The IPv6 basic header contains fields such as version, next header, source address and destination address. The version field indicates whether the packet is an IPv4 packet or an IPv6 packet: a value of 4 indicates IPv4 and a value of 6 indicates IPv6. The next header field identifies the header that follows the IPv6 basic header; a value of 43 indicates that the next header is a routing header. The source address is the address of the source node that originated the packet, and the destination address is the address of the packet's next hop.
The IPv6 payload mainly contains the routing header. The option part of the routing header contains a type field, a remaining hop count field and a data field. The type field indicates the type of the routing header: a value of 0 indicates a type 0 routing header and a value of 1 indicates a type 1 routing header. The remaining hop count field gives the number of specific nodes the packet still has to pass through before it reaches the final destination node. The data field carries the content of the type 0 routing header, that is, the addresses of the specific nodes the packet must pass through to reach the final destination, such as IPv6 address [1], IPv6 address [2], and so on; the last IPv6 address is the address of the packet's final destination node.
Fig. 2 is a flow chart of the existing procedure for forwarding an IPv6 packet with a type 0 routing header. As shown in Fig. 2, the steps are as follows:
Step 201: The source node constructs a type 0 routing header in the IPv6 packet. The type 0 routing header contains the addresses of the specific nodes the packet must pass through to reach the final destination node. The source node sets the remaining hop count to the total number of specific nodes and sets the destination address of the basic header to the address of the packet's first hop.
Step 202: The source node sends the IPv6 packet.
Step 203: The IPv6 packet arrives at a node, and the node checks whether the destination address in the basic header is its own address. If so, go to step 205; otherwise, go to step 204.
Step 204: The node forwards the IPv6 packet directly; go to step 203.
Step 205: The node checks the next header field in the basic header, finds that its value is 43, and determines that the IPv6 packet has a routing header.
Step 206: The node checks the option part of the packet's routing header, finds that the type field is 0, and determines that the IPv6 packet has a type 0 routing header.
Step 207: The node checks whether the remaining hop count in the option part of the routing header is 0. If so, go to step 208; otherwise, go to step 209.
Step 208: The node determines that it is the final destination node of the IPv6 packet and processes the content that follows the routing header; the procedure ends.
Step 209: From the total number of addresses in the type 0 routing header and the remaining hop count, the node determines the address of the next specific node the packet must pass through, replaces the destination address in the IPv6 basic header with that address, decrements the remaining hop count by 1, and forwards the IPv6 packet; go to step 203.
Steps 203 to 209 show that only the packet's must-pass nodes, that is, the first hop of the originated packet and the specific nodes corresponding to the addresses in the type 0 routing header, process the packet's routing header; other intermediate nodes ignore it.
Take Fig. 1 as an example. When the source node sends the constructed IPv6 packet, the packet first arrives at the node corresponding to the destination address in the basic header, 3000::2. That node finds that the destination address in the basic header is its own address and that the next header after the basic header is a routing header. It then checks the type field in the option part of the routing header and determines that the packet has a type 0 routing header. Next it checks the remaining hop count field, finds that the remaining hop count is 6, and determines that it is not the final destination node. Based on the total number of addresses in the type 0 routing header (6) and the remaining hop count (6), it replaces the destination address 3000::2 in the basic header with IPv6 address [1], 3000::3, sets the remaining hop count to 5, and forwards the packet. This continues until the packet reaches the final destination node corresponding to 3000::8.
An IPv6 packet with a type 0 routing header can reach its final destination node only after passing, in order, through the specific node corresponding to each address in the type 0 routing header. Attackers often exploit this property to craft IPv6 attack packets. A typical IPv6 attack packet repeats addresses in the type 0 routing header. As shown in Fig. 3, the addresses 3000::3 and 3000::4 are filled into the type 0 routing header repeatedly, so the packet is sent to one or more addresses many times: here it travels back and forth between 3000::3 and 3000::4, consuming network bandwidth and the CPU resources of network devices. A type 0 routing header can hold at most 255 addresses, so sending a single IPv6 attack packet with a type 0 routing header can cause network devices to process that packet up to 255 times.
The existing method of preventing illegal IPv6 packet attacks is to configure ACL rules on nodes. The ACL rules list the addresses of untrusted sources, so that all IPv6 packets from untrusted sources are filtered out. The drawback of this method is that it cannot finely distinguish attack packets from non-attack packets, so its accuracy in preventing illegal IPv6 packet attacks is low: once a source has been identified as untrusted, any IPv6 packet it sends is filtered, even one that is not intended as an attack.
Summary of the invention
The present invention provides a method and a network device for preventing IPv6 packet attacks, in order to improve the accuracy of preventing IPv6 packet attacks.
The technical solution of the present invention is implemented as follows:
A method for preventing IPv6 packet attacks, the method comprising:
A node receives an IPv6 packet with a type 0 routing header and, according to the addresses in the packet's type 0 routing header, judges whether the packet satisfies a preset route repetition condition. If it does, the packet is determined to be an attack packet; the node replaces the destination address of the attack packet with the last IPv6 address in the attack packet's type 0 routing header, sets the remaining hop count in the attack packet to 0, and forwards the attack packet directly to the final destination node corresponding to the last IPv6 address in the type 0 routing header.
The preset route repetition condition is: among all the addresses in the type 0 routing header, one address is repeated more than a times;
or, among all the addresses in the type 0 routing header, b addresses are repeated more than c times;
or, within a preset address range of the type 0 routing header, one address is repeated more than d times;
or, within a preset address range of the type 0 routing header, e addresses are repeated more than f times;
where a, b, c, d, e and f are preset constants.
The node judging whether the packet satisfies the preset route repetition condition comprises:
After determining that it is a must-pass node of the packet, the node judges whether the remaining hop count in the packet is 0. If so, it determines that the packet has arrived at the final destination node and the procedure ends; otherwise, it judges whether the packet satisfies the preset route repetition condition.
A network device for preventing IPv6 packet attacks, the network device comprising:
A packet receiving module, which receives an IPv6 packet with a type 0 routing header and, on determining that this network device is a must-pass node of the packet, sends the packet to the route repetition detection module;
A route repetition detection module, which receives the IPv6 packet and, if it detects from the addresses in the packet's type 0 routing header that the packet satisfies the preset route repetition condition, determines that the packet is an attack packet and sends a route repetition indication and the IPv6 packet to the forwarding processing module;
A forwarding processing module, which receives the route repetition indication and the IPv6 packet, replaces the destination address of the packet with the last IPv6 address in the packet's type 0 routing header, sets the remaining hop count in the packet to 0, and forwards the packet.
The packet receiving module comprises:
A must-pass node detection module, which receives the IPv6 packet and, if it detects that the packet's destination address is the address of this network device, sends the packet to the type 0 routing header detection module; otherwise, it forwards the packet to the next node;
A type 0 routing header detection module, which receives the IPv6 packet and, if it detects that the next header field in the packet's basic header indicates a routing header and that the type field in the routing header indicates type 0, sends the packet to the remaining hop count detection module;
A remaining hop count detection module, which receives the IPv6 packet and, if it detects that the remaining hop count is 0, determines that the packet has arrived at the final destination node; otherwise, it sends the IPv6 packet to the route repetition detection module.
Compared with the prior art, when a node receives an IPv6 packet with a type 0 routing header, the present invention judges from the addresses in the packet's type 0 routing header whether the packet satisfies the route repetition condition. If it does, the packet is determined to be an IPv6 attack packet, the last IPv6 address in the attack packet's type 0 routing header is used as the attack packet's destination address, and the remaining hop count of the attack packet is set to 0, so that the IPv6 attack packet is sent directly to the final destination node. This prevents the IPv6 attack packet from being forwarded repeatedly over the same route, while IPv6 packets that are not intended as attacks, sent by the same source node that sent the IPv6 attack packet, can still be forwarded normally, which improves the accuracy of preventing IPv6 packet attacks.
Description of drawings
Fig. 1 is a schematic diagram of an IPv6 packet with a type 0 routing header;
Fig. 2 is a flow chart of the existing procedure for forwarding an IPv6 packet with a type 0 routing header;
Fig. 3 is a schematic diagram of an IPv6 attack packet with a type 0 routing header;
Fig. 4 is a flow chart of preventing IPv6 packet attacks according to an embodiment of the invention;
Fig. 5 is a structural diagram of a network device for preventing IPv6 packet attacks according to an embodiment of the invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 4 is a flow chart of preventing IPv6 packet attacks according to an embodiment of the invention. As shown in Fig. 4, the steps are as follows:
Step 401: The source node constructs a type 0 routing header in the IPv6 packet. The routing header contains the addresses of the specific nodes the packet must pass through to reach the final destination node. The source node sets the remaining hop count to the total number of specific nodes and sets the destination address of the basic header to the address of the packet's first hop.
Step 402: The source node sends the IPv6 packet.
Step 403: The IPv6 packet arrives at a node, and the node checks whether the destination address in the basic header is its own address. If so, go to step 405; otherwise, go to step 404.
Step 404: The node forwards the packet directly by next-hop address; go to step 403.
Step 405: The node checks the next header field in the basic header, finds that its value is 43, and determines that the IPv6 packet has a routing header.
Step 406: The node checks the option part of the packet's routing header, finds that the type field is 0, and determines that the packet has a type 0 routing header.
Step 407: The node checks whether the remaining hop count in the option part of the routing header is 0. If so, go to step 408; otherwise, go to step 409.
Step 408: The node determines that it is the final destination node of the IPv6 packet and processes the content that follows the routing header; the procedure ends.
Step 409: The node judges, according to the addresses in the type 0 routing header, whether the IPv6 packet satisfies the preset route repetition condition. If so, go to step 410; otherwise, go to step 411.
There are many kinds of route repetition: only some of the addresses in the type 0 routing header may be repeated, or all of the addresses may be identical. The route repetition condition can be set according to how nodes are deployed in the network and according to experience. It can be set so that the route is considered repeated as soon as one address among all the addresses in the type 0 routing header occurs more than a times; or so that the route is considered repeated when b addresses among all the addresses in the type 0 routing header occur more than c times; or so that the route is considered repeated as soon as one address within a preset address range of the type 0 routing header occurs more than d times, for example when one address among IPv6 address [1] to IPv6 address [10] of the type 0 routing header occurs more than 2 times; or so that the route is considered repeated when e addresses within a preset address range of the type 0 routing header occur more than f times; and so on. The constants a, b, c, d, e and f and the preset range can be set according to the deployment of the network nodes and according to experience.
Step 410: The node replaces the destination address in the basic header of the IPv6 packet with the last address in the packet's type 0 routing header, sets the remaining hop count in the option part of the routing header to 0, and forwards the IPv6 packet so that it is sent directly to the final destination node; go to step 403.
Step 411: From the remaining hop count and the total number of addresses in the type 0 routing header, the node determines the address of the next specific node the packet must pass through, replaces the destination address in the IPv6 basic header with that address, decrements the remaining hop count by 1, and then forwards the IPv6 packet by next-hop address; go to step 403.
The embodiment shown in Fig. 4 shows that when a must-pass node of an IPv6 packet detects that the packet satisfies the route repetition condition, it directly uses the last address in the packet's type 0 routing header as the destination address in the basic header and sets the remaining hop count to 0. The IPv6 packet is then forwarded directly to the final destination node, which prevents it from being forwarded repeatedly over a route. The method provided by this embodiment is also independent of the source that sent the IPv6 packet: even if a source has previously sent an IPv6 attack packet, IPv6 packets that it sends later and that are not intended as attacks are still forwarded normally.
The node in the embodiment shown in Fig. 4 generally refers to a network device with routing or switching functions, such as a router or a switch.
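The per-node handling of steps 403 to 411, run over byte-level packets, as an added example that is not part of the patent text. The function names, the source address 3000::1, the threshold a=2 and the two sample packets (modelled on Fig. 1 and Fig. 3) are assumptions constructed here; only the first route repetition condition is implemented.

```python
import ipaddress
import struct
from collections import Counter

NH_ROUTING = 43   # next header value meaning "routing header" (step 405)
BASIC_LEN = 40    # length of the IPv6 basic header; destination is bytes 24..39

def build_packet(dst, route_addrs, src="3000::1"):
    """Constructed sample: basic header + type 0 routing header, no payload."""
    n = len(route_addrs)
    # next header 59 (none), length in 8-byte units, type 0, remaining hops, reserved
    rh = struct.pack("!BBBB4x", 59, 2 * n, 0, n)
    rh += b"".join(ipaddress.IPv6Address(a).packed for a in route_addrs)
    basic = struct.pack("!IHBB", 6 << 28, len(rh), NH_ROUTING, 64)
    return (basic + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + rh)

def parse_rh0(pkt):
    """Return (dst, remaining, addrs), or None if this is not a valid RH0 packet."""
    if len(pkt) < BASIC_LEN + 8:
        return None
    vtf, _plen, nh, _hlim = struct.unpack_from("!IHBB", pkt, 0)
    _next, ext_len, rtype, remaining = struct.unpack_from("!BBBB", pkt, BASIC_LEN)
    if vtf >> 28 != 6 or nh != NH_ROUTING or rtype != 0 or ext_len % 2:
        return None
    n, base = ext_len // 2, BASIC_LEN + 8
    if remaining > n or len(pkt) < base + 16 * n:
        return None   # malformed: never index past the address list
    addrs = [ipaddress.IPv6Address(pkt[base + 16 * i: base + 16 * (i + 1)])
             for i in range(n)]
    return ipaddress.IPv6Address(pkt[24:40]), remaining, addrs

def route_repeats(addrs, a=2):
    """First condition in the text: one address occurs more than `a` times."""
    return any(count > a for count in Counter(addrs).values())

def process_at_node(pkt, self_addr, a=2, mitigate=True):
    """Steps 403-411 at one node; returns (action, packet)."""
    parsed = parse_rh0(pkt)
    if parsed is None:
        return "other", pkt                       # no RH0: outside this flow
    dst, remaining, addrs = parsed
    if dst != ipaddress.IPv6Address(self_addr):
        return "forward", pkt                     # step 404: not a must-pass node
    if remaining == 0:
        return "deliver", pkt                     # step 408: final destination
    if mitigate and route_repeats(addrs, a):      # steps 409-410
        action, new_dst, new_remaining = "shortcut", addrs[-1], 0
    else:                                         # step 411
        action = "forward"
        new_dst, new_remaining = addrs[len(addrs) - remaining], remaining - 1
    out = bytearray(pkt)
    out[24:40] = new_dst.packed                   # rewrite basic-header destination
    out[BASIC_LEN + 3] = new_remaining            # rewrite remaining hop count
    return action, bytes(out)

def must_pass_visits(pkt, a=2, mitigate=True):
    """Addresses of the nodes that process the routing header, in order."""
    visits = []
    while True:
        here = str(ipaddress.IPv6Address(pkt[24:40]))   # node owning the destination
        visits.append(here)
        action, pkt = process_at_node(pkt, here, a, mitigate)
        if action in ("deliver", "other"):
            return visits

# Constructed samples modelled on Fig. 1 (normal) and Fig. 3 (repeated addresses).
NORMAL = build_packet("3000::2", [f"3000::{i}" for i in range(3, 9)])
ATTACK = build_packet("3000::3", ["3000::4", "3000::3"] * 3 + ["3000::8"])

if __name__ == "__main__":
    print(len(must_pass_visits(NORMAL)), must_pass_visits(ATTACK, mitigate=False))
    print(must_pass_visits(ATTACK))
```

With `mitigate=False` the repeated-address sample is processed eight times by must-pass nodes; with the check enabled it is processed twice, and the normal sample is handled identically either way. RFC 5095 has since deprecated type 0 routing headers, so current IPv6 stacks discard such packets rather than shortcut them.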
Fig. 5 is a structural diagram of a network device for preventing IPv6 packet attacks according to an embodiment of the invention. As shown in Fig. 5, it mainly comprises a packet receiving module 51, a route repetition detection module 52 and a forwarding processing module 53. The packet receiving module 51 consists of a must-pass node detection module 511, a type 0 routing header detection module 512 and a remaining hop count detection module 513. The functions of the modules are as follows:
Must-pass node detection module 511: receives IPv6 packets sent by other nodes. If it detects that a packet's destination address is the address of this network device, it sends the packet to the type 0 routing header detection module 512; otherwise, it forwards the packet directly to the next node by next-hop address.
Type 0 routing header detection module 512: receives the IPv6 packet sent by the must-pass node detection module 511. If it detects that the next header field in the packet's basic header indicates a routing header and that the type field in the option part of the routing header indicates type 0, it sends the packet to the remaining hop count detection module 513.
Remaining hop count detection module 513: receives the IPv6 packet sent by the type 0 routing header detection module 512. If it detects that the remaining hop count in the option part of the packet's routing header is 0, it determines that this network device is the packet's final destination node and processes the content that follows the routing header; otherwise, it sends the IPv6 packet to the route repetition detection module 52.
Route repetition detection module 52: receives the IPv6 packet sent by the remaining hop count detection module 513 and judges, according to the addresses in the packet's type 0 routing header, whether the IPv6 packet satisfies the preset route repetition condition. If it does, the module sends a route repetition indication and the IPv6 packet to the forwarding processing module 53; if it does not, the module sends only the IPv6 packet to the forwarding processing module 53.
Forwarding processing module 53: on receiving both the route repetition indication and the IPv6 packet from the route repetition detection module 52, it replaces the destination address in the basic header with the last address in the packet's type 0 routing header, sets the remaining hop count in the packet to 0, and forwards the packet so that it goes directly to the final destination node. On receiving only the IPv6 packet from the route repetition detection module 52, it uses the remaining hop count in the IPv6 packet and the total number of addresses in the type 0 routing header to select, in order, an address from the type 0 routing header to replace the destination address in the basic header, decrements the remaining hop count by 1, and then forwards the packet by next-hop address.
The above are only process and method embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (5)

1. A method for preventing IPv6 packet attacks, characterized in that the method comprises:
A node receives an IPv6 packet with a type 0 routing header and, according to the addresses in the packet's type 0 routing header, judges whether the packet satisfies a preset route repetition condition. If it does, the packet is determined to be an attack packet; the node replaces the destination address of the attack packet with the last IPv6 address in the attack packet's type 0 routing header, sets the remaining hop count in the attack packet to 0, and forwards the attack packet directly to the final destination node corresponding to the last IPv6 address in the type 0 routing header.
2. The method of claim 1, characterized in that the preset route repetition condition is: among all the addresses in the type 0 routing header, one address is repeated more than a times;
or, among all the addresses in the type 0 routing header, b addresses are repeated more than c times;
or, within a preset address range of the type 0 routing header, one address is repeated more than d times;
or, within a preset address range of the type 0 routing header, e addresses are repeated more than f times;
where a, b, c, d, e and f are preset constants.
3. The method of claim 1, characterized in that the node judging whether the packet satisfies the preset route repetition condition comprises:
After determining that it is a must-pass node of the packet, the node judges whether the remaining hop count in the packet is 0. If so, it determines that the packet has arrived at the final destination node and the procedure ends; otherwise, it judges whether the packet satisfies the preset route repetition condition.
4. A network device for preventing IPv6 packet attacks, characterized in that the network device comprises:
A packet receiving module, which receives an IPv6 packet with a type 0 routing header and, on determining that this network device is a must-pass node of the packet, sends the packet to the route repetition detection module;
A route repetition detection module, which receives the IPv6 packet and, if it detects from the addresses in the packet's type 0 routing header that the packet satisfies the preset route repetition condition, determines that the packet is an attack packet and sends a route repetition indication and the IPv6 packet to the forwarding processing module;
A forwarding processing module, which receives the route repetition indication and the IPv6 packet, replaces the destination address of the packet with the last IPv6 address in the packet's type 0 routing header, sets the remaining hop count in the packet to 0, and forwards the packet.
5. The network device of claim 4, characterized in that the packet receiving module comprises:
A must-pass node detection module, which receives the IPv6 packet and, if it detects that the packet's destination address is the address of this network device, sends the packet to the type 0 routing header detection module; otherwise, it forwards the packet to the next node;
A type 0 routing header detection module, which receives the IPv6 packet and, if it detects that the next header field in the packet's basic header indicates a routing header and that the type field in the routing header indicates type 0, sends the packet to the remaining hop count detection module;
A remaining hop count detection module, which receives the IPv6 packet and, if it detects that the remaining hop count is 0, determines that the packet has arrived at the final destination node; otherwise, it sends the IPv6 packet to the route repetition detection module.

Priority Applications (1)

Application Number, Priority Date, Filing Date, Title
CN2007101218193A, 2007-09-14, 2007-09-14, Method and network appliance for preventing IPv6 packet attack (Expired - Fee Related, CN101119376B (en))

Publications (2)

Publication Number, Publication Date
CN101119376A (en), 2008-02-06
CN101119376B (en), 2010-06-16


Legal Events

Code, Title, Description
C06, Publication
PB01, Publication
C10, Entry into substantive examination
SE01, Entry into force of request for substantive examination
C14, Grant of patent or utility model
GR01, Patent grant
CP03, Change of name, title or address
  Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
  Patentee after: Xinhua three Technology Co., Ltd.
  Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base
  Patentee before: Huasan Communication Technology Co., Ltd.
CF01, Termination of patent right due to non-payment of annual fee
  Granted publication date: 20100616
  Termination date: 20200914