CN101945117A - Method and equipment for preventing source address spoofing attack - Google Patents


Info

Publication number: CN101945117A
Authority: CN (China)
Application number: CN2010102948439A
Other languages: Chinese (zh)
Inventor: 林涛
Current assignee: Hangzhou H3C Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and equipment for preventing a source address spoofing attack. The method comprises the following steps: the equipment performs a URPF (Unicast Reverse Path Forwarding) check on a received packet; if the check result is legal, it forwards the packet; if the check result is illegal, it searches the route raw database of the equipment for routes corresponding to the source IP (Internet Protocol) address of the packet. When the outgoing interface of any of the found routes is consistent with the incoming interface of the packet, the packet is forwarded according to its destination IP address; if no corresponding route is found, or the outgoing interfaces of all found routes are inconsistent with the incoming interface, the packet is discarded. The invention avoids the false packet discards caused by using the URPF technique to prevent source address spoofing attacks.

Description

Method and apparatus for preventing source address spoofing attacks
Technical field
The present invention relates to the field of communications, and in particular to a method and apparatus for preventing source address spoofing attacks.
Background technology
A source address spoofing attack is a way for an attacker to attack network devices by sending packets with a forged source address. For devices that authenticate by IP address, this attack can let an unauthorized user gain access to the system under someone else's identity, or even with administrator privileges; even when the response packets never reach the attacker, the attacked target can still be damaged. As shown in Fig. 1, the attacker's device Router A forges packets with source address 2.2.2.1/8 and sends requests to the server Router B; when Router B responds, it sends packets to device C according to the packet's source address 2.2.2.1/8. These invalid packets therefore attack both Router B and Router C.
To prevent source address spoofing attacks, the prior art uses the URPF (Unicast Reverse Path Forwarding) technique. When a device judges a packet illegal according to URPF, it discards the packet. URPF takes the source address and the incoming interface of the packet, looks up the source address as a destination address in the forwarding table, and checks whether the outgoing interface found for that destination matches the incoming interface. If they do not match, the source address is considered forged (illegal) and the packet is discarded. When the outgoing interface of the destination and the incoming interface do not match, URPF can further check whether the incoming interface matches an ACL (Access Control List); if the ACL matches, the packet continues to be forwarded normally (such packets are called packets suppressed from being discarded); if the ACL does not match, the packet is an invalid packet and is discarded. In this way URPF effectively guards the network against malicious attacks carried out by modifying the source address.
If all routes are symmetric, that is, the forward and return paths of a packet are the same, there is no problem in using the existing URPF technique to prevent source address spoofing attacks. But when the forward and return paths are inconsistent, the existing URPF technique wrongly discards packets and breaks network connectivity. In the network shown in Fig. 2, suppose the URPF function is enabled on all interfaces of all routers. Packets from PC1 to PC2 travel along PATH1: R1->R3->R4->R5->R2, and the return path is PATH2: R2->R8->R7->R6->R1; that is, on R1 the route to PC2 is forwarded out of Eth0/1 (interface 0/1). If R1 receives a packet from PC2 via R6, R1 looks up the packet's source IP address as a destination IP address in its forwarding table and obtains the outgoing interface Eth0/1, which differs from the packet's incoming interface Eth0/2, so R1 judges the packet to carry a forged source address and discards it. With the development of network applications, such asymmetric routing is more and more common; therefore, how to avoid the wrong packet discards caused by using the URPF technique to prevent source address spoofing attacks has become a problem demanding prompt solution.
Summary of the invention
The invention provides a method and apparatus for preventing source address spoofing attacks, which avoids the wrong packet discards caused by using the URPF technique to prevent such attacks.
The invention provides a method for preventing source address spoofing attacks, applied to a device that uses the Unicast Reverse Path Forwarding (URPF) technique to prevent source address spoofing attacks. The method comprises:
the device performs a URPF check on a received packet; when the check result is legal, it forwards the packet; when the check result is illegal, it searches the route raw database of the device for routes corresponding to the source IP address of the packet;
when the outgoing interface of any of the found routes is consistent with the incoming interface of the packet, it forwards the packet according to the destination IP address of the packet;
when no corresponding route is found, or the outgoing interfaces of all found routes are inconsistent with the incoming interface, it discards the packet.
When the outgoing interface of any of the found routes is consistent with the incoming interface of the packet, the method further comprises: setting a forwarding rule so that the URPF check result of the packet is legal.
Setting the forwarding rule so that the packet is judged legal according to the URPF technique comprises: setting the correspondence between the incoming interface and the source IP address in an access control list (ACL); or setting the correspondence between the source IP address and the incoming interface in the forwarding table, with the priority of the incoming interface set lower than the priority of the outgoing interface originally corresponding to the source IP address in the forwarding table.
When the outgoing interface of any of the found routes is consistent with the incoming interface of the packet, the method further comprises: notifying the downstream device that the packet is legal.
Notifying the downstream device that the packet is legal comprises: carrying a packet-legal flag in the extension header of the packet and forwarding the packet to the downstream device; or carrying the source IP address and a packet-legal flag in the extension header of an empty packet and sending it to the downstream device.
The method further comprises: after the device receives a packet legality notice sent by an upstream device, it forwards the corresponding packet according to the notice and sets a forwarding rule so that the URPF check result of the corresponding packet is legal.
After setting the forwarding rule so that the packet is judged legal according to the URPF technique, the method further comprises: obtaining the route index corresponding to the incoming interface and the source IP address in the route raw database, and storing the correspondence between that route index and the incoming interface and source IP address;
when the route corresponding to the incoming interface and the source IP address is deleted from the route raw database, looking up the corresponding IP address and interface according to the route index of the deleted route, and deleting the stored correspondence between the incoming interface and the source IP address from the ACL or the forwarding table.
When the route corresponding to the incoming interface and the source IP address is deleted from the route raw database, the method further comprises: looking up the corresponding IP address according to the route index of the deleted route, and notifying the downstream device to delete the forwarding rule corresponding to packets whose source IP address is the found IP address.
A device for preventing source address spoofing attacks, which uses the Unicast Reverse Path Forwarding (URPF) technique to prevent source address spoofing attacks, comprises:
a checking unit, configured to perform a URPF check on packets received by the device;
a searching unit, connected to the checking unit, configured to search the route raw database of the device for routes corresponding to the source IP address of the packet when the check result of the checking unit is that the packet is illegal;
a forwarding unit, connected to the checking unit and the searching unit, configured to forward the packet when the check result of the checking unit is that the packet is legal, and to forward the packet according to its destination IP address when the outgoing interface of any route found by the searching unit is consistent with the incoming interface of the packet;
a discarding unit, connected to the searching unit, configured to discard the packet when the searching unit finds no corresponding route or the outgoing interfaces of all found routes are inconsistent with the incoming interface.
The device further comprises a setting unit, connected to the searching unit, configured to set a forwarding rule so that the URPF check result of the packet is legal when the outgoing interface of any route found by the searching unit is consistent with the incoming interface of the packet.
The setting unit is specifically configured to:
set the correspondence between the incoming interface and the source IP address in an access control list (ACL); or set the correspondence between the source IP address and the incoming interface in the forwarding table, with the priority of the incoming interface set lower than the priority of the interface originally corresponding to the source IP address in the forwarding table.
The forwarding unit is further configured to notify the downstream device that the packet is legal.
The forwarding unit is specifically configured to: carry a packet-legal flag in the extension header of the packet and forward the packet to the downstream device; or carry the source IP address and a packet-legal flag in the extension header of an empty packet and send it to the downstream device.
The device further comprises:
a receiving unit, configured to receive packets and packet legality notices sent by an upstream device;
the forwarding unit is connected to the receiving unit and forwards the packet when it learns from the notice that the packet is a legal packet;
the setting unit is connected to the receiving unit and sets a forwarding rule so that the URPF check result of the packet is legal.
The device further comprises:
a storage unit, connected to the setting unit, configured to obtain the route index corresponding to the incoming interface and the source IP address in the route raw database and to store the correspondence between that route index and the incoming interface and source IP address;
a deleting unit, connected to the storage unit and the setting unit, configured to, when the route corresponding to the incoming interface and the source IP address is deleted from the route raw database, look up the corresponding IP address and interface according to the route index of the deleted route and delete the stored correspondence between the incoming interface and the source IP address from the ACL or the forwarding table.
The device further comprises a sending unit, connected to the storage unit, configured to look up the corresponding IP address according to the route index of the deleted route stored by the storage unit and to send a command to the downstream device notifying it to delete the forwarding rule corresponding to packets whose source IP address is the found IP address.
Compared with the prior art, the invention has at least the following advantages:
when the URPF check result of a packet received by the device is illegal, the device searches the route raw database for a route corresponding to the source IP address of the packet and thereby further judges the legality of the packet, so that a packet whose URPF check result is illegal but for which a corresponding route exists in the route raw database is forwarded normally, avoiding the wrong discard of the packet.
Description of drawings
Fig. 1 is a schematic diagram of a source address spoofing attack in the prior art;
Fig. 2 is a schematic diagram of a network scenario in which the URPF technique is used to prevent source address spoofing attacks in the prior art;
Fig. 3 is a flow chart of the method for preventing source address spoofing attacks provided by Embodiment one of the invention;
Fig. 4 is a flow chart of the method for preventing source address spoofing attacks provided by Embodiment two of the invention;
Fig. 5 and Fig. 6 are structural diagrams of the device for preventing source address spoofing attacks provided by Embodiment three of the invention.
Embodiment
To clearly describe the method for preventing source address spoofing attacks provided by the invention, the method is described in detail below with reference to different embodiments.
Embodiment one
Embodiment one of the invention provides a method for preventing source address spoofing attacks. The device uses the URPF technique to prevent source address spoofing attacks: it performs a URPF check on each received packet; when the check result is legal, it forwards the packet; when the check result is illegal, as shown in Fig. 3, the method comprises the following steps:
Step 301: search the route raw database of the device for routes corresponding to the source IP address of the packet. If the outgoing interface of any of the found routes is consistent with the incoming interface of the packet, execute step 302; if no corresponding route is found, or the outgoing interfaces of all found routes are inconsistent with the incoming interface of the packet, execute step 303.
When performing route learning, a device may learn several routes to the same IP address. In that case the device selects one optimal route among them to add to the forwarding table, and the other routes it learned are stored in the route raw database. In the embodiment of the invention, the routes stored in the route raw database are regarded as normally learned, so when the device judges a packet illegal according to the URPF technique, it further judges whether the packet is legal using the routes stored in the route raw database.
It should be noted that the route raw database can age and refresh the stored routes. The aging process may specifically be: set a time threshold for route storage, and a route is removed when the time it has been stored reaches the threshold.
Step 302: forward the packet according to its destination IP address.
The device searches the forwarding table for the route corresponding to the destination IP address of the packet and forwards the packet according to that route.
Step 303: discard the packet.
With reference to Fig. 2, after the method provided by this embodiment is applied: if R1 receives a packet from PC2 via R6, R1 looks up the source IP address of the packet as a destination IP address in the forwarding table and obtains the outgoing interface Eth0/1, which differs from the packet's incoming interface Eth0/2; R1 then searches its route raw database for a route corresponding to the source IP address of the packet and the interface Eth0/2. From the network topology in Fig. 2, R1 learns routes to the IP address of PC2 from both R3 and R6 during route learning, i.e. it learns two routes to the IP address of PC2. The route learned from R3 has the higher priority, so R1 adds the route learned from R3 (outgoing interface Eth0/1) to the forwarding table, but keeps the route learned from R6 (outgoing interface Eth0/2) in the route raw database. Therefore R1 finds in the route raw database the route learned from R6 that corresponds to the IP address of PC2; the outgoing interface of this route is Eth0/2, identical to the incoming interface of the packet, so R1 judges the packet normal and forwards it according to its destination IP address.
It should be noted that when the found interface is consistent with the incoming interface of the packet, the device, when forwarding the packet to the downstream device, may add a hop-by-hop extension header to the packet carrying a packet-legal flag. After receiving a packet carrying this extension header, the downstream device does not need to judge the legality of the packet again; it directly searches the forwarding table by the destination IP address of the packet and forwards it.
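The decision logic of steps 301 to 303 with the exception cache of step 401 (Embodiment two), as an added Python model that is not the patent's own code. The router holds every learned route in a RIB (the "route raw database") and only the preferred route per prefix in the FIB; the Fig. 2 topology of R1 is rebuilt with constructed addresses, since the patent gives none.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    out_iface: str
    preference: int  # lower value wins when several routes cover the same prefix


class Router:
    """Strict URPF with the route-raw-database fallback of steps 301-303 and the
    ACL exception cache of step 401. Constructed model, not the patent's code."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rib: List[Route] = []                # every learned route ("route raw database")
        self.fib: Dict[Net, Route] = {}           # only the preferred route per prefix
        self.acl: Set[Tuple[str, IPv4]] = set()   # (incoming iface, source IP) exceptions
        self.rib_lookups = 0                      # how often the fallback had to run

    def learn(self, route: Route) -> None:
        """Keep every route in the RIB; install only the best one in the FIB."""
        self.rib.append(route)
        best = self.fib.get(route.prefix)
        if best is None or route.preference < best.preference:
            self.fib[route.prefix] = route

    def _fib_lookup(self, addr: IPv4) -> Optional[Route]:
        hits = [r for p, r in self.fib.items() if addr in p]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, src: str, dst: str, in_iface: str) -> Optional[str]:
        """Return the outgoing interface for the packet, or None if it is discarded."""
        src_ip, dst_ip = IPv4(src), IPv4(dst)
        # Classic strict URPF: look the source up in the FIB as if it were a destination
        # and require the egress interface to equal the ingress interface.
        rev = self._fib_lookup(src_ip)
        legal = rev is not None and rev.out_iface == in_iface
        # Prior-art ACL exception: a cached (ingress, source) pair suppresses the drop.
        if not legal and (in_iface, src_ip) in self.acl:
            legal = True
        if not legal:
            # Step 301: any RIB route to the source that leaves via the ingress
            # interface shows the path is merely asymmetric, not spoofed.
            self.rib_lookups += 1
            if any(r.out_iface == in_iface for r in self.rib if src_ip in r.prefix):
                self.acl.add((in_iface, src_ip))  # step 401: cache, skip the RIB next time
                legal = True
        if not legal:
            return None                           # step 303
        fwd = self._fib_lookup(dst_ip)            # step 302
        return fwd.out_iface if fwd else None

    def age_out(self, route: Route) -> List[Tuple[str, IPv4]]:
        """Step 404: remove an aged RIB route, repair the FIB and drop the ACL
        exceptions that route justified. Returns the removed exceptions so the
        caller can notify its downstream devices."""
        self.rib.remove(route)
        remaining = [r for r in self.rib if r.prefix == route.prefix]
        if remaining:
            self.fib[route.prefix] = min(remaining, key=lambda r: r.preference)
        else:
            self.fib.pop(route.prefix, None)
        stale = sorted(e for e in self.acl
                       if e[0] == route.out_iface and e[1] in route.prefix)
        self.acl.difference_update(stale)
        return stale


def build_r1() -> Router:
    """R1 of Fig. 2 with constructed addresses: PC1 is on 10.1.0.0/24 behind
    Eth0/0; PC2 on 10.2.0.0/24 is reachable via R3 (Eth0/1, preferred) and
    via R6 (Eth0/2, kept in the RIB only)."""
    r1 = Router("R1")
    r1.learn(Route(Net("10.1.0.0/24"), "Eth0/0", 10))
    r1.learn(Route(Net("10.2.0.0/24"), "Eth0/1", 10))
    r1.learn(Route(Net("10.2.0.0/24"), "Eth0/2", 20))
    return r1


if __name__ == "__main__":
    r1 = build_r1()
    # Return traffic from PC2 arrives via R6 on Eth0/2: strict URPF fails, the
    # RIB fallback accepts it, and the packet leaves on Eth0/0 towards PC1.
    print(r1.forward("10.2.0.2", "10.1.0.1", "Eth0/2"))  # Eth0/0
    # A packet claiming PC2's address on an interface with no route to PC2 is dropped.
    print(r1.forward("10.2.0.2", "10.1.0.1", "Eth0/3"))  # None
```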
Embodiment two
Embodiment two of the invention provides a method for preventing source address spoofing attacks. On the basis of Embodiment one, to avoid the device repeatedly searching the route raw database for packets of the same data flow, when the outgoing interface of any route the device finds in the route raw database is consistent with the incoming interface of the packet, the device also stores the correspondence between the found IP address and interface.
The method provided by this embodiment is described below taking R7 in Fig. 2 as an example. Suppose that during route learning R7 learns the IP address A of PC2 from both R8 and R6; R7 judges the route from R6 to have the higher priority and stores the correspondence between address A and Eth0/1 in the forwarding table, while the route to PC2 learned from R8, whose outgoing interface is Eth0/2, is stored in the route raw database. As shown in Fig. 4, the method comprises the following steps:
Step 401: R7 receives a packet sent by R8 whose source IP address is address A, finds in the route raw database a route whose outgoing interface Eth0/2 is consistent with the incoming interface of the packet, and sets a forwarding rule so that packets whose source IP address is address A are judged legal according to the URPF technique.
Setting the forwarding rule so that the packet is judged legal according to the URPF technique comprises storing the correspondence between interface Eth0/2 and address A in an ACL or in the forwarding table. Specifically, R7 may set the correspondence between interface Eth0/2 and address A in the ACL. In the embodiment of the invention, after R7 has forwarded the first packet with source IP address A sent by R8, it still judges according to the URPF technique whether subsequently received packets are legal. When the interface Eth0/1 that R7 finds in the forwarding table for address A is inconsistent with the incoming interface Eth0/2 of the packet, R7 finds the match of address A and incoming interface Eth0/2 in the ACL, i.e. packets with source IP address A are allowed through on incoming interface Eth0/2, and forwards the packet according to its destination IP address.
R7 may also set the correspondence between address A and the incoming interface Eth0/2 of the packet in the forwarding table, with the priority of incoming interface Eth0/2 set lower than the priority of interface Eth0/1 originally corresponding to address A. When R7 subsequently receives a packet whose source IP address is address A, it finds in the forwarding table that the interfaces corresponding to address A include both the original interface Eth0/1 and the incoming interface Eth0/2 of the packet; R1 judges the packet legal and forwards it according to its destination IP address. When R7 sets the correspondence between address A and incoming interface Eth0/2 in the ACL or the forwarding table, it may, in order to ensure that subsequent packets of the same data flow as this packet are forwarded normally, set the correspondence between the five-tuple or seven-tuple information of the packet and incoming interface Eth0/2; the specific implementation is not limited by the invention.
When R1 receives a packet whose destination IP address is address A, R1 searches the forwarding table; because the priority of interface Eth0/2 is lower than the priority of interface Eth0/1, R1 forwards the packet through interface Eth0/1.
Step 402: R7 notifies the downstream device, by the forwarded packet and/or an empty packet, that packets whose source IP address is address A are legal, and the downstream device sets a forwarding rule so that packets with source IP address A are judged legal according to the URPF technique.
Specifically, when R7 notifies the downstream device through the forwarded packet that packets with source IP address A are legal, it needs to carry a packet-legal flag in the extension header of the forwarded packet; when R7 notifies the downstream device through an empty packet that packets with source IP address A are legal, it needs to carry the packet-legal flag and the source IP address A of the packet in the extension header of the empty packet.
R7 may use either or both of the forwarded packet and the empty packet to notify the downstream device that packets with source IP address A are legal. After a downstream device of R7 (for example R6 or R1) receives the forwarded packet, it judges the packet legal and forwards it according to its destination IP address. After a downstream device of R7 receives the empty packet, it stores the correspondence between the source IP address A carried in it and the interface on which the empty packet was received; when it subsequently receives a packet with source IP address A through that interface, it judges the packet legal and forwards it according to its destination IP address.
The downstream device of R7 may also set a forwarding rule so that packets with source IP address A are judged legal according to the URPF technique. The way of setting this forwarding rule is similar to that of R7: the correspondence between address A and interface Eth0/2 may be stored. Specifically, similar to step 401, the downstream device of R7 may also store the correspondence between interface Eth0/2 and address A in the ACL or in the forwarding table; for the specific manner, refer to step 401.
Step 403: R1 receives the packet from PC2 sent by R6, deletes the extension header of the packet, and forwards the packet to PC1 according to its destination IP address.
Step 404: when the route corresponding to address A and interface Eth0/2 is removed from the route raw database of R7, R7 deletes the stored correspondence between address A and interface Eth0/2 from the ACL or the forwarding table, and notifies the downstream devices of R7 to delete the forwarding rule corresponding to packets with source IP address A.
Specifically, in the embodiment of the invention, after R7 stores the correspondence between address A and interface Eth0/2 in the ACL or the forwarding table, R7 also obtains the route index corresponding to interface Eth0/2 and address A in the route raw database and creates a data flow table storing the correspondence between this route index, Eth0/2 and address A. When the route corresponding to address A and interface Eth0/2 is removed from the route raw database, R7 looks up the corresponding entry in the data flow table according to the route index of that route, obtains the correspondence between Eth0/2 and address A, and then deletes the stored correspondence between address A and interface Eth0/2 from the ACL or the forwarding table.
The data flow table may store only the correspondence between the route index, the incoming interface (Eth0/2) and the source IP address (the IP address of PC2); it may also store the correspondence between the destination IP address (the IP address of PC1) and the destination interface (Eth0/1). An example data flow table is shown in Table 1, which stores the correspondence between the source IP address (the IP address of PC2), the incoming interface Eth0/2 of the packet, the destination IP address (the IP address of PC1), the destination interface Eth0/1 and the route index.
Table 1
Source IP address | Incoming interface | Destination IP address | Destination interface | Route index
IP address of PC2 | Eth0/2             | IP address of PC1      | Eth0/1                | RT2
Step 405: after the downstream device of R7 receives the notice to delete the forwarding rule corresponding to packets with source IP address A, it deletes the forwarding rule it had set for packets with source IP address A.
Specifically, the downstream device of R7 deletes the stored correspondence between address A and interface Eth0/2 from the ACL or the forwarding table.
It should be noted that the formats of the extension headers of the forwarded packet and the empty packet provided in the embodiment of the invention may be adjusted flexibly according to actual needs; they only need to carry the information mentioned in the above embodiments. To introduce the method provided by this embodiment more clearly, an Option format for the extension header is given below:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
|  Option Type  | Opt Data Len  |  Option Data
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
Option Type (type) is 8 bits, and the type is set to 200; Opt Data Len (data length) is 8 bits and indicates the length of the option data. Option Data (data) is extended using TLVs and can record a rule command word (add or delete), route authentication information, source address information and destination address information. Specifically, the content of Option Data comprises:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
|     Type      |    Length     |     Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
Type occupies 8 bits. Type=1 indicates that the content of Option Data is the rule command word; Type=2 indicates that the content of Option Data is route authentication information; Type=3 indicates that the content of Option Data is source address information; Type=4 indicates that the content of Option Data is destination address information. When Type is 1: if Value=1, the device stores the correspondence between the source address and the interface on which the packet was received in the ACL or the forwarding table; if Value=0, the device deletes the correspondence between the source address and the interface on which the packet was received from the ACL or the forwarding table.
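An encoder and parser for the Option format above, plus the receiving side that applies the Type=1 add/delete command to its ACL, as an added Python example that is not the patent's own code. The widths of Option Type, Opt Data Len and TLV Type come from the text; the TLV Length field is assumed here to be 8 bits, and the source address TLV is assumed to carry a packed 4-byte IPv4 address.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Set, Tuple

OPTION_TYPE = 200                                  # Option Type value fixed by the text
T_COMMAND, T_ROUTE_AUTH, T_SRC_ADDR, T_DST_ADDR = 1, 2, 3, 4
CMD_ADD, CMD_DELETE = 1, 0                         # Value of the Type=1 rule command word


def encode_option(tlvs: List[Tuple[int, bytes]]) -> bytes:
    """Option Type (8 bits) | Opt Data Len (8 bits) | TLVs.
    The TLV Length field is assumed to be 8 bits (the text fixes only the Type width)."""
    data = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in tlvs)
    if len(data) > 255:
        raise ValueError("option data exceeds the 8-bit length field")
    return struct.pack("!BB", OPTION_TYPE, len(data)) + data


def decode_option(buf: bytes) -> Dict[int, bytes]:
    """Parse one option into {Type: Value}; reject truncated or duplicated TLVs."""
    if len(buf) < 2 or buf[0] != OPTION_TYPE:
        raise ValueError("not the rule option")
    data = buf[2:2 + buf[1]]
    if len(data) != buf[1]:
        raise ValueError("option truncated")
    tlvs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("TLV header truncated")
        t, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("TLV value truncated")
        if t in tlvs:
            raise ValueError("duplicate TLV type %d" % t)
        tlvs[t] = value
        pos += 2 + length
    return tlvs


def is_rejected(buf: bytes) -> bool:
    """True when the parser refuses the buffer (used to check malformed input)."""
    try:
        decode_option(buf)
    except ValueError:
        return True
    return False


def build_notice(command: int, src: str, dst: Optional[str] = None) -> bytes:
    """Option R7 would place in the empty packet of step 402 (add) or step 404 (delete)."""
    tlvs = [(T_COMMAND, bytes([command])),
            (T_SRC_ADDR, ipaddress.IPv4Address(src).packed)]
    if dst is not None:
        tlvs.append((T_DST_ADDR, ipaddress.IPv4Address(dst).packed))
    return encode_option(tlvs)


class DownstreamDevice:
    """Receiving side: applies the command to an ACL of (interface, source) pairs,
    keyed by the interface the notice arrived on, as step 402 describes."""

    def __init__(self) -> None:
        self.acl: Set[Tuple[str, str]] = set()

    def handle_notice(self, option: bytes, in_iface: str) -> Tuple[str, str]:
        tlvs = decode_option(option)
        if T_COMMAND not in tlvs or T_SRC_ADDR not in tlvs:
            raise ValueError("notice lacks the command word or the source address")
        if len(tlvs[T_COMMAND]) != 1:
            raise ValueError("bad command word length")
        src = str(ipaddress.IPv4Address(tlvs[T_SRC_ADDR]))  # raises on a non-4-byte value
        entry = (in_iface, src)
        cmd = tlvs[T_COMMAND][0]
        if cmd == CMD_ADD:
            self.acl.add(entry)        # Value=1: store source/interface correspondence
        elif cmd == CMD_DELETE:
            self.acl.discard(entry)    # Value=0: delete it again
        else:
            raise ValueError("unknown command word %d" % cmd)
        return entry


if __name__ == "__main__":
    # Constructed sample: R7 tells R6 that source 10.2.0.2 (PC2) is legal, then revokes it.
    r6 = DownstreamDevice()
    print(r6.handle_notice(build_notice(CMD_ADD, "10.2.0.2"), "Eth0/1"), r6.acl)
    r6.handle_notice(build_notice(CMD_DELETE, "10.2.0.2"), "Eth0/1")
    print(r6.acl)
```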
By adopting the method provided by the above embodiments of the invention, when the URPF check result of a packet received by the device is illegal, the device searches the route raw database for a route corresponding to the source IP address of the packet and thereby further judges the legality of the packet, so that a packet whose URPF check result is illegal but for which a corresponding route exists in the route raw database is forwarded normally, avoiding the wrong discard of the packet.
Embodiment three
The embodiment of the invention three provides a kind of equipment that prevents that source address spoofing from attacking, and uses reversal path of unicast to transmit the URPF technology and prevents the source address spoofing attack, and as shown in Figure 5, this equipment comprises:
Inspection unit 10, the message that is used for that described equipment is received carry out URPF and check;
Search unit 11, be connected, be used for check result when described inspection unit 10 and be described message when illegal, in the route raw data base of equipment, search the route corresponding with the source IP address of described message with described inspection unit 10;
Retransmission unit 12, with described inspection unit 10 with search unit 11 and be connected, be used for check result when described inspection unit 10 and be described message when legal, transmit described message; When the described outgoing interface of searching arbitrary route in the route that unit 11 finds is consistent with the incoming interface of described message, transmit described message according to the purpose IP address of described message;
Discarding unit 13 is connected with the described unit 11 of searching, and is used for searching that unit 11 does not find corresponding route or the outgoing interface of all routes of finding or the interface that finds and described incoming interface when inconsistent when described, abandons described message.
As shown in Figure 6, the device further comprises a setting unit 14, connected to search unit 11, used to set a forwarding rule so that the URPF check result for the message becomes legal when the outgoing interface of any route found by search unit 11 is consistent with the incoming interface of the message. Specifically, setting unit 14 is used to: set the correspondence between the incoming interface and the source IP address in an access control list (ACL); or set the correspondence between the source IP address and the incoming interface in the forwarding table, with the priority of the incoming interface set lower than the priority of the interface originally corresponding to the source IP address.
Forwarding unit 12 is also used to notify the downstream device that the message is legal. Specifically, forwarding unit 12 carries a message-legal flag in the extension header of the message and forwards the message to the downstream device; or it carries the source IP address and a message-legal flag in the extension header of an empty message and sends that to the downstream device.
The device further comprises:
Receiving unit 15, used to receive messages and message-legal notices sent by the upstream device; for example, a message whose extension header carries a message-legal flag, or an empty message whose extension header carries a message-legal flag and a source IP address, sent by the upstream device;
Forwarding unit 12 is connected to receiving unit 15 and is used to forward the message when it learns from the notice that the message is legal;
Setting unit 14 is also connected to receiving unit 15 and is used to set a forwarding rule so that the URPF check result for the message becomes legal. Specifically, setting unit 14 sets in the ACL the correspondence between the interface on which the message was received and the source IP address of the message; or it sets in the forwarding table the correspondence between the interface on which the message was received and the source IP address, with the priority of the receiving interface set lower than the priority of the interface originally corresponding to the source IP address.
The device further comprises:
Storage unit 16, connected to setting unit 14, used to obtain the routing index, in the raw route database, of the route corresponding to the incoming interface and the source IP address, and to store the correspondence between that routing index and the incoming interface and source IP address;
Deletion unit 17, connected to storage unit 16 and setting unit 14, used, when the route corresponding to the incoming interface and the source IP address is deleted from the raw route database, to look up the corresponding IP address and interface by the routing index of the deleted route and to delete the stored correspondence between the incoming interface and the source IP address from the ACL or the forwarding table.
Transmitting unit 18, also connected to storage unit 16, used to look up the corresponding IP address by the routing index of the deleted route stored in storage unit 16 and to send a command to the downstream device notifying it to delete the forwarding rule for messages whose source IP address is the address found.
With the device provided by the embodiment of the present invention, when the URPF check result for a message received by the device is illegal, the device searches the raw route database for the routes corresponding to the message's source IP address and thereby judges the legitimacy of the message further, so that a message whose URPF check result is illegal but which has a corresponding route in the raw route database is forwarded normally; the erroneous discarding of such messages is thus avoided.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment of the present invention.
Those skilled in the art will understand that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will understand that the modules of the device in the embodiments may be distributed in the device of the embodiment as described, or may be changed accordingly and arranged in one or more devices different from the present embodiment. The modules of the above embodiments may be merged into one module or further split into a plurality of sub-modules.
The above discloses only several specific embodiments of the present invention, but the present invention is not limited thereto; any variation that those skilled in the art can conceive should fall within the scope of protection of the present invention.

Claims (16)

1. A method for preventing source address spoofing attacks, applied to a device that uses the Unicast Reverse Path Forwarding (URPF) technique to prevent source address spoofing attacks, characterized by comprising:
the device performs a URPF check on a received message; when the check result is legal, it forwards the message; when the check result is illegal, it searches the raw route database of the device for the routes corresponding to the source IP address of the message;
when the outgoing interface of any of the routes found is consistent with the incoming interface of the message, it forwards the message according to the destination IP address of the message;
when no corresponding route is found, or the outgoing interfaces of all the routes found are inconsistent with the incoming interface, it discards the message.
2. The method of claim 1, characterized in that, when the outgoing interface of any of the routes found is consistent with the incoming interface of the message, the method further comprises: setting a forwarding rule so that the URPF check result for the message becomes legal.
3. The method of claim 2, characterized in that setting a forwarding rule so that the message is judged legal by the URPF technique comprises: setting the correspondence between the incoming interface and the source IP address in an access control list (ACL); or setting the correspondence between the source IP address and the incoming interface in the forwarding table, with the priority of the incoming interface set lower than the priority of the outgoing interface originally corresponding to the source IP address.
4. The method of claim 1, characterized in that, when the outgoing interface of any of the routes found is consistent with the incoming interface of the message, the method further comprises: notifying the downstream device that the message is legal.
5. The method of claim 4, characterized in that notifying the downstream device that the message is legal comprises: carrying a message-legal flag in the extension header of the message and forwarding the message to the downstream device; or carrying the source IP address and a message-legal flag in the extension header of an empty message and sending it to the downstream device.
6. The method of claim 1, characterized by further comprising: after the device receives a message-legal notice sent by the upstream device, forwarding the corresponding message according to the notice and setting a forwarding rule so that the URPF check result for the corresponding message becomes legal.
7. The method of claim 3, characterized in that, after setting the forwarding rule so that the message is judged legal by the URPF technique, the method further comprises: obtaining the routing index, in the raw route database, of the route corresponding to the incoming interface and the source IP address, and storing the correspondence between the routing index and the incoming interface and source IP address;
when the route corresponding to the incoming interface and the source IP address is deleted from the raw route database, looking up the corresponding IP address and interface by the routing index of the deleted route, and deleting the stored correspondence between the incoming interface and the source IP address from the ACL or the forwarding table.
8. The method of claim 7, characterized in that, when the route corresponding to the incoming interface and the source IP address is deleted from the raw route database, the method further comprises: looking up the corresponding IP address by the routing index of the deleted route, and notifying the downstream device to delete the forwarding rule for messages whose source IP address is the address found.
9. A device for preventing source address spoofing attacks, which uses the Unicast Reverse Path Forwarding (URPF) technique to prevent source address spoofing attacks, characterized in that the device comprises:
an inspection unit, used to perform a URPF check on the messages received by the device;
a search unit, connected to the inspection unit, used to search the raw route database of the device for the routes corresponding to the source IP address of the message when the check result of the inspection unit is that the message is illegal;
a forwarding unit, connected to the inspection unit and the search unit, used to forward the message when the check result of the inspection unit is that the message is legal, and to forward the message according to its destination IP address when the outgoing interface of any route found by the search unit is consistent with the incoming interface of the message;
a discarding unit, connected to the search unit, used to discard the message when the search unit finds no corresponding route, or when the outgoing interfaces of all the routes found are inconsistent with the incoming interface.
10. The device of claim 9, characterized by further comprising a setting unit, connected to the search unit, used to set a forwarding rule so that the URPF check result for the message becomes legal when the outgoing interface of any route found by the search unit is consistent with the incoming interface of the message.
11. The device of claim 10, characterized in that the setting unit is specifically used to:
set the correspondence between the incoming interface and the source IP address in an access control list (ACL); or set the correspondence between the source IP address and the incoming interface in the forwarding table, with the priority of the incoming interface set lower than the priority of the interface originally corresponding to the source IP address.
12. The device of claim 9, characterized in that the forwarding unit is also used to notify the downstream device that the message is legal.
13. The device of claim 12, characterized in that the forwarding unit is specifically used to: carry a message-legal flag in the extension header of the message and forward the message to the downstream device; or carry the source IP address and a message-legal flag in the extension header of an empty message and send it to the downstream device.
14. The device of claim 9, characterized by further comprising:
a receiving unit, used to receive messages and message-legal notices sent by the upstream device;
the forwarding unit is connected to the receiving unit and is used to forward the message when it learns from the notice that the message is legal;
the setting unit is connected to the receiving unit and is used to set a forwarding rule so that the URPF check result for the message becomes legal.
15. The device of claim 11, characterized by further comprising:
a storage unit, connected to the setting unit, used to obtain the routing index, in the raw route database, of the route corresponding to the incoming interface and the source IP address, and to store the correspondence between the routing index and the incoming interface and source IP address;
a deletion unit, connected to the storage unit and the setting unit, used, when the route corresponding to the incoming interface and the source IP address is deleted from the raw route database, to look up the corresponding IP address and interface by the routing index of the deleted route and to delete the stored correspondence between the incoming interface and the source IP address from the ACL or the forwarding table.
16. The device of claim 15, characterized by further comprising a transmitting unit, connected to the storage unit, used to look up the corresponding IP address by the routing index of the deleted route stored in the storage unit and to send a command to the downstream device notifying it to delete the forwarding rule for messages whose source IP address is the address found.
CN2010102948439A 2010-09-28 2010-09-28 Method and equipment for preventing source address spoofing attack Pending CN101945117A (en)


Publications (1)

Publication Number Publication Date
CN101945117A true CN101945117A (en) 2011-01-12



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110112