CN112822148B - Internet of things sensing layer terminal ARP man-in-the-middle attack protection design - Google Patents


Info

Publication number
CN112822148B
Authority
CN
China
Prior art keywords: network, arp, internet, man, same
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010828742.9A
Other languages
Chinese (zh)
Other versions
CN112822148A (en)
Inventor
顾铠羟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Credit Information Technology Co ltd
Original Assignee
Beijing Credit Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Credit Information Technology Co ltd
Priority to CN202010828742.9A
Publication of CN112822148A
Application granted
Publication of CN112822148B
Legal status: Active (current)
Anticipated expiration

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the field of computer terminal access security, in particular to an ARP (address resolution protocol) man-in-the-middle attack protection design for terminals of the Internet of things sensing layer. It comprises two parts: 1. network data and ARP messages in the same network segment sent by the Internet of things terminal are routed through the Netfilter module of the Linux kernel network subsystem, and ARP communication messages in the same IP network segment are captured; 2. an ARP man-in-the-middle attack behaviour judgment function is executed in Netfilter to detect ARP man-in-the-middle attack behaviour. Kernel-layer detection and security isolation of ARP data in the same network segment are realized by using an MTK SOC scheme based on the MIPS architecture and modifying a kernel module of the Linux network subsystem, thereby realizing ARP man-in-the-middle attack protection; at the same time, the SOC chips of the MTK7621, MTK7628 and MTK7620 series are low in price and can be deployed in large quantities at the edge layer of the Internet of things.

Description

Internet of things sensing layer terminal ARP man-in-the-middle attack protection design
Technical Field
The invention relates to the field of computer terminal access security, in particular to an ARP (address resolution protocol) man-in-the-middle attack protection design for Internet of things sensing layer terminals.
Background
With the development of computer networks and the growth of the industrial internet and the Internet of things, the security of the network environment places higher security requirements on the equipment in the network. Internet of things sensing layer: in the Internet of things network environment specifically, the terminal devices located at the outermost layer of the network, which perform information acquisition and instruction execution, are the very tail end of the whole network environment; they have no downstream network devices connected to them and are often deployed in unattended environments, for example intelligent cameras, road monitoring, intelligent street lamps, community electronic display screens and similar devices.
Current market implementations:
1. Implementation with a layer-3 switch: devices of different network types are divided into different IP network segments. In the IP address attack example, if the IP address of A is 192.168.40.A and the IP address of B is 192.168.1.B, traffic between them is forwarded through routing or NAT, so network discovery between A and B takes place through a routing protocol and an ARP man-in-the-middle attack has no scenario in which to take effect. The problem with this implementation: because the sensing terminals are large in number and their deployment and planning is a long-term process, giving each terminal an independent IP segment increases the network topology complexity and the implementation cost and is not sustainable (a new IP network segment has to be divided and designed every time a new terminal is deployed; the engineering effort is huge and the method is basically infeasible). The method is therefore mainly used at the convergence layer and is basically infeasible at the Internet of things sensing layer.
2. Implementation with a gateway having a lateral isolation function: most such devices are implemented on Intel X86 architecture chips, and a few on self-developed chips (such as Huashi), so they are expensive (more than 4000 yuan) and difficult to deploy in large quantities upstream of every Internet of things sensing layer terminal; they too are intended for the convergence layer. Some Internet of things sensing layer terminals are deployed in remote areas and powered by a solar panel and a storage battery, which cannot supply a high-power gateway.
The common gateways deployed in large numbers at the edge layer of the Internet of things do not have a security defense function against ARP man-in-the-middle attacks, so a method is needed to detect ARP man-in-the-middle attacks on sensing layer terminals and to carry out corresponding protection and control.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing an ARP (address resolution protocol) man-in-the-middle attack protection design for Internet of things sensing layer terminals.
To achieve this purpose, the invention adopts the following technical scheme. The Internet of things sensing layer terminal ARP man-in-the-middle attack protection design comprises the following two parts:
(1) Network data and ARP messages in the same network segment sent by the Internet of things terminal are led to the Netfilter module of the Linux kernel network subsystem, and ARP communication messages in the same IP network segment are captured. The steps are:
(i) Take an SOC chip supporting multiple network ports, specifically one of the MTK7621, MTK7628 or MTK7620 series SOC chips, and divide each network port of the SOC chip into its own virtual local area network;
(ii) Attach each virtual local area network to the same network bridge;
(iii) Send the network data and ARP messages of the same network segment to the Netfilter module of the Linux kernel network subsystem;
(iv) Netfilter sends the processed network data and ARP messages of the same network segment to the network bridge, and the processed traffic is forwarded through the network bridge to all network ports other than the sending network port.
(2) An ARP man-in-the-middle attack behaviour judgment function is executed in Netfilter to detect ARP man-in-the-middle attack behaviour. The steps are:
(i) Once the traffic reaches the Netfilter module of the Linux kernel network subsystem, a hook function mounted at the NF_ARP_FORWARD node of Netfilter captures frames of the ARP protocol type, thereby capturing and separating out the ARP messages;
(ii) The Netfilter module parses the captured ARP message and analyzes whether the IP bound to the MAC address carried in the ARP message, in broadcast and in communication, is the real IP;
(iii) If the IP parsed by the Netfilter module is not the real IP, the Netfilter module immediately blocks the communication.
Furthermore, the IP of the Internet of things terminal remains unchanged, and the IPs in the same LAN lie in the same network segment: the Internet of things terminals are deployed in the same network segment, and the IP network segment does not need to be subdivided.
Compared with the prior art, the invention has the following beneficial effects:
1. The cost is reduced, and the system can be deployed in large quantities at the edge layer of the Internet of things;
2. The power consumption is reduced: the power consumption of the MTK SOC is far lower than that of X86 and similar schemes;
3. ARP attack detection and blocking control are realized within the same IP network segment, preventing ARP man-in-the-middle attacks. The edge layer of the Internet of things is deployed on a single IP network segment, which meets the deployment requirement and allows long-term, sustainable deployment.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention may be realized and attained by the means of the instrumentalities and combinations particularly pointed out hereinafter.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below, and it is obvious that the described embodiments are some, but not all embodiments of the present invention.
In the above description of the invention, it is noted that the orientation or positional relationship conventionally used in the manufacture of the invention is for convenience in describing and simplifying the invention, and is not intended to indicate or imply that the device or element so referred to must have a particular orientation, be constructed and operated in a particular orientation, and is therefore not to be construed as limiting the invention. Furthermore, the terms "first," "second," and the like are used merely to distinguish one description from another, and are not to be construed as indicating or implying relative importance.
Further, the term "identical" and the like do not mean that the components are absolutely required to be identical, but may have slight differences. The term "perpendicular" merely means that the positional relationship between the components is more perpendicular than "parallel", and does not mean that the structure must be perfectly perpendicular, but may be slightly inclined.
The following description is presented to disclose the invention so as to enable any person skilled in the art to practice the invention. The preferred embodiments described below are by way of example only, and other obvious variations will occur to those skilled in the art.
The Internet of things sensing layer terminal ARP man-in-the-middle attack protection design comprises the following two parts:
(1) Network data and ARP messages in the same network segment sent by the Internet of things terminal are led to the Netfilter module of the Linux kernel network subsystem, and ARP communication messages in the same IP network segment are captured. The steps are:
(i) Take an SOC chip supporting multiple network ports, specifically one of the MTK7621, MTK7628 or MTK7620 series SOC chips, and divide each network port of the SOC chip into its own virtual local area network;
(ii) Attach each virtual local area network to the same network bridge;
(iii) Send the network data and ARP messages of the same network segment to the Netfilter module of the Linux kernel network subsystem;
(iv) Netfilter sends the processed network data and ARP messages of the same network segment to the network bridge, and the processed traffic is forwarded through the network bridge to all network ports other than the sending network port.
(2) An ARP man-in-the-middle attack behaviour judgment function is executed in Netfilter to detect ARP man-in-the-middle attack behaviour. The steps are:
(i) Once the traffic reaches the Netfilter module of the Linux kernel network subsystem, a hook function mounted at the NF_ARP_FORWARD node of Netfilter captures frames of the ARP protocol type, thereby capturing and separating out the ARP messages;
(ii) The Netfilter module parses the captured ARP message and analyzes whether the IP bound to the MAC address carried in the ARP message, in broadcast and in communication, is the real IP;
(iii) If the IP parsed by the Netfilter module is not the real IP, the Netfilter module immediately blocks the communication.
The IP of the Internet of things terminal is kept unchanged, and the IPs under the same LAN are in the same network segment; the Internet of things terminals are deployed in the same network segment without re-dividing the IP network segment.
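As an added example (not code from the patent or its assignee), the following userspace C models the judgment function of part (2): it parses an ARP frame as a hook at NF_ARP_FORWARD would see it, checks whether the sender IP is really bound to the sender MAC, and returns an accept-or-drop verdict. The page does not say how the "real IP" is established, so the static IP-to-MAC table (justified by the design's fixed terminal IPs), the sample addresses and the sample frames are this example's assumptions; in a real kernel module the verdict function would be registered with nf_register_net_hook() and operate on an sk_buff rather than a raw byte buffer.

```c
#include <stdint.h>
#include <string.h>

/* Verdict values chosen to match NF_DROP (0) and NF_ACCEPT (1) in the kernel headers. */
enum { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };
enum { ETH_P_ARP = 0x0806, ARPOP_REQUEST = 1, ARPOP_REPLY = 2 };

/* Constructed sample addresses (not from any real deployment). */
static const uint8_t GW_IP[4]   = {192, 168, 1, 1};
static const uint8_t T10_IP[4]  = {192, 168, 1, 10};
static const uint8_t GW_MAC[6]  = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t T10_MAC[6] = {0x02, 0, 0, 0, 0, 0x0a};
static const uint8_t T11_MAC[6] = {0x02, 0, 0, 0, 0, 0x0b}; /* a second terminal */

/* Fixed IP<->MAC bindings: the design relies on terminal IPs never changing,
 * so the "real" IP of each MAC can be a static table on the gateway SoC (assumption). */
struct binding { const uint8_t *ip; const uint8_t *mac; };
static const struct binding known_terminals[] = { { GW_IP, GW_MAC }, { T10_IP, T10_MAC } };
struct arp_pkt { uint16_t op; uint8_t sha[6], spa[4], tha[6], tpa[4]; };

/* Parse an Ethernet frame as IPv4-over-Ethernet ARP; -1 if it is anything else. */
static int parse_arp_frame(const uint8_t *f, size_t len, struct arp_pkt *out)
{
    if (len < 42 || ((f[12] << 8) | f[13]) != ETH_P_ARP) return -1;
    const uint8_t *a = f + 14;
    if (((a[0] << 8) | a[1]) != 1 || ((a[2] << 8) | a[3]) != 0x0800 ||
        a[4] != 6 || a[5] != 4) return -1;
    out->op = (uint16_t)((a[6] << 8) | a[7]);
    memcpy(out->sha, a + 8, 6);  memcpy(out->spa, a + 14, 4);
    memcpy(out->tha, a + 18, 6); memcpy(out->tpa, a + 24, 4);
    return 0;
}

/* The judgment step: is the sender IP really bound to the sender MAC? */
static int sender_binding_is_real(const struct arp_pkt *p)
{
    static const uint8_t unspecified[4] = {0, 0, 0, 0};
    if (memcmp(p->spa, unspecified, 4) == 0) return 1; /* RFC 5227 probe: asserts no binding */
    for (size_t i = 0; i < sizeof known_terminals / sizeof known_terminals[0]; i++)
        if (memcmp(known_terminals[i].ip, p->spa, 4) == 0)
            return memcmp(known_terminals[i].mac, p->sha, 6) == 0;
    return 0; /* IP outside the fixed address plan: treated as non-real */
}

/* Verdict a hook registered at NF_ARP_FORWARD would return for one frame. */
int arp_mitm_verdict(const uint8_t *frame, size_t len)
{
    struct arp_pkt p;
    if (parse_arp_frame(frame, len, &p) != 0) return VERDICT_ACCEPT; /* not ARP: pass through */
    if (p.op != ARPOP_REQUEST && p.op != ARPOP_REPLY) return VERDICT_ACCEPT;
    return sender_binding_is_real(&p) ? VERDICT_ACCEPT : VERDICT_DROP;
}

/* Build a 42-byte Ethernet+ARP frame (constructed test input, not captured traffic). */
size_t build_arp_frame(uint8_t *buf, uint16_t op, const uint8_t *sha,
                       const uint8_t *spa, const uint8_t *tha, const uint8_t *tpa)
{
    if (op == ARPOP_REQUEST) memset(buf, 0xff, 6); else memcpy(buf, tha, 6);
    memcpy(buf + 6, sha, 6);
    const uint8_t hdr[10] = {0x08, 0x06, 0x00, 0x01, 0x08, 0x00, 6, 4,
                             (uint8_t)(op >> 8), (uint8_t)op};
    memcpy(buf + 12, hdr, 10);
    memcpy(buf + 22, sha, 6); memcpy(buf + 28, spa, 4);
    memcpy(buf + 32, tha, 6); memcpy(buf + 38, tpa, 4);
    return 42;
}

/* Verdict for a reply to terminal 10 that claims the gateway's IP with the given sender MAC:
 * GW_MAC is the genuine reply; any other MAC is the poisoning pattern the design blocks. */
int verdict_for_gateway_reply(const uint8_t *claimed_sender_mac)
{
    uint8_t f[42];
    size_t n = build_arp_frame(f, ARPOP_REPLY, claimed_sender_mac, GW_IP, T10_MAC, T10_IP);
    return arp_mitm_verdict(f, n);
}
```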
The foregoing shows and describes the general principles, essential features, and advantages of the invention.
It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are merely illustrative of the principles of the invention, but various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined by the appended claims.
The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (1)

1. An Internet of things sensing layer terminal ARP man-in-the-middle attack protection method, characterized by comprising the following two parts:
(1) Network data and ARP data messages in the same IP network segment sent by an Internet of things terminal are led to the Netfilter module of the Linux kernel network subsystem so as to capture the ARP data messages in the same IP network segment, the specific implementation steps being as follows:
(i) Taking an SOC chip supporting a plurality of network ports, the SOC chip being specifically one of the MTK7621, MTK7628 or MTK7620 series SOC chips, and dividing each network port of the SOC chip into a virtual local area network;
(ii) Mounting each virtual local area network on the same network bridge;
(iii) Sending the network data and ARP data messages in the same IP network segment to the Netfilter module of the Linux kernel network subsystem;
(iv) The Netfilter module sending the processed network data and ARP data messages of the same IP network segment to the network bridge, and sending the processed communication traffic through the network bridge to the other network ports except the sending network port;
(2) During the processing operation of step (iv), a function for judging man-in-the-middle attack behaviour in the ARP data messages is executed in the Netfilter module and man-in-the-middle attack behaviour in the ARP data messages is detected, the specific implementation steps being as follows:
(i) Passing the ARP data messages through the Netfilter module of the Linux kernel network subsystem, mounting a hook function at the NF_ARP_FORWARD node of the Netfilter module, capturing ARP protocol frames, and thereby capturing and separating out the ARP data messages;
(ii) The Netfilter module performing protocol analysis on the captured ARP data messages and analyzing whether the IP bound to the MAC address carried in the ARP data message, in broadcast and in communication, is the real IP;
(iii) If the bound IP analyzed by the Netfilter module is not the real IP, the Netfilter module immediately blocking the communication; wherein the IP of the Internet of things terminal is kept unchanged, and the IPs under the same virtual local area network are IPs in the same network segment, the Internet of things terminals being deployed in the same IP network segment without re-dividing the IP network segment.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010828742.9A CN112822148B (en) 2020-08-17 2020-08-17 Internet of things sensing layer terminal ARP man-in-the-middle attack protection design

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010828742.9A CN112822148B (en) 2020-08-17 2020-08-17 Internet of things sensing layer terminal ARP man-in-the-middle attack protection design

Publications (2)

Publication Number Publication Date
CN112822148A CN112822148A (en) 2021-05-18
CN112822148B true CN112822148B (en) 2023-02-21

Family

ID=75853212

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010828742.9A Active CN112822148B (en) 2020-08-17 2020-08-17 Internet of things sensing layer terminal ARP man-in-the-middle attack protection design

Country Status (1)

Country Link
CN (1) CN112822148B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105262738A (en) * 2015-09-24 2016-01-20 上海斐讯数据通信技术有限公司 Router and method for preventing ARP attacks thereof
CN106982234A (en) * 2017-05-26 2017-07-25 杭州迪普科技股份有限公司 ARP attack defense method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102017810B1 (en) * 2012-04-18 2019-10-21 짐페리엄 리미티드 Preventive Intrusion Device and Method for Mobile Devices

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Linux-based ARP detection and defense system; Chen Jun et al.; Cyberspace Security; 2018-01-31; Vol. 09 (No. 01); full text *

Also Published As

Publication number Publication date
CN112822148A (en) 2021-05-18


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant