CN1564538A - Method for preventing IP address from forged based on rewritten address - Google Patents


Info

Publication number: CN1564538A
Authority: CN (China)
Prior art keywords: address, port, network access, access equipment, single computer
Legal status: Granted; now expired (fee related)
Application number: CN 200410026055
Other languages: Chinese (zh)
Other versions: CN100463429C (en)
Inventor: 李卫
Current assignee: Xian Jiaotong University
Original assignee: Xian Jiaotong University
Priority date: 2004-04-19
Filing date: 2004-04-19
Publication date: 2005-01-12

  • Application filed by Xian Jiaotong University
  • Priority to CNB2004100260556A
  • Publication of CN1564538A
  • Application granted
  • Publication of CN100463429C
  • Anticipated expiration
  • Expired - Fee Related (current status)

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention applies broadly to network access devices such as Ethernet switches, routers, dial-up servers and DSL concentrators, and in particular to the case where a single computer is connected directly to the access device. Whether the computer uses a dynamic or a static IP address, the access device maintains a 'port-IP address correspondence table' for it and rewrites the source address of the IP packets it sends, which prevents IP address forgery.

Description

Method for preventing IP address forgery based on address rewriting
Technical field
The present invention relates to the field of computer communication and is widely applicable to network access devices such as Ethernet switches, routers, dial-up servers and DSL concentrators. It concerns in particular a method, based on address rewriting, for preventing IP address forgery in the case where a single computer is connected directly to the network access equipment.
Background technology
IP address forgery is a common problem in network applications. When a networked computer communicates using the TCP/IP protocol suite it sends IP packets whose source address field should contain the IP address assigned to the computer by the network administration; this address, however, is easily modified by the sender. Many attackers exploit this to mount anonymous attacks such as denial of service (DoS).
At present there are two main methods of preventing IP address forgery:
The first uses IPsec. The AH protocol of IPsec produces authentication data over the IP header, called the ICV. The ICV is computed over the fields of the IP header whose values do not change in transit (fields whose values do change are treated as 0 for the computation), the AH header (with the authentication data field initially 0), and the upper-layer protocol data (assumed not to change in transit).
The algorithm used to compute the ICV can be a message authentication code (MAC) based on a one-way hash function and a symmetric key, such as HMAC-MD5-96 or HMAC-SHA-1-96, or a digital signature based on a one-way hash function and a public-key algorithm.
The main problem with the IPsec approach is that it is relatively difficult to deploy and requires the support of a large-scale key authority. It mainly prevents IP packets from being tampered with or forged in transit, but it cannot prevent the user side from forging its own IP address.
The second method binds the MAC address to the IP address. This has some deterrent effect on IP address forgery in two-way communication, but it cannot prevent it, because the user side can modify the MAC address and the IP address at the same time. Nor can this method prevent one-way source IP address forgery, where the user side merely sends IP packets.
Summary of the invention
The object of the present invention is to provide a method for preventing IP address forgery, based on address rewriting, that is simple to operate and prevents the user side from forging its IP address.
The technical scheme of the present invention is as follows:
When network access equipment is directly connected to single computers, the access equipment maintains a "port-IP address correspondence table" regardless of whether each computer uses a dynamic or a static IP address, such that the IP address assigned to the computer connected to port i (1≤i≤n) is identical to the IP address field of entry i in the "port-IP address correspondence table".
The concrete processing steps are as follows:
1) If port i (1≤i≤n) of the network access equipment is not connected to a single computer, the IP address field of entry i in the "port-IP address correspondence table" is set to 0;
If port i (1≤i≤n) of the network access equipment is connected to a single computer that uses a static IP address Xi assigned by the network management authority, the network management authority configures the access device manually via console, network management protocol or Telnet, and at the same time sets the IP address field of entry i in the "port-IP address correspondence table" to the static IP address Xi;
If port i (1≤i≤n) of the network access equipment is connected to a single computer that uses a dynamic IP address, then once the network access equipment has obtained the computer's dynamic authentication and address allocation information from the network management authority, it at the same time sets the IP address field of entry i in the "port-IP address correspondence table" to the allocated dynamic IP address;
2) After port i (1≤i≤n) of the network access equipment receives an IP packet, the access equipment checks the IP address field of entry i in the "port-IP address correspondence table". If the value is 0, the IP packet is discarded; if the value is not 0, it is written into the source IP address field of the IP packet, giving an address-rewritten IP packet, which the network access equipment then forwards.
The "port-IP address correspondence table" referred to above is:
Port number    IP address
1              X1
2              X2
…              …
n              Xn
With the method and steps of the present invention, address rewriting by the access device is mandatory: whether or not the source address in an IP packet sent by the computer is forged, the access device overwrites it with the IP address from the table, which effectively prevents the user side from forging its IP address. Because the rewrite operation is very simple, its impact on network performance is also very small.
Description of drawings
Fig. 1 is a flow chart of the present invention;
Fig. 2 shows the "port-IP address correspondence table" maintained by the access device in the present invention.
Embodiment
The accompanying drawings show specific embodiments of the invention;
The content of the invention is described in further detail below with reference to the drawings;
Referring to Fig. 1, 1 is the network management authority that performs address assignment. Network access equipment 2 may be an Ethernet switch, dial-up server, DSL concentrator, etc., whose ports used to connect computers are numbered 1 to N. Single computer 3 is connected directly to network access equipment 2. IP packet 4 is an IP packet sent by single computer 3. IP packet 5 is the IP packet after address rewriting by access device 2.
The implementation of the invention consists of address assignment and rewriting of the source IP address field of the IP packet.
1) If port i (1≤i≤n) of network access equipment 2 is not connected to a single computer 3, the IP address field of entry i in the "port-IP address correspondence table" is set to 0;
If port i (1≤i≤n) of network access equipment 2 is connected to a single computer 3 that uses a static IP address Xi assigned by network management authority 1, then network management authority 1 configures network access equipment 2 manually via console, network management protocol or Telnet, and at the same time sets the IP address field of entry i in the "port-IP address correspondence table" to the static IP address Xi;
If port i (1≤i≤n) of network access equipment 2 is connected to a single computer 3 that uses a dynamic IP address, then once network access equipment 2 has obtained the dynamic authentication and address allocation information for single computer 3 from network management authority 1, it at the same time sets the IP address field of entry i in the "port-IP address correspondence table" to the allocated dynamic IP address;
2) After port i (1≤i≤n) of network access equipment 2 receives IP packet 4, it checks the IP address field of entry i in the "port-IP address correspondence table". If the value is 0, IP packet 4 is discarded; if it is not 0, the value is written into the source IP address field of IP packet 4. The result is IP packet 5, which network access equipment 2 forwards.
Referring to Fig. 2, a "port-IP address correspondence table" is maintained on network access equipment 2; the main field of the table is the IP address.
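The address-assignment and rewrite steps described in the summary, the embodiment and the claims, as an added Python example; this is constructed code, not from the patent, and the class, function and table representation are assumptions. The patent does not mention the IPv4 header checksum, which overwriting the source address invalidates, so the example also recomputes it.

```python
import struct
import ipaddress

UNASSIGNED = 0  # table value meaning "no computer connected to this port"

def ipv4_checksum(header):
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    data = bytes(header)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(src, dst, payload=b""):
    """Constructed sample IPv4 datagram (UDP, no options) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                                64, 17, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(hdr) + payload

def source_ip(packet):
    return str(ipaddress.IPv4Address(packet[12:16]))

class AccessDevice:
    def __init__(self, n_ports):
        # "port-IP address correspondence table": port i -> IPv4 as int, 0 = unconnected
        self.table = {i: UNASSIGNED for i in range(1, n_ports + 1)}

    def assign_static(self, port, ip):    # step 1: management configures Xi for port i
        self.table[port] = int(ipaddress.IPv4Address(ip))

    def assign_dynamic(self, port, ip, authenticated):
        # step 1: a dynamic address is recorded only after management authentication
        if not authenticated:
            return False
        self.table[port] = int(ipaddress.IPv4Address(ip))
        return True

    def process(self, port, packet):
        """Step 2: drop if the entry is 0, else overwrite the source IP and forward."""
        entry = self.table[port]
        if entry == UNASSIGNED:
            return None                   # packet discarded
        ihl = (packet[0] & 0x0F) * 4      # header length in bytes
        hdr = bytearray(packet[:ihl])
        struct.pack_into("!I", hdr, 12, entry)
        # Overwriting bytes 12-15 invalidates the header checksum (the patent does
        # not mention this); recompute it so the forwarded packet stays valid.
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
        return bytes(hdr) + packet[ihl:]
```

A real device would also have to update TCP and UDP checksums, which cover the source address through the pseudo-header, exactly as NAT implementations do.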

Claims (3)

1. A method for preventing IP address forgery based on address rewriting, characterized in that the implementation consists of address assignment and rewriting of the source IP address of IP packets: when port i (1≤i≤n) of network access equipment (2) is connected to a single computer (3), then whether the single computer (3) uses a dynamic or a static IP address, the network access equipment (2) maintains a "port-IP address correspondence table" and guarantees that the IP address assigned to the single computer (3) is identical to the IP address field of entry i in the "port-IP address correspondence table".
2. The method for preventing IP address forgery based on address rewriting according to claim 1, characterized in that the concrete processing steps are as follows:
1) Address assignment:
If port i (1≤i≤n) of the network access equipment (2) is not connected to a single computer (3), the IP address field of entry i in the "port-IP address correspondence table" is set to 0;
If port i (1≤i≤n) of the network access equipment (2) is connected to a single computer (3) that uses a static IP address Xi assigned by the network management authority (1), the network management authority (1) configures the access device (2) manually via console, network management protocol or Telnet, and at the same time sets the IP address field of entry i in the "port-IP address correspondence table" to the static IP address Xi;
If port i (1≤i≤n) of the network access equipment (2) is connected to a single computer (3) that uses a dynamic IP address, then once the network access equipment (2) has obtained the dynamic authentication and address allocation information for the single computer (3) from the network management authority (1), it at the same time sets the IP address field of entry i in the "port-IP address correspondence table" to the allocated dynamic IP address;
2) Rewriting of the source IP address of IP packets:
After port i (1≤i≤n) of the network access equipment (2) receives IP packet (4), the network access equipment (2) checks the IP address field of entry i in the "port-IP address correspondence table". If the value is 0, IP packet (4) is discarded; if the value is not 0, it is written into the source IP address field of IP packet (4), giving IP packet (5), which the network access equipment (2) forwards.
3. The method for preventing IP address forgery based on address rewriting according to claim 1, characterized in that the "port-IP address correspondence table" is:
Port number    IP address
1              X1
2              X2
…              …
n              Xn

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100260556A CN100463429C (en) 2004-04-19 2004-04-19 Method for preventing IP address from forged based on rewritten address


Publications (2)

Publication Number Publication Date
CN1564538A true CN1564538A (en) 2005-01-12
CN100463429C CN100463429C (en) 2009-02-18

Family

ID=34480560

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100260556A Expired - Fee Related CN100463429C (en) 2004-04-19 2004-04-19 Method for preventing IP address from forged based on rewritten address

Country Status (1)

Country Link
CN (1) CN100463429C (en)


Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5757924A (en) * 1995-09-18 1998-05-26 Digital Secured Networks Techolognies, Inc. Network security device which performs MAC address translation without affecting the IP address
KR100277061B1 (en) * 1998-11-04 2001-01-15 윤종용 Short message compression device of mobile communication terminal and corresponding short message transmission method

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102301653A (en) * 2009-01-28 2011-12-28 三菱电机株式会社 IP address delivery device and IP address delivery method
US8755307B2 (en) 2009-01-28 2014-06-17 Mitsubishi Electric Corporation IP-address distribution device and IP-address distribution method
CN102301653B (en) * 2009-01-28 2015-10-21 三菱电机株式会社 IP address distribution device and IP address distribution method
CN103179221A (en) * 2011-12-21 2013-06-26 英业达股份有限公司 Servo system and method for setting address of distribution unit
US10341332B2 (en) 2016-07-26 2019-07-02 International Business Machines Corporation System and method for providing persistent user identification
US11032268B2 (en) 2016-07-26 2021-06-08 International Business Machines Corporation System and method for providing persistent user identification

Also Published As

Publication number Publication date
CN100463429C (en) 2009-02-18


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090218

Termination date: 20120419