CN100428721C - Link connection cutting method and access point device in WLAN - Google Patents
- Publication number
- CN100428721C (CNB2006100775532A, CN200610077553A)
- Authority
- CN
- China
- Prior art keywords
- message
- link
- wireless user
- cut
- state
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Mobile Radio Communication Systems (AREA)
- Small-Scale Networks (AREA)
Abstract
The present invention discloses a method for cutting off a link connection, comprising: A. when the AP receives a link cut-off message, it determines the wireless user corresponding to the message and probes the link state of that wireless user; B. when the link state of the wireless user is abnormal, the WLAN link connection of the wireless user is cut off according to the received message. The invention also discloses an AP device comprising a data storage module, a communication module and a control module. The invention can effectively defend a legitimate wireless user against attacks by an illegal wireless user.
Description
Technical field
The present invention relates to wireless local area network (WLAN) technology, and in particular to a method for cutting off a link connection in a WLAN and to an access point (AP) device.
Background technology
As electronics and communication technology mature, WLANs, which provide wireless connection services within the range of a local area network, are used more and more widely. The Institute of Electrical and Electronics Engineers (IEEE) 802.11 protocol family defines the characteristics of the medium access control (MAC) layer and the physical (PHY) layer of WLAN, provides access at several rates and offers a variety of wireless functions. Specifically, the IEEE 802.11 protocol provides wireless access at a 2M rate; the IEEE 802.11b protocol supports wireless access at an 11M rate; the IEEE 802.11g and IEEE 802.11a protocols support wireless access at a 54M rate; the IEEE 802.11n protocol can support wireless access at a 108M rate; 802.11i addresses the security problems of 802.11 and defines authentication and encryption protection for wireless users; and so on.
The IEEE 802.11 protocol defines the link layer protocol of WLAN and specifies a link negotiation process that comprises a link scanning (Scanning) phase, a link authentication (Authentication) phase and a link connection (Association) phase. After selecting a WLAN network, a wireless user can successfully establish a WLAN link connection that conforms to the IEEE 802.11 protocol only by negotiating through these three phases.
Fig. 1 is a schematic diagram of the networking of an existing WLAN. As shown in Fig. 1, a WLAN network comprises at least an AP and the Stations that act as wireless users. The AP is the wireless transceiver that serves as the WLAN service device: it converts data coming from a wired network such as the Internet into wireless signals and sends them, and it converts the wireless signals it receives into data that the wired network can recognise and forwards that data to the wired network.
Usually the AP is configured with extended service sets (ESS), each ESS corresponds to a unique ESS identifier (ESSID), and the AP broadcasts the ESSID to all Stations in the WLAN in Beacon messages. A Station performs link scanning either by passively receiving Beacon messages or by actively sending Probe messages to the AP; it obtains the ESSID and so discovers the WLAN services around it. When the Station wants to use a WLAN service, it initiates a request to access the WLAN. The AP authenticates the Station according to the preconfigured link authentication algorithm and, once authentication succeeds, the Station and the AP interact to carry out the negotiation of the Association phase. After the Association negotiation is complete, the Station can access the WLAN network provided by this AP.
Fig. 2 shows the states of a Station in a WLAN. As shown in Fig. 2, each Station has three states (State): State1 means that the Station is not authenticated and has no connection with the WLAN; State2 means that the Station is successfully authenticated but has no connection with the WLAN; State3 means that the Station is successfully authenticated and connected with the WLAN. Specifically, when the AP receives an authentication message from a Station for the first time, it creates the data structure for this Station, which allocates the memory that holds the Station's information and corresponds uniquely to the Station's MAC address; at this point the state of the Station is State1. When the Station passes link authentication, its state switches to State2. When the Station completes the link Association process with the WLAN, its state switches to State3 and it has successfully accessed the WLAN network.
When the AP receives a De-authentication message or a Disassociation message from a Station, it cuts off the link connection between this Station and the WLAN. In other words, when the Station is in State3, if the AP receives a Disassociation message, it switches the state of the Station to State2; if the AP receives a De-authentication message, it switches the state of the Station to State1.
When link connections of Stations in a WLAN are cut off in this way, an illegal wireless user (Rogue Station) can attack a legitimate wireless user in the WLAN by sending a forged Disassociation or De-authentication message to the AP. Fig. 3 is a schematic diagram of an illegal wireless user attacking a legitimate wireless user under the existing link cut-off method. As shown in Fig. 3, after the legitimate Station has established a link connection with the WLAN through steps 301 and 302, the illegal wireless user impersonates this Station in step 303 and sends a Disassociation or De-authentication message to the AP. In step 304, on receiving the forged De-authentication or Disassociation message, the AP mistakes the sender of the message for the legitimate Station and cuts off the link connection between this Station and the AP. The legitimate Station is thereby switched from State3 to State2 or State1, so it can no longer access the WLAN network or use the services the WLAN provides.
As can be seen, the existing method of cutting off link connections in a WLAN cannot resist attacks by an illegal wireless user on a legitimate wireless user, so that the WLAN network wrongly disconnects the legitimate wireless user's link connection. To continue to obtain the network service that the WLAN provides, the legitimate wireless user can only access the WLAN again by re-running the three negotiation phases specified by the IEEE 802.11 protocol. The existing method therefore lowers the quality of the network service and leaves users less satisfied.
Summary of the invention
In view of this, the invention provides a method for cutting off a link connection in a WLAN and an AP device that can resist attacks by an illegal wireless user on a legitimate wireless user.
To achieve the above object, the invention provides a method for cutting off a link connection in a WLAN, the method comprising the following steps:
A. When the access point (AP) receives a link cut-off message, it determines the wireless user corresponding to this message that has established a wireless local area network (WLAN) link connection, probes the link state of this wireless user and starts a preset security protection timer;
B. When the AP receives no response from the wireless user while the security protection timer is running, it judges that the link state of this wireless user is abnormal and, according to the received message, disconnects the WLAN link connection of this wireless user.
Wherein, determining in step A the wireless user corresponding to the message that has established a WLAN link connection comprises:
The AP looks up the corresponding wireless user in its own records according to the source media access control (MAC) address in the received link cut-off message; when the wireless user is found and is in the state of having been authenticated and having completed the link connection, this wireless user is determined to be the wireless user corresponding to the message that has established a WLAN link connection.
Wherein, probing the link state of the wireless user in step A is:
The AP sends a state probe message to the wireless user.
Wherein, the state probe message is a message that conforms to the IEEE 802.11 protocol.
Wherein, the message that conforms to the IEEE 802.11 protocol is a null data (NULL-Data) message.
Preferably, step B comprises:
B11. The security protection timer expires; if the AP received no response to the state probe message from the wireless user while the security protection timer was running, it judges that the link state of the wireless user is abnormal;
B12. When the link cut-off message is a Disassociation message, the wireless user is switched to the state of being authenticated but not having completed the link connection; when the link cut-off message is a De-authentication message, the wireless user is switched to the state of not being authenticated and not having completed the link connection.
Preferably, after the security protection timer of step B11 expires, the method further comprises:
If the AP received a response to the state probe message from the wireless user while the security protection timer was running, it judges that the link state of the wireless user is normal and ends this link cut-off flow.
Preferably, before step B11 the method further comprises:
The AP again receives a link cut-off message corresponding to the wireless user and judges whether the type of this newly received link cut-off message is already stored in the AP; if so, it discards the message and executes step B11; otherwise, it records the message type of the newly received link cut-off message, discards the message and then executes step B11;
After the link state of the wireless user has been judged to be normal, the method further comprises: reading the lowest-ranked message type among the recorded link cut-off message types and returning to step A.
Preferably, step B comprises:
B21. Judge whether the AP has received a response to the state probe message from the wireless user; if so, the security protection timer stops timing and this link cut-off flow ends; otherwise, when the security protection timer expires, judge that the link state of the wireless user is abnormal and execute step B22;
B22. When the link cut-off message is a Disassociation message, the wireless user is switched to the state of being authenticated but not having completed the link connection; when the link cut-off message is a De-authentication message, the wireless user is switched to the state of not being authenticated and not having completed the link connection.
Preferably, before the AP sends the state probe message, the method further comprises: the AP records the type of the received link cut-off message;
Before step B12, the method further comprises: the AP determines, from the message type it has recorded, whether the link cut-off message is a Disassociation message or a De-authentication message.
The present invention also provides an AP device comprising a data storage module, a communication module and a control module, wherein:
The data storage module stores information on the wireless users that have established a wireless local area network (WLAN) link connection;
The communication module receives link cut-off messages and passes each received message to the control module; on the instruction of the control module it probes the link state of a wireless user, submits the probe result to the control module, and disconnects the wireless user's link connection;
The control module uses the wireless user information stored in the data storage module to determine the wireless user corresponding to a link cut-off message coming from the communication module, instructs the communication module to probe the link state of that wireless user, determines the wireless user's link state from the probe result submitted by the communication module and, when the link state is abnormal, notifies the communication module to disconnect the WLAN link connection of this wireless user.
Preferably, the device further comprises a security protection timer, which times under the instruction of the control module and notifies the control module when timing is complete.
With the present invention, a WLAN can resist attacks by an illegal wireless user on a legitimate wireless user. Specifically, the invention has the following beneficial effects:
When the AP receives a link cut-off message, it sends a state probe message such as a null data message to probe the link state of the Station corresponding to the link cut-off message, and it disconnects the WLAN link connection of this Station only when the Station's link state is abnormal. This effectively resists attacks that an illegal wireless user carries out on a legitimate wireless user with forged link cut-off messages, and improves network service quality.
Further, in the present invention, when the AP again receives a link cut-off message for this Station while the security protection timer is running, it discards the message directly if the type of this link cut-off message is already stored in the AP; if the type is not stored in the AP, it records the message type and then discards the message. Then, once it has been determined that the Station was under malicious attack, the AP decides from the recorded message types whether to disconnect the Station's WLAN link connection. In this way, even if the AP receives several identical link cut-off messages during the security protection period, it records the message type only once, and after the first security protection period ends it resends the NULL-Data message for the lowest-ranked of the recorded message types. This effectively prevents an illegal wireless user from making the AP send state probe messages continuously by sending many link cut-off messages in succession, and so avoids the resulting impact on the WLAN network.
In addition, the present invention uses a message from the IEEE 802.11 protocol to probe the link state, which is simple to implement and highly practical.
Description of drawings
The above and other features and advantages of the present invention will become clearer to those of ordinary skill in the art from the following detailed description of exemplary embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of the networking of a WLAN;
Fig. 2 is a diagram of the states of a Station in a WLAN;
Fig. 3 is a schematic diagram of an illegal wireless user attacking a legitimate wireless user when the existing link cut-off method is used in a WLAN;
Fig. 4 is a flow chart of the link cut-off method in a WLAN according to the present invention;
Fig. 5 is a flow chart of the link cut-off method in Embodiment 1 of the invention;
Fig. 6 is a signaling flow chart of the link cut-off method in Embodiment 1 of the invention when the Station is under attack;
Fig. 7 is a flow chart of the link cut-off method in Embodiment 2 of the invention;
Fig. 8 is a structural diagram of the AP device in an embodiment of the invention.
Embodiment
To make the purpose and technical solution of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments.
The present invention is a method for cutting off a link connection. Its basic idea is: when the AP receives a link cut-off message relating to a wireless user that has established a WLAN link connection, it probes the state of this wireless user, and it cuts off the wireless user's WLAN link connection when the wireless user's link is in an abnormal state.
Fig. 4 shows the flow chart of the link cut-off method of the present invention. Referring to Fig. 4, the method comprises:
In step 401, when the AP receives a link cut-off message, it determines the wireless user corresponding to this link cut-off message that has established a WLAN link connection, and probes the link state of this wireless user;
In step 402, when the link state of this wireless user is abnormal, the WLAN link connection of this wireless user is disconnected.
In the present invention, link cut-off messages comprise at least the Disassociation message and the De-authentication message, and the AP can use a message that conforms to the IEEE 802.11 protocol as the state probe message with which it probes the wireless user's link state. The embodiments below illustrate the inventive concept, taking as the example an AP that probes the wireless user's link state by sending a null data (NULL-Data) message.
Embodiment 1
Fig. 5 shows the flow chart of the link cut-off method in this embodiment. Referring to Fig. 5, the method comprises the following steps:
In step 501, the Station acting as the wireless user runs normally.
In steps 502~503, judge whether the AP has received a Disassociation message or a De-authentication message; if so, look up the corresponding Station according to the source MAC address of the received message and continue with step 504; otherwise, return to step 501.
In a WLAN, when a Station wants to go offline, it can send a Disassociation message or a De-authentication message to the AP to disconnect the WLAN link connection between itself and the AP, and after sending the message it no longer responds to messages it receives; the Station can then be regarded as being in an abnormal state. Because each Station corresponds to a unique MAC address, the header of a Disassociation or De-authentication message carries a source MAC address that indicates the Station sending the message. When the AP receives a Disassociation or De-authentication message, it determines the sender from the source MAC address of the message, that is, the AP uses the source MAC address as an index and searches the MAC addresses it has stored.
In steps 504~505, judge whether this Station exists and, if it does, whether it is in State3; if the Station exists and its state is State3, continue with step 506; otherwise, process the message as specified by the IEEE 802.11 protocol and end this link cut-off flow.
When the AP finds a record identical to the source MAC address among the MAC addresses it has stored, a Station corresponding to the received message exists. Only a Station in State3 has successfully established a WLAN link connection, that is, is online; therefore protection processing against link disconnection can be applied only to a Station in State3.
When no Station corresponding to the Disassociation or De-authentication message received by the AP exists, or the Station exists but is not in State3, the state in which the link connection has been successfully established, subsequent operations are carried out according to the IEEE 802.11 protocol. For example, when the AP receives a De-authentication message but cannot find the Station corresponding to this message because the AP has been offline, the AP sends a De-authentication message with the source MAC address of that message as the destination address, to ensure that this Station can go offline normally.
In step 506, the AP records the type of the received link cut-off message, starts the security protection timer and sends a NULL-Data message to the Station to probe the state of this Station.
This embodiment presets the security protection timer, and the duration of this timer equals the security protection period that this embodiment gives the Station. While the timer is running, the AP is in the attack protection (Attack-Protection) state for this Station. When the AP is in the attack protection state and again receives a Disassociation or De-authentication message for this Station, it judges whether the type of the newly received Disassociation or De-authentication message is already stored in the AP; if so, it discards the message; otherwise, it records the type of this message and then discards it. After this link cut-off flow has finished and it has been determined that the Station was under attack, the AP reads the lowest-ranked message type among the recorded message types and determines for it whether to cut off the link, that is, execution starts again from step 503. Because the Disassociation message ranks lower than the De-authentication message, when both a Disassociation message and a De-authentication message are present the AP resends the NULL-Data message for the Disassociation message and, if it receives no ACK message, switches the state of the Station to State2. If what the user actually wants is to switch to State1, the user will subsequently detect its own state, carry out the operations of the existing protocol, and finally switch to State1.
For example, suppose the message the AP receives first is a De-authentication message and that, while the security protection timer is running, it receives a Disassociation message for the same Station when no Disassociation message has been recorded in the AP. The AP then records the type of the newly received message as Disassociation and discards the recorded message. After determining that the De-authentication message was sent by a malicious illegal wireless user and keeping the Station running normally, the AP executes the operations of steps 503~509 for the recorded message.
As another example, if several Disassociation messages are received during the security protection period that starts after the AP first receives a De-authentication message, the AP records the Disassociation message type only once, and after the security protection period that was started first, the AP resends only one NULL-Data message to probe the state of the Station again.
In addition, if one Disassociation message and several De-authentication messages are received during the security protection period that starts after the AP first receives a De-authentication message, the AP records the Disassociation and De-authentication message types once each, and after the security protection period that was started first, the AP resends a NULL-Data message only for the Disassociation message to probe the state of the Station again.
As can be seen, once the De-authentication or Disassociation message received first has been determined to be a malicious attack, the system needs to process all of the Disassociation or De-authentication messages received afterwards only once; it does not need to send a NULL-Data probe message for every subsequent De-authentication or Disassociation message. The discard operation here thus protects the system against attack without affecting its functions.
When the security protection timer starts timing, the AP sends a NULL-Data message to the Station corresponding to the received Disassociation or De-authentication message. The NULL-Data message is a data message defined by the IEEE 802.11 protocol; its type is data message 0x02 and its subtype is null function (Nullfunction) 0x04. The message contains no data. According to the IEEE 802.11 protocol, a Station that is online returns an acknowledgement (ACK) message when it receives a NULL-Data message from the AP, to confirm that it has received the NULL-Data message.
In steps 507~509, when the security protection timer expires, judge whether the AP received a message from the Station while the security protection timer was running; if so, return to step 501; otherwise, disconnect the WLAN link connection of this Station according to the Disassociation or De-authentication message that the AP received.
The period from the start of the security protection timer until it stops timing is the period during which the AP is in the attack protection state. If during this period the AP receives the ACK message that the Station sends in response to the NULL-Data message, or any other message from the Station, the Station is running normally and has not asked to disconnect; the Disassociation or De-authentication message that the AP received is an invalid message sent by an illegal wireless user, so the AP performs no operation on this Station and lets it keep running normally. If the AP still has not received any message from this Station when the security protection timer expires, the Disassociation or De-authentication message that the AP received was sent by this Station, and the AP therefore disconnects the Station's WLAN link connection.
In this embodiment, the Station's WLAN link connection is disconnected as follows: the AP reads the link cut-off message type that it recorded in step 506 and switches the state of the Station according to the message type read. Specifically, if the message recorded by the AP is a Disassociation message, the Station is switched from State3 to State2; if the message recorded by the AP is a De-authentication message, the Station is switched from State3 to State1. Whether the Station is switched to State1 or to State2, its WLAN link connection is cut off. Moreover, after the state of the Station has been switched to State1, the AP deletes the structure information that it has stored for this Station.
This completes the link cut-off flow of this embodiment.
Fig. 6 shows the signaling flow of the link cut-off method of this embodiment when the Station is under attack. As shown in Fig. 6, while the Station is running normally after the link negotiation of step 601, if the AP receives in step 602 a Disassociation or De-authentication message corresponding to this Station, it sends a NULL-Data message to the Station in step 603 to probe the state of the Station. Because the Station's link is normal and the Disassociation or De-authentication message was sent by an illegal wireless user, the Station returns an ACK message for the NULL-Data message to the AP in step 604. The AP then confirms that the Station is under attack and does not cut off its link.
As the above flow shows, when the AP in this embodiment receives a link cut-off message, it probes the link state of the Station corresponding to the message by sending a NULL-Data message or the like, and it disconnects the Station's WLAN link connection only when the Station's link state is abnormal. This embodiment effectively resists attacks that an illegal wireless user carries out on a legitimate wireless user with forged link cut-off messages, and improves network service quality. Moreover, if the AP again receives a link cut-off message for this Station while the security protection timer is running, it discards the message directly, which effectively prevents an illegal wireless user from making the AP send NULL-Data messages continuously by sending many link cut-off messages in succession, and so avoids the resulting impact on the WLAN network. In addition, this embodiment uses the NULL-Data message of the IEEE 802.11 protocol to probe the link state, which is simple to implement and highly practical.
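The flow of Embodiment 1 (steps 502 to 509) can be modelled as a small state machine. The Python sketch below is an added illustration, not code from the patent: the class and function names, the 0.5-second window and the MAC address are constructed, time is passed in explicitly instead of using a real timer, and it assumes that the type being probed counts as already recorded, so only a different type received during the window triggers a follow-up probe.

```python
from dataclasses import dataclass, field

STATE1, STATE2, STATE3 = 1, 2, 3              # Station states from Fig. 2
DISASSOC, DEAUTH = "disassociation", "de-authentication"
RANK = {DISASSOC: 0, DEAUTH: 1}               # Disassociation ranks lower
TARGET_STATE = {DISASSOC: STATE2, DEAUTH: STATE1}
MAC = "02:00:00:00:00:01"                     # constructed sample address


@dataclass
class Guard:
    """Attack-protection state the AP keeps for one Station (step 506)."""
    msg_type: str                   # recorded type of the message being checked
    deadline: float                 # expiry of the security protection timer
    heard: bool = False             # any frame from the Station in the window
    later_types: set = field(default_factory=set)  # other types seen meanwhile


class AccessPoint:
    def __init__(self, window=0.5):           # timer length is an assumed value
        self.window = window
        self.stations = {}                    # MAC -> state
        self.guards = {}                      # MAC -> Guard
        self.probes = []                      # (time, MAC) of NULL-Data sent

    def _probe(self, now, mac, msg_type):
        self.guards[mac] = Guard(msg_type, now + self.window)
        self.probes.append((now, mac))        # stands in for sending NULL-Data

    def on_teardown(self, now, src_mac, msg_type):
        """Steps 502-506: a Disassociation/De-authentication message arrives."""
        if self.stations.get(src_mac) != STATE3:
            return "handled per IEEE 802.11"  # unknown Station or not State3
        guard = self.guards.get(src_mac)
        if guard is not None:                 # already in attack-protection state
            if msg_type != guard.msg_type:
                guard.later_types.add(msg_type)   # record each type only once
            return "discarded"
        self._probe(now, src_mac, msg_type)
        return "probing"

    def on_station_frame(self, now, mac):
        """An ACK or any other message that really comes from the Station."""
        guard = self.guards.get(mac)
        if guard is not None and now < guard.deadline:
            guard.heard = True

    def tick(self, now):
        """Steps 507-509: evaluate every timer that has expired by `now`."""
        outcome = {}
        for mac, guard in list(self.guards.items()):
            if now < guard.deadline:
                continue
            del self.guards[mac]
            if guard.heard:                   # Station is alive: message was forged
                outcome[mac] = "kept"
                if guard.later_types:         # re-check lowest-ranked recorded type
                    self._probe(now, mac, min(guard.later_types, key=RANK.get))
            else:                             # silent Station: honour the request
                new_state = TARGET_STATE[guard.msg_type]
                if new_state == STATE1:
                    del self.stations[mac]    # AP deletes the Station's record
                else:
                    self.stations[mac] = new_state
                outcome[mac] = "disconnected"
        return outcome


def forged_flood():
    """Forged messages arrive while the real Station keeps answering probes."""
    ap = AccessPoint()
    ap.stations[MAC] = STATE3
    replies = [ap.on_teardown(0.0, MAC, DEAUTH),
               ap.on_teardown(0.1, MAC, DEAUTH),
               ap.on_teardown(0.1, MAC, DISASSOC)]
    ap.on_station_frame(0.2, MAC)             # ACK to the first NULL-Data
    first = ap.tick(0.5)                      # kept; Disassociation re-probed
    ap.on_station_frame(0.6, MAC)             # ACK to the second NULL-Data
    second = ap.tick(1.0)
    return replies, first, second, ap.stations.get(MAC), len(ap.probes)


def genuine_leave(msg_type):
    """The Station really leaves, so it never answers the probe."""
    ap = AccessPoint()
    ap.stations[MAC] = STATE3
    ap.on_teardown(0.0, MAC, msg_type)
    return ap.tick(0.5), ap.stations.get(MAC)
```

Three forged messages cost the AP two NULL-Data probes in total, and the Station stays in State3; a Station that really leaves is moved to State2 or removed once the timer expires.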
Embodiment 2
Fig. 7 shows the flowchart of the link-disconnection method in this embodiment. Referring to Fig. 7, the method comprises the following steps:
In step 701, the Station, as a wireless user, runs normally.
In steps 702~703, it is judged whether the AP has received a disassociation message or a deauthentication message; if so, the corresponding Station is looked up according to the source MAC address of the received message, and execution continues with step 704; otherwise, execution returns to step 701.
In steps 704~705, it is judged whether this Station exists and, if it exists, whether it is in the State3 state; if the Station exists and its state is State3, execution continues with step 706; otherwise, the message is handled as the IEEE 802.11 protocol prescribes, and this link-disconnection flow ends.
In step 706, the AP records the type of the received link-disconnect message, starts the preset safeguard protection timer, and sends a NULL-Data message to the Station to probe the state of this Station.
Steps 701 to 706 above are identical to steps 501 to 506 in Embodiment 1.
In steps 707~710, it is judged whether the AP has received a message from the Station; if so, the safeguard protection timer stops timing and is cleared, and execution returns to step 701; otherwise, it is judged whether the safeguard protection timer has expired: when the timer has expired, the Station's WLAN link connection is disconnected according to the disassociation or deauthentication message that the AP received; when it has not yet expired, execution returns to step 707.
If, while the safeguard protection timer is running, the AP receives the ACK message corresponding to the NULL-Data message, or any other message, sent by the Station, this shows that the Station is operating normally and has not asked to disconnect its link; the disassociation or deauthentication message that the AP received was therefore an invalid message sent by an illegal wireless user. The AP accordingly performs no operation on this Station other than stopping the safeguard protection timer and ending the safeguard protection for this Station, and the Station continues to run normally. If the AP still has not received any message from this Station when the safeguard protection timer expires, this shows that the disassociation or deauthentication message that the AP received was sent by this Station, and the AP therefore disconnects this Station's WLAN link connection.
This completes the link-disconnection flow of this embodiment.
As the steps of this embodiment show, when the AP receives a message from the Station after sending the NULL-Data message, it directly stops and clears the safeguard protection timer, so that the AP leaves the attack protection state for this Station. Thus, each time the AP receives a disassociation or deauthentication message, it starts the safeguard protection timer, enters the attack protection state, and sends a NULL-Data message to this Station.
In this embodiment, when the AP receives a link-disconnect message, it probes the link state of the Station corresponding to that message by sending a NULL-Data message or the like, and disconnects the Station's WLAN link connection only when the Station's link state is abnormal. This embodiment can therefore likewise effectively resist attacks that an illegal wireless user carries out against a legal wireless user by counterfeiting link-disconnect messages, and improves network service quality. This embodiment also uses messages of the IEEE 802.11 protocol, such as NULL-Data, to probe the link state, which is simple to implement and highly practical.
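The Embodiment 2 flow (steps 702 to 710) can be followed in the sketch below, which is an added illustration and not code from the patent. The class and method names, the `send_null_data` hook, the 0.5 s timer value, the return strings, and the choice to drop repeated link-disconnect messages while the timer runs (borrowed from Embodiment 1) are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional

class State(Enum):
    STATE1 = 1  # not authenticated, not associated
    STATE2 = 2  # authenticated, not associated
    STATE3 = 3  # authenticated and associated

DISASSOC, DEAUTH = "disassociation", "deauthentication"

@dataclass
class Station:
    state: State = State.STATE3
    pending: Optional[str] = None     # recorded message type (step 706)
    deadline: Optional[float] = None  # expiry of the safeguard protection timer

class AccessPoint:
    def __init__(self, send_null_data: Callable[[str], None], guard_seconds: float = 0.5):
        self.stations: Dict[str, Station] = {}
        self.send_null_data = send_null_data  # hypothetical radio hook
        self.guard_seconds = guard_seconds    # assumed value; the patent gives none

    def on_disconnect_frame(self, src_mac: str, kind: str, now: float) -> str:
        """Steps 702-706: look up by source MAC, require State3, then probe."""
        sta = self.stations.get(src_mac)
        if sta is None or sta.state is not State.STATE3:
            return "handled-per-802.11"
        if sta.deadline is not None:
            # Assumption: repeats during the timer are dropped, as in Embodiment 1.
            return "dropped"
        sta.pending, sta.deadline = kind, now + self.guard_seconds
        self.send_null_data(src_mac)
        return "probing"

    def on_frame_from_station(self, src_mac: str, now: float) -> str:
        """Steps 707-708: an ACK or any other frame stops and clears the timer."""
        sta = self.stations.get(src_mac)
        if sta is None or sta.deadline is None or now >= sta.deadline:
            return "no-op"
        sta.pending = sta.deadline = None
        return "forged-request-ignored"

    def tick(self, now: float) -> List[str]:
        """Steps 709-710: on expiry, apply the recorded message type."""
        dropped = []
        for mac, sta in self.stations.items():
            if sta.deadline is not None and now >= sta.deadline:
                # Disassociation leaves the Station authenticated; deauthentication does not.
                sta.state = State.STATE2 if sta.pending == DISASSOC else State.STATE1
                sta.pending = sta.deadline = None
                dropped.append(mac)
        return dropped

if __name__ == "__main__":
    probes: List[str] = []
    ap = AccessPoint(probes.append)
    ap.stations["00:11:22:33:44:55"] = Station()  # constructed sample MAC
    print(ap.on_disconnect_frame("00:11:22:33:44:55", DEAUTH, now=0.0))
    print(ap.on_frame_from_station("00:11:22:33:44:55", now=0.1))
    print(ap.tick(now=1.0), ap.stations["00:11:22:33:44:55"].state)
```

The sketch passes the clock in as `now` so the timer logic can be exercised without real delays; an AP would call `tick` from its own timer facility.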
The above describes embodiments of the link-disconnection method according to the inventive concept; the AP device of the present invention that can carry out the link-disconnection method is described below.
Fig. 8 shows a schematic structural diagram of the AP device of an embodiment of the invention. As shown in Fig. 8, the AP device comprises a data memory module, a communication module and a control module. The data memory module stores information on the wireless users that have established a wireless local area network (WLAN) link connection. The communication module receives link-disconnect messages and sends each received link-disconnect message to the control module; under the direction of the control module, it probes a wireless user's link state, submits the probe result to the control module, and disconnects the wireless user's link connection. The control module determines, according to the wireless user information stored in the data memory module, the wireless user corresponding to the link-disconnect message that came from the communication module, directs the communication module to probe the link state of the determined wireless user, determines this wireless user's link state according to the probe result submitted by the communication module, and, when this wireless user's link state is abnormal, notifies the communication module to disconnect this wireless user's WLAN link connection.
Further, the AP device shown in Fig. 8 also comprises a safeguard protection timer, which times under the direction of the control module and notifies the control module when timing is complete.
In this way, an AP with the above structure cooperates with the Station to carry out the link-disconnection method of the present invention, effectively resisting the impact of illegal wireless users on legal wireless users.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
Claims (12)
1. A link-disconnection method, characterized in that the method comprises:
A. when an access point (AP) receives a link-disconnect message, it determines the wireless user that corresponds to the message and has established a wireless local area network (WLAN) link connection; the AP probes this wireless user's link state and starts a preset safeguard protection timer;
B. when the AP receives no response from the wireless user while the safeguard protection timer is running, it judges that this wireless user's link state is abnormal and, according to the received message, disconnects this wireless user's WLAN link connection.
2. The method of claim 1, characterized in that said determining, in step A, the wireless user that corresponds to the message and has established a WLAN link connection comprises:
the AP searches itself for the corresponding wireless user according to the source media access control (MAC) address in the received link-disconnect message; when this wireless user is found, if the wireless user is in the state of having authenticated successfully and completed link connection, the wireless user is determined to be the wireless user that corresponds to said message and has established a WLAN link connection.
3. The method of claim 1, characterized in that said probing of this wireless user's link state by the AP in step A is:
the AP sends a state probe message to said wireless user.
4. The method of claim 3, characterized in that said state probe message is a message that conforms to the IEEE 802.11 protocol.
5. The method of claim 4, characterized in that said message that conforms to the IEEE 802.11 protocol is a null data (NULL-Data) message.
6. The method of claim 3, 4 or 5, characterized in that said step B comprises:
B11. the safeguard protection timer expires; if the AP has not received, while the safeguard protection timer was running, a response to the state probe message from said wireless user, it judges that said wireless user's link state is abnormal;
B12. when said link-disconnect message is a disassociation message, said wireless user is transitioned to the state of having authenticated successfully but not completed link connection; when said link-disconnect message is a deauthentication message, said wireless user is transitioned to the state of having neither authenticated successfully nor completed link connection.
7. The method of claim 6, characterized in that, after the safeguard protection timer of step B11 expires, the method further comprises:
if the AP received, while the safeguard protection timer was running, a response to the state probe message from said wireless user, it judges that said wireless user's link state is normal and ends this link-disconnection flow.
8. The method of claim 7, characterized in that, before said step B11, the method further comprises:
the AP again receives a link-disconnect message corresponding to said wireless user, and judges whether the type of the again-received link-disconnect message is already stored in the AP; if so, it discards the message and executes step B11; otherwise, it records the message type of the again-received link-disconnect message, discards the message, and then executes said step B11;
after said judging that the wireless user's link state is normal, the method further comprises: reading the lowest-level message type among the recorded link-disconnect message types, and returning to execute said step A.
9. The method of claim 3, 4 or 5, characterized in that said step B comprises:
B21. it is judged whether the AP has received a response to the state probe message from said wireless user; if so, the safeguard protection timer stops timing and this link-disconnection flow ends; otherwise, the safeguard protection timer expires, said wireless user's link state is judged to be abnormal, and step B22 is executed;
B22. when said link-disconnect message is a disassociation message, said wireless user is transitioned to the state of having authenticated successfully but not completed link connection; when said link-disconnect message is a deauthentication message, said wireless user is transitioned to the state of having neither authenticated successfully nor completed link connection.
10. The method of claim 6, characterized in that, before said AP sends the state probe message, the method further comprises: the AP records the type of the received link-disconnect message;
before said step B12, the method further comprises: the AP determines, according to the message type it has recorded, whether said link-disconnect message is a disassociation message or a deauthentication message.
11. An access point (AP) device, characterized in that the device comprises a data memory module, a communication module and a control module, wherein:
the data memory module is used to store information on the wireless users that have established a wireless local area network (WLAN) link connection;
the communication module is used to receive link-disconnect messages, send each received link-disconnect message to the control module, probe a wireless user's link state under the direction of the control module, submit the probe result to the control module, and disconnect the wireless user's link connection;
the control module is used to determine, according to the wireless user information stored in the data memory module, the wireless user corresponding to the link-disconnect message that came from the communication module, direct the communication module to probe the link state of the determined wireless user, determine this wireless user's link state according to the probe result submitted by the communication module, and, when this wireless user's link state is abnormal, notify the communication module to disconnect this wireless user's WLAN link connection.
12. The device of claim 11, characterized in that the device further comprises a safeguard protection timer, which is used to time under the direction of the control module and to notify said control module when timing is complete.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2006100775532A CN100428721C (en) | 2006-04-30 | 2006-04-30 | Link connection cutting method and access point device in WLAN |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2006100775532A CN100428721C (en) | 2006-04-30 | 2006-04-30 | Link connection cutting method and access point device in WLAN |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1881920A (en) | 2006-12-20 |
CN100428721C (en) | 2008-10-22 |
Family
ID=37519906
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2006100775532A Expired - Fee Related CN100428721C (en) | 2006-04-30 | 2006-04-30 | Link connection cutting method and access point device in WLAN |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100428721C (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104254139B (en) * | 2013-06-25 | 2019-02-19 | 华为终端有限公司 | A kind of message transmitting method, system and website |
CN105356956B (en) * | 2015-10-22 | 2018-11-27 | 普联技术有限公司 | Communication quality detection method and device between wireless extensions device and access point |
CN105635185A (en) * | 2016-03-25 | 2016-06-01 | 珠海网博信息科技股份有限公司 | Method and device for preventing sniffing under WIFI environment |
CN108924842A (en) * | 2017-03-23 | 2018-11-30 | 华为技术有限公司 | It is a kind of to keep associated method and wireless access point device |
CN108289299B (en) * | 2017-05-31 | 2020-12-29 | 新华三技术有限公司 | Method and device for preventing user from being offline |
CN110418431A (en) * | 2019-07-26 | 2019-11-05 | 新华三技术有限公司成都分公司 | A kind of control method and device of communication connection |
CN112822141B (en) * | 2019-10-31 | 2023-03-31 | 中国电信股份有限公司 | Method, apparatus, user terminal and computer readable medium for preventing attacks in a WLAN |
CN111223219A (en) * | 2019-12-31 | 2020-06-02 | 深圳阜时科技有限公司 | Identity recognition method and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1491056A (en) * | 2002-09-12 | 2004-04-21 | Lg电子株式会社 | Method for managing wireless bearing in mobile communication system |
US20050262569A1 (en) * | 2004-05-10 | 2005-11-24 | Trusted Network Technologies, Inc. | System, apparatuses, methods and computer-readable media for determining security status of computer before establishing connection thereto first group of embodiments-claim set II |
US20050268342A1 (en) * | 2004-05-14 | 2005-12-01 | Trusted Network Technologies, Inc. | System, apparatuses, methods and computer-readable media for determining security status of computer before establishing network connection second group of embodiments-claim set II |
CN1735278A (en) * | 2004-06-17 | 2006-02-15 | Lg电子株式会社 | mobile telecommunication system and method for session termination |
CN1756201A (en) * | 2004-09-28 | 2006-04-05 | 上海贝尔阿尔卡特股份有限公司 | Connection interrupt detecting method and device for IPv6 access network |
Non-Patent Citations (1)
Title |
---|
US2005/0268342A1 2005.12.01 |
Also Published As
Publication number | Publication date |
---|---|
CN1881920A (en) | 2006-12-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN100428721C (en) | Link connection cutting method and access point device in WLAN | |
US7969937B2 (en) | System and method for centralized station management | |
JP4477882B2 (en) | Hidden node detection in wireless local area networks | |
US8817788B2 (en) | Wireless communication terminal, method, program, recording medium, and wireless communication system | |
US7783756B2 (en) | Protection for wireless devices against false access-point attacks | |
US8203996B2 (en) | Communication device, wireless communication device, and control method | |
US10243974B2 (en) | Detecting deauthentication and disassociation attack in wireless local area networks | |
JP4410070B2 (en) | Wireless network system and communication method, communication apparatus, wireless terminal, communication control program, and terminal control program | |
CN104580152A (en) | Protection method and system against wifi (wireless fidelity) phishing | |
EP2109986A2 (en) | Approach for mitigating the effects of rogue wireless access points | |
US8619995B2 (en) | Methods and apparatus related to address generation, communication and/or validation | |
CN102480729A (en) | Method for preventing faked users and access point in radio access network | |
JP7079994B1 (en) | Intrusion blocking method for unauthorized wireless terminals using WIPS sensor and WIPS sensor | |
US9444837B2 (en) | Process and devices for selective collision detection | |
US20060133401A1 (en) | Communication apparatus, wireless communication terminal, wireless communication system, and wireless communication method | |
CN106454812A (en) | Method and device for receiving data | |
US8117658B2 (en) | Access point, mobile station, and method for detecting attacks thereon | |
CN113132993B (en) | Data stealing identification system applied to wireless local area network and use method thereof | |
CN107579955B (en) | Dynamic host configuration protocol monitoring and protecting method and system | |
JP7473972B2 (en) | Access point, communication system, and communication method | |
JP4882591B2 (en) | Radio base station, radio base station program and control method | |
CN117296296A (en) | Method for defending attempts to disconnect two entities and associated system | |
KR20050049471A (en) | Wireless local or metropolitan area network with intrusion detection features and related methods | |
TW201112811A (en) | Service network detecting system and method | |
WO2007123228A1 (en) | Multicast packet transmitting apparatus, multicast packet transferring apparatus and multicast packet receiving apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, 466. Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base. Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd. |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20081022 |