CN100428721C - Link connection cutting method and access point device in WLAN - Google Patents

Link connection cutting method and access point device in WLAN Download PDF

Info

Publication number
CN100428721C
CN100428721C CNB2006100775532A CN200610077553A CN100428721C CN 100428721 C CN100428721 C CN 100428721C CN B2006100775532 A CNB2006100775532 A CN B2006100775532A CN 200610077553 A CN200610077553 A CN 200610077553A CN 100428721 C CN100428721 C CN 100428721C
Authority
CN
China
Prior art keywords
message
link
wireless user
cut
state
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2006100775532A
Other languages
Chinese (zh)
Other versions
CN1881920A (en
Inventor
赵玉金
张海涛
史扬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd filed Critical Hangzhou H3C Technologies Co Ltd
Priority to CNB2006100775532A priority Critical patent/CN100428721C/en
Publication of CN1881920A publication Critical patent/CN1881920A/en
Application granted granted Critical
Publication of CN100428721C publication Critical patent/CN100428721C/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention discloses a cut-off method for link connection, which comprises steps that A, when a cut-off link connection message is received by AP, a wireless user corresponding to the message is determined, and the link state of the wireless user is detected by AP; B, when the link state of the wireless user is abnormal, the WLAN link connection of the wireless user is cut off according to the received message. The present invention also discloses an AP device which comprises a data storage module, a communication module and a control module. The attack of an illegal wireless user to a legal wireless user can be effectively defended by the present invention.

Description

Link-attached cutting-off method and access point apparatus in the WLAN (wireless local area network)
Technical field
The present invention relates to the wireless lan (wlan) technology, relate in particular to link-attached cutting-off method and access point (AP) device among the WLAN.
Background technology
Increasingly mature along with the electronics and the communication technology provides the application of WLAN of the wireless connections service in the local area network (LAN) scope also day by day extensive.Electric electronic engineering association (IEEE) 802.11 protocol groups have defined the correlation properties of medium access control (MAC) layer and physics (PHY) layer of WLAN, realize the access of multiple speed, and multiple radio function is provided.Particularly, the IEEE802.11 agreement has realized the wireless access of 2M speed; The IEEE802.11b agreement is supported the wireless access of 11M speed; IEEE802.11g agreement and IEEE802.11a agreement are then supported the wireless access of 54M speed; The IEEE802.11n agreement then can be supported the wireless access of 108M speed; 802.11i be devoted to solve 802.11 safety problem, defined wireless user's authentication and encipherment protection; Or the like.
The IEEE802.11 protocol definition link layer protocol of WLAN, and stipulated to comprise that link scanning (Scanning) stage, link authentication (Authentication) stage and link connect the link negotiation process in (Association) stage etc.The wireless user has only the negotiation through above-mentioned three processes after selecting wlan network, can successfully set up the WLAN link that meets the IEEE802.11 agreement and connect.
Fig. 1 shows the application networking schematic diagram of existing WLAN.As shown in Figure 1, comprise AP and in the wlan network at least as each Station of wireless user.Wherein, AP is the wireless transmitting-receiving equipments as the WLAN service equipment, send after the data that its role is to come from the cable network such as internet (Internet) are converted to wireless signal, and the wireless signal that receives is converted to cable network can be transmitted to cable network after the recognition data.
Usually, AP self is being provided with extended service set (ESS), all corresponding unique ESS service identifiers (ESSID) of each ESS, and AP passes through the Beacon message, all Station broadcasting ESSID in WLAN.Station is by passive reception Beacon message or initiatively send the Probe message to AP, carries out link scanning, obtains ESSID, thereby finds the WLAN service around this Station.When Station need enjoy this WLAN service, then initiate to insert the request of WLAN.AP authenticates Station according to pre-configured link authentication algorithm, and behind authentication success, Station and AP are mutual, carry out the negotiation in Association stage.After finishing Association and consulting, Station just can be linked in the wlan network that this AP provides.
Fig. 2 shows the view of Station among the WLAN.As shown in Figure 2, each Station all has the state that on behalf of this Station, three kinds of states (State): State1 be in bad authentication and do not connect with WLAN; But on behalf of this Station, State2 be in success identity the state that does not connect with WLAN; The state that on behalf of this Station, State3 be in success identity and connected with WLAN.Particularly, when AP receives the message identifying of Station first, create the data structure of this Station correspondence, be used to apply for preserving the internal memory of this Station information, make its corresponding uniquely MAC Address, and the state (State) of this Station is State1 at this moment.When Station successfully passed through link authentication, its state switched to State2.When Station finish and WLAN between link Association process after, its state switches to State3, successfully has been linked in the wlan network.
When AP receive come from the removing authentication (De-authentication) message or remove to connect (Disassociation) message of Station after, cut off this Station and be connected with link between the WLAN.In other words, when Station is in State3, connect message if AP receives, then the state with this Station switches to State2; If AP receives message identifying, then the state with this Station switches to State1.
When adopting said method that the Station among the WLAN is cut off the link connection, illegal wireless user (Rogue Station) can realize the attack to legal wireless user among the WLAN by send counterfeit going connection or remove message identifying to AP.Fig. 3 shows the schematic diagram that the illegal wireless user attacks legal wireless user when adopting existing cut-out link method of attachment.As shown in Figure 3, when legal Station sets up after link is connected with WLAN with 302 through step 301, the illegal wireless user is counterfeit this Station in step 303, remove to connect or go message identifying to the AP transmission, then in step 304, AP receive counterfeit go authentication or go to connect message after, think the transmit leg of this message by mistake legal Station, then cut off this Station and be connected with link between the AP.Like this, legal Station just switches to State2 or State1 by State3, thereby can't conduct interviews to wlan network, also can't enjoy the service that WLAN provides.
As seen, cut off link-attached method among the existing WLAN and can't resist impact of illegal wireless user on legal wireless user, make legal wireless user by wlan network disconnecting link connection mistakenly.In order to continue to obtain the network service that WLAN provides, the negotiation of the three phases that legal wireless user can only be by re-executing IEEE802.11 agreement regulation inserts WLAN once more.Therefore, cut off link-attached method among the existing WLAN and make that the quality of network service is lower, user's satisfaction is relatively poor.
Summary of the invention
In view of this, the invention provides link-attached cutting-off method and AP device among a kind of WLAN, can resist impact of illegal wireless user on legal wireless user.
For achieving the above object, the invention provides link-attached cutting-off method among a kind of WLAN, this method may further comprise the steps:
A. access point AP receives and cuts off link when connecting message, and that determines this message correspondence sets up the link-attached wireless user of WLAN (wireless local area network) WLAN, and this wireless user's of this AP detection Link State also starts the safeguard protection timer that sets in advance;
B. do not receive described wireless user's response as the described AP of described safeguard protection timer run duration, the time, judge that this wireless user's Link State is improper, according to the described message that receives, the WLAN link that disconnects this wireless user connects.
Wherein, steps A is described determines that the link-attached wireless user of WLAN that sets up of this message correspondence comprises:
AP is according to the media access control MAC address, source in the cut-out link connection message that receives, self searching corresponding wireless user, when finding this wireless user, if this wireless user is in authentication success and finishes link-attached state, what then this wireless user is defined as described message correspondence sets up the link-attached wireless user of WLAN.
Wherein, this wireless user's of described this AP detection of steps A Link State is:
AP is to described wireless user's transmit status probe messages.
Wherein, described state detection message is the message that meets the IEEE802.11 agreement.
Wherein, the message of the described IEEE802.11 of meeting agreement is: empty data NULL-Data message.
Preferably, described step B comprises:
B11. the safeguard protection timer expires, if AP does not receive the response to the state detection message that comes from described wireless user at described safeguard protection timer run duration, judges that then described wireless user's Link State is improper;
B12. connect message when going to connect message at described cut-out link, described wireless user is transformed into authentication success but does not finish link-attached state, connect message when removing message identifying at described cut-out link, described wireless user is transformed into authentication not successfully and do not finish link-attached state.
Preferably, after the described safeguard protection timer of step B11 expired, this method further comprised:
If AP receives the response to the state detection message that comes from described wireless user at described safeguard protection timer run duration, the Link State of then judging described wireless user is normal, and finishes the connection of this link and cut off flow process.
Preferably, further comprise before the described step B11:
The cut-out link that AP receives once more corresponding to described wireless connections user connects message, judges the type of whether preserving the cut-out link packet correspondence that receives once more among the AP, if, then abandon this message, and execution in step B11; Otherwise,, then carry out described step B11 with abandoning behind the cut-out link connection message accounting type of message that receives once more;
Described judgement wireless user's Link State be normal after, further comprise: read the minimum type of message of rank in the cut-out link packet type that is write down, and return the described steps A of execution.
Preferably, described step B comprises:
B21. judge whether AP receives the response to the state detection message that comes from described wireless user,, and finish the connection of this link and cut off flow process if then the safeguard protection timer stops timing; Otherwise the safeguard protection timer expires, and judges that described wireless user's Link State is improper, and execution in step B22;
B22. connect message when going to connect message at described cut-out link, described wireless user is transformed into authentication success but does not finish link-attached state, connect message when removing message identifying at described cut-out link, described wireless user is transformed into authentication not successfully and do not finish link-attached state.。
Preferably, before the described AP transmit status probe messages, this method further comprises: the cut-out link that AP recorder is arrived connects the type of message;
Before the described step B12, this method further comprises: AP determines that according to the type of message that self writes down described cut-out link connects message and connects message or remove message identifying for going.
The present invention also provides a kind of AP device, and this device comprises: data memory module, communication module and control module, wherein,
Data memory module is used for preserving the link-attached wireless user's information of WLAN (wireless local area network) WLAN of having set up;
Communication module is used for receiving the cut-out link and connects message, the link that receives is connected message send to control module, under the indication of control module, wireless user's Link State is surveyed, and result of detection submitted to control module, and disconnection of wireless user's link connects;
Control module is used for wireless user's information of preserving according to data memory module, the cut-out of determining to come from communication module connects the wireless user of message correspondence, the indication communication module carries out the detection of Link State to determined wireless user, result of detection according to the communication module submission, determine this wireless user's Link State, and when this wireless user's Link State was improper, the WLAN link that the notification communication module disconnects this wireless user connected.
Preferably, this device further comprises: the safeguard protection timer, and this safeguard protection timer is used for timing under the indication of control module, and in the described control module of timing Inform when done.
Use the present invention, WLAN can resist impact of illegal wireless user on legal wireless user.Particularly, the present invention has following beneficial effect:
When receiving, AP cuts off link when connecting message among the present invention, by sending such as state detection messages such as empty data messages, survey and cut off the Link State that link connects the Station of message correspondence, when having only the Link State of this Station improper, the WLAN link that just disconnects this Station connects.Like this, can resist the illegal wireless user effectively connects message and to the attack that legal wireless user carries out, improves network service quality by counterfeit cut-out link.
Further; can be among the present invention so that AP receives during the timing of safeguard protection timer when connecting message at the cut-out link of this Station once more; when preserving the type of this cut-out link packet correspondence among the AP; directly abandon this message; and when not having the type of preserving this cut-out link connection message correspondence among the AP; abandon after the recorded message type; then when definite this Station is subjected to malicious attack, determine whether to disconnect the WLAN link connection of this Station according to the type of message of record.Like this; even receiving a plurality of identical cut-out links in the safeguard protection phase, AP connects message; also just carry out the record of a type of message; and after the phase of safeguard protection first finishes; at the minimum type of message of rank in the type of message that is write down, resend the NULL-Data message.Therefore, can prevent effectively that the illegal wireless user from sending continuously that a plurality of cut-out links connect messages and the phenomenon that causes the continuous transmit status probe messages of AP, thereby avoid impact that wlan network is caused.
In addition, the present invention utilizes the message in the IEEE802.11 agreement to realize the detection of Link State, realizes that simply operability is stronger.
Description of drawings
To make clearer above-mentioned and other feature and advantage of the present invention of those of ordinary skill in the art by describe exemplary embodiment of the present invention in detail with reference to accompanying drawing below, in the accompanying drawing:
Fig. 1 is the application networking schematic diagram of WLAN;
Fig. 2 is the view of Station among the WLAN;
Fig. 3 is the schematic diagram that the illegal wireless user attacked legal wireless user when link connected cutting-off method among the existing WLAN of employing;
Fig. 4 connects the flow chart of cutting-off method for link among the WLAN of the present invention;
Fig. 5 is the flow chart that link connects cutting-off method in the embodiment of the invention 1;
Fig. 6 is the signaling process figure of Station situation incision under attack chain rupture road method of attachment in the embodiment of the invention 1;
Fig. 7 is the flow chart that link connects cutting-off method in the embodiment of the invention 2;
Fig. 8 is the structural representation of AP device in the embodiment of the invention.
Embodiment
For making purpose of the present invention, technical scheme clearer, below with reference to the accompanying drawing embodiment that develops simultaneously, the present invention is described in further detail.
The present invention is a kind of link-attached cutting-off method, its basic thought is: when AP receives when setting up the relevant cut-out link of the link-attached wireless user of WLAN and connect message, state to this wireless user is surveyed, and when this wireless user's link was in abnormal condition, the WLAN link that cuts off this wireless user connected.
Fig. 4 shows the flow chart of link cutting-off method among the present invention.Referring to Fig. 4, this method comprises:
In step 401, receive at AP and to cut off link when connecting message, that determines this cut-outs link connection message correspondence sets up the link-attached wireless user of WLAN, this wireless user's of this AP detection Link State;
In step 402, when this wireless user's Link State was improper, the WLAN link that disconnects this wireless user connected.
Among the present invention, cut off link and connect message and comprise at least and connect message and remove message identifying, and AP can come that the wireless user is carried out Link State and survey with the message that meets the IEEE802.11 agreement as the state detection message.Adopt sending empty data (NULL-Data) message with AP below, to come detection wireless user's Link State be example, and the embodiment of foundation inventive concept is described.
Embodiment 1
Fig. 5 shows and cuts off link-attached method flow diagram in the present embodiment.Referring to Fig. 5, this method may further comprise the steps:
In step 501, normally move as wireless user's Station.
In step 502~503, judge whether AP receives and connect message or remove message identifying, if then search corresponding Station, and continue execution in step 504 according to the source MAC of the message that receives; Otherwise, return execution in step 501.
In WLAN, when Station wants to roll off the production line, can send to AP and remove to connect message or remove message identifying, disconnecting self is connected with WLAN link between the AP, and after sending message, can the message that receive not given a response, can think that the Station of this moment is in abnormal condition.Because all corresponding unique MAC Address of each Station all can carry source MAC in the header that therefore goes to connect message and remove message identifying, is used to represent to send the Station of message.When AP receives when connecting message or removing message identifying, determine the sender of message by the source MAC of this message, promptly AP is index with the source MAC, retrieves in the MAC Address of self preserving.
In step 504~505, judge whether to exist this Station, and when having this Station, judge whether this Station is in the State3 state, be State3 if having this Station and its state, then continue execution in step 506; Otherwise, handle according to the regulation of IEEE802.11 agreement, and finish the connection of this link and cut off flow process.
When AP finds the record identical with source MAC in the MAC Address of self preserving, show to exist and the corresponding Station of message that receives.When having only Station to be in the State3 state, just can be successfully to have set up the WLAN link to connect, promptly this Station be in line states, and therefore, the Station that only is in State3 can refer to disconnecting link is connected the execute protection processing.
Perhaps there is this Station in the Station that goes to connect or go the message identifying correspondence when not existing AP to receive, but it is not to be in when successfully setting up link-attached State3 state, then carries out subsequent operation according to the IEEE802.11 agreement.For example, AP receives message identifying, and when still causing not finding the Station of this message correspondence owing to rolling off the production line of this AP, AP is a destination address with the source MAC in this message, sends and removes message identifying, can normally roll off the production line to guarantee this Station.
In step 506, the cut-out link that AP recorder is arrived connects type of message, starts the safeguard protection timer, and sends the NULL-Data message to Station, surveys the state of this Station.
Present embodiment sets in advance the safeguard protection timer, and the timing duration of this safeguard protection timer equals in the present embodiment safeguard protection phase to Station.During the timing of this timer, AP enters attack protection (Attack-Protection) state at this Station.When AP is in the attack protection state, if receive once more to should Station go connect or remove message identifying, then judge whether preserve the type of going to connect or go the message identifying correspondence that receives once more among the AP, if then abandon this message; Otherwise, after the class record of this message got off, abandon.Then cut off link-attached flow performing and determine to read the minimum type of message of rank in the type of message that is write down under this Station situation under attack after finishing, and determine whether to carry out link and cut off, promptly begin to carry out from step 503 at this.Because the rank of going to connect message is lower than message identifying, therefore exist at the same time and remove to connect message and go under the situation of message identifying, AP resends the NULL-Data message at going to connect message, and when not receiving the ACK message, is State2 with the state exchange of Station.If the requirement of user's reality is to be transformed into State1, extended meeting detects the state of self behind the user, and carries out according to the operation in the existing protocol, finally is transformed into State1.
For example; what AP received first is message identifying, during the timing of safeguard protection timer, receive at same Station remove to connect message, do not connect message and recorded among the AP; then note the type of message received once more for removing to connect message, and with the packet loss that is recorded.Determining that message identifying is after the illegal wireless user of malice sends and keeps the normal operation of Station, at write down start of heading execution in step 503~step 509 operation.
And for example; if in the safeguard protection phase that after AP receives message identifying first, starts; receive and more remove to connect message; then AP just once removes to connect the type of message record of message; and after the safeguard protection phase that starts first, AP only resends a detection once more that the NULL-Data message carries out the Station state.
In addition; if in the safeguard protection phase that after AP receives message identifying first, starts; receive again and once remove to connect message and repeatedly remove message identifying; then AP just connects and goes message identifying respectively to carry out the type of message record one time going; and after the safeguard protection phase that starts first, AP only resends the detection once more that the NULL-Data message carries out the Station state at going to connect message.
As seen, determine to receive first go authentication or remove to connect message to be malicious attack the time, system only needs message identifying execution single treatment is gone to connect or gone to all that receive once more, promptly needn't all send the NULL-Data probe messages one time at each follow-up going authentication or removing to connect message of receiving.Thereby the attack protection that operates in the system that realizes under the situation that does not influence concrete function that abandons is herein protected.
When the safeguard protection timer picked up counting, AP was to the Station transmission NULL-Data message that goes to connect or go the message identifying correspondence that receives.The NULL-Data message is a kind of data message of IEEE802.11 protocol definition, and its type is data message 0x02, and subtype is do-nothing function (Nullfunction) 0x04.Do not comprise any data in this message.According to the IEEE802.11 agreement, for the Station that is in line states,, then return affirmation (ACK) message, in order to confirm to have received this NULL-Data message if receive the NULL-Data message that comes from AP.
In step 507~509, when the safeguard protection timer expires, judge whether AP receives the message that comes from Station during the timing of safeguard protection timer, if then return execution in step 501; Otherwise, connecting message or remove message identifying according to going of receiving of AP, the WLAN link that disconnects this Station connects.
The safeguard protection timer from start to stop timing during be AP be in the attack protection state during.If AP receives ACK message or other any messages of the NULL-Data message correspondence that Station sends during this, show that then this Station is in normal operating condition, it will not disconnect the requirement of connection, AP receives removes the invalid packet that connects or go message identifying then to send for the illegal wireless user, therefore AP does not carry out any operation to this Station, but makes this Station keep normal operation.If when the safeguard protection timer expires, AP does not receive any message that comes from this Station yet, shows that then going that AP receives connects or go message identifying to send for this Station, and the WLAN link that therefore disconnects this Station connects.
The link-attached method of WLAN that present embodiment breaks Station is: AP connects type of message from the cut-out link that self reads in record the step 506, and according to the type of message that is read Station is carried out state exchange.Particularly, if the link of AP record connects message for removing to connect message, then Station is transformed into State2 by State3; If the link of AP record connects message for removing message identifying, then this Station is transformed into State1 by State3.No matter Station is transformed into State1 or State2, is the WLAN link that cuts off this Station and connects.And, after the state exchange of Station is State1, the structural information of this Station that the AP deletion self is preserved.
So far the link of finishing in the present embodiment connects the cut-out flow process.
Fig. 6 shows and uses the signaling process figure that cuts off the link method of attachment in the present embodiment under the Station situation under attack.As shown in Figure 6, when after Station is by the link negotiation in the step 601, normally moving, if AP in step 602, receive corresponding to this Station go connect message or remove message identifying, then in step 603, send the NULL-Data message, survey the state of this Station to this Station; Because the link of Station is normal, remove to connect message or go message identifying to be sent out, so this Station returns ACK message corresponding to the NULL-Data message to AP in step 604 by the illegal wireless user.At this moment, AP confirms that this Station is under attack, then it is not carried out the operation of cutting off link.
By above-mentioned flow process as seen, when receiving, AP cuts off link when connecting message in the present embodiment, by sending the Link State that the NULL-Data message waits the Station that surveys this message correspondence, when having only the Link State of this Station improper, just disconnect the WLAN link connection of this Station.Present embodiment can be resisted the illegal wireless user effectively and connect message and to the attack that legal wireless user carries out, improved network service quality by counterfeit cut-out link.And; if the cut-out link that AP receives during the timing of safeguard protection timer once more at this Station in the present embodiment connects message; directly this literary composition is abandoned; can prevent effectively that the illegal wireless user from sending continuously a plurality of cut-out links and connecting messages and cause AP constantly to send the phenomenon of NULL-Data message, thereby avoid impact that wlan network is caused.In addition, present embodiment utilizes the NULL-Data message in the IEEE802.11 agreement to realize the detection of Link State, realizes that simply operability is stronger.
Embodiment 2
Fig. 7 shows and cuts off link-attached method flow diagram in the present embodiment.Referring to Fig. 7, this method may further comprise the steps:
In step 701, normally move as wireless user's Station.
In step 702~703, judge whether AP receives and connect message or remove message identifying, if then search corresponding Station, and continue execution in step 704 according to the source MAC of the message that receives; Otherwise, return execution in step 701.
In step 704~705, if judge whether to exist this Station and existence, whether this Station is in the State3 state, is State3 if having this Station and its state, then continues execution in step 706; Otherwise, handle according to the regulation of IEEE802.11 agreement, and finish the connection of this link and cut off flow process.
In step 706, the cut-out link that AP recorder is arrived connects type of message, starts the safeguard protection timer that sets in advance, and sends the NULL-Data message to Station, surveys the state of this Station.
Above-mentioned steps 701 to 706 is identical to 506 operation with step 501 among the embodiment 1.
In step 707~710, judge whether AP receives the message that comes from Station, if then the safeguard protection timer stops timing and zero clearing, then return execution in step 701; Otherwise, judge whether the safeguard protection timer expires, when this timer expires, connect message or remove message identifying according to going of receiving of AP, the WLAN link that disconnects this Station connects, and when not yet due, returns execution in step 707.
If AP receives ACK message or other any messages of the NULL-Data message correspondence that Station sends during the timing of safeguard protection timer; show that then this Station is in normal operating condition; the requirement that it does not want disconnecting link to connect; AP receives removes the invalid packet that connects or go message identifying then to send for the illegal wireless user; therefore AP does not carry out any operation to this Station; but stop the safeguard protection timer; end is to the safeguard protection of this Station, and this Station keeps normal operation.If when the safeguard protection timer expires, AP does not receive any message that comes from this Station yet, shows that then going that AP receives connects or go message identifying to send for this Station, and the WLAN link that therefore disconnects this Station connects.
So far, the link of finishing in the present embodiment connects the cut-out flow process.
By each step of present embodiment as seen; when AP receives the message that comes from Station in the present embodiment after sending the NULL-Data message; directly make the safeguard protection timer stop timing and zero clearing, thereby AP withdraw from the attack protection state at this Station.Like this, when AP receives connection at every turn or removes message identifying, all can start the safeguard protection timer, enter the attack protection state, and send the NULL-Data message to this Station.
When receiving, AP cuts off link when connecting message in the present embodiment, by sending the Link State that the NULL-Data message waits the Station that surveys this message correspondence, when having only the Link State of this Station improper, the WLAN link that just disconnects this Station connects.Therefore present embodiment can be resisted the attack that the illegal wireless user connects message and legal wireless user is carried out by counterfeit cut-out link equally effectively, the raising network service quality.And present embodiment also is to utilize messages such as NULL-Data in the IEEE802.11 agreement to realize the detection of Link State, realizes simply, and operability is stronger.
More than be the description that the link of foundation inventive concept is connected the embodiment of cutting-off method, below the AP device that can carry out link connection cutting-off method among the present invention described.
Fig. 8 shows the structural representation of the AP device of the embodiment of the invention.As shown in Figure 8, this AP device comprises: data memory module, communication module and control module, and wherein, data memory module is used for preserving the link-attached wireless user's information of WLAN (wireless local area network) WLAN of having set up; Communication module is used for receiving the cut-out link and connects message, the link that receives is connected message send to control module, under the indication of control module, wireless user's Link State is surveyed, and result of detection submitted to control module, and disconnection of wireless user's link connects; Control module is used for wireless user's information of preserving according to data memory module, the cut-out of determining to come from communication module connects the wireless user of message correspondence, the indication communication module carries out the detection of Link State to determined wireless user, result of detection according to the communication module submission, determine this wireless user's Link State, and when this wireless user's Link State was improper, the WLAN link that the notification communication module disconnects this wireless user connected.
Further, the AP device shown in Fig. 8 also comprises: the safeguard protection timer, and this safeguard protection timer is used for timing under the indication of control module, and in the described control module of timing Inform when done.
Like this, utilize said structure AP to cooperate with Station, the link of carrying out among the present invention connects cutting-off method, resists impact of illegal wireless user on legal wireless user effectively.
The above only is preferred embodiment of the present invention, and is in order to restriction the present invention, within the spirit and principles in the present invention not all, any modification of being made, is equal to replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (12)

1, a kind of link-attached cutting-off method is characterized in that, this method comprises:
A. access point AP receives and cuts off link when connecting message, and that determines this message correspondence sets up the link-attached wireless user of WLAN (wireless local area network) WLAN, and this wireless user's of this AP detection Link State also starts the safeguard protection timer that sets in advance;
B. when the described AP of described safeguard protection timer run duration does not receive described wireless user's response, judge that this wireless user's Link State is improper, according to the described message that receives, the WLAN link that disconnects this wireless user connects.
2, the method for claim 1 is characterized in that, steps A is described determines that the link-attached wireless user of WLAN that sets up of this message correspondence comprises:
AP is according to the media access control MAC address, source in the cut-out link connection message that receives, self searching corresponding wireless user, when finding this wireless user, if this wireless user is in authentication success and finishes link-attached state, what then this wireless user is defined as described message correspondence sets up the link-attached wireless user of WLAN.
3, the method for claim 1 is characterized in that, this wireless user's of described this AP detection of steps A Link State is:
AP is to described wireless user's transmit status probe messages.
4, method as claimed in claim 3 is characterized in that, described state detection message is the message that meets the IEEE802.11 agreement.
5, method as claimed in claim 4 is characterized in that, the message of the described IEEE802.11 of meeting agreement is: empty data NULL-Data message.
6, as claim 3 or 4 or 5 described methods, it is characterized in that described step B comprises:
B11. the safeguard protection timer expires, if AP does not receive the response to the state detection message that comes from described wireless user at described safeguard protection timer run duration, judges that then described wireless user's Link State is improper;
B12. connect message when going to connect message at described cut-out link, described wireless user is transformed into authentication success but finishes link-attached state, connect message when removing message identifying at described cut-out link, described wireless user is transformed into authentication not successfully and do not finish link-attached state.
7, method as claimed in claim 6 is characterized in that, after the described safeguard protection timer of step B11 expired, this method further comprised:
If AP receives the response to the state detection message that comes from described wireless user at described safeguard protection timer run duration, the Link State of then judging described wireless user is normal, and finishes the connection of this link and cut off flow process.
8, method as claimed in claim 7 is characterized in that, further comprises before the described step B11:
The cut-out link that AP receives once more corresponding to described wireless connections user connects message, judges the type of whether preserving the cut-out link packet correspondence that receives once more among the AP, if, then abandon this message, and execution in step B11; Otherwise,, then carry out described step B11 with abandoning behind the cut-out link connection message accounting type of message that receives once more;
Described judgement wireless user's Link State be normal after, further comprise: read the minimum type of message of rank in the cut-out link packet type that is write down, and return the described steps A of execution.
9, as claim 3,4 or 5 described methods, it is characterized in that described step B comprises:
B21. judge whether AP receives the response to the state detection message that comes from described wireless user,, and finish the connection of this link and cut off flow process if then the safeguard protection timer stops timing; Otherwise the safeguard protection timer expires, and judges that described wireless user's Link State is improper, and execution in step B22;
B22. connect message when going to connect message at described cut-out link, described wireless user is transformed into authentication success but does not finish link-attached state, connect message when removing message identifying at described cut-out link, described wireless user is transformed into authentication not successfully and do not finish link-attached state.
10, method as claimed in claim 6 is characterized in that, before the described AP transmit status probe messages, this method further comprises: the cut-out link that AP recorder is arrived connects the type of message;
Before the described step B12, this method further comprises: AP determines that according to the type of message that self writes down described cut-out link connects message and connects message or remove message identifying for going.
11, a kind of access point AP device is characterized in that this device comprises: data memory module, communication module and control module, wherein,
Data memory module is used for preserving the link-attached wireless user's information of WLAN (wireless local area network) WLAN of having set up;
Communication module is used for receiving the cut-out link and connects message, the link that receives is connected message send to control module, under the indication of control module, wireless user's Link State is surveyed, and result of detection submitted to control module, and disconnection of wireless user's link connects;
Control module is used for wireless user's information of preserving according to data memory module, the cut-out of determining to come from communication module connects the wireless user of message correspondence, the indication communication module carries out the detection of Link State to determined wireless user, result of detection according to the communication module submission, determine this wireless user's Link State, and when this wireless user's Link State was improper, the WLAN link that the notification communication module disconnects this wireless user connected.
12, device as claimed in claim 11 is characterized in that, this device further comprises: the safeguard protection timer, and this safeguard protection timer is used for timing under the indication of control module, and in the described control module of timing Inform when done.
CNB2006100775532A 2006-04-30 2006-04-30 Link connection cutting method and access point device in WLAN Expired - Fee Related CN100428721C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006100775532A CN100428721C (en) 2006-04-30 2006-04-30 Link connection cutting method and access point device in WLAN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2006100775532A CN100428721C (en) 2006-04-30 2006-04-30 Link connection cutting method and access point device in WLAN

Publications (2)

Publication Number Publication Date
CN1881920A CN1881920A (en) 2006-12-20
CN100428721C true CN100428721C (en) 2008-10-22

Family

ID=37519906

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006100775532A Expired - Fee Related CN100428721C (en) 2006-04-30 2006-04-30 Link connection cutting method and access point device in WLAN

Country Status (1)

Country Link
CN (1) CN100428721C (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104254139B (en) * 2013-06-25 2019-02-19 华为终端有限公司 A kind of message transmitting method, system and website
CN105356956B (en) * 2015-10-22 2018-11-27 普联技术有限公司 Communication quality detection method and device between wireless extensions device and access point
CN105635185A (en) * 2016-03-25 2016-06-01 珠海网博信息科技股份有限公司 Method and device for preventing sniffing under WIFI environment
CN108924842A (en) * 2017-03-23 2018-11-30 华为技术有限公司 It is a kind of to keep associated method and wireless access point device
CN108289299B (en) * 2017-05-31 2020-12-29 新华三技术有限公司 Method and device for preventing user from being offline
CN110418431A (en) * 2019-07-26 2019-11-05 新华三技术有限公司成都分公司 A kind of control method and device of communication connection
CN112822141B (en) * 2019-10-31 2023-03-31 中国电信股份有限公司 Method, apparatus, user terminal and computer readable medium for preventing attacks in a WLAN
CN111223219A (en) * 2019-12-31 2020-06-02 深圳阜时科技有限公司 Identity recognition method and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1491056A (en) * 2002-09-12 2004-04-21 Lg电子株式会社 Method for managing wireless bearing in mobile communication system
US20050262569A1 (en) * 2004-05-10 2005-11-24 Trusted Network Technologies, Inc. System, apparatuses, methods and computer-readable media for determining security status of computer before establishing connection thereto first group of embodiments-claim set II
US20050268342A1 (en) * 2004-05-14 2005-12-01 Trusted Network Technologies, Inc. System, apparatuses, methods and computer-readable media for determining security status of computer before establishing network connection second group of embodiments-claim set II
CN1735278A (en) * 2004-06-17 2006-02-15 Lg电子株式会社 mobile telecommunication system and method for session termination
CN1756201A (en) * 2004-09-28 2006-04-05 上海贝尔阿尔卡特股份有限公司 Connection interrupt detecting method and device for IPv6 access network

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1491056A (en) * 2002-09-12 2004-04-21 Lg电子株式会社 Method for managing wireless bearing in mobile communication system
US20050262569A1 (en) * 2004-05-10 2005-11-24 Trusted Network Technologies, Inc. System, apparatuses, methods and computer-readable media for determining security status of computer before establishing connection thereto first group of embodiments-claim set II
US20050268342A1 (en) * 2004-05-14 2005-12-01 Trusted Network Technologies, Inc. System, apparatuses, methods and computer-readable media for determining security status of computer before establishing network connection second group of embodiments-claim set II
CN1735278A (en) * 2004-06-17 2006-02-15 Lg电子株式会社 mobile telecommunication system and method for session termination
CN1756201A (en) * 2004-09-28 2006-04-05 上海贝尔阿尔卡特股份有限公司 Connection interrupt detecting method and device for IPv6 access network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
US2005/0268342A1 2005.12.01

Also Published As

Publication number Publication date
CN1881920A (en) 2006-12-20

Similar Documents

Publication Publication Date Title
CN100428721C (en) Link connection cutting method and access point device in WLAN
US7969937B2 (en) System and method for centralized station management
JP4477882B2 (en) Hidden node detection in wireless local area networks
US8817788B2 (en) Wireless communication terminal, method, program, recording medium, and wireless communication system
US7783756B2 (en) Protection for wireless devices against false access-point attacks
US8203996B2 (en) Communication device, wireless communication device, and control method
US10243974B2 (en) Detecting deauthentication and disassociation attack in wireless local area networks
JP4410070B2 (en) Wireless network system and communication method, communication apparatus, wireless terminal, communication control program, and terminal control program
CN104580152A (en) Protection method and system against wifi (wireless fidelity) phishing
EP2109986A2 (en) Approach for mitigating the effects of rogue wireless access points
US8619995B2 (en) Methods and apparatus related to address generation, communication and/or validation
CN102480729A (en) Method for preventing faked users and access point in radio access network
JP7079994B1 (en) Intrusion blocking method for unauthorized wireless terminals using WIPS sensor and WIPS sensor
US9444837B2 (en) Process and devices for selective collision detection
US20060133401A1 (en) Communication apparatus, wireless communication terminal, wireless communication system, and wireless communication method
CN106454812A (en) Method and device for receiving data
US8117658B2 (en) Access point, mobile station, and method for detecting attacks thereon
CN113132993B (en) Data stealing identification system applied to wireless local area network and use method thereof
CN107579955B (en) Dynamic host configuration protocol monitoring and protecting method and system
JP7473972B2 (en) Access point, communication system, and communication method
JP4882591B2 (en) Radio base station, radio base station program and control method
CN117296296A (en) Method for defending attempts to disconnect two entities and associated system
KR20050049471A (en) Wireless local or metropolitan area network with intrusion detection features and related methods
TW201112811A (en) Service network detecting system and method
WO2007123228A1 (en) Multicast packet transmitting apparatus, multicast packet transferring apparatus and multicast packet receiving apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, 466

Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.

CP03 Change of name, title or address
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20081022

CF01 Termination of patent right due to non-payment of annual fee