CN100505757C - Anti-offence method for ARP buffer storage list - Google Patents


Info

Publication number: CN100505757C
Application number: CNB2005100918372A
Authority: CN (China)
Prior art keywords: arp, address, request message, cache table, sender
Legal status: Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN1870627A
Inventor: 李强
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
History: application filed by Huawei Technologies Co Ltd; priority to CNB2005100918372A; published as CN1870627A; application granted and published as CN100505757C; patent now expired (fee related).

Abstract

This invention discloses an anti-attack method for the ARP cache table, in which the information source used to generate and refresh ARP cache table entries is restricted to ARP response messages that carry a higher degree of distinguishability, so that the possibility of being deceived by counterfeit information and attacked is reduced.

Description

ARP cache table anti-attack method
Technical field
The present invention relates to a network communication processing method, and in particular to an ARP cache table anti-attack method for a network device.
Background technology
A device on a data link needs a way to discover the data-link identifier (the MAC address) of its neighbours so that data can be sent to the correct destination. The Internet's ARP (Address Resolution Protocol) obtains the corresponding MAC address (media access control address) from a specified IP address (the network layer address).
According to Internet standard RFC 826, the ARP (Address Resolution Protocol) mechanism is as follows. When a network device needs the MAC address of another network device on the same link, it assembles an ARP request message containing the MAC address and IP address of the requesting device (the sender MAC address and sender IP address) and the IP address of the target device. The ARP request message is then broadcast on the data link, so every device on the link receives the frame and must examine the message encapsulated in it. The target machine whose IP address matches the target IP address in the ARP request message sends an ARP response message to the sender address of the ARP request message in order to provide its own MAC address; other devices do not send a reply. The result of the address resolution operation is thus that the sender has obtained the MAC address of the target machine and records the mapping between the target machine's MAC address and IP address in its local ARP cache table.
Because the size of the ARP cache is always limited, if ARP entries increase without bound they will eventually fill the whole ARP cache. With limited cache table resources this is acceptable as long as every ARP entry corresponds to a legitimate network device; but if invalid ARP entries are periodically present in the ARP cache (possibly in large numbers), this constitutes "pollution" of the ARP cache.
One of the main sources of the "ARP pollution" problem is ARP attacks, and an ARP attack can directly cause a network device to be unable to send messages normally. At present, ARP entries are generated or updated when an ARP request message or ARP response message is received: the validity of the destination address, sender IP address and MAC address is checked only superficially, and if they are valid the sender MAC address and sender IP address are read and an ARP entry is generated or refreshed. An attacker can therefore easily launch an ARP attack using IP and MAC addresses that are numerically valid.
There is currently no general method for preventing ARP attacks. The protocol makes no concrete provision for preventing ARP attacks and provides only an aging mechanism for the ARP cache table, which ensures that the cache cannot be occupied by invalid entries and that such entries are deleted in time. The ARP protocol does not specify a standard for defending against ARP attacks mainly because of the following assumption: network devices on the same link are generally on the same floor or in the same organisation, the probability of an ARP attack is low, and devices on the same link can trust each other, so ARP attacks need not be a concern. But with the growing popularity of network services, the devices on one link may be distributed across different buildings of the same residential community, across different districts, across different blocks and so on. Devices on the same link are then no longer trustworthy, so ARP attacks must be taken seriously, and in particular there must be a corresponding countermeasure against the malicious, periodic ARP attacks to which the ARP aging mechanism is easily exposed.
Summary of the invention
In view of the above problems in the prior art, the purpose of this invention is to provide an ARP cache table anti-attack method that can effectively prevent malicious periodic attacks while remaining compatible with the existing ARP mechanism.
The objective of the invention is achieved through the following technical solutions:
The invention provides an ARP cache table anti-attack method comprising: the ARP cache table generates and updates entries only according to the sender address information of ARP response messages, and the ARP response message must contain an identifier that was generated at random when the corresponding ARP request message was sent;
The randomly generated identifier, serving as an ARP opcode, is inserted into the sender IP address field of the ARP request message in place of the sender IP address information.
The ARP opcode adopts a form consistent with an IP address, consisting of the local subnet number and a random host number.
The random selection range of the ARP opcode should be those IP addresses that are not yet used by devices on this network or that are reserved for this network device.
When a gratuitous ARP request message is sent, the ARP opcode adopts the sender's own real IP address, which is also inserted into the target IP address field of the gratuitous ARP request message.
When the target IP address of a gratuitous ARP request message is present in its cache table, the recipient of the gratuitous ARP request message sends a unicast ARP request message.
The ARP response message must be received within a certain period after the ARP request message is sent.
As can be seen from the technical solution provided by the invention, by making ARP response messages the information source for generating and updating ARP cache table entries, and by requiring a received ARP response message to contain an identifier generated at random when the ARP request message was sent, the invention significantly reduces the possibility of the cache being polluted or attacked. By giving the randomly generated identifier a form consistent with an IP address and inserting it, as an ARP opcode, into the sender IP address field of the ARP request message in place of the sender IP address information, together with related measures, the invention also remains compatible with the existing ARP mechanism of other devices.
Description of drawings
Fig. 1 is a schematic diagram of the working mechanism of the ARP opcode of the invention;
Fig. 2 is a schematic diagram of the processing flow for sending an ARP request message according to the invention;
Fig. 3 is a schematic diagram of the processing flow for receiving an ARP message according to the invention;
Embodiment
The core idea of the invention is to achieve protection against attack and pollution by distinguishing and restricting the information sources of the ARP cache table. The restriction and distinguishing measures include obtaining the correspondence between IP address and MAC address only from ARP response messages and never from ARP request messages, and setting a randomly generated ARP opcode in the message as an identifier to reduce the possibility of ARP response messages being forged.
The invention is further described below with reference to the accompanying drawings.
Existing ARP obtains address correspondences both from ARP response messages and from ARP request messages. But an ARP response message must be sent in reply to an ARP request message, is transmitted by unicast, and its response time is subject to a timing restriction, whereas an ARP request message can be broadcast at any time, so an attacker's main means of polluting the ARP cache table is to send large numbers of ARP request messages. Therefore, the first measure taken in the prevention method is that the information source for generating and updating ARP cache table entries is provided only by ARP response messages with higher distinguishability, and the correspondence between IP address and MAC address is never obtained from the sender address information in an ARP request message.
An ARP message with higher distinguishability means that a random identifier is generated when the corresponding ARP request message is sent, and the corresponding ARP response message is required to contain the same identifier.
For better compatibility with the existing ARP mechanism, this identifier is inserted, as an ARP opcode, into the sender IP address field of the ARP request message in place of the sender IP address information, and it adopts a form consistent with an IP address, consisting of the local subnet number and a random host number. In this way, even if the queried network device uses the existing ARP mechanism, it still returns the ARP opcode in the target IP address field of its ARP response message, which achieves compatibility. Combining the ARP opcode mechanism with the timing restriction makes it possible to better distinguish and determine whether an ARP response message corresponds to an ARP request message sent by this machine a short time earlier.
As shown in Fig. 1, network device 11 has IP address 188.1.1.4 and MAC address 0003.10a1.f024, and network device 12 has IP address 188.1.1.21 and MAC address 000e.2a11.fc88. Network device 11 does not know, but needs to know, the MAC address of network device 12: for example, network device 11 is a gateway that has received from the external network a message destined for network device 12, whose IP address is 188.1.1.21. Because network device 12 is on the same subnet as network device 11, network device 11 needs the MAC address of network device 12 so that it can send the message directly to network device 12 by unicast.
In the invention, when network device 11 queries network device 12, it does not simply put its own address information (IP address and MAC address) and the IP address of network device 12 into ARP request message 13 and broadcast it on the local subnet (that is, with destination MAC address 0000.0000.0000); instead, it inserts the subnet number (188.1.1.0) plus a random host number (for example 128) as the ARP opcode (188.1.1.128) into the sender IP address field of ARP request message 13 in place of the IP address of network device 11, and then broadcasts the message on the local subnet.
When network device 12, which uses the invention, receives ARP request message 13, it cannot generate or update an ARP cache table entry from the correspondence between the sender IP address field and the sender MAC address field as the existing ARP mechanism would. Instead, following the existing ARP mechanism, it uses the content of the sender IP address field of ARP request message 13, i.e. the ARP opcode, as the content of the target IP address field of ARP response message 14, uses the content of the sender MAC address field of ARP request message 13 as the content of the destination MAC address field of ARP response message 14, inserts its own address information (IP address and MAC address) into ARP response message 14, and sends it by unicast to the querying network device 11.
In the invention, when network device 11 receives the ARP response message, it compares the content of the target IP address field in the message with the ARP opcode generated when the ARP request message was sent (rather than with its own real IP address) to determine whether the response message is a response to the previously sent ARP request message. If the ARP response message is a response to an ARP request message sent within the preceding period of time, the ARP cache table entry is generated or updated from the sender address information fields of the ARP response message, namely the contents of the IP address field and the MAC address field.
Thus, compared with the existing ARP, which identifies messages by the device's own IP address, setting a randomly generated ARP opcode in the message as the identifier reduces the possibility of ARP response messages being forged, and so better prevents the ARP cache table from being attacked and polluted. At the same time, it should be noted that when a subnet contains both network devices using the invention and network devices using the existing ARP mechanism, the random selection range of the ARP opcode should be those IP addresses in the subnet that are not yet allocated, or the secondary IP addresses of this machine (devices generally allow multiple secondary IP addresses); this avoids confusing network devices that use the existing ARP mechanism, because they obtain address correspondences from the ARP request messages sent by devices that use the invention.
In the invention, the processing of gratuitous ARP request messages is adjusted accordingly. A gratuitous ARP request message is in fact also an ARP request message; it differs from an ordinary ARP request message in that the contents of its sender IP address field and target IP address field are the same. In the existing ARP mechanism, its main special function is to detect IP address conflicts.
The invention retains the IP address conflict detection function of the gratuitous ARP request message, and at the same time gives it the effect of causing other network devices to send ARP request messages, thereby achieving the purpose of announcing a change in an address relationship. In the invention, when a gratuitous ARP request message is sent, the content inserted into both IP address fields is the device's own IP address rather than a randomly generated ARP opcode, and no corresponding dynamic ARP entry is generated. When a gratuitous ARP message is received, apart from sending a gratuitous ARP response message to report a conflict when the content of the target IP address field is found to be identical to the device's own IP address, as in the existing ARP mechanism, the device also responds even when there is no conflict: the response takes the form of sending a unicast ARP request message, rather than not responding as in the existing ARP mechanism. If the corresponding ARP response message is received in time, the ARP cache table entry can then be generated or updated in time. In this way, by responding to a gratuitous ARP request message that causes no address conflict with a unicast ARP request message, a change in an address correspondence can be announced safely and quickly, and the ARP cache table is updated in time.
The ARP request sending and message receiving flows of the invention can thus be represented roughly by Fig. 2 and Fig. 3.
As shown in Fig. 2, when an ARP request message is to be sent, step 21 is first entered, where an ARP request is triggered; this is normally caused by some event, such as needing to unicast a message to a network device whose MAC address is unknown, a change of address correspondence that needs to be announced, or detection of an IP address conflict. Step 22 is then entered to decide whether a gratuitous ARP request message is to be sent: if so, step 24 is entered and the gratuitous ARP request is sent (normally using the real IP address at this point rather than a randomly generated ARP opcode); otherwise step 23 is entered to generate and record the ARP opcode, and then step 25 is entered to send the ARP request specified by the invention. When an ARP request message (including a gratuitous ARP request message) is sent, the related information needs to be recorded in the ARP cache table so that it can be checked and distinguished when the response message is received; after sending is complete, step 26 is reached and the flow ends.
The ARP cache table may take the form shown in Table 1. Besides recording confirmed correspondences between IP addresses and MAC addresses (but not the correspondence between the device's own IP address and MAC address), the ARP cache table can also be used to store the related information of ARP request messages that have been sent. Using this table, the invention, like the existing ARP mechanism, can record the target IP address for which an ARP request message has been sent (the MAC address is left unknown for the time being and is dynamically refreshed after the ARP response message arrives), together with time records such as the sending time, which are used to determine whether an ARP response message has timed out, so that the ARP response message can be checked and distinguished. In addition, the ARP cache table of the invention has an extra ARP opcode field, which further improves the distinguishability of ARP response messages.
Table 1: ARP cache table on network device 11

IP address      MAC address       ARP opcode      Time record   ...
...
188.1.1.21      0000.0000.0000    188.1.1.128     XXXX
188.1.1.29      0000.0000.0000    188.1.1.14      XXXX
...
As shown in Fig. 3, when an ARP message is received, the event of receiving the ARP message in step 31 first leads to step 32, which determines whether the message is an ARP response message.
If it is an ARP response message, step 34 is entered to determine whether a related ARP entry exists. If the "sender IP address" in the message is not in the ARP cache table, step 38 is carried out to determine whether the message is a gratuitous ARP response; if so, an IP address conflict exists, as shown in step 42, and then step 43 is entered and the flow ends; if it is not a gratuitous ARP response, step 43 is entered directly and the flow ends. If the "sender IP address" in the message is in the ARP cache table, step 37 is entered to determine whether the ARP opcode equals the one recorded in the corresponding ARP entry; if they are equal, step 41 is entered to generate the ARP cache table entry, the correspondence between the sender IP address and MAC address in the message is written into the ARP cache table, and then step 43 is entered and the flow ends; if they are not equal, step 43 is entered directly and the flow ends.
If it is not an ARP response message, it is an ARP request message, and step 33 is entered to determine whether it is a gratuitous ARP request message.
If not, step 35 is entered to determine whether the "sender IP address" is the same as the device's own IP address. If it is the same, this indicates that someone is sending an ARP request to this device to query its MAC address, so step 39 is entered to send an ARP response message reporting the MAC address to the other party, and then step 43 is entered and the flow ends; if it is different, step 43 is entered directly and the flow ends.
If it is a gratuitous ARP request message, step 36 is entered to determine whether a related ARP entry exists. If the "sender IP address" in the message is not in the ARP cache table, step 35 is entered to determine whether the "sender IP address" is the same as the device's own IP address; if so, a conflict exists, and step 39 is entered to send an ARP response message reporting the conflict to the other party, after which step 43 is entered and the flow ends; if it is different, step 43 is entered directly and the flow ends. If the "sender IP address" in the message is in the ARP cache table, step 40 is entered to send a unicast ARP request message and wait for the ARP response message; if the ARP response times out, error handling is performed, the corresponding ARP entry that was dynamically generated when the request message was sent is deleted, and step 43 is entered and the flow ends.
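The sending flow of Fig. 2 and the receiving flow of Fig. 3, including the reply time window and the gratuitous ARP handling, as a constructed Python simulation added here (not the patent's or Huawei's code). It assumes an injectable clock for the time record, a caller-supplied pool of reserved host numbers for the opcode, and that an ordinary request is answered when its target IP address is the receiver's own; the sample addresses are those of Fig. 1.

```python
import random
import time
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2
UNKNOWN_MAC = "0000.0000.0000"  # placeholder MAC while a reply is pending (as in Table 1)

@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str  # in a request sent by this scheme this field carries the random opcode
    target_mac: str
    target_ip: str

@dataclass
class CacheEntry:
    mac: str
    opcode: Optional[str]  # opcode put in our last request for this IP; None once confirmed
    sent_at: float         # time record used for the reply window

class ArpHost:
    def __init__(self, ip, mac, subnet, reserved_hosts, timeout=5.0, clock=time.monotonic):
        self.ip, self.mac, self.subnet = ip, mac, IPv4Network(subnet)
        self.reserved_hosts = reserved_hosts  # host numbers unused on the link or reserved for us
        self.timeout, self.clock = timeout, clock
        self.cache: Dict[str, CacheEntry] = {}  # own IP/MAC pair is never stored here
        self.sent: List[ArpPacket] = []  # everything this host transmitted, for inspection

    def _new_opcode(self) -> str:
        # subnet number plus a random host number, so the opcode looks like an IP address
        return str(self.subnet.network_address + random.choice(self.reserved_hosts))

    def send_request(self, target_ip: str, target_mac: str = UNKNOWN_MAC) -> ArpPacket:
        # Fig. 2 steps 23/25: record opcode and send time, put the opcode in the sender IP
        # field; a MAC already known for target_ip is kept until the new reply replaces it
        old, opcode = self.cache.get(target_ip), self._new_opcode()
        self.cache[target_ip] = CacheEntry(old.mac if old else UNKNOWN_MAC, opcode, self.clock())
        pkt = ArpPacket(ARP_REQUEST, self.mac, opcode, target_mac, target_ip)
        self.sent.append(pkt)
        return pkt

    def send_gratuitous(self) -> ArpPacket:
        # Fig. 2 step 24: the real IP goes in both IP fields, no opcode and no cache entry
        pkt = ArpPacket(ARP_REQUEST, self.mac, self.ip, UNKNOWN_MAC, self.ip)
        self.sent.append(pkt)
        return pkt

    def receive(self, pkt: ArpPacket) -> str:
        # Fig. 3 steps 32/33: classify the message, then dispatch
        if pkt.op == ARP_REPLY:
            return self._on_reply(pkt)
        return self._on_gratuitous(pkt) if pkt.sender_ip == pkt.target_ip else self._on_request(pkt)

    def _on_reply(self, pkt: ArpPacket) -> str:
        entry = self.cache.get(pkt.sender_ip)
        if entry is None:
            # step 38: nothing pending; a reply claiming our own IP is a conflict report
            return "conflict" if pkt.sender_ip == self.ip else "ignored"
        # step 37 plus claim 6: target IP must echo our opcode and arrive inside the window
        if pkt.target_ip != entry.opcode or self.clock() - entry.sent_at > self.timeout:
            return "ignored"
        self.cache[pkt.sender_ip] = CacheEntry(pkt.sender_mac, None, self.clock())  # step 41
        return "learned"

    def _on_request(self, pkt: ArpPacket) -> str:
        # Requests never create or refresh entries. Assumption: a request is for us when its
        # target IP is ours; the reply echoes the request's sender IP field (the opcode).
        if pkt.target_ip != self.ip:
            return "ignored"
        self.sent.append(ArpPacket(ARP_REPLY, self.mac, self.ip, pkt.sender_mac, pkt.sender_ip))
        return "replied"

    def _on_gratuitous(self, pkt: ArpPacket) -> str:
        if pkt.sender_ip not in self.cache:
            if pkt.sender_ip != self.ip:
                return "ignored"
            self.sent.append(ArpPacket(ARP_REPLY, self.mac, self.ip, pkt.sender_mac, pkt.sender_ip))
            return "conflict-reported"  # steps 35/39: someone claims our address
        self.send_request(pkt.sender_ip, target_mac=pkt.sender_mac)  # step 40: verify by unicast
        return "requested"

    def expire_pending(self) -> List[str]:
        # error handling at the end of Fig. 3: drop entries whose reply never came in time
        now = self.clock()
        dead = [ip for ip, e in self.cache.items() if e.mac == UNKNOWN_MAC and now - e.sent_at > self.timeout]
        for ip in dead: del self.cache[ip]
        return dead
```

A forged broadcast request or a reply that does not echo the opcode leaves the cache untouched, which is the property the scheme relies on.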
The above is only a preferred embodiment of the invention, but the scope of protection of the invention is not limited thereto; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention should be covered by the scope of protection of the invention. Therefore, the scope of protection of the invention should be determined by the scope of protection of the claims.

Claims (6)

1. An ARP cache table anti-attack method, characterised in that it comprises: the ARP cache table generates and updates entries only according to the sender address information of ARP response messages, and the ARP response message must contain an identifier generated at random when the corresponding ARP request message was sent; the randomly generated identifier, serving as an ARP opcode, is inserted into the sender IP address field of the ARP request message in place of the sender IP address information.
2. The ARP cache table anti-attack method according to claim 1, characterised in that the ARP opcode adopts a form consistent with an IP address, consisting of the local subnet number and a random host number.
3. The ARP cache table anti-attack method according to claim 2, characterised in that the random selection range of the ARP opcode should be those IP addresses that are not yet used by devices on this network or that are reserved for this network device.
4. The ARP cache table anti-attack method according to claim 3, characterised in that when a gratuitous ARP request message is sent, the ARP opcode adopts the sender's own real IP address, which is also inserted into the target IP address field of the gratuitous ARP request message.
5. The ARP cache table anti-attack method according to claim 4, characterised in that when the target IP address of the gratuitous ARP request message is present in its cache table, the recipient of the gratuitous ARP request message sends a unicast ARP request message.
6. The ARP cache table anti-attack method according to any one of claims 1 to 5, characterised in that the ARP response message must be received within a certain period after the ARP request message is sent.
Application CNB2005100918372A: priority date 2005-08-09, filing date 2005-08-09, title "Anti-offence method for ARP buffer storage list", granted as CN100505757C, now expired (fee related).

Publications (2)

Publication Number Publication Date
CN1870627A CN1870627A (en) 2006-11-29
CN100505757C true CN100505757C (en) 2009-06-24






Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090624

Termination date: 20150809

EXPY Termination of patent right or utility model