CN100536474C - Method and equipment for preventing network attack by using address analytic protocol - Google Patents


Info

Publication number: CN100536474C
Authority: CN (China)
Application number: CNB2006101272297A
Other versions: CN1921491A (en)
Other languages: Chinese (zh)
Prior art keywords: arp, list item (entry), message (packet), attack protection, unit
Inventor: 滕利明
Current assignee: New H3C Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CNB2006101272297A
Publication of CN1921491A
Application granted
Publication of CN100536474C
Legal status: Expired - Fee Related

Abstract

The invention relates to a method for preventing network attacks that use the Address Resolution Protocol (ARP). Before an ARP entry is modified on receipt of an ARP packet, the device actively triggers a confirmation of the original user identified by the ARP entry. If a reply from the original user is received, modification of the ARP entry is forbidden. If no reply from the original user is received, the device actively triggers a confirmation of the new user identified by the received ARP packet; if a reply from the new user is received, the ARP entry is modified, and if no reply from the new user is received, modification of the ARP entry is forbidden. The invention also discloses a corresponding device comprising a packet transceiver unit, a packet check unit, a user confirmation unit and an ARP entry modification unit. The invention improves network security.

Description

Method and apparatus for guarding against network attacks that use the Address Resolution Protocol
Technical field
The present invention relates to the field of network technology, and specifically to a method and apparatus for guarding against network attacks that use the Address Resolution Protocol (ARP).
Background art
In an Ethernet, for IP devices to communicate with one another, the MAC (Media Access Control) address of the next-hop device corresponding to the destination device must first be obtained; MAC addresses are obtained through the ARP (Address Resolution Protocol). ARP provides a dynamic mapping between IP addresses and the corresponding hardware addresses. The process is as follows:
The source host broadcasts an Ethernet frame called an ARP request to every host on the Ethernet. When the ARP layer of the destination host receives this broadcast packet, it recognizes that the sender is asking for its IP address and sends an ARP reply containing its IP address and the corresponding MAC address. Once the source host has received the ARP reply, it can send IP datagrams to the destination host using that IP address and MAC address.
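The request/reply exchange above is carried in a fixed 28-byte ARP payload. The following parser is an added example, not code from the patent or from H3C; it serialises and decodes the Ethernet/IPv4 ARP layout (RFC 826) and extracts the sender (IP, MAC) binding that a receiver's ARP layer learns, which is exactly the binding the attacks described below try to overwrite. The sample addresses are constructed.

```python
import struct
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2          # RFC 826 operation codes


@dataclass(frozen=True)
class ArpFields:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Serialise an Ethernet/IPv4 ARP payload (28 bytes, no Ethernet header)."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then opcode
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


def parse_arp(payload: bytes) -> ArpFields:
    """Decode an Ethernet/IPv4 ARP payload; reject anything else."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if oper not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unsupported ARP opcode {oper}")
    return ArpFields(oper,
                     _mac_str(payload[8:14]), _ip_str(payload[14:18]),
                     _mac_str(payload[18:24]), _ip_str(payload[24:28]))


def learned_binding(payload: bytes) -> tuple:
    """The (sender IP, sender MAC) pair a receiver's ARP layer would learn
    from this packet, whether it is a request or a reply."""
    f = parse_arp(payload)
    return f.sender_ip, f.sender_mac


if __name__ == "__main__":
    # Constructed sample: host 10.0.0.2 answering gateway 10.0.0.1
    reply = build_arp(ARP_REPLY, "00:00:00:00:00:0b", "10.0.0.2",
                      "00:00:00:00:00:01", "10.0.0.1")
    print(parse_arp(reply))
    print(learned_binding(reply))
```

Note that nothing in the payload authenticates the sender fields: a receiver learns whatever (IP, MAC) pair the packet carries, which is why the gateway-side confirmation described in this patent is needed.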
Because no security mechanism was considered when ARP was designed, ARP is a protocol that is very easy to attack. Common ARP attacks fall into the following types:
1. Forging ARP packets for another IP address to tamper with that user's ARP entry on the gateway device, so that communication between the gateway and that legitimate user fails.
As shown in Figure 1, legitimate users A and B communicate with the outside through gateway G, and dynamic ARP entries IP A-MAC A and IP B-MAC B are established on G. Attacker C forges a legitimate user's ARP packet; suppose the forged IP address is B's, but the MAC address is C's or some other invalid MAC address. When gateway G receives the ARP packet from user C, it learns from the packet that the MAC address corresponding to IP address B is C and modifies the ARP entry accordingly. That is, user C uses the forged ARP packet to tamper with the ARP entry for user B on gateway G. Thereafter, when gateway G receives a packet that needs to be sent to user B, it sends it to C according to the tampered ARP entry, so that communication between gateway G and user B fails.
2. Forging ARP packets for the gateway's IP address to tamper with the gateway ARP entry of other users in the network, so that communication between other legitimate users and the gateway fails.
3. ARP scanning attacks, in which ARP packets for a large number of different IP addresses are sent to other devices so that their ARP tables reach the maximum specification and no new ARP entries can be learned; a scanning attack may also include attacks of the previous two types.
For the first type of attack, in networks where IP addresses are dynamically assigned by DHCP (Dynamic Host Configuration Protocol), the gateway can keep the correspondence between the IP addresses assigned by DHCP and the users' MAC addresses and use it to filter ARP learning, which reduces the opportunity for this type of attack to some extent. However, dynamic ARP has no other security mechanism; it is very easily modified illegitimately, causing network interruption for legitimate users. For networks without a DHCP filtering mechanism or with statically allocated IP addresses, illegitimate modification of ARP entries can currently only be prevented by configuring static ARP entries.
Because the MAC address information of legitimate users is not easy to collect, the configuration effort is large in environments with many users, and when a legitimate user needs to change its IP address, the static ARP entry on the gateway must be changed at the same time. This configuration approach is therefore cumbersome and inflexible.
Summary of the invention
The main object of the present invention is to provide a method for guarding against network attacks that use ARP, in order to solve the problems of complex configuration and lack of flexibility in the prior-art approach of preventing ARP attacks with statically configured ARP entries, to prevent simply and effectively the ARP entries of legitimate users on a network device from being modified, and to strengthen network reliability.
Another object of the present invention is to provide an apparatus for guarding against network attacks that use ARP, in order to strengthen the reliability of the network device.
To this end, the invention provides the following technical solution:
A method for guarding against network attacks that use ARP, the method comprising the steps of:
A. after receiving an ARP packet and before modifying the ARP entry, confirming the original user identified by the ARP entry;
B. if a reply from the original user is received, forbidding modification of the ARP entry;
C. if no reply from the original user is received, confirming the new user identified by the received ARP packet;
D. if a reply from the new user is received, modifying the ARP entry;
E. if no reply from the new user is received, forbidding modification of the ARP entry.
Optionally, the method further comprises:
setting an attack-protection record field corresponding to each ARP entry in the ARP table, the attack-protection record field comprising the MAC address carried by the received ARP packet that requested the entry update, and an attack-protection mark.
Step A comprises:
A1. if the received ARP packet does not involve modifying the MAC address in the corresponding ARP entry, continuing the ARP learning and update process;
A2. if the received ARP packet involves modifying the MAC address in the corresponding ARP entry, recording the MAC address information from the ARP packet in the attack-protection record field, and triggering a unicast ARP request to the original user identified by the ARP entry.
When the ARP learning and update process is carried out, if an attack-protection record field already exists in the corresponding ARP entry, that attack-protection record field is cleared.
Step C comprises:
checking whether the attack-protection mark in the attack-protection record field of the corresponding ARP entry is "original-user confirmation sent";
if so, sending a unicast ARP request to the new user identified by the received ARP packet.
Step D is specifically:
if the source MAC address in the received ARP packet is the same as the MAC address in the attack-protection record field, and the attack-protection mark in that record field is "new-user confirmation sent", modifying the existing ARP entry.
Preferably, the method further comprises:
periodically checking whether each ARP entry in the ARP table has an attack-protection record field;
if it has an attack-protection record field and the attack-protection mark is the initial value, initiating a unicast ARP request to the original user according to the ARP entry, and changing the attack-protection mark to "original-user confirmation sent";
if it has an attack-protection record field and the attack-protection mark is "original-user confirmation sent", initiating a unicast ARP request to the new user according to the attack-protection record information, and changing the attack-protection mark to "new-user confirmation sent";
if it has an attack-protection record field and the attack-protection mark is "new-user confirmation sent", clearing the attack-protection record information;
if it has no attack-protection record field, finishing the check of that ARP entry.
The method further comprises:
if the received ARP packet involves modifying the MAC address in the corresponding ARP entry, and the ARP update time exceeds the preset threshold, discarding the received ARP packet.
An apparatus for guarding against network attacks that use ARP, comprising: a packet transceiver unit;
a packet check unit, for checking the type of ARP packet received by the packet transceiver unit;
a user confirmation unit, connected to the packet check unit, for triggering, according to the check result of the packet check unit, confirmation of the original user identified by the ARP entry and/or of the new user identified by the received ARP packet; if the packet check unit detects that the packet transceiver unit has received a reply from the original user, it instructs the ARP entry modification unit not to make any modification to the ARP entry; if the packet check unit detects that the packet transceiver unit has received a reply from the new user, it instructs the ARP entry modification unit to modify the corresponding ARP entry;
the ARP entry modification unit, connected to the packet check unit, for modifying the corresponding ARP entry during the ARP learning process according to the instruction of the packet check unit.
The apparatus further comprises:
an ARP table storage unit, connected to the ARP entry modification unit and to the packet check unit, for storing the ARP table, which comprises the ARP entries and the attack-protection record information corresponding to them;
an ARP entry maintenance unit, for carrying out an ARP attack check on each ARP entry in the ARP table and updating the attack-protection record information according to the check result.
The apparatus further comprises:
a threshold setting unit, for setting the ARP update-time threshold;
a timer, connected to the threshold setting unit, the packet check unit and the ARP entry modification unit, for timing modifications of the ARP entry and, after the timed interval reaches the threshold, notifying the ARP entry modification unit that the ARP entry may be modified.
It can be seen from the technical solution above that, before a network device modifies an ARP entry on receipt of an ARP packet, the present invention actively triggers a confirmation of the original user identified by the ARP entry; if a reply from the original user is received, modification of the ARP entry is forbidden, and if no reply from the original user is received, modification of the ARP entry is allowed. In the latter case, the present invention further actively triggers a confirmation of the new user identified by the received ARP packet; if no reply from the new user is received, modification of the ARP entry is forbidden, and only if a reply from the new user is received is modification of the corresponding ARP entry allowed. Thus, when the legitimate user still exists, the confirmation actively initiated to the original legitimate user prevents that user's ARP entry on the device from being modified, strengthening network reliability; when no reply from the original legitimate user is received, the confirmation actively initiated to the new user prevents simple forged-request ARP attacks whose sender does not respond.
In addition, with the present invention, after the original legitimate user releases an IP address, a new legitimate user can use that IP directly without any configuration change, which reduces the configuration effort.
Description of drawings
Fig. 1 is a schematic diagram of a prior-art ARP attack carried out with forged ARP packets for another IP address;
Fig. 2 is a flow chart of a preferred embodiment of the method of the invention;
Fig. 3 is a flow chart of modifying an ARP entry according to the information in the attack-protection record field in the method of the invention;
Fig. 4 is a flow chart of the ARP table maintenance process in the method of the invention;
Fig. 5 is a block diagram of a first embodiment of the apparatus of the invention;
Fig. 6 is a block diagram of a second embodiment of the apparatus of the invention.
Embodiment
The core of the present invention is that, before a network device modifies an ARP entry on receipt of an ARP packet, it actively triggers a confirmation of the original user identified by the ARP entry; if a reply from the original user is received, modification of the ARP entry is forbidden; if no reply from the original user is received, modification of the ARP entry is allowed. To further ensure network security, when no reply from the original user is received, the device can also actively trigger a confirmation of the new user identified by the received ARP packet; if no reply from the new user is received, modification of the ARP entry is forbidden, and only if a reply from the new user is received is modification of the corresponding ARP entry allowed. In a specific implementation, an attack-protection record field can be set for each ARP entry in the ARP table, and different attack-protection marks are set according to whether replies from the original user and the new user are received. According to this mark information, when a MAC address modification is involved, only ARP entries whose attack-protection record is marked "new-user confirmation sent" are allowed to be modified. At the same time, each ARP entry in the ARP table is periodically checked for attacks, and the information in the attack-protection record field is updated according to the check result, to guarantee the accuracy of this information.
In order to enable those skilled in the art to better understand the solution of the present invention, the present invention is described in further detail below with reference to the drawings and embodiments.
Fig. 2 shows the flow chart of a preferred embodiment of the present invention, which comprises the following steps:
Step 201: set an attack-protection record field corresponding to each ARP entry in the ARP table.
The attack-protection record field comprises the MAC address carried by the received ARP packet that requested the entry update, and an attack-protection mark. The attack-protection mark is set to the initial value when the attack-protection information is created.
Step 202: the network device receives an ARP packet.
Step 203: carry out ARP learning and judge whether a corresponding ARP entry exists. If not, go to step 204; otherwise go to step 205.
Step 204: add a corresponding ARP entry according to the received ARP packet.
Step 205: judge whether a MAC address modification is involved. If not, go to step 206; otherwise go to step 209.
The present invention is mainly directed at attacks in which ARP packets for another IP address are forged to tamper with that user's ARP entry on the network device. Therefore, after the network device receives an ARP packet, it can apply a corresponding strategy depending on whether a MAC address modification is involved. Judging whether a MAC address modification is involved means judging whether the MAC address in the received ARP packet is the same as the MAC address in the existing corresponding ARP entry: if they are the same, no MAC address modification is involved; otherwise, the MAC address information in the ARP entry may need to be modified according to this packet.
Step 206: judge whether the ARP entry has corresponding attack-protection record information. If so, go to step 207; otherwise go to step 208.
Step 207: clear the attack-protection record information corresponding to the ARP entry.
Step 208: continue the ARP learning and update process.
Step 209: judge whether the ARP update time exceeds the specified time. If not, go to step 210; otherwise go to step 211.
Considering the characteristics of network connections, a normal legitimate user's network connection is mostly a process that lasts for some time, so updates to that user's ARP entry also occur over a certain period. Therefore, to avoid frequent ARP updates causing unnecessary network traffic and resource consumption, an ARP update-time threshold, namely the specified time in step 209, can be preset. Each ARP entry update is allowed only after this time has elapsed; otherwise, even if the received ARP packet requires the corresponding ARP entry to be updated, the update is forbidden. For example, if the threshold is set to 1 minute, a MAC modification is unlikely under normal conditions within the following minute, so a modification requested within 1 minute can be considered an attack.
Step 210: discard the ARP packet and exit the learning process.
Step 211: modify the existing ARP entry according to the information in the attack-protection record field.
As mentioned above, in order to effectively stop illegitimate ARP packets from tampering with the ARP entries stored on the network device, when a MAC address modification is involved in the ARP learning process the present invention first actively initiates a confirmation to the original legitimate user identified by the ARP entry, and when no reply from the original user is received, it also confirms the new user identified by the received ARP packet. Only when a reply from the new user is received is modification of the existing ARP entry allowed. Moreover, in this embodiment, so that the network device can know the confirmation results for the original user and the new user simply and easily, an attack-protection record field is set for each ARP entry in the ARP table, and whether modification of the existing ARP entry is allowed can be determined from the information in this field. How exactly the existing ARP entry is modified according to the information in the attack-protection record field is described in detail later.
To ensure the accuracy of the information in this field, each ARP entry in the ARP table also needs to be periodically checked for ARP attacks, and the information in the attack-protection record field updated according to the check result.
Of course, besides the attack-protection record field described above for recording the confirmation of the original legitimate user and the new user, any other conventional way may be used in the ARP table, as long as it guarantees that, in the ARP learning process, when a MAC address modification is involved, the original legitimate user is actively confirmed before the modification, and modification of the corresponding ARP entry is allowed only when no reply from the original legitimate user is received.
Fig. 3 shows the flow of modifying an ARP entry according to the information in the attack-protection record field in the method of the invention, comprising the following steps:
Step 301: obtain the attack-protection record field corresponding to the ARP entry that needs to be modified.
Step 302: judge whether attack-protection record information already exists. If not, go to step 303; otherwise go to step 304.
Step 303: record the attack-protection information, initiate a unicast ARP request to the original user identified by the ARP entry, and then exit the ARP learning process.
When recording the attack-protection information, the MAC address in the received ARP packet is written into the attack-protection field, and the mark field is set to the initial value.
Step 304: further judge whether the MAC address in the received ARP packet is the same as the MAC address in the existing attack-protection record. If not, go to step 305; otherwise go to step 306.
Step 305: discard this ARP packet and exit the ARP learning process.
Step 306: further judge whether the attack-protection mark is "new-user confirmation sent". If not, go to step 305; otherwise go to step 307.
Step 307: continue the ARP modification process.
If the attack-protection mark corresponding to the ARP entry is "new-user confirmation sent", the received ARP packet is the new user's reply. At this point the corresponding ARP entry can be modified according to the information in this packet, that is, the new user's MAC address is learned into the ARP entry, completing the ARP learning process.
To ensure the accuracy of the information in the attack-protection field, the ARP table needs to be maintained periodically.
Fig. 4 shows the flow of the ARP table maintenance process in the method of the invention, comprising the following steps:
Step 401: set the initial value of the ARP entry index variable n to 1.
Step 402: obtain the nth ARP entry in the ARP table.
Step 403: judge whether this ARP entry has attack-protection record information. If not, go to step 410; otherwise go to step 404.
Step 404: judge whether the attack-protection mark is the initial value. If so, go to step 405; otherwise go to step 406.
Step 405: trigger a unicast request to the original user, and change the attack-protection mark to "original-user confirmation sent".
Step 406: further judge whether the attack-protection mark is "original-user confirmation sent". If so, go to step 407; otherwise go to step 408.
Step 408: further judge whether the attack-protection mark is "new-user confirmation sent". If so, go to step 409; otherwise go to step 410.
Step 409: clear the attack-protection record information.
Step 410: judge whether there are still unchecked ARP entries. If so, go to step 411; otherwise go to step 412.
Step 411: increment the variable n by 1, then return to step 402 and continue checking the next ARP entry.
Step 412: exit the ARP table check process.
As can be seen from the above description, by actively confirming the original legitimate user identified by the ARP entry and the new user identified by the received ARP packet, the present invention effectively prevents network attacks in which illegitimate ARP packets tamper with ARP entries.
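The three flows of Figs. 2, 3 and 4 (packet handling with the update-time threshold, modification gated by the attack-protection record field, and the periodic maintenance pass) fit in one small simulation. The code below is an added example, not the patent's or H3C's implementation: packets are reduced to a (sender IP, sender MAC) pair, unicast requests are recorded in a list instead of being sent, time is a simulated clock, and the IP/MAC values are constructed. Step 407, whose text is not on the page, is implemented as the summary states it: a unicast request to the new user and the mark set to "new-user confirmation sent".

```python
from dataclasses import dataclass
from typing import Optional

# The three attack-protection mark values named in the patent
INITIAL, ORIG_SENT, NEW_SENT = "initial", "orig-confirm-sent", "new-confirm-sent"

# Constructed sample addresses (not from the patent)
IP_B = "10.0.0.2"
MAC_B, MAC_C, MAC_D = "00:00:00:00:00:0b", "00:00:00:00:00:0c", "00:00:00:00:00:0d"


@dataclass
class Record:               # attack-protection record field of one ARP entry
    mac: str                # MAC carried by the packet that asked to change the entry
    mark: str = INITIAL


@dataclass
class Entry:
    mac: str
    updated_at: float       # simulated clock value of the last modification
    record: Optional[Record] = None


@dataclass(frozen=True)
class Arrival:              # a received ARP packet reduced to (sender IP, sender MAC)
    ip: str
    mac: str


class ArpTable:
    def __init__(self, update_threshold: float):
        self.entries = {}                    # IP -> Entry
        self.threshold = update_threshold    # step 209 / threshold setting unit 601
        self.requests = []                   # (target MAC, IP) of unicast requests "sent"
        self.clock = 0.0                     # simulated time in seconds

    def _unicast_request(self, ip: str, target_mac: str) -> None:
        self.requests.append((target_mac, ip))      # stand-in for a real send

    def receive(self, pkt: Arrival) -> str:
        """Fig. 2, steps 203-211."""
        entry = self.entries.get(pkt.ip)
        if entry is None:                                   # 203 -> 204
            self.entries[pkt.ip] = Entry(pkt.mac, self.clock)
            return "added"
        if entry.mac == pkt.mac:                            # 205: no MAC change
            entry.record = None                             # 206/207: clear record
            entry.updated_at = self.clock                   # 208: normal refresh (assumed)
            return "refreshed"
        if self.clock - entry.updated_at < self.threshold:  # 209 -> 210
            return "dropped: within update threshold"
        return self._modify_with_record(entry, pkt)         # 211

    def _modify_with_record(self, entry: Entry, pkt: Arrival) -> str:
        """Fig. 3, steps 301-307."""
        if entry.record is None:                            # 302 -> 303
            entry.record = Record(pkt.mac)
            self._unicast_request(pkt.ip, entry.mac)        # ask the original user
            return "dropped: original user being confirmed"
        if pkt.mac != entry.record.mac:                     # 304 -> 305
            return "dropped: MAC differs from recorded MAC"
        if entry.record.mark != NEW_SENT:                   # 306 -> 305
            return "dropped: new user not yet confirmed"
        entry.mac = pkt.mac                                 # 307: reply from the confirmed
        entry.updated_at = self.clock                       # new user is learned
        return "modified"

    def maintain(self) -> None:
        """Fig. 4: one pass over every entry (steps 401-412)."""
        for ip, entry in self.entries.items():
            rec = entry.record
            if rec is None:                                 # 403 -> 410
                continue
            if rec.mark == INITIAL:                         # 404 -> 405
                self._unicast_request(ip, entry.mac)
                rec.mark = ORIG_SENT
            elif rec.mark == ORIG_SENT:                     # 406 -> 407 (per summary)
                self._unicast_request(ip, rec.mac)
                rec.mark = NEW_SENT
            elif rec.mark == NEW_SENT:                      # 408 -> 409
                entry.record = None


def scenario_original_present() -> dict:
    """Forged packet for IP B arrives while legitimate user B still answers."""
    t = ArpTable(update_threshold=60.0)
    t.entries[IP_B] = Entry(MAC_B, updated_at=0.0)
    t.clock = 100.0
    first = t.receive(Arrival(IP_B, MAC_C))     # forged: claims IP B is now at MAC C
    reply = t.receive(Arrival(IP_B, MAC_B))     # B answers the unicast request
    t.maintain()
    return {"first": first, "reply": reply, "mac": t.entries[IP_B].mac,
            "requests": list(t.requests)}


def scenario_original_absent() -> dict:
    """Same packet, but B has left and never answers; C does answer."""
    t = ArpTable(update_threshold=60.0)
    t.entries[IP_B] = Entry(MAC_B, updated_at=0.0)
    t.clock = 100.0
    first = t.receive(Arrival(IP_B, MAC_C))
    t.maintain()                                # initial -> orig-confirm-sent
    other = t.receive(Arrival(IP_B, MAC_D))     # a third MAC cannot take over the record
    t.maintain()                                # orig-confirm-sent -> new-confirm-sent
    confirmed = t.receive(Arrival(IP_B, MAC_C)) # C answers the unicast request
    return {"first": first, "other": other, "confirmed": confirmed,
            "mac": t.entries[IP_B].mac, "requests": list(t.requests)}


def scenario_within_threshold() -> str:
    """A MAC change requested 30 s after the last update is dropped (step 210)."""
    t = ArpTable(update_threshold=60.0)
    t.entries[IP_B] = Entry(MAC_B, updated_at=0.0)
    t.clock = 30.0
    return t.receive(Arrival(IP_B, MAC_C))
```

In the first scenario the entry never changes: B's reply matches the stored MAC, which clears the record (steps 206/207), and the forged packet would have to start the confirmation over again. In the second, the entry changes only after two maintenance passes have confirmed that B is silent and a packet from the recorded MAC arrives while the mark is "new-user confirmation sent"; a packet from any other MAC is dropped at step 304.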
Fig. 5 shows the block diagram of an embodiment of the apparatus of the invention.
The apparatus comprises: a packet transceiver unit 501, a packet check unit 502, a user confirmation unit 503 and an ARP entry modification unit 504.
The packet transceiver unit 501 receives packets sent by other network devices and sends packets to other devices; the packet check unit 502 checks the type of ARP packet received by the packet transceiver unit; the user confirmation unit 503 triggers, according to the check result of the packet check unit, confirmation of the original user identified by the ARP entry and/or of the new user identified by the received ARP packet; the ARP entry modification unit 504 is connected to the packet check unit 502 and modifies the corresponding ARP entry during the ARP learning process according to the replies from the original user and the new user detected by the packet check unit.
After the packet transceiver unit 501 receives an ARP packet, the packet check unit 502 checks whether the device cache has an ARP entry corresponding to the packet; if not, the address information in the ARP packet is learned into the ARP table; if so, it judges whether a MAC address modification is involved. If not, it instructs the device to continue the ARP learning update; if so, it instructs the user confirmation unit to actively confirm the original user identified by the ARP entry. If the packet check unit 502 detects that the packet transceiver unit 501 has received a reply from the original user, the originally received ARP packet may be an illegitimate packet, and the device is instructed not to make any modification to the ARP entry. If the packet check unit 502 detects no reply from the original user, it instructs the user confirmation unit to actively confirm the new user identified by the originally received ARP packet. If the packet check unit 502 detects that the packet transceiver unit 501 has received a reply from the new user, the received packet is a legitimate packet from the new user, and the ARP entry modification unit 504 is instructed to modify the corresponding ARP entry. If the packet check unit 502 detects no reply from the new user, the received ARP packet may be an illegitimate packet, and the device is instructed not to make any modification to the ARP entry.
To give the packet check unit 502 accurate check information, an ARP table storage unit 505 and an ARP entry maintenance unit 506 can also be provided in the apparatus, as shown in the figure.
The ARP table storage unit 505 is connected to the ARP entry modification unit 504 and to the packet check unit 502, and stores the ARP table, which comprises the ARP entries and the attack-protection record information corresponding to them. The ARP entry maintenance unit 506 carries out an ARP attack check on each ARP entry in the ARP table and updates the attack-protection record information according to the check result.
The packet check unit 502 determines, according to the attack-protection record information in the ARP table storage unit 505, whether to instruct the user confirmation unit 503 to actively confirm the original user or the new user. The detailed process is the same as described above for the method of the invention and is not repeated here.
The detailed process by which the ARP entry maintenance unit 506 carries out the ARP attack check on each ARP entry in the ARP table is also the same as described above for the method of the invention.
Fig. 6 shows the block diagram of a second embodiment of the apparatus of the invention.
The difference from the embodiment of Fig. 5 is that a threshold setting unit 601 and a timer 602 connected to it are added in this embodiment. The threshold setting unit 601 sets the ARP update-time threshold; the timer 602 is arranged between the packet check unit 502 and the ARP entry modification unit 504, times the modifications of the ARP entry and, after the timed interval reaches the threshold, notifies the ARP entry modification unit 504 that the ARP entry may be modified. Its detailed operation can be found in the description of the method of the invention above.
With this embodiment, network traffic can be further reduced and device resources saved.
Although the present invention has been described by way of embodiments, those of ordinary skill in the art will know that the present invention has many variations and modifications that do not depart from its spirit, and it is intended that the appended claims cover those variations and modifications that do not depart from the spirit of the present invention.

Claims (11)

1. A method for guarding against network attacks that use the Address Resolution Protocol, characterized in that the method comprises the steps of:
A. after receiving an ARP packet and before modifying the ARP entry, confirming the original user identified by the ARP entry;
B. if a reply from the original user is received, forbidding modification of the ARP entry;
C. if no reply from the original user is received, confirming the new user identified by the received ARP packet;
D. if a reply from the new user is received, modifying the ARP entry;
E. if no reply from the new user is received, forbidding modification of the ARP entry.
2. The method according to claim 1, characterized in that the method further comprises:
setting an attack-protection record field corresponding to each ARP entry in the ARP table, the attack-protection record field comprising the MAC address carried by the received ARP packet that requested the entry update, and an attack-protection mark.
3. The method according to claim 2, characterized in that step A comprises:
A1. if the received ARP packet does not involve modifying the MAC address in the corresponding ARP entry, continuing the ARP learning and update process;
A2. if the received ARP packet involves modifying the MAC address in the corresponding ARP entry, recording the MAC address information from the ARP packet in the attack-protection record field, and triggering a unicast ARP request to the original user identified by the ARP entry.
4. The method according to claim 3, characterized in that,
when the ARP learning and update process is carried out, if an attack-protection record field already exists in the corresponding ARP entry, that attack-protection record field is cleared.
5. The method according to claim 2, characterized in that step C comprises:
checking whether the attack-protection mark in the attack-protection record field of the corresponding ARP entry is "original-user confirmation sent";
if so, sending a unicast ARP request to the new user identified by the received ARP packet.
6. The method according to claim 2, characterized in that step D is specifically:
if the source MAC address in the received ARP packet is the same as the MAC address in the attack-protection record field, and the attack-protection mark in that record field is "new-user confirmation sent", modifying the existing ARP entry.
7. The method according to claim 2, characterized in that the method further comprises:
periodically checking whether each ARP entry in the ARP table has an attack-protection record field;
if it has an attack-protection record field and the attack-protection mark is the initial value, initiating a unicast ARP request to the original user according to the ARP entry, and changing the attack-protection mark to "original-user confirmation sent";
if it has an attack-protection record field and the attack-protection mark is "original-user confirmation sent", initiating a unicast ARP request to the new user according to the attack-protection record information, and changing the attack-protection mark to "new-user confirmation sent";
If the attack protection record field is arranged, and attack protection is labeled as new user and confirms to send, then removes described attack protection recorded information;
If there is not the attack protection record field, then finish inspection to this ARP list item.
8, method according to claim 1 is characterized in that, described method further comprises:
If the ARP message of receiving relates to the MAC Address of revising in the corresponding ARP list item, and ARP surpasses pre-set threshold update time, then abandons the ARP message of reception.
9, a kind of strick precaution utilizes address resolution protocol to carry out the equipment of network attack, comprising: the packet sending and receiving unit, it is characterized in that, and also comprise:
The message audit unit is used to check the ARP type of message of receiving the packet sending and receiving unit;
User's confirmation unit links to each other with described message audit unit, is used for the check result according to the message audit unit, triggers to the original subscriber of ARP list item sign and/or to the new user's of the ARP message identification received affirmation; If described message audit unit is checked through described packet sending and receiving unit and receives replying of original subscriber, then indicate the APR list item to revise the unit and the ARP list item is not made any modification, if described message audit unit is checked through described packet sending and receiving unit and receives replying of new user, then indicate the APR list item to revise the unit and revise corresponding ARP list item;
Described ARP list item is revised the unit, links to each other with the message audit unit, is used for the learning process at ARP, revises corresponding ARP list item according to the indication of message audit unit.
10, equipment according to claim 9 is characterized in that, described equipment further comprises:
ARP storage of linked list unit is revised the unit with the ARP list item respectively and is linked to each other with the message audit unit, is used to store the ARP chained list, and described ARP chained list comprises ARP list item and the attack protection recorded information corresponding with it;
ARP list item maintenance unit is used for each ARP list item of ARP chained list is carried out ARP attack inspection, and upgrades the attack protection recorded information according to check result.
11, equipment according to claim 9 is characterized in that, described equipment further comprises:
The threshold setting unit is used to be provided with ARP threshold value update time;
Timer is revised the unit with threshold setting unit, message audit unit, ARP list item respectively and is linked to each other, and be used for timing is carried out in the modification of ARP list item, and after timing time reached described threshold value, notice is revised performance element and can be made amendment to the ARP list item.
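The confirm-original-then-new procedure of claims 1 to 7, as an added Python simulation that is not part of the patent: an ArpGuard class keeps the ARP list with the per-entry attack-protection record (candidate MAC plus flag), holds an update that would change a MAC, and takes the claimed decision from the unicast probe replies and the periodic check. The live-MAC set, IPs and MACs are constructed stand-ins for the LAN, and the update-time threshold of claim 8 is not modelled.

```python
# Added example, not the patent's code: a simulation of the claimed ARP update check.
# MACs, IPs and the "live" host set below are constructed for the demo.
ORIG_SENT, NEW_SENT = 1, 2  # attack-protection flag values (claims 5 to 7)

class ArpGuard:
    def __init__(self, live_macs):
        self.table = {}             # ip -> {"mac": str, "rec": None | {"mac", "flag"}}
        self.live = set(live_macs)  # constructed stand-in for hosts answering unicast ARP
        self.probes = []            # unicast ARP requests "sent": (ip, target mac)

    def receive_arp(self, ip, src_mac):
        """Step A: learn, refresh, or hold a MAC change and probe the original user."""
        entry = self.table.get(ip)
        if entry is None:
            self.table[ip] = {"mac": src_mac, "rec": None}
            return "learned"
        if entry["mac"] == src_mac:          # claim 4: same MAC, clear any stale record
            entry["rec"] = None
            return "refreshed"
        if entry["rec"] is None:             # claim 3 (A2): record new MAC, probe original
            entry["rec"] = {"mac": src_mac, "flag": ORIG_SENT}
            self.probes.append((ip, entry["mac"]))
        return "held"

    def receive_reply(self, ip, src_mac):
        """Steps B and D: the decision depends on which user answered the probe."""
        entry = self.table.get(ip)
        rec = entry["rec"] if entry else None
        if rec and rec["flag"] == ORIG_SENT and src_mac == entry["mac"]:
            entry["rec"] = None              # original user is alive: forbid the change
            return "forbidden"
        if rec and rec["flag"] == NEW_SENT and src_mac == rec["mac"]:   # claim 6
            entry["mac"], entry["rec"] = src_mac, None
            return "modified"
        return "ignored"

    def periodic_check(self):
        """Claim 7: move every pending record one stage; unanswered probes expire."""
        for ip, entry in self.table.items():
            rec = entry["rec"]
            if rec is None:
                continue
            if rec["flag"] == ORIG_SENT:     # step C: original silent, ask the new user
                self.probes.append((ip, rec["mac"])); rec["flag"] = NEW_SENT
            else:                            # step E: new user silent too, forbid
                entry["rec"] = None

    def deliver_probes(self):  # simulated LAN: only live MACs answer; returns decisions
        sent, self.probes = self.probes, []
        return [self.receive_reply(ip, mac) for ip, mac in sent if mac in self.live]
```

Run receive_arp for the spoofed message, deliver_probes for the original user's reply, then periodic_check and deliver_probes again to see the new-user stage; a spoof attempt against a live host ends as "forbidden" while a genuine NIC replacement ends as "modified".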
Priority Applications (1)

Application Number	Priority Date	Filing Date	Title
CNB2006101272297A	2006-09-14	2006-09-14	Method and equipment for preventing network attack by using address analytic protocol (status: Expired - Fee Related)

Publications (2)

Publication Number	Publication Date
CN1921491A	2007-02-28
CN100536474C (granted)	2009-09-02

Family ID: 37779061
Country status: CN (1), CN100536474C

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number	Priority date	Publication date	Assignee	Title
CN101110821B	2007-09-06	2010-07-07	华为技术有限公司	Method and apparatus for preventing ARP address cheating attack
CN101257517B *	2008-04-09	2012-05-09	中兴通讯股份有限公司	Method and device for processing address analysis protocol request message
CN101567891B *	2009-05-31	2012-05-02	成都市华为赛门铁克科技有限公司	Source address verification method, device and system
CN101567886B *	2009-06-03	2012-04-25	杭州华三通信技术有限公司	Method and equipment for list item safety management
CN101621525B *	2009-08-05	2012-09-05	杭州华三通信技术有限公司	Method and equipment for treating legal entries
CN101820396B *	2010-05-24	2012-04-18	杭州华三通信技术有限公司	Method and device for verifying message safety
CN104780139B *	2014-01-09	2018-02-13	北京东土科技股份有限公司	A defence method and system against MAC address attacks
CN110401616A *	2018-04-24	2019-11-01	北京码牛科技有限公司	A method and system for improving the security and stability of MAC addresses and IP addresses
CN114268542A *	2021-12-21	2022-04-01	奇安信科技集团股份有限公司	Network card information modification method and device, storage medium and computer equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ARP协议欺骗原理分析与抵御方法 (Analysis of the ARP spoofing principle and defence methods). 任侠, 吕述望. 计算机工程 (Computer Engineering), vol. 29, no. 9, 2003 *

Also Published As

Publication number Publication date
CN1921491A (en) 2007-02-28

Legal Events

Code	Title / Description
C06	Publication
PB01	Publication
C10	Entry into substantive examination
SE01	Entry into force of request for substantive examination
C14	Grant of patent or utility model
GR01	Patent grant
CP03	Change of name, title or address
	Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
	Patentee after: Xinhua three Technology Co., Ltd.
	Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base
	Patentee before: Huasan Communication Technology Co., Ltd.
CF01	Termination of patent right due to non-payment of annual fee
	Granted publication date: 20090902
	Termination date: 20200914