CN100563245C - A method for preventing ARP flooding attacks - Google Patents

A method for preventing ARP flooding attacks

Info

Publication number: CN100563245C
Authority: CN (China)
Prior art keywords: address, request message, ARP request, resolution protocol, equipment
Legal status: Active
Application number: CNB2005100698565A
Other languages: Chinese (zh)
Other versions: CN1855929A (en)
Inventor: 赵强
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CNB2005100698565A; publication of CN1855929A; application granted; publication of CN100563245C; legal status active

Abstract

The invention provides a method for preventing ARP flooding attacks. According to the IP address in a received ARP request or ARP reply, a device running the Address Resolution Protocol constructs a new ARP request and sends it, in order to actively confirm the correctness of the address mapping. The device running ARP is provided with a send counter and uses a send-suppression function to avoid repeatedly sending large numbers of ARP requests: the send counter counts the ARP requests sent for each IP address that has an address mapping or a temporary address mapping, and send suppression is implemented on that count. The method guarantees the correctness of the address mappings and thereby prevents the forwarding failures on a broadcast network caused by ARP spoofing or flooding attacks, so that data is forwarded normally at the physical network level.

Description

A method for preventing ARP flooding attacks
Technical field
The present invention relates to security of data communication networks, and in particular to a method for preventing flooding attacks against ARP (Address Resolution Protocol; ARP provides the mapping between an IP address and the corresponding hardware address, converting between the 32-bit IP address and whatever kind of address the data link layer uses).
Background technology
The IP protocol is currently the most widely used network-layer protocol standard for data communication. IP uses a 32-bit IP address to uniquely identify a device, and forwarding of data packets at the network layer is addressed on the basis of the IP address. The IP address, however, is meaningful only at the network layer; the hardware that carries an IP network does not use the IP address for addressing. For example, Ethernet devices identify hardware interfaces by a unique 48-bit Ethernet address, and the device driver never inspects the destination IP address of an IP datagram. On a broadcast network the mapping between these two address formats is performed by the Address Resolution Protocol. The mapping is established automatically, and ordinary application users or system administrators need not be concerned with it.
In a system that implements ARP, the protocol dynamically generates mappings between IP addresses and hardware addresses and keeps them for a period of time. When a hardware address is needed, the system looks up the mapping using the IP address as the unique key; the hardware address in the mapping found is exactly the hardware-recognisable address needed to forward the packet on the physical network. The generation of such mappings depends on the two ARP message types, the ARP request and the ARP reply.
When a system running ARP cannot find a mapping between the needed IP address and a hardware address, it sends an ARP request asking for the hardware address of that IP address. The requesting system includes its own IP address and hardware address in the message and indicates the IP address whose hardware address is being requested. The message is broadcast on the network. In the usual implementation, any system running ARP that receives such a request creates a mapping from the requester's IP address and hardware address contained in the request; if a mapping keyed by that IP address already exists, it is updated with the hardware address in the message.
When a system running ARP finds that the IP address named in a received ARP request is its own, it sends an ARP reply to the requester, notifying it of its own hardware address. This message is sent by unicast. On receiving the reply, the requester creates the mapping between the corresponding IP address and hardware address from the information in the reply.
The key to correct operation of ARP is ensuring the correctness of the mapping between IP address and hardware address. A system running ARP cannot detect an erroneous mapping on its own. If a wrong mapping is created, the sender transmits packets to the wrong hardware address and the receiver never gets them, so data forwarding is interrupted. Worse, because the sender believes it already holds the receiver's hardware address, it does not send an ARP request to refresh the mapping, and the wrong mapping persists for a period of time, until the two parties to the exchange happen to send ARP messages that correct it. This can seriously affect the use of the data network.
Exploiting this weakness of ARP, a malicious attacker can attack a network running ARP by forging ARP request messages. The attack proceeds as follows:
1. The attacker sends an ARP request whose destination network address is the broadcast address; the requester's source address in the message is the victim's IP address, forged by the attacker, and the stated hardware address is a wrong address.
2. Because the destination address of the ARP request is the broadcast address, every host on the broadcast network receives it. Under the usual ARP implementation, each host that receives the request associates the victim's IP address with the wrong hardware address and forms a mapping.
As a result, because the hardware address to which senders address their packets is not the victim's real hardware address, the victim cannot receive packets normally, and the attacker achieves the goal of blocking packet forwarding to the victim. We call this kind of attack ARP spoofing. In a broadcast network the number of ARP mappings held by a device acting as gateway is usually limited; if the attacker sends a large number of forged ARP requests, each with a different source IP address, data forwarding on the whole broadcast network fails, and the attack is then also called an ARP flooding attack.
The main current defence against ARP spoofing/flooding attacks is static configuration of ARP mappings. As described above, ARP mappings are generated dynamically, and precisely because they are dynamic, a malicious attacker has the opportunity to impersonate other users when sending messages and to block forwarding of data packets. Static ARP configuration means that the user configures the mapping entries between IP addresses and hardware addresses, and these mappings do not change over time. Because their priority is higher than that of the mappings generated dynamically by ARP, they are not changed by the information carried in ARP messages either. Although static ARP mappings can effectively solve the blocking of data forwarding caused by ARP spoofing/flooding, they require manually generating and maintaining a large number of IP-to-hardware mappings, which completely discards the benefit ARP brings: in effect the static configuration only imitates the final result ARP would produce while abandoning ARP itself. This method has many problems:
1. For a large broadcast network the amount of data to maintain is huge, so it is almost impossible for the administrator to maintain correct mappings between IP addresses and hardware addresses.
2. In the usual implementation, the number of static ARP mappings a device using ARP allows to be configured is smaller than the number of mappings it can learn automatically through ARP. In a larger broadcast network the static mappings may not cover the addresses of all devices, so the uncovered addresses remain exposed to malicious ARP spoofing; the method cannot be applied to large broadcast networks.
3. More and more devices adopt dual-machine hot standby for high availability. In that arrangement the primary and backup devices use the same IP address; the backup does not operate while the primary is normal and only monitors its state. Once the primary fails, the backup updates the mappings between the IP address and hardware address held by the other devices on the broadcast network by sending an ARP request. If those devices use static ARP mappings, this dynamic update of the address mapping cannot be completed, and failover between the primary and standby devices cannot work normally.
Summary of the invention
The object of the invention is to provide a method for preventing ARP flooding attacks, thereby preventing the forwarding failures on a broadcast network caused by ARP spoofing or flooding attacks.
To achieve this object, in the method of the invention a device running ARP constructs a new ARP request according to the IP address in a received ARP request or ARP reply, and sends that new ARP request again in order to actively request the hardware address of that IP address; the correctness of the address mapping is then confirmed according to the ARP message received afterwards. The method comprises the following steps:
1) the device running ARP receives an ARP request;
2) it constructs a further ARP request according to the requester's IP address carried in that request;
3) it sends the new request on the broadcast network, asking for the hardware address of the requester in the original request;
4) if an ARP reply to this request is received, the address mapping is established;
5) if no ARP reply to this request is received within a certain time, the originally received ARP request is considered erroneous or forged.
Step 3) further includes providing a send counter on the device running ARP and using the send counter to count the request messages sent.
The send counter has a prescribed upper send threshold; if the number of ARP requests sent for a particular IP address within a certain period has reached the upper send threshold, no further ARP request is sent for that IP address within that period.
The advantage of the invention is that the method effectively guards against spoofing or flooding attacks carried out against ARP. By implementing the invention the correctness of the ARP mappings can be maintained: actively learning the ARP mappings ensures that the address mapping is not changed by forged ARP requests, thereby ensuring normal operation of the broadcast network.
Description of drawings
Fig. 1 is the processing flowchart for an ARP request message according to the invention;
Fig. 2 is the processing flowchart for an ARP reply message according to the invention.
Embodiment
As shown in Fig. 1 and Fig. 2, after a device running ARP receives an ARP request or ARP reply sent by the device with a particular IP address as source address, it first checks whether a temporary address mapping for that particular IP address already exists locally.
The mapping between any particular IP address and a hardware address can be in one of the following states:
T0: when the address mapping is in state T0, no address mapping exists for the particular IP address.
T1: when the address mapping is in state T1, a temporary address mapping exists for the particular IP address. The mapping is provisional in that its validity period is very short, and the hardware address it records is not to be regarded as the hardware address needed to forward packets for that IP address on the physical network; that is, if the address mapping found by the device running ARP during packet forwarding is in state T1, it is handled exactly as if the mapping were in state T0.
T2: when the address mapping is in state T2, a valid address mapping exists for the particular IP address. Its validity period is far longer than that of a mapping in state T1, and the hardware address in the mapping is regarded as the hardware address needed to forward packets for that IP address on the physical network.
Transitions between these states are driven by the following events:
E0: the device running ARP receives an ARP request sent by the device whose source address is the particular IP address;
E1: the device running ARP receives an ARP reply sent by the device whose source address is the particular IP address;
E2: the device running ARP sends an ARP request asking for the address mapping of the particular IP address.
Table 1 is the state transition table of a conventional ARP implementation without the invention:
(Table 1 image not reproduced in this extraction)
Note: each cell of the table gives the state reached when the initial state in that row encounters the event in that column; NA means the state does not exist.
Table 2 is the state transition table of an ARP implementation with the invention:
(Table 2 image not reproduced in this extraction)
Note: each cell of the table gives the state reached when the initial state in that row encounters the event in that column; NA means the state does not exist; the event in parentheses is the action that the device running ARP actively performs at the time of the state transition.
(1) The device running ARP is in state T0 and receives an ARP request sent by the device with the particular IP address.
(1.1) The device running ARP creates a temporary address mapping for the particular IP address;
(1.2) the device running ARP constructs an ARP request for the particular IP address and sends it on the broadcast network, actively requesting the hardware address of the particular IP address;
(1.3) to prevent the large number of ARP requests sent by a malicious attacker from causing a device implementing this scheme to send a correspondingly large number of ARP requests in turn, the device implementing this scheme counts the ARP requests it sends for each IP address that has an address mapping or a temporary address mapping, and sends only a certain number of ARP requests for a particular IP address within a given period; if the send counter has reached the prescribed upper send threshold, no further ARP request is sent for that IP address within that period. This function is called send suppression;
(1.4) on the device running ARP, the state for the particular IP address changes to T1.
(2) The device running ARP is in state T0 and receives an ARP reply sent by the device with the particular IP address.
In this state, the processing flow of the device running ARP is exactly the same as described in section (1).
(3) The device running ARP is in state T0 and sends an ARP request to the device with the particular IP address.
(3.1) The device running ARP creates a temporary address mapping for the particular IP address;
(3.2) to prevent the large number of ARP requests sent by a malicious attacker from causing a device implementing this scheme to send a correspondingly large number of ARP requests in turn, the device implementing this scheme counts the ARP requests it sends for each IP address that has an address mapping or a temporary address mapping, and sends only a certain number of ARP requests for a particular IP address within a given period; if the send counter has reached the prescribed upper send threshold, no further ARP request is sent for that IP address within that period. This function is called send suppression.
Because the device running ARP has already actively sent an ARP request to the device with the particular IP address, in the state described in this section there is no need to send another ARP request.
(3.3) On the device running ARP, the state for the particular IP address changes to T1.
(4) The device running ARP is in state T1 and receives an ARP request sent by the device with the particular IP address.
(4.1) The device running ARP checks the legitimacy of the ARP request against the address mapping for the particular IP address; if the request is legitimate, it sends an ARP reply to the source IP address and source hardware address of the request.
(4.2) On the device running ARP, the state for the particular IP address changes to T2.
(5) The device running ARP is in state T1 and receives an ARP reply sent by the device with the particular IP address.
(5.1) The state on the device running ARP changes to T2, and the address mapping between the particular IP address and the hardware address is established.
(6) The device running ARP is in state T1 and sends an ARP request to the device with the particular IP address.
In this state, the processing flow of the device running ARP is exactly the same as described in section (4).
(7) The device running ARP is in state T2 and receives an ARP request sent by the device with the particular IP address.
(7.1) The device running ARP checks the ARP request send counter for the address mapping of the particular IP address. If the counter has not reached the upper send threshold, the device constructs an ARP request for the particular IP address and sends it on the broadcast network, actively requesting the hardware address of the particular IP address (E2); if the upper send threshold has been reached, the request is not constructed or sent.
(7.2) On the device running ARP, the state for the particular IP address remains T2.
(8) The device running ARP is in state T2 and receives an ARP reply sent by the device with the particular IP address.
(8.1) On the device running ARP, the address mapping for the particular IP address is updated with the content of the ARP reply, and the state remains T2.
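The T0/T1/T2 state machine, the E0/E1/E2 events and the send-suppression counter described above, as an added Python model that is not the patent's own code. The "legitimacy" test in state T1 (the request's hardware address must agree with the temporary mapping), the per-IP counting window, the send limit and the sample addresses are assumptions of this example; the scenario at the end shows a forged request for a victim's IP followed by the real host answering the active probe, then a flood of forged requests that the counter suppresses.

```python
"""Model of the patent's ARP cache states (T0/T1/T2), events (E0/E1/E2) and
send suppression. Added example, not the patent's code; the legitimacy test in
state T1 and the per-IP time window are assumptions of this example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    T0 = "no mapping"
    T1 = "temporary mapping (never used for forwarding)"
    T2 = "valid mapping"


@dataclass
class Entry:
    state: State = State.T0
    hw: Optional[str] = None
    sent: int = 0               # ARP requests sent for this IP in the current window
    window_start: float = 0.0


@dataclass
class ArpDevice:
    send_limit: int = 3         # upper send threshold of the send counter (assumed value)
    window: float = 10.0        # counting period in seconds (assumed value)
    table: Dict[str, Entry] = field(default_factory=dict)
    probes: List[Tuple[float, str]] = field(default_factory=list)  # (time, IP) of each probe sent

    def _entry(self, ip: str) -> Entry:
        return self.table.setdefault(ip, Entry())

    def send_request(self, ip: str, now: float) -> bool:
        """E2 with send suppression: at most send_limit probes per IP per window."""
        e = self._entry(ip)
        if now - e.window_start >= self.window:     # new counting period
            e.window_start, e.sent = now, 0
        if e.sent >= self.send_limit:               # threshold reached: suppress
            return False
        e.sent += 1
        self.probes.append((now, ip))
        if e.state is State.T0:                     # case (3): probing from T0 creates a T1 entry
            e.state = State.T1
        return True

    def on_request(self, src_ip: str, src_hw: str, now: float) -> Optional[Tuple[str, str, str]]:
        """E0: ARP request whose source is src_ip. Returns the ARP reply to send, if any."""
        e = self._entry(src_ip)
        if e.state is State.T0:                     # case (1): temporary mapping + active probe
            e.state, e.hw = State.T1, src_hw
            self.send_request(src_ip, now)
        elif e.state is State.T1:                   # case (4): legitimacy check, reply, T2
            if e.hw is None or e.hw == src_hw:      # assumption: must agree with the T1 entry
                e.state, e.hw = State.T2, src_hw
                return ("arp-reply", src_ip, src_hw)
        else:                                       # case (7): re-probe, limited by the counter
            self.send_request(src_ip, now)
        return None

    def on_reply(self, src_ip: str, src_hw: str, now: float) -> None:
        """E1: ARP reply whose source is src_ip."""
        e = self._entry(src_ip)
        if e.state is State.T0:                     # case (2): same handling as case (1)
            e.state, e.hw = State.T1, src_hw
            self.send_request(src_ip, now)
        elif e.state is State.T1:                   # case (5): answer to our probe confirms it
            e.state, e.hw = State.T2, src_hw
        else:                                       # case (8): refresh the valid mapping
            e.hw = src_hw

    def on_timeout(self, ip: str) -> bool:
        """Step 5: no reply within the period, so the original message is treated as
        wrong or forged and the temporary mapping is discarded."""
        e = self.table.get(ip)
        if e is not None and e.state is State.T1:
            del self.table[ip]
            return True
        return False

    def lookup(self, ip: str) -> Optional[str]:
        """Hardware address usable for forwarding: only T2 counts, T1 is treated like T0."""
        e = self.table.get(ip)
        return e.hw if e is not None and e.state is State.T2 else None


def spoof_scenario() -> dict:
    """Constructed scenario: a forged request claims the victim's IP with a bogus hardware
    address; the real victim answers the probe; then 50 more forged requests arrive."""
    dev = ArpDevice(send_limit=2, window=10.0)
    victim_ip, victim_hw, bogus_hw = "192.0.2.10", "02:00:00:00:00:0a", "02:00:00:00:00:ff"
    dev.on_request(victim_ip, bogus_hw, now=0.0)   # E0 in T0: T1 entry, one probe sent
    before = dev.lookup(victim_ip)                  # None: the bogus T1 entry is not used
    dev.on_reply(victim_ip, victim_hw, now=0.2)     # victim answers the probe: T2, real hw
    for i in range(50):                             # flood: each E0 in T2 asks for a re-probe
        dev.on_request(victim_ip, bogus_hw, now=1.0 + i * 0.01)
    return {"before_reply": before, "after_reply": dev.lookup(victim_ip),
            "probes_sent": len(dev.probes), "state": dev.table[victim_ip].state.name}


if __name__ == "__main__":
    print(spoof_scenario())
```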

Claims (6)

1. A method for preventing ARP flooding attacks, characterised in that: according to the IP address in a received ARP request or ARP reply, a device running ARP constructs a new ARP request; sends the new ARP request again in order to actively request the hardware address of that IP address; and confirms the correctness of the address mapping according to the ARP message received afterwards.
2. The method for preventing ARP flooding attacks according to claim 1, characterised in that the method comprises the following steps:
1) the device running ARP receives an ARP request sent by the device with a particular IP address;
2) the device running ARP constructs a new ARP request according to that particular IP address;
3) the new ARP request is sent on the broadcast network, actively requesting the hardware address of the requester in the original ARP request;
4) if an ARP reply to the new ARP request is received, the address mapping of the device with the particular IP address is established;
5) if no ARP reply to the new ARP request is received, the originally received ARP request is considered erroneous or forged.
3. The method for preventing ARP flooding attacks according to claim 1, characterised in that the method comprises the following steps:
1) the device running ARP receives an ARP request sent by the device with a particular IP address;
2) the device running ARP constructs a new ARP request according to that particular IP address;
3) the new ARP request is sent on the broadcast network, actively requesting the hardware address of the requester in the original ARP request;
4) if a new ARP request sent by the device with the particular IP address is received, the device running ARP checks the legitimacy of that new ARP request; if the new ARP request is legitimate, the address mapping of the device with the particular IP address is established.
4. The method for preventing ARP flooding attacks according to claim 1, characterised in that the method comprises the following steps:
1) the device running ARP receives an ARP reply sent by the device with a particular IP address;
2) the device running ARP constructs a new ARP request according to that particular IP address;
3) the new ARP request is sent on the broadcast network, actively requesting the hardware address of the requester in the original ARP request;
4) if an ARP reply to the new ARP request is received, or a new ARP request sent by the device with the particular IP address is received and that new ARP request is legitimate, the address mapping of the device with the particular IP address is established.
5. The method for preventing ARP flooding attacks according to any one of claims 2 to 4, characterised in that step 3) further includes providing a send counter on the device running ARP and using the send counter to count the request messages sent.
6. The method for preventing ARP flooding attacks according to claim 5, characterised in that the send counter has a prescribed upper send threshold; if the number of ARP requests sent for the particular IP address within a certain period has reached the upper send threshold, no further ARP request is sent for that IP address within that period.
CNB2005100698565A 2005-04-27 2005-04-27 A method for preventing ARP flooding attacks Active CN100563245C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100698565A CN100563245C (en) 2005-04-27 2005-04-27 A method for preventing ARP flooding attacks


Publications (2)

Publication Number Publication Date
CN1855929A CN1855929A (en) 2006-11-01
CN100563245C true CN100563245C (en) 2009-11-25





Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant