CN101030945A - Method for preventing PPPoE from being attacked by personnel server and false server - Google Patents

Info

Publication number: CN101030945A
Application number: CNA2007100904260A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 曹文利
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Prior art keywords: pppoe, server, interface, link, message
Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract

The method runs on an intermediate device that connects PPPoE clients to a PPPoE server, and divides the links or interfaces of that device into trusted links/interfaces and untrusted links/interfaces. It comprises: 202) enabling the PPPoE snooping function on the intermediate device; 204) configuring the trusted and untrusted links/interfaces on the intermediate device; 206) discarding abnormal PPPoE messages on untrusted links/interfaces, while trusted links/interfaces relay normal messages; and building a PPPoE snooping database to track rogue PPPoE servers.

Description

Method for preventing attacks on PPPoE by unauthorized and impersonating servers
Technical field
The present invention relates to the field of network communications technology, and in particular to a method for preventing attacks on PPPoE (Point-to-Point Protocol over Ethernet) by unauthorized servers and impersonating servers.
Background technology
PPPoE is a point-to-point protocol carried over Ethernet. A PPPoE session consists of two stages: the discovery stage and the PPP (Point-to-Point Protocol) session stage. The discovery stage is a stateless client/server exchange whose purpose is to obtain the MAC (Media Access Control) address of the PPPoE peer and to establish a unique PPPoE session identifier. The discovery stage proceeds as follows:
B1) The PPPoE client first sends a broadcast PADI (PPPoE Active Discovery Initiation) packet to look for PPPoE servers;
B2) On receiving the PADI packet, a PPPoE server checks the service requested by the client and, if it can provide that service, answers the client with a unicast PADO (PPPoE Active Discovery Offer) packet;
B3) The client selects a suitable server from among the servers that answered with a PADO, and sends it a unicast PADR (PPPoE Active Discovery Request) packet to inform it of the choice;
B4) On receiving the PADR packet, the selected server confirms whether it supports the requested service; if so, it allocates a unique Session ID for the user, starts the PPP state machine in preparation for the PPP session, and sends a unicast PADS (PPPoE Active Discovery Session-confirmation) packet.
Once the discovery stage is complete, the PPP session stage begins. This stage consists essentially of the negotiation of three protocols: LCP (Link Control Protocol), the authentication protocol, and NCP (Network Control Protocol). The authentication protocols are mainly PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol); in PAP the password is sent in plaintext, whereas in CHAP the password is protected rather than sent in the clear. During the PPP session stage all messages are unicast.
It follows from the above that PPPoE requires a bridged environment from the client to the server, and because the first PPPoE message, PADI, is a broadcast packet, it is received not only by the PPPoE server but by every other device present on the network. This is what makes unauthorized-server and impersonating-server attacks possible.
Suppose a user sets up a PPPoE server without authorization. Other users in the same bridged environment may then select the PADO packet answered by that unauthorized server and proceed to run their PPPoE session with it. In the authentication phase the unauthorized server does not hold the other users' accounts, so authentication fails and those users cannot get online; in the worst case every other user is unable to get online.
Suppose instead that a user impersonates the PPPoE server. Other users in the bridged environment may select the PADO packet answered by the impersonating server and proceed to run their PPPoE session with it. Because the PAP password is transmitted in plaintext, the impersonating server can steal the accounts and MAC addresses of any other users who authenticate with PAP. The worst case arises when the legitimate PPPoE server fails: the impersonating server is then the only server on the network, every user who wants to get online performs session authentication with it, and all accounts and MAC addresses that connect before the legitimate server recovers are stolen. In another variant, the attacker establishes a PPPoE session with the legitimate server using a legitimate account and then acts as a proxy, relaying the data of the users who connect to it on to the legitimate server, so that the attacker can monitor all of those users' traffic. In yet another variant, the attacker uses the impersonating server to hand users a modified DNS (Domain Name Server) address, so that, without the user noticing anything, traffic is directed to pre-configured sites such as fake banking sites that trick the user into giving up account and password, or is redirected to a malicious node intended to intercept the traffic.
Although an authentication protocol runs between the PPPoE server and the user, it is generally the PPPoE server that authenticates the user; the user does not authenticate the PPPoE server. Even where a PPPoE server supports being authenticated by the user, current PPPoE clients generally do not support that function. PPPoE clients therefore still cannot prevent the unauthorized-server and impersonating-server attacks described above.
Summary of the invention
The object of the invention is to implement a PPPoE snooping function, that is, to filter out the packets sent by illegitimate PPPoE servers on the network, so that users reach the network only through a legitimate PPPoE server, thoroughly guarding against unauthorized and impersonating PPPoE servers and improving the security of PPPoE access. To that end the invention provides a method for preventing attacks on PPPoE by unauthorized and impersonating servers.
The technical solution of the invention is a method for preventing attacks on PPPoE by unauthorized and impersonating servers that is applied on an intermediate device connecting PPPoE clients to the PPPoE server (hereinafter simply the intermediate device). The links or interfaces of the intermediate device are divided into trusted links/interfaces and untrusted links/interfaces. A trusted link/interface is one that connects to a legitimate PPPoE server (such as a BAS, Broadband Access Server) or to a PPPoE relay agent (such as a DSLAM, DSL Access Multiplexer, or an Ethernet access switch); it is normally a network-side link/interface of the intermediate device. An untrusted link/interface is one that connects to users or to another network; it is normally a user-side link/interface of the intermediate device.
The invention comprises the following steps:
Step S202: enable the PPPoE snooping function on the intermediate device;
Step S204: configure the trusted links/interfaces and untrusted links/interfaces on the intermediate device;
Step S206: snoop the PPPoE messages on the untrusted links/interfaces;
Step S208: discard abnormal PPPoE messages on the untrusted links/interfaces, while the trusted links/interfaces forward PPPoE messages normally; and
Step S210: build a PPPoE snooping database to track illegitimate PPPoE servers.
According to the invention, in step S202 the PPPoE snooping function on the intermediate device is disabled by default.
According to the invention, step S204 can also be described as configuring the trust state of the links/interfaces on the intermediate device. A link/interface on the intermediate device may be a physical or a virtual link/interface, and each is set to either trusted or untrusted. By default, every link/interface on the intermediate device is untrusted.
According to the invention, in step S206 the snooped messages include PADI, PADO, PADR and PADS. This step further comprises: after receiving the PADI message actively sent by the PPPoE client, at least one PPPoE server returns a PADO message; the PPPoE client selects one of the PPPoE servers that returned a PADO and sends it a PADR message to inform it of the selection; on receiving the PADR message, the selected PPPoE server allocates a unique Session ID, starts the PPP state machine in preparation for the PPP session, and sends the client a PADS session-confirmation message; and on receiving the PADS message the PPPoE client enters the PPP session stage. In addition, the session terminates when either the PPPoE client or the PPPoE server sends a PADT (PPPoE Active Discovery Terminate) message.
According to the invention, in step S208 the intermediate device discards the PADO and PADS packets it receives in the upstream direction on untrusted links/interfaces, and at the same time does not forward PADI and PADR messages in the downstream direction onto untrusted links/interfaces. On trusted links/interfaces PPPoE messages are forwarded normally.
According to the invention, in step S210 the PPPoE snooping database holds information about each illegitimate PPPoE server together with the link/interface of the intermediate device corresponding to that server; the information about an illegitimate PPPoE server includes at least its MAC address and link information.
The invention therefore achieves the following technical effect: users reach the network through a legitimate PPPoE server, attacks by unauthorized and impersonating PPPoE servers are guarded against, and the security of PPPoE access is improved.
Description of drawings
The accompanying drawings are provided to aid understanding of the invention and form part of the specification; together with the embodiments they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 shows a network structure according to an embodiment of the invention;
Fig. 2 is the flow chart of the method of the invention for preventing attacks by unauthorized and impersonating servers;
Fig. 3 is the communication diagram of the PPPoE discovery stage.
Embodiment
Preferred embodiments of the invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here serve only to describe and explain the invention and are not intended to limit it.
Fig. 1 shows a network structure according to an embodiment of the invention. Fig. 2 is the flow chart of the method of the invention for preventing attacks on PPPoE by unauthorized and impersonating servers. Fig. 3 is the communication diagram of the PPPoE discovery stage.
As shown in Fig. 1, the network consists of a PPPoE client 102, an illegitimate PPPoE server 104, an intermediate device 106 and a legitimate PPPoE server 108. The PPPoE client 102 is connected to the legitimate PPPoE server 108 through the intermediate device 106. In this embodiment the intermediate device 106 is a switch and the legitimate PPPoE server 108 is a BAS (Broadband Access Server).
The process of Fig. 2 is now described in detail with reference to Fig. 1 and Fig. 3. The invention is applied on an intermediate device that connects PPPoE clients to the PPPoE server, and the links or interfaces of the intermediate device are divided into trusted links/interfaces and untrusted links/interfaces. A trusted link/interface connects to a legitimate PPPoE server (such as a BAS) or to a PPPoE relay agent (such as a DSLAM or an Ethernet access switch) and is normally a network-side link/interface of the intermediate device; an untrusted link/interface connects to users or to another network and is normally a user-side link/interface of the intermediate device. In this embodiment the invention is applied on the intermediate device 106.
As shown in Fig. 2, the method for preventing attacks on PPPoE by unauthorized and impersonating servers comprises the following steps:
Step S202: enable the PPPoE snooping function on the intermediate device. What is enabled here is the PPPoE snooping function on the intermediate device; under the default configuration, the snooping function on the intermediate device may be set to the disabled state.
Step S204: configure the trusted links/interfaces and untrusted links/interfaces on the intermediate device. This step can also be described as configuring the trust state of the links/interfaces on the intermediate device. A link/interface on the intermediate device may be a physical or a virtual link/interface, and each is set to either trusted or untrusted. By default, every link/interface on the intermediate device is untrusted. In this embodiment the concrete sub-steps are as follows:
The links/interfaces of the PPPoE-snooping intermediate device 106 shown in Fig. 2 are set to trusted or untrusted. Here the trusted link/interface is link/interface 1, on which the intermediate device 106 connects to the legitimate PPPoE server 108; the untrusted links/interfaces are link/interface 2, on which the intermediate device 106 connects to the PPPoE client 102, and link/interface 3, on which it connects to the illegitimate PPPoE server 104. By default, the links/interfaces of the intermediate device are untrusted.
Step S206: snoop the PPPoE messages on the untrusted links/interfaces. The snooped messages include PADI, PADO, PADR and PADS.
The snooping process of step S206 is described in detail below with reference to Fig. 3:
First, after receiving the PADI message actively sent by the PPPoE client 302, at least one PPPoE server 304 returns a PADO message;
Next, the PPPoE client 302 selects one of the at least one PPPoE servers 304 that returned a PADO, and sends the selected PPPoE server 304 a PADR message to inform it of the selection;
Next, on receiving the PADR message, the selected PPPoE server 304 allocates a unique Session ID, starts the PPPoE state machine in preparation for the PPPoE session, and sends a PADS message to the client 302; and
Finally, on receiving the PADS message, the PPPoE client 302 enters the PPP session stage.
Note, however, that the session terminates whenever either the PPPoE client 302 or the PPPoE server 304 sends a PADT message.
Step S208: discard abnormal PPPoE messages on the untrusted links/interfaces, while the trusted links/interfaces forward PPPoE messages normally.
According to the embodiment, in step S208 of Fig. 2 the intermediate device discards the PADO and PADS packets of Fig. 3 that it receives in the upstream direction on untrusted links/interfaces, and at the same time does not forward the PADI and PADR messages of Fig. 3 in the downstream direction onto untrusted links/interfaces. Illegitimate PPPoE messages are thus blocked by the intermediate device, which achieves the goal of filtering out illegitimate PPPoE servers. The trusted link then forwards PPPoE messages normally, ensuring that users reach the network through the legitimate PPPoE server.
Step S210: build a PPPoE snooping database to track illegitimate PPPoE servers. The PPPoE snooping database holds information about each illegitimate PPPoE server together with the link/interface of the intermediate device corresponding to that server; the information about an illegitimate PPPoE server includes at least its MAC address and link information. In this embodiment the PPPoE snooping database contains the MAC address of the illegitimate PPPoE server 104, link/interface 3, and the interface information of the corresponding illegitimate link on the intermediate device 106. This information can be displayed by the device's management system, allowing the illegitimate PPPoE server to be tracked down.
As described above, the method for preventing attacks on PPPoE by unauthorized and impersonating servers is realised by implementing the PPPoE snooping function on the intermediate device: the packets sent by illegitimate PPPoE servers are filtered out of the network, users connect to the network through the legitimate PPPoE server, attacks by unauthorized and impersonating PPPoE servers are thoroughly guarded against, and the security of PPPoE access is thereby improved.
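The discovery exchange of steps B1-B4 (Fig. 3) and the filtering rules of steps S206-S210, as an added Python model that is not part of the patent: it builds and parses PPPoE discovery frames, applies the upstream and downstream rules on a switch with a trusted port if1 (facing the BAS) and untrusted ports if2 and if3 (facing the client and the rogue server), and records the rogue server in the snooping database. The interface names, MAC addresses and frames are constructed for the example.

```python
"""PPPoE discovery snooping on an intermediate device, modelled on steps S202-S210.
Constructed example: MAC addresses, interface names and frames are made up."""
import struct
from collections import namedtuple

ETH_P_PPPOE_DISC = 0x8863                            # Ethertype of the discovery stage
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7   # RFC 2516 discovery codes
VALID_CODES = {PADI, PADO, PADR, PADS, PADT}
SERVER_CODES = {PADO, PADS}                          # only a PPPoE server originates these
CLIENT_CODES = {PADI, PADR}                          # only a PPPoE client originates these
TAG_SERVICE_NAME, TAG_AC_NAME = 0x0101, 0x0102       # discovery tag types used below

# Constructed, locally administered MACs for the Fig. 1 roles (client 102, rogue 104, BAS 108)
BCAST = b"\xff" * 6
CLIENT = bytes.fromhex("020000000102")
ROGUE = bytes.fromhex("020000000104")
BAS = bytes.fromhex("020000000108")

DiscFrame = namedtuple("DiscFrame", "dst src code session_id tags")


def build_frame(dst, src, code, session_id=0, tags=()):
    """Build an Ethernet frame carrying one PPPoE discovery packet (ver=1, type=1)."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + header + payload


def parse_frame(raw):
    """Parse a PPPoE discovery frame; return None for anything that is not one."""
    if len(raw) < 20 or struct.unpack("!H", raw[12:14])[0] != ETH_P_PPPOE_DISC:
        return None
    ver_type, code, session_id, plen = struct.unpack("!BBHH", raw[14:20])
    body = raw[20:20 + plen]
    if ver_type != 0x11 or code not in VALID_CODES or len(body) != plen:
        return None
    tags, off = {}, 0
    while off + 4 <= len(body):                      # walk the TLV tag list
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        tags[ttype] = body[off + 4:off + 4 + tlen]
        off += 4 + tlen
    return DiscFrame(raw[:6], raw[6:12], code, session_id, tags)


class PppoeSnooper:
    """Intermediate device (a switch in the embodiment) with trusted/untrusted ports.
    Forwarding is modelled as flooding to every other port; narrowing that set with a
    MAC table, as a real switch would, does not change the snooping decision."""

    def __init__(self, interfaces, enabled=False):
        self.enabled = enabled                          # S202: disabled by default
        self.trusted = {i: False for i in interfaces}   # S204: untrusted by default
        self.rogue_db = {}                              # S210: rogue MAC -> ingress port

    def set_trusted(self, iface, trusted=True):
        self.trusted[iface] = trusted

    def forward(self, ingress, raw):
        """Return the ports the frame is sent out of after the S206/S208 checks."""
        others = [i for i in self.trusted if i != ingress]
        frame = parse_frame(raw) if self.enabled else None
        if frame is None:                               # snooping off, or not PPPoE discovery
            return others
        if frame.code in SERVER_CODES and not self.trusted[ingress]:
            # S208 upstream rule: PADO/PADS arriving on an untrusted port are dropped
            # and the sender is recorded in the snooping database (S210).
            self.rogue_db[frame.src] = ingress
            return []
        if frame.code in CLIENT_CODES:
            # S208 downstream rule: PADI/PADR are never sent towards untrusted ports,
            # so a rogue server behind such a port never sees a client discovering.
            return [i for i in others if self.trusted[i]]
        return others                                   # PADT, or server frames from trusted ports


def run_scenario():
    """Replay the Fig. 3 discovery exchange over the Fig. 1 topology and collect decisions."""
    sw = PppoeSnooper(["if1", "if2", "if3"], enabled=True)
    sw.set_trusted("if1")                               # if1 faces the legitimate BAS 108
    svc = [(TAG_SERVICE_NAME, b"")]                     # empty Service-Name: any service
    out = {}
    out["padi"] = sw.forward("if2", build_frame(BCAST, CLIENT, PADI, tags=svc))
    out["rogue_pado"] = sw.forward("if3", build_frame(CLIENT, ROGUE, PADO, tags=svc + [(TAG_AC_NAME, b"rogue")]))
    out["bas_pado"] = sw.forward("if1", build_frame(CLIENT, BAS, PADO, tags=svc + [(TAG_AC_NAME, b"bas")]))
    out["padr"] = sw.forward("if2", build_frame(BAS, CLIENT, PADR, tags=svc))
    out["pads"] = sw.forward("if1", build_frame(CLIENT, BAS, PADS, session_id=0x1234, tags=svc))
    out["rogue_db"] = {mac.hex(":"): port for mac, port in sw.rogue_db.items()}
    return out


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:>10}: {decision}")
```

With snooping left at its default (disabled), the same rogue PADO is flooded like any other frame, which is why step S202 must precede the rest.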
The above are only preferred embodiments of the invention and do not limit it; those skilled in the art can make various changes and variations to the invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (10)

1. A method for preventing attacks on PPPoE by unauthorized and impersonating servers, applied on an intermediate device that connects PPPoE clients and a PPPoE server, the links or interfaces of the intermediate device being divided into trusted links/interfaces and untrusted links/interfaces, characterized in that it comprises the following steps:
Step S202: enabling the PPPoE snooping function on the intermediate device;
Step S204: configuring the trusted links/interfaces and untrusted links/interfaces on the intermediate device;
Step S206: snooping the PPPoE messages on the untrusted links/interfaces;
Step S208: discarding abnormal PPPoE messages on the untrusted links/interfaces, while the trusted links/interfaces forward PPPoE messages normally;
Step S210: building a PPPoE snooping database to track illegitimate PPPoE servers.
2. The method for preventing attacks on PPPoE by unauthorized and impersonating servers according to claim 1, characterized in that in said step S202 the PPPoE snooping function on the intermediate device is disabled by default.
3. The method for preventing attacks on PPPoE by unauthorized and impersonating servers according to claim 1, characterized in that said step S204 may also be described as configuring the trust state of the links/interfaces on the intermediate device.
4. The method for preventing attacks on PPPoE by unauthorized and impersonating servers according to claim 3, characterized in that the links/interfaces on the intermediate device may be physical links/interfaces or virtual links/interfaces, and are set to trusted links/interfaces or untrusted links/interfaces.
5. The method for preventing attacks on PPPoE by unauthorized and impersonating servers according to claim 3 or 4, characterized in that the links/interfaces on the intermediate device are untrusted links/interfaces by default.
6. The method for preventing attacks on PPPoE by unauthorized and impersonating servers according to claim 1, characterized in that in said step S206 the snooped messages include PADI, PADO, PADR and PADS.
7. The method for preventing attacks on PPPoE by unauthorized and impersonating servers according to claim 6, characterized in that said step S206 further comprises the following steps:
after receiving the PADI message actively sent by the PPPoE client, at least one PPPoE server returns a PADO message;
the PPPoE client selects one of the PPPoE servers that returned a PADO message and sends it a PADR message to inform it of the selection;
on receiving the PADR message, the selected PPPoE server allocates a unique Session ID, starts the PPP state machine in preparation for the PPP session, and sends the client a PADS session-confirmation message;
and on receiving the PADS message, the PPPoE client enters the PPP session stage.
8. The method for preventing attacks on PPPoE by unauthorized and impersonating servers according to claim 6 or 7, characterized in that the session terminates when either the PPPoE client or the PPPoE server sends a PADT message.
9. The method for preventing attacks on PPPoE by unauthorized and impersonating servers according to claim 1, characterized in that in said step S208 the intermediate device discards the PADO and PADS packets received in the upstream direction on the untrusted links/interfaces, and at the same time does not forward PADI and PADR messages in the downstream direction onto the untrusted links/interfaces; PPPoE messages are forwarded normally on the trusted links/interfaces.
10. The method for preventing attacks on PPPoE by unauthorized and impersonating servers according to claim 1, characterized in that in said step S210 the PPPoE snooping database comprises information about the illegitimate PPPoE server and the link/interface information of the corresponding illegitimate server on the intermediate device, the information about the illegitimate PPPoE server comprising at least its MAC address and link information.
Application number: CNA2007100904260A
Priority date / filing date: 2007-04-06
Publication: CN101030945A (en), 2007-09-05
Status: Pending
Family ID: 38716029
Country status: CN (1) CN101030945A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141396B (en) * 2007-09-18 2010-12-15 华为技术有限公司 Packet processing method and network appliance
CN102594810A (en) * 2012-02-08 2012-07-18 神州数码网络(北京)有限公司 Method and device for preventing path maximum transmission unit (PMTU) attack of internet protocol version 6 (IPv6) network
CN102594810B (en) * 2012-02-08 2016-03-30 神州数码网络(北京)有限公司 Method and apparatus for preventing PMTU attacks in an IPv6 network
CN103441893A (en) * 2013-08-16 2013-12-11 大连梯耐德网络技术有限公司 User internet-surfing behavior analysis method based on broadcast television network
CN107534665A (en) * 2015-04-24 2018-01-02 思科技术公司 Scalable intermediary network device using the SSL session ticket extension
CN107534665B (en) * 2015-04-24 2020-10-16 思科技术公司 Scalable intermediary network device utilizing SSL session ticket extensions

Similar Documents

Publication Publication Date Title
CN100563158C (en) Access control method and system
US7765309B2 (en) Wireless provisioning device
US7684405B2 (en) Broadband access method with great capacity and the device and the system thereof
CN100499554C (en) Network admission control method and network admission control system
CN100512109C (en) Access authentication system and method by verifying safety of accessing host
WO2006116926A1 (en) Method system and server for implementing dhcp address security allocation
WO2008080314A1 (en) A method, forwarding engine and communication device for message acces control
WO2006114053A1 (en) A method, system and apparatus for preventing from counterfeiting the mac address
WO2005024567A2 (en) Network communication security system, monitoring system and methods
GB2388498A (en) Checking address information of a wireless terminal in a wireless LAN
CN104601566B (en) authentication method and device
EP2838242B1 (en) Method and apparatus for preventing network-side media access control address from being counterfeited
CN101459653B (en) Method for preventing DHCP packet attack based on Snooping technique
EP1843624B1 (en) Method for protecting digital subscriber line access multiplexer, DSLAM and XDSL single service board
CN107277058A (en) A kind of interface authentication method and system based on BFD agreements
CN101030945A (en) Method for preventing PPPoE from being attacked by personnel server and false server
CN100571272C (en) Improve the method for LAN communication safety
JP2001326696A (en) Method for controlling access
WO2008037212A1 (en) An access terminal and a method for the terminal binding to the operator
CN1228943C (en) User authentication management method in Ethernet broadband access system
CN100471167C (en) Method and apparatus for managing wireless access-in wide-band users
EP2073432B1 (en) Method for binding an access terminal to an operator and corresponding access terminal
CN1527557A (en) Method of transmitting 802.1X audit message via bridging device
CN1225870C (en) Method and apparatus for VLAN based network access control
KR20050076410A (en) Xdsl modem and system including dhcp spoofing server, and pppoe method for connecting internet using the same

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 2007-09-05