CN101043356A - Method for preventing MAC address cheat - Google Patents

Info

Publication number
CN101043356A
Authority
CN
China
Prior art keywords
mac address
port
ethernet frame
forwarding table
mac
Legal status
Granted
Application number
CNA2006100608224A
Other languages
Chinese (zh)
Other versions
CN100488118C (en)
Inventor
马书雷
潘晶
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
2006-05-19
Filing date
2006-05-19
Publication date
2007-09-26
Application filed by Huawei Technologies Co Ltd
Priority to CNB2006100608224A
Publication of CN101043356A
Application granted
Publication of CN100488118C
Expired - Fee Related
Anticipated expiration

Abstract

The disclosed method for preventing MAC address spoofing comprises: setting the user port to the learning-controlled state; when an Ethernet frame arrives, checking whether the MAC address forwarding table contains an entry whose MAC address and VLAN ID are identical to the frame's source MAC address and VLAN ID; if so, sending the frame to the CPU for processing, which further decides whether the port recorded in that entry is an uplink port. The invention can record the user port on which a malicious attack occurred and the time of the attack, notify the user promptly through the CPU system's man-machine interface and the network management system, and identify the attacking user.

Description

Method for preventing MAC address spoofing
Technical field
The present invention relates to the field of data communications and, more specifically, to a method for preventing MAC address spoofing.
Background technology
The IEEE 802.3 standard specifies that a standard Ethernet MAC frame carries a destination MAC address and a source MAC address, each 6 bytes long. Fig. 1 shows the standard Ethernet MAC frame format, in which:
Destination Address: destination MAC address, 6 bytes
Source Address: source MAC address, 6 bytes
Length/Type: data length or message type, 2 bytes
DATA: the data field carried by the Ethernet frame
FCS: Frame Check Sequence
The destination MAC address identifies the physical device to which the Ethernet frame is sent, and the source MAC address identifies the physical device that sent it. The first bit of the destination MAC address (the least significant bit of its first byte) indicates whether the destination MAC address is a unicast or a multicast address: 0 means the destination MAC address is a unicast address, 1 means it is a multicast address.
If the destination MAC address of an Ethernet frame is a unicast MAC address, then after the frame enters the device, the device looks up the MAC address forwarding table by the frame's destination MAC address and VLAN ID (Virtual LAN ID). If a matching entry is found, the frame is forwarded out of the port whose number is recorded in that entry; if no entry is found, the frame is broadcast to all ports in that VLAN.
IEEE 802.1Q (Virtual Bridged Local Area Networks) specifies how VLANs are implemented in Ethernet. A 4-byte 802.1Q tag is inserted after the source MAC address of the standard Ethernet frame; Fig. 2 shows the standard 802.1Q frame format. The 802.1Q tag consists of a 2-byte Tag Protocol Identifier (TPID) and 2 bytes of Tag Control Information (TCI). The TPID value is hexadecimal 8100 and identifies the frame as an Ethernet frame carrying an 802.1Q tag. The contents of the TCI are shown in Fig. 3; the VID (VLAN Identifier) is a 12-bit field that identifies different VLANs, takes values from 0 to 4095, and therefore distinguishes 4096 VLANs. Every data message sent by a device that supports the 802.1Q protocol carries this field to indicate the VLAN it belongs to.
If the device receives an Ethernet frame without an 802.1Q tag, it can add an 802.1Q tag according to the port (or according to the source MAC address, the protocol type of the message, and so on); if it receives a frame that already carries an 802.1Q tag, the frame is not modified. After receiving an Ethernet frame, the device adds a corresponding forwarding-table entry that records the frame's source MAC address, VLAN ID and port number; this is called MAC address learning. Fig. 4 shows the basic format of an Ethernet MAC address forwarding-table entry.
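As an added illustration (not part of the patent text and not Huawei's code), the following Python parser reads the Ethernet header of Figs. 1-3: it extracts the destination and source MAC addresses, tests the first bit of the destination address for unicast versus multicast, recognizes the TPID value 0x8100 and takes the 12-bit VID from the TCI. The frame bytes, MAC addresses and function names are constructed for this example.

```python
# Added example (not from the patent): parser for a standard Ethernet MAC
# frame with an optional 802.1Q tag, following the field layout of Figs. 1-3.
# Frame bytes and MAC addresses below are constructed sample values.
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100          # TPID value that marks an 802.1Q-tagged frame
ETH_HDR_LEN = 14             # dst (6) + src (6) + length/type (2)
TAG_LEN = 4                  # TPID (2) + TCI (2)


class EthHeader(NamedTuple):
    dst: str
    src: str
    vlan_id: Optional[int]   # None when no 802.1Q tag is present
    ethertype: int           # the length/type field after any tag
    is_multicast: bool       # first bit of the destination address
    payload: bytes


def fmt_mac(raw: bytes) -> str:
    """Render 6 raw bytes as colon-separated lowercase hex."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> EthHeader:
    """Parse dst/src, detect an 802.1Q tag and extract the 12-bit VID."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, ETH_HDR_LEN
    if ethertype == TPID_8021Q:
        if len(frame) < ETH_HDR_LEN + TAG_LEN:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF   # VID: low 12 bits of the TCI, 0..4095
        offset = ETH_HDR_LEN + TAG_LEN
    # LSB of the first destination byte: 0 = unicast, 1 = multicast
    return EthHeader(fmt_mac(dst), fmt_mac(src), vlan_id, ethertype,
                     bool(dst[0] & 0x01), frame[offset:])


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None) -> bytes:
    """Construct a frame (the inverse of parse_ethernet) for sample input."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed samples: a tagged unicast frame in VLAN 100, an untagged frame,
# and a frame to a multicast destination in the highest VLAN.
TAGGED = build_frame("00:00:5e:00:53:01", "02:00:00:00:00:01", 0x0800, b"data", 100)
UNTAGGED = build_frame("00:00:5e:00:53:01", "02:00:00:00:00:02", 0x0800, b"data")
MCAST = build_frame("01:00:5e:00:00:01", "02:00:00:00:00:03", 0x0800, b"data", 4095)

if __name__ == "__main__":
    for f in (TAGGED, UNTAGGED, MCAST):
        print(parse_ethernet(f))
```

The (source MAC, VID) pair returned by `parse_ethernet` is exactly the key on which the forwarding-table lookup and the learning check described below operate; a truncated tag is rejected rather than parsed as an untagged frame.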
Before the source MAC address is learned, the device looks up the MAC address forwarding table by source MAC address and VLAN ID. If an identical entry is found but its port number differs, the entry is updated with the new port number; this is called station movement. If no identical entry is found, a new forwarding-table entry is added. MAC address forwarding-table entries are divided into static and dynamic entries. A static MAC address entry can only be configured manually on the device and cannot undergo station movement, i.e. its port number is not updated automatically when an Ethernet frame enters from a different port. A dynamic MAC address entry can undergo station movement, i.e. its port number is updated automatically when an Ethernet frame enters from a different port, and dynamic entries age out after a certain period, i.e. they are deleted by the network switching chip.
The port attributes of a network switching chip usually support several MAC address learning states. The common one is automatic MAC address learning with station movement; in addition, a port can be set to the learning-controlled state, in which the port does not learn MAC addresses automatically, and if the source MAC address of an Ethernet frame does not exist on that port, the hardware does not forward the frame but delivers it to the CPU system.
In an access device, ports are divided into uplink ports and user ports. An uplink port is a port connected to the upstream device, which is typically a layer-3 switch or a BAS (Broadband Access Server); a user port is a port connected to a subscriber computer or to another layer-2 or layer-3 switch. The MAC address of the upstream device may be learned on the uplink port, and the MAC addresses of subscriber devices may be learned on user ports. The destination MAC address of an Ethernet frame sent by a subscriber device is the MAC address of the upstream device; when such a frame reaches the device, the device looks up the MAC address forwarding table, and because the port number in the upstream device's forwarding-table entry is the uplink port, the device forwards the frame out of the uplink port, as shown in Fig. 5.
If the MAC address of subscriber device 1 is identical to the MAC address of the upstream device, or subscriber device 1 maliciously forges the upstream device's MAC address, the upstream device's MAC address is learned on user port 1. Ethernet frames that subscriber device 2 sends to the upstream device are then forwarded to user port 1 by mistake, so subscriber device 2 cannot send Ethernet frames to the upstream device and cannot access the network normally, as shown in Fig. 6.
At the same time, when the upstream device's MAC address undergoes station movement, the device does not notify the CPU system, so it cannot detect which subscriber device has forged the upstream device's MAC address.
For common chips that do not support MAC address collision detection, the usual practice in the prior art is:
A static MAC address is configured on the uplink port, the MAC address being that of the upstream device; if several VLANs exist, a static MAC address must be configured in each VLAN. When the source MAC address of an Ethernet frame entering from a user port is identical to the upstream device's MAC address, no station movement of that MAC address occurs, because the uplink port has a static MAC address configured.
However, the prior art has the following shortcomings:
(1) static configuration requires the MAC address of the upstream device to be known in advance, so static configuration cannot be done when the upstream device's MAC address is unknown;
(2) when several VLANs exist, a static MAC address must be configured in each VLAN, which makes configuration complicated;
(3) configuring a static MAC address only limits station movement of that MAC address; it cannot detect on which port the MAC address conflict occurred.
Summary of the invention
In view of this, the method and apparatus for preventing MAC address spoofing provided by the invention solve the prior-art problems that configuring a static MAC address on the uplink port requires the upstream device's MAC address to be known and that the configuration is complicated, and that the CPU is not notified when a MAC address undergoes station movement.
A method for preventing MAC address spoofing provided by the invention comprises:
A. setting the user port to the learning-controlled state;
B. when an Ethernet frame enters from the user port, checking whether the MAC address forwarding table contains an entry whose MAC address and VLAN ID are identical to the source MAC address and VLAN ID of the Ethernet frame; if so, handing the frame to the CPU system for processing, which further judges whether the port in that entry is an uplink port, thereby preventing MAC address spoofing.
The method further comprises: after the CPU system receives the Ethernet frame, if it finds that the port recorded in that entry of the MAC address forwarding table is not an uplink port, the CPU system updates the MAC address forwarding table; otherwise the Ethernet frame is shown to carry an illegal MAC address, and the MAC address forwarding table is not updated.
The update of the MAC address forwarding table by the CPU system means that the CPU system sets the port number in the forwarding-table entry whose MAC address and VLAN ID are identical to the frame's source MAC address and VLAN ID to the number of the user port through which the Ethernet frame entered.
The method also comprises generating a port access control list from the recorded illegal MAC address and port information.
It further comprises outputting the MAC address and port information through a man-machine interface or reporting it to the network management system.
With the present invention, the problem that a subscriber device cannot send Ethernet frames to the upstream device because of MAC address spoofing or duplicate MAC addresses can be solved. When the same MAC address appears on subscriber devices attached to different user ports, arbitrary station movement of the MAC address between user ports is prevented, so that Ethernet frames sent by the upstream device to a subscriber device are not forwarded to the wrong user port.
Furthermore, when a user port is detected to have the same MAC address as the upstream device, the number of the user port on which the malicious attack occurred and the time of the attack can be recorded.
The user can further be notified promptly through the CPU system's man-machine interface and the network management system, so that the user port on which a malicious attack is taking place is detected quickly and security is ensured.
Description of drawings
Fig. 1 is a schematic diagram of an Ethernet MAC frame;
Fig. 2 is a schematic diagram of an Ethernet frame carrying an 802.1Q tag;
Fig. 3 is a schematic diagram of the Tag Control Information (TCI) part of the 802.1Q tag;
Fig. 4 is a schematic diagram of an Ethernet MAC address forwarding-table entry;
Fig. 5 is a schematic diagram of a user-port Ethernet frame correctly forwarded to the uplink port, together with its MAC address forwarding-table entry;
Fig. 6 is a schematic diagram of a user-port Ethernet frame wrongly forwarded to another port, together with its MAC address forwarding-table entry;
Fig. 7 is a flow chart of MAC address spoofing detection in an embodiment of the invention.
Embodiment
The core idea of the invention is to set the user ports of the device to a state in which MAC addresses are not learned automatically, i.e. the learning-controlled state. When an Ethernet frame enters from an uplink port, no check is performed during MAC address learning: the MAC address can be learned normally on the uplink port, and station movement (moving from a user port to the uplink port) is allowed. When an Ethernet frame enters from a user port, however, the device first checks whether the frame's source MAC address exists on that port; if it does not, the hardware does not forward the frame but sends it to the CPU system for processing.
The processing of an Ethernet frame entering from a user port according to the invention is described below with reference to the drawings, using the example shown in Fig. 7:
Step 1: an Ethernet frame enters from user port USER_PORT1;
Step 2: the MAC address forwarding table MAC_TABLE is searched by the frame's source MAC address and VLAN ID to determine whether an entry exists whose MAC address and VLAN ID are both identical to those of the frame;
If no entry with the same source MAC address and VLAN ID exists, there is no possibility of MAC address spoofing at this point, and the flow proceeds to step 3: a new entry is added to MAC_TABLE whose MAC address and VLAN ID are the frame's source MAC address and VLAN ID and whose port number is the user port USER_PORT1 through which the frame entered;
If such an entry does exist, the flow proceeds to step 4: it is further judged whether the port number recorded in the entry is identical to the port USER_PORT1 through which the frame entered;
Step 5: if the port number recorded in the entry is identical to the port USER_PORT1 through which the frame entered, the frame is normal; the Ethernet frame is forwarded and the flow ends.
Step 6: if the port number recorded in the entry differs from the port through which the frame entered, then, because the port is in the learning-controlled state, no station movement occurs; the frame is delivered to the CPU system for processing, and the network switching chip does not forward it;
Step 7: after the CPU system receives the Ethernet frame, it checks whether the port number recorded in the forwarding-table entry whose MAC address and VLAN ID are identical to the frame's source MAC address and VLAN ID is an uplink port;
Step 8: if no entry matching the frame's source MAC address and VLAN ID records an uplink port as its port number, the source MAC address of the frame entering from the user port is legal. The CPU system updates that entry in the MAC address forwarding table, setting its port number to the user port USER_PORT1 through which the frame entered, then forwards the Ethernet frame, and the flow ends.
Step 9: if an entry matching the frame's source MAC address and VLAN ID records an uplink port as its port number, the source MAC address of the frame entering from user port USER_PORT1 duplicates the MAC address of the upstream device and is an illegal MAC address;
Step 10: the CPU system records the port number on which MAC address spoofing occurred in a database, together with the time at which the spoofing took place, in the following form:
MAC address 1    User port 1    Time 1
MAC address 1    User port 2    Time 2
......           ......         ......
MAC address n    User port n    Time n
The user can query the port numbers on which MAC address spoofing occurred and the times of occurrence through the man-machine interface or the network management system.
When the CPU system records the port number on which MAC address spoofing occurred, it can also print the port number and the corresponding list of duplicate MAC addresses through the man-machine interface, and actively report them to the network management system.
Step 11: the CPU system configures an access control list (ACL) on the port on which MAC spoofing occurred. The ACL matches on the source MAC address and its action type is deny, i.e. Ethernet frames whose source MAC address is that of the upstream device are forbidden from entering through the user port, which protects the CPU system. The format of the access control list is shown in the following table:
Control port            Control matching domain                          Action
User port USER_PORT1    Ethernet frame source MAC address MAC_ENTRY1     Deny
Because the number of access control list entries that can be stored is limited, the entries may be exhausted if there are many illegal users, so the system must delete access control list entries periodically. When the access control list is exhausted, the port on which MAC address spoofing occurred is shut down and no further messages are allowed to enter through it, in order to protect the CPU system.
The device also supports the case of several uplink ports; if the device has several uplink ports, the check must be made against all of them at once. This scheme can detect not only duplication between a subscriber device's MAC address and the upstream device's, but also duplication between subscriber devices: in step 7, when the CPU system checks the forwarding-table entry, it can check the port number not only against the uplink port number but also against whether it is another user port.
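As an added example (not part of the patent and not Huawei's code), the following Python model walks a constructed sequence of frames through steps 1-11: user ports in the learning-controlled state, the (source MAC, VLAN ID) lookup, hand-off to the CPU when the entry's port differs from the ingress port, station movement only when the recorded port is not an uplink, the log of (MAC address, user port, time), the per-port deny ACL, and shutdown of the port when the ACL table is exhausted. Running the same model with `controlled=False` reproduces the prior-art behaviour of Fig. 6, in which the upstream device's MAC address moves to a user port and frames addressed to the upstream device are misforwarded. The names `Switch`, `Frame`, `USER_PORT1`, `UPLINK1`, the MAC addresses and the ACL capacity are the example's own constructed values.

```python
# Added example (not from the patent and not Huawei's code): a model of the
# user-port check of steps 1-11. Class, port and MAC names and the ACL
# capacity are constructed values chosen for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, int]   # forwarding-table lookup key: (source MAC, VLAN ID)


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int
    in_port: str


@dataclass
class Switch:
    uplink_ports: Set[str]
    user_ports: Set[str]
    controlled: bool = True   # user ports in the learning-controlled state
    acl_capacity: int = 4     # constructed size of the chip's ACL table
    mac_table: Dict[Key, str] = field(default_factory=dict)              # (mac, vlan) -> port
    spoof_log: List[Tuple[str, str, int]] = field(default_factory=list)  # (mac, port, time)
    acl: Set[Tuple[str, str]] = field(default_factory=set)               # (user port, src MAC) denied
    shutdown_ports: Set[str] = field(default_factory=set)
    clock: int = 0            # stands in for the CPU system's timestamp

    def ingress(self, frame: Frame) -> str:
        """Run one frame through the check; returns the action as a label."""
        self.clock += 1
        key = (frame.src_mac.lower(), frame.vlan)
        port = frame.in_port
        if port not in self.uplink_ports and port not in self.user_ports:
            raise ValueError(f"unknown port {port}")
        if port in self.uplink_ports or not self.controlled:
            # Uplink ports (and every port in the prior-art setup) learn and
            # perform station movement without any check.
            self.mac_table[key] = port
            return "forward"
        if port in self.shutdown_ports or (port, key[0]) in self.acl:
            return "drop:acl"                       # step 11 ACL, or port shut down
        owner = self.mac_table.get(key)              # step 2: lookup by (src MAC, VLAN)
        if owner is None:                            # step 3: learn on this user port
            self.mac_table[key] = port
            return "forward:learned"
        if owner == port:                            # step 5: normal frame
            return "forward"
        return self._cpu_handle(key, port, owner)    # step 6: hardware defers to CPU

    def _cpu_handle(self, key: Key, port: str, owner: str) -> str:
        if owner not in self.uplink_ports:           # step 8: legitimate movement
            self.mac_table[key] = port
            return "forward:moved"
        # steps 9-11: the source MAC duplicates the upstream device's MAC
        self.spoof_log.append((key[0], port, self.clock))
        if len(self.acl) < self.acl_capacity:
            self.acl.add((port, key[0]))             # deny this MAC on this port
        else:
            self.shutdown_ports.add(port)            # ACL exhausted: close the port
        return "drop:spoof"

    def egress_port(self, dst_mac: str, vlan: int) -> Optional[str]:
        """Destination lookup of the background section; None means flood."""
        return self.mac_table.get((dst_mac.lower(), vlan))


UPSTREAM = "00:00:5e:00:53:01"                         # constructed upstream MAC
PC2 = "02:00:00:00:00:02"                              # constructed subscriber MAC


def run_scenario(controlled: bool) -> Tuple[Switch, List[str]]:
    """Fig. 5/6 scenario: user port 1 forges the upstream MAC, user 2 is the victim."""
    sw = Switch(uplink_ports={"UPLINK1"}, user_ports={"USER_PORT1", "USER_PORT2"},
                controlled=controlled, acl_capacity=1)
    frames = [
        Frame(UPSTREAM, PC2, 100, "UPLINK1"),       # upstream MAC learned on the uplink
        Frame(PC2, UPSTREAM, 100, "USER_PORT2"),    # subscriber 2 learned on its port
        Frame(UPSTREAM, PC2, 100, "USER_PORT1"),    # subscriber 1 forges the upstream MAC
        Frame(UPSTREAM, PC2, 100, "USER_PORT1"),    # repeat: now matched by the ACL
        Frame(UPSTREAM, PC2, 100, "USER_PORT2"),    # second forger; ACL table is full
        Frame(PC2, UPSTREAM, 100, "USER_PORT1"),    # subscriber 2's MAC moves between user ports
    ]
    return sw, [sw.ingress(f) for f in frames]


if __name__ == "__main__":
    for mode in (True, False):
        sw, actions = run_scenario(mode)
        print("controlled" if mode else "prior art", actions,
              "frames to upstream go out", sw.egress_port(UPSTREAM, 100))
```

With the controlled check the upstream entry stays on UPLINK1 and the log names the offending user ports with timestamps; the last frame shows that movement of a subscriber MAC between two user ports is still allowed, since the recorded port is not an uplink. The constructed ACL capacity of one makes the exhaustion path of step 11 visible on the second forging port.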
The above is only a preferred embodiment of the invention, and the scope of protection of the invention is not limited to it. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. Therefore, the scope of protection of the invention shall be determined by the scope of the claims.

Claims (6)

1. A method for preventing MAC address spoofing, characterized by comprising:
A. setting the user port to the learning-controlled state;
B. when an Ethernet frame enters from the user port, checking whether the MAC address forwarding table contains an entry whose MAC address and VLAN ID are both identical to the source MAC address and VLAN ID of the Ethernet frame; if so, handing the frame to the CPU system for processing, which further judges whether the port in that entry is an uplink port, thereby preventing MAC address spoofing.
2. The method according to claim 1, characterized in that step B further comprises: after the CPU system receives the Ethernet frame, if it finds that the port recorded in that entry of the MAC address forwarding table is not an uplink port, the CPU system updates the MAC address forwarding table; otherwise the Ethernet frame is considered to carry an illegal MAC address and the MAC address forwarding table is not updated.
3. The method according to claim 1, characterized in that in step B, when no entry for the source MAC address and VLAN ID of the Ethernet frame on said user port exists in the MAC address forwarding table, the entry is added to the MAC address forwarding table.
4. The method according to claim 2, characterized in that in step B, the update of the MAC address forwarding table by the CPU system means that the CPU system sets the port number in the forwarding-table entry whose MAC address and VLAN ID are identical to the frame's source MAC address and VLAN ID to the number of the user port through which the Ethernet frame entered.
5. The method according to claim 2, characterized in that in step B, the CPU system records said illegal MAC address and port information and generates a port access control list from them.
6. The method according to claim 2, characterized by further comprising outputting said MAC address and port information through a man-machine interface or reporting them to the network management system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006100608224A CN100488118C (en) 2006-05-19 2006-05-19 Method for preventing MAC address cheat

Publications (2)

Publication Number Publication Date
CN101043356A true CN101043356A (en) 2007-09-26
CN100488118C CN100488118C (en) 2009-05-13

Family

ID=38808587


Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101252530B (en) * 2008-03-28 2010-09-29 中兴通讯股份有限公司 Message forwarding method, system as well as switch
CN102006289A (en) * 2010-08-05 2011-04-06 清华大学 Spoofed source address filtering method and device
CN101494562B (en) * 2009-03-18 2011-06-29 杭州华三通信技术有限公司 Maintenance method for terminal list item of network equipment and network equipment
CN102624943A (en) * 2012-04-12 2012-08-01 广东省电力调度中心 Method and system for ensuring switch to carry out automatic learning on intelligent electronic equipment ports
CN103152728A (en) * 2013-02-20 2013-06-12 大唐移动通信设备有限公司 Establishment method and device for remote connection
CN104869125A (en) * 2015-06-09 2015-08-26 上海斐讯数据通信技术有限公司 SDN-based method for dynamically preventing MAC address spoofing
CN105262732A (en) * 2015-09-21 2016-01-20 北京鼎普科技股份有限公司 Method and apparatus for detecting MAC address spoofing
CN112087534A (en) * 2020-09-12 2020-12-15 洪世协 Simple traceable wireless router implementation method

Also Published As

Publication number Publication date
CN100488118C (en) 2009-05-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090513

Termination date: 20160519
