CN101146103A - A method for realizing stable secure protection of broadband access device - Google Patents

A method for realizing stable secure protection of broadband access device

Info

Publication number
CN101146103A
Authority
CN
China
Prior art keywords
dhcp
broadband access
address
access equipment
message
Prior art date
Legal status
Pending
Application number
CNA2007101241842A
Other languages
Chinese (zh)
Inventor
熊文杰
邢思远
王硕
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Application filed by ZTE Corp
Priority to CNA2007101241842A
Publication of CN101146103A
Legal status: Pending

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for stabilizing the security protection of broadband access equipment, applied in the data communication field, comprising the following steps: the snooping function of the broadband access equipment is started and the DHCP downstream message sent by the server is captured; after capturing the DHCP downstream message, the broadband access equipment modifies the legal IP address lease time in the DHCP downstream message to a user-set time value and sends the modified DHCP downstream message to the client; after receiving the DHCP downstream message, the client periodically sends a DHCP renewal request message for the legal IP address to the server. By shortening the IP lease time in the DHCP downstream message, the invention changes the frequency at which the client sends DHCP requests to renew its IP address and guarantees normal Internet access for the client user.

Description

A method for realizing the security protection stability of broadband access equipment
Technical field
The present invention relates to the field of security protection of broadband access equipment, and in particular to a method for realizing the security protection stability of broadband access equipment.
Background technology
The existing Dynamic Host Configuration Protocol (DHCP) is a common broadband access authentication protocol built on the client-server model. In the initial stage of authentication, the client user's host (DHCP client) initiates a DHCP request by sending a DHCP DISCOVER message, whose purpose is to find the authentication server (DHCP server) in the network. The DHCP server in the network responds by sending a DHCP OFFER message. The DHCP client may receive OFFERs from several servers; it selects one server and sends a DHCP REQUEST message. If the DHCP server can allocate an IP address, it delivers the configuration parameters by sending a DHCP ACK message to the user host; if it cannot, it sends a DHCP NAK message. When the user disconnects, it sends a DHCP RELEASE message to the server, and the DHCP server reclaims the IP address previously allocated to this user. The specific interaction process is shown in Figure 1.
The DHCP snooping function of the prior art records the IP address and user information learned by the broadband access equipment. Its specific functions include: extracting DHCP messages by packet capture, analysing the key information in the messages, and creating and maintaining a binding database keyed by user port, as shown in Fig. 2a. Each record in the database comprises the following fields: the port number and permanent virtual circuit (PVC) used by the user; the user host MAC address; the user host IP address and IP lease time; the IP binding flag, etc.
The IP Source Guard function, built on the DHCP snooping function, restricts and filters user messages by checking the IP address, thereby realizing a method of security protection for broadband access equipment; see Fig. 2b. Its implementation steps are as follows:
A. After the equipment starts, a user cannot access the network before obtaining a legal IP address via DHCP; at this time the equipment captures only DHCP messages and discards all other messages;
B. The user obtains a legal IP address via DHCP, and the equipment records the user's IP address through the DHCP snooping function;
C. The equipment binds the IP address to the user port through the IP address binding function and allows only messages with the legal IP address to pass; messages with an illegal IP address are discarded at the receiving port.
In the prior art, the security protection of broadband access equipment against illegal IP messages is realized by enabling the DHCP snooping function and the IP Source Guard function. However, some DSLAM equipment does not have enough storage space to preserve all the data of the binding database across a restart, so the equipment loses these data when it restarts. After the restart, the equipment can obtain the information it needs only by waiting for the DHCP client to initiate its next DHCP request; during this period the IP Source Guard function refuses to pass any message other than DHCP, so the user cannot access the Internet normally. According to the protocol standard, the DHCP client sends a DHCP REQUEST message to renew its IP address only after half of the IP address lease time allocated by the DHCP server has elapsed. The lease time allocated by the DHCP server is usually very long, so during this period the user's legal IP messages cannot pass through the equipment, which affects the user's normal Internet access.
Therefore, the prior art awaits improvement and development.
Summary of the invention
The object of the present invention is to provide a method which can shorten the IP address lease time, improve the stability of the equipment's security protection, and guarantee normal Internet access for client users.
To achieve the above object, the invention provides a method for realizing the security protection stability of broadband access equipment, comprising the following steps:
A. Starting the snooping function of the broadband access equipment and obtaining the DHCP downstream message sent by the server;
B. After the broadband access equipment obtains the DHCP downstream message, modifying the legal IP address lease time in the DHCP downstream message to a user-set time value, and sending the modified DHCP downstream message to the client;
C. After the client receives the DHCP downstream message, periodically sending a DHCP renewal request message for renewing the legal IP address to the server.
In the method, step B comprises:
B1. The broadband access equipment creates a binding database;
B2. The legal IP address lease time allocated by the server is recorded in the binding database, and the legal IP address is bound on the user port of the broadband access equipment;
B3. The IP security protection function on the broadband access equipment is started, and the legal IP address lease time in the DHCP downstream message is modified.
In the method, step C is followed by:
D. The broadband access equipment obtains the DHCP renewal request message and judges whether the IP address lease time actually obtained by the client is greater than or equal to half of the legal IP address lease time allocated by the server; if so, it forwards the DHCP downstream message to the server; otherwise it discards the DHCP renewal request message and constructs a new DHCP downstream message to send to the client.
In the method, the legal IP address is the legal IP address allocated by the server.
In the method, the user-set time value is twice the start-up time of the broadband access equipment.
In the method, the IP address lease time actually obtained by the client is calculated by subtracting the time at which the broadband access equipment obtains the DHCP downstream message sent by the server from the time at which the client's DHCP renewal request message is obtained.
In the method, if the broadband access equipment is restarted and the data records in the binding database are lost, the following processing is also carried out after step D:
E. After the broadband access equipment restarts and recovers, the client sends a DHCP renewal request message for renewing the IP address to this broadband access equipment, and the data records in the binding database are recovered.
In the method, a filtering packet capture device is provided on the broadband access equipment for obtaining the DHCP downstream message or the DHCP renewal request message.
Compared with the present technology, the method of the invention shortens the legal IP address lease time in the DHCP ACK message (DHCP downstream message) and thereby changes the frequency at which the DHCP client sends DHCP requests to renew its IP address. In this way, when the broadband access equipment is restarted, the loss of the recorded information in the binding database is avoided and the client user's normal Internet access is guaranteed; at the same time, the stability of the DHCP-message-based security protection of the broadband access equipment is effectively improved.
Description of drawings
Fig. 1 is a schematic diagram of the data message interaction process between the client and the server in DHCP;
Fig. 2a is a flow chart of the prior-art DHCP snooping function processing a client IP address request;
Fig. 2b is a flow chart of the prior-art IP security protection function;
Fig. 3 is a flow chart of the method of the invention realizing the DHCP snooping function and the IP security protection function on DSLAM equipment.
Embodiment
The preferred embodiment of the present invention is described in further detail below with reference to the accompanying drawings.
Design principle of the present invention: the DHCP Snooping function and the IP Source Guard function are enabled in the broadband access equipment. When the DHCP ACK message sent by the DHCP server is intercepted, the legal IP lease time provided by the server is recorded in the corresponding entry of the binding database, the IP address lease time in the DHCP ACK message is then modified to the user-set time value of the broadband access equipment, and this DHCP ACK message is sent to the DHCP client.
The user-set IP address time value of the broadband access equipment can be modified by the user through network management; the IP address lease time set by the user can be set to a short value so as to shorten the IP lease time on the DHCP client.
Because the DHCP client sends a DHCP REQUEST message to the DHCP server at an interval of half the IP lease time to request renewal of the IP address, after the broadband access equipment intercepts the DHCP REQUEST message it finds the corresponding record in the binding database, compares the legal IP lease time provided by the server with the IP time actually obtained by the DHCP client, and judges whether the message needs to be forwarded to the server. If it does not need to be forwarded, the DHCP REQUEST message is discarded and a DHCP ACK message is constructed and returned to the DHCP client.
Thus, after the broadband access equipment is restarted, all data in the binding database will be lost; however, because the DHCP client sends DHCP REQUEST renewal request messages at an interval of half the user-set IP address lease time, the lost data in the binding database can be restored very quickly, and the stability of IP Source Guard is hardly affected.
In the embodiment of the invention, a Digital Subscriber Line Access Multiplexer (hereinafter DSLAM) is adopted as the broadband access equipment, and the security protection of the DSLAM against illegal IP messages is realized on this DSLAM by enabling the DHCP snooping function and the IP Source Guard function.
Referring to Fig. 3, the implementation steps of a method for realizing the security protection stability of broadband access equipment are as follows:
110. Enable the DHCP snooping function and the IP Source Guard function on the line card of the DSLAM;
111. Set up a filtering packet capture device on the DSLAM line card, intercept all DHCP upstream and downstream messages passing through the line card, and create a binding database for recording DHCP client port data information, namely the client port IP address, the client port IP address lease time and the current running time of the broadband access equipment;
112. Through the IP binding technique on the DSLAM line card, bind the legal IP address 0.0.0.0 on the line card port as the only IP address allowed to pass through the DSLAM;
113. After the DHCP client receives the DHCP upstream/downstream message forwarded by the DSLAM, it sends a DHCP Request message to request a legal IP address;
114. The DSLAM intercepts the DHCP Request message, adds a new record to the binding database indexed by port number and medium access control (MAC) address, and forwards this DHCP Request message to the DHCP server;
115. After the DHCP server receives the DHCP Request message, it judges according to the message type whether the IP address allocated by this DHCP server is legal; if legal, go to step 116; otherwise the DHCP server sends a DHCP NAK message to the DHCP client, and after the DSLAM intercepts this DHCP NAK message it finds and deletes the DHCP client port data information recorded in the binding database, then goes to step 120;
116. The DHCP server sends a DHCP ACK message to the DHCP client;
117. After the DSLAM intercepts this DHCP ACK message, it finds and modifies the DHCP client port data information recorded in the binding database, namely the client port IP address, the client port IP address lease time and the current running time of the broadband access equipment;
118. According to the contents of the binding database record, the legal IP address allocated by the DHCP server is bound to the user port of the DSLAM line card; this binding attribute allows only messages with the legal IP address to pass on the user port;
119. The legal IP address lease time in the DHCP ACK message intercepted on the DSLAM is modified to the user-set time value. The user-set time value is used to set the lease time for renting the legal IP address; it can be set to twice the start-up time of the DSLAM, the purpose being to increase the frequency with which the client sends DHCP REQUEST renewal messages (DHCP renewal request messages);
120. The DSLAM forwards the modified DHCP ACK message to the DHCP client, the modified DHCP ACK message being the DHCP ACK message after its legal IP address lease time has been modified;
121. After the DHCP client receives the modified downstream message, it sends a DHCP REQUEST renewal message triggered by a timer mechanism; the interval at which the timer fires is half of the IP lease time in the DHCP ACK message received by the DHCP client;
122. The DSLAM intercepts the DHCP REQUEST renewal message and judges whether the IP address lease time actually obtained by the DHCP client port is greater than or equal to half of the IP address lease time allocated by the DHCP server; if so, go to step 123; otherwise discard this DHCP REQUEST renewal message and directly construct a DHCP ACK message to respond to the client;
123. The DSLAM forwards the DHCP REQUEST renewal message to the DHCP server and returns to step 115.
In step 119, on the DSLAM line card, the IP address lease time actually obtained by the DHCP client is calculated as the time at which the DHCP REQUEST message from the DHCP client is obtained minus the time at which the DSLAM obtained the DHCP ACK message sent by the DHCP server.
Step 119 also covers another case: if the DSLAM judges that the IP address lease time actually obtained by the DHCP client is less than half of the IP address lease time allocated by the DHCP server, it discards the DHCP request message and constructs a DHCP downstream message to reply to the DHCP client.
However, if the DSLAM is restarted while the above steps are being carried out, the data in the binding database, such as the IP address, the IP address lease time and the current running time of the broadband access equipment, are lost during the restart. After the DSLAM restarts and recovers, its binding database contains no data, and it must wait to receive the DHCP authentication initiated by the DHCP client; within a short time it will receive the REQUEST renewal message of the DHCP client, recover the DHCP client port data information record in the binding database, and subsequently recover the IP Source Guard security protection function.
In summary, the method of the invention resets a short legal IP address lease time in the obtained DHCP ACK message and thereby changes the frequency at which the DHCP client sends DHCP requests to renew its IP address. In this way, when the broadband access equipment is restarted, the loss of the recorded information in the binding database is avoided and the client user's normal Internet access is guaranteed; at the same time, the stability of the DHCP-message-based security protection of the broadband access equipment is effectively improved.
It should be understood that those of ordinary skill in the art may make improvements or transformations according to the above description, and all such improvements and transformations should fall within the scope of protection of the claims of the present invention.
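The DSLAM-side logic of steps 114 to 122 (record the server's lease, forward the ACK with the shortened lease, then forward or locally answer renewals, and rebuild the table after a reboot), as an added simulation that is not the patent's own code. It models only the DHCP options field, not the BOOTP header; the class and function names, the 24-hour sample lease and the 120 s boot time are assumptions.

```python
# Added example, not the patent's own code: DSLAM-side simulation of the lease-rewriting
# DHCP snooping logic (steps 114-122). Only the DHCP options field is modelled, not the
# BOOTP header; class and function names are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OPT_LEASE, OPT_MSG_TYPE, OPT_END = 51, 53, 255
MSG_ACK = 5


def parse_options(opts: bytes) -> Dict[int, bytes]:
    """Parse TLV-encoded DHCP options (the part after the magic cookie) into {code: value}."""
    out, i = {}, 0
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == 0:                       # pad option: a single byte, no length field
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out


def rewrite_lease(opts: bytes, lease: int) -> bytes:
    """Re-encode the options in their original order, replacing only option 51 (lease time)."""
    fields = parse_options(opts)
    fields[OPT_LEASE] = lease.to_bytes(4, "big")
    body = b"".join(bytes([code, len(v)]) + v for code, v in fields.items())
    return body + bytes([OPT_END])


def build_ack_options(lease: int) -> bytes:
    """Options of the DHCP ACK the DSLAM constructs itself when it answers a renewal locally."""
    return bytes([OPT_MSG_TYPE, 1, MSG_ACK, OPT_LEASE, 4]) + lease.to_bytes(4, "big") + bytes([OPT_END])


@dataclass
class Binding:
    ip: str
    server_lease: int   # lease granted by the server, recorded at step 117
    ack_time: float     # when the DSLAM saw the server's ACK


class Dslam:
    def __init__(self, boot_time_s: int):
        self.user_lease = 2 * boot_time_s      # step 119: user-set value = twice the start-up time
        self.bindings: Dict[Tuple[int, bytes], Binding] = {}

    def on_server_ack(self, port: int, mac: bytes, ip: str, opts: bytes, now: float) -> bytes:
        """Steps 117-120: record the real lease, then forward the ACK carrying the short lease."""
        server_lease = int.from_bytes(parse_options(opts)[OPT_LEASE], "big")
        self.bindings[(port, mac)] = Binding(ip, server_lease, now)
        return rewrite_lease(opts, self.user_lease)

    def on_client_renew(self, port: int, mac: bytes, now: float) -> Tuple[str, Optional[bytes]]:
        """Step 122: forward the renewal to the server, or drop it and answer locally."""
        b = self.bindings.get((port, mac))
        if b is None:                          # empty table, e.g. after a reboot (step 114):
            return ("forward", None)           # the server's ACK will rebuild the entry
        if now - b.ack_time >= b.server_lease / 2:
            return ("forward", None)
        return ("local_ack", build_ack_options(self.user_lease))

    def allows(self, port: int, mac: bytes, ip: str) -> bool:
        """IP Source Guard check (step 118): only the bound IP may pass on this port."""
        b = self.bindings.get((port, mac))
        return b is not None and b.ip == ip

    def reboot(self) -> None:
        """The binding database is not persisted across restarts."""
        self.bindings.clear()


# Constructed sample: a server ACK granting a 24-hour lease, plus a server-identifier option
SERVER_ACK = (bytes([OPT_MSG_TYPE, 1, MSG_ACK, OPT_LEASE, 4]) + (86400).to_bytes(4, "big")
              + bytes([54, 4, 10, 0, 0, 1, OPT_END]))


def demo() -> dict:
    d, mac = Dslam(boot_time_s=120), bytes.fromhex("001122334455")
    fwd = d.on_server_ack(1, mac, "10.0.0.5", SERVER_ACK, now=1000.0)
    client_lease = int.from_bytes(parse_options(fwd)[OPT_LEASE], "big")   # 240 s, not 86400
    early = d.on_client_renew(1, mac, now=1000.0 + client_lease / 2)[0]   # T1 of the short lease
    late = d.on_client_renew(1, mac, now=1000.0 + 86400 / 2)[0]           # T1 of the real lease
    d.reboot()
    blocked = not d.allows(1, mac, "10.0.0.5")                            # guard denies until rebuilt
    t = 1000.0 + 86400 / 2 + client_lease / 2
    after = d.on_client_renew(1, mac, now=t)[0]
    d.on_server_ack(1, mac, "10.0.0.5", SERVER_ACK, now=t)                # server's ACK rebuilds entry
    return {"client_lease": client_lease, "early": early, "late": late,
            "blocked_after_reboot": blocked, "renew_after_reboot": after,
            "restored": d.allows(1, mac, "10.0.0.5")}
```

The run shows the effect the text describes: the client renews every 120 s instead of every 12 hours, so the window in which IP Source Guard blocks a legitimate user after a reboot is bounded by the short lease rather than the server's.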

Claims (8)

1. A method for realizing the security protection stability of broadband access equipment, characterized in that the method comprises the following steps:
A. Starting the snooping function of the broadband access equipment and obtaining the DHCP downstream message sent by the server;
B. After the broadband access equipment obtains the DHCP downstream message, modifying the legal IP address lease time in the DHCP downstream message to a user-set time value, and sending the modified DHCP downstream message to the client;
C. After the client receives the DHCP downstream message, periodically sending a DHCP renewal request message for renewing the legal IP address to the server.
2. The method according to claim 1, characterized in that step B comprises:
B1. The broadband access equipment creates a binding database;
B2. The legal IP address lease time allocated by the server is recorded in the binding database, and the legal IP address is bound on the user port of the broadband access equipment;
B3. The IP security protection function on the broadband access equipment is started, and the legal IP address lease time in the DHCP downstream message is modified.
3. The method according to claim 2, characterized in that step C is followed by:
D. The broadband access equipment obtains the DHCP renewal request message and judges whether the IP address lease time actually obtained by the client is greater than or equal to half of the legal IP address lease time allocated by the server; if so, it forwards the DHCP downstream message to the server; otherwise it discards the DHCP renewal request message and constructs a new DHCP downstream message to send to the client.
4. The method according to claim 3, characterized in that the legal IP address is the legal IP address allocated by the server.
5. The method according to claim 3, characterized in that the user-set time value is twice the start-up time of the broadband access equipment.
6. The method according to claim 3, characterized in that the IP address lease time actually obtained by the client is calculated by subtracting the time at which the broadband access equipment obtains the DHCP downstream message sent by the server from the time at which the client's DHCP renewal request message is obtained.
7. The method according to claim 3, characterized in that, if the broadband access equipment is restarted and the data records in the binding database are lost, the following processing is also carried out after step D:
E. After the broadband access equipment restarts and recovers, the client sends a DHCP renewal request message for renewing the IP address to this broadband access equipment, and the data records in the binding database are recovered.
8. The method according to any one of claims 1 to 7, characterized in that a filtering packet capture device is provided on the broadband access equipment for obtaining the DHCP downstream message or the DHCP renewal request message.
CNA2007101241842A 2007-10-23 2007-10-23 A method for realizing stable secure protection of broadband access device Pending CN101146103A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007101241842A CN101146103A (en) 2007-10-23 2007-10-23 A method for realizing stable secure protection of broadband access device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2007101241842A CN101146103A (en) 2007-10-23 2007-10-23 A method for realizing stable secure protection of broadband access device

Publications (1)

Publication Number Publication Date
CN101146103A true CN101146103A (en) 2008-03-19

Family

ID=39208391

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007101241842A Pending CN101146103A (en) 2007-10-23 2007-10-23 A method for realizing stable secure protection of broadband access device

Country Status (1)

Country Link
CN (1) CN101146103A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101465756B (en) * 2009-01-14 2011-05-04 杭州华三通信技术有限公司 Method and device for making automatic avoidance of illegal DHCP service and DHCP server
CN102025574B (en) * 2009-09-09 2012-09-26 国基电子(上海)有限公司 Cable modem termination system and method
CN102143009A (en) * 2010-07-07 2011-08-03 华为数字技术有限公司 Message processing method, device and system
CN102143009B (en) * 2010-07-07 2013-11-06 北京华为数字技术有限公司 Message processing method, device and system
CN102882861A (en) * 2012-09-19 2013-01-16 烽火通信科技股份有限公司 Method of achieving IP address cheating prevention based on analysis of dynamic host configuration protocol (DHCP) message
CN102882861B (en) * 2012-09-19 2015-11-25 烽火通信科技股份有限公司 The method of anti-IP address swindle is realized based on parsing DHCP message
CN108780304A (en) * 2016-03-31 2018-11-09 东芝三菱电机产业系统株式会社 Complete set of equipments supervisor control data regeneration device
CN108780304B (en) * 2016-03-31 2021-03-23 东芝三菱电机产业系统株式会社 Data regenerator for monitoring and controlling system of complete equipment
CN110677508A (en) * 2019-09-06 2020-01-10 四川天邑康和通信股份有限公司 White box engineering IP network optimization

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080319