CN101175080A - Method and system for preventing ARP message attack - Google Patents


Info

Publication number
CN101175080A
Authority
CN
Grant status
Application
Prior art keywords
arp
dhcp
user terminal
entry
address
Application number
CN 200710129801
Other languages
Chinese (zh)
Inventor
雷 秦
Original Assignee
杭州华三通信技术有限公司

Abstract

The present invention discloses a method for preventing Address Resolution Protocol (ARP) packet attacks, comprising the following steps: a Dynamic Host Configuration Protocol (DHCP) server adds an IP address-MAC address pair to a DHCP packet and sends it to the user terminal; the user terminal receives the DHCP packet, parses the IP address-MAC address pair contained in it, and configures it as a local ARP entry that cannot be dynamically overwritten, so that attack packets cannot attack the network by altering the ARP entries of the user terminal. The present invention also discloses a system for preventing ARP packet attacks. With the present invention, the gateway devices and user terminals in the network can effectively defend against received ARP attack packets. In addition, the important ARP entries of the user terminals in the network are configured centrally by the DHCP server, which facilitates centralized management.

Description

Method and system for preventing ARP packet attacks

Technical field

The present invention relates to the field of communications technology, and in particular to a method and system for preventing ARP (Address Resolution Protocol) packet attacks.

Background

In current network technology, terminal devices on a network are distinguished by their IP (Internet Protocol) addresses. When a source terminal device initiating a communication sends a packet to another terminal device, it must obtain the MAC (Media Access Control) address of the target terminal device in order to complete the encapsulation of the packet. This requires a translation between a device's IP address and its MAC address. At present, this translation is performed by the ARP protocol. ARP translates the IP address of the target terminal device into its MAC address, ensuring that communication proceeds smoothly.

The main mechanism by which ARP operates in a network is as follows. Every terminal device in the network that supports IP maintains an ARP table; in each ARP entry an IP address corresponds one-to-one with a MAC address, representing the mapping between the IP address and MAC address of a terminal device. This mapping can be obtained by dynamically learning from ARP packets: when a terminal device receives an ARP packet sent by another terminal device, it compares the IP address-MAC address pair of that device carried in the packet with the data in its own ARP table; if the pair does not exist in the ARP table, it creates a new ARP entry and fills in the IP address-MAC address pair. The mapping can also be obtained through static configuration by a user: the user creates an entry in the ARP table and fills in an IP address-MAC address pair to represent a specific terminal device.

Because no security mechanism was considered when ARP was first designed, ARP is a protocol that is very easy to attack. In current network technology, network viruses and attacks based on ARP spoofing are becoming increasingly rampant.

In the prior art, gateway devices are generally configured not to parse received ARP packets but to forward them directly at Layer 2, that is, to forward the ARP packets sent by a source terminal device directly to the target terminal device. A schematic of a common ARP packet attack is shown in Figure 1, which consists of Figures 1A and 1B.

Figure 1A shows the network under normal conditions: legitimate terminal device A communicates with the network through gateway device G. At this time, an ARP entry for terminal device A, "IPA-MACA", is established in the ARP table of gateway device G, and an ARP entry for the gateway, "IPG-MACG", is established in the ARP table of terminal device A.

Figure 1B shows the situation when an illegitimate terminal device B carries out an ARP packet attack. In this case, terminal device B sends an ARP packet to terminal device A by unicast or broadcast, forging the IP address of gateway device G, while the source MAC address in the packet is terminal device B's own MAC address. Terminal device A then learns from the ARP packet dynamically, and the gateway entry in terminal device A's ARP table is changed from "IPG-MACG" to "IPG-MACB". By the same method, terminal device B can also modify the ARP entry for terminal device A held by gateway device G from "IPA-MACA" to "IPA-MACB". Consequently, in subsequent communication, the packets exchanged between user terminal A and gateway device G all pass through user terminal B first, so user terminal B can intercept the communication between user terminal A and gateway device G, achieving network eavesdropping. In addition, when the MAC address in the ARP packet forged by the illegitimate terminal device is an invalid address, communication is interrupted.

One prior-art approach to the above ARP packet attack is Dynamic ARP Inspection (DAI). This technique is based on the DHCP (Dynamic Host Configuration Protocol) protocol: the gateway device monitors the clients' DHCP traffic, records the clients' IP-MAC correspondences, and sends all ARP packets to be forwarded to the gateway device's CPU for processing. Its schematic is shown in Figure 2: the gateway device first obtains the IP-MAC correspondences by monitoring DHCP packets; when an ARP packet needs to be forwarded, the gateway device checks the source IP-MAC correspondence of the ARP packet to be forwarded. If the check passes, the ARP packet is forwarded; if it fails, the ARP packet is not forwarded, thereby defending against ARP spoofing.

When the dynamic ARP inspection technique is used, the gateway device has to validate the forwarding of every ARP packet, and ARP traffic within a network is usually fairly heavy, which may place a burden on the gateway device's CPU. Therefore, to prevent heavy ARP traffic from overloading the gateway device's CPU, ARP packets usually have to be rate-limited, which may in turn cause client ARP failures when the network is busy and affect the clients' normal network services.

Summary of the invention

The problem to be solved by the present invention is to provide a method and system for preventing ARP packet attacks, so that the user terminals and gateway devices in the network can effectively defend against ARP packet attacks.

To achieve the above object, the present invention provides a method for preventing Address Resolution Protocol (ARP) packet attacks, comprising the following steps:

a Dynamic Host Configuration Protocol (DHCP) server adds an IP address-MAC address pair to a DHCP packet and sends it to a user terminal;

the user terminal receives the DHCP packet, parses the IP address-MAC address pair contained in it, and configures it as a local ARP entry that cannot be dynamically overwritten, so that attack packets cannot attack the network by altering the ARP entries of the user terminal.

… pair, and the IP address-MAC address pairs of specific network devices in the network, the specific network devices including at least the gateway device connected to the user terminal; the different network devices each select the corresponding IP address-MAC address pair and configure it as a local ARP entry that cannot be dynamically overwritten.

Wherein, after the step in which the DHCP server adds the IP address-MAC address pair to the DHCP packet and sends it to the user terminal, the method further comprises:

the gateway device receives the DHCP packet sent by the DHCP server to the user terminal;

… pair and configures it as a local ARP entry that cannot be dynamically overwritten;

the gateway device sends the DHCP packet to the user terminal.

Wherein the ARP entry that cannot be dynamically overwritten is a static ARP entry, or an ARP entry with a priority higher than that of dynamic ARP entries.

Wherein, when the entry configured locally by the user terminal is an ARP entry with a priority higher than that of dynamic ARP entries, after the user terminal parses the IP address-MAC address pair contained in the DHCP packet and configures it as a local ARP entry that cannot be dynamically overwritten, the method further comprises the step of:

the user terminal ages and updates the ARP entry according to a preset mechanism.

Wherein the step in which the user terminal ages and updates the ARP entry according to a preset mechanism specifically comprises one or more of:

updating the ARP entry and its aging time when the lease is renewed or an IP address is re-obtained; deleting the ARP entry when the IP address resource is released or the terminal is reset; or refreshing the ARP entry when an IP address is re-obtained from the DHCP server.

Wherein, when the entry configured locally by the gateway device is an ARP entry with a priority higher than that of dynamic ARP entries, after the gateway device sends the DHCP packet to the user terminal, the method further comprises the step of:

the step specifically comprises one or more of:

when an IP address release request sent by the user terminal to the DHCP server is received, deleting the ARP entry corresponding to the user terminal; or

when the condition for the DHCP relay to age out its DHCP security entry is met, deleting the ARP entry corresponding to the user terminal; or

when the condition for DHCP Snooping to age out its snooping entry is met, deleting the ARP entry corresponding to the user terminal; or

when a DHCP packet of the user terminal is snooped, updating the ARP entry corresponding to the user terminal.

Wherein, characterized in that the IP address-MAC address pair is contained in the Option field of the DHCP packet;

the DHCP packet is a DHCP OFFER packet and/or a DHCP ACK packet.

The present invention provides a system for preventing ARP packet attacks, comprising a DHCP server and a user terminal, wherein

the DHCP server is configured to add an IP address-MAC address pair to a DHCP packet and send it to the user terminal;

the user terminal is configured to parse the IP address-MAC address pair contained in the DHCP packet sent by the DHCP server and to configure it as a local ARP entry that cannot be dynamically overwritten.

Wherein the DHCP server, in addition to a packet sending module, further comprises:

a packet generating module, configured to add the IP address-MAC address pair to the DHCP packet sent to the user terminal and to send it to the user terminal through the packet sending module;

a correspondence generating module, configured to generate the IP address-MAC address pair of the user terminal from the IP address assigned to the user terminal and the MAC address of the user terminal, and to provide it to the packet generating module;

a correspondence storage module, configured to store the IP address-MAC address pairs of specific network devices in the network and to provide them to the packet generating module.

Wherein the user terminal comprises:

a packet parsing module, configured to parse the DHCP packet sent by the DHCP server to this user terminal, extract the IP address-MAC address pairs of the specific network devices carried in the DHCP packet, and notify a terminal entry module;

a terminal entry module, configured to take the IP address-MAC address pairs of the specific network devices obtained by the packet parsing module and configure them as local ARP entries that cannot be dynamically overwritten.

Wherein the user terminal further comprises:

a terminal entry update module, configured to age and update the ARP entries in the terminal entry module according to a preset mechanism.

Wherein the system further comprises a gateway device, configured to configure the IP address-MAC address pair contained in the DHCP packet sent by the DHCP server as a local ARP entry that cannot be dynamically overwritten; the gateway device comprises:

a packet snooping module, configured to snoop the DHCP packets sent by the DHCP server to the user terminal, extract the IP address-MAC address pair of the user terminal carried in the DHCP packet, and notify an entry maintenance module;

an entry maintenance module, configured to take the IP address-MAC address pair of the user terminal obtained by the packet snooping module and configure it as a local ARP entry that cannot be dynamically overwritten.

Wherein the gateway device further comprises:

an entry update module, configured to age and update the ARP entries in the entry maintenance module according to a preset mechanism.

Compared with the prior art, the present invention has the following advantages:

It provides a simple and effective defence against ARP attack packets, enabling the gateway devices and user terminals in the network to effectively defend against received ARP attack packets. In addition, the important ARP entries of the user terminals in the network are configured centrally by the DHCP server, which facilitates centralized management.

Brief description of the drawings

Figures 1A and 1B are schematic diagrams of a prior-art ARP packet attack;

Figure 2 is a schematic diagram of the prior-art dynamic ARP inspection technique;

Figure 3 is a schematic diagram of the method for preventing ARP packet attacks in embodiment one of the present invention;

Figure 4 is a schematic diagram of the DHCP packet format used in embodiment one of the present invention;

Figure 5 is a schematic diagram of the format of the Option field used in embodiment one of the present invention;

Figure 6 is a schematic diagram of the method for preventing ARP packet attacks in embodiment two of the present invention;

Figure 7 is a schematic diagram of the system for preventing ARP packet attacks in embodiment three of the present invention.

Detailed description of the embodiments

The embodiments of the present invention are further described below with reference to the drawings. For an IP network device, the protocol address-physical address pairs (IP address-MAC address pairs) stored in its ARP table are indispensable. Current ARP management generally comprises a dynamic ARP entry part and a static ARP entry part. Dynamic ARP entries are those that the network device learns through ARP during communication; static ARP entries are those configured directly on the network device by a user or administrator. In general, a static ARP entry cannot be overwritten by a dynamic ARP entry, and the learning and updating of dynamic entries cannot conflict with static entries; when the ARP table is consulted for address resolution, static entries also take priority over dynamic entries, and static ARP entries are not aged out. Current spoofing attacks based on ARP are carried out mainly by modifying dynamic ARP entries: ARP spoofing packets are sent to a network device so that it learns tampered ARP entries, thereby establishing incorrect dynamic ARP entries on the network device for the attacker to exploit. Therefore, if the IP address-MAC address relationships of key devices such as gateways and servers are set in advance as ARP entries that cannot be dynamically overwritten, the entries corresponding to these address relationships cannot be overwritten by ARP spoofing packets, and their IP-MAC correspondence cannot be tampered with. Based on this principle, ARP entries that cannot be dynamically overwritten can be configured directly on the user terminal and the gateway device, so that the correct IP address-MAC address relationships are not tampered with when an attacker's ARP packets are received. Such an ARP entry that cannot be dynamically overwritten may take the specific form of a static ARP entry, or of an ARP entry with a priority higher than that of dynamic ARP entries.

Considering that in the prior art the IP address of a user terminal is dynamically assigned by a DHCP server, embodiment one of the present invention proposes a method for preventing ARP packet attacks. The network topology in this embodiment is as follows: the user terminal is connected to the DHCP server through the gateway device. As shown in Figure 3, the method for preventing ARP packet attacks comprises the following steps:

Step s101: after receiving a DHCP DISCOVER packet from the user terminal, the DHCP server sends a DHCP OFFER packet containing IP address-MAC address pairs to the user terminal.

In the prior art, the user terminal broadcasts a DHCP DISCOVER packet to the network to look for DHCP servers present in the network. A server that receives the DHCP DISCOVER packet sends a DHCP OFFER packet to the user terminal, carrying the address offered to the user terminal.

In this step of the embodiment of the present invention, the DHCP OFFER packet sent by the DHCP server to the user terminal carries, in addition to the IP address assigned to the user terminal, the IP address-MAC address pair of the user terminal and the IP address-MAC address pairs of some important devices in the network, such as the gateway device and database servers.

Step s102: the gateway device forwards the DHCP OFFER packet sent by the DHCP server to the user terminal.

Step s103: the user terminal sends a DHCP REQUEST packet to the selected DHCP server and configures local static ARP entries according to the DHCP OFFER packet sent by that DHCP server.

The user terminal may receive DHCP OFFER packets from several DHCP servers; it selects one of them according to a predetermined policy and broadcasts a DHCP REQUEST packet carrying the identifier of the selected DHCP server.

In this step of the embodiment of the present invention, besides sending the DHCP REQUEST packet to the selected DHCP server, the user terminal also parses the DHCP OFFER packet sent by the selected DHCP server, extracts the IP address-MAC address pairs of the gateway device, database servers and so on carried in it, and adds these parsed IP address-MAC address pairs to its local static ARP table. This step ensures that the user terminal resolves the network addresses of the gateway device and other devices in the network correctly, unaffected by ARP attack packets. This step may also be performed after the user terminal receives the DHCP ACK packet sent by the DHCP server, described below.

Step s104: the DHCP server selected by the user terminal sends a DHCP ACK packet to the user terminal, carrying the IP address assigned to the user terminal, and provides service to it.

In this step of the embodiment of the present invention, the DHCP OFFER packet sent by the DHCP server to the user terminal likewise carries, in addition to the IP address assigned to the user terminal, the IP address-MAC address pair of the user terminal and the IP address-MAC address pairs of some important devices in the network, such as the gateway device and database servers.

Step s105: the gateway device configures local static ARP entries according to the received DHCP ACK packet.

As described above, ARP spoofing attacks are often bidirectional: while forged ARP packets impersonating the gateway device are sent to the user terminal, forged ARP packets are also sent to the gateway device. Therefore, in the embodiment of the present invention, the gateway device has a DHCP relay function, can snoop the DHCP packets it receives, and maintains its locally stored ARP entries according to those DHCP packets.

Specifically, when the gateway device receives the DHCP OFFER packet sent by the DHCP server to the user terminal in step s102, it forwards it directly, because at that time the user terminal has not yet decided which DHCP server's IP address it will use. When the gateway device receives the DHCP ACK packet sent by the DHCP server to the user terminal, however, it can add the user terminal's IP address-MAC address pair from the DHCP ACK packet to its local static ARP table. With this method, when the gateway device later receives an ARP packet from an attacker containing a forged IP address-MAC address pair for the user terminal, the user terminal's IP address-MAC address pair cannot be changed, because static ARP entries take priority over dynamic ARP entries. Through this step, the ARP entries of user terminals that have legitimately obtained IP addresses from the DHCP server are protected on the gateway device, providing protection against ARP packet attacks.

Step s106: the user terminal configures local static ARP entries according to the received DHCP ACK packet.

Specifically, after receiving the DHCP ACK packet, the user terminal configures its IP address according to the IP address assigned to it by the DHCP server. In addition, if the user terminal did not configure local static ARP entries when it received the DHCP OFFER packet, it may, after receiving the DHCP ACK packet sent by the DHCP server, parse the IP address-MAC address pairs of the gateway device, database servers and so on carried in the DHCP ACK packet and add these parsed IP address-MAC address pairs to its local static ARP table. This step ensures that the user terminal resolves the network addresses of the gateway device and other devices in the network correctly, unaffected by ARP attack packets.

Implementing the steps of embodiment one requires that the DHCP server be able to carry IP address-MAC address pairs in the DHCP packets sent to the user terminal. This can be achieved by setting the Option field of the DHCP packet. The DHCP packet format specified by the DHCP protocol is shown in Figure 4. Its Option field is the part that can be extended as needed; therefore, to achieve the purpose of the embodiments of the present invention, the DHCP protocol is extended through this Option field by defining a new DHCP Option that configures the IP address-MAC address pairs of the user terminal, the gateway device and other devices.

The format of this Option field is shown in Figure 5 (5A) and comprises:

xx: the Option number; for this newly defined Option, the Option number is provisionally written as xx;
N: the length of the Option, which does not include xx;

i1 to iN: the sub-items of the Option; each sub-item carries one set of ARP information.

The structure of each sub-item is shown in Figure 5 (5B) and comprises:

S: the sub-item sequence number; each piece of ARP information corresponds to one sub-item, numbered from 1 in increasing order;

SN: the sub-item length, that is, the sum of the lengths of SubOpt1 and SubOpt2;

SubOpt1: carries the protocol address, which in Ethernet is the IP address;

SubOpt2: carries the hardware address, which in Ethernet is the MAC address.

SubOpt1 and SubOpt2 have the same structure, shown in Figure 5 (5C) and (5D). Taking SubOpt1 as an example, S1N is the length of the protocol address, and Protocol Address is the protocol address itself, S1N bytes long.

With this method, after the DHCP server assigns an IP address to the user terminal, it can place the client's IP address-MAC address pair in the Option field, add the Option field to the DHCP packet it sends, and send it. For network devices such as the gateway device, whose IP address-MAC address pairs have been set in advance, the pairs are simply added to the Option field in the same way as the user terminal's IP address-MAC address pair. When the user terminal, the gateway device or other equipment receives a DHCP packet carrying this Option field, it parses the Option field according to the packet structure described above and configures the IP address-MAC address pairs as local static ARP entries.

In embodiment one above, the defence against ARP packet attacks was implemented with the DHCP server adding IP address-MAC address pairs to DHCP packets and the user terminal and gateway device parsing those DHCP packets and maintaining static ARP entries. Besides maintaining static ARP entries, a method of setting a new ARP entry priority can also be adopted. Specifically, a new class of ARP entry can be defined that exists on the network device with a priority higher than that of dynamic ARP entries and cannot be dynamically overwritten by ARP packets. This likewise ensures that some key ARP entries frequently used by the network device cannot be tampered with by ARP attack packets and remain correct. Such ARP entries with a priority higher than that of dynamic ARP entries differ from static ARP entries in that static ARP entries generally have no aging mechanism: they can only be deleted manually and are not deleted automatically on expiry, and on some systems static ARP entries cannot be refreshed dynamically. By defining ARP entries with a new priority, they can instead be maintained through an aging mechanism and a refresh mechanism.

As for the aging mechanism of such new ARP entries, on the user terminal the entry's aging time can be set to the lease time of the IP address the user terminal obtained from the DHCP server; when the lease is renewed or an IP address is re-obtained, the contents and aging time of such new ARP entries are updated accordingly. When the user terminal releases its IP address resource, or an event such as the network interface going DOWN or being reset occurs, such new entries should be deleted; when the user terminal obtains an IP address again through DHCP, such new ARP entries are re-established.

As for the aging mechanism of such new ARP entries, on the gateway device deletion of such new ARP entries should be considered in the following cases: (1) on receiving a Release packet sent by the user terminal to the DHCP server requesting release of its IP address resource, the new ARP entry corresponding to that user terminal should be deleted; (2) when the condition for the DHCP relay to age out its DHCP security entry is met, deletion of the new ARP entry corresponding to the user terminal should be considered; (3) when the condition for DHCP Snooping to age out its snooping entry is met, deletion of the new ARP entry corresponding to the user terminal should be considered. In addition, when the gateway device snoops an ACK packet, it should consider updating the new ARP entry corresponding to the existing client.

In the second embodiment of the present invention, the implementation of the present invention is further described with reference to a specific application scenario.

Assume the network contains a DHCP server, a gateway device and a user terminal A. The MAC address of user terminal A is 52-54-ab-27-82-83; user terminal A connects to the Internet through the gateway device, whose IP address is 192.168.1.1 and MAC address is 00-88-CC-06-05-43, and which supports the DHCP relay function. The process by which user terminal A connects to the network is shown in Figure 6 and comprises the following steps:

Step s601: the DHCP server receives the DHCP DISCOVER packet broadcast by the user terminal.

Step s602: the DHCP server sends a DHCP OFFER packet to the user terminal.

Assume the DHCP server assigns the IP address 192.168.1.2 to the user terminal from its local address pool; then, besides the IP address assigned to the user terminal, the DHCP OFFER packet also carries the gateway device's IP address-MAC address pair "192.168.1.1 00-88-CC-06-05-43".

Step s603: the user terminal sends a DHCP REQUEST packet to the DHCP server and at the same time adds the gateway device's IP address-MAC address pair to its local ARP entries.

Assume the user terminal selects this DHCP server to provide its IP address allocation service; it then sends a DHCP REQUEST packet to that DHCP server. In addition, the user terminal adds the gateway device's IP address-MAC address pair "192.168.1.1 00-88-CC-06-05-43" carried in the DHCP OFFER packet to its local ARP entries, and this ARP entry has a higher priority than dynamic ARP entries.

Step s604: the DHCP server sends a DHCP ACK packet to the gateway device.

The IP address the DHCP server assigned to the user terminal is 192.168.1.2; besides the user terminal's IP address, the ACK packet also carries the user terminal's IP address-MAC address pair "192.168.1.2 52-54-ab-27-82-83" and the gateway device's IP address-MAC address pair "192.168.1.1 00-88-CC-06-05-43".

Step s605: the gateway device parses the DHCP ACK packet and adds the user terminal's IP address-MAC address pair to its local ARP entries.

The gateway device adds the user terminal's IP address-MAC address pair "192.168.1.2 52-54-ab-27-82-83" carried in the DHCP ACK packet to its local ARP entries, and this ARP entry has a higher priority than dynamic ARP entries.

Step s606: the gateway device sends the DHCP ACK packet to the user terminal.

Step s607: the user terminal parses the DHCP ACK packet and adds the gateway device's IP address-MAC address pair to its local ARP entries.

If in step s603 the user terminal did not add the gateway device's IP address-MAC address pair carried in the DHCP OFFER packet to its local ARP entries, then in this step the user terminal adds the gateway device's IP address-MAC address pair "192.168.1.1 00-88-CC-06-05-43" carried in the DHCP ACK packet to its local ARP entries, and this ARP entry has a higher priority than dynamic ARP entries.

At this point the configuration of ARP entries on user terminal A and on the gateway device is complete. When user terminal A or the gateway device receives ARP attack packets from the network, the ARP entries they maintain are not modified by dynamically learned IP address-MAC address pairs, which achieves the goal of defending against ARP packet attacks.
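As an added example that is not code from the patent, the following Python models the mechanism of the first and second embodiments: a DHCP server encodes IP-MAC pairs into an option, the terminal and gateway parse it and install the pairs as ARP entries that outrank dynamic ones, entries age with the lease and are dropped on release, and steps s602 to s607 are replayed with the addresses above. The option code and the 10-byte record layout are assumed placeholders (the page defines its packet structure elsewhere), and the forged ARP replies are constructed test input.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress
# Assumed (placeholder) option layout, not taken from the patent: one option code
# whose value is a list of 10-byte records, 4-byte IPv4 address + 6-byte MAC.
IPMAC_OPTION = 224                        # placeholder code, private-use range
RECORD_LEN = 10
OPT_PAD, OPT_END = 0, 255                 # standard DHCP pad / end option codes
DYNAMIC, DHCP_PRIORITY, STATIC = 0, 1, 2  # ARP entry classes, higher wins

def encode_ipmac_option(pairs: List[Tuple[str, str]]) -> bytes:
    """DHCP server side: serialise IP-MAC pairs into the assumed option TLV."""
    body = b"".join(ipaddress.IPv4Address(ip).packed
                    + bytes(int(x, 16) for x in mac.split("-")) for ip, mac in pairs)
    return bytes([IPMAC_OPTION, len(body)]) + body

def parse_ipmac_option(options: bytes) -> List[Tuple[str, str]]:
    """Client/gateway side: walk the option TLVs and extract IP-MAC pairs;
    truncated or misaligned data raises instead of being partially applied."""
    pairs, i = [], 0
    while i < len(options) and options[i] != OPT_END:
        if options[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        code, length = options[i], options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == IPMAC_OPTION:
            if length % RECORD_LEN:
                raise ValueError("malformed IP-MAC record list")
            for off in range(0, length, RECORD_LEN):
                ip = str(ipaddress.IPv4Address(value[off:off + 4]))
                mac = "-".join(f"{b:02x}" for b in value[off + 4:off + RECORD_LEN])
                pairs.append((ip, mac))
        i += 2 + length
    return pairs

@dataclass
class ArpEntry:
    mac: str
    priority: int
    expires_at: Optional[float]   # None: never ages (static entry)

class ArpTable:
    def __init__(self) -> None:
        self.entries: Dict[str, ArpEntry] = {}

    def learn_dynamic(self, ip: str, mac: str, now: float, ttl: float = 1200.0) -> bool:
        """Ordinary ARP learning; refused when the IP already has a DHCP-priority
        or static entry, so a forged ARP reply cannot replace that binding."""
        cur = self.entries.get(ip)
        if cur is not None and cur.priority > DYNAMIC:
            return False
        self.entries[ip] = ArpEntry(mac.lower(), DYNAMIC, now + ttl)
        return True

    def install_from_dhcp(self, pairs, now: float, lease: float, own_ip: str) -> None:
        """Install pairs from OFFER/ACK with aging time equal to the DHCP lease;
        a device skips its own address (the ACK also carries the terminal's pair)."""
        for ip, mac in pairs:
            if ip != own_ip:
                self.entries[ip] = ArpEntry(mac.lower(), DHCP_PRIORITY, now + lease)

    def on_release_or_link_down(self) -> None:
        """IP released, interface DOWN or reset: drop the DHCP-priority entries."""
        self.entries = {ip: e for ip, e in self.entries.items()
                        if e.priority != DHCP_PRIORITY}

    def age(self, now: float) -> None:
        """Expire entries whose aging time has elapsed; static entries never expire."""
        self.entries = {ip: e for ip, e in self.entries.items()
                        if e.expires_at is None or e.expires_at > now}

    def lookup(self, ip: str) -> Optional[str]:
        return self.entries[ip].mac if ip in self.entries else None

def embodiment_two_walkthrough() -> dict:
    """Replay s602-s607 with the page's addresses, then constructed forged ARP replies."""
    gw, term_a = ("192.168.1.1", "00-88-CC-06-05-43"), ("192.168.1.2", "52-54-ab-27-82-83")
    lease, now = 3600.0, 0.0
    terminal, gateway = ArpTable(), ArpTable()
    offer = encode_ipmac_option([gw]) + bytes([OPT_END])                            # s602
    terminal.install_from_dhcp(parse_ipmac_option(offer), now, lease, term_a[0])   # s603
    ack = encode_ipmac_option([term_a, gw]) + bytes([OPT_END])                      # s604
    gateway.install_from_dhcp(parse_ipmac_option(ack), now, lease, gw[0])          # s605
    terminal.install_from_dhcp(parse_ipmac_option(ack), now, lease, term_a[0])     # s607
    r = {"spoof_on_terminal": terminal.learn_dynamic(gw[0], "de-ad-be-ef-00-01", now + 5),
         "spoof_on_gateway": gateway.learn_dynamic(term_a[0], "de-ad-be-ef-00-02", now + 5),
         "ordinary_learning": gateway.learn_dynamic("192.168.1.50", "00-11-22-33-44-55", now + 5),
         "terminal_gw_mac": terminal.lookup(gw[0]),
         "gateway_a_mac": gateway.lookup(term_a[0])}
    gateway.age(now + lease + 1)        # lease expired without renewal: entry ages out
    terminal.on_release_or_link_down()  # terminal released its IP: entry removed
    r["gateway_a_after_age"] = gateway.lookup(term_a[0])
    r["terminal_gw_after_release"] = terminal.lookup(gw[0])
    return r
```

Renewal would re-run install_from_dhcp with the new lease, which is how the updated aging time described above is applied.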

Using the above DHCP-based method of preventing ARP packet attacks provides a simple and effective solution for defending against ARP attack packets. It enables the gateway device and the user terminals in the network to defend effectively against received ARP attack packets. In addition, the DHCP server configures the important ARP entries of the user terminals in the network in a unified way, which facilitates centralized management.

The third embodiment of the present invention further provides a system for preventing ARP packet attacks. As shown in Figure 7, the system consists of a DHCP server 10, a gateway device 20 and at least one user terminal 30. The DHCP server is used to assign IP addresses to user terminals requesting service and to add the IP address-MAC address pairs of the necessary network devices and user terminals to the DHCP packets sent to the user terminals. The gateway device is used to snoop the DHCP packets sent by the DHCP server and, according to those DHCP packets, to configure its local ARP entries for the user terminals as ARP entries that cannot be dynamically rewritten (including static ARP entries or ARP entries with a priority higher than dynamic ARP entries). The user terminal, according to the DHCP packets sent by the DHCP server, configures its local ARP entries for network devices such as the gateway device as ARP entries that cannot be dynamically rewritten (including static ARP entries or ARP entries with a priority higher than dynamic ARP entries). Specifically, the DHCP server 10 includes:

a correspondence generation module 11, used to generate the user terminal's IP address-MAC address pair from the IP address assigned to the user terminal that sent the DHCP DISCOVER or DHCP REQUEST packet and from that user terminal's MAC address, and to provide it to the packet generation module 13;

a correspondence storage module 12, used to store the IP address-MAC address pairs of network devices in the network such as the gateway device and database servers, and to provide them to the packet generation module 13;

a packet generation module 13, used to add the user terminal's IP address-MAC address pair sent by the correspondence generation module 11 and the network devices' IP address-MAC address pairs sent by the correspondence storage module 12 to the DHCP packet sent to the user terminal, where that packet can be a DHCP OFFER packet and/or a DHCP ACK packet;

an address assignment module 14, used to assign IP addresses to user terminals that send DHCP DISCOVER and/or DHCP REQUEST packets and to notify the correspondence generation module 11 of the assigned IP address;

a packet sending module 15, used to send the DHCP packets generated by the packet generation module 13 to the user terminal.

Specifically, the gateway device 20 includes:

a packet snooping module 21, used to snoop the DHCP ACK packets sent by the DHCP server to the user terminal; when such a DHCP packet carries the user terminal's IP address-MAC address pair, it parses that pair and notifies the entry maintenance module 22 to update the ARP entry;

an entry maintenance module 22, used to configure the user terminal's IP address-MAC address pair obtained by the packet snooping module 21 as an ARP entry that cannot be dynamically rewritten; the ARP entry containing the user terminal's IP address-MAC address pair is a static ARP entry or an ARP entry with a priority higher than dynamic ARP entries;

an entry update module 23, used to age and update the ARP entries in the entry maintenance module 22 according to a preset mechanism. For new ARP entries with a priority higher than dynamic ARP entries, deletion should be considered in the following cases: (1) on receiving a Release packet sent by the user terminal to the DHCP server requesting release of its IP address resource, the new ARP entry corresponding to that user terminal should be deleted; (2) when the condition for the DHCP relay to age out its DHCP security entry is met, deletion of the new ARP entry corresponding to the user terminal should be considered; (3) when the condition for DHCP Snooping to age out its snooping entry is met, deletion of the new ARP entry corresponding to the user terminal should be considered.

Specifically, the user terminal 30 includes:

a packet parsing module 31, used to parse the DHCP packets sent by the DHCP server to this user terminal; when a DHCP packet carries the IP address-MAC address pair of a network device such as the gateway device, it parses that pair and notifies the terminal entry module 22 to update the ARP entry;

a terminal entry module 32, used to configure the IP address-MAC address pair of the network device, such as the gateway device, obtained by the packet parsing module 21 as an ARP entry that cannot be dynamically rewritten; the ARP entry containing the IP address-MAC address pair of the network device such as the gateway device is a static ARP entry or an ARP entry with a priority higher than dynamic ARP entries;

a terminal entry update module 33, used to age and update the ARP entries in the terminal entry module 32 according to a preset mechanism. For new ARP entries with a priority higher than dynamic ARP entries, the entry's aging time can be set to the lease time of the IP address the user terminal obtained from the DHCP server; when the lease is renewed or an IP address is re-obtained, the contents and aging time of such new ARP entries are updated accordingly; when the user terminal releases its IP address resource, or an event such as the network interface going DOWN or being reset occurs, such new entries should be deleted.

Besides the networking form described in the third embodiment, other network structures may also occur in practice. For example, the user terminal may be directly connected to the DHCP server; in that case the implementation of the present invention is similar to that described in the third embodiment: the DHCP server adds IP address-MAC address pairs to DHCP packets, informing the user terminal of the IP address-MAC address pairs of important devices in the network and informing other devices in the network of the user terminal's IP address-MAC address pair. That case is not described again here.

Using the DHCP-based system for preventing ARP packet attacks described in the above embodiments provides a simple and effective solution for defending against ARP attack packets. It enables the gateway device and the user terminals in the network to defend effectively against received ARP attack packets. In addition, the DHCP server configures the important ARP entries of the user terminals in the network in a unified way, which facilitates centralized management.

Only a few specific embodiments of the present invention are disclosed above; the present invention is not limited to these, however, and any variation that a person skilled in the art can conceive of shall fall within the scope of protection of the present invention.

Claims (15)

  1. A method of preventing Address Resolution Protocol (ARP) packet attacks, characterized in that it comprises the following steps: a Dynamic Host Configuration Protocol (DHCP) server adds an IP address-MAC address pair to a DHCP packet and sends it to a user terminal; the user terminal receives the DHCP packet, parses the IP address-MAC address pair included in the DHCP packet and configures it as a local ARP entry that cannot be dynamically rewritten, so as to prevent attack packets from attacking the network by altering the user terminal's ARP entries.
  2. The method of preventing ARP packet attacks according to claim 1, characterized in that the IP address-MAC address pair is the IP address-MAC address pair of a specific network device in the network, the specific network device including at least the gateway device connected to the user terminal; different network devices each select the corresponding IP address-MAC address pair and configure it as a local ARP entry that cannot be dynamically rewritten.
  3. The method of preventing ARP packet attacks according to claim 2, characterized in that, after the step in which the DHCP server adds the IP address-MAC address pair to the DHCP packet and sends it to the user terminal, the method further comprises: the gateway device receives the DHCP packet sent by the DHCP server to the user terminal; the pair is configured as a local ARP entry that cannot be dynamically rewritten; the gateway device sends the DHCP packet to the user terminal.
  4. The method of preventing ARP packet attacks according to any one of claims 1 to 3, characterized in that the ARP entry that cannot be dynamically rewritten is a static ARP entry, or an ARP entry with a priority higher than dynamic ARP entries.
  5. The method of preventing ARP packet attacks according to claim 4, characterized in that, when the ARP entry configured locally by the user terminal is an ARP entry with a priority higher than dynamic ARP entries, after the user terminal parses the IP address-MAC address pair included in the DHCP packet and configures it as a local ARP entry that cannot be dynamically rewritten, the method further comprises the steps of:
  6. The method of preventing ARP packet attacks according to claim 5, characterized in that the user terminal performs one or more of the following: setting the aging time of the ARP entry; when the lease is renewed or an IP address is re-obtained, updating the ARP entry and its aging time; or when the IP address resource is released or a reset occurs, deleting the ARP entry; or when an IP address is re-obtained through the DHCP server, refreshing the ARP entry.
  7. The method of preventing ARP packet attacks according to claim 4, characterized in that, when the ARP entry configured locally by the gateway device is an ARP entry with a priority higher than dynamic ARP entries, after the gateway device sends the DHCP packet to the user terminal, the method further comprises the steps of:
  8. The method of preventing ARP packet attacks according to claim 7, characterized in that the gateway device performs one or more of the following: on receiving an IP address release request sent by the user terminal to the DHCP server, deleting the ARP entry corresponding to the user terminal; or when the condition for the DHCP relay to age out its DHCP security entry is met, deleting the ARP entry corresponding to the user terminal; or when the condition for DHCP Snooping to age out its snooping entry is met, deleting the ARP entry corresponding to the user terminal; or on snooping a DHCP packet of the user terminal, updating the ARP entry corresponding to the user terminal.
  9. The method of preventing ARP packet attacks according to any one of claims 1 to 3, characterized in that the IP address-MAC address pair is contained in the Option field of the DHCP packet, and the DHCP packet is a DHCP OFFER packet and/or a DHCP ACK packet.
  10. A system for preventing ARP packet attacks, comprising a DHCP server and a user terminal, characterized in that the DHCP server is used to add an IP address-MAC address pair to a DHCP packet and send it to the user terminal; and the user terminal is used to parse the IP address-MAC address pair included in the DHCP packet sent by the DHCP server and configure it as a local ARP entry that cannot be dynamically rewritten.
  11. The system for preventing ARP packet attacks according to claim 10, characterized in that the DHCP server, in addition to a packet sending module, further comprises: a packet generation module, used to add the IP address-MAC address pair to the DHCP packet sent to the user terminal and to send it to the user terminal through the packet sending module; a correspondence generation module, used to generate the user terminal's IP address-MAC address pair from the IP address assigned to the user terminal and the user terminal's MAC address, and to provide it to the packet generation module; and a correspondence storage module, used to store the IP address-MAC address pairs of specific network devices in the network and to provide them to the packet generation module.
  12. The system for preventing ARP packet attacks according to claim 10, characterized in that the user terminal comprises: a packet parsing module, used to parse the DHCP packet sent by the DHCP server to this user terminal, parse the IP address-MAC address pair of the specific network device carried in the DHCP packet, and notify the terminal entry module; and a terminal entry module, used to configure the IP address-MAC address pair of the specific network device obtained by the packet parsing module as a local ARP entry that cannot be dynamically rewritten.
  13. The system for preventing ARP packet attacks according to claim 12, characterized in that the user terminal further comprises: a terminal entry update module, used to age and update the ARP entries in the terminal entry module according to a preset mechanism.
  14. The system for preventing ARP packet attacks according to claim 10, characterized in that it further comprises a gateway device, used to configure the IP address-MAC address pair included in the DHCP packet sent by the DHCP server as a local ARP entry that cannot be dynamically rewritten; wherein the gateway device comprises: a packet snooping module, used to snoop the DHCP packet sent by the DHCP server to the user terminal, parse the user terminal's IP address-MAC address pair carried in the DHCP packet, and notify the entry maintenance module; and an entry maintenance module, used to configure the user terminal's IP address-MAC address pair obtained by the packet snooping module as a local ARP entry that cannot be dynamically rewritten.
  15. The system for preventing ARP packet attacks according to claim 14, characterized in that the gateway device further comprises: an entry update module, used to age and update the ARP entries in the entry maintenance module according to a preset mechanism.
CN 200710129801 2007-07-26 2007-07-26 Method and system for preventing ARP message attack CN101175080A (en)

Publications (1)

Publication Number Publication Date
CN101175080A (en) 2008-05-07

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C12 Rejection of an application for a patent