CN101345643A - Method and device for early warning of network appliance - Google Patents

Publication number: CN101345643A
Authority: CN (China)
Prior art keywords: arp, address, network equipment, packet, judgment condition
Legal status: Granted
Application number: CNA2007100290856A
Other languages: Chinese (zh)
Other versions: CN101345643B (en)
Inventors: 罗鹏, 王嗣恩, 刘硕
Current Assignee: Zhuhai Kingsoft Software Co Ltd
Original Assignee: Zhuhai Kingsoft Software Co Ltd
Application filed by Zhuhai Kingsoft Software Co Ltd
Priority to CN2007100290856A (patent CN101345643B)
Priority to JP2008176773A (patent JP5390798B2)
Publication of CN101345643A
Application granted
Publication of CN101345643B
Legal status: Active

Abstract

The invention provides a method of early warning for network equipment. At least one Address Resolution Protocol (ARP) request packet is first sent to the network equipment within a detection range, and ARP reply packets are received within a predetermined time. For ARP reply packets that satisfy a first judgment condition, the mapping between the Internet Protocol (IP) address and the media access control (MAC) address is stored; the first judgment condition at least includes that the number of ARP reply packets is consistent with the number of ARP request packets. ARP data packets, which include ARP request packets and ARP reply packets, are then monitored, and an early-warning notification is issued when a second judgment condition is satisfied; the second judgment condition at least includes that the source IP address and the source MAC address in the ARP data packet are inconsistent with the stored mapping. The invention also provides an early-warning device, network equipment and a corresponding storage medium. The invention generates an early-warning notification when it finds a forged ARP reply packet, so that the user can promptly locate the equipment with the forged network address.

Description

Method and device for early warning of network equipment
Technical field
The present invention relates to computer network security, and in particular to a method and a device for early warning of network equipment.
Background
In Ethernet, the network layer identifies each device in the network by the IP address in a data packet, and the data link layer identifies each device by its media access control (MAC) address. A network device maintains an Address Resolution Protocol (ARP) table containing one or more mappings between IP addresses and MAC addresses. By looking up the mappings in this ARP table, the network device obtains the MAC address associated with the IP address in a data packet and delivers the packet to the device with that MAC address.
If the network device finds no MAC address for the packet's IP address in its ARP table, it broadcasts an ARP request packet within its broadcast domain. The network device whose IP address matches the IP address in the ARP request packet replies, returning its MAC address in a reply packet to the device that sent the request. The mapping between that IP address and that MAC address is stored in the ARP table for future use, and the network device delivers the data packet to that MAC address.
A malicious user can mount an ARP attack by forging a network address, so that the network device writes an illegitimate mapping into its ARP table. For example, the user mounting the ARP attack can send the targeted network device an ARP data packet that contains the MAC address of that user's own device together with an IP address already stored in the ARP table. On receiving this ARP data packet, the network device updates the ARP table entry for that IP address, so the malicious user receives data packets that should have gone to another user. From then on, the network device wrongly sends to the malicious user's device all packets originally destined for the forged IP address.
In addition, a malicious user can use the same technique to attack the default gateway. By forging the IP address of the gateway in the Ethernet in the way described above, the malicious user prevents all terminal devices connected to that gateway from communicating through the correct gateway, which harms the security and privacy of the network.
These attacks usually succeed because the ARP table holds a wrong mapping between an IP address and a MAC address. The usual countermeasures are to exclude the attack source by establishing the correct mappings between IP addresses and MAC addresses, or to warn the user of a possible attack source. One current approach imports the correct IP-to-MAC mappings from a DHCP server. For networks that have no DHCP mechanism configured or that assign IP addresses statically, the correct IP-to-MAC mappings are usually set up by statically configuring ARP.
However, the MAC address information of legitimate users is not easy to collect, and in a network with many users manual configuration involves a heavy workload and high operational complexity.
Summary of the invention
Embodiments of the invention provide a method and an early-warning device for early warning of network equipment that warn the user automatically, so that the user can promptly locate abnormal equipment.
One aspect of the invention provides a method for early warning of network equipment. First, at least one Address Resolution Protocol (ARP) request packet is sent to the network equipment within a detection range, and ARP reply packets are received within a predetermined time. The mapping between the Internet Protocol (IP) address and the media access control (MAC) address of each ARP reply packet that satisfies a first judgment condition is stored; the first judgment condition at least includes that the number of ARP reply packets is consistent with the number of ARP request packets. ARP data packets, which include ARP request packets and ARP reply packets, are then monitored, and an early-warning notification is issued when a second judgment condition is satisfied; the second judgment condition at least includes that the source IP address and the source MAC address in the ARP data packet are inconsistent with the stored mapping.
Another aspect of the invention provides an early-warning device comprising: a transceiver unit, used to send at least one Address Resolution Protocol (ARP) request packet to the network equipment within a detection range and to receive ARP reply packets within a predetermined time; an analysis unit, used to store the mapping between the Internet Protocol (IP) address and the media access control (MAC) address of each ARP reply packet that satisfies a first judgment condition, the first judgment condition at least including that the number of ARP reply packets is consistent with the number of ARP request packets, and used to monitor ARP data packets, which include ARP request packets and ARP reply packets, and to issue an early-warning notification when a second judgment condition is satisfied, the second judgment condition at least including that the source IP address and the source MAC address in the ARP data packet are inconsistent with the stored mapping; and a communication unit, used to carry the communication between the transceiver unit and the analysis unit.
In the above technical scheme, embodiments of the invention actively send ARP request packets to obtain and store, automatically, the network address information of the network equipment within the detection range. Because the correctness of each ARP reply packet is checked to some degree when it is stored, a mapping table of high correctness is built automatically.
Moreover, because a mapping table of high correctness has been built, comparing it with the network address information in ARP data packets received within the detection range promptly detects equipment with an abnormal network address and issues an early-warning notification, which makes it easy for the user to locate that equipment in time.
Brief description of the drawings
Fig. 1 is a flow chart of the method for early warning of network equipment in an embodiment;
Fig. 2 is a flow chart of checking the network address in an ARP reply packet in an embodiment;
Fig. 3 is a flow chart of checking ARP data packets against the mapping table in an embodiment;
Fig. 4 is a block diagram of the early-warning device in an embodiment.
Embodiments
One aspect of the invention provides a method for early warning of network equipment that automatically builds a mapping table of high correctness and uses this mapping table to give early warning of network equipment with an abnormal network address.
As shown in Fig. 1, an embodiment of the invention first provides the process of building a mapping table of high correctness, as follows. To obtain the network address information (IP address and MAC address) of the network equipment, request packets are first sent to the network equipment within the detection range (S101); after waiting for a period of time, the ARP reply packets returned by each network device are received (S102). To build a mapping table of high correctness, the embodiments set a first judgment condition that checks whether the network address information in a returned ARP reply packet is correct; when the first judgment condition is satisfied, the mapping between the IP address and the MAC address of the ARP reply packet is stored (S103). The first judgment condition used to check the network address information may be a combination of several conditions; in the embodiments it at least includes that the number of ARP reply packets received is consistent with the number of ARP request packets sent.
When the mapping table is used for early warning of the network equipment, ARP data packets are monitored. Such a packet may be an ARP request packet or an ARP reply packet sent by a network device. The embodiments set a second judgment condition that checks whether the network address information in a received ARP data packet is correct. If the second judgment condition is satisfied, the network address information in that ARP data packet may be abnormal, and an early-warning notification is issued (S104). In one embodiment the second judgment condition may be a combination of one or more conditions, and it at least includes that the source IP address and the source MAC address in the ARP data packet are inconsistent with the stored mapping.
In this scheme, when a normal network device receives an ARP request packet, the device whose IP address matches the IP address in the request replies, so the number of correct reply packets should be consistent with the number of ARP request packets sent. A malicious user mounting a network attack, by contrast, can send ARP reply packets unsolicited, without the device having received any ARP request packet. Checking whether the number of ARP reply packets received is consistent with the number of ARP request packets can therefore serve as one of the conditions for deciding whether the network address of the device behind a reply packet is abnormal, which makes the network addresses in the resulting mapping table more likely to be correct.
As stated in the Background, the method a malicious user commonly uses to attack network equipment is to construct a false IP address or MAC address and to change the correct IP-to-MAC correspondence by means of ARP data packets (request packets or reply packets). Once a correct mapping table has been built as described above, monitoring the ARP data packets within the detection range automatically warns the user of equipment with an abnormal network address, so that the user can find the malicious user and eliminate the attack source in time.
As an optimization of step S101 in the above method, in one embodiment of the invention the ARP request packet is sent several times while the mapping table is being built. For each ARP request packet sent, ARP reply packets are received within a certain receiving time; if the number of ARP reply packets received in any one round is inconsistent with the number of ARP request packets sent, the first judgment condition is considered not satisfied. In this embodiment the frequencies at which ARP request packets are sent may be the same or different, and the frequencies at which ARP reply packets are received may likewise be the same or different.
If the ARP request packet is sent only once, an ARP reply packet with an abnormal network address may happen to arrive at just that moment, or the reply packets returned by several network devices may be consistent in number with the ARP request packets. The method above is then needed to exclude equipment with a possibly abnormal network address and to store the correct network addresses. Because the sending frequency in this embodiment can be chosen as required, a malicious user can hardly learn the exact sending frequency, whereas a device that forges a network address usually sends unsolicited ARP reply packets at a fixed frequency; equipment with an abnormal network address can therefore be further excluded. This approach also promptly reveals network equipment involved in an IP conflict (that is, several network devices using the same IP address).
The check in step S103 of whether the number of ARP reply packets received is consistent with the number of ARP request packets sent, which is part of the first judgment condition, can be implemented in several ways. One embodiment of the invention provides the following process. After an ARP request packet is sent to the network equipment within the detection range, ARP reply packets are awaited for a period of time. If the mapping between the IP address and the MAC address in a reply packet has not yet been recorded, it is recorded. If the mapping has already been recorded, a network device has returned more than one ARP reply packet for the same ARP request packet, and the number of ARP reply packets is judged to be inconsistent with the number of ARP request packets. The recording can be done in a temporary storage table or directly in the mapping table.
Because the correctness of the reply packet is checked each time an ARP reply packet is received, the recorded network address information yields correct IP-to-MAC mappings. As described in the Background, the method a malicious user commonly uses to attack network equipment is to forge a network address, constructing a false IP address or MAC address and changing the IP-to-MAC mappings in the ARP table. Because the scheme above checks whether more than one ARP reply packet is received after a given ARP request packet is sent, it can determine whether the number of ARP reply packets is consistent with the number of ARP request packets.
As a further way of determining in step S103 whether the number of ARP reply packets received is consistent with the number of ARP request packets sent, one embodiment of the invention provides the following steps, shown in Fig. 2. After an ARP request packet is sent to the network equipment within the detection range (S201), ARP reply packets are awaited for a period of time (S202). Unlike the embodiment above, a register may be provided in this embodiment. If the mapping between the IP address and the MAC address in a reply packet has not yet been recorded, it is recorded (S203, S204); if the mapping has already been recorded, the register is incremented by one (S205). When the number of ARP request packets sent reaches a preset number (S206), if the value of the register is the same as the number of request packets sent, the ARP reply packets received are consistent in number with the ARP request packets sent (S207). These steps can be carried out by recording in a temporary storage table or in a permanent storage table.
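An added example (not part of the patent) of the table-building phase described above: replies collected over several probe rounds are parsed, and an IP-to-MAC mapping is kept only when the reply count for that IP matches the request count. Sending exactly one request per probed IP in each round, all function and variable names, and the sample payloads are assumptions made for the illustration.

```python
import struct
from collections import Counter, defaultdict

ARP_REPLY = 2  # ARP opcode for a reply

def parse_arp(payload: bytes):
    """Parse an Ethernet/IPv4 ARP payload into (opcode, sender_mac, sender_ip)."""
    if len(payload) < 28:
        raise ValueError("ARP payload shorter than 28 bytes")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    sha, spa = struct.unpack("!6s4s", payload[8:18])
    mac = ":".join(f"{b:02x}" for b in sha)
    ip = ".".join(str(b) for b in spa)
    return op, mac, ip

def make_reply(mac: str, ip: str) -> bytes:
    """Build a constructed ARP reply addressed to a hypothetical prober."""
    prober_mac, prober_ip = bytes.fromhex("0200000000fe"), bytes([192, 0, 2, 254])
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
            + bytes.fromhex(mac.replace(":", ""))
            + bytes(int(x) for x in ip.split("."))
            + prober_mac + prober_ip)

def build_mapping_table(rounds):
    """rounds[i] holds the raw ARP payloads received after the i-th probe.

    Assumption: each round sends one request per probed IP, so an IP meets
    the first judgment condition only if it produced exactly one reply in
    every round, always from the same MAC.
    """
    requests_sent = len(rounds)
    totals = Counter()              # (ip, mac) -> replies over all rounds
    macs_for_ip = defaultdict(set)  # ip -> every MAC that claimed it
    rejected = {}                   # ip -> reason it is kept out of the table
    for replies in rounds:
        per_ip = Counter()
        for raw in replies:
            op, mac, ip = parse_arp(raw)
            if op != ARP_REPLY:
                continue
            per_ip[ip] += 1
            totals[(ip, mac)] += 1
            macs_for_ip[ip].add(mac)
        for ip, n in per_ip.items():
            if n > 1:  # more replies than the single request sent this round
                rejected[ip] = "extra replies in one round"
    table = {}
    for (ip, mac), n in totals.items():
        if len(macs_for_ip[ip]) > 1:
            rejected[ip] = "several MACs claim this IP"
        elif ip not in rejected and n != requests_sent:
            rejected[ip] = "reply count differs from request count"
        elif ip not in rejected:
            table[ip] = mac
    return table, rejected

# Constructed sample: three probe rounds on a documentation-range subnet.
GW, HOST_A, HOST_B, HOST_C = "192.0.2.1", "192.0.2.10", "192.0.2.20", "192.0.2.30"
GW_MAC, FAKE_MAC = "02:00:00:00:00:01", "02:00:00:00:00:66"
A_MAC, B_MAC, C_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:14", "02:00:00:00:00:1e"
COMMON = [(GW_MAC, GW), (FAKE_MAC, GW), (A_MAC, HOST_A), (B_MAC, HOST_B)]
SAMPLE_ROUNDS = [
    [make_reply(m, i) for m, i in COMMON + [(B_MAC, HOST_B), (C_MAC, HOST_C)]],
    [make_reply(m, i) for m, i in COMMON + [(C_MAC, HOST_C)]],
    [make_reply(m, i) for m, i in COMMON],  # HOST_C stays silent in this round
]

if __name__ == "__main__":
    table, rejected = build_mapping_table(SAMPLE_ROUNDS)
    print("stored:", table)
    for ip, reason in sorted(rejected.items()):
        print("rejected:", ip, "-", reason)
```

In the sample, only HOST_A answers exactly once per request from a single MAC; the gateway address is withheld from the table because two MACs claim it in every round.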
For step S103 above, an embodiment of the invention described below explains in detail how the mapping table is updated, further optimizing the scheme of the invention.
In one embodiment of the invention, as a further optimization of the storing of the IP-to-MAC mapping of the ARP reply packet in step S103, it is taken into account that when the ARP request packets are sent, the network to be checked may contain network equipment that has not been started or that has changed its IP address. When a network device starts or changes its IP address, there is a corresponding ARP notification mechanism: the device announces its current IP address to the relevant network equipment by sending an ARP data packet whose destination IP address is the same as its source IP address. In this embodiment, therefore, when the state of a network device is found to change (the state change may include the device starting, its network address information changing, and so on), if an ARP data packet that satisfies the ARP notification mechanism is heard and the network address in that packet does not conflict with the IP-to-MAC mappings stored in the mapping table, the stored mapping table is updated. The update covers the following cases. When the IP address is within the detection range and the mapping between this IP address and the MAC address is not stored in the mapping table, the mapping is stored in the mapping table. If the IP address in the ARP data packet is not stored while the MAC address is already stored, the mapping between the IP address in the ARP data packet and that MAC address is stored; the IP-to-MAC mapping already stored may be kept or deleted. If the already recorded IP-to-MAC mapping is kept, the mapping table supports the case of one network device having several IP addresses.
For the early warning of network equipment by means of the mapping table in step S104 above, the second judgment condition that decides whether an early-warning notification is issued may be a combination of one or more conditions. Several combinations of the second judgment condition, and the corresponding processes for issuing the early-warning notification, are listed below.
As shown in Fig. 3, the detailed process of issuing an early-warning notification can be as follows. When an ARP data packet is monitored (S301), the combination of IP address and MAC address in the packet is compared with the IP-to-MAC mappings stored in the mapping table (S302). The second judgment condition may include that the network address combination in the ARP data packet is inconsistent with the mappings stored in the mapping table; if this condition is satisfied, an early-warning notification is generated. The second judgment condition may further include that the MAC address in the ARP data packet is stored: before the notification is generated, it can also be checked whether the MAC address is stored in the mapping table (S303). If it is stored, the MAC address in the ARP data packet is a real MAC address; because the mapping table stores correct mappings between MAC addresses and IP addresses, the device that sent this ARP data packet may be a device forging a network address, so an early-warning notification is generated (S305) and the user is notified in time. In one embodiment of the invention the second judgment condition may also include that the MAC address in the ARP data packet is not stored and that the transmission frequency and request scope of the ARP data packets exceed predetermined values. If the mapping table does not contain the MAC address in the ARP data packet, that MAC address may be a false MAC address of the device sending the packet. To judge more accurately whether this device has an abnormal network address, one embodiment provides the step of detecting the transmission frequency and request scope with which this device sends ARP data packets (S304); when the transmission frequency and request scope exceed the predetermined values, a notification is generated (S305).
The above is the processing performed when the network address combination in the ARP data packet is inconsistent with the mappings stored in the mapping table. When the network address combination in the ARP data packet is consistent with the stored mappings, then, to judge more accurately whether the device has an abnormal network address, the second judgment condition in one embodiment of the invention may also include that the source IP address and the source MAC address in the data packet are consistent with the stored IP-to-MAC mapping and that the transmission frequency and request scope of the ARP data packets exceed predetermined values. That is, when the network address combination in the ARP data packet is consistent with the stored mappings, the transmission frequency and request scope with which the device sends ARP data packets are further detected (S304), and an early-warning notification is generated when they exceed the predetermined values (S305).
The following is a specific implementation, in one embodiment of the invention, of detecting in step S304 the transmission frequency and request scope with which a network device sends ARP data packets. When an ARP data packet sent by a network device is obtained, the scope over which this device sends ARP data packets can be derived from the source network address information (IP address and MAC address) and the destination network address in the packet. In addition, the time at which the ARP data packet is received can be recorded in order to calculate the frequency with which this device sends ARP data packets. A notification can be generated when the transmission frequency exceeds a certain value, so that the user can promptly locate the equipment with the abnormal network address; the request scope of the device sending the ARP data packets can also be refreshed according to the transmission frequency and the time of reception.
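An added example (not part of the patent) of the monitoring decision flow of Fig. 3 combined with the frequency and request-scope check of S304. The sliding window, the two thresholds, the verdict strings, the class and function names and the sample events are assumptions; the patent speaks only of "predetermined values".

```python
from collections import defaultdict, deque

class ArpMonitor:
    """Check observed ARP packets against a stored IP-to-MAC mapping table."""

    def __init__(self, table, window=10.0, max_packets=5, max_targets=3):
        self.table = dict(table)                # ip -> mac, from the build phase
        self.known_macs = set(table.values())
        self.window = window                    # seconds of history kept per sender
        self.max_packets = max_packets          # assumed frequency threshold
        self.max_targets = max_targets          # assumed request-scope threshold
        self.history = defaultdict(deque)       # src_mac -> (timestamp, dst_ip)

    def _is_noisy(self, ts, src_mac, dst_ip):
        """S304: packets and distinct destinations from one sender in the window."""
        seen = self.history[src_mac]
        seen.append((ts, dst_ip))
        while seen and ts - seen[0][0] > self.window:
            seen.popleft()
        scope = len({dst for _, dst in seen})
        return len(seen) > self.max_packets and scope > self.max_targets

    def check(self, ts, src_ip, src_mac, dst_ip):
        """Return a verdict string when a warning is due, otherwise None."""
        noisy = self._is_noisy(ts, src_mac, dst_ip)
        stored = self.table.get(src_ip)
        if stored is not None and stored != src_mac:    # S302: mapping mismatch
            if src_mac in self.known_macs:              # S303: MAC is stored
                return "mismatch-known-mac"             # S305
            return "mismatch-flood" if noisy else None  # S304, then S305
        # Consistent mapping (an IP not in the table is treated the same way,
        # which is an assumption): warn only on excessive rate and scope.
        return "flood" if noisy else None

def run(monitor, events):
    """Feed (timestamp, src_ip, src_mac, dst_ip) events; return the verdicts."""
    return [monitor.check(*event) for event in events]

# Constructed sample data on a documentation-range subnet.
GW_MAC, A_MAC, B_MAC = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:14"
UNKNOWN_MAC = "02:00:00:00:00:66"
TABLE = {"192.0.2.1": GW_MAC, "192.0.2.10": A_MAC, "192.0.2.20": B_MAC}
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", A_MAC, "192.0.2.1"),       # normal request
    (1.0, "192.0.2.1", B_MAC, "192.0.2.10"),       # stored MAC claims gateway IP
    (2.0, "192.0.2.1", UNKNOWN_MAC, "192.0.2.10"), # unknown MAC, single packet
] + [
    # Host A then sends ARP to six different addresses in well under a second.
    (3.0 + 0.1 * k, "192.0.2.10", A_MAC, f"192.0.2.{100 + k}") for k in range(1, 7)
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run(ArpMonitor(TABLE), SAMPLE_EVENTS)):
        print(event, "->", verdict)
```

Following Fig. 3 as described, a single packet from an unknown MAC that claims a stored IP address produces no warning until that sender's rate and scope cross the thresholds.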
As the above embodiments show, when both the MAC address and the IP address in a received ARP data packet are abnormal network addresses, the mapping table cannot detect the device that forges the network address. However, a malicious user mounting a network attack usually has to change the IP-to-MAC mappings in ARP tables by sending ARP data packets, so a large number of ARP data packets usually appear in the network; detecting the scope and frequency with which devices in the network send ARP data packets can therefore further reveal devices that forge network addresses.
While the mapping table is being built in steps S101 to S103, an early-warning notification need not be issued when a device with an abnormal network address is found, because step S104 exists. It may of course be issued, in which case the second judgment condition also includes: while the mapping table is being built, the number of ARP reply packets received is inconsistent with the number of ARP request packets sent. An early-warning notification is issued when the numbers of ARP reply packets and ARP request packets are found to be inconsistent.
Similarly, an early-warning notification can be issued if a device with an abnormal network address is found while the mapping table is being updated. In that case the second judgment condition may also include: when the state of a network device changes, the network address information in the received ARP data packet conflicts with the IP-to-MAC mappings stored in the mapping table, that is, the IP address in the received ARP data packet is stored but the correspondence between this IP address and the MAC address is not stored. A conflict may mean that an IP address conflict has occurred, or that a device forging a network address exists. What the two cases have in common is that the IP address in the received ARP data packet is stored while the correspondence between this IP address and the MAC address is not, so generating a notification promptly reveals both devices involved in an IP conflict and devices forging a network address.
In addition, in one embodiment of the invention, an early-warning notification is issued if a network device whose network card has promiscuous mode enabled is detected; that is, the second judgment condition also includes the presence of a network card with promiscuous mode enabled. The detection process can be as follows. An ARP data packet is first constructed whose destination MAC address can be FF:FF:FF:FF:FF:FE, and this ARP request packet is sent to all hosts in the network. A network card that has not enabled promiscuous mode does not receive this packet, because the destination differs from its own MAC address, whereas a network card in promiscuous mode does receive it. This shows which hosts have enabled promiscuous mode on their network cards.
A network card with promiscuous mode enabled receives all the data in the network, which may leak information belonging to other network equipment, such as passwords and important file information. The embodiment above promptly detects network cards with promiscuous mode enabled.
The embodiment above for detecting network equipment with promiscuous mode enabled can also serve, when the MAC address and the IP address in a received ARP data packet are false network addresses, as one way of detecting whether a large number of ARP data packets appear.
At the method for in the various embodiments described above network equipment of forging the network address being carried out early warning, one embodiment of the present of invention provide corresponding prior-warning device, be used for the equipment of the unusual network address is carried out early warning, as shown in Figure 4, this device comprises: Transmit-Receive Unit 401, analytic unit 402 and communication unit 403.
When needs were set up the mapping relations table, this Transmit-Receive Unit 401 need send primary address analysis protocol ARP request package at least by the network equipment in detection range, receives the arp reply bag then in the given time; When utilizing the mapping relations table of setting up to carry out early warning, need to monitor in the detection range whether have the ARP packet; Analytic unit 402 is stored satisfying the IP address of described arp reply bag of first judgment condition and the mapping relations between the MAC Address when setting up the mapping relations table; When utilizing this mapping relations table to carry out early warning, whether the ARP packet that analysis Transmit-Receive Unit 401 receives satisfies second judgment condition, when satisfying second judgment condition, sends the early warning notice; Communication unit 403, realize the communication between described Transmit-Receive Unit 401 and the described analytic unit 402, communication unit 403 can obtain the ARP packet that receives from Transmit-Receive Unit 401, be sent to analytic unit 402, so that mapping relations between analytic unit 402 timely storing IP addresses and the MAC Address and in time send early warning notice; Communication unit 403 also can only send a notification message to analytic unit 402 in addition, and notification analysis unit 402 obtains the ARP packet from Transmit-Receive Unit 401, as shown in phantom in FIG..
Further, described analytic unit 402 is when the network equipment state variation in the detection range, if the IP address from the ARP packet of the network equipment is not stored, and MAC Address is stored, then the IP address of described arp reply bag and the mapping relations between the MAC Address stored.
The network equipment to the unusual network address among each embodiment mentioned above carries out that each step can realize by one or more instruction in the method for early warning, described instruction can be configured in the network equipment that comprises processor, there is this processor to carry out, simultaneously, described instruction can be stored in the storage medium.The described network equipment can be the network equipments such as computer.
Above-listed detailed description is at the specifying of one of the present invention possible embodiments, and this embodiment is not in order to limiting claim of the present invention, and the equivalence that all the present invention of disengaging do is implemented or change, all should be contained in the claim of this case.
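The two judgment conditions described above, as an added Python sketch that is not code from the patent: `learn` applies the first condition to probe replies and `check` applies the second to monitored ARP frames. The class and function names, the single-MAC requirement in `learn`, and all addresses (192.0.2.0/24 documentation range) are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806  # EtherType for ARP

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(op, sha, spa, tha, tpa):
    """Constructed sample frame: Ethernet header + ARP body (IPv4 over Ethernet)."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    eth = mac(tha) + mac(sha) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip), or None if not a well-formed ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    return op, frame[22:28].hex(":"), ".".join(str(b) for b in frame[28:32])

class ArpEarlyWarning:
    def __init__(self):
        self.table = {}  # stored IP -> MAC mapping

    def learn(self, requests_sent, reply_frames):
        """First judgment condition: store an IP only if replies == requests."""
        seen = defaultdict(list)
        for frame in reply_frames:
            parsed = parse_arp(frame)
            if parsed and parsed[0] == 2:  # op 2 = ARP reply
                seen[parsed[2]].append(parsed[1])
        for ip, sent in requests_sent.items():
            macs = seen.get(ip, [])
            # Assumption: counts match AND every reply names the same MAC.
            if len(macs) == sent and len(set(macs)) == 1:
                self.table[ip] = macs[0]
        return dict(self.table)

    def check(self, frame):
        """Second judgment condition: sender IP/MAC contradicts the stored mapping."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _, sender_mac, sender_ip = parsed
        stored = self.table.get(sender_ip)
        if stored is not None and stored != sender_mac:
            return f"WARNING {sender_ip} claimed by {sender_mac}, stored {stored}"
        return None  # assumption: IPs never learned are not judged here

def demo():
    gw, host, rogue, me = (f"00:11:22:33:44:{n}" for n in ("01", "02", "99", "10"))
    w = ArpEarlyWarning()
    replies = [build_arp(2, gw, "192.0.2.1", me, "192.0.2.10"),
               build_arp(2, host, "192.0.2.20", me, "192.0.2.10"),
               build_arp(2, rogue, "192.0.2.20", me, "192.0.2.10")]  # one reply too many
    table = w.learn({"192.0.2.1": 1, "192.0.2.20": 1}, replies)
    alerts = [w.check(build_arp(2, gw, "192.0.2.1", me, "192.0.2.10")),
              w.check(build_arp(2, rogue, "192.0.2.1", me, "192.0.2.10"))]
    return table, alerts
```

In `demo`, 192.0.2.20 is left out of the table because two replies arrive for one request, and the later frame that pairs 192.0.2.1 with a different MAC triggers the warning.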

Claims (12)

1. A method for giving early warning of a network device, characterized by comprising the steps of:
Sending an Address Resolution Protocol (ARP) request packet at least once to the network devices within a detection range, and receiving ARP reply packets within a predetermined time;
Storing the mapping between the Internet Protocol (IP) address and the Media Access Control (MAC) address of each ARP reply packet that satisfies a first judgment condition, the first judgment condition comprising at least: the number of ARP reply packets is consistent with the number of ARP request packets;
Receiving ARP packets, the ARP packets comprising ARP request packets and ARP reply packets, and issuing an early-warning notification when a second judgment condition is satisfied, the second judgment condition comprising at least: the source IP address and source MAC address in the ARP packet are inconsistent with the stored mapping.
2. The method according to claim 1, characterized in that the steps further comprise:
When the state of a network device within the detection range changes, if the IP address of an ARP packet from the network device is not stored but the MAC address is stored, storing the mapping between the IP address and the MAC address of the ARP reply packet.
3. The method according to claim 1, characterized in that the second judgment condition further comprises:
The MAC address in the ARP packet is stored.
4. The method according to claim 1, characterized in that the second judgment condition further comprises:
The MAC address in the ARP packet is not stored, and the sending frequency and request range of the ARP packet exceed predetermined values.
5. The method according to claim 1, characterized in that the second judgment condition further comprises:
The source IP address and source MAC address in the packet are consistent with the stored mapping between IP address and MAC address, and the sending frequency and request range of the ARP packet exceed predetermined values.
6. The method according to claim 1, characterized in that the second judgment condition further comprises:
A network device with promiscuous mode enabled is present.
7. The method according to claim 1, characterized in that the second judgment condition further comprises:
The number of ARP reply packets is inconsistent with the number of ARP request packets.
8. The method according to claim 2, characterized in that the second judgment condition further comprises:
When the state of a network device within the detection range changes, the IP address of the ARP packet from the network device is stored.
9. An early-warning device for executing the method of claims 1 to 8, used for giving early warning of a network device, characterized by comprising:
A transceiver unit, used for sending an Address Resolution Protocol (ARP) request packet at least once to the network devices within a detection range and, in accordance with the ARP request packets sent, receiving ARP reply packets within a predetermined time; and
For receiving ARP packets, the ARP packets comprising ARP request packets and ARP reply packets;
An analysis unit, used for storing the mapping between the Internet Protocol (IP) address and the Media Access Control (MAC) address of each ARP reply packet that satisfies a first judgment condition, the first judgment condition comprising at least: the number of ARP reply packets is consistent with the number of ARP request packets; and
For issuing an early-warning notification when an ARP packet received by the transceiver unit satisfies a second judgment condition, the second judgment condition comprising at least: the source IP address and source MAC address in the ARP packet are inconsistent with the stored mapping;
A communication unit, used for implementing the communication between the transceiver unit and the analysis unit.
10. The early-warning device according to claim 9, characterized in that the analysis unit is further used for, when the state of a network device within the detection range changes, if the IP address of an ARP packet from the network device is not stored but the MAC address is stored, storing the mapping between the IP address and the MAC address of the ARP reply packet.
11. A network device, characterized by comprising: a processor and one or more instructions executed by the processor, wherein, when executing the instructions, the processor implements the following steps:
Sending an Address Resolution Protocol (ARP) request packet at least once to the network devices within a detection range, and receiving ARP reply packets within a predetermined time;
Storing the mapping between the Internet Protocol (IP) address and the Media Access Control (MAC) address of each ARP reply packet that satisfies a first judgment condition, the first judgment condition comprising at least: the number of ARP reply packets is consistent with the number of ARP request packets;
Receiving ARP packets, the ARP packets comprising ARP request packets and ARP reply packets, and issuing an early-warning notification when a second judgment condition is satisfied, the second judgment condition comprising at least: the source IP address and source MAC address in the ARP packet are inconsistent with the stored mapping.
12. A storage medium, characterized in that it is used for storing one or more instructions for giving early warning of a network device, the instructions, when executed, carrying out the following steps:
Sending an Address Resolution Protocol (ARP) request packet at least once to the network devices within a detection range, and receiving ARP reply packets within a predetermined time;
Storing the mapping between the Internet Protocol (IP) address and the Media Access Control (MAC) address of each ARP reply packet that satisfies a first judgment condition, the first judgment condition comprising at least: the number of ARP reply packets is consistent with the number of ARP request packets;
Receiving ARP packets, the ARP packets comprising ARP request packets and ARP reply packets, and issuing an early-warning notification when a second judgment condition is satisfied, the second judgment condition comprising at least: the source IP address and source MAC address in the ARP packet are inconsistent with the stored mapping.
CN2007100290856A 2007-07-09 2007-07-09 Method and device for early warning of network appliance Active CN101345643B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2007100290856A CN101345643B (en) 2007-07-09 2007-07-09 Method and device for early warning of network appliance
JP2008176773A JP5390798B2 (en) 2007-07-09 2008-07-07 Method and apparatus for early warning of network equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007100290856A CN101345643B (en) 2007-07-09 2007-07-09 Method and device for early warning of network appliance

Publications (2)

Publication Number Publication Date
CN101345643A true CN101345643A (en) 2009-01-14
CN101345643B CN101345643B (en) 2011-09-21

Family

ID=40247539

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007100290856A Active CN101345643B (en) 2007-07-09 2007-07-09 Method and device for early warning of network appliance

Country Status (2)

Country Link
JP (1) JP5390798B2 (en)
CN (1) CN101345643B (en)

Also Published As

Publication number Publication date
CN101345643B (en) 2011-09-21
JP2009017562A (en) 2009-01-22
JP5390798B2 (en) 2014-01-15

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20090114

Assignee: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

Assignor: Zhuhai Kingsoft Software Co.,Ltd.

Contract record no.: 2014990000718

Denomination of invention: Method and device for early warning of network appliance

Granted publication date: 20110921

License type: Common License

Record date: 20140826

LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model