CN101415012B - Method and system for defending against address resolution protocol message attacks - Google Patents

Info

Publication number
CN101415012B
Authority
CN
China
Prior art keywords
mac address
arp message
validated user
inbound port
message
Legal status
Expired - Fee Related
Application number
CN2008102255917A
Other languages
Chinese (zh)
Other versions
CN101415012A (en)
Inventor
李金平
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd

Abstract

The invention discloses a method for defending against Address Resolution Protocol (ARP) message attacks, comprising the following steps: the Media Access Control (MAC) address of a legitimate user is configured in advance; a network device receives an ARP message from a user; the content of the sender MAC address field is extracted from the received ARP message; it is judged whether the extracted sender MAC address is a pre-configured legitimate-user MAC address; if not, the received ARP message is discarded. The invention also discloses a system that can defend against ARP message attacks. The method and the system are applicable to users who access the network in any way, and do not require major modification of the network device.

Description

Method and system for defending against address resolution protocol message attacks
Technical field
The present invention relates to Address Resolution Protocol (ARP) technology, and specifically to a method for defending against ARP message attacks and a system for defending against ARP message attacks.
Background technology
ARP is one of the lower-layer protocols in the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol stack. Its function is to translate an IP address into a data-link-layer address such as a Media Access Control (MAC) address. Communication between network devices is addressed by MAC address, whereas the various applications based on TCP/IP are addressed by IP address, so every packet addressed by IP must ultimately be encapsulated in an Ethernet frame addressed by MAC before it is transmitted. A network device therefore needs to know the MAC address of the destination device when it communicates, and ARP takes on the task of resolving the destination device's IP address into the destination device's MAC address.
When ARP is used for address resolution, a network device caches the mappings between IP addresses and MAC addresses in a table structure called the ARP table. ARP table entries can be generated dynamically from ARP messages: the network device learns the mapping between an IP address and a MAC address from an ARP request message or an ARP reply message and stores it in its ARP table.
For example, as shown in Fig. 1, suppose user host A wants to send a message to host B. If host A and host B are on the same network segment, host A uses the ARP entry for host B recorded in its own ARP table to obtain host B's MAC address, encapsulates the message and sends it. If host A does not have host B's MAC address, it buffers the message to be sent and broadcasts an ARP request message. In the ARP request, the Sender IP address and Sender MAC address are host A's IP address 192.168.1.1 and MAC address 0002-6779-014c respectively, and the Target IP address and Target MAC address are host B's IP address 192.168.1.2 and an all-zero MAC address respectively.
Host B compares its own IP address with the Target IP address in the ARP request message, and when the two are identical it does the following: it stores the sender addresses from the ARP request, i.e. host A's IP address and MAC address, in its own ARP table. It then sends an ARP reply message to host A by unicast; the Sender MAC address of this ARP reply is host B's own MAC address. When host A receives the ARP reply, it adds host B's MAC address to its own ARP table, encapsulates the previously buffered message and sends it.
If host A and host B are not on the same network segment, with the network structure shown in Fig. 2, host A uses its own ARP table to obtain the MAC address of its gateway, encapsulates the message and sends it to the gateway. If the gateway already has an ARP entry for host B, it forwards the message directly to host B. If the gateway has no ARP entry for host B, it learns host B's MAC address by broadcasting an ARP request message and then sends the message to host B. If host A has no ARP entry for the gateway, host A first sends an ARP request to its gateway, with the Target IP of the ARP request message being the gateway's IP address. The gateway returns its own MAC address according to the ARP request message it receives. After host A obtains the gateway's MAC address from the ARP reply message returned by the gateway, it can encapsulate the message to be sent and deliver it to the gateway.
It can be seen that ARP entries are what guarantees normal communication between user hosts. If an ARP entry is abnormal, the two user hosts cannot communicate normally. ARP has no means of checking the validity of ARP messages, so an attacker can achieve illegal modification of ARP entries by sending forged ARP messages. The attacker's main method is to send forged ARP messages to a user host or gateway; the forgery mainly consists of a forged Sender IP address and/or Sender MAC address. Not only does this cause the user host or gateway that receives the forged ARP message to learn a wrong ARP entry, so that it cannot communicate normally; a gateway that receives a large number of forged ARP messages also learns a large number of new ARP entries in a short time, so that the gateway's ARP table is quickly filled, the ARP entries of other legitimate users cannot be learned, and legitimate users cannot access the external network.
Therefore, the main means of defending against ARP message attacks is to verify the legitimacy of the source of the ARP message. Common defence schemes at present include:
On the access switch, the stored DHCP (Dynamic Host Configuration Protocol) Snooping security entries or 802.1x security entries are used to judge whether the MAC address, IP address, inbound port and VLAN ID of the ARP message are legitimate. If any of this information does not match the record in the security entry, the ARP message is judged to be an attack message, and subsequent operations such as discarding the packet and raising an alarm are carried out.
On the gateway, the stored security entries generated from DHCP server leases or generated by the DHCP relay are used to judge whether the MAC address, IP address, inbound port and VLAN ID of the ARP message are legitimate.
Both of the above defence schemes share one problem: the access switch and the gateway must have obtained the DHCP Snooping security entries, 802.1x security entries, DHCP server leases or DHCP relay security entries before receiving the ARP message, so the user host must go online via DHCP or via 802.1X authentication. If the user goes online with a fixed IP address, neither the access switch nor the gateway can obtain any of the above security entries before receiving the ARP message, so neither of the two schemes can be applied to user hosts that go online with fixed IP addresses.
Existing ARP attack defence schemes aimed at the fixed-IP case also exist, but they generally require the chips of the access switch and gateway to support new functions, and at the same time require special client software to be installed on the user hosts.
Therefore, there is currently an urgent need for an effective scheme for defending against ARP message attacks that applies not only to user hosts that go online via DHCP and 802.1X but also to user hosts that go online with fixed IP addresses, and that is convenient to deploy, without requiring major modification of existing access switches, gateways and user hosts.
Summary of the invention
In view of this, the invention provides a method and a system for defending against ARP message attacks that apply to users who go online in any of various ways, and that require no major modification of the network device that uses the method.
The method for defending against ARP message attacks comprises the following steps:
the MAC address of a legitimate user is configured in advance;
the network device receives an ARP message from a user and extracts the content of the sender MAC address field from the received ARP message; it judges whether the extracted sender MAC address is the pre-configured MAC address of a legitimate user; if not, it discards the received ARP message;
the method further comprises: recording the MAC addresses of legitimate users that have authenticated online;
judging whether the extracted sender MAC address is the pre-configured MAC address of a legitimate user comprises:
the network device judges whether the extracted sender MAC address is one of the MAC addresses of legitimate users that have authenticated online; if not, it performs MAC address authentication on the extracted sender MAC address against the pre-configured legitimate-user MAC addresses; if authentication passes, it judges that the extracted sender MAC address is the pre-configured MAC address of a legitimate user and records the extracted sender MAC address as the MAC address of a legitimate user that has authenticated online; otherwise it judges that the extracted sender MAC address is not the pre-configured MAC address of a legitimate user;
the method also comprises: recording the inbound port used by the MAC address of each legitimate user that has authenticated online;
when the extracted sender MAC address is the MAC address of a legitimate user that has authenticated online, the current inbound port of the received ARP message is determined and compared with the recorded inbound port on which ARP messages with the same sender MAC address were received; if the inbound port has changed and the recorded inbound port has been in continuous use for less than a preset time value, an attack impersonating a legitimate user is determined to have been detected and the ARP message is discarded; if the inbound port has changed but the recorded inbound port has been in continuous use for a time greater than or equal to the preset time value, the recorded inbound port is updated with the current inbound port.
The system for defending against ARP message attacks provided by the invention comprises an authentication service unit and an attack defence unit; the attack defence unit comprises a message analysis module and a first judgement module;
the authentication service unit is used to store the pre-configured MAC addresses of legitimate users;
the message analysis module is used to receive ARP messages from users, extract the content of the sender MAC address field from each received ARP message, and send the extracted sender MAC address to the first judgement module;
the first judgement module is used to receive the extracted sender MAC address and judge whether the received sender MAC address is a legitimate-user MAC address stored by the authentication service unit, and if not, to discard the received ARP message;
the authentication service unit is further used to record the MAC addresses of legitimate users that have authenticated online;
the first judgement module comprises a judgement submodule and an authentication operation submodule;
the judgement submodule is used to receive the extracted sender MAC address and judge whether the received sender MAC address is the MAC address of a legitimate user that has authenticated online; if not, it notifies the authentication operation submodule;
the authentication operation submodule is used, after receiving the notification, to send the extracted sender MAC address to the authentication service unit so that the authentication service unit performs MAC address authentication on the sender MAC address against the pre-configured MAC addresses; when the authentication service unit returns an authentication-passed result, the received ARP message is given ARP processing; when the authentication service unit returns an authentication-failed result, the ARP message is discarded;
the authentication service unit is also used to record the inbound port used by the MAC address of each legitimate user that has authenticated online;
the system further comprises a second judgement module which, when the judgement submodule judges that the sender MAC address is the MAC address of a legitimate user that has authenticated online, determines the current inbound port of the received ARP message and compares it with the inbound port recorded by the authentication service unit on which ARP messages with the same sender MAC address were received; if the inbound port has changed and the recorded inbound port has been in continuous use for less than the preset time value, an attack impersonating a legitimate user is determined to have been detected and the ARP message is discarded; if the inbound port has changed but the recorded inbound port has been in continuous use for a time greater than or equal to the preset time value, the record in the authentication service unit is updated with the current inbound port.
From the above technical scheme it can be seen that the invention has the following beneficial effects:
First, the scheme intercepts ARP message attacks from the perspective of the Sender MAC address: by discarding ARP messages from non-legitimate users, it effectively blocks ARP message attacks whose Sender MAC address field is forged as a random MAC value or as the gateway's MAC address, thereby achieving defence against ARP message attacks.
At the same time, the scheme verifies only the Sender MAC address and needs no IP address information, so it applies not only to users who go online via DHCP and 802.1X but also to users who go online with fixed IP addresses.
Moreover, the verification process is carried out by existing MAC authentication processing. Because layer-2 MAC address authentication is already widely used, the scheme can be deployed at scale in existing networks without major modification of the network devices, which reduces implementation difficulty and upgrade cost.
In addition, the scheme is applied on a network device, which may be a gateway or an access switch. Because the user hosts need not cooperate in implementing it, only the network device needs to be modified and the user hosts do not, which further reduces the difficulty of deploying the scheme in an existing network.
Description of drawings
Fig. 1 is a schematic diagram of the exchange of ARP messages between host A and host B in the prior art.
Fig. 2 is a schematic structural diagram of a typical network in the prior art.
Fig. 3 is a flowchart of the method for defending against ARP message attacks in embodiment one of the invention.
Fig. 4 is a flowchart of the method for defending against ARP message attacks in embodiment two of the invention.
Fig. 5 is a schematic structural diagram of the system for defending against ARP message attacks in an embodiment of the invention.
Embodiments
Usually, an ARP message used as an attack message has a forged Sender IP and/or Sender MAC, and this scheme intercepts ARP message attacks from the perspective of the Sender MAC address. Where the Sender MAC is forged, the Sender MAC address of the ARP message is usually the attacker's own MAC address, a random MAC value or the gateway's MAC address. However, forging with the attacker's own MAC address amounts to identifying oneself and is also a risk for the attacker, so in most cases the attacker does not construct ARP messages with the local machine's MAC address; the more common attack method is to set the Sender MAC field to a random MAC value or to the gateway's MAC address when constructing the ARP message, so as to avoid exposing one's identity.
For ARP messages whose Sender MAC field is a random MAC value or the gateway's MAC address, the basic idea of the defence method proposed by the embodiments of the invention is: configure the MAC addresses of legitimate users in advance; the gateway or access switch acting as the network device uses its MAC address authentication function to perform MAC address authentication on ARP messages from the user side, where the object of authentication is the content of the "Sender MAC address" field in the ARP message rather than the layer-2 MAC address; if the Sender MAC address in the received ARP message is not a pre-configured legitimate-user MAC address, the received ARP message is discarded. Here the MAC address of a legitimate user is the MAC address of a legitimate user host.
The scheme intercepts ARP message attacks from the perspective of the Sender MAC address: by discarding ARP messages from non-legitimate users, it effectively blocks ARP message attacks whose Sender MAC address field is forged as a random MAC value or as the gateway's MAC address, thereby achieving defence against ARP message attacks. Because only the Sender MAC address is verified and no IP address information is needed, it applies not only to users who go online via DHCP and 802.1X but also to users who go online with fixed IP addresses.
At the same time, the MAC authentication process is carried out by existing MAC authentication processing. Because layer-2 MAC address authentication is already widely used, the scheme can be deployed at scale in existing networks without major modification of the network devices, which reduces implementation difficulty and upgrade cost.
In addition, the scheme is applied on a network device, which may be a gateway or an access switch. Because the user hosts need not cooperate in implementing it, only the network device needs to be modified and the user hosts do not, which further reduces the difficulty of deploying the scheme in an existing network.
The invention is described in detail below with reference to specific embodiments.
Fig. 3 is a flowchart of the method for defending against ARP message attacks in embodiment one of the invention. This flow takes the case in which the embodiment is applied on a gateway as an example. As shown in Fig. 3, the method comprises the following steps:
Step 301: configure the gateway to perform MAC address authentication on ARP messages received from users, and configure the MAC addresses of the legitimate users allowed to go online.
Layer-2 MAC address authentication is widely used; its original use is to control a user's network access rights using the layer-2 MAC address of received messages. In this embodiment, existing MAC address authentication client software can be adopted, configured to perform MAC address authentication on the Sender MAC field of ARP messages from users.
In this embodiment, the MAC addresses of the legitimate users allowed to go online are configured on the gateway itself, which is the local authentication mode. In practice, if the RADIUS authentication mode is adopted, the MAC addresses of the legitimate users allowed to go online can instead be configured on the authentication server. In the latter case, the MAC address authentication of step 304 below is carried out in cooperation with the authentication server.
Step 302: the gateway receives an ARP message from a user and extracts the content of the Sender MAC address field from it.
Step 303: the gateway judges whether the extracted Sender MAC address is the MAC address of a legitimate user that has authenticated online; if so, step 306 is executed; otherwise, step 304 is executed.
The MAC addresses of legitimate users that have authenticated online are recorded in the gateway, each being recorded the first time its MAC address authentication passes. If the RADIUS authentication mode is adopted, the MAC addresses of legitimate users that have authenticated online are recorded in the authentication server.
Step 304: perform MAC address authentication on the extracted Sender MAC address against the pre-configured legitimate-user MAC addresses; if authentication passes, step 305 is executed; otherwise, step 307 is executed.
The MAC address authentication process in this step is: compare whether the extracted Sender MAC address is one of the pre-configured legitimate-user MAC addresses; if so, authentication passes; otherwise, authentication fails.
Step 305: confirm that the source of the received ARP message is normal, and perform online processing for the Sender MAC address. Online processing comprises recording the Sender MAC in the gateway as the MAC address of a legitimate user that has authenticated online; this record is the basis on which step 303 above judges whether an extracted Sender MAC address is an authenticated-online MAC address. Further, the online time and the inbound port may also be recorded.
Step 306: perform ARP processing on the received ARP message. The flow ends.
In this embodiment, the ARP processing performed by the gateway is to modify the ARP table and carry out similar operations according to the ARP message. If the technical scheme of the invention is applied on an access switch, the ARP processing performed by the access switch is to allow the ARP message to pass through it.
Step 307: discard the received ARP message. The flow ends.
In practice, a preset defence policy can also be enabled that restricts the device from processing further messages from the same user for a period of time after the authentication failure.
At this point the flow ends.
According to the above flow, the processing method of Fig. 3 can effectively block ARP message attacks that forge a random MAC value or forge the gateway's MAC address. Sometimes, however, the attacker first obtains the MAC address of a legitimate user present in the same broadcast domain, and then constructs ARP messages with that legitimate user's MAC address, forming an ARP message attack that forges a legitimate user's MAC address.
In this case, if the defence scheme of Fig. 3 is still used, the attack cannot be effectively identified, because the Sender MAC address really is the MAC address of a legitimate user. Therefore, when judging the legitimacy of the Sender MAC address, the invention further judges whether the inbound port on which ARP messages from the same authenticated-online user are received has changed. Usually, if the inbound port changes, the ARP entry corresponding to the authenticated-online user can be considered to have been modified. To distinguish malicious modification by an attacker from a normal port switch, the embodiments of the invention further judge whether the port used before the change had been in continuous use for less than the preset time value; if so, it is considered malicious modification by an attacker, the received ARP message is an attack message, and it is discarded. In practice, an online-keep timer can be used to record the time between two modifications of the port: if the timer value has not exceeded the preset time value, the port used before the change is considered not to have reached the preset continuous-use time, and the inbound port is determined to have been maliciously modified by an attacker. Each online-keep timer corresponds to one user.
With the above scheme, ARP messages whose Sender MAC address is the gateway's MAC address can be discarded, but it cannot be distinguished whether a discarded message is an attack message forging the gateway's MAC address or an attack message forging a random MAC value. To distinguish them, so that targeted defence policies can be issued, the gateway preferably further judges the inbound port on which the ARP message is received: if the inbound port is a user port and the Sender MAC address in the received ARP message is identical to the gateway's own MAC address, a gateway-MAC forgery attack is determined and the received ARP message is discarded. If this scheme is applied on an access switch, the gateway MAC address needs to be pre-configured.
Embodiment two of the invention adds a port-change judgement and a gateway MAC address discrimination step on the basis of embodiment one. Fig. 4 is a flowchart of the method for defending against ARP message attacks in embodiment two of the invention. This flow again takes application of the embodiment on a gateway as an example. As shown in Fig. 4, the method comprises the following steps:
Step 401: configuration is carried out MAC address authentication to the ARP message that receives personal family on gateway, and configuration allows the MAC Address of the validated user of reaching the standard grade.
Step 402: gateway receives the ARP message from the user, therefrom extracts the field contents of Sender MAC Address.
Step 403: judge whether the Sender MAC Address that is extracted is the MAC Address that has authenticated the validated user of reaching the standard grade; If then execution in step 408; Otherwise, execution in step 404.
Step 404: the inbound port that judges whether the ARP message that receives is a user port, and the Sender MAC Address of extracting from this ARP message is this gateway MAC Address; If then determine to detect the attack of counterfeit gateway, execution in step 411; Otherwise, execution in step 405.
In the present embodiment, user port is on gateway, connects the port of access switch.For access switch, user port is for connecting the port of subscriber's main station.
Step 405:, the Sender MAC Address that is extracted is carried out MAC address authentication according to the MAC Address of pre-configured validated user; If authentication is passed through, then execution in step 406; Otherwise, execution in step 411.
Step 406: Confirm that the source of the received ARP message is normal and perform online processing for the Sender MAC Address. The online processing comprises: in the gateway, recording the Sender MAC Address as the MAC address of an authenticated online legitimate user, and correspondingly recording the ingress port used when coming online. Preferably, the online time is recorded as well.
Step 407: Perform ARP processing on the received ARP message. The flow ends.
Step 408: Determine the current ingress port of the received ARP message, compare it with the recorded ingress port on which ARP messages with the same Sender MAC Address were received, and judge whether the two ingress ports are consistent. If so, confirm that the port has not changed, determine that the source of the received ARP message is normal, and execute step 407; otherwise, confirm that the port has changed, but since a further judgment is still needed, execute step 409.
Normally, the recorded ingress port is the one recorded during online processing and does not change. If the ingress port has changed before, the recorded ingress port is the one in use after the most recent change.
Step 409: Judge whether the count of the online keep-alive timer exceeds the preset time value. If so, the change of ingress port is regarded as a normal port switch, the source of the received ARP message is determined to be normal, and step 410 is executed; otherwise, step 411 is executed.
In practice, there are many ways to determine how long the previous ingress port was in continuous use before the change; for example, the difference between the current time and the online time recorded during online processing can also be used.
Step 410: Clear the online keep-alive timer and update the recorded ingress port with the current ingress port, that is, update the ingress port recorded for the Sender MAC Address of the received ARP message to the actual ingress port of this received ARP message. Execute step 407.
Step 411: Discard the received ARP message. The flow ends.
At this point, the flow ends.
In practice, step 404 in Fig. 4 may also be placed between step 402 and step 403, so that an ARP message forging the gateway MAC address is not subjected to the user online judgment; alternatively, step 404 may be placed between step 405 and step 411, where it serves to determine the attack type.
The flow shown in Fig. 4 is described with the solution of the present invention applied to a gateway as an example. When the solution is applied to an access switch, the MAC address of the gateway connected to the access switch needs to be statically configured on the access switch in advance. In practice, apart from static configuration of the gateway MAC address, other ways of obtaining the gateway MAC address may also be used.
For example, the gateway MAC address may be obtained from the DHCP Snooping table or the ARP Snooping table in the manner specified by RFC4562. As another example, the access switch may send a spoofed message to the gateway MAC and listen for the response message, obtaining the gateway MAC address dynamically from that response. The response message may be a PPPoE/DHCP (PPP over Ethernet / Dynamic Host Configuration Protocol) response message or an IGMP/MLD (Internet Group Management Protocol / Multicast Listener Discovery) general query response message.
To implement the method of the embodiments of the present invention for defending against ARP message attacks, the present invention also provides a system for defending against ARP message attacks. Fig. 5 is a schematic structural diagram of the system for defending against ARP message attacks in an embodiment of the present invention. As shown in Fig. 5, the system comprises an authentication service unit 51 and an attack-defense unit 52. The authentication service unit 51 and the attack-defense unit 52 may be located together in the network device that requires defense against ARP message attacks, or the authentication service unit 51 may be located in an authentication server and the attack-defense unit 52 in the network device. Wherein:
The authentication service unit 51 is used to store the MAC addresses of the pre-configured legitimate users.
The attack-defense unit 52 comprises a message parsing module 521 and a first judging module 522, wherein:
The message parsing module 521 is used to receive an ARP message from a user, extract the content of the Sender MAC Address field from the received ARP message, and send the extracted Sender MAC Address to the first judging module 522;
The first judging module 522 is used to receive the Sender MAC Address from the message parsing module 521, judge whether the received Sender MAC Address is the MAC address of a legitimate user stored by the authentication service unit 51, and if not, discard the received ARP message.
Specifically, the first judging module 522 comprises a judging submodule 62 and an authentication operation submodule 63, wherein:
The judging submodule 62 is used to receive the Sender MAC Address from the message parsing module 521 and judge whether the received Sender MAC Address is the MAC address of an authenticated online legitimate user. The method is as follows: the authentication service unit 51 further stores the MAC addresses of authenticated online legitimate users; they may be stored by marking the MAC addresses of legitimate users in its records, so as to distinguish those that have been authenticated and are online. The MAC address of an authenticated online legitimate user is necessarily a pre-configured legitimate user MAC address. Thus, with the assistance of the authentication service unit 51, the judging submodule 62 can judge whether the received Sender MAC Address is one of the MAC addresses of authenticated online legitimate users recorded in the authentication service unit 51; if so, the received Sender MAC Address is judged to be the MAC address of a pre-configured legitimate user; otherwise, the authentication operation submodule 63 is notified, and the authentication operation submodule 63 authenticates the Sender MAC to determine its legitimacy.
The authentication operation submodule 63 is used, after receiving the notification from the judging submodule 62, to send the Sender MAC Address received from the message parsing module 521 to the authentication service unit 51 so that the authentication service unit 51 performs MAC address authentication on this Sender MAC Address according to the pre-configuration. When the authentication service unit 51 returns a result indicating that authentication passed, the authentication operation submodule 63 performs ARP processing on the ARP message; when the authentication service unit 51 returns a result indicating that authentication failed, the authentication operation submodule 63 discards the ARP message. Here, the authentication service unit 51 provides the authentication service: it judges whether the received Sender MAC Address is a preset legitimate user MAC address; if so, authentication passes, and the authentication result is returned to the sender of the Sender MAC Address, namely the authentication operation submodule 63.
Preferably, after the judging submodule 62 judges that the Sender MAC Address is the MAC address of an authenticated online legitimate user, in order to distinguish whether the source of the ARP message is a real legitimate user or a legitimate user impersonated by an attacker, the authentication service unit 51 in the embodiment of the present invention is further used to record the ingress port used by the MAC address of the authenticated online legitimate user, and the system further comprises a second judging module 523.
As shown in Fig. 5, the second judging module 523 is connected to the judging submodule 62 in the first judging module 522. When the judging submodule 62 determines that the Sender MAC Address is the MAC address of an authenticated online legitimate user, it notifies the second judging module 523. The second judging module 523 then determines the current ingress port on which the ARP message with this Sender MAC Address was received and compares it with the ingress port recorded by the authentication service unit 51 for receiving ARP messages with the same Sender MAC Address. If the ingress port has changed and the continuous use time of the recorded ingress port is less than the preset time value, the currently received ARP message is discarded. If the ingress port has changed and the continuous use time of the recorded ingress port is greater than or equal to the preset time value, the current ingress port is used to update the record in the authentication service unit 51, and the source of the received ARP message is confirmed to be normal. If the ingress port has not changed, the source of the received ARP message is confirmed to be normal.
In practice, the second judging module 523 may use an online keep-alive timer to record the continuous use time, and use the ingress port recorded at authentication and coming online to judge whether the port has changed. See the detailed description in the method embodiment above.
Preferably, the system further comprises a third judging module 524 (not shown in Fig. 5). The third judging module 524 may be placed between the message parsing module 521 and the first judging module 522, or between the judging submodule 62 and the authentication operation submodule 63. The third judging module 524 knows the MAC address of the gateway; it checks the ingress port of an ARP message received by the attack-defense unit 52 in which it resides, and if that ingress port is a user port on the user-facing side and the Sender MAC Address in the received ARP message is the gateway MAC address, the received ARP message is discarded.
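The decision logic of the method flow (steps 404 to 411 of Fig. 4) and of the modules of Fig. 5, written out as an added Python example that is not the patent's own code. The frame parser, the port names, the MAC addresses, the preset time of 300 s and the use of a recorded online time in place of a separate keep-alive timer (the alternative the description itself mentions) are assumptions made for illustration.

```python
import ipaddress
import struct
import time
from dataclasses import dataclass

ETH_TYPE_ARP = 0x0806
ARP_SHA_OFFSET = 14 + 8   # Ethernet header (14) + htype/ptype/hlen/plen/oper (8)


def sender_mac(frame: bytes) -> str:
    """Message parsing module 521: return the Sender MAC Address field of an Ethernet/ARP frame."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    return ":".join(f"{b:02x}" for b in frame[ARP_SHA_OFFSET:ARP_SHA_OFFSET + 6])


def build_arp_frame(sha: str, spa: str = "10.0.0.10", tpa: str = "10.0.0.1") -> bytes:
    """Constructed sample input: a broadcast ARP request carrying the given sender MAC."""
    mac = bytes.fromhex(sha.replace(":", ""))
    eth = b"\xff" * 6 + mac + struct.pack("!H", ETH_TYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + ipaddress.ip_address(spa).packed
           + b"\x00" * 6 + ipaddress.ip_address(tpa).packed)
    return eth + arp


@dataclass
class OnlineRecord:
    """Authentication service unit 51 entry for an authenticated online legitimate user."""
    port: str           # ingress port recorded at coming online (or after the last port change)
    online_time: float  # when that port was recorded; stands in for the keep-alive timer


class ArpDefender:
    """Attack-defense unit 52 with the authentication service unit 51 held in memory."""

    def __init__(self, legal_macs, gateway_mac, preset_time, user_ports, clock=time.monotonic):
        self.legal_macs = {m.lower() for m in legal_macs}  # pre-configured legitimate user MACs
        self.gateway_mac = gateway_mac.lower()
        self.preset_time = preset_time                     # preset time value of step 409
        self.user_ports = set(user_ports)                  # user-facing ports of this device
        self.clock = clock
        self.online = {}                                   # MAC -> OnlineRecord

    def handle(self, frame: bytes, ingress_port: str) -> str:
        """Return 'process' or 'drop:<reason>' for one ARP frame received on ingress_port."""
        mac = sender_mac(frame)
        # Third judging module 524: the gateway MAC must never arrive on a user-side port.
        if ingress_port in self.user_ports and mac == self.gateway_mac:
            return "drop:spoofed-gateway"
        rec = self.online.get(mac)
        if rec is None:
            # Judging submodule 62 -> authentication operation submodule 63: MAC authentication.
            if mac not in self.legal_macs:
                return "drop:unauthenticated-mac"          # authentication failed (step 411)
            # Step 406: online processing records MAC, ingress port and online time.
            self.online[mac] = OnlineRecord(ingress_port, self.clock())
            return "process"                              # step 407
        # Second judging module 523 (steps 408-411): already online, check the ingress port.
        if rec.port == ingress_port:
            return "process"                              # port unchanged, source is normal
        used_for = self.clock() - rec.online_time         # continuous use time of recorded port
        if used_for >= self.preset_time:
            # Step 410: a normal port switch; reset the timer and update the recorded port.
            self.online[mac] = OnlineRecord(ingress_port, self.clock())
            return "process"
        return "drop:spoofed-user"                        # port changed too soon (step 411)


def run_demo():
    """Constructed scenario on a device with two user ports; returns decisions and final state."""
    now = {"t": 0.0}                                      # fake clock keeps the run deterministic
    d = ArpDefender(legal_macs=["00:11:22:33:44:55"], gateway_mac="aa:bb:cc:dd:ee:ff",
                    preset_time=300, user_ports={"ge0/1", "ge0/2"}, clock=lambda: now["t"])
    user, gw = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    out = [d.handle(build_arp_frame(user), "ge0/1")]      # first seen: authenticated, goes online
    out.append(d.handle(build_arp_frame(user), "ge0/1"))  # same port: normal
    out.append(d.handle(build_arp_frame("de:ad:be:ef:00:01"), "ge0/2"))  # not configured: drop
    now["t"] = 60.0
    out.append(d.handle(build_arp_frame(user), "ge0/2"))  # moved within 300 s: impersonation
    now["t"] = 400.0
    out.append(d.handle(build_arp_frame(user), "ge0/2"))  # moved after 300 s: record updated
    out.append(d.handle(build_arp_frame(gw), "ge0/1"))    # gateway MAC from a user port: drop
    return out, d
```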
From the above it can be seen that the solution for defending against ARP message attacks provided by the present invention enables efficient MAC address authentication of the Sender MAC Address in ARP messages, and effectively defends against ARP message attacks with an arbitrarily configured Sender MAC Address;
In addition, the solution further records the ingress port corresponding to an authenticated online user and, combined with the user online keep-alive timer, can effectively defend against ARP message attacks that impersonate a legitimate user;
In addition, the solution further judges whether the MAC address in an ARP message received from a user port is the gateway MAC, so that important MACs such as the gateway device MAC are automatically excluded from Sender MAC authentication of ARP messages, which effectively defends against and identifies ARP message attacks that impersonate the gateway.
In summary, the above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (6)

1. A method for defending against address resolution protocol (ARP) message attacks, characterized in that the method comprises:
pre-configuring the media access control (MAC) addresses of legitimate users;
a network device receiving an ARP message from a user and extracting the content of the sender MAC address field from the received ARP message; judging whether the extracted sender MAC address is the MAC address of a pre-configured legitimate user; and if not, discarding the received ARP message,
the method further comprising: recording the MAC addresses of authenticated online legitimate users;
wherein judging whether the extracted sender MAC address is the MAC address of a pre-configured legitimate user comprises:
the network device judging whether the extracted sender MAC address is one of the MAC addresses of authenticated online legitimate users; if not, performing MAC address authentication on the extracted sender MAC address according to the MAC addresses of the pre-configured legitimate users; if the authentication passes, judging that the extracted sender MAC address is the MAC address of a pre-configured legitimate user and recording the extracted sender MAC address as the MAC address of an authenticated online legitimate user; otherwise, judging that the extracted sender MAC address is not the MAC address of a pre-configured legitimate user,
the method also comprising: recording the ingress port used by the MAC address of the authenticated online legitimate user;
when the extracted sender MAC address is the MAC address of an authenticated online legitimate user, determining the current ingress port of the received ARP message and comparing the current ingress port with the recorded ingress port on which ARP messages with the same sender MAC address were received; if the ingress port has changed and the continuous use time of the recorded ingress port is less than a preset time value, determining that an attack impersonating a legitimate user is detected and discarding the ARP message; if the ingress port has changed but the continuous use time of the recorded ingress port is greater than or equal to the preset time value, updating the recorded ingress port with the current ingress port.
2. The method of claim 1, characterized in that the MAC addresses of the legitimate users are pre-configured on the network device, or pre-configured on a server that provides the MAC address authentication service to the network device.
3. The method of claim 1 or 2, characterized in that, after extracting the content of the sender MAC address field from the received ARP message, the method further comprises: if the received ARP message was received from a user port and the extracted sender MAC address is identical to the gateway MAC address, determining that an attack impersonating the gateway is detected and discarding the ARP message.
4. The method of claim 3, characterized in that the network device is a gateway or an access switch;
when the network device is an access switch, the gateway MAC address is the MAC address of the gateway connected to the access switch; the gateway MAC address is obtained dynamically by the access switch, or statically configured in the access switch in advance.
5. A system for defending against address resolution protocol (ARP) message attacks, characterized in that the system comprises an authentication service unit and an attack-defense unit; the attack-defense unit comprises a message parsing module and a first judging module;
the authentication service unit is used to store the MAC addresses of pre-configured legitimate users;
the message parsing module is used to receive an ARP message from a user, extract the content of the sender MAC address field from the received ARP message, and send the extracted sender MAC address to the first judging module;
the first judging module is used to receive the extracted sender MAC address, judge whether the received sender MAC address is the MAC address of a legitimate user stored by the authentication service unit, and if not, discard the received ARP message,
wherein the authentication service unit is further used to record the MAC addresses of authenticated online legitimate users;
the first judging module comprises a judging submodule and an authentication operation submodule;
the judging submodule is used to receive the extracted sender MAC address and judge whether the received sender MAC address is the MAC address of an authenticated online legitimate user; if not, notify the authentication operation submodule;
the authentication operation submodule is used, after receiving the notification, to send the extracted sender MAC address to the authentication service unit so that the authentication service unit performs MAC address authentication on the sender MAC address according to the pre-configuration; when the authentication service unit returns a result indicating that authentication passed, perform ARP processing on the received ARP message; when the authentication service unit returns a result indicating that authentication failed, discard the ARP message,
the authentication service unit is also used to record the ingress port used by the MAC address of an authenticated online legitimate user;
the system further comprises a second judging module which, when the judging submodule judges that the sender MAC address is the MAC address of an authenticated online legitimate user, determines the current ingress port of the received ARP message and compares the current ingress port with the ingress port recorded by the authentication service unit on which ARP messages with the same sender MAC address were received; if the ingress port has changed and the continuous use time of the recorded ingress port is less than a preset time value, it determines that an attack impersonating a legitimate user is detected and discards the ARP message; if the ingress port has changed but the continuous use time of the recorded ingress port is greater than or equal to the preset time value, it updates the record in the authentication service unit with the current ingress port.
6. The system of claim 5, characterized in that the system further comprises a third judging module, used to determine that an attack impersonating the gateway is detected and discard the received ARP message when it detects that the ingress port of the received ARP message is a user port and the sender MAC address in the received ARP message is the gateway MAC address.
CN2008102255917A 2008-11-06 2008-11-06 Method and system for defending address analysis protocol message aggression Expired - Fee Related CN101415012B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008102255917A CN101415012B (en) 2008-11-06 2008-11-06 Method and system for defending address analysis protocol message aggression


Publications (2)

Publication Number Publication Date
CN101415012A CN101415012A (en) 2009-04-22
CN101415012B true CN101415012B (en) 2011-09-28

Family

ID=40595324


Country Status (1)

Country Link
CN (1) CN101415012B (en)


Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1612537A (en) * 2003-10-29 2005-05-04 华为技术有限公司 Method for preventing main computer from being counterfeited in IP ethernet
CN101170515A (en) * 2007-12-04 2008-04-30 华为技术有限公司 A method, system and gateway device for processing packets


Also Published As

Publication number Publication date
CN101415012A (en) 2009-04-22


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 No. 466 Changhe Road, Binjiang District, Zhejiang, China

Patentee after: New H3C Technologies Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Hangzhou H3C Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110928

Termination date: 20191106