CN101808097A - Method and equipment for preventing ARP attack - Google Patents

Method and equipment for preventing ARP attack

Info

Publication number
CN101808097A
Authority
CN
China
Prior art keywords
authenticator
arp
transmitting terminal
response message
request message
Prior art date
Legal status
Granted
Application number
CN 201010132209
Other languages
Chinese (zh)
Other versions
CN101808097B (en)
Inventor
高凯
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN 201010132209
Publication of CN101808097A
Application granted
Publication of CN101808097B
Legal status: Expired - Fee Related (current)
Anticipated expiration

Abstract

The invention discloses a method for preventing ARP attacks. A sending end generates a first authenticator and a receiving end generates a second authenticator; the sending end decides whether to accept or reject the ARP response message by comparing the first authenticator with the second. The legitimacy of an ARP response message is thus verified through the correctness of the authenticator, which prevents ARP attacks in a wireless network.

Description

Method and apparatus for preventing ARP attacks
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for preventing ARP attacks.
Background technology
ARP (Address Resolution Protocol) is the protocol that resolves an IP (Internet Protocol) address into an Ethernet MAC (Media Access Control, also called physical) address. The IP address is a terminal's address at the network layer; to deliver a network-layer packet to a destination terminal, the sender must know the destination terminal's MAC address, so it uses ARP to resolve the IP address into a MAC address.
The ARP learning process is shown in Fig. 1. Assume terminals A and B are on the same network segment and terminal A wants to send data to terminal B; address resolution proceeds as follows:
(1) Terminal A checks its own ARP table to determine whether it contains an entry for terminal B, i.e. whether it can find terminal B's MAC address. If the MAC address is found, terminal A uses the MAC address from the ARP table directly to encapsulate the IP packet in a frame and sends it to terminal B.
(2) If terminal A cannot find the MAC address in its ARP table, it buffers the data packet and sends an ARP request message by broadcast. In this ARP request message the Sender IP address and Sender MAC address are terminal A's IP and MAC addresses, the Target IP address is terminal B's IP address, and the Target MAC address is the all-zero MAC address. Because the ARP request is broadcast, every terminal on the segment receives it, but only the requested terminal (terminal B) processes it.
(3) Terminal B compares its own IP address with the Target IP address in the ARP request message; when they are identical, it stores the Sender IP and MAC addresses from the request (terminal A's) in its own ARP table and sends an ARP response message, containing its own MAC address, to terminal A by unicast.
(4) After terminal A receives the ARP response message, it adds terminal B's MAC address to its own ARP table, encapsulates the buffered IP packet and sends it, and uses the entry for forwarding subsequent packets.
WLAN (Wireless Local Area Network) provides a wireless connection service for local area networks and high-speed wireless data access within a small area; it is one of the more popular technologies in today's IT (Information Technology) industry and a popular means of wireless access. Compared with traditional wired access, a WLAN frees the use of the network from the constraints of cables and port locations; it is easy to carry and easy to move, and it removes or reduces complex network cabling: laying one or more AP (Access Point) devices is enough to set up a LAN covering an entire building or area. The AP is an essential component of a WLAN: it is a wireless transceiver that converts data received from the wired network (for example the Internet) into wireless signals for transmission, and converts received wireless signals into data that it forwards to the wired network. A WLAN built with WLAN technology complements the wired network, escapes the constraints of Ethernet cabling, and gives end users a convenient way to access the network. Wireless networks are therefore deployed more and more, from city hotspots to wireless city networks and from wireless enterprise networks to wireless campus networks, and large numbers of AP devices are installed and in use.
In a wireless network environment a router can act as a gateway and provide access service to terminals; a router can also provide a wireless network card function and connect to a wireless network, in which case the router is a client. The wireless access network is shown schematically in Fig. 2, and the data exchange proceeds as follows:
(1) Router A acts as the AP and provides access to the wide area network.
(2) Terminal C connects to router A as a client, and router B also connects to router A as a client (functioning like a terminal); terminal C and router B are in the same local area network, LAN A.
(3) Terminals A and B are connected by wire to gateway router B and are both in LAN B. When terminal A needs to reach the wide area network, its traffic passes through router B and then router A, i.e. first through the wired network and then through the wireless network; when terminal C needs to reach the wide area network, its traffic passes only through router A, i.e. only through the wireless network.
However, the existing ARP learning process includes no verification of ARP messages, so a terminal cannot tell whether a received ARP response is the one it expected; this creates the conditions for ARP spoofing attacks.
In a wireless network environment in particular, terminals and routers can attach to an AP as wireless clients and access is very flexible, so ARP attacks during the ARP learning process are very frequent. For example, in the wireless access network of Fig. 2:
(1) When terminal C and router B attach to router A as wireless clients, router A, acting as a fat AP, wants to learn the ARP entry for router B's IP address, while terminal C may be an attacker (terminal C may be infected or acting maliciously).
(2) Router A broadcasts an ARP request in the wireless network whose target address is router B's address (192.168.2.2); both terminal C and router B receive this request.
(3) After receiving the ARP request from router A, terminal C impersonates router B and answers the request, but the MAC address it places in the ARP response is wrong (for example, a non-existent MAC address). The ARP entry that router A learns is therefore wrong, and in the end router B and router A cannot communicate normally.
Summary of the invention
The invention provides a method and apparatus for preventing ARP attacks, which use an authenticator to verify the legitimacy of ARP information in a wireless network and so avoid ARP spoofing attacks.
To this end, the invention proposes a method for preventing ARP attacks, applied in a wireless network system that comprises a sending end and a receiving end, where the sending end and the receiving end are configured with the same hash algorithm and hold the same shared key. The method comprises the following steps:
The sending end generates a random number and a first authenticator, and sends an ARP request message to the receiving end; the ARP request message carries the random number.
The receiving end generates a second authenticator from the random number carried in the ARP request message, and sends an ARP response message to the sending end; the ARP response message carries the second authenticator.
The sending end decides, from the first authenticator and the second authenticator, whether to accept or reject the ARP response message.
Generating the first authenticator specifically comprises: the sending end generates the first authenticator from the random number, the shared key configured on the sending end, and the Sender IP in the ARP request message.
Generating the second authenticator from the random number carried in the ARP request message specifically comprises: the receiving end generates the second authenticator from the random number carried in the ARP request message, the shared key configured on the receiving end, and the Sender IP in the ARP request message.
Sending the ARP request message to the receiving end specifically comprises:
the sending end replaces the target media access control (MAC) address in the ARP request message with the random number, and sends the ARP request message to the receiving end.
Sending the ARP response message to the sending end specifically comprises:
the receiving end replaces the target IP address in the ARP response message with the second authenticator, and sends the ARP response message to the sending end.
Deciding, from the first authenticator and the second authenticator, whether to accept or reject the ARP response message specifically comprises:
the sending end judges whether the first authenticator is identical to the second authenticator; if they are identical, the sending end accepts the ARP response message; if they differ, the sending end rejects the ARP response message.
An apparatus for preventing ARP attacks, applied in a wireless network system that comprises a sending end and a receiving end, where the sending end and the receiving end are configured with the same hash algorithm and hold the same shared key, and where the apparatus acts in the network system as the sending end or as the receiving end. The apparatus comprises a generation module, a transceiver module and a processing module; the generation module is connected to the transceiver module and to the processing module, and the transceiver module is connected to the processing module.
When the apparatus acts as the sending end:
the generation module generates the random number and the first authenticator;
the transceiver module sends the ARP request message, carrying the random number, to the receiving end, and receives from the receiving end the ARP response message, which carries the second authenticator that the receiving end generated from the random number;
the processing module decides, from the first authenticator and the second authenticator, whether to accept or reject the ARP response message.
When the apparatus acts as the receiving end:
the transceiver module receives the ARP request message from the sending end, carrying the random number generated by the sending end, and sends the ARP response message, carrying the second authenticator, to the sending end;
the generation module generates the second authenticator from the random number carried in the ARP request message.
The generation module is specifically used to:
when the apparatus acts as the sending end, generate the first authenticator from the random number, the shared key configured on the sending end, and the Sender IP in the ARP request message;
when the apparatus acts as the receiving end, generate the second authenticator from the random number carried in the ARP request message, the shared key configured on the receiving end, and the Sender IP in the ARP request message.
The transceiver module is specifically used to:
when the apparatus acts as the sending end, replace the target MAC address in the ARP request message with the random number and send the ARP request message to the receiving end;
when the apparatus acts as the receiving end, replace the target IP address in the ARP response message with the second authenticator and send the ARP response message to the sending end.
The processing module is specifically used to:
when the apparatus acts as the sending end, judge whether the first authenticator is identical to the second authenticator; if they are identical, accept the ARP response message; if they differ, reject the ARP response message.
Compared with the prior art, the invention has the following advantage: by introducing an authenticator mechanism into the ARP exchange in a wireless network, the correctness of the authenticator in a received ARP response is checked to verify the legitimacy of that response, thereby preventing ARP attacks in the wireless network.
Description of drawings
Fig. 1 is a schematic diagram of the ARP learning process in the prior art;
Fig. 2 is a schematic diagram of a wireless access network in the prior art;
Fig. 3 is a flow chart of the method for preventing ARP attacks proposed by the invention;
Fig. 4 is a schematic diagram of a specific application scenario proposed by the invention;
Fig. 5 is a flow chart of the method for preventing ARP attacks in that application scenario;
Fig. 6 is a structural diagram of the apparatus for preventing ARP attacks proposed by the invention.
Embodiment
In the invention, a first authenticator is generated at the sending end and a second authenticator at the receiving end. When an ARP response message is received from the receiving end, the sending end judges whether the second authenticator carried in that message is identical to the first authenticator it generated itself, and thereby judges whether the ARP response message is legitimate, which prevents ARP attacks in the wireless network.
Based on this idea, the invention provides a method for preventing ARP attacks, applied in a wireless network system comprising a sending end and a receiving end, where the sending end and the receiving end are configured with the same hash algorithm, hold the same shared key, and are connected over the wireless network. Before an ARP request is made, both parties to the ARP exchange (the sending end and the receiving end in the wireless network) must be confirmed to use the same hash algorithm (the algorithm used to generate the authenticator) and to be configured with the same shared key; ARP exchanges take place only between a sending end and a receiving end that use the same hash algorithm and hold the same shared key. In practice the hash algorithm can be chosen freely according to need, and the authenticator is the hash value obtained from that algorithm. For example, when the hash algorithm is MD5, the hash value computed over the shared key together with the other inputs serves as a message authentication code, i.e. the authenticator is then a message authentication code.
In this setting, as shown in Fig. 3, the method comprises the following steps:
Step 301: the sending end generates a random number and a first authenticator.
Specifically, before sending the ARP request, the sending end generates a random number locally (for example, a 48-bit random number) and at the same time generates the first authenticator (for example, a 32-bit authenticator). The inputs to the first authenticator are the random number, the shared key, and the Sender IP in the ARP request message.
Thus the sending end generates the first authenticator from the random number, the shared key configured on the sending end, and the Sender IP in the ARP request message.
Step 302: the sending end sends an ARP request message, carrying the random number, to the receiving end.
Specifically, after generating the random number locally, the sending end adds it to the ARP request message it sends; the random number can be placed in the Target MAC field of the ARP request message (in existing implementations the Target MAC field of a request is the all-zero MAC address). In practice the random number can also be placed elsewhere in the ARP request message; this is not described further here.
When the random number is placed in the Target MAC field, the random number replaces the target MAC address in the ARP request message.
Step 303: the receiving end generates a second authenticator from the random number carried in the ARP request message.
Specifically, after receiving the ARP request message, the receiving end generates a second authenticator (for example, a 32-bit authenticator). To distinguish the authenticator generated by the sending end from the one generated by the receiving end, the former is called the first authenticator and the latter the second authenticator.
When generating the second authenticator, the inputs are the random number in the ARP request message, the shared key, and the Sender IP in the ARP request message; that is, the receiving end generates the second authenticator from the random number carried in the ARP request message, the shared key configured on the receiving end, and the Sender IP in the ARP request message.
It follows that when the sending end and the receiving end are configured with the same shared key, the inputs used to generate the first authenticator are identical to those used to generate the second authenticator, and when both use the same hash algorithm, the first and second authenticators computed from these identical inputs are identical.
Step 304: the receiving end sends an ARP response message, carrying the second authenticator, to the sending end.
Specifically, after generating the second authenticator, the receiving end adds it to the ARP response message it sends; the second authenticator can be placed in the Target IP field of the ARP response message. In practice it can also be placed elsewhere in the ARP response message; this is not described further here.
When the second authenticator is placed in the Target IP field of the ARP response message, the second authenticator replaces the target IP address in the ARP response message.
Step 305: the sending end decides, from the first authenticator and the second authenticator, whether to accept or reject the ARP response message.
Specifically, after receiving the ARP response message, the sending end uses the first authenticator it generated itself and the second authenticator carried in the message to decide whether to accept or reject the message. The check is: the sending end judges whether the first authenticator is identical to the second authenticator; if they are identical, the sending end accepts the ARP response message; if they differ, it rejects the ARP response message.
As explained above, when the sending end and the receiving end are configured with the same shared key and use the same hash algorithm, the first and second authenticators are identical. Judging whether the two authenticators are identical therefore tells the sending end whether the receiving end holds the same shared key and uses the same hash algorithm, and hence whether the receiving end that produced the ARP response is legitimate; on that basis it accepts or rejects the ARP response message, securing the wireless network and preventing ARP attacks in it.
Note that on receiving an ARP response message the sending end must first look up the corresponding ARP request message, which it does by finding the request whose Target IP address equals the Sender IP in the ARP response message.
To describe the technical solution more clearly, it is explained in detail below in conjunction with a specific application scenario. The example is the ARP learning process shown in Fig. 4, which takes place between router A and router B, two different routers in the wireless network that are connected to each other over the wireless network; the authenticator-based ARP of this scheme is enabled on the interfaces of router A and router B.
In this application scenario, as shown in Fig. 5, the authenticator-based method for preventing ARP attacks comprises:
Step 501: the same shared key, "test", is configured on router A and router B, and both use the same hash algorithm to compute authenticators.
Step 502: router A cannot find the MAC address of router B in its ARP table, so router A generates a random number and broadcasts an ARP request message.
Specifically, when router A needs to communicate with router B, initially it cannot find router B's MAC address in its ARP table, so it generates a random number (for example, 181474976710655) and sends an ARP request message by broadcast.
In this ARP request message the Sender IP address and Sender MAC address are router A's IP and MAC addresses, the Target IP address is router B's IP address, and the Target MAC address is the random number 181474976710655.
Router A also computes a hash over the shared key "test", 181474976710655 (the random number it generated) and 192.168.1.1 (the Sender IP in the ARP request message) to produce the authenticator (for example, 3573563557).
Note that the authenticator is computed over the random number, the Sender IP in the ARP request message and the shared key together: the random number guarantees the randomness and uniqueness of the authenticator; the Sender IP in the ARP request message gives the authenticator identity information, namely who the sender is; and the shared key guarantees the secrecy of the authenticator.
The hash inputs can also be extended, for example with the Sender MAC address and the Target IP address; this is not described further here, and the description uses the random number, the Sender IP in the ARP request message and the shared key as the example.
In this step router A also creates an ARP request entry, an example of which is shown in Table 1. The entry includes, but is not limited to: Sender IP, Target IP, shared key, random number and authenticator.
Table 1

Sender IP     Target IP     Shared key   Random number     Authenticator
192.168.1.1   192.168.1.2   test         181474976710655   3573563557

Step 503: after router B receives the ARP request message, it compares its own IP address with the Target IP address in the message; if they are identical, it determines that it must respond to this ARP request message. Any other device that receives the ARP request message compares its own IP address with the Target IP address in the message and, as they differ, discards the message.
After receiving the ARP request message, router B also stores the Sender IP address and Sender MAC address from the message in its own ARP table.
Step 504: router B generates an authenticator from the random number in the ARP request message.
Specifically, once router B knows the random number carried in the ARP request message, it computes a hash over the shared key "test", 181474976710655 (the random number from the ARP request message) and 192.168.1.1 (the Sender IP in the ARP request message) to obtain the authenticator 3573563557.
Step 505: router B sends an ARP response message to router A by unicast. In this ARP response message the MAC address carried is router B's own MAC address, and the Target IP field carries the computed authenticator 3573563557.
Step 506: after router A receives the ARP response message, it looks up the corresponding ARP request message among its ARP request entries.
Specifically, router A checks whether the Target IP in an ARP request entry is identical to the Sender IP in the ARP response message; if a matching record is found (Target IP identical to Sender IP), the subsequent steps are carried out.
Step 507: router A judges whether the authenticator in the ARP response message is identical to its own authenticator. If they are identical, step 508 is executed; otherwise, step 509 is executed.
Step 508: router A accepts the ARP response message and adds the MAC address carried in it, which is router B's MAC address, to its own ARP table for forwarding subsequent packets.
Step 509: router A rejects the ARP response message, and this ARP learning attempt fails.
The steps of the invention can be adjusted according to actual needs.
Through the above steps, ARP spoofing attacks in the wireless network can be avoided by means of the authenticator. Taking the wireless access network of Fig. 2 as an example: router A acts as the AP and provides access to the wide area network; terminal C connects to router A as a client, and router B also connects to router A as a client (functioning like a terminal), terminal C and router B being in the same local area network; terminals A and B are connected to router B by wire.
In this scenario, after terminal C receives the ARP request broadcast by router A, it sends an ARP response to that request even though the Target IP address of the request does not match terminal C's own IP address, claiming that the MAC address of the host with IP address 192.168.1.2 is some wrong MAC address. Router A, on receiving terminal C's ARP response, compares the authenticators, finds that the values do not match, and discards the response, thereby preventing the ARP spoofing attack.
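The exchange of steps 301-305 and the router A / router B / terminal C scenario of steps 501-509 above, as an added example that is not code from the patent or from H3C. It packs the 28-byte Ethernet/IPv4 ARP payload, places the 48-bit random number in the Target MAC field of the request and the 32-bit authenticator in the Target IP field of the reply, keeps the pending-request table of Table 1, and puts the prior-art handler (which learns any reply, as in Fig. 1 step 4) beside the authenticator check. Assumptions: the patent leaves the hash algorithm unspecified (it mentions MD5 as one option), so the example uses HMAC-SHA256 truncated to 32 bits rather than a bare hash over the concatenated inputs; the MAC addresses are made up; the shared key is the string "test" from Table 1; terminal C does not hold the shared key.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

# ARP payload for Ethernet/IPv4 (RFC 826, 28 bytes):
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed hosts for the Fig. 4 / Fig. 2 scenario; the MAC addresses are made up.
ROUTER_A = (bytes.fromhex("001122334401"), "192.168.1.1")
ROUTER_B = (bytes.fromhex("001122334402"), "192.168.1.2")
ATTACKER_BOGUS_MAC = bytes.fromhex("deadbeef0001")  # the wrong MAC terminal C advertises
SHARED_KEY = b"test"                                 # shared key "test" from Table 1


def pack_arp(oper, sha, spa, tha, tpa):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


def unpack_arp(data):
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data)
    return {"oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def authenticator(key, nonce, sender_ip):
    """32-bit authenticator over (random number, shared key, Sender IP).
    Assumption: HMAC-SHA256 truncated to 4 bytes; the patent does not fix the hash."""
    return hmac.new(key, nonce + sender_ip, hashlib.sha256).digest()[:4]


def build_request(sender, target_ip, pending, nonce=None):
    """Steps 301/302 and 502: the 48-bit random number goes in the Target MAC field;
    the expected authenticator is recorded in the pending-request table (Table 1)."""
    mac, ip = sender[0], IPv4Address(sender[1]).packed
    nonce = nonce or os.urandom(6)
    tpa = IPv4Address(target_ip).packed
    pending[tpa] = (nonce, authenticator(SHARED_KEY, nonce, ip))
    return pack_arp(ARP_REQUEST, mac, ip, nonce, tpa)


def honest_reply(responder, request):
    """Steps 503-505: answer only if Target IP is ours; recompute the authenticator from
    the request's random number and Sender IP and carry it in the Target IP field."""
    r = unpack_arp(request)
    mac, ip = responder[0], IPv4Address(responder[1]).packed
    if r["oper"] != ARP_REQUEST or r["tpa"] != ip:
        return None
    auth = authenticator(SHARED_KEY, r["tha"], r["spa"])
    return pack_arp(ARP_REPLY, mac, ip, r["sha"], auth)


def forged_reply(request, claimed_ip):
    """Terminal C: not the addressed host and without the shared key, it spoofs the claimed
    IP with a bogus MAC; lacking the key it fills Target IP as a plain ARP reply would."""
    r = unpack_arp(request)
    claimed = IPv4Address(claimed_ip).packed
    return pack_arp(ARP_REPLY, ATTACKER_BOGUS_MAC, claimed, r["sha"], r["spa"])


def legacy_accept(reply, arp_table):
    """Prior-art behaviour (Fig. 1, step 4): whatever the reply says is learned."""
    r = unpack_arp(reply)
    arp_table[r["spa"]] = r["sha"]
    return True


def verified_accept(reply, pending, arp_table):
    """Steps 506-509: find the pending request whose Target IP equals the reply's Sender IP,
    then accept only if the carried authenticator equals the expected one."""
    r = unpack_arp(reply)
    if r["oper"] != ARP_REPLY or r["spa"] not in pending:
        return False
    _, expected = pending[r["spa"]]
    if not hmac.compare_digest(r["tpa"], expected):
        return False                      # step 509: reject, this ARP learning fails
    del pending[r["spa"]]                 # request answered; a late duplicate is rejected
    arp_table[r["spa"]] = r["sha"]        # step 508: learn the responder's MAC
    return True


def run_scenario(nonce=None):
    """Router A resolves router B while terminal C also answers. Returns
    (MAC the prior-art handler learned, verified result for the forged reply,
     verified result for the honest reply, MAC the verified handler learned)."""
    pending, legacy_table, verified_table = {}, {}, {}
    req = build_request(ROUTER_A, ROUTER_B[1], pending, nonce)
    fake = forged_reply(req, ROUTER_B[1])
    good = honest_reply(ROUTER_B, req)
    legacy_accept(fake, legacy_table)      # prior art: router A's table is poisoned
    fake_ok = verified_accept(fake, pending, verified_table)
    good_ok = verified_accept(good, pending, verified_table)
    b_ip = IPv4Address(ROUTER_B[1]).packed
    return legacy_table[b_ip], fake_ok, good_ok, verified_table.get(b_ip)


if __name__ == "__main__":
    print(run_scenario())
```

Running the file prints the four results of run_scenario(): the prior-art handler learns the bogus MAC, the verified handler rejects terminal C's reply and accepts router B's. Two points the code makes visible that the description only implies: the pending entry is removed once a reply is accepted, so a late or replayed reply for the same request is rejected; and, as the page specifies, the authenticator covers only the random number, the shared key and the Sender IP, not the MAC carried in the reply, so a match proves that the responder holds the shared key, not that the MAC it reports belongs to the claimed IP. Any station holding the key can still answer with an arbitrary MAC; including the responder's MAC in the hash input (this editor's suggestion, not something the page proposes) would bind the reply to it.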
Based on the same inventive concept as the above method, the invention also proposes an authenticator-based device for preventing ARP attacks, applied in a wireless network system comprising a transmitting end and a receiving end, where the same hash algorithm is configured and the same shared key is held on the transmitting end and the receiving end. The device serves as the transmitting end or the receiving end in the network system. As shown in Figure 6, the device further comprises a generation module 10, a transceiver module 20 and a processing module 30; the generation module 10 is connected to the transceiver module 20 and to the processing module 30 respectively, and the transceiver module 20 is connected to the processing module 30, wherein:
When the device serves as the transmitting end,
the generation module 10 is used to generate the random number and the first authenticator. In generating the first authenticator, the generation module 10 is specifically used to generate the first authenticator from the random number, the shared key configured on the transmitting end, and the Sender IP in the ARP request message.
The transceiver module 20 is used to send the ARP request message to the receiving end, the ARP request message carrying the random number, and to receive the ARP response message from the receiving end, the ARP response message carrying the second authenticator that the receiving end generated from the random number. In sending the ARP request message to the receiving end, the transceiver module 20 is specifically used to replace the destination media access control (MAC) address in the ARP request message with the random number and to send the ARP request message to the receiving end.
The processing module 30 is used to determine, from the first authenticator and the second authenticator, whether to accept the ARP response message or to reject the ARP response message. Specifically, the processing module 30 is used to judge whether the first authenticator is identical to the second authenticator; if the two are identical, it determines to accept the ARP response message; if the two differ, it determines to reject the ARP response message.
When the device serves as the receiving end,
the transceiver module 20 is used to receive the ARP request message from the transmitting end, the ARP request message carrying the random number generated by the transmitting end, and to send the ARP response message to the transmitting end, the ARP response message carrying the second authenticator. In sending the ARP response message to the transmitting end, the transceiver module 20 is specifically used to replace the target IP address in the ARP response message with the second authenticator and to send the ARP response message to the transmitting end.
The generation module 10 is used to generate the second authenticator from the random number carried in the ARP request message. In generating the second authenticator, the generation module 10 is specifically used to generate the second authenticator from the random number carried in the ARP request message, the shared key configured on the receiving end, and the Sender IP in the ARP request message.
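As an added example that is not part of the patent, the exchange of steps 501 through 509 and the transmitting-end and receiving-end modules above, modelled in Python: the random number replaces the target MAC of the request, the receiving end returns its authenticator in the target-IP field of the response, and the transmitting end matches the response by Sender IP and compares authenticators. The hash (SHA-256 of the concatenation, truncated to 4 bytes), the addresses, the key and the keyless reply from terminal C are constructed assumptions.

```python
import hashlib
import os
from dataclasses import dataclass, field
from socket import inet_aton

ARP_REQUEST, ARP_REPLY = 1, 2

@dataclass
class ArpPacket:  # only the ARP fields the scheme touches; link-layer framing is omitted
    op: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes  # in the request this field carries the 6-byte random number
    target_ip: bytes   # in the response this field carries the 4-byte second authenticator

def verification_word(nonce: bytes, shared_key: bytes, sender_ip: bytes) -> bytes:
    """Authenticator over (random number, shared key, Sender IP). Assumed: SHA-256 of the
    concatenation, truncated to 4 bytes so it fits the target-IP field of the response."""
    return hashlib.sha256(nonce + shared_key + sender_ip).digest()[:4]

@dataclass
class Sender:
    """Transmitting end (router A in the Figure 2 scenario)."""
    mac: bytes
    ip: bytes
    shared_key: bytes
    pending: dict = field(default_factory=dict)    # request target IP -> (nonce, first authenticator)
    arp_table: dict = field(default_factory=dict)  # IP -> learned MAC

    def build_request(self, target_ip: bytes) -> ArpPacket:
        nonce = os.urandom(6)  # steps 501-502: random number and first authenticator; nonce fills target MAC
        self.pending[target_ip] = (nonce, verification_word(nonce, self.shared_key, self.ip))
        return ArpPacket(ARP_REQUEST, self.mac, self.ip, nonce, target_ip)

    def handle_reply(self, reply: ArpPacket) -> bool:
        """Steps 506-509: match the response to a request by its Sender IP, compare words, learn or drop."""
        entry = self.pending.get(reply.sender_ip)
        if entry is None or reply.target_ip != entry[1]:
            return False  # step 509: no matching request, or second authenticator != first: reject
        self.pending.pop(reply.sender_ip)  # assumption: one response per request, so a replayed response is rejected
        self.arp_table[reply.sender_ip] = reply.sender_mac  # step 508: learn the MAC of the target (router B)
        return True

@dataclass
class Receiver:  # receiving end holding the same shared key (router B)
    mac: bytes
    ip: bytes
    shared_key: bytes

    def answer(self, req: ArpPacket):
        if req.op != ARP_REQUEST or req.target_ip != self.ip:
            return None  # step 503: the request is not for this host, stay silent
        second = verification_word(req.target_mac, self.shared_key, req.sender_ip)  # step 504
        return ArpPacket(ARP_REPLY, self.mac, self.ip, req.sender_mac, second)  # step 505: word in target IP

def run_scenario() -> dict:
    """Constructed scenario: router A resolves router B (192.168.1.2) while terminal C, which holds
    no shared key, also answers for that IP with its own MAC, as in the description above."""
    key = b"constructed-shared-key"
    router_a = Sender(b"\xaa" * 6, inet_aton("192.168.1.1"), key)
    router_b = Receiver(b"\xbb" * 6, inet_aton("192.168.1.2"), key)
    req = router_a.build_request(router_b.ip)
    # Terminal C cannot compute the word; its response simply carries the request's target IP.
    rogue = ArpPacket(ARP_REPLY, b"\xcc" * 6, router_b.ip, router_a.mac, req.target_ip)
    genuine = router_b.answer(req)
    return {"rogue_accepted": router_a.handle_reply(rogue),
            "genuine_accepted": router_a.handle_reply(genuine),
            "replay_accepted": router_a.handle_reply(genuine),
            "learned_mac": router_a.arp_table.get(router_b.ip)}
```

Because the response's target-IP field is only 4 bytes, a guessed authenticator still has a one in 2^32 chance per response of matching; the 6-byte random number is fresh per request, so a captured response cannot be reused against a later request.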
The modules of the device of the invention may be integrated into one unit or deployed separately. The above modules may be merged into a single module or further split into a plurality of sub-modules.
From the above description of the embodiments, those skilled in the art will clearly understand that the invention can be implemented in hardware, or in software together with the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the invention can be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash disk, a portable hard drive, etc.) and comprises a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment of the invention.
Those skilled in the art will appreciate that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required for implementing the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be distributed in the device of the embodiment as described, or may be correspondingly changed and arranged in one or more devices different from the present embodiment. The modules of the above embodiment may be merged into a single module or further split into a plurality of sub-modules.
The sequence numbers of the above embodiments of the invention are for description only and do not indicate the merit of the embodiments.
What is disclosed above are only several specific embodiments of the invention; however, the invention is not limited thereto, and any variation that a person skilled in the art can conceive should fall within the scope of protection of the invention.

Claims (10)

1. A method for preventing ARP attacks, applied in a wireless network system comprising a transmitting end and a receiving end, the transmitting end and the receiving end being configured with the same hash algorithm and holding the same shared key, characterized in that the method comprises the following steps:
the transmitting end generates a random number and a first authenticator, and sends an ARP request message to the receiving end, the ARP request message carrying the random number;
the receiving end generates a second authenticator from the random number carried in the ARP request message, and sends an ARP response message to the transmitting end, the ARP response message carrying the second authenticator;
the transmitting end determines, from the first authenticator and the second authenticator, whether to accept the ARP response message or to reject the ARP response message.
2. the method for claim 1 is characterized in that,
Described transmitting terminal generates first authenticator, specifically comprises: described transmitting terminal generates described first authenticator according to the Sender IP in shared key that disposes on described random number, the described transmitting terminal and the described ARP request message;
Described receiving terminal generates second authenticator according to the described random number of carrying in the described ARP request message, specifically comprises: described receiving terminal generates described second authenticator according to the Sender IP in shared key that disposes on the described random number of carrying in the described ARP request message, the described receiving terminal and the described ARP request message.
3. the method for claim 1 is characterized in that, described transmitting terminal sends the ARP request message to described receiving terminal, specifically comprises:
Described transmitting terminal is replaced destination media access control MAC addresses in the described ARP request message with described random number, and described ARP request message is sent to described receiving terminal.
4. the method for claim 1 is characterized in that, described receiving terminal sends the arp response message to described transmitting terminal, specifically comprises:
Described receiving terminal is replaced target ip address in the described arp response message with described second authenticator, and described arp response message is sent to described transmitting terminal.
5. the method for claim 1 is characterized in that, described transmitting terminal is determined to accept described arp response message or refuse described arp response message according to described first authenticator and described second authenticator, specifically comprises:
Described transmitting terminal judges whether described first authenticator is identical with described second authenticator; If the two is identical, then described transmitting terminal determines to accept described arp response message; If the two difference, then described transmitting terminal are determined the described arp response message of refusal.
6. A device for preventing ARP attacks, applied in a wireless network system comprising a transmitting end and a receiving end, the transmitting end and the receiving end being configured with the same hash algorithm and holding the same shared key, characterized in that the device serves as the transmitting end or the receiving end in the network system and further comprises a generation module, a transceiver module and a processing module, the generation module being connected to the transceiver module and to the processing module respectively, and the transceiver module being connected to the processing module, wherein:
when the device serves as the transmitting end,
the generation module is used to generate a random number and a first authenticator;
the transceiver module is used to send an ARP request message to the receiving end, the ARP request message carrying the random number, and to receive an ARP response message from the receiving end, the ARP response message carrying a second authenticator generated by the receiving end from the random number;
the processing module is used to determine, from the first authenticator and the second authenticator, whether to accept the ARP response message or to reject the ARP response message;
when the device serves as the receiving end,
the transceiver module is used to receive an ARP request message from the transmitting end, the ARP request message carrying a random number generated by the transmitting end, and to send an ARP response message to the transmitting end, the ARP response message carrying a second authenticator;
the generation module is used to generate the second authenticator from the random number carried in the ARP request message.
7. The device according to claim 6, characterized in that the generation module is specifically used to:
when the device serves as the transmitting end, generate the first authenticator from the random number, the shared key configured on the transmitting end and the Sender IP in the ARP request message;
when the device serves as the receiving end, generate the second authenticator from the random number carried in the ARP request message, the shared key configured on the receiving end and the Sender IP in the ARP request message.
8. The device according to claim 6, characterized in that the transceiver module is specifically used to:
when the device serves as the transmitting end, replace the destination media access control (MAC) address in the ARP request message with the random number, and send the ARP request message to the receiving end.
9. The device according to claim 6, characterized in that the transceiver module is specifically used to:
when the device serves as the receiving end, replace the target IP address in the ARP response message with the second authenticator, and send the ARP response message to the transmitting end.
10. The device according to claim 6, characterized in that the processing module is specifically used to:
when the device serves as the transmitting end, judge whether the first authenticator is identical to the second authenticator; if the two are identical, determine to accept the ARP response message; if the two differ, determine to reject the ARP response message.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010132209 CN101808097B (en) 2010-03-25 2010-03-25 Method and equipment for preventing ARP attack
Publications (2)

Publication Number Publication Date
CN101808097A true CN101808097A (en) 2010-08-18
CN101808097B CN101808097B (en) 2013-07-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
Patentee after: Xinhua three Technology Co., Ltd.
Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base
Patentee before: Huasan Communication Technology Co., Ltd.
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20130710
Termination date: 20200325