Embodiment
The anti-attack method based on the thin AP architecture according to embodiments of the invention is described in detail below with reference to the accompanying drawings. Throughout the drawings, the same reference numerals denote the same or similar parts. For clarity and conciseness, detailed descriptions of known functions and structures may be omitted so as not to obscure the subject matter of the invention.
Fig. 1 is a schematic diagram of the structural model of a wireless controller (AC) according to an embodiment of the invention. In general, an AC according to the invention may be based on either a switch architecture or a router architecture. As shown in Fig. 1, a switch-based AC comprises five layers, from top to bottom: the application layer, the OS protocol stack layer, the driver layer, the packet-receiving interrupt layer and the switch chip layer. Packets are passed upward layer by layer from the bottom. In an embedded system, the application layer may be merged into the OS protocol stack. A router-based AC differs from a switch-based AC only in lacking the bottom switch chip layer.
For the processing of a particular protocol, the structure of the AC can be reduced to the schematic shown in Fig. 2. As shown in Fig. 2, a switch-based AC comprises a protocol processing unit, a protocol anti-attack unit and a hardware access control list (ACL) unit. The function of the hardware ACL unit is performed by the switch chip. The protocol anti-attack unit (hereinafter simply the anti-attack unit) is implemented in the packet-receiving interrupt layer, and the protocol processing unit is implemented in the application layer or the OS protocol stack layer. Compared with a switch-based AC, a router-based AC may lack the hardware ACL unit. In the invention, the WLAN may be networked in two models, the unit model and the cluster model, and each model may be built on either the switch-based or the router-based architecture. The anti-attack systems for the unit model on a switch and on a router, and for the cluster model on a switch and on a router, are described in turn below.
Fig. 3 is a schematic diagram of an anti-attack system based on the router architecture according to an embodiment of the invention, together with its operating steps. The system of Fig. 3 comprises an AP and an AC. In the following description the AP and the AC communicate using the CAPWAP protocol. Although the invention is described with CAPWAP as the example, those skilled in the art will appreciate that it applies equally to AP/AC architectures that communicate using other wireless control protocols.
As shown in Fig. 3, the AC according to this embodiment comprises a protocol processing unit and an anti-attack unit. The protocol processing unit handles the data exchanged with the AP according to the CAPWAP protocol. The anti-attack unit verifies the legitimacy of the AP by a challenge mechanism, maintains an anti-attack table that records the legitimacy state of each AP, and passes only the communication requests of legitimate APs up to the protocol processing unit. That is, a registration request from an AP is passed up to the protocol processing unit for protocol handling only after it has passed the check of the anti-attack unit. The operation of the router-based anti-attack system according to this embodiment is described in detail below.
First, in step 110, the AP sends a CAPWAP Discovery Request to the AC to initiate registration.
Next, in step 120, the anti-attack unit of the AC uses the challenge mechanism to verify the legitimacy of this Discovery Request and updates the anti-attack table. The challenge mechanism and the anti-attack table according to this embodiment are described in detail below.
The anti-attack unit keeps an anti-attack table (Table A), which is initially empty. Each entry holds the requester's IP address, the requester's challenge and the authentication state. The requester IP is the source IP address from which the CAPWAP Discovery Request was sent to the AC. In this embodiment the requester challenge is a random number, which must not be predictable by the requester, that the AC assigns to the requester; those skilled in the art will understand that other challenge mechanisms may be used to verify the requester. The authentication state indicates the requester's state and takes one of the values "unverified", "authenticating" and "authenticated".
Table A

Requester IP address | Requester challenge | Authentication state
(initially empty) | |
After receiving a CAPWAP Discovery Request, the anti-attack unit checks whether the request carries a challenge, i.e. the random number. If it does not, the anti-attack unit looks up Table A by the request's source IP address. If no entry for that source IP is found, it creates one, sets its authentication state to "unverified" and starts a timeout (for example, 3 seconds). The anti-attack unit generates a random number as the challenge and, in step 130, replies to the requesting AP with a CAPWAP Discovery Response containing that random number. If the AP has not resent a Discovery Request carrying the challenge when the timeout expires, that is, the entry's state has not changed to "authenticating", the anti-attack unit deletes the entry. If the anti-attack unit does find an entry for the request's source IP address, it proceeds as follows:
(1) If the entry is in state "unverified" or "authenticating", the anti-attack unit, according to policy, either drops the Discovery Request or passes it up to the protocol processing unit. Since an entry for this source IP already exists, this IP address has already sent a request; the new one may be a retransmission by an AP whose earlier request timed out, or it may come from an attacker masquerading as the AP. The administrator's policy therefore chooses between dropping it and passing it up.
(2) If the entry is in state "authenticated", the anti-attack unit drops the Discovery Request (the AP with this source IP has already been authenticated, so the request can be considered illegitimate).
If the anti-attack unit finds that the Discovery Request does carry a challenge, it looks up Table A by the requester's source IP. If the anti-attack table has no entry for that IP, the anti-attack unit drops the Discovery Request. If an entry for the source IP is found in Table A, the anti-attack unit performs the operation given in the table below.
Table B

Entry state | Challenge check | Action
unverified | matches | pass the request up to the protocol processing unit; set state to "authenticating"; start a timeout (e.g., 30 seconds)
unverified | does not match | drop the Discovery Request
authenticating | not checked | drop the Discovery Request
authenticated | not checked | drop the Discovery Request
As the table shows, when the entry is in state "unverified" the anti-attack unit checks whether the challenge matches. If it matches, processing proceeds to step 150: the anti-attack unit passes the Discovery Request up to the protocol processing unit, changes the authentication state to "authenticating" and starts a timeout (for example, 30 seconds). If the protocol processing unit has not notified the anti-attack unit that communication with the AP has been established when this timeout expires, that is, the state has not become "authenticated", the protocol processing unit tells the anti-attack unit to delete the entry. If the challenge does not match, the Discovery Request is dropped. When the entry is not in state "unverified" (i.e. it is "authenticating" or "authenticated"), the anti-attack unit does not check the challenge and simply drops the Discovery Request.
Through the above processing, the AC can withstand a DoS attack in which an attacker sends CAPWAP Discovery Requests with a spoofed AP address. The challenge is returned only to the claimed source IP, so an attacker that cannot receive traffic at the address it spoofs never learns the challenge and never gets a request past the anti-attack unit; the cost to the AC of an unverified request is one table entry that expires after the short timeout.
Next, after the AP receives the Discovery Response carrying the challenge, it parses the response, extracts the random number, and in step 140 resends the CAPWAP Discovery Request to the AC with that random number included.
Then the anti-attack unit repeats the verification of step 120 and, in step 150, delivers the Discovery Request that has passed the challenge check to the protocol processing unit.
After receiving the Discovery Request, the protocol processing unit of the AC carries out the normal protocol exchange with the AP according to the CAPWAP protocol (RFC 5415). Once the AP enters the Run state, in step 160 the protocol processing unit instructs the anti-attack unit to change the authentication state of the AP's entry in the anti-attack table to "authenticated".
Finally, if the AC detects that the AP has gone offline abnormally, or after the AC has instructed the AP to reboot, in step 170 the protocol processing unit instructs the anti-attack unit to delete the AP's entry from the anti-attack table.
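The anti-attack table and the Table A / Table B decisions of steps 110 to 170, simulated as an added example in Python. This is illustrative code written for this page, not the patent's implementation. The message representation (a dict with a "src_ip" and an optional "challenge"), the injectable clock, the 16-hex-digit challenge and the addresses in the scenario are assumptions of the example; the state names and the 3 s / 30 s timeouts follow the description above. The same checks are reused unchanged by the switch-based and cluster variants described later, only the destination of a passed-up request differs.

```python
# Added example (not code from the patent): anti-attack table (Table A) and the
# Discovery Request handling of Table B. Message format, clock and challenge size
# are assumptions of this example.
import secrets

UNVERIFIED, AUTHENTICATING, AUTHENTICATED = "unverified", "authenticating", "authenticated"
UNVERIFIED_TIMEOUT = 3.0       # seconds to come back with the challenge (page example: 3 s)
AUTHENTICATING_TIMEOUT = 30.0  # seconds to finish CAPWAP registration (page example: 30 s)


class AntiAttackUnit:
    def __init__(self, clock, drop_repeat=True):
        self.clock = clock               # callable returning the current time in seconds
        self.table = {}                  # Table A: src_ip -> {"challenge", "state", "expires"}
        self.drop_repeat = drop_repeat   # administrator policy for case (1): drop or pass up
        self.passed_up = []              # requests handed to the protocol processing unit

    def _expire(self):
        """Delete entries whose 3 s / 30 s timeout elapsed without a state change."""
        now = self.clock()
        for ip in [ip for ip, e in self.table.items()
                   if e["expires"] is not None and now > e["expires"]]:
            del self.table[ip]

    def on_discovery_request(self, req):
        """Step 120: returns 'drop', 'pass_up' or ('response', challenge)."""
        self._expire()
        ip, chal = req["src_ip"], req.get("challenge")
        entry = self.table.get(ip)
        if chal is None:                                # no challenge carried
            if entry is None:                           # first request from this IP
                new = secrets.token_hex(8)
                self.table[ip] = {"challenge": new, "state": UNVERIFIED,
                                  "expires": self.clock() + UNVERIFIED_TIMEOUT}
                return ("response", new)                # step 130
            if entry["state"] == AUTHENTICATED:         # case (2): already authenticated
                return "drop"
            if self.drop_repeat:                        # case (1): retransmission or spoof
                return "drop"
            self.passed_up.append(req)
            return "pass_up"
        # challenge carried: Table B
        if entry is None or entry["state"] != UNVERIFIED:
            return "drop"
        if not secrets.compare_digest(entry["challenge"].encode(), str(chal).encode()):
            return "drop"
        entry["state"] = AUTHENTICATING
        entry["expires"] = self.clock() + AUTHENTICATING_TIMEOUT
        self.passed_up.append(req)
        return "pass_up"                                # step 150

    def on_ap_run(self, ip):
        """Step 160: the protocol processing unit reports that the AP reached Run state."""
        entry = self.table.get(ip)
        if entry is not None and entry["state"] == AUTHENTICATING:
            entry["state"], entry["expires"] = AUTHENTICATED, None

    def on_ap_offline(self, ip):
        """Step 170: the AP went offline abnormally or was told to reboot."""
        self.table.pop(ip, None)


def run_scenario():
    """Constructed scenario: an attacker floods spoofed Discovery Requests and also
    spoofs the real AP's address; the real AP at 10.0.0.5 completes steps 110-160."""
    now = [0.0]
    unit = AntiAttackUnit(clock=lambda: now[0])
    # 100 spoofed sources: each is offered a challenge it never sees; none is passed up
    spoof = [unit.on_discovery_request({"src_ip": "203.0.113.%d" % i}) for i in range(1, 101)]
    # attacker pre-spoofs the real AP's address, then guesses its challenge
    unit.on_discovery_request({"src_ip": "10.0.0.5"})
    guess = unit.on_discovery_request({"src_ip": "10.0.0.5", "challenge": "0" * 16})
    # the real AP's first request hits the attacker's entry: dropped under the strict policy
    now[0] = 0.5
    legit_first = unit.on_discovery_request({"src_ip": "10.0.0.5"})
    # after the 3 s timeout the stale entry is gone and the AP's retransmission gets a challenge
    now[0] = 4.0
    _, chal = unit.on_discovery_request({"src_ip": "10.0.0.5"})
    now[0] = 5.0
    legit_second = unit.on_discovery_request({"src_ip": "10.0.0.5", "challenge": chal})
    unit.on_ap_run("10.0.0.5")
    replay = unit.on_discovery_request({"src_ip": "10.0.0.5", "challenge": chal})
    return {"spoof_passed_up": sum(1 for r in spoof if r == "pass_up"),
            "guess": guess, "legit_first": legit_first, "legit_second": legit_second,
            "replay": replay, "passed_up": len(unit.passed_up),
            "table_size": len(unit.table), "state": unit.table["10.0.0.5"]["state"]}


if __name__ == "__main__":
    print(run_scenario())
```

The scenario also shows the trade-off behind policy case (1): with the strict drop policy an attacker who pre-spoofs a real AP's address delays that AP by one unverified timeout but cannot block it, whereas the lenient pass-up policy lets unverified repeats reach the protocol processing unit.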
Fig. 4 is a schematic diagram of a switch-based anti-attack system according to an embodiment of the invention, together with its operating steps.
Unlike the WLAN structure of Fig. 3, the thin-AP WLAN of Fig. 4 comprises an AP, a DHCP server and an AC. In addition to the protocol processing unit and the anti-attack unit of Fig. 3, the AC comprises a hardware ACL unit. The hardware ACL unit obtains the IP addresses of legitimate APs from the DHCP server and allows only legitimate APs to initiate registration requests. The DHCP server may reside on the same physical entity as the AC. In the address pool concerned, the DHCP server is configured with an AC address mapping table as shown in Table C, keyed by the DHCP option 60 information. In general an AP and its AC come from the same vendor, and a vendor's AC manages only that vendor's APs. With the AC address mapping table of Table C, once an AP of a given vendor has successfully obtained an address from the DHCP server, the DHCP server can notify the AC of the same vendor of the successful address assignment.
Table C

DHCP option 60 information | AC address list
DHCP option 60 information 1 | AC address list 1
DHCP option 60 information 2 | AC address list 2
...... | ......
DHCP option 60 information n | AC address list n
Under normal conditions, the protocol processing unit of the AC issues an ACL to the hardware ACL unit instructing it to drop CAPWAP Discovery Request packets. The purpose is to ensure that the AC receives Discovery Requests only from predetermined source addresses, so that it can withstand an attack in which the attacker keeps changing the source address. The switch-based anti-attack system of Fig. 4 and its operation are described in detail below.
First, in step 210, the AP sends a DHCP Discover to the DHCP server. This request carries DHCP option 60. According to RFC 2132 section 9.13, option 60 (the vendor class identifier) may be used by a DHCP client to identify the vendor and configuration of the client.
After receiving the DHCP Discover, in step 215 the DHCP server replies to the AP with a DHCP Offer.
After receiving the DHCP Offer, in step 220 the AP sends a DHCP Request to the DHCP server asking it to assign an IP address. This request carries DHCP option 60 with the same content as the option 60 carried in the DHCP Discover of step 210.
After receiving the DHCP Request, the DHCP server parses the option 60 information and uses it to look up the AC address mapping table. If an AC address list corresponding to the option 60 value is found, the server encapsulates that list in DHCP option 43 in a private format, assigns an IP address (denoted AP-IP) to the AP, sends a DHCP ACK to the AP in step 225 and proceeds to step 230. If none is found, it assigns an IP address without including option 43, sends the DHCP ACK in step 225, and processing proceeds to step 240.
In step 230, the DHCP server sends a notification of the AP's successful address acquisition to each AC in the AC address list; the notification contains the AP's MAC address and IP address. The invention does not restrict the notification mechanism. For example, if the DHCP server and the AC are on one physical entity, the notification may be a function call or interprocess communication; if they are on different physical entities, it may be a remote procedure call (RPC), a custom protocol, and so on.
In step 235, after the protocol processing unit of the AC receives the notification from the DHCP server, it issues an ACL to the hardware ACL unit allowing reception of CAPWAP Discovery Request packets whose source address is AP-IP.
In step 240, the AP sends a CAPWAP Discovery Request to the AC. Note that the AP may obtain the AC address by parsing DHCP option 43 from the ACK of step 225, or by other means; this is not restricted here. In step 245, the hardware ACL unit checks the Discovery Request and, if its source IP address and MAC address match the IP and MAC addresses notified by the DHCP server in step 230, delivers it to the anti-attack unit.
Through the above processing, the AC allows only APs whose IP addresses it has learned as legitimate from the DHCP server to initiate registration requests. That is, only Discovery Requests from such APs are received, and Discovery Requests from any other source address are dropped, so the AC can withstand a CAPWAP Discovery Request DoS attack in which the attacker varies the source address. Note that this filter trusts the DHCP server and the option 60 value presented to it; it binds a request to the (IP, MAC) pair the DHCP server handed out, and the challenge exchange that follows is what verifies that the requester actually holds that address.
Next, the anti-attack unit verifies the AP further, with processing similar to that of Fig. 3. It verifies the legitimacy of the AP by carrying out the challenge mechanism with the AP, passes up to the protocol processing unit only the Discovery Requests of APs that pass the check, and updates the anti-attack table according to the verification result for the wireless access point. The difference from Fig. 3 is that every Discovery Request must also pass the check of the hardware ACL unit.
Specifically, in step 250, the anti-attack unit determines whether to drop the Discovery Request according to the AP's authentication state and whether the challenge carried in the request matches the challenge in the anti-attack table, and updates the table. If the request carries no challenge, then in step 255 the anti-attack unit decides, according to whether the anti-attack table holds an entry for the request's source IP address and the state of that entry, either to drop the request or to reply to the requesting AP with a Discovery Response containing the assigned challenge.
Then, in step 260, after the AP receives the Discovery Response carrying the challenge, it parses the response, extracts the challenge, and resends the Discovery Request carrying the challenge to the AC.
Then, in step 265, the hardware ACL unit checks the Discovery Request again and delivers it to the anti-attack unit.
In step 270, the anti-attack unit repeats step 250 and passes the Discovery Request that has passed verification up to the protocol processing unit.
After receiving the Discovery Request, the protocol processing unit of the AC carries out the normal protocol exchange with the AP according to the CAPWAP protocol (RFC 5415). The subsequent processing steps 275 and 280 are identical to steps 160 and 170 of the embodiment of Fig. 3 and are not described again.
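The DHCP-driven part of the switch-based flow (steps 220 to 245), as an added example in Python; this is illustrative code for this page, not the patent's or any vendor's implementation. It parses the RFC 2132 option field of a constructed DHCP Request, looks up option 60 in an AC address mapping table like Table C, notifies each listed AC, and lets that AC's hardware ACL unit admit a Discovery Request only from the notified (IP, MAC) pair. Assumptions: option 43 is encoded here as a comma-separated ASCII list of AC addresses, a stand-in for the private format the page does not specify; the notification is a direct callback, as when the DHCP server and AC share one physical entity; all addresses and the vendor string "VendorX-AP" are constructed. The cluster model of Fig. 5 uses the same mechanism with the anti-attack AC's addresses in the mapping table.

```python
# Added example (not the patent's code): DHCP option 60 lookup in Table C, option 43
# reply, AC notification and the hardware ACL check of (source IP, source MAC).
# Option 43 encoding, the callback-style notification and all addresses are assumptions.

OPT_PAD, OPT_VENDOR_SPECIFIC, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_END = 0, 43, 53, 60, 255


def parse_dhcp_options(raw):
    """Parse the RFC 2132 option field into {code: value}; PAD is skipped, END stops parsing."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:          # length byte claims more than is present
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def build_options(items):
    """Encode [(code, value), ...] as TLVs followed by END; used to construct sample packets."""
    out = bytearray()
    for code, value in items:
        out += bytes([code, len(value)]) + value
    return bytes(out + bytes([OPT_END]))


class DhcpServer:
    def __init__(self, ac_map, pool, notify):
        self.ac_map = ac_map      # Table C: option 60 value -> AC address list
        self.pool = list(pool)    # free AP-IP addresses
        self.notify = notify      # step 230: notify(ac_addr, ap_ip, ap_mac)

    def handle_request(self, client_mac, options_raw):
        """Steps 220-230: assign AP-IP; on a Table C hit add option 43 and notify the ACs."""
        opts = parse_dhcp_options(options_raw)
        if opts.get(OPT_MSG_TYPE) != b"\x03":          # 3 = DHCPREQUEST
            raise ValueError("not a DHCPREQUEST")
        ap_ip = self.pool.pop(0)
        ack = {"yiaddr": ap_ip}
        acs = self.ac_map.get(opts.get(OPT_VENDOR_CLASS, b""))
        if acs:
            ack[OPT_VENDOR_SPECIFIC] = ",".join(acs).encode()
            for ac in acs:
                self.notify(ac, ap_ip, client_mac)
        return ack


class HardwareAclUnit:
    """Default ACL drops every CAPWAP Discovery Request; step 235 adds per-AP allow rules."""
    def __init__(self):
        self.allowed = set()      # (ip, mac) pairs learned from DHCP notifications

    def allow(self, ip, mac):
        self.allowed.add((ip, mac))

    def accept_discovery(self, pkt):
        """Step 245: pass only when both source IP and source MAC match a notified AP."""
        return (pkt["src_ip"], pkt["src_mac"]) in self.allowed


def run_scenario():
    """Constructed topology: two ACs of one vendor sharing one DHCP server."""
    acls = {"192.0.2.1": HardwareAclUnit(), "192.0.2.2": HardwareAclUnit()}
    server = DhcpServer(ac_map={b"VendorX-AP": ["192.0.2.1", "192.0.2.2"]},
                        pool=["10.0.0.5", "10.0.0.6"],
                        notify=lambda ac, ip, mac: acls[ac].allow(ip, mac))
    ap_mac = "00:11:22:33:44:55"
    ack = server.handle_request(ap_mac, build_options(
        [(OPT_MSG_TYPE, b"\x03"), (OPT_VENDOR_CLASS, b"VendorX-AP")]))
    # a client with an unknown vendor class gets an address but no option 43 and no ACL entry
    other = server.handle_request("66:77:88:99:aa:bb", build_options(
        [(OPT_MSG_TYPE, b"\x03"), (OPT_VENDOR_CLASS, b"Laptop")]))
    acl = acls["192.0.2.1"]
    return {
        "option43": ack.get(OPT_VENDOR_SPECIFIC),
        "other_has_43": OPT_VENDOR_SPECIFIC in other,
        "ap_ok": acl.accept_discovery({"src_ip": ack["yiaddr"], "src_mac": ap_mac}),
        "spoofed_ip": acl.accept_discovery({"src_ip": "203.0.113.9", "src_mac": ap_mac}),
        "spoofed_mac": acl.accept_discovery({"src_ip": ack["yiaddr"], "src_mac": "de:ad:be:ef:00:01"}),
        "other_ok": acl.accept_discovery({"src_ip": other["yiaddr"], "src_mac": "66:77:88:99:aa:bb"}),
        "second_ac_ok": acls["192.0.2.2"].accept_discovery({"src_ip": ack["yiaddr"], "src_mac": ap_mac}),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The parser rejects a length byte that runs past the end of the option field rather than silently truncating, since the option bytes come from an unauthenticated client; a real AC would also apply the allow rule to the CAPWAP UDP port only, which the page leaves to the ACL syntax of the switch chip.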
The anti-attack system of the cluster model according to embodiments of the invention and its operation are described below with reference to Figs. 5 and 6. Fig. 5 is a schematic diagram of the switch-based cluster-model anti-attack system and its operation, and Fig. 6 is a schematic diagram of the router-based cluster-model anti-attack system and its operation.
As shown in Fig. 5, the AC devices of the cluster model according to this embodiment are of two types: the anti-attack AC and the ordinary AC. The anti-attack AC comprises an anti-attack unit and a hardware ACL unit. Usually one anti-attack AC serves several ordinary ACs; that is, the anti-attack function of several ACs is concentrated in one AC, which reduces the networking cost of the WLAN. The anti-attack AC forwards to an ordinary AC only the Discovery Requests of APs that have passed verification. An ordinary AC is initially configured to admit no AP at all. Fig. 5 shows only one ordinary AC, but those skilled in the art will understand that an anti-attack AC can work together with several ordinary ACs.
First, in steps 310 to 325, the AP and the DHCP server perform the same operations as in steps 210 to 225 of Fig. 4. The difference from the unit model of Fig. 4 is that in this embodiment the AC address mapping table in the DHCP server holds the address list of the anti-attack AC rather than that of the ordinary ACs.
In step 310, the AP sends a DHCP Discover carrying DHCP option 60 to the DHCP server. In step 315, the DHCP server replies to the AP with a DHCP Offer. After receiving the Offer, in step 320 the AP sends a DHCP Request to the DHCP server asking it to assign an IP address; this request carries the same DHCP option 60 as in step 310.
After receiving the DHCP Request, the DHCP server parses the option 60 information and uses it to look up the AC address mapping table. If an AC address list corresponding to the option 60 value is found, the server encapsulates that list in DHCP option 43 in a private format, assigns an IP address (AP-IP) to the AP, sends a DHCP ACK to the AP in step 325 and proceeds to step 330. If none is found, it assigns an IP address without including option 43, sends the DHCP ACK in step 325, and the AP then proceeds to step 340.
In step 330, the DHCP server sends a notification of the AP's successful address acquisition to the anti-attack AC; the notification includes the AP's IP address and MAC address.
In step 335, the anti-attack AC issues an ACL to its hardware ACL unit allowing reception of CAPWAP Discovery Request packets whose source address is the AP IP address notified by the DHCP server.
Next, in step 340, the AP sends a CAPWAP Discovery Request to the anti-attack AC.
In step 345, the hardware ACL unit of the anti-attack AC checks the Discovery Request and, if its source IP address and MAC address match the IP and MAC addresses notified by the DHCP server in step 330, delivers it to the anti-attack unit.
After receiving the Discovery Request, the anti-attack unit verifies the legitimacy of the AP using the challenge mechanism, notifies the ordinary AC of legitimate APs, and updates the anti-attack table.
Specifically, in step 350, after receiving the Discovery Request the anti-attack unit performs the action given in Table D below.
Table D

Challenge carried | Entry for source IP | Entry state | Challenge check | Action
no | absent | - | - | create an entry in state "unverified" with a timeout; reply with a Discovery Response carrying a new challenge (step 355)
no | present | any | - | drop, or handle according to the entry's state as in Fig. 3
yes | absent | - | - | drop the Discovery Request
yes | present | unverified | matches | reply with a Discovery Response telling the AP to register with the ordinary AC; set state to "authenticating"; start a timeout
yes | present | unverified | does not match | drop the Discovery Request
yes | present | authenticating or authenticated | not checked | drop the Discovery Request
First, the anti-attack unit determines whether the request carries a challenge. If it does not, the anti-attack unit decides, according to whether the anti-attack table holds an entry for the request's source IP address and the state of that entry, either to drop the request or, in step 355, to reply to the requesting AP with a Discovery Response containing the assigned challenge.
If the request carries a challenge, the anti-attack unit looks up the anti-attack table by the request's source IP address. If that IP address is not in the table, it drops the Discovery Request.
If an entry for the IP address is found and its authentication state is "unverified", the anti-attack unit checks whether the challenge matches. If it matches, the anti-attack unit replies to the AP at that IP address with a Discovery Response instructing the AP to register with the ordinary AC, changes the authentication state to "authenticating" and starts a timeout; if the state has still not become "authenticated" when the timeout expires, it deletes the AP's entry from the anti-attack table and notifies the ordinary AC to deny access to that AP. If the challenge does not match, it drops the Discovery Request. The AP may be instructed through a CAPWAP message element or a private message element, so that after receiving this response it initiates a registration request to the ordinary AC.
Next, in step 360, after the AP receives the Discovery Response carrying the challenge, it parses the response, extracts the challenge, and resends the Discovery Request carrying the challenge to the anti-attack AC.
Then, in step 365, the hardware ACL unit checks the Discovery Request and delivers it to the anti-attack unit. The anti-attack unit repeats step 350 to verify the legitimacy of the AP and, in step 370, forwards the Discovery Request that has passed verification to the ordinary AC and notifies the AP to register with the ordinary AC.
After receiving the Discovery Request, the ordinary AC completes the registration process with the AP in step 375. Next, in step 380, the ordinary AC and the AP carry out the normal protocol exchange according to the CAPWAP protocol (RFC 5415).
Subsequently, after the AP enters the Run state, in step 385 the ordinary AC instructs the anti-attack AC to change the authentication state of the AP's entry in the anti-attack table to "authenticated".
Finally, if the ordinary AC detects that the AP has gone offline abnormally, or after it has instructed the AP to reboot, in step 390 the ordinary AC instructs the anti-attack AC to delete the AP's entry from the anti-attack table.
Fig. 6 shows the router-based cluster-model anti-attack system according to an embodiment of the invention and its operation. Unlike the unit model of Fig. 3, the ACs of the router-based cluster-model anti-attack system according to this embodiment comprise an anti-attack AC and an ordinary AC. The anti-attack AC comprises an anti-attack unit that operates like the anti-attack unit of Fig. 3, except that it forwards the Discovery Requests that pass verification to the protocol processing unit of the ordinary AC. The ordinary AC is initially configured to admit no AP.
In step 410, the AP sends a CAPWAP Discovery Request to the anti-attack AC.
Next, in step 415, the anti-attack AC uses the challenge mechanism to verify the legitimacy of this AP's Discovery Request and updates the anti-attack table.
After receiving the Discovery Request, the anti-attack AC checks whether it carries a challenge, i.e. the random number. If it does not, the anti-attack AC decides, according to whether the anti-attack table holds an entry for the request's source IP address and the state of that entry, either to drop the request or to reply to the requesting AP with a Discovery Response containing the assigned challenge. If the AP has not resent a Discovery Request carrying the challenge when the configured timeout expires, that is, the entry's state has not become "authenticating", the anti-attack unit deletes the entry.
If the request carries a challenge, the anti-attack AC looks up Table A by the requester's source IP. If the anti-attack table has no entry for that IP, the anti-attack AC drops the Discovery Request. If an entry for the source IP is found in Table A, the anti-attack AC performs the operation corresponding to Table D:
When the entry is in state "unverified", the anti-attack AC checks whether the challenge matches. If it matches, the anti-attack AC replies to the AP at that IP address with a Discovery Response instructing it to register with the ordinary AC, changes the authentication state to "authenticating" and starts a timeout; if the state has still not become "authenticated" when the timeout expires, it deletes the AP's entry from the anti-attack table and notifies the ordinary AC to deny access to that AP. If the challenge does not match, it drops the Discovery Request.
When the entry is not in state "unverified" (i.e. it is "authenticating" or "authenticated"), the anti-attack unit does not check the challenge and simply drops the Discovery Request.
After the AP receives the Discovery Response carrying the challenge, it parses the response, extracts the random number, and in step 430 resends the Discovery Request carrying that random number to the AC.
Then the anti-attack AC repeats the verification of step 415 and, in step 440, notifies the ordinary AC of the AP that has passed the challenge check.
Next, in step 450, the AP initiates a registration request to the ordinary AC and completes the registration process. In step 460, the AP and the ordinary AC carry out the normal protocol exchange according to the CAPWAP protocol. After the AP enters the Run state, in step 470 the ordinary AC instructs the anti-attack AC to change the authentication state of the AP's entry in the anti-attack table to "authenticated". Finally, if the ordinary AC detects that the AP has gone offline abnormally, or after it has instructed the AP to reboot, in step 480 the ordinary AC instructs the anti-attack AC to delete the AP's entry from the anti-attack table.
Although the invention has been shown and described with reference to certain exemplary embodiments, those skilled in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the claims and their equivalents.