CN101841813A - Anti-attack wireless control system - Google Patents


Info

Publication number: CN101841813A
Authority: CN (China)
Prior art keywords: attack protection, wireless controller, address, password, register requirement
Legal status: Granted
Application number: CN201010140743.0A
Other languages: Chinese (zh)
Other versions: CN101841813B
Inventors: 刘靖非, 范成龙
Current assignees: Beijing Autelan Technology Co ltd; Beijing Hua Xinaotian Network Technology Co ltd
Original assignee: AUTELAN TECHNOLOGY Inc
Application filed by AUTELAN TECHNOLOGY Inc; priority to CN201010140743.0A; publication of CN101841813A; application granted; publication of CN101841813B; legal status: Active


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention provides an anti-attack wireless control system comprising a DHCP (Dynamic Host Configuration Protocol) server, a wireless controller and a hardware ACL (Access Control List) unit. The DHCP server allocates an IP (Internet Protocol) address to an AP (Access Point), informs the wireless controller corresponding to the AP of the AP's information after allocating the address, and instructs the AP to send a login request to the wireless controller. The wireless controller verifies the validity of the AP's login request through a password mechanism, updates an anti-attack list that records the validity state of the AP, and passes the legal login requests of the AP up to a protocol processing unit. The hardware ACL unit obtains from the DHCP server the information of the APs to which the DHCP server has allocated IP addresses, and permits only the login requests initiated by those APs to be passed up to the anti-attack unit.

Description

Anti-attack wireless control system
Technical field
The present invention relates to the field of wireless local area networks (WLAN), and more particularly to an anti-attack wireless control system for a WLAN based on a thin wireless access point (AP) architecture.
Background technology
A wireless access point (AP, Access Point) is also called a wireless bridge or a wireless gateway. The transmission mechanism of a so-called "thin" AP is equivalent to that of a hub in a wired network: it continuously receives and forwards data in the WLAN, and any PC fitted with a wireless network card can share the resources of the wired local area network, or even of the wide area network, through the AP. In theory, adding one wireless AP to a network extends the network's coverage diameter and allows the network to accommodate exponentially more network devices. Basically every wireless AP has an Ethernet interface, which is used to connect the wireless side to the wired side. A so-called "fat" AP differs from a pure AP in that, besides the wireless access function, it generally also has WAN and LAN interfaces, and most fat APs also support functions such as a DHCP server, DNS, MAC address cloning, VPN access and a firewall.
The product architecture of WLAN has evolved from single, autonomous APs (fat APs) to a centralized control system made up of a wireless controller (AC) together with APs (thin APs). The purpose of this evolution is to separate the control functions, including authentication, secure communication, mobility management and radio frequency management, from the individual AP and place them under the centralized control of the AC.
The CAPWAP protocol is a WLAN centralized control architecture protocol proposed by the Internet Engineering Task Force (IETF). It allows the AC to control APs centrally and to manage the channels, power, roaming, security policies and so on of the APs in a unified way. This architecture is characterized by low cost, simple management and high network security.
In an existing WLAN based on the thin AP architecture that uses the CAPWAP protocol, the AC rate-limits the processing of CAPWAP discovery request messages: it processes only a fixed number of CAPWAP discovery requests within a fixed time, so that handling a large number of CAPWAP discovery requests cannot increase the load on the AC and disturb the normal operation of other service modules.
However, a WLAN of this architecture cannot withstand a discovery request DoS attack. For example, a malicious attacker can send a large number of CAPWAP discovery requests to the AC. The AC has to process every discovery request one by one, so it can no longer process the discovery requests coming from legitimate APs normally, and its performance degrades until it can no longer work.
Summary of the invention
Exemplary embodiments of the present invention overcome the above disadvantages and other disadvantages not described above. However, the present invention is not required to overcome the above disadvantages, and an exemplary embodiment of the present invention may not overcome any of the problems described above.
According to an aspect of the present invention, an anti-attack wireless controller for a thin AP architecture is provided, comprising: a protocol processing unit, which communicates with wireless access points (APs) according to a predetermined protocol; and an anti-attack unit, which verifies the legitimacy of an AP's registration request by a password (challenge) mechanism, updates an anti-attack table, and passes the registration requests of legitimate APs up to the protocol processing unit, wherein the anti-attack table records the AP's IP address, the password allocated to the AP and the AP's authentication state.
According to an aspect of the present invention, an anti-attack wireless control system for a thin AP architecture is also provided, comprising: a DHCP server, which allocates an IP address to an AP, notifies the wireless controller corresponding to the AP of the AP's information after allocating the IP address, and instructs the AP to send a registration request to the wireless controller; a wireless controller comprising a protocol processing unit, which communicates with the AP according to a predetermined protocol, and an anti-attack unit, which verifies the legitimacy of the AP's registration request by a password mechanism, updates the anti-attack table used to record the legitimacy state of APs, and passes the registration requests of legitimate APs up to the protocol processing unit, wherein the anti-attack table records the AP's IP address, the password allocated to the AP and the AP's authentication state, and the anti-attack unit verifies whether a registration request is legitimate according to the password carried in the request and the authentication state; and a hardware ACL unit, which obtains from the DHCP server the information of the APs to which the DHCP server has allocated IP addresses, and passes up to the anti-attack unit only the registration requests initiated by those APs.
According to a further aspect of the present invention, an anti-attack wireless control system is also provided, comprising: a DHCP server, which allocates an IP address to a wireless access point (AP), notifies the first wireless controller corresponding to the AP of the AP's information after allocating the IP address, and instructs the AP to send a registration request to the corresponding first wireless controller; a second wireless controller, which communicates according to a predetermined protocol with the APs verified by the first wireless controller; a first wireless controller comprising an anti-attack unit, which verifies the legitimacy of the AP's registration request by a password mechanism, updates the anti-attack table used to record the legitimacy state of APs, and passes the registration requests of legitimate APs up to the second wireless controller, wherein the anti-attack table records the AP's IP address, the password allocated to the AP and the AP's authentication state; and a hardware ACL unit, which obtains from the DHCP server the information of the APs to which the DHCP server has allocated IP addresses, and passes up to the anti-attack unit only the registration requests initiated by those APs.
According to a further aspect of the present invention, an anti-attack wireless control system is also provided, comprising: a second wireless controller, which communicates according to a predetermined protocol with the APs verified by the first wireless controller; and a first wireless controller comprising an anti-attack unit, which verifies the legitimacy of the registration request of a wireless access point (AP) by a password mechanism, updates the anti-attack table used to record the legitimacy state of APs, and sends the registration requests of legitimate APs to the second wireless controller, wherein the anti-attack table records the AP's IP address, the password allocated to the AP and the AP's authentication state.
Description of drawings
The above and other aspects of the present invention will become clearer and more readily understood from the following detailed description of embodiments in conjunction with the accompanying drawings, in which:
Fig. 1 is a schematic diagram showing the structural model of a wireless controller (AC) according to an embodiment of the invention.
Fig. 2 is another schematic diagram of the structural model of the wireless controller according to an embodiment of the invention.
Fig. 3 is a schematic diagram of the anti-attack system based on a router architecture and its operating steps according to an embodiment of the invention.
Fig. 4 is a schematic diagram of the anti-attack system based on switches and its operating steps according to an embodiment of the invention.
Fig. 5 is a schematic diagram showing the anti-attack system of the cluster model based on switches and its operation according to an embodiment of the invention.
Fig. 6 is a schematic diagram showing the anti-attack system of the cluster model based on routers and its operation according to an embodiment of the invention.
Embodiment
An anti-attack method based on the thin AP architecture according to an embodiment of the invention is described in detail below with reference to the accompanying drawings. Throughout the drawings, the same reference numerals denote the same or similar parts. For clarity and conciseness, detailed descriptions of known functions and structures may be omitted so as not to obscure the subject matter of the invention.
Fig. 1 is a schematic diagram showing the structural model of a wireless controller (AC) according to an embodiment of the invention. An AC according to the invention can generally be based on a switch architecture or a router architecture. As shown in Fig. 1, the structure of an AC based on the switch architecture comprises five layers from top to bottom: the application layer, the OS protocol stack layer, the driver layer, the packet-receiving interrupt layer and the switch chip layer. Messages are reported upward layer by layer from the bottom. In an embedded system, the application layer may be merged into the OS protocol stack. Compared with the switch-based AC, an AC based on the router architecture merely lacks the switch chip at the bottom.
For the processing of a particular protocol, the structure of the AC can be simplified to the schematic shown in Fig. 2. As shown in Fig. 2, an AC based on the switch architecture comprises a protocol processing unit, a protocol anti-attack unit and a hardware access control list (ACL) unit. The function of the hardware ACL unit is performed by the switch chip. The protocol anti-attack unit (hereinafter simply the anti-attack unit) is implemented in the packet-receiving interrupt layer. The protocol processing unit is implemented in the application layer or the OS protocol stack layer. Compared with the switch-based AC, an AC based on the router architecture may not include the hardware ACL unit. In the present invention, the networking form of the WLAN can include two models: the unit model and the cluster model. Each model can include a switch-based architecture and a router-based architecture. The anti-attack systems of the unit model based on switches and on routers, and of the cluster model based on switches and on routers, are introduced below in turn.
Fig. 3 is a schematic diagram of the anti-attack system based on a router architecture and its operating steps according to an embodiment of the invention. The anti-attack system of Fig. 3 comprises an AP and an AC. In the following description the AP and the AC communicate using the CAPWAP protocol. Although the invention is described taking the CAPWAP protocol as an example, those skilled in the art will appreciate that the invention can be applied to AP and AC architectures that communicate using other wireless communication protocols.
As shown in Fig. 3, the AC according to an embodiment of the invention comprises a protocol processing unit and an anti-attack unit. The protocol processing unit processes the communication data exchanged with the AP according to the predetermined CAPWAP protocol. The anti-attack unit verifies the legitimacy of the AP by a password (challenge) mechanism, updates the anti-attack table used to record the legitimacy state of APs, and passes the communication requests of legitimate APs up to the protocol processing unit. That is, only after a communication request of an AP has passed the verification of the anti-attack unit is the registration request passed up to the protocol processing unit to be handled according to the protocol. The operation of the anti-attack system based on the router architecture according to an embodiment of the invention is described in detail below.
First, in step 110, the AP initiates a CAPWAP discovery request to the AC in order to register.
Next, in step 120, the anti-attack unit of the AC uses the password mechanism to verify the legitimacy of this AP's CAPWAP discovery request and updates the anti-attack table. The password mechanism and the anti-attack table according to an embodiment of the invention are introduced in detail below.
The anti-attack unit keeps an anti-attack table (Table A). The table is initially empty, and each entry comprises the requester's IP address, the requester's password (challenge) and an authentication state. The requester IP is the IP address from which the CAPWAP discovery request was sent to the AC. In this embodiment the requester's password is a random number allocated by the AC to the requester; those skilled in the art will understand that other password mechanisms can be used to verify the legitimacy of the requester. The authentication state records the requester's authentication state and can take the values "unverified", "authenticating" and "authenticated".
Table A
After receiving a CAPWAP discovery request, the anti-attack unit checks whether the request carries a password, that is, whether it carries a random number. If the anti-attack unit determines that the CAPWAP discovery request carries no password, it looks up Table A using the source IP address of the request. If no entry corresponding to this source IP address is found, an entry corresponding to the source IP of the request is created, its authentication state is set to "unverified", and a timeout (for example, 3 seconds) is set. The anti-attack unit generates a random number as the password and, in step 130, replies to the requesting AP with a CAPWAP discovery response that contains this random number. If the AP does not resend a CAPWAP discovery request carrying the password before the set time expires, that is, the authentication state of the entry does not change to "authenticating", the anti-attack unit deletes the entry. If the anti-attack unit finds an entry corresponding to the source IP address of the request, it performs the following operations:
(1) If the state of the entry is "unverified" or "authenticating", then, depending on policy, the anti-attack unit may either discard this CAPWAP discovery request or pass it up to the protocol processing unit. Since an entry corresponding to this source IP address already exists in the anti-attack table, this IP address has already sent a request; the new request may be a retransmission by the AP after a timeout, or it may be a request sent by an attacker masquerading as the AP. Therefore the request is discarded or passed up according to the administrator's policy.
(2) If the state of the entry is "authenticated", the anti-attack unit discards this CAPWAP discovery request (at this point the AP corresponding to this source IP address has already passed authentication, so the request can be regarded as illegitimate).
If the anti-attack unit finds that the CAPWAP discovery request carries a password, it looks up Table A using the requester's source IP. If no entry corresponding to the requester IP is found in the anti-attack table, the anti-attack unit discards this CAPWAP discovery request. If an entry corresponding to this source IP is found in Table A, the anti-attack unit performs the operation given by the following table.
Table B (rendered as an image in the original; its rules are summarized in the following paragraph)
As can be seen from the table above, when the state of the entry is "unverified", the anti-attack unit checks whether the password matches. If it matches, processing proceeds to step 150: the anti-attack unit passes the CAPWAP discovery request up to the protocol processing unit, changes the authentication state to "authenticating", and sets a timeout (for example, 30 seconds). If, after this timeout expires, the protocol processing unit has not notified the anti-attack unit that communication with the AP has been established, that is, the authentication state has not changed to "authenticated", the protocol processing unit notifies the anti-attack unit to delete the entry. If the password does not match, the CAPWAP discovery request is discarded. When the state of the entry is not "unverified" (that is, when it is "authenticating" or "authenticated"), the anti-attack unit does not check whether the password matches but directly discards the CAPWAP discovery request.
With the above processing, the AC can resist a CAPWAP discovery request DoS attack in which the attacker spoofs the address of an AP.
Next, after receiving the CAPWAP discovery response carrying the password, the AP parses the response, extracts the random number, and in step 140 resends to the AC a CAPWAP discovery request carrying the random number.
Then the anti-attack unit repeats the verification procedure of step 120 and, in step 150, delivers the CAPWAP discovery request that has passed password verification to the protocol processing unit.
After receiving the CAPWAP discovery request, the protocol processing unit of the AC performs normal protocol interaction with the AP according to the CAPWAP protocol (RFC 5415). When the AP enters the run state, in step 160 the protocol processing unit of the AC instructs the anti-attack unit to change the authentication state of the entry corresponding to the AP in the anti-attack table to "authenticated".
Finally, if the AC detects that the AP has gone offline abnormally, or after the AC instructs the AP to reboot, in step 170 the protocol processing unit of the AC instructs the anti-attack unit to delete the entry corresponding to the AP from the anti-attack table.
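The verification logic of steps 110 to 170 (Table A, the rules of Table B, and the two timeouts) as an added simulation; this is example code written for this page, not the patent's or the assignee's implementation. The injectable `clock`, the 32-bit random challenge and the `drop_repeats` policy flag are assumptions, since the description leaves the password mechanism and the administrator's policy open.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# The three authentication states recorded in the anti-attack table (Table A).
UNVERIFIED = "unverified"
AUTHENTICATING = "authenticating"
AUTHENTICATED = "authenticated"

# Timeouts given as examples in the description: 3 s to answer the challenge,
# 30 s for the protocol processing unit to bring the AP into the run state.
CHALLENGE_TIMEOUT_S = 3.0
REGISTRATION_TIMEOUT_S = 30.0


@dataclass
class TableEntry:
    """One row of Table A; the requester IP is the key in AntiAttackUnit.table."""
    password: int      # random number handed to the requester (the "challenge")
    state: str         # UNVERIFIED, AUTHENTICATING or AUTHENTICATED
    deadline: float    # clock time after which a not-yet-authenticated entry is deleted


class AntiAttackUnit:
    """Simulated anti-attack unit in front of the CAPWAP protocol processing unit."""

    def __init__(self, drop_repeats: bool = True,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.table: Dict[str, TableEntry] = {}   # Table A, initially empty
        self.drop_repeats = drop_repeats          # administrator policy for case (1)
        self.clock = clock                        # injectable clock (assumption, for tests)

    def expire(self) -> None:
        """Delete entries whose timeout elapsed without reaching the next state."""
        now = self.clock()
        for ip in [ip for ip, e in self.table.items()
                   if e.state != AUTHENTICATED and e.deadline < now]:
            del self.table[ip]

    def on_discovery_request(self, src_ip: str,
                             password: Optional[int]) -> Tuple[str, Optional[int]]:
        """Handle one CAPWAP discovery request from src_ip.

        Returns ("challenge", n) when a discovery response carrying n is sent (step 130),
        ("forward", None) when the request goes up to the protocol processing unit (step 150),
        or ("drop", None) when it is discarded.
        """
        self.expire()
        entry = self.table.get(src_ip)
        if password is None:
            # Request without a password: look up Table A by source IP.
            if entry is None:
                n = secrets.randbelow(2 ** 32)
                self.table[src_ip] = TableEntry(n, UNVERIFIED,
                                                self.clock() + CHALLENGE_TIMEOUT_S)
                return ("challenge", n)
            if entry.state == AUTHENTICATED:
                return ("drop", None)             # case (2): AP already authenticated
            # Case (1): retransmission or impersonation; decided by administrator policy.
            return ("drop", None) if self.drop_repeats else ("forward", None)
        # Request carrying a password: the rules of Table B. Only an "unverified"
        # entry with a matching password is forwarded; everything else is dropped.
        if entry is None or entry.state != UNVERIFIED or password != entry.password:
            return ("drop", None)
        entry.state = AUTHENTICATING
        entry.deadline = self.clock() + REGISTRATION_TIMEOUT_S
        return ("forward", None)

    def on_ap_run(self, ap_ip: str) -> bool:
        """Step 160: the protocol processing unit reports that the AP reached the run state."""
        entry = self.table.get(ap_ip)
        if entry is None or entry.state != AUTHENTICATING:
            return False
        entry.state = AUTHENTICATED
        return True

    def on_ap_offline(self, ap_ip: str) -> bool:
        """Step 170: the AP went offline abnormally or was told to reboot; drop its entry."""
        return self.table.pop(ap_ip, None) is not None

    def state_of(self, ip: str) -> Optional[str]:
        """Current authentication state of ip, or None when no entry exists."""
        self.expire()
        entry = self.table.get(ip)
        return None if entry is None else entry.state
```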
Fig. 4 is a schematic diagram of the anti-attack system based on switches and its operating steps according to an embodiment of the invention.
Unlike the WLAN structure of Fig. 3, the WLAN of the thin AP architecture in Fig. 4 comprises an AP, a DHCP server and an AC. Besides the protocol processing unit and the anti-attack unit shown in Fig. 3, the AC also comprises a hardware ACL unit. The hardware ACL unit obtains the IP addresses of legitimate APs from the DHCP server and allows only legitimate APs to initiate registration requests. The DHCP server may be located on the same physical entity as the AC. The DHCP server configures, in the corresponding address pool, an AC address mapping table as shown in Table C, whose key is the DHCP option 60 information. Generally the AP and the AC come from the same vendor, and a vendor's AC can only manage that vendor's APs. With an AC address mapping table as shown in Table C, it can be guaranteed that after an AP of the same vendor has successfully requested an address from the DHCP server, the DHCP server notifies the AC of the same vendor that the address request succeeded.
Table C

DHCP option 60 information   | AC address list
DHCP option 60 information 1 | AC address list 1
DHCP option 60 information 2 | AC address list 2
......                       | ......
DHCP option 60 information n | AC address list n
Under normal conditions, the protocol processing unit of the AC issues an ACL to the hardware ACL unit instructing it to discard CAPWAP discovery request messages. The purpose is to ensure that the AC receives only CAPWAP discovery request messages from predetermined source addresses, so that it can resist attacks in which the attacker varies the source address. The anti-attack system based on switches according to an embodiment of the invention and its operation are described in detail below with reference to Fig. 4.
First, in step 210, the AP sends a DHCP discover request (DHCP discovery request) to the DHCP server. This request carries DHCP option 60. According to RFC 2132 section 9.13, DHCP option 60 can be used by a DHCP client to identify the vendor type and configuration of the DHCP client.
After the DHCP server receives the DHCP discover request, in step 215 it replies to the AP with a DHCP offer.
After receiving the DHCP offer, in step 220 the AP sends a DHCP request to the DHCP server asking it to allocate an IP address. This request carries DHCP option 60, whose content is the same as that of the DHCP option 60 carried in the DHCP discover request of step 210.
After receiving the DHCP request, the DHCP server parses the information in DHCP option 60 and uses it to look up the AC address mapping table. If an AC address list corresponding to the DHCP option 60 is found, the AC address list is encapsulated in DHCP option 43 in a private format, an IP address (denoted AP-IP) is allocated to the AP, a DHCP ACK is returned to the AP in step 225, and the next step is step 230. If no list is found, an IP address is allocated without carrying DHCP option 43, a DHCP ACK is returned in step 225, and the next step is step 240.
In step 230, the DHCP server sends a notification that the AP has successfully obtained an address to each AC in the AC address list; the notification contains the MAC address and the IP address of the AP. The invention does not limit the means of notification. For example, if the DHCP server and the AC are on one physical entity, the notification may be made by function call, inter-process communication or the like; if they are on different physical entities, it may be made by remote procedure call (RPC), a custom protocol or the like.
In step 235, after the protocol processing unit of the AC receives the notification from the DHCP server, it issues an ACL to the hardware ACL unit allowing CAPWAP discovery request messages whose source address is AP-IP to be received.
In step 240, the AP initiates a CAPWAP discovery request to the AC. Note that the AP can obtain the AC address by parsing the DHCP option 43 of step 225, or by other means; this is not limited here. In step 245, the hardware ACL unit checks the CAPWAP discovery request, and if the IP address and MAC address of the discovery request match the IP address and MAC address notified by DHCP in step 230, it delivers the CAPWAP discovery request to the anti-attack unit.
With the above processing, the AC allows only APs whose IP addresses it has learned from DHCP to be legitimate to initiate registration requests. That is, only the CAPWAP discovery requests of these APs are received, and CAPWAP discovery request messages from other source addresses are all discarded, so the AC can resist a CAPWAP discovery request DoS attack in which the attacker varies the source address.
Next, the anti-attack unit further verifies the AP by processing similar to that of Fig. 3. The anti-attack unit verifies the legitimacy of the AP by carrying out the password mechanism with the AP, passes up to the protocol processing unit only the CAPWAP discovery requests of APs that pass verification, and updates the anti-attack table according to the verification result of the wireless access point. The difference from Fig. 3 is that every CAPWAP discovery request must also pass the check of the hardware ACL unit.
Specifically, in step 250, the anti-attack unit determines whether to discard the CAPWAP discovery request according to the AP's authentication state and whether the password carried in the CAPWAP discovery request matches the password in the anti-attack table, and updates the anti-attack table. If the CAPWAP request carries no password, then in step 255 the anti-attack unit determines whether to discard the request according to whether the anti-attack table contains an entry corresponding to the source IP address of the request and the authentication state of that entry, or replies to the requesting AP with a CAPWAP discovery response containing the allocated password.
Then, in step 260, after receiving the CAPWAP discovery response carrying the password, the AP parses the response, extracts the password, and resends to the AC a CAPWAP discovery request carrying the password.
Then, in step 265, the hardware ACL unit checks the CAPWAP discovery request again and delivers it to the anti-attack unit.
In step 270, the anti-attack unit repeats step 250 and passes the CAPWAP discovery request that has passed verification up to the protocol processing unit.
After receiving the CAPWAP discovery request, the protocol processing unit of the AC performs normal protocol interaction with the AP according to the CAPWAP protocol (RFC 5415). The subsequent processing steps 275 and 280 are the same as steps 160 and 170 of the embodiment of Fig. 3 and are therefore not described again.
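Steps 210 to 245 as an added simulation of the DHCP side of the design: the option 60 lookup in Table C, the option 43 reply, the address notification to the listed ACs, and the hardware ACL unit that passes a discovery request up only when both IP and MAC match the notice. This is example code for this page, not the patent's or the assignee's implementation; the comma-separated option 43 encoding, notification by direct method call (the description allows function calls, IPC or RPC), and every address and vendor string are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DhcpAck:
    """What the AP receives in step 225: its address and, when known, option 43."""
    ap_ip: str
    option43: Optional[bytes]   # AC address list in the assumed private format, or None


def encode_option43(ac_list: List[str]) -> bytes:
    """Assumed private format: AC addresses joined by commas (not the vendor's real format)."""
    return ",".join(ac_list).encode("ascii")


def decode_option43(raw: bytes) -> List[str]:
    return raw.decode("ascii").split(",")


class WirelessController:
    """AC whose hardware ACL unit drops every CAPWAP discovery request by default."""

    def __init__(self) -> None:
        # (AP IP, AP MAC) pairs for which an "allow" ACL has been issued (step 235).
        self.allowed: Set[Tuple[str, str]] = set()

    def on_dhcp_notify(self, ap_mac: str, ap_ip: str) -> None:
        """Step 235: the DHCP server reported that ap_mac successfully obtained ap_ip."""
        self.allowed.add((ap_ip, ap_mac))

    def hardware_acl_accepts(self, src_ip: str, src_mac: str) -> bool:
        """Step 245: deliver to the anti-attack unit only if IP and MAC both match a notice."""
        return (src_ip, src_mac) in self.allowed


class DhcpServer:
    """DHCP server holding the AC address mapping table (Table C) for its address pool."""

    def __init__(self, ac_address_map: Dict[str, List[str]],
                 controllers: Dict[str, WirelessController], pool: List[str]) -> None:
        self.ac_address_map = ac_address_map   # option 60 value -> AC address list
        self.controllers = controllers         # AC address -> controller (notified by call)
        self.pool = list(pool)                 # free addresses, handed out in order
        self.leases: Dict[str, str] = {}       # client MAC -> allocated IP

    def handle_request(self, client_mac: str, option60: Optional[str]) -> DhcpAck:
        """Steps 220 to 230: allocate an address, look up Table C, notify the listed ACs."""
        ap_ip = self.leases.get(client_mac) or self.pool.pop(0)
        self.leases[client_mac] = ap_ip
        ac_list = None if option60 is None else self.ac_address_map.get(option60)
        if ac_list is None:
            # Unknown vendor class: address only, no option 43 and no notification,
            # so no ACL is ever opened for this client (step 240 without step 235).
            return DhcpAck(ap_ip, None)
        for ac_ip in ac_list:                  # step 230: notify every AC in the list
            self.controllers[ac_ip].on_dhcp_notify(client_mac, ap_ip)
        return DhcpAck(ap_ip, encode_option43(ac_list))


def demo() -> Dict[str, bool]:
    """Constructed scenario: one vendor AP, one foreign client, two spoofing attempts."""
    ac = WirelessController()
    server = DhcpServer({"VENDOR-THIN-AP": ["192.0.2.1"]}, {"192.0.2.1": ac},
                        ["10.0.0.10", "10.0.0.11"])
    ap_mac, other_mac = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    ack = server.handle_request(ap_mac, "VENDOR-THIN-AP")
    foreign = server.handle_request(other_mac, "SOME-OTHER-CLIENT")
    return {
        "ap_learned_ac": decode_option43(ack.option43) == ["192.0.2.1"],
        "ap_discovery_passes": ac.hardware_acl_accepts(ack.ap_ip, ap_mac),
        "foreign_gets_no_option43": foreign.option43 is None,
        "foreign_discovery_passes": ac.hardware_acl_accepts(foreign.ap_ip, other_mac),
        "spoofed_ip_passes": ac.hardware_acl_accepts(ack.ap_ip, other_mac),
        "spoofed_mac_passes": ac.hardware_acl_accepts("10.0.0.99", ap_mac),
    }
```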
The anti-attack system of the cluster model according to an embodiment of the invention and its operating process are described below with reference to Fig. 5 and Fig. 6. Fig. 5 is a schematic diagram showing the anti-attack system of the cluster model based on switches and its operation, and Fig. 6 is a schematic diagram showing the anti-attack system of the cluster model based on routers and its operation, according to an embodiment of the invention.
As shown in Fig. 5, the AC equipment of the cluster model according to an embodiment of the invention comprises two types: anti-attack ACs and common ACs. An anti-attack AC comprises an anti-attack unit and a hardware ACL unit. Usually one anti-attack AC can correspond to several common ACs; that is, the anti-attack functions of several ACs are concentrated in one AC, which reduces the networking cost of the WLAN. The anti-attack AC sends only the CAPWAP discovery requests of APs that pass verification to the common AC. A common AC is initially set not to allow any AP to access. Fig. 5 shows only one common AC, but those skilled in the art will understand that an anti-attack AC can work together with several common ACs.
First, in steps 310-325, the AP and the DHCP server perform the same operations as steps 210-225 of Fig. 4. Unlike the unit model of Fig. 4, in this embodiment the AC address mapping table in the DHCP server stores the address list of the anti-attack ACs rather than the address list of the common ACs.
In step 310, the AP sends a DHCP discover request to the DHCP server. This request carries DHCP option 60. In step 315, the DHCP server replies to the AP with a DHCP offer. After receiving the DHCP offer, in step 320 the AP sends a DHCP request to the DHCP server asking it to allocate an IP address; this request carries the same DHCP option 60 as in step 310.
After receiving the DHCP request, the DHCP server parses the information in DHCP option 60 and uses it to look up the AC address mapping table. If an AC address list corresponding to the DHCP option 60 is found, the AC address list is encapsulated in DHCP option 43 in a private format, an IP address (denoted AP-IP) is allocated to the AP, a DHCP ACK is returned to the AP in step 320, and the next step is step 325. If no list is found, an IP address is allocated without carrying DHCP option 43, a DHCP ACK is returned in step 320, and the AP next performs step 340.
In step 330, the DHCP server sends a notification that the AP has successfully obtained an address to the anti-attack AC; the notification contains information such as the IP address and the MAC address of the AP.
In step 335, the anti-attack AC issues an ACL to its anti-attack unit allowing CAPWAP discovery request messages whose source address is that of the AP with the IP address notified by the DHCP server to be received.
Next, in step 340, the AP initiates a CAPWAP discovery request to the anti-attack AC.
In step 345, the hardware ACL unit of the anti-attack AC checks the CAPWAP discovery request, and if the IP address and MAC address of the discovery request match the IP address and MAC address notified by DHCP in step 330, it delivers the CAPWAP discovery request to the anti-attack unit.
After the anti-attack unit receives the CAPWAP discovery request, it uses the challenge mechanism to verify the legitimacy of the AP, notifies the common AC of the legitimate AP, and updates the anti-attack table.
Specifically, in step 350, after receiving the CAPWAP discovery request the anti-attack unit performs the actions corresponding to Table D below.
Table D (reproduced in the original as an image; the actions it lists are described in the paragraphs that follow)
First, the anti-attack unit determines whether the request carries a password. If it does not, the anti-attack unit decides, according to whether the anti-attack table contains an entry corresponding to the source IP address of the request and according to the authentication state of that entry, either to drop the request or to reply in step 355 to the requesting AP with a CAPWAP discovery response that contains the allocated password.
If a password is carried, the anti-attack unit looks up the anti-attack table using the source IP address of the request. If the IP address is not found in the anti-attack table, the CAPWAP discovery request is dropped.
If an entry for the IP address is found in the anti-attack table and its authentication state is "unauthenticated", the anti-attack unit determines whether the password matches. If it matches, the anti-attack unit replies to the AP at that IP address with a CAPWAP discovery response, notifies the AP to register again with the ordinary AC, changes the authentication state to "authenticating" and sets a timeout; if the authentication state has not become "authenticated" when the timeout expires, the entry of that AP is deleted from the anti-attack table and the ordinary AC is notified to forbid that AP from accessing it. If the password does not match, the CAPWAP discovery request is dropped. The AP can be notified through a CAPWAP message element or a proprietary message element, so that after receiving this response the AP initiates a registration request to the ordinary AC again.
Next, in step 360, after the AP receives the CAPWAP discovery response carrying the password, it parses the response, extracts the password, and resends a CAPWAP discovery request carrying that password to the anti-attack AC.
Then, in step 365, the hardware ACL unit checks the CAPWAP discovery request and delivers it to the anti-attack unit. The anti-attack unit repeats step 350 to verify the legitimacy of the AP and, in step 370, sends the verified CAPWAP discovery request to the ordinary AC and notifies the AP to register again with the ordinary AC.
After the ordinary AC receives the CAPWAP discovery request, it completes the registration process with the AP in step 375. Next, in step 380, the ordinary AC and the AP carry out normal protocol interaction according to the CAPWAP protocol (RFC 5415).
Subsequently, after the AP enters the running state, in step 385 the ordinary AC instructs the anti-attack AC to change the authentication state of the entry corresponding to the AP in the anti-attack table to "authenticated".
Finally, if the AC detects that the AP has gone offline abnormally, or after the AC instructs the AP to reboot, in step 390 the ordinary AC instructs the anti-attack AC to delete the entry corresponding to the AP from the anti-attack table.
Fig. 6 shows the anti-attack system based on the router cluster model according to an embodiment of the invention, together with its operation. Unlike the single-unit model shown in Fig. 3, the ACs in the anti-attack system based on the router cluster model comprise an anti-attack AC and an ordinary AC. The anti-attack AC contains an anti-attack unit that performs operations similar to those of the anti-attack unit in Fig. 3, the difference being that this anti-attack unit sends the verified CAPWAP discovery request to the protocol processing unit in the ordinary AC. The ordinary AC is initially configured to allow no AP to access it.
In step 410, the AP sends a CAPWAP discovery request to the anti-attack AC.
Next, in step 415, the anti-attack AC uses the password mechanism to verify the legitimacy of the AP's CAPWAP discovery request and updates the anti-attack table.
After receiving the CAPWAP discovery request, the anti-attack AC checks whether the request carries a password, that is, whether it carries a random number. If the anti-attack AC determines that the CAPWAP discovery request carries no password, it decides, according to whether the anti-attack table contains an entry corresponding to the source IP address of the request and according to the authentication state of that entry, either to drop the request or to reply to the requesting AP with a CAPWAP discovery response that contains the allocated password. If the AP does not resend a CAPWAP discovery request carrying the password within the configured time, that is, if the authentication state of the entry has not become "authenticating", the anti-attack unit deletes that entry.
If the request carries a password, the anti-attack AC looks up table A using the source IP of the requester. If no entry corresponding to the requester's IP is found in the anti-attack table, the anti-attack AC drops the CAPWAP discovery request. If an entry corresponding to the source IP is found in table A, the anti-attack AC performs the operations corresponding to Table D:
When the state of the entry is "unauthenticated", the anti-attack AC checks whether the password matches. If it matches, the anti-attack AC replies to the AP at that IP address with a CAPWAP discovery response, notifies the AP to register again with the ordinary AC, changes the authentication state to "authenticating" and sets a timeout; if the authentication state has not become "authenticated" when the timeout expires, the entry of that AP is deleted from the anti-attack table and the ordinary AC is notified to forbid that AP from accessing it. If the password does not match, the CAPWAP discovery request is dropped.
When the state of the entry is not "unauthenticated" (that is, it is "authenticating" or "authenticated"), the anti-attack unit does not check whether the password matches and directly drops the CAPWAP discovery request.
After the AP receives the CAPWAP discovery response carrying the password, it parses the response, extracts the random number, and in step 430 resends a CAPWAP discovery request carrying the random number to the AC.
Then the anti-attack AC repeats the verification process of step 415 and, in step 440, notifies the ordinary AC of the information of the AP that passed password verification.
Next, in step 450, the AP initiates a registration request to the ordinary AC again and completes the registration process. In step 460, the AP and the ordinary AC carry out normal protocol interaction according to the CAPWAP protocol. After the AP enters the running state, in step 470 the ordinary AC instructs the anti-attack AC to change the authentication state of the entry corresponding to the AP in the anti-attack table to "authenticated". Finally, if the AC detects that the AP has gone offline abnormally, or after the AC instructs the AP to reboot, in step 480 the ordinary AC instructs the anti-attack AC to delete the entry corresponding to the AP from the anti-attack table.
Although the invention has been shown and described with reference to certain exemplary embodiments, those skilled in the art will appreciate that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the claims and their equivalents.
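The challenge and state-machine behaviour described for the anti-attack unit in both the Fig. 5 and Fig. 6 flows (the hardware ACL check against the DHCP-notified IP/MAC pair, the Table D handling of requests with and without a password, the timeouts, and the ordinary AC's state updates), modelled as an added Python example that is not part of the patent or of any Autelan implementation. The class and function names, the 16-byte random password, the injectable clock and the rule that an entry still "unauthenticated" is re-challenged with the same password are assumptions; all addresses are constructed.

```python
import secrets
import time
from dataclasses import dataclass

UNAUTHENTICATED, AUTHENTICATING, AUTHENTICATED = "unauthenticated", "authenticating", "authenticated"

@dataclass
class Entry:                 # one row of the anti-attack table (table A)
    password: bytes          # random number allocated to the AP
    state: str = UNAUTHENTICATED
    deadline: float = 0.0    # time by which the current state must have advanced

@dataclass
class DiscoveryRequest:      # a CAPWAP discovery request as seen by the AC (constructed model)
    src_ip: str
    src_mac: str
    password: bytes = None   # None when the request carries no password

class AntiAttackAC:
    """Hardware ACL pre-filter plus the Table D logic of the anti-attack unit (assumed model)."""

    def __init__(self, timeout=5.0, clock=time.monotonic):
        self.timeout, self.clock = timeout, clock   # clock is injectable so timeouts can be tested
        self.acl = set()      # (IP, MAC) pairs the DHCP server notified (steps 330-335)
        self.table = {}       # src IP -> Entry
        self.forbidden = []   # APs the ordinary AC was told to refuse (authentication timed out)

    def dhcp_notify(self, ip, mac):   # DHCP server reports a successful address allocation
        self.acl.add((ip, mac))

    def handle(self, req):
        """Return "drop", ("challenge", password) or "forward" for one discovery request."""
        if (req.src_ip, req.src_mac) not in self.acl:   # hardware ACL check (step 345)
            return "drop"
        self.expire()
        entry = self.table.get(req.src_ip)
        if req.password is None:
            # No password: allocate a random number to a new AP (claim 4); assumption: an entry still
            # "unauthenticated" is re-challenged with the same password, any other state is dropped.
            if entry is None:
                entry = Entry(secrets.token_bytes(16), UNAUTHENTICATED, self.clock() + self.timeout)
                self.table[req.src_ip] = entry
            elif entry.state != UNAUTHENTICATED:
                return "drop"
            return ("challenge", entry.password)
        # Password carried: only an existing, unauthenticated entry with a matching password passes.
        if entry is None or entry.state != UNAUTHENTICATED:
            return "drop"
        if not secrets.compare_digest(entry.password, req.password):
            return "drop"
        entry.state = AUTHENTICATING
        entry.deadline = self.clock() + self.timeout   # must become "authenticated" before this
        return "forward"

    def mark_running(self, ip):   # ordinary AC reports the AP is running (step 385 / 470)
        if ip in self.table:
            self.table[ip].state = AUTHENTICATED

    def delete(self, ip):         # ordinary AC reports abnormal offline or reboot (step 390 / 480)
        self.table.pop(ip, None)

    def expire(self):             # drop entries whose challenge or authentication window elapsed
        now = self.clock()
        for ip, e in list(self.table.items()):
            if e.state != AUTHENTICATED and now >= e.deadline:
                del self.table[ip]
                if e.state == AUTHENTICATING:
                    self.forbidden.append(ip)   # notify the ordinary AC to forbid this AP

def run_demo():
    """Constructed walk-through: a spoofed source, then a legitimate AP; returns the outcomes."""
    now = [0.0]
    ac = AntiAttackAC(timeout=5.0, clock=lambda: now[0])
    ac.dhcp_notify("10.0.0.5", "aa:bb:cc:dd:ee:01")                     # constructed DHCP notice
    good, spoof = ("10.0.0.5", "aa:bb:cc:dd:ee:01"), ("10.0.0.5", "aa:bb:cc:dd:ee:99")
    out = [ac.handle(DiscoveryRequest(*spoof))]                         # MAC mismatch: ACL drops
    challenge = ac.handle(DiscoveryRequest(*good))                      # new AP: gets a password
    out.append(challenge[0])
    out.append(ac.handle(DiscoveryRequest(*good, b"wrong")))            # bad password: dropped
    out.append(ac.handle(DiscoveryRequest(*good, challenge[1])))        # good password: forwarded
    ac.mark_running("10.0.0.5")                                         # step 385: AP is running
    now[0] = 10.0
    ac.expire()                                                         # authenticated entry survives
    out.append(ac.table["10.0.0.5"].state)
    return out
```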

Claims (14)

1. An anti-attack wireless controller, comprising:
a protocol processing unit, which communicates with a wireless access point (AP) according to a predetermined protocol;
an anti-attack unit, which verifies the legitimacy of the registration request of the AP through a password mechanism, updates an anti-attack table, and passes the registration request of a legitimate AP up to the protocol processing unit,
wherein the anti-attack table records the IP address of the AP, the password allocated to the AP, and the authentication state of the AP.
2. The wireless controller of claim 1, wherein the password is a random number generated by the anti-attack unit.
3. The wireless controller of claim 1, wherein the authentication state of the AP comprises unauthenticated, authenticating and authenticated, and the anti-attack unit verifies only registration requests that carry a password and are in the unauthenticated state.
4. The wireless controller of claim 3, wherein, if the registration request of the AP carries no password and the anti-attack table has no entry corresponding to the AP, the anti-attack unit allocates a password to the AP and sends a response containing that password back to the AP to notify the AP to resend the registration request.
5. The wireless controller of claim 4, wherein, if the anti-attack unit does not receive the resent registration request of the AP within a predetermined time after sending said response, the anti-attack unit deletes the entry relating to the AP from the anti-attack table.
6. The wireless controller of claim 1, wherein, after the registration request of the AP is passed up to the protocol processing unit, the anti-attack unit changes the authentication state of the AP to authenticating, and if the authentication state of the AP does not change to authenticated within a predetermined time, the anti-attack unit deletes the entry corresponding to the AP from the anti-attack table.
7. The wireless controller of claim 6, wherein, after the AP and the wireless controller have established communication, if the wireless controller detects that the AP has gone offline abnormally, or after the wireless controller instructs the AP to reboot, the protocol processing unit instructs the anti-attack unit to delete the entry corresponding to the AP from the anti-attack table.
8. The wireless controller of claim 1, further comprising:
a hardware ACL unit, which obtains from the DHCP server the information of the APs that have been allocated an IP address by the DHCP server, and allows only registration requests initiated by those APs to be passed up to the anti-attack unit.
9. An anti-attack wireless control system, comprising:
a DHCP server, which allocates an IP address to an AP, notifies the wireless controller corresponding to the AP of the information of the AP after allocating the IP address, and notifies the AP to send a registration request to the wireless controller;
a wireless controller, comprising:
a protocol processing unit, which communicates with the wireless access point (AP) according to a predetermined protocol;
an anti-attack unit, which verifies the legitimacy of the registration request of the AP through a password mechanism, updates an anti-attack table used to record the legitimacy state of the AP, and passes the registration request of a legitimate AP up to the protocol processing unit, wherein the anti-attack table records the IP address of the AP, the password allocated to the AP, and the authentication state of the AP;
a hardware ACL unit, which obtains from the DHCP server the information of the APs that have been allocated an IP address by the DHCP server, and allows only registration requests initiated by those APs to be passed up to the anti-attack unit.
10. The wireless control system of claim 9, wherein the DHCP server looks up the address list of the wireless controller corresponding to the AP by means of the option 60 message carried by the AP.
11. An anti-attack wireless control system, comprising:
a DHCP server, which allocates an IP address to a wireless access point (AP), notifies the first wireless controller corresponding to the AP of the information of the AP after allocating the IP address, and notifies the AP to send a registration request to said corresponding first wireless controller;
a first wireless controller, comprising:
an anti-attack unit, which verifies the legitimacy of the registration request of the AP through a password mechanism, updates an anti-attack table used to record the legitimacy state of the AP, and passes the registration request of a legitimate AP up to a second wireless controller, wherein the anti-attack table records the IP address of the AP, the password allocated to the AP, and the authentication state of the AP;
a hardware ACL unit, which obtains from the DHCP server the information of the APs that have been allocated an IP address by the DHCP server, and allows only registration requests initiated by those APs to be passed up to the anti-attack unit;
a second wireless controller, for communicating according to a predetermined protocol with the APs verified by the first wireless controller.
12. The wireless control system of claim 11, wherein the DHCP server looks up the address list of the first wireless controller corresponding to the AP by means of the option 60 message carried by the AP, thereby obtaining the address of the first wireless controller corresponding to the AP.
13. An anti-attack wireless control system, comprising:
a first wireless controller, comprising:
an anti-attack unit, which verifies the legitimacy of the registration request of a wireless access point (AP) through a password mechanism, updates an anti-attack table used to record the legitimacy state of the AP, and sends the registration request of a legitimate AP to a second wireless controller, wherein the anti-attack table records the IP address of the AP, the password allocated to the AP, and the authentication state of the AP;
a second wireless controller, for communicating according to a predetermined protocol with the APs verified by the first wireless controller.
14. The wireless control system of claim 13, wherein the DHCP server looks up the address list of the first wireless controller corresponding to the AP by means of the option 60 message carried by the AP, thereby obtaining the address of the first wireless controller corresponding to the AP.
CN201010140743.0A 2010-04-07 2010-04-07 Anti-attack wireless control system Active CN101841813B (en)

Publications (2)

Publication Number Publication Date
CN101841813A true CN101841813A (en) 2010-09-22
CN101841813B CN101841813B (en) 2013-08-21


