CN102137073B - Method and access equipment for preventing imitating internet protocol (IP) address to attack - Google Patents

Method and access equipment for preventing imitating internet protocol (IP) address to attack

Info

Publication number: CN102137073B
Authority: CN (China)
Prior art keywords: message, list item, binding list, address, access device
Legal status: Active
Application number: CN 201010103859
Other languages: Chinese (zh)
Other versions: CN102137073A (en)
Inventor: 林涛
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CN 201010103859; publication of CN102137073A; application granted; publication of CN102137073B
Abstract

The invention discloses a method and an access device for preventing attacks that use a spoofed internet protocol (IP) address. When the access device receives, from a user-side port, a duplicate address detection neighbor solicitation (DAD NS) message or an address Confirm message carrying the IP address to be detected, it generates a binding entry containing that IP address and sends a DAD NS message carrying it through a network-side port. If, within a set detection time, the access device receives from the network-side port a neighbor advertisement (NA) message carrying the IP address to be detected, it authenticates the authentication information attached to that NA message and, if authentication passes, deletes the binding entry containing the IP address to be detected. The authentication information is attached to the NA message by another access device on the same link when that device receives the NA message carrying the IP address to be detected from one of its user-side ports. The method and access device effectively prevent attacks in which an illegitimate user spoofs an IP address.

Description

Method and access device for preventing attacks using a spoofed IP address
Technical field
The present invention relates to the field of network security technology, and in particular to a method and an access device for preventing attacks using a spoofed IP address.
Background art
The IPv6 Neighbor Discovery (ND) protocol uses five types of Internet Control Message Protocol version 6 (ICMPv6) message: Neighbor Solicitation (NS), Neighbor Advertisement (NA), Router Solicitation (RS), Router Advertisement (RA) and Redirect. These five ICMPv6 message types implement address resolution, neighbor reachability verification, duplicate address detection, router discovery, stateless address autoconfiguration and redirection.
Because ND messages are sent in plaintext, within the same link (for example the same VLAN) an attacker may forge messages that use a spoofed IP address. To address this problem, an access device can snoop the DHCPv6 address allocation process or the ND stateless address configuration process and generate security entries. Specifically, each access device snoops the DHCPv6 address allocation or ND stateless address configuration of its user terminals, generates from the snooped result a binding entry containing the IP address, link-layer address and access port, and forwards subsequent control and data messages according to that binding entry. Only messages that fully match a binding entry are forwarded; non-matching messages are discarded.
However, when several access devices are on the same link, the entries must be synchronised between them, so that every access device maintains binding entries for all user terminals on the link, which consumes a great deal of device resources. The prior art therefore also provides a method in which each access device generates binding entries only for the user terminals that access that device itself, that is, binding entries are generated only from messages snooped on user-side ports. This approach, however, leaves a loophole for IP address spoofing attacks.
As shown in Fig. 1, user terminal PC1 accesses access device (NAS) 1. Suppose the IP address of PC1 is IP Address1, its link-layer address is LA1 and its access port is user-side port 1; NAS1 then holds a binding entry containing IP Address1, LA1 and user-side port 1. NAS1 and NAS2 are on the same link. If illegitimate user device PC2 now accesses NAS2 while spoofing IP Address1, NAS2 generates a binding entry containing IP Address1, the link-layer address of PC2 and user-side port 2. Even if PC1 detects that someone is using its own IP address and responds with an NA message carrying IP Address1, PC2 need only discard that NA message to keep using the IP address online, and can even carry out illegal operations with it. Moreover, if PC1 moves from NAS1 to NAS2, NAS2 snoops the access of PC1, but because a binding entry containing IP Address1 already exists on NAS2, PC1 cannot use IP Address1 to access the network through NAS2.
Summary of the invention
In view of this, the present invention provides a method and an access device for preventing attacks using a spoofed IP address, so as to effectively prevent an illegitimate user from attacking with a spoofed IP address.
A method for preventing attacks using a spoofed IP address, the method comprising:
When an access device receives from a user-side port a duplicate address detection neighbor solicitation (DAD NS) message or an address Confirm message carrying an IP address to be detected, it generates a binding entry containing the IP address to be detected and sends a DAD NS message carrying the IP address to be detected through a network-side port;
If the access device receives from the network-side port an NA message carrying the IP address to be detected within a set DAD detection time, it authenticates the authentication information attached to that NA message and, if authentication passes, deletes the binding entry containing the IP address to be detected;
The authentication information is attached to the NA message by another access device on the same link as the access device when that other device receives the NA message carrying the IP address to be detected from a user-side port.
An access device, comprising: an entry generation unit, a message processing unit, an authentication processing unit and an entry processing unit;
The entry generation unit, when the access device receives from a user-side port a DAD NS message or a Confirm message carrying an IP address to be detected, generates a binding entry containing the IP address to be detected and sends a first notification to the message processing unit;
The message processing unit, on receiving the first notification, sends a DAD NS message carrying the IP address to be detected through the network-side port;
The authentication processing unit, when the access device receives from the network-side port an NA message carrying the IP address to be detected within the set DAD detection time, authenticates the authentication information attached to that NA message and, if authentication passes, sends a deletion notification to the entry processing unit; when the access device receives from a user-side port an NA message carrying the IP address to be detected, it attaches authentication information to that NA message;
The entry processing unit, on receiving the deletion notification, deletes the binding entry containing the IP address to be detected.
As can be seen from the above technical solution, the present invention attaches authentication information to NA messages received from user-side ports, so that an access device can authenticate the authentication information in an NA message carrying the IP address to be detected that it receives from its network-side port. If authentication passes, the IP address to be detected is determined to be already in use by a legitimate user on another access device on the same link, so the local binding entry generated for this IP address from a DAD NS or Confirm message may belong to an attacker, and the local binding entry containing the IP address to be detected is deleted. In a deployment where each access device establishes binding entries only for the user terminals that access that device, this effectively prevents attacks by illegitimate users using spoofed IP addresses.
Brief description of the drawings
Fig. 1 is a schematic diagram of an attack by an illegitimate user using a spoofed IP address;
Fig. 2 is a flowchart of the method provided by embodiment one of the present invention;
Fig. 3 is a diagram of the format of the Option field carrying the authentication information;
Fig. 4 is a flowchart of the method provided by embodiment two of the present invention;
Fig. 5 is a schematic diagram of the structure of the access device provided by the present invention.
Detailed description of embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described below with reference to the drawings and specific embodiments.
The method provided by the present invention mainly comprises: when an access device receives from a user-side port a DAD NS message or an address Confirm message carrying an IP address to be detected, it generates a binding entry containing the IP address to be detected and sends a DAD NS message carrying the IP address to be detected through a network-side port; if, within a set DAD detection time, it receives from the network-side port an NA message carrying this IP address to be detected, it authenticates the authentication information attached to that NA message and, if authentication passes, deletes the binding entry containing the IP address to be detected. The authentication information is attached to the NA message by another access device on the same link as this access device when that other device receives the NA message carrying the IP address to be detected from a user-side port.
The "same link" in the above method may be the same virtual LAN (VLAN), the same non-broadcast multiple-access (NBMA) network, and so on.
The DAD NS message is a message of the ND protocol, and the Confirm message is a message of the DHCPv6 protocol. The method is described in detail below through specific embodiments for each of these two protocol messages.
Embodiment one. Taking the structure shown in Fig. 1 as an example, suppose user terminal PC1 is the legitimate user of IP Address1, its link-layer address is LA1, and PC1 accesses NAS1; NAS1 has therefore generated a binding entry containing IP Address1, LA1 and user-side port 1. If illegitimate user PC2 now accesses NAS2 and sends a DAD NS message claiming IP Address1, the method provided by the present invention comprises the following steps, as shown in Fig. 2:
Step 201: NAS2 receives from user-side port 2 the DAD NS message carrying IP Address1 sent by PC2, generates a binding entry containing IP Address1, user-side port 2 and the link-layer address of PC2, and forwards the DAD NS message.
In practice, after receiving the DAD NS message, NAS2 first judges whether a binding entry containing IP Address1 has already been generated locally. If so, it further judges whether the DAD NS message fully matches the local binding entry containing IP Address1, that is, whether the link-layer address of PC2 and user-side port 2 are consistent with the contents of that entry. If they are, PC2 is the user terminal that the binding entry belongs to, and the DAD NS message is forwarded; otherwise another user terminal accessing NAS2 is already using IP Address1, and the DAD NS message is discarded. In the present embodiment NAS2 does not yet hold a binding entry containing IP Address1, so NAS2 generates a binding entry containing IP Address1, user-side port 2 and the link-layer address of PC2.
The link-layer address of PC2 can be obtained from the source link-layer address of the DAD NS message. Depending on the link type, the link-layer address may be a MAC address, a permanent virtual circuit (PVC) address, and so on.
Step 202: NAS1 receives the DAD NS message carrying IP Address1 from its network-side port and forwards it.
In this step, when NAS1 receives the DAD NS message from its network-side port, it may first judge whether a binding entry containing IP Address1 has been generated locally; if not, it forwards the DAD NS message. If so, it further checks whether the source link-layer address carried in the DAD NS message matches the local binding entry containing IP Address1. If they match and the binding entry has already started its aging process, NAS1 concludes that the legitimate user terminal PC1 that originally accessed NAS1 has migrated, for example to NAS2, and deletes the local binding entry containing IP Address1. If they do not match, or they match but the binding entry has not started its aging process, NAS1 forwards the DAD NS message and continues to listen for the NA message. The present embodiment corresponds to the non-matching case. The starting of the aging process is described later.
Step 203: NAS1 receives from user-side port 1 the NA message carrying IP Address1 returned by PC1, attaches authentication information to this NA message, and then forwards it through the network-side port.
After PC1 receives the DAD NS message carrying IP Address1, it determines that it is itself using IP Address1 and therefore replies by unicast with an NA message carrying IP Address1.
The authentication information that NAS1 attaches to the NA message can be generated in a manner agreed between NAS1 and NAS2 on the link. This authentication information informs NAS2 that the NA message is legitimate, so that NAS2 deletes its corresponding binding entry and the spoofing attack by the illegitimate user is avoided.
The authentication information can be attached in an option (Option) field of the NA message, whose format is shown in Fig. 3. The type (Type) field indicates that this Option carries authentication information, the length (Length) field indicates the length of the Option, and the value (Value) field carries the authentication information itself.
Step 204: NAS2 receives the NA message carrying IP Address1 from its network-side port and authenticates the authentication information carried in it; if authentication succeeds, the binding entry containing IP Address1 is deleted from NAS2.
After NAS2 receives the NA message carrying IP Address1, it may first judge whether the NA message carries authentication information; if not, it discards the NA message. If it does, the authentication information is authenticated, and if authentication fails the NA message is discarded. In the present embodiment authentication succeeds, which shows that a user on the same link is already using IP Address1 and that PC2, which accesses NAS2, is an illegitimate user of IP Address1; NAS2 therefore deletes its local binding entry containing IP Address1, preventing PC2 from accessing the network with IP Address1. In addition, after successful authentication the information in the deleted binding entry can be reported to the network management system so that it can identify the attacker from that information.
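The exchange of steps 201 to 204 as an added, runnable model that is not part of the patent: two access devices keep bindings only for their own user-side ports, NAS1 appends the Fig. 3 style Type/Length/Value option to the NA it receives from PC1, and NAS2 deletes its spoofed binding only when that option authenticates. The patent does not fix the authentication algorithm or the Option type; a link-wide shared secret with HMAC-SHA256, the option type number and the link-layer address of PC2 are assumptions here.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# The patent leaves the authentication scheme open, saying only that the
# access devices on a link agree on it jointly. This example assumes a
# link-wide shared secret and an HMAC-SHA256 tag over the target address.
LINK_SECRET = b"constructed-link-secret-for-demo"   # constructed value
AUTH_OPTION_TYPE = 253   # placeholder Option Type number, not from the patent


@dataclass
class Binding:
    """Binding entry: IP address, link-layer address and user-side port."""
    ip: str
    link_addr: str
    port: str


@dataclass
class NaMessage:
    """NA message: the target address plus an optional Fig. 3 style option."""
    target_ip: str
    auth_option: Optional[bytes] = None


def make_auth_option(target_ip: str) -> bytes:
    """Build the Type / Length / Value option carrying the authentication tag."""
    tag = hmac.new(LINK_SECRET, target_ip.encode(), hashlib.sha256).digest()
    # Length is taken to cover the whole option (2 header bytes + value)
    return struct.pack("!BB", AUTH_OPTION_TYPE, 2 + len(tag)) + tag


def verify_auth_option(target_ip: str, option: bytes) -> bool:
    """Parse the option and check the tag in constant time."""
    if len(option) < 2:
        return False
    opt_type, opt_len = struct.unpack("!BB", option[:2])
    if opt_type != AUTH_OPTION_TYPE or opt_len != len(option):
        return False
    expected = hmac.new(LINK_SECRET, target_ip.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(option[2:], expected)


class AccessDevice:
    """One NAS that keeps binding entries only for its own user-side ports."""

    def __init__(self, name: str):
        self.name = name
        self.bindings: dict = {}

    # Step 201: DAD NS from a user-side port (first judging unit logic)
    def dad_ns_from_user_port(self, ip: str, link_addr: str, port: str) -> str:
        entry = self.bindings.get(ip)
        if entry is None:
            self.bindings[ip] = Binding(ip, link_addr, port)
            return "forward"       # new entry; DAD NS goes out the network side
        if (entry.link_addr, entry.port) == (link_addr, port):
            return "forward"       # same terminal, entry fully matches
        return "drop"              # another terminal already holds this IP here

    # Step 202: DAD NS from the network-side port (aging is not modelled here)
    def dad_ns_from_network_port(self, ip: str) -> str:
        return "forward"           # forwarded; the NA reply is then awaited

    # Step 203: NA from a user-side port gets the authentication option appended
    def na_from_user_port(self, na: NaMessage) -> NaMessage:
        na.auth_option = make_auth_option(na.target_ip)
        return na

    # Step 204: NA from the network-side port within the DAD detection time
    def na_from_network_port(self, na: NaMessage) -> str:
        if na.auth_option is None:
            return "drop"          # no authentication information: discard
        if not verify_auth_option(na.target_ip, na.auth_option):
            return "drop"          # authentication failed: discard
        if self.bindings.pop(na.target_ip, None) is None:
            return "no-binding"
        return "deleted"           # a legitimate user holds the IP elsewhere


def run_fig1_scenario() -> dict:
    """PC1 (legitimate) on NAS1, PC2 claiming IP Address1 on NAS2."""
    nas1, nas2 = AccessDevice("NAS1"), AccessDevice("NAS2")
    nas1.dad_ns_from_user_port("IP Address1", "LA1", "user-side port 1")
    results = {}
    # "LA2-demo" stands in for the link-layer address of PC2 (constructed)
    results["step201"] = nas2.dad_ns_from_user_port("IP Address1", "LA2-demo", "user-side port 2")
    results["step202"] = nas1.dad_ns_from_network_port("IP Address1")
    na = nas1.na_from_user_port(NaMessage("IP Address1"))      # PC1's reply
    results["step204"] = nas2.na_from_network_port(na)
    # An NA arriving on the network side without the option is discarded
    results["unauthenticated"] = nas1.na_from_network_port(NaMessage("IP Address1"))
    results["nas2_has_entry"] = "IP Address1" in nas2.bindings
    results["nas1_has_entry"] = "IP Address1" in nas1.bindings
    return results


if __name__ == "__main__":
    print(run_fig1_scenario())
```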
Embodiment two.
When a user terminal moves from one access device to another, or from one user-side port of an access device to another, it can send a Confirm message carrying the IP address to be detected to the access device it has moved to, in order to detect whether it can continue to use that IP address. An illegitimate user can likewise send a Confirm message on another access device on the same link to access the network with a spoofed IP address; this case is described in the present embodiment. Again taking the structure shown in Fig. 1 as an example, suppose user terminal PC1 is the legitimate user of IP Address1, its link-layer address is LA1, and PC1 accesses NAS1, so that NAS1 has generated a binding entry containing IP Address1, LA1 and user-side port 1. If illegitimate user PC2 now accesses NAS2 and sends a Confirm message claiming IP Address1, the method provided by the present invention comprises the following steps, as shown in Fig. 4:
Step 401: NAS2 receives from user-side port 2 the Confirm message carrying IP Address1 sent by PC2, generates a binding entry containing IP Address1, user-side port 2 and the link-layer address of PC2, and generates and sends a DAD NS message carrying IP Address1.
In this step, after NAS2 receives the Confirm message, it first judges whether a binding entry containing IP Address1 has been generated locally. If so, it further judges whether user-side port 2 and the source link-layer address of the Confirm message match the local binding entry containing IP Address1. If they do not match, NAS2 sends a probe message through the user-side port recorded in the existing binding entry to detect whether the original user terminal still exists; if it does, NAS2 replies to PC2 that IP Address1 is unavailable; if it does not, PC2 may be the original legitimate user that has moved from one user-side port of NAS2 to another, and the Confirm message is used to update the binding entry containing IP Address1. In the present embodiment NAS2 does not yet hold a binding entry containing IP Address1, so NAS2 generates a binding entry containing IP Address1, user-side port 2 and the link-layer address of PC2.
In addition, after NAS2 generates the binding entry it needs to further verify the legitimacy of that entry; it therefore constructs locally a DAD NS message carrying IP Address1 and sends it through the network-side port.
The subsequent steps 402 to 404 are identical to steps 202 to 204 of embodiment one and are not repeated here.
In both embodiments the binding entries have an aging mechanism, specifically: if a user-side port of the access device goes down, or no ND message fully matching a binding entry is received from its user-side port within a set time, the user device accessing through that user-side port may have migrated, and the aging process of the corresponding binding entry is started. If the access device receives through the user-side port an ND message fully matching a local binding entry, the user device corresponding to that entry still exists, and the aging process of the entry is cancelled. If a binding entry reaches its aging time after entering the aging process, the entry is deleted. If the access device receives from its network-side port a DAD NS message whose IP address and link-layer address match a binding entry, and that entry has already started its aging process, the user device corresponding to that entry has indeed migrated, and the entry is deleted.
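The four aging rules above, together with the migration check of step 202, as an added example that is not part of the patent: a binding table with explicit timers and a timeline in which PC1 goes quiet, its entry starts aging, and a DAD NS for the same IP and link-layer address then arrives from the network side. The idle and aging timer values are assumptions, since the patent only speaks of a "set time" and an "aging time".

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Timer values are assumptions; the patent gives no numbers.
IDLE_TIME = 120.0    # seconds without a fully matching ND message before aging starts
AGING_TIME = 300.0   # seconds after aging starts until the entry is deleted


@dataclass
class Binding:
    ip: str
    link_addr: str
    port: str
    last_seen: float                   # time of the last fully matching ND message
    aging_since: Optional[float] = None


class BindingTable:
    """Binding entries of one access device with the patent's aging rules."""

    def __init__(self) -> None:
        self.entries: Dict[str, Binding] = {}

    def add(self, ip: str, link_addr: str, port: str, now: float) -> None:
        self.entries[ip] = Binding(ip, link_addr, port, now)

    def is_aging(self, ip: str) -> bool:
        e = self.entries.get(ip)
        return e is not None and e.aging_since is not None

    # Rule 1a: a user-side port goes down -> start aging every entry on it
    def port_down(self, port: str, now: float) -> List[str]:
        started = []
        for e in self.entries.values():
            if e.port == port and e.aging_since is None:
                e.aging_since = now
                started.append(e.ip)
        return started

    # Rule 2: fully matching ND message on the user-side port -> cancel aging
    def nd_from_user_port(self, ip: str, link_addr: str, port: str, now: float) -> bool:
        e = self.entries.get(ip)
        if e is None or (e.link_addr, e.port) != (link_addr, port):
            return False              # not a full match; entry untouched
        e.last_seen, e.aging_since = now, None
        return True

    # Rule 1b and rule 3: periodic check for idle entries and expired aging timers
    def tick(self, now: float) -> List[str]:
        deleted = []
        for ip, e in list(self.entries.items()):
            if e.aging_since is None and now - e.last_seen >= IDLE_TIME:
                e.aging_since = now   # no matching ND within the set time
            elif e.aging_since is not None and now - e.aging_since >= AGING_TIME:
                del self.entries[ip]  # aging time reached
                deleted.append(ip)
        return deleted

    # Rule 4 / step 202: DAD NS from the network side matching IP and link address
    def dad_ns_from_network_port(self, ip: str, link_addr: str) -> str:
        e = self.entries.get(ip)
        if e is not None and e.link_addr == link_addr and e.aging_since is not None:
            del self.entries[ip]      # the terminal really migrated to another NAS
            return "migrated-deleted"
        return "forward"              # forward the DAD NS and listen for the NA


def run_migration_timeline() -> dict:
    """PC1 on NAS1 falls silent, then its DAD NS shows up on the network side."""
    t = BindingTable()
    trace = {}
    t.add("IP Address1", "LA1", "user-side port 1", now=0.0)
    trace["t50_match"] = t.nd_from_user_port("IP Address1", "LA1", "user-side port 1", 50.0)
    t.tick(100.0)
    trace["t100_aging"] = t.is_aging("IP Address1")    # 50 s idle: not yet
    t.tick(200.0)
    trace["t200_aging"] = t.is_aging("IP Address1")    # 150 s idle: aging started
    # while aging, a matching DAD NS from the network side proves migration
    trace["t250_dad_ns"] = t.dad_ns_from_network_port("IP Address1", "LA1")
    trace["present"] = "IP Address1" in t.entries
    return trace


if __name__ == "__main__":
    print(run_migration_timeline())
```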
It should be noted that the network-side port may be the port through which the access device connects to the upstream switching device, or a port connected to another access device.
The above is a detailed description of the method provided by the present invention; the access device provided by the present invention is described in detail below. As shown in Fig. 5, the access device may comprise: an entry generation unit 501, a message processing unit 502, an authentication processing unit 503 and an entry processing unit 504.
The entry generation unit 501, when the access device receives from a user-side port a DAD NS message or a Confirm message carrying an IP address to be detected, generates a binding entry containing the IP address to be detected and sends a first notification to the message processing unit 502.
The message processing unit 502, on receiving the first notification, sends a DAD NS message carrying the IP address to be detected through the network-side port.
The authentication processing unit 503, when the access device receives from the network-side port an NA message carrying the IP address to be detected within the set DAD detection time, authenticates the authentication information attached to that NA message and, if authentication passes, sends a deletion notification to the entry processing unit 504; when the access device receives from a user-side port an NA message carrying the IP address to be detected, it attaches authentication information to that NA message.
The entry processing unit 504, on receiving the deletion notification, deletes the binding entry containing the IP address to be detected.
The authentication information is agreed upon jointly by the access devices on the same link and is known only to the access devices on that link.
For the case where the access device receives a DAD NS message from a user-side port, the access device may further comprise a first judging unit 505. When the access device receives from a user-side port a DAD NS message carrying the IP address to be detected, the first judging unit 505 judges whether a binding entry containing the IP address to be detected already exists locally on the access device; if not, it allows the entry generation unit 501 to generate the binding entry containing the IP address to be detected. If so, it further judges whether the user-side port on which the DAD NS message was received and the source link-layer address of the DAD NS message match the existing binding entry containing the IP address to be detected; if they match, it notifies the message processing unit 502 to forward the received DAD NS message and prohibits the entry generation unit 501 from generating the binding entry; if they do not match, it notifies the message processing unit 502 to discard the received DAD NS message and prohibits the entry generation unit 501 from generating the binding entry.
For the case where the access device receives a Confirm message from a user-side port, the access device may further comprise a second judging unit 506 and a terminal probing unit 507.
When the access device receives from a user-side port a Confirm message carrying the IP address to be detected, the second judging unit 506 judges whether a binding entry containing the IP address to be detected already exists locally on the access device; if not, it allows the entry generation unit 501 to generate the binding entry containing the IP address to be detected. If so, it further judges whether the user-side port on which the Confirm message was received and the source link-layer address of the Confirm message match the existing binding entry containing the IP address to be detected; if they do not match, it sends a probe notification to the terminal probing unit 507 and prohibits the entry generation unit 501 from generating the binding entry.
The terminal probing unit 507, on receiving the probe notification, sends a probe message using the binding entry containing the IP address to be detected. If it detects that the user terminal corresponding to the existing binding entry still exists, it replies through the user-side port on which the Confirm message was received that the IP address to be detected is unavailable; if it detects that the user terminal corresponding to the existing binding entry no longer exists, it notifies the entry processing unit 504 to update the existing local binding entry containing the IP address to be detected using the Confirm message.
In this case, when the message processing unit 502 receives the first notification, it has the access device generate locally a DAD NS message carrying the IP address to be detected and sends that DAD NS message through the network-side port.
Because the access device may also receive from its network-side port a DAD NS message sent by another access device, the access device may further comprise a third judging unit 508. When the access device receives from the network-side port a DAD NS message carrying the IP address to be detected, the third judging unit 508 judges whether a binding entry containing the IP address to be detected already exists locally on the access device; if not, it notifies the message processing unit 502 to forward the DAD NS message.
Further, the access device may comprise a fourth judging unit 509. When the access device receives from the network-side port an NA message carrying the IP address to be detected within the set DAD detection time, the fourth judging unit 509 judges whether the NA message carries authentication information; if not, it notifies the message processing unit 502 to discard the NA message; if so, it notifies the authentication processing unit 503 to authenticate the authentication information attached to the NA message.
If the authentication processing unit 503 fails to authenticate the authentication information attached to the NA message, it notifies the message processing unit 502 to discard the NA message.
In addition, the aging mechanism of binding entries is embodied in the entry processing unit 504 as follows: if the user-side port corresponding to a binding entry on the access device goes down, or the access device does not receive from the user-side port an ND message fully matching the binding entry within a set time, it starts the aging process of that binding entry; if the access device receives through the user-side port an ND message fully matching the binding entry, it cancels the aging process of that binding entry; if the binding entry reaches its aging time after entering the aging process, it deletes the binding entry; if the access device receives through the network-side port a DAD NS message whose IP address and link-layer address match the binding entry, and the binding entry has already started its aging process, it deletes the binding entry.
As can be seen from the above description, the present invention attaches authentication information to NA messages received from user-side ports, so that an access device can authenticate the authentication information in an NA message carrying the IP address to be detected that it receives from its network-side port. If authentication passes, the IP address to be detected is determined to be already in use by a legitimate user on another access device on the same link, so the local binding entry generated for this IP address from a DAD NS or Confirm message may belong to an attacker, and the local binding entry containing the IP address to be detected is deleted. In a deployment where each access device establishes binding entries only for the user terminals that access that device, this effectively prevents attacks by illegitimate users using spoofed IP addresses.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (12)

1. a method that prevents that counterfeit IP address from being attacked, is characterized in that, the method comprises:
When access device receives the duplicate address detection neighbor request DAD NS message that carries IP to be detected address or address and determines the Confirm message from user-side port, the binding list item that generation comprises described IP to be detected address, and send the DAD NS message that carries described IP to be detected address by network-side port;
If described access device receives from network-side port the NA message that carries described IP to be detected address at setting DAD in detection time, additional authentication information in this NA message is authenticated, if authentication is passed through, delete the binding list item that comprises described IP to be detected address;
Wherein, described authentication information is that other access device in same link adds when user-side port is received the NA message that carries described IP to be detected address this NA message with described access device.
2. method according to claim 1, it is characterized in that, when described access device receives from user-side port the DAD NS message that carries IP to be detected address, before the binding list item that comprises described IP to be detected address in generation, also comprise: the local binding list item that comprises described IP to be detected address that whether existed of described access device judgement, if not, continue to carry out the binding list item that described generation comprises described IP to be detected address; If, further whether the source link address of the user-side port of this DAD NS message of judgement reception and DAD NS message mates with the binding list item that comprises described IP to be detected address existed, if coupling, forward the DAD NS message received, process ends; If do not mate, abandon the DAD NS message received, process ends.
3. The method according to claim 1, characterized in that, when the access device receives a Confirm message carrying the IP address to be detected from a user-side port, before generating the binding table entry containing the IP address to be detected, the method further comprises: the access device determining whether a binding table entry containing the IP address to be detected already exists locally; if not, continuing to generate the binding table entry containing the IP address to be detected;
If so, further determining whether the user-side port on which this Confirm message was received and the source link-layer address of the Confirm message match the existing binding table entry containing the IP address to be detected; if they do not match, sending a probe message using the existing binding table entry containing the IP address to be detected; if the probe shows that the user terminal corresponding to the existing binding table entry still exists, replying through the user-side port on which the Confirm message was received that the IP address to be detected is unavailable, and ending the process; if the probe shows that the user terminal corresponding to the existing binding table entry no longer exists, updating the locally existing binding table entry containing the IP address to be detected with the Confirm message;
Sending the DAD NS message carrying the IP address to be detected through the network-side port specifically comprises: the access device generating a DAD NS message carrying the IP address to be detected and sending this DAD NS message through the network-side port.
4. The method according to any one of claims 1 to 3, characterized in that the method further comprises: when the other access device receives, from its network-side port, the DAD NS message carrying the IP address to be detected, determining whether a binding table entry containing the IP address to be detected already exists locally, and if not, forwarding the DAD NS message.
5. The method according to any one of claims 1 to 3, characterized in that, before authenticating the authentication information attached to the NA message, the method further comprises: determining whether the NA message carries authentication information; if not, discarding the NA message; if so, continuing to authenticate the authentication information attached to the NA message;
If authentication of the authentication information attached to the NA message fails, discarding the NA message.
6. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
If the user-side port corresponding to the binding table entry on the access device goes down, or no ND message fully matching the binding table entry is received from the user-side port within a set time, starting the aging process for the binding table entry;
If the access device receives, through a user-side port, an ND message fully matching the binding table entry, cancelling the aging process for the binding table entry;
If the binding table entry reaches its aging time after entering the aging process, deleting the binding table entry;
If a DAD NS message whose IP address and link-layer address match the binding table entry is received from the network-side port, and the aging process for the binding table entry has already started, deleting the binding table entry.
7. An access device, characterized in that the access device comprises: a table entry generation unit, a message processing unit, an authentication processing unit and a table entry processing unit;
The table entry generation unit is configured to, when the access device receives a DAD NS message or a Confirm message carrying the IP address to be detected from a user-side port, generate a binding table entry containing the IP address to be detected and send a first notification to the message processing unit;
The message processing unit is configured to, on receiving the first notification, send a DAD NS message carrying the IP address to be detected through the network-side port;
The authentication processing unit is configured to, when the access device receives an NA message carrying the IP address to be detected from the network-side port within the set DAD detection time, authenticate the authentication information attached to the NA message and, if authentication passes, send a deletion notification to the table entry processing unit; and, when the access device receives an NA message carrying the IP address to be detected from a user-side port, attach authentication information to the NA message;
The table entry processing unit is configured to, on receiving the deletion notification, delete the binding table entry containing the IP address to be detected.
8. The access device according to claim 7, characterized in that the access device further comprises: a first judging unit configured to, when the access device receives a DAD NS message carrying the IP address to be detected from a user-side port, determine whether a binding table entry containing the IP address to be detected already exists locally on the access device; if not, allow the table entry generation unit to generate the binding table entry containing the IP address to be detected; if so, further determine whether the user-side port on which the DAD NS message was received and the source link-layer address of the DAD NS message match the existing binding table entry containing the IP address to be detected; if they match, notify the message processing unit to forward the received DAD NS message and prevent the table entry generation unit from generating the binding table entry containing the IP address to be detected; if they do not match, notify the message processing unit to discard the received DAD NS message and prevent the table entry generation unit from generating the binding table entry containing the IP address to be detected.
9. The access device according to claim 7, characterized in that the access device further comprises: a second judging unit and a terminal probing unit;
The second judging unit is configured to, when the access device receives a Confirm message carrying the IP address to be detected from a user-side port, determine whether a binding table entry containing the IP address to be detected already exists locally on the access device; if not, allow the table entry generation unit to generate the binding table entry containing the IP address to be detected; if so, further determine whether the user-side port on which the Confirm message was received and the source link-layer address of the Confirm message match the existing binding table entry containing the IP address to be detected; if they do not match, send a probe notification to the terminal probing unit and prevent the table entry generation unit from generating the binding table entry containing the IP address to be detected;
The terminal probing unit is configured to, on receiving the probe notification, send a probe message using the binding table entry containing the IP address to be detected; if the probe shows that the user terminal corresponding to the existing binding table entry still exists, reply through the user-side port on which the Confirm message was received that the IP address to be detected is unavailable; if the probe shows that the user terminal corresponding to the existing binding table entry no longer exists, notify the table entry processing unit to update the locally existing binding table entry containing the IP address to be detected with the Confirm message;
The message processing unit, on receiving the first notification, generates a DAD NS message carrying the IP address to be detected and sends this DAD NS message through the network-side port.
10. The access device according to any one of claims 7 to 9, characterized in that the access device further comprises: a third judging unit configured to, when the access device receives a DAD NS message carrying the IP address to be detected from the network-side port, determine whether a binding table entry containing the IP address to be detected already exists locally on the access device, and if not, notify the message processing unit to forward the DAD NS message.
11. The access device according to any one of claims 7 to 9, characterized in that the access device further comprises: a fourth judging unit configured to, when the access device receives an NA message carrying the IP address to be detected from the network-side port within the set DAD detection time, determine whether the NA message carries authentication information; if not, notify the message processing unit to discard the NA message; if so, notify the authentication processing unit to authenticate the authentication information attached to the NA message;
If the authentication processing unit fails to authenticate the authentication information attached to the NA message, it notifies the message processing unit to discard the NA message.
12. The access device according to any one of claims 7 to 9, characterized in that the table entry processing unit is further configured to: if the user-side port corresponding to the binding table entry on the access device goes down, or the access device does not receive from the user-side port an ND message fully matching the binding table entry within a set time, start the aging process for the binding table entry; if the access device receives, through a user-side port, an ND message fully matching the binding table entry, cancel the aging process for the binding table entry; if the binding table entry reaches its aging time after entering the aging process, delete the binding table entry; if the access device receives, through the network-side port, a DAD NS message whose IP address and link-layer address match the binding table entry, and the aging process for the binding table entry has already started, delete the binding table entry.
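The following is an added worked example, not code from the patent or from H3C, that simulates the binding-table logic of claims 2 to 6 (and the unit-based restatement of it in claims 7 to 12) on a single access device. The patent does not specify what the "authentication information" attached to an NA message is; the example assumes it is an HMAC over the detected address under a key shared by the access devices on one link, assumes all timers are driven by an explicit `now` argument, and passes the result of the claim 3 terminal probe in as a callback. All names, addresses and timer values are constructed.

```python
"""Added example: binding-table state machine of claims 2-6 / 7-12.
Not patent or product code. Assumed: authentication information is an
HMAC-SHA256 over the IP under a per-link shared key (constructed)."""
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional

LINK_KEY = b"constructed-shared-link-key"  # assumed per-link shared key
DAD_DETECT_TIME = 1.0   # network-side detection window, seconds (assumed)
ND_IDLE_TIME = 30.0     # no matching ND for this long -> start aging (assumed)
AGING_TIME = 60.0       # binding deleted this long after aging starts (assumed)


def auth_info(ip: str) -> bytes:
    """Authentication information an access device attaches to an NA that it
    received from a user-side port (assumed HMAC-SHA256 over the address)."""
    return hmac.new(LINK_KEY, ip.encode(), hashlib.sha256).digest()


@dataclass
class Binding:
    ip: str
    link_addr: str
    port: str
    last_nd: float
    aging_since: Optional[float] = None  # None means not in the aging process


@dataclass
class AccessDevice:
    bindings: dict = field(default_factory=dict)
    net_out: list = field(default_factory=list)  # messages sent network-side

    def _create(self, ip, link_addr, port, now) -> str:
        self.bindings[ip] = Binding(ip, link_addr, port, now)
        self.net_out.append(("DAD_NS", ip))  # claim 1: probe the network side
        return "created"

    # Claim 2: DAD NS from a user-side port.
    def user_dad_ns(self, ip, link_addr, port, now) -> str:
        b = self.bindings.get(ip)
        if b is None:
            return self._create(ip, link_addr, port, now)
        if (b.link_addr, b.port) == (link_addr, port):
            return "forwarded"  # same terminal repeating its DAD
        return "dropped"        # another terminal claiming a bound address

    # Claim 3: Confirm from a user-side port; `alive` is an assumed probe
    # callback reporting whether the currently bound terminal still answers.
    def user_confirm(self, ip, link_addr, port, now,
                     alive: Callable[[Binding], bool]) -> str:
        b = self.bindings.get(ip)
        if b is None:
            return self._create(ip, link_addr, port, now)
        if (b.link_addr, b.port) == (link_addr, port):
            return "matched"
        if alive(b):
            return "unavailable"  # reply on `port` that the address is taken
        self.bindings[ip] = Binding(ip, link_addr, port, now)
        return "updated"

    # Claim 4 and the last branch of claim 6: DAD NS from the network side.
    def network_dad_ns(self, ip, link_addr) -> str:
        b = self.bindings.get(ip)
        if b is None:
            return "forwarded"
        if b.link_addr == link_addr and b.aging_since is not None:
            del self.bindings[ip]  # terminal moved to another access device
            return "deleted"
        return "kept"

    # Claim 5: NA from the network side within the detection window.
    def network_na(self, ip, auth: Optional[bytes], elapsed) -> str:
        if elapsed > DAD_DETECT_TIME or ip not in self.bindings:
            return "ignored"
        if auth is None or not hmac.compare_digest(auth, auth_info(ip)):
            return "dropped"   # NA without valid authentication is ignored
        del self.bindings[ip]  # address really is in use elsewhere
        return "deleted"

    # Claim 6: aging driven by ND traffic, port state and timers.
    def user_nd(self, ip, link_addr, port, now) -> None:
        b = self.bindings.get(ip)
        if b and (b.link_addr, b.port) == (link_addr, port):
            b.last_nd, b.aging_since = now, None  # cancel aging

    def port_down(self, port, now) -> None:
        for b in self.bindings.values():
            if b.port == port and b.aging_since is None:
                b.aging_since = now

    def tick(self, now) -> list:
        expired = []
        for b in list(self.bindings.values()):
            if b.aging_since is None and now - b.last_nd >= ND_IDLE_TIME:
                b.aging_since = now
            if b.aging_since is not None and now - b.aging_since >= AGING_TIME:
                expired.append(b.ip)
                del self.bindings[b.ip]
        return expired
```

The point of `network_na` is the one the claims turn on: an NA arriving from the network side only removes a binding when it carries authentication information that verifies, so a forged NA injected to free up a bound address is discarded, while an NA that another access device on the link has authenticated is honoured. The aging rules in `tick`, `user_nd`, `port_down` and `network_dad_ns` keep the table from pinning an address to a terminal that has left or moved.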
CN 201010103859 2010-01-22 2010-01-22 Method and access equipment for preventing imitating internet protocol (IP) address to attack Active CN102137073B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010103859 CN102137073B (en) 2010-01-22 2010-01-22 Method and access equipment for preventing imitating internet protocol (IP) address to attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010103859 CN102137073B (en) 2010-01-22 2010-01-22 Method and access equipment for preventing imitating internet protocol (IP) address to attack

Publications (2)

Publication Number Publication Date
CN102137073A CN102137073A (en) 2011-07-27
CN102137073B true CN102137073B (en) 2013-12-25

Family

ID=44296731

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010103859 Active CN102137073B (en) 2010-01-22 2010-01-22 Method and access equipment for preventing imitating internet protocol (IP) address to attack

Country Status (1)

Country Link
CN (1) CN102137073B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102291441B (en) * 2011-08-02 2015-01-28 杭州迪普科技有限公司 Method and security agent device for protecting against attack of synchronize (SYN) Flood
CN106230781A (en) * 2016-07-18 2016-12-14 杭州迪普科技有限公司 The method and device preventing network attack of sing on web authentication techniques
CN106254245A (en) * 2016-07-29 2016-12-21 杭州迪普科技有限公司 A kind of method and device managing list item
CN108848087B (en) * 2018-06-06 2020-11-27 浙江农林大学暨阳学院 DAD process malicious NA message suppression method suitable for SEND protocol
CN110611678B (en) * 2019-09-24 2022-05-20 锐捷网络股份有限公司 Method for identifying message and access network equipment
CN111064824B (en) * 2019-12-29 2022-05-13 苏州浪潮智能科技有限公司 Method, device, equipment and medium for verifying addition and deletion of IP address of port of switch
CN114629689B (en) * 2022-02-24 2023-10-03 广东电网有限责任公司 IP address fraud recognition method, device, computer equipment and storage medium
CN115225612B (en) * 2022-06-29 2023-11-14 济南浪潮数据技术有限公司 Management method, device, equipment and medium for K8S cluster reserved IP

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006042392A1 (en) * 2004-10-18 2006-04-27 Entrust Limited Method and apparatus for providing mutual authentication between a sending unit and a recipient
CN101052015A (en) * 2007-05-22 2007-10-10 中兴通讯股份有限公司 User access method for IP network
CN101552783A (en) * 2009-05-20 2009-10-07 杭州华三通信技术有限公司 Method and apparatus for preventing counterfeit message attack
CN101572712A (en) * 2009-06-09 2009-11-04 杭州华三通信技术有限公司 Method for preventing attack of counterfeit message and repeater equipment thereof

Also Published As

Publication number Publication date
CN102137073A (en) 2011-07-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.