CN102196054A - Routing device and related control circuit - Google Patents

Info

Publication number: CN102196054A
Authority: CN (China)
Legal status: Granted
Application number: CN2010101305460A
Other languages: Chinese (zh)
Other versions: CN102196054B
Inventor: 邬培麟
Current assignee: ZHENGWEN SCI-TECH Co Ltd; Gemtek Technology Co Ltd
Original assignee: ZHENGWEN SCI-TECH Co Ltd
Application filed by ZHENGWEN SCI-TECH Co Ltd; priority to CN2010101305460A
Published as CN102196054A; granted and published as CN102196054B
Legal status: Active

Abstract

The invention provides a control circuit for a routing device, comprising an input/output interface and a processor coupled to the input/output interface. When an Internet protocol address of a first network segment has accessed other network segments multiple times and a preset condition is satisfied, the processor sets the address resolution information of that Internet protocol address as unchangeable. The control circuit effectively improves the routing device's ability to identify forged address resolution packets, thereby enhancing its defensive and warning capability against ARP (Address Resolution Protocol) attacks.

Description

Routing device and related control circuit
Technical field
The present invention relates to network communication devices, and in particular to a routing device and a related control circuit having improved defence capability against address resolution attacks.
Background technology
Address Resolution Protocol (ARP) information plays an important role in Ethernet communication, yet the address resolution information held by terminal devices or routing devices in a conventional local area network is easily corrupted by attackers or malicious programs using so-called ARP spoofing.
Because the routing device is the key piece of equipment responsible for data exchange between the local area network and other network segments, once the address resolution information in the routing device is damaged by an ARP attack, the terminal devices in the local area network can no longer communicate with other network segments (for example the Internet), which is a serious problem.
One known way to protect the address resolution information in the routing device from ARP attacks is to have the network administrator set every entry manually. This method is impractical in many network environments. For example, in networks with dynamically assigned Internet protocol addresses, in wireless networks where terminal devices frequently change location, or in networks with a very large number of terminal devices or a complex architecture, requiring the administrator to set the huge and constantly changing set of address resolution entries in the routing device one by one is clearly unrealistic.
Summary of the invention
In view of this, how to improve the defence capability of a routing device against ARP attacks is a problem that remains to be solved in real systems.
This specification provides an embodiment of a control circuit for a routing device, comprising: an input/output interface; and a processor coupled to the input/output interface. When the processor receives an address resolution packet and the address resolution information it contains for an Internet protocol address of a first network segment differs from the record in the routing device, then if that Internet protocol address has previously accessed other network segments at least once and a predetermined condition is met, the processor does not update the address resolution information of that Internet protocol address.
This specification also provides an embodiment of a control circuit for a routing device, comprising: an input/output interface; and a processor coupled to the input/output interface. When an Internet protocol address of a first network segment has accessed other network segments multiple times and a predetermined condition is met, the processor sets the address resolution information of that Internet protocol address as unchangeable.
This specification further provides an embodiment of a routing device comprising a control circuit. When a first network packet is received, if the source Internet protocol address of the packet lies in a first network segment, its destination Internet protocol address points to a second network segment, its destination physical address differs from the physical address of the routing device, and the source Internet protocol address meets a predetermined condition, the control circuit generates a second network packet having the same destination Internet protocol address as the first network packet and a source physical address equal to the physical address of the routing device. The predetermined condition is selected from the group consisting of: (a) the time since the source Internet protocol address previously accessed other network segments is less than a scheduled time length; (b) the frequency with which the source Internet protocol address accesses other network segments reaches a preset frequency; (c) the number of times the source Internet protocol address has accessed other network segments reaches a predetermined number; and (d) the physical communication port used when the source Internet protocol address previously accessed other network segments is the same as the physical communication port on which the network packet is received.
One advantage of the present invention is that it effectively improves the routing device's ability to identify forged address resolution packets, thereby enhancing its defensive and/or warning capability against ARP attacks.
Another advantage of the present invention is that the routing device can dynamically decide, based on how each Internet protocol address accesses other network segments, whether to allow the address resolution information of an individual Internet protocol address to be changed, without intervention by the network administrator, so it is applicable to a wide variety of network environments.
Another advantage of the present invention is that the routing device only needs to analyse the related connection record of a network packet's source Internet protocol address accessing other network segments in order to judge quickly and automatically whether the packet is valid and to determine the subsequent processing action, without spending additional computing capacity reading the packet's payload, which effectively improves the security of network messages.
Another advantage of the present invention is that even if the address resolution information in a terminal device in the local area network is damaged by an ARP attack, the routing device can still maintain communication between that terminal device and the Internet or other network segments, significantly reducing the threat posed by ARP attacks to network communication.
Description of drawings
Fig. 1 is a simplified schematic diagram of an embodiment of the network system of the present invention.
Fig. 2 is a functional block diagram of an embodiment of the control circuit of the present invention.
Fig. 3 is a flow chart of a first embodiment of the address resolution information management method of the present invention.
Fig. 4 is a schematic diagram of an embodiment of the related connection record of a specific Internet protocol address according to the present invention.
Fig. 5 is a schematic diagram of a specific Internet protocol address accessing other network segments by TCP transmission.
Fig. 6 is a schematic diagram of a specific Internet protocol address accessing other network segments by UDP transmission.
Fig. 7 is a flow chart of a second embodiment of the address resolution information management method of the present invention.
Fig. 8 is a flow chart of an embodiment of the network packet processing method of the present invention.
[Main element symbol description]
100 network system
110 routing device
112 control circuit
114, 116 network interfaces
118 storage medium
120 local area network
122, 124, 126 terminal devices
128 hub
130 other network segments
210 processor
220 input/output interface
400 connection record sheet
410, 420, 430, 440, 450, 460 columns
402, 404, 406 rows
Embodiment
Embodiments of the invention are described below with reference to the accompanying drawings. In these drawings, identical reference numerals denote identical or similar elements or process steps.
Throughout the specification and the claims that follow, certain terms are used to refer to specific elements. Those skilled in the art will understand that manufacturers may refer to the same element by different names. This specification and the claims do not distinguish elements by differences in name but by differences in function. The term "comprising" used throughout the specification and claims is open-ended and should be construed as "including but not limited to". In addition, the term "couple" covers any direct or indirect means of connection. Thus, if a first device is described as coupled to a second device, the first device may be connected to the second device directly (including by electrical connection, wireless transmission, optical transmission or other signal connections), or indirectly, electrically or by signal, through other devices or connection means.
Fig. 1 is a simplified schematic diagram of a network system 100 according to one embodiment of the invention. In network system 100, the routing device (also called a gateway) 110 is the communication bridge between the local area network 120 and other network segments (for example the Internet) 130. In this embodiment the routing device 110 comprises a control circuit 112, a network interface 114 for communicating with the local area network 120, a network interface 116 for communicating with other network segments 130, and a storage medium 118. In practice, routing device 110 may be a dedicated network device, or it may be realised as software or an operating program with packet forwarding capability installed on a general-purpose computer.
Communication between routing device 110 and local area network 120, and between routing device 110 and other network segments 130, may be achieved by wired or wireless transmission. Accordingly, network interface 114 and network interface 116 may be conventional wired network interfaces or wireless communication interfaces. Storage medium 118 stores the routing information and address resolution information required for the operation of routing device 110. Storage medium 118 may be a storage device built into routing device 110, an external storage device, or a combination of both.
As shown in Fig. 1, the local area network 120 contains a plurality of terminal devices (terminal devices 122, 124 and 126 are illustrated as examples). These terminal devices may be mobile phones, computers, PDAs, set-top boxes, game consoles or any other equipment with network access capability. In practice, the terminal devices in local area network 120 may be interconnected in a wired or wireless manner through one or more hubs (or switches) 128, forming a complex or relatively large local area network environment, and coupled to the network interface 114 of routing device 110.
The operation of routing device 110 of the present invention is further described below with reference to Fig. 2 and Fig. 3.
Fig. 2 is a functional block diagram of an embodiment of the control circuit 112 of the present invention. In this embodiment, control circuit 112 comprises a processor 210 and an input/output interface 220. Input/output interface 220 is coupled to network interface 114, network interface 116 and storage medium 118 of routing device 110, and is used to transfer data between processor 210 and network interfaces 114, 116 and storage medium 118.
Fig. 3 is a flow chart 300 of an embodiment of the address resolution information management method of routing device 110 of the present invention.
In step 310, when routing device 110 has just established a connection relationship with local area network 120, the processor 210 of control circuit 112 obtains, from the address resolution packets (for example ARP request packets or ARP reply packets) sent by individual terminal devices in local area network 120, the pairing of each terminal device's physical address (for example its MAC address) and Internet protocol address (for example an IPv4 or IPv6 address). In the following it is assumed that routing device 110 has physical address MAC_110 and Internet protocol address IP_110; terminal device 122 has physical address MAC_122 and Internet protocol address IP_122; terminal device 124 has physical address MAC_124 and Internet protocol address IP_124; and terminal device 126 has physical address MAC_126 and Internet protocol address IP_126. Generally, IP_122, IP_124 and IP_126 belong to the same network segment.
For convenience of description, it is further assumed that the network administrator has manually set the address resolution information of terminal device 122 in routing device 110 as the pairing of IP_122 and MAC_122, and that in step 310 processor 210 receives an address resolution packet ARP_124 sent by terminal device 124 containing the pairing of MAC_124 and IP_124, and an address resolution packet ARP_126 sent by terminal device 126 containing the pairing of MAC_126 and IP_126.
Then, in step 320, processor 210 records the Internet protocol address and physical address pairings contained in address resolution packets ARP_124 and ARP_126 in storage medium 118, to establish the preliminary address resolution information of routing device 110.
As mentioned above, attackers, intruders or malicious programs can easily forge address resolution packets to attack the address resolution information stored in a routing device. Because a conventional routing device has difficulty judging whether an address resolution packet is genuine, it cannot effectively resist ARP attacks.
To improve the defence capability of routing device 110 against ARP attacks, after the preliminary address resolution information of routing device 110 has been established, processor 210 of control circuit 112 performs step 330, monitoring the access of individual Internet protocol addresses in local area network 120 to other network segments (for example the Internet).
When processor 210 finds that an Internet protocol address in local area network 120 is accessing other network segments 130 (for example successfully establishing a network connection), it performs step 340 and stores the related connection record of that Internet protocol address in storage medium 118, as the basis for judging the validity of subsequently received address resolution packets.
For example, the connection record sheet 400 illustrated in Fig. 4 is an embodiment of the related connection records stored in storage medium 118. In this embodiment, processor 210 records the Internet protocol address and physical address pairings received in step 310 (for example the pairing of IP_124 and MAC_124) in column 410 and column 420 of connection record sheet 400 respectively. As shown in Fig. 4, each row of connection record sheet 400 stores the related connection record of a specific Internet protocol address. For example, row 402 stores the related connection record between Internet protocol address IP_122 (which under normal conditions should be the Internet protocol address of terminal device 122) and other network segments, and row 404 stores the related connection record between Internet protocol address IP_124 (under normal conditions the Internet protocol address of terminal device 124) and other network segments.
For each row of connection record sheet 400, column 430 records the number of the physical communication port on network interface 114 used when the specific Internet protocol address accessed other network segments (if any). Column 440 records the time point at which the specific Internet protocol address accessed other network segments (if any). Column 450 records the number of connections (sessions/sockets) the specific Internet protocol address has established with other network segments (not necessarily the same segment), for example the cumulative number of network connections successfully established with other network segments 130.
In practice, processor 210 has several options for determining the time point at which a specific Internet protocol address accessed other network segments 130; these are further described below with reference to Fig. 5 and Fig. 6.
Fig. 5 is a schematic diagram 500 of a specific Internet protocol address accessing other network segments 130 by TCP transmission. As shown in Fig. 5, when the specific Internet protocol address accesses a destination device in other network segments 130 by TCP, it first establishes a connection (session) with the destination device through a three-way handshake, and only then enters the data transfer phase. In one embodiment, processor 210 records the time point 510 at which the connection acknowledgement packet of the three-way handshake is sent to the specific Internet protocol address, and uses it as the time point at which the specific Internet protocol address accessed other network segments 130.
In another embodiment, processor 210 records the time point at which the specific Internet protocol address and the destination device perform the Nth data transfer in the data transfer phase (for example the time point 520 at which the Nth data packet sent by the specific Internet protocol address is received, or the time point 530 at which the Nth data acknowledgement packet sent by the destination device is received), and uses it as the time point at which the specific Internet protocol address accessed other network segments 130; the value of N may be adjusted according to design needs. Alternatively, processor 210 may use the time point at which the specific Internet protocol address and the destination device confirm the end of the data transfer as the time point of access to other network segments 130.
Fig. 6 is a schematic diagram 600 of a specific Internet protocol address accessing other network segments 130 by UDP transmission. Because UDP is not a connection-oriented transmission mechanism, when the specific Internet protocol address establishes a socket with a destination device in other network segments 130 there is no preceding three-way handshake, and the receiving end does not reply with an acknowledgement after receiving a data packet. In this case, processor 210 records the time point 610 at which, after the specific Internet protocol address has sent a data packet, the first corresponding data packet returned by the destination device is received, and uses it as the time point at which the specific Internet protocol address accessed other network segments 130. In practice, processor 210 may judge that a data packet sent by the destination device corresponds to the data packet sent by the specific Internet protocol address when the source port and destination port of the returned packet match those of the packet the specific Internet protocol address sent.
In other embodiments, processor 210 may also use the time point 620 at which the Mth data packet sent by the specific Internet protocol address is received, or the time point 630 at which the Pth corresponding data packet sent by the destination device is received, as the time point at which the specific Internet protocol address accessed other network segments 130.
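As an added illustration (not the patent's own code), the following Python sketch derives the column 440 access time point from observed packets, using the SYN-ACK of the TCP three-way handshake (time point 510) and the first mirrored UDP reply (time point 610). The LAN address prefix and the packet trace are constructed assumptions.

```python
# Added illustration of how the access time point in column 440 can be derived
# from observed traffic (Fig. 5, time point 510; Fig. 6, time point 610).
# Not the patent's own code; LAN_PREFIX and SAMPLE_TRACE are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

LAN_PREFIX = "192.168.1."  # constructed: address range of local area network 120


@dataclass(frozen=True)
class Pkt:
    t: float         # time at which the routing device saw the packet
    src: str         # source IP address
    sport: int       # source port
    dst: str         # destination IP address
    dport: int       # destination port
    proto: str       # "tcp" or "udp"
    flags: str = ""  # TCP flags as a short string, e.g. "S" (SYN) or "SA" (SYN-ACK)


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class AccessTimeTracker:
    """Derives the time of access to other network segments per LAN IP address."""

    def __init__(self) -> None:
        # Outbound attempts (LAN -> other segment) still waiting for the reply that
        # confirms a session/socket: a TCP SYN or the first UDP datagram.
        self.pending: Set[Tuple[str, int, str, int, str]] = set()
        # Column 440: latest access time point per LAN IP address.
        self.access_time: Dict[str, float] = {}
        # Column 450: sessions/sockets successfully established per LAN IP address.
        self.session_count: Dict[str, int] = {}

    def observe(self, p: Pkt) -> Optional[float]:
        """Feed one packet; returns the access time if this packet confirms one."""
        if is_lan(p.src) and not is_lan(p.dst):
            # Outbound: a TCP SYN opens a three-way handshake (Fig. 5); a UDP
            # datagram opens a socket for which a mirrored reply is awaited (Fig. 6).
            if p.proto == "udp" or (p.proto == "tcp" and p.flags == "S"):
                self.pending.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return None
        if is_lan(p.src) or not is_lan(p.dst):
            return None  # LAN-internal or transit traffic is not of interest here
        # Inbound: match against the mirrored 5-tuple of a pending outbound attempt.
        key = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key not in self.pending:
            return None  # unsolicited inbound packet, not a confirmed access
        if p.proto == "tcp" and p.flags != "SA":
            return None  # only the SYN-ACK of the handshake counts (time point 510)
        self.pending.discard(key)
        self.access_time[p.dst] = p.t
        self.session_count[p.dst] = self.session_count.get(p.dst, 0) + 1
        return p.t


def replay(trace: List[Pkt]) -> AccessTimeTracker:
    tracker = AccessTimeTracker()
    for p in trace:
        tracker.observe(p)
    return tracker


# Constructed trace: one TCP session and one UDP exchange from 192.168.1.24
# (standing in for terminal device 124), plus one unsolicited inbound packet.
SAMPLE_TRACE = [
    Pkt(1.00, "192.168.1.24", 40001, "203.0.113.10", 80, "tcp", "S"),
    Pkt(1.05, "203.0.113.10", 80, "192.168.1.24", 40001, "tcp", "SA"),
    Pkt(1.06, "192.168.1.24", 40001, "203.0.113.10", 80, "tcp", "A"),
    Pkt(5.00, "192.168.1.24", 50001, "203.0.113.53", 53, "udp"),
    Pkt(5.10, "198.51.100.7", 9999, "192.168.1.24", 50001, "udp"),  # unsolicited
    Pkt(5.20, "203.0.113.53", 53, "192.168.1.24", 50001, "udp"),
]

if __name__ == "__main__":
    tr = replay(SAMPLE_TRACE)
    print(tr.access_time, tr.session_count)
```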
Each time processor 210 detects that a specific Internet protocol address has successfully established a connection (session/socket) with other network segments, it increments the value in column 450 of connection record sheet 400 corresponding to that Internet protocol address, to record the cumulative number of connections successfully established between that Internet protocol address and other network segments (not necessarily the same segment).
At times, or in some applications, the network administrator may manually set the address resolution information of certain Internet protocol addresses (for example IP_122) in routing device 110. Therefore, processor 210 may also set an indicator in column 460 of connection record sheet 400, for example a flag showing whether the address resolution information of the specific Internet protocol address was set by the network administrator. In one embodiment, processor 210 sets the value of column 460 corresponding to Internet protocol address IP_122 to 1, indicating that the address resolution information for IP_122 in routing device 110 was set manually by the network administrator. Processor 210 sets the value of column 460 corresponding to Internet protocol addresses IP_124 and IP_126 to 0, indicating that their address resolution information was obtained from address resolution packets received by routing device 110 rather than set by the network administrator.
In practice, processor 210 performs steps 330 and 340 continuously to keep the content of connection record sheet 400 up to date.
On the other hand, during subsequent operation routing device 110 may receive another address resolution packet in which the address resolution information of a specific Internet protocol address differs from the record in storage medium 118 (step 350). For example, suppose that in step 350 routing device 110 receives an address resolution packet ARP_N whose sender Internet protocol address is IP_124 and whose sender physical address is MAC_N; that is, the address resolution information for Internet protocol address IP_124 contained in ARP_N (the pairing of IP_124 with MAC_N) differs from the pairing of IP_124 with MAC_124 recorded by routing device 110. In this situation, processor 210 performs step 360.
The inventor has found that most users in many network environments share a common network usage pattern: whether for work, study, entertainment, social activity or simply passing time, they tend to connect frequently to the Internet or other network segments to browse web pages or access data. Therefore, in step 360, processor 210 analyses whether the related connection record of Internet protocol address IP_124 stored in connection record sheet 400 meets a predetermined condition corresponding to a normal user's network usage pattern.
In one embodiment, the condition corresponding to a normal user's network usage pattern is that the connection frequency between Internet protocol address IP_124 and other network segments 130 (for example the Internet) reaches a preset frequency, for example once per 10 minutes, 3 times per hour or 2 times per 3 hours. The preset frequency may be adjusted by the network administrator according to the actual network environment. Accordingly, in step 360 processor 210 analyses whether the connection frequency between Internet protocol address IP_124 and other network segments 130 (for example the Internet) reaches this preset frequency. In practice, processor 210 may in step 340 add to connection record sheet 400 a field recording the computed connection frequency, and in step 360 directly judge whether the value of that field reaches or exceeds the preset frequency. If so, processor 210 determines that the network usage pattern of the user of Internet protocol address IP_124 matches that of a normal user, and therefore judges the address resolution packet ARP_N, whose address resolution information is inconsistent with the record in storage medium 118, to be an invalid packet.
Alternatively, processor 210 may subtract the access time point Ta recorded in column 440 of connection record sheet 400 for Internet protocol address IP_122 from the system time at which address resolution packet ARP_N was received, to obtain how long after the time point Ta of the previous access of IP_122 to other network segments 130 the packet ARP_N was received. The reciprocal of the resulting time span can be regarded as one expression of the connection frequency. For example, if the result is 10 minutes, the time at which ARP_N was received is 10 minutes after the time point Ta at which IP_122 last accessed other network segments, and processor 210 may interpret this as a recent connection frequency of once per 10 minutes for IP_122. Therefore, in step 360 processor 210 may also judge, from the access time point Ta recorded in column 440 for Internet protocol address IP_122, whether the time at which ARP_N was received is less than a scheduled time length after the previous access of IP_122 to other network segments. If so, the network usage pattern of the user of Internet protocol address IP_124 matches that of a normal user, and processor 210 judges address resolution packet ARP_N to be an invalid packet.
In addition, in some network environments the terminal devices are connected to routing device 110 by fixed cabling, so that the mapping between an individual terminal device and a physical communication port on the network interface 114 of routing device 110 does not change. In that case, the condition corresponding to a normal user's network usage pattern is that the physical communication port previously used by Internet protocol address IP_124 to establish connections with and transmit data to other network segments is the same as the physical communication port on which routing device 110 receives a genuine address resolution packet sent by IP_124. Therefore, in step 360 processor 210 may judge whether the communication port on which address resolution packet ARP_N was received is the same as the physical communication port Port_1 used when Internet protocol address IP_122 previously accessed other network segments. If they differ, ARP_N may be a forged address resolution packet, and processor 210 judges ARP_N to be an invalid packet.
In another embodiment, the condition corresponding to a normal user's network usage pattern is that the number of connections established between Internet protocol address IP_124 and other network segments 130 (for example the Internet) reaches a predetermined number, for example 5 or 10. The predetermined number may be adjusted by the network administrator according to the actual network environment. Therefore, in step 360 processor 210 may judge whether the established-connection count Count_122 recorded in column 450 for Internet protocol address IP_122 reaches this predetermined number. If the value of Count_122 does not reach the predetermined number, the network usage pattern of the user of Internet protocol address IP_124 does not match that of a normal user, and processor 210 judges address resolution packet ARP_N to be an invalid packet.
Furthermore, in network applications where the network administrator has manually set the address resolution information of a specific Internet protocol address in routing device 110, the address resolution information of that Internet protocol address should not be allowed to change on its own. Therefore, in step 360 processor 210 may also judge whether a received address resolution packet is valid according to the content of column 460 of connection record sheet 400. Suppose that in step 350 routing device 110 receives an address resolution packet ARP_Y whose sender Internet protocol address is IP_122 and whose sender physical address is MAC_Y; that is, the address resolution information for Internet protocol address IP_122 contained in ARP_Y (the pairing of IP_122 with MAC_Y) differs from the pairing of IP_122 with MAC_122 recorded by routing device 110. In step 360, processor 210 learns from the value in column 460 corresponding to Internet protocol address IP_122 (1 in this embodiment) that the address resolution information for IP_122 in routing device 110 was set manually by the network administrator. Because the address resolution information for IP_122 contained in ARP_Y conflicts with the existing record set by the network administrator in routing device 110, processor 210 judges address resolution packet ARP_Y to be an invalid packet.
In practice, processor 210 may also be designed to perform two or more of the above analyses and comparisons in step 360, to improve the accuracy of the address resolution packet validity judgement.
Line record sheet 400 in the previous embodiment, be used for storing the relevant line record between each internet protocol address that route device 110 known and other network segments, the network address translation information required (for example ARP table) function and inequality with route device 110 runnings, so both can be recorded in respectively in the different sections of Storage Media 118.On real the work, processor 210 can produce the required ARP table of route device 110 runnings according to the content of line record sheet 400.
If processor 210 is that the network address translation package of being received is judged into invalid package in the analysis result of step 360, then processor 210 can not upgrade the network address translation information (step 370) that is write down in the Storage Media 118.In one embodiment, processor also can carry out step 380 210 this moments, initiatively sends in the caution message informing network manager Local Area Network 120 to have ARP attack generation, and network manager can be taked as early as possible in response to measure, enlarges to avoid harm.
Otherwise, if processor 210 is that the network address translation package of being received is judged into effective package in the analysis result of step 360, then can carry out step 390, upgrade the network address translation information that is write down in the Storage Media 118 according to the network address translation package received, and upgrade the content on hurdle 410 and hurdle 420 in the line record sheet 400 in the lump.
Please refer to FIG. 7, a flowchart 700 of another embodiment of the address resolution information management method of routing device 110 of the present invention. Steps 310 to 340 of flowchart 700 are identical to steps 310 to 340 of flowchart 300 and are not repeated here.
In step 710, processor 210 of control circuit 112 analyzes whether the connection record of each IP address stored in connection record table 400 meets the predetermined condition corresponding to normal user network usage behavior. Step 710 is very similar to step 360; the difference is when it is performed. In flowchart 300, processor 210 performs step 360 only when the address resolution information contained in a received address resolution packet is inconsistent with the existing record in routing device 110. In flowchart 700, processor 210 performs step 710 periodically, regardless of whether any address resolution packet has been received. As described above, processor 210 continuously performs steps 330 and 340 to update the content of connection record table 400, so in this embodiment processor 210 can regularly analyze and inspect each entry of connection record table 400 to judge whether the connection record of each IP address meets the predetermined condition corresponding to normal user network usage behavior.
If the analysis in step 710 finds that the connection record of a particular IP address meets the predetermined condition corresponding to normal user network usage behavior, processor 210 performs step 720.
In step 720, processor 210 sets the address resolution information of that IP address recorded in storage medium 118 as unchangeable, so that it cannot be corrupted by an ARP attack. For example, in some operating systems processor 210 can set the type of the address resolution information for that IP address to static, so that it cannot be modified by other programs of routing device 110. In other words, for as long as the connection record of that IP address passes the validity check of step 710, no ARP attack can corrupt the existing record of its address resolution information in routing device 110.
In one embodiment, if the analysis in step 710 finds that the connection record of a particular IP address does not meet the predetermined condition corresponding to normal user network usage behavior, and the address resolution information of that IP address is currently set as unchangeable, processor 210 performs step 720 and sets the address resolution information of that IP address in routing device 110 as changeable. For example, in some operating systems processor 210 can set the type of the address resolution information for that IP address to dynamic, so that processor 210 can update the existing record of that address resolution information in storage medium 118 according to subsequently received address resolution packets.
In practice, the two address resolution information management methods disclosed in flowchart 300 and flowchart 700 can be used in parallel. For example, processor 210 can perform step 360 whenever an address resolution packet is received, to judge the validity of that packet, and on the other hand periodically perform step 710 to keep the settings of the ARP table in storage medium 118 up to date.
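The following added example (not code from the patent) implements the two methods together: the validity check of step 360 (flowchart 300) applied to a conflicting address resolution packet, and the periodic static/dynamic marking of steps 710 and 720 (flowchart 700), both driven by one connection record table. The predetermined condition is modelled as the four checks listed in claims 3 and 8 combined with AND; the patent allows any selection of them. The concrete IP addresses, MAC addresses, port names, timestamps and the thresholds in `Policy` are assumed values chosen for the example.

```python
"""Connection-record based ARP validation (step 360) and static/dynamic marking (steps 710/720).
Added example; all addresses, ports, times and thresholds below are assumed, not from the patent."""
from dataclasses import dataclass


@dataclass
class ConnRecord:
    """One row of connection record table 400 (field numbers follow the description)."""
    ip: str                  # field 410: IP address of a LAN host
    mac: str                 # field 420: physical address currently resolved for it
    last_access: float       # time the host last reached another segment (e.g. the Internet)
    accesses: int            # field 450: connections established to other segments
    window_start: float      # start of the window over which the access frequency is measured
    port: str                # physical port on which those accesses arrived
    admin_set: bool = False  # field 460: entry configured by the administrator
    static: bool = False     # address resolution information marked unchangeable

    def frequency(self, now):
        return self.accesses / max(now - self.window_start, 1e-9)


@dataclass
class Policy:
    max_age: float = 600.0         # (a) seconds since the previous access must be below this
    min_frequency: float = 1 / 600  # (b) accesses per second must reach this
    min_count: int = 5             # (c) predetermined number of connections
    check_port: bool = True        # (d) same physical port as the ARP packet


def meets_normal_usage(rec, now, policy, ingress_port=None):
    """Predetermined condition of claims 3/8; this example requires every enabled check."""
    if rec.accesses < 1:                                   # never reached another segment
        return False
    if now - rec.last_access >= policy.max_age:            # (a)
        return False
    if rec.frequency(now) < policy.min_frequency:          # (b)
        return False
    if rec.accesses < policy.min_count:                    # (c)
        return False
    if policy.check_port and ingress_port is not None and rec.port != ingress_port:  # (d)
        return False
    return True


def record_access(table, ip, mac, port, now):
    """Steps 330/340: update the connection record when a LAN host reaches another segment."""
    rec = table.get(ip)
    if rec is None:
        table[ip] = ConnRecord(ip, mac, now, 1, now, port)
    else:
        rec.last_access, rec.accesses, rec.port = now, rec.accesses + 1, port


def judge_arp(table, sender_ip, sender_mac, ingress_port, now, policy):
    """Steps 350-390 of flowchart 300. Returns 'learn', 'unchanged', 'update' or 'reject'."""
    rec = table.get(sender_ip)
    if rec is None:                                        # nothing to compare: learn it
        table[sender_ip] = ConnRecord(sender_ip, sender_mac, now, 0, now, ingress_port)
        return "learn"
    if rec.mac == sender_mac:
        return "unchanged"
    # Conflicting binding: keep the existing record if it is protected or looks like a live user.
    if rec.admin_set or rec.static or meets_normal_usage(rec, now, policy, ingress_port):
        return "reject"                                    # step 370; caller raises the step-380 alert
    rec.mac, rec.port = sender_mac, ingress_port           # step 390
    return "update"


def periodic_sweep(table, now, policy):
    """Steps 710/720 of flowchart 700: mark active entries static, idle ones dynamic again."""
    changes = {}
    for rec in table.values():
        normal = meets_normal_usage(rec, now, policy)
        if normal and not rec.static:
            rec.static, changes[rec.ip] = True, "static"
        elif not normal and rec.static and not rec.admin_set:   # admin entries stay pinned
            rec.static, changes[rec.ip] = False, "dynamic"
    return changes


def arp_table(table):
    """ARP table derived from the connection record table, as the description allows."""
    return {rec.ip: rec.mac for rec in table.values()}


def demo():
    """Constructed scenario: an active host, a barely used host and an administrator-pinned entry."""
    table, policy, t0 = {}, Policy(), 1_000_000.0
    for i in range(6):   # host 122 reaches the Internet six times in five minutes on port lan1
        record_access(table, "192.168.1.122", "02:00:00:00:01:22", "lan1", t0 + 60 * i)
    for i in range(2):   # host 124 has only two connections so far
        record_access(table, "192.168.1.124", "02:00:00:00:01:24", "lan1", t0 + 60 * i)
    table["192.168.1.126"] = ConnRecord("192.168.1.126", "02:00:00:00:01:26", t0, 0, t0, "lan1",
                                        admin_set=True)
    now = t0 + 360
    return {
        "arp_n": judge_arp(table, "192.168.1.122", "02:00:00:00:01:24", "lan1", now, policy),
        "arp_weak": judge_arp(table, "192.168.1.124", "02:00:00:00:00:99", "lan1", now, policy),
        "arp_y": judge_arp(table, "192.168.1.126", "02:00:00:00:00:99", "lan1", now, policy),
        "sweep_active": periodic_sweep(table, now, policy),
        "sweep_idle": periodic_sweep(table, now + 3600, policy),
        "arp_table": arp_table(table),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the scenario the spoofed packet claiming IP 192.168.1.122 is rejected because that host has an active record, the conflicting packet for the barely used 192.168.1.124 is accepted and overwrites its entry, and the administrator-pinned entry rejects any conflict regardless of usage. The sweep marks the active entry static and, an hour of inactivity later, releases it to dynamic while leaving the administrator entry untouched.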
As shown by the above description, one advantage of the present invention is that it effectively improves the ability of routing device 110 to identify forged address resolution packets, and thereby strengthens its defense and alarm capability against ARP attacks.
Another advantage of the present invention is that the routing device can dynamically decide, according to how each IP address accesses other network segments, whether to allow the address resolution information of an individual IP address to be changed, without intervention by the network administrator, so it can be applied in a variety of network environments.
Please refer to FIG. 8, a flowchart 800 of an embodiment of the network packet processing method of the present invention.
When network interface 114 of routing device 110 receives a network packet (step 810), processor 210 of control circuit 112 performs step 820.
Step 820 is very similar to step 360; the difference is when it is performed. In flowchart 300, processor 210 performs step 360 only when the address resolution information contained in a received address resolution packet is inconsistent with the existing record in routing device 110. In flowchart 800, processor 210 performs step 820 whenever a network packet is received.
Suppose the network packet received by routing device 110 in step 810 is network packet A, whose source IP address is IP_126. In step 820 processor 210 analyzes whether the connection record of IP address IP_126 stored in connection record table 400 meets the predetermined condition corresponding to normal user network usage behavior, as the basis for judging whether network packet A is a valid network packet.
If the analysis in step 820 finds that the connection record of source IP address IP_126 of network packet A does not meet the predetermined condition corresponding to normal user network usage behavior, processor 210 performs step 830, judging network packet A to be an invalid network packet and discarding it.
If the connection record of source IP address IP_126 of network packet A meets the predetermined condition corresponding to normal user network usage behavior, processor 210 processes network packet A further. For example, in one embodiment processor 210 performs step 840 and the subsequent steps on network packet A.
In step 840, processor 210 reads the value of the destination IP address field of network packet A to judge whether the destination of network packet A lies within the network segment handled by routing device 110 or belongs to other network segments 130.
If the destination IP address of network packet A points to another IP address in the same network segment within local area network 120 (suppose IP address IP_122), processor 210 performs step 850.
In step 850, control circuit 112 sends network packet A through network interface 114 to the destination device corresponding to physical address MAC_122, that is, terminal device 122 in local area network 120. In some embodiments, before performing step 850, processor 210 may also apply predetermined processing to the payload data of network packet A, for example virus scanning, malware interception, packet filtering or other application-layer processing.
In one embodiment, if processor 210 finds in step 840 that the destination IP address of network packet A points to a destination device belonging to other network segments 130 (suppose its IP address is IP_WAN), processor 210 performs step 860 regardless of whether the value of the destination physical address field of network packet A is physical address MAC_110 of routing device 110. If processor 210 finds that the value of the destination physical address field of network packet A does not point to physical address MAC_110 of routing device 110, processor 210 can infer that the originating device of network packet A (terminal device 126 under normal conditions) has been subjected to an ARP attack, and can decide according to the preset rules of control circuit 112 whether to send an alert message informing the network administrator.
In step 860, processor 210 modifies the destination physical address field of network packet A to physical address MAC_110 of routing device 110, producing an intermediate network packet A'.
In step 870, processor 210 looks up, in the routing information recorded in storage medium 118, the routing rule corresponding to IP address IP_WAN and the next hop corresponding to that routing rule.
In step 880, processor 210 generates a network packet B to be forwarded, according to intermediate network packet A'. In practice, processor 210 can use the payload data of intermediate network packet A' (identical to the payload data of network packet A in this embodiment) directly as the payload data of network packet B, or can apply predetermined processing to the payload data of intermediate network packet A', for example virus scanning, malware interception, packet filtering or other application-layer processing, and use the resulting data as the payload data of network packet B. In addition, processor 210 sets the destination IP address of network packet B to be identical to destination IP address IP_WAN of intermediate network packet A' (that is, the destination IP address of network packet A), and fills the source physical address field of network packet B with physical address MAC_110 of routing device 110. In other words, in step 880 processor 210 generates a network packet B whose destination IP address is identical to destination IP address IP_WAN of network packet A and whose source physical address is identical to physical address MAC_110 of routing device 110.
Processor 210 then performs step 890, forwarding network packet B through network interface 116 to the next hop found in step 870.
Note that the order of execution of the steps of flowchart 800 is only an embodiment and does not limit the practice of the present invention. For example, step 820 and step 840 may be exchanged or performed simultaneously. In addition, step 860 may be omitted.
From the above description it can be seen that when routing device 110 finds that the destination IP address of network packet A points to another network segment (for example the Internet), as long as the connection record of source IP address IP_126 of network packet A meets the predetermined condition corresponding to normal user network usage behavior, processor 210 of routing device 110 of the present invention does not discard network packet A even if its destination physical address field has been filled in incorrectly because terminal device 126 has been subjected to an ARP attack. Instead it continues to route network packet A, converting it into network packet B and sending it along the correct routing path, so that communication between terminal device 126 and other network segments (for example the Internet) is not interrupted by the ARP attack.
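The forwarding path of flowchart 800 (steps 820 to 890), as an added example that is not code from the patent. The step-820 connection-record test is abstracted as the set of source IP addresses that have already passed it; the concrete IP and MAC values standing in for IP_122, IP_126, IP_WAN, MAC_110 and the next hop are assumed, the frames are constructed rather than captured, and the single physical address MAC_110 is used on both interfaces as the description does. The poisoned host addresses its Internet-bound frame to another host's MAC, which the router records as an alert while still forwarding the packet.

```python
"""Packet handling of flowchart 800 for a LAN host that may have been ARP-poisoned.
Added example; the addresses and the sample frames are constructed, not from the patent."""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")            # destination MAC, source MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")    # 20-byte IPv4 header without options
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header):
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload, proto=17):
    """Constructed Ethernet II + IPv4 frame used as sample input."""
    fields = [0x45, 0, IPV4_HDR.size + len(payload), 0, 0, 64, proto, 0,
              ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed]
    fields[7] = ipv4_checksum(IPV4_HDR.pack(*fields))
    return ETH_HDR.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_IPV4) + IPV4_HDR.pack(*fields) + payload


class Router:
    """Routing device 110: physical address MAC_110, its LAN segment, an ARP table, a routing
    table, and the source IPs whose connection record meets the predetermined condition."""

    def __init__(self, router_mac, lan_net, arp_table, routes, trusted_sources):
        self.mac = mac(router_mac)
        self.lan_net = ipaddress.ip_network(lan_net)
        self.arp_table = {ip: mac(m) for ip, m in arp_table.items()}
        self.routes = [(ipaddress.ip_network(n), mac(nh)) for n, nh in routes]
        self.trusted = set(trusted_sources)
        self.alerts = []

    def next_hop(self, dst_ip):
        """Step 870: longest-prefix match returning the next hop's MAC."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [(net.prefixlen, nh) for net, nh in self.routes if addr in net]
        return max(matches)[1] if matches else None

    def handle(self, frame):
        """Steps 820-890. Returns ('drop', reason), ('lan', frame) or ('wan', frame)."""
        dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame)
        if ethertype != ETHERTYPE_IPV4:
            return "drop", "not an IPv4 packet"
        ip_packet = frame[ETH_HDR.size:]                   # IP header plus carried data
        src_ip = str(ipaddress.ip_address(ip_packet[12:16]))
        dst_ip = str(ipaddress.ip_address(ip_packet[16:20]))
        # Steps 820/830: the source's connection record must meet the normal-usage condition.
        if src_ip not in self.trusted:
            return "drop", f"source {src_ip} does not meet the normal-usage condition"
        # Step 840: does the destination lie in the segment this device is responsible for?
        if ipaddress.ip_address(dst_ip) in self.lan_net:
            target = self.arp_table.get(dst_ip)
            if target is None:
                return "drop", f"no address resolution entry for {dst_ip}"
            # Step 850: deliver to the MAC the router resolved itself, not the one the host used.
            return "lan", ETH_HDR.pack(target, src_mac, ETHERTYPE_IPV4) + ip_packet
        # Other segment: a destination MAC other than MAC_110 means the sender's ARP cache is wrong.
        if dst_mac != self.mac:
            self.alerts.append(f"{src_ip} addressed Internet-bound traffic to {mac_str(dst_mac)} "
                               f"instead of the router: possible ARP attack")
        # Steps 860/880: packet B carries the same IP packet, source MAC = MAC_110, destination = next hop.
        hop = self.next_hop(dst_ip)
        if hop is None:
            return "drop", f"no route to {dst_ip}"
        return "wan", ETH_HDR.pack(hop, self.mac, ETHERTYPE_IPV4) + ip_packet   # step 890


def demo():
    """Three constructed frames: a poisoned host, a LAN-to-LAN packet, an untrusted source."""
    router = Router("02:00:00:00:01:10", "192.168.1.0/24",
                    {"192.168.1.122": "02:00:00:00:01:22", "192.168.1.126": "02:00:00:00:01:26"},
                    [("0.0.0.0/0", "02:00:00:00:ff:01")],
                    trusted_sources={"192.168.1.122", "192.168.1.126"})
    # Host 126 has been poisoned: it sends Internet-bound traffic to the MAC of host 124.
    poisoned = build_frame("02:00:00:00:01:24", "02:00:00:00:01:26",
                           "192.168.1.126", "203.0.113.10", b"GET / HTTP/1.0\r\n\r\n")
    local = build_frame("02:00:00:00:01:22", "02:00:00:00:01:26",
                        "192.168.1.126", "192.168.1.122", b"hello")
    untrusted = build_frame("02:00:00:00:01:10", "02:00:00:00:01:24",
                            "192.168.1.124", "203.0.113.10", b"x")
    return {"poisoned": router.handle(poisoned), "local": router.handle(local),
            "untrusted": router.handle(untrusted), "alerts": router.alerts}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result if name == "alerts" else result[0])
```

The poisoned frame is forwarded as packet B with the router's MAC as source and the next hop as destination, the IP packet untouched, and one alert is recorded; the LAN-to-LAN frame is delivered to the MAC the router itself resolved for IP_122; the frame from a source whose record does not meet the condition is discarded without its payload being read.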
Another advantage of routing device 110 is that it only needs to analyze the connection record of a network packet's source IP address accessing other network segments, without spending additional computing capacity on reading the payload content of the packet, to judge quickly and automatically whether the packet is valid and decide the subsequent processing action, which effectively improves the security of network communications.
A further advantage of routing device 110 is that even if the address resolution information in a terminal device in the local area network has been corrupted by an ARP attack, routing device 110 can still maintain the communication of that terminal device with the Internet or other network segments, significantly reducing the threat of ARP attacks to network communications.
The above are only preferred embodiments of the present invention; all equivalent changes and modifications made according to the claims of the present invention shall fall within the scope of the present invention.

Claims (10)

1. A control circuit for a routing device, comprising:
an input/output interface; and
a processor coupled to the input/output interface, wherein when the processor receives an address resolution packet, and the address resolution information of an Internet protocol address of a first network segment contained in the address resolution packet differs from the record in the routing device, if the Internet protocol address has accessed other network segments at least once and meets a predetermined condition, the processor does not update the address resolution information of the Internet protocol address.
2. The control circuit of claim 1, wherein if the Internet protocol address meets the predetermined condition, the processor further sends a notification message indicating that an address resolution attack is occurring.
3. The control circuit of claim 1, wherein the predetermined condition is selected from the group consisting of:
(a) the time since the Internet protocol address previously accessed the other network segments is less than a predetermined time length;
(b) the frequency with which the Internet protocol address accesses the other network segments reaches a preset frequency; and
(c) the physical communication port used when the Internet protocol address previously accessed the other network segments is identical to the physical communication port on which the address resolution packet is received.
4. The control circuit of claim 1, wherein the other network segments are the Internet.
5. The control circuit of claim 1, wherein when the Internet protocol address meets the predetermined condition, the processor sets the address resolution information of the Internet protocol address as unchangeable.
6. A control circuit for a routing device, comprising:
an input/output interface; and
a processor coupled to the input/output interface, wherein when an Internet protocol address of a first network segment has accessed other network segments at least once and meets a predetermined condition, the processor sets the address resolution information of the Internet protocol address as unchangeable.
7. The control circuit of claim 6, wherein if the Internet protocol address does not meet the predetermined condition, the processor sets the address resolution information of the Internet protocol address as changeable.
8. The control circuit of claim 6, wherein the predetermined condition is selected from the group consisting of:
(a) the time since the Internet protocol address previously accessed the other network segments is less than a predetermined time length;
(b) the frequency with which the Internet protocol address accesses the other network segments reaches a preset frequency;
(c) the number of times the Internet protocol address has accessed the other network segments reaches a predetermined number; and
(d) the physical communication port used when the Internet protocol address previously accessed the other network segments is identical to the physical communication port on which the address resolution packet is received.
9. The control circuit of claim 6, wherein when the processor receives a first network packet, if the source Internet protocol address of the first network packet is the Internet protocol address, the destination Internet protocol address points to a second network segment, and the Internet protocol address meets the predetermined condition, the processor generates a second network packet whose destination Internet protocol address is identical to the destination Internet protocol address of the first network packet and whose source physical address is identical to the physical address of the routing device.
10. A routing device, comprising:
a control circuit which, when receiving a first network packet, if the source Internet protocol address of the network packet is located in a first network segment, the destination Internet protocol address points to a second network segment, the destination physical address differs from the physical address of the routing device, and the source Internet protocol address meets a predetermined condition, generates a second network packet whose destination Internet protocol address is identical to the destination Internet protocol address of the first network packet and whose source physical address is identical to the physical address of the routing device;
wherein the predetermined condition is selected from the group consisting of:
(a) the time since the source Internet protocol address previously accessed other network segments is less than a predetermined time length;
(b) the frequency with which the source Internet protocol address accesses the other network segments reaches a preset frequency;
(c) the number of times the source Internet protocol address has accessed the other network segments reaches a predetermined number; and
(d) the physical communication port used when the source Internet protocol address previously accessed the other network segments is identical to the physical communication port on which the network packet is received.
CN2010101305460A 2010-03-11 2010-03-11 Routing device and related control circuit Active CN102196054B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101305460A CN102196054B (en) 2010-03-11 2010-03-11 Routing device and related control circuit

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010101305460A CN102196054B (en) 2010-03-11 2010-03-11 Routing device and related control circuit

Publications (2)

Publication Number Publication Date
CN102196054A true CN102196054A (en) 2011-09-21
CN102196054B CN102196054B (en) 2013-08-28

Family

ID=44603418

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101305460A Active CN102196054B (en) 2010-03-11 2010-03-11 Routing device and related control circuit

Country Status (1)

Country Link
CN (1) CN102196054B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978618A (en) * 2022-05-06 2022-08-30 国网湖北省电力有限公司信息通信公司 Network disguise method, device and medium for randomly adding false information into real information

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6128294A (en) * 1996-04-05 2000-10-03 Hitachi, Ltd. Network connecting apparatus
CN1604586A (en) * 2003-09-29 2005-04-06 华为技术有限公司 A method for preventing counterfeit host in IP Ethernet
CN1780286A (en) * 2004-11-18 2006-05-31 中兴通讯股份有限公司 Method for strengthening address analytic protocol table safety
US20060209818A1 (en) * 2005-03-18 2006-09-21 Purser Jimmy R Methods and devices for preventing ARP cache poisoning
CN1925493A (en) * 2006-09-15 2007-03-07 杭州华为三康技术有限公司 Method and device for processing ARP message
CN101345643A (en) * 2007-07-09 2009-01-14 珠海金山软件股份有限公司 Method and device for early warning of network appliance
US20090265785A1 (en) * 2003-05-21 2009-10-22 Foundry Networks, Inc. System and method for arp anti-spoofing security

Also Published As

Publication number Publication date
CN102196054B (en) 2013-08-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant