CN102316034B - Method for preventing manual Internet protocol (IP) address specification in local area network and device - Google Patents


Info

Publication number: CN102316034B
Authority: CN (China)
Application number: CN201110261830.6A
Other languages: Chinese (zh)
Other versions: CN102316034A
Inventors: 刘威, 郑玉婷, 马小亮
Original and current assignee: ZTE Corp
Legal status: Active
Related publications: CN102316034A (application publication); PCT/CN2011/082553, published as WO2012151927A1

Classifications

    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L61/5007 Address allocation: Internet protocol [IP] addresses
    • H04L61/5046 Address allocation: resolving address allocation conflicts; testing of addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method and device for preventing manual Internet Protocol (IP) address specification in a local area network. The method comprises: receiving packets sent by a terminal and determining, according to a preset packet filter rule table and a mapping table of media access control (MAC) addresses and IP addresses, whether the packets were sent by a host with a manually specified IP address; allowing the packets to pass when they are judged to have been sent by a host whose IP address was not specified manually, and forbidding them to pass when they are judged to have been sent by a host with a manually specified IP address. With this technical scheme the data services of hosts with manually specified IP addresses can be blocked, and the probability of IP address conflicts in the local area network is reduced.

Description

Method and device for preventing manual specification of IP addresses in a LAN
Technical field
The present invention relates to the field of mobile communication, and in particular to a method and device for preventing manual specification of IP addresses in a LAN.
Background technology
At present, LAN deployments are increasingly widespread. When a LAN is built, a Dynamic Host Configuration Protocol (DHCP) server is normally used to dynamically assign and manage Internet Protocol (IP) addresses. In the prior art, IP address conflicts are addressed by binding fixed static IP addresses to Media Access Control (MAC) addresses, by detecting Address Resolution Protocol (ARP) packets, and so on.
However, when a user specifies an IP address manually, the DHCP server can no longer manage that address. A manually specified IP address easily causes IP conflicts in the LAN and disturbs the normal users who obtained their IP addresses from the DHCP server, and network administrators find such IP conflicts hard to detect and investigate. A method for preventing users from manually specifying IP addresses in a LAN is therefore urgently needed.
The content of the invention
The present invention provides a method and device for preventing manual specification of IP addresses in a LAN, to solve the prior-art problem that manually specified IP addresses easily cause IP conflicts in a LAN.
The present invention provides a method for preventing manual specification of IP addresses in a LAN, comprising:
receiving a packet sent by a terminal, and determining, according to a preset packet filter rule table and a mapping table of media access control (MAC) addresses and IP addresses, whether the packet was sent by a host with a manually specified IP address;
allowing the packet to pass when it is judged to have been sent by a host whose IP address was not specified manually, and forbidding the packet to pass when it is judged to have been sent by a host with a manually specified IP address.
The present invention also provides a device for preventing manual specification of IP addresses in a LAN, comprising:
a determining module, for receiving a packet sent by a terminal and determining, according to a preset packet filter rule table and a mapping table of MAC addresses and IP addresses, whether the packet was sent by a host with a manually specified IP address;
a processing module, for allowing the packet to pass when it is judged to have been sent by a host whose IP address was not specified manually, and forbidding the packet to pass when it is judged to have been sent by a host with a manually specified IP address.
The present invention has the following beneficial effects:
By means of the technical scheme of the embodiments of the present invention, the packet sent by a terminal is parsed to determine whether it was sent by a host with a manually specified IP address, and packets sent by such hosts are forbidden to pass. This solves the prior-art problem that manually specified IP addresses easily cause IP conflicts in a LAN: the data services of hosts with manually specified IP addresses can be blocked, and the probability of IP address conflicts in the LAN is reduced.
Description of the drawings
Fig. 1 is the flow chart of the method for preventing manual specification of IP addresses in a LAN according to an embodiment of the present invention;
Fig. 2 is the flow chart of updating the MAC-IP mapping table according to the present invention;
Fig. 3 is the flow chart of updating the packet filter rule table according to an embodiment of the present invention;
Fig. 4 is the flow chart of packet filtering according to an embodiment of the present invention;
Fig. 5 is the detailed flow chart of the method for preventing manual specification of IP addresses in a LAN according to an embodiment of the present invention;
Fig. 6 is the structural diagram of the device for preventing manual specification of IP addresses in a LAN according to an embodiment of the present invention;
Fig. 7 is the preferred structural diagram of the device for preventing manual specification of IP addresses in a LAN according to an embodiment of the present invention.
Specific embodiments
In order to solve the prior-art problem that manually specified IP addresses easily cause IP conflicts in a LAN, the present invention provides a method and device for preventing manual specification of IP addresses in a LAN: when a user in the LAN has specified an IP address manually, that user is forbidden to make data service requests such as Internet access. The present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and do not limit it.
Method embodiment
According to an embodiment of the present invention, a method for preventing manual specification of IP addresses in a LAN is provided. Fig. 1 is the flow chart of this method; as shown in Fig. 1, the method comprises the following steps:
Step 101, receive the packet sent by a terminal and determine, according to the preset packet filter rule table and the MAC-IP mapping table, whether the packet was sent by a host with a manually specified IP address. The packets sent by a terminal include Transmission Control Protocol (TCP) connection set-up packets, User Datagram Protocol (UDP) packets and ARP packets.
In step 101, the MAC-IP mapping table and the packet filter rule table are the sole basis for packet inspection.
Specifically, step 101 proceeds as follows:
(1) match the filter rules in the packet filter rule table against the packet, where the filter rules include a first filter rule allowing hosts whose IP addresses were not specified manually to carry out data services, and a second filter rule forbidding hosts with manually specified IP addresses from carrying out data services;
(2) if the packet matches the first filter rule, determine that it was sent by a host whose IP address was not specified manually; if it matches the second filter rule, determine that it was sent by a host with a manually specified IP address;
(3) if the packet matches neither the first nor the second filter rule, extract the MAC address and IP address from the packet and check whether they are present in the mapping table; if they are present, determine that the packet was sent by a host whose IP address was not specified manually; if they are not, determine that it was sent by a host with a manually specified IP address.
Preferably, when the MAC address and IP address of the packet match an entry of the mapping table, a filter rule allowing the host that sent the packet to carry out data services is created and the packet filter rule table is updated; when they do not match, a filter rule forbidding the host that sent the packet from carrying out data services is created and the packet filter rule table is updated.
In addition, after the filter rule forbidding the host from carrying out data services has been created, the network connection mode of the host named in that rule is checked; if the host is connected to the network wirelessly, its wireless connection is disconnected.
Step 102, allow the packet to pass when it is judged to have been sent by a host whose IP address was not specified manually, and forbid the packet to pass when it is judged to have been sent by a host with a manually specified IP address.
Preferably, in step 102, when the packet is judged to have been sent by a host with a manually specified IP address and the packet is a TCP connection set-up packet, a TCP reset packet is sent back to the terminal.
Preferably, to prevent a malicious user from first obtaining an IP address from the DHCP server and then setting that same address manually in order to deceive the router that performs packet inspection, the packet filter rule table is emptied periodically in the embodiments of the present invention, that is, with a predetermined period.
In addition, in the embodiments of the present invention the mapping table may be updated both from update messages sent by the DHCP server and from manual configuration through the administration interface of a graphical user interface (GUI).
Fig. 2 is the flow chart of updating the MAC-IP mapping table according to the present invention. As shown in Fig. 2, updating of the MAC-IP mapping table has two triggers: the DHCP server and the GUI administration interface. When a new DHCP client joins, the client sends a DHCP Discover message to the DHCP server, the server replies with a DHCP Offer message and dynamically assigns an IP address to the client in the LAN, and the DHCP server then sends an update message so that the MAC-IP mapping table is updated synchronously. The administrator can also configure the table manually through the GUI administration interface, managing the MAC-IP mapping table with create, edit and delete operations.
In summary, the technical scheme of the embodiments of the present invention inspects three kinds of packets, TCP, UDP and ARP, and creates packet filter rules dynamically according to the inspection result. When a packet is sent by a host with a manually specified IP address, the host's wireless connection is disconnected if it is connected wirelessly, and its outbound data requests are forbidden if it is connected by wire.
The technical scheme of the embodiments of the present invention is described in detail below with reference to the drawings.
Fig. 3 is the flow chart of updating the packet filter rule table according to an embodiment of the present invention. As shown in Fig. 3, the process is as follows:
Step 301, receive the packet sent by the client and match it against the packet filter rule table and the MAC-IP mapping table to obtain a matching result;
Step 302, judge from the matching result whether the packet is legitimate; if it is, go to step 303, otherwise go to step 304;
Step 303, create a filter rule allowing the host that sent the packet to carry out normal data services, that is, subsequent packets from the same host are allowed to pass; go to step 306;
Step 304, create a filter rule forbidding the host that sent the packet from carrying out data services, that is, subsequent packets from the same host are forbidden to pass; go to step 305 and step 306;
Step 305, judge whether the host forbidden from carrying out data services is connected to the network wirelessly; if it is, disconnect its wireless connection;
Step 306, update the packet filter rule table with the created filter rule, and empty the packet filter rule table periodically; the period defaults to 5 minutes and can be adjusted as needed.
Fig. 4 is the flow chart of packet filtering according to an embodiment of the present invention. TCP SYN, UDP and ARP packets are inspected against the packet filter rule table and the MAC-IP mapping table, the inspection result is output, and the MAC-IP mapping table and the packet filter rule table are updated synchronously according to that result. As shown in Fig. 4, the process is as follows:
Step 401, load the packet filter rule table and match the TCP SYN packets, UDP packets and ARP packets against it;
Step 402, if the packet is judged legitimate, allow it to pass and end the process;
Step 403, if the packet is judged illegitimate, forbid it to pass; if it is a TCP SYN packet, reply with a TCP RESET packet to terminate the TCP handshake; end the process;
Step 404, if no rule matches, treat the packet as an unknown packet;
Step 405, extract the MAC address and IP address of the unknown packet;
Step 406, load the MAC-IP mapping table and check whether the MAC address and IP address of the unknown packet are present in it, obtaining a matching result; if they match, the packet is legitimate and is allowed to pass; if they do not, the packet is illegitimate and is forbidden to pass, and if it is a TCP SYN packet a TCP RESET packet is sent in reply;
Step 407, update the packet filter rule table according to the matching result.
Fig. 5 is the detailed flow chart of the method for preventing manual specification of IP addresses in a LAN according to an embodiment of the present invention. As shown in Fig. 5, the process is as follows:
Step 501, the terminal initiates a data service request;
Step 502, load the packet filter rule table and match the three kinds of packets, TCP, UDP and ARP, against it;
Step 503, if the packet is judged legitimate, allow it to pass and end the process;
Step 504, if the packet is judged illegitimate, forbid it to pass; if it is a TCP SYN packet, reply with a TCP RESET packet to terminate the TCP handshake; end the process;
Step 505, if no rule matches, treat the packet as an unknown packet;
Step 506, extract the MAC address and IP address of the unknown packet;
Step 507, load the MAC-IP mapping table and check whether the MAC address and IP address of the unknown packet are present in it, obtaining a matching result; if they are present, go to step 510; if they are not, go to step 508;
Step 508, forbid the packet to pass; if it is a TCP SYN packet, reply with a TCP RESET packet; judge whether the host forbidden from carrying out data services is connected to the network wirelessly; if it is, go to step 509, otherwise go to step 510;
Step 509, disconnect the wireless connection of the host; go to step 510;
Step 510, create a packet filter rule according to the matching result, update the packet filter rule table with the created rule, and empty the packet filter rule table periodically.
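The inspection flow of steps 301 to 510, as an added example that is not code from the patent or from ZTE: the rule table is consulted first, the MAC-IP mapping table decides unknown packets, a denied TCP SYN gets a TCP reset, a wireless host is cut off when its deny rule is created, and the rule table is emptied on the period of step 306. Class and function names, the sample MAC and IP values, the 192.168.1.1 gateway and the constructed ARP, TCP SYN and UDP frames are this example's own assumptions; the last case shows why the periodic flush matters, since a host that keeps an address after its DHCP lease is withdrawn stays allowed by the cached rule until the table is emptied.

```python
"""Model of the packet inspection flow of Figs. 3 to 5.  Added example, not code from the
patent or ZTE; names, sample addresses and the constructed frames are this example's own."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10
GATEWAY = "192.168.1.1"     # assumed router address, used only in the sample frames
HostKey = Tuple[str, str]   # (MAC address, IP address) as printable strings


@dataclass
class Decision:
    action: str                # "allow" or "deny"
    tcp_reset: bool            # TCP RESET returned to the terminal (denied TCP SYN only)
    disconnect_wireless: bool  # wireless host cut off when its deny rule is created
    source: str                # "rule" (steps 401-403) or "mapping" (steps 404-407)


def parse_frame(frame: bytes) -> Optional[Tuple[HostKey, str]]:
    """((sender MAC, sender IP), 'arp' | 'tcp_syn' | 'udp'); other traffic is not inspected."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP and len(frame) >= 42:
        # ARP body: 8-byte header, then sender MAC (6 bytes) and sender IP (4 bytes)
        return ((frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))), "arp")
    if ethertype == ETH_IPV4 and len(frame) >= 34:
        th = 14 + (frame[14] & 0x0F) * 4                  # transport header offset
        key = (frame[6:12].hex(":"), ".".join(map(str, frame[26:30])))
        if frame[23] == PROTO_UDP and len(frame) >= th + 8:
            return (key, "udp")
        if frame[23] == PROTO_TCP and len(frame) >= th + 20:
            flags = frame[th + 13]
            if flags & TCP_SYN and not flags & TCP_ACK:   # connection set-up only
                return (key, "tcp_syn")
    return None


class ManualIpFilter:
    """Rule table first, MAC-IP mapping table for unknown packets, periodic flush (step 306)."""

    def __init__(self, mapping: Set[HostKey], flush_interval: float = 300.0):
        self.mapping = set(mapping)           # fed by DHCP server updates or the GUI
        self.rules: Dict[HostKey, bool] = {}  # True: allow (first rule), False: deny (second rule)
        self.flush_interval, self.last_flush = flush_interval, 0.0   # 5 minutes by default

    def dhcp_update(self, key: HostKey, present: bool) -> None:
        (self.mapping.add if present else self.mapping.discard)(key)  # lease granted / withdrawn

    def inspect(self, frame: bytes, now: float, wireless_macs: Set[str]) -> Optional[Decision]:
        if now - self.last_flush >= self.flush_interval:
            self.rules.clear()                # periodic flush (step 306)
            self.last_flush = now
        parsed = parse_frame(frame)
        if parsed is None:
            return None
        key, kind = parsed
        if key in self.rules:                 # steps 401-403: an existing rule decides
            allowed, source, created = self.rules[key], "rule", False
        else:                                 # steps 404-407: unknown packet, consult the mapping table
            allowed, source, created = key in self.mapping, "mapping", True
            self.rules[key] = allowed         # dynamically created filter rule (step 407)
        return Decision("allow" if allowed else "deny",
                        tcp_reset=not allowed and kind == "tcp_syn",
                        disconnect_wireless=not allowed and created and key[0] in wireless_macs,
                        source=source)


# Constructed sample frames (not captured traffic): Ethernet + ARP or IPv4 headers.
def _mac(s: str) -> bytes: return bytes.fromhex(s.replace(":", ""))
def _ip(s: str) -> bytes: return bytes(int(o) for o in s.split("."))

def _eth(src_mac: str, ethertype: int, payload: bytes) -> bytes:
    return b"\xff" * 6 + _mac(src_mac) + struct.pack("!H", ethertype) + payload

def arp_request(mac: str, ip: str) -> bytes:
    body = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + _mac(mac) + _ip(ip) + bytes(6) + _ip(GATEWAY)
    return _eth(mac, ETH_ARP, body)

def _ipv4(mac: str, ip: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, _ip(ip), _ip(GATEWAY))
    return _eth(mac, ETH_IPV4, hdr + payload)

def tcp_syn(mac: str, ip: str) -> bytes:  # 20-byte TCP header, data offset 5, SYN flag set
    return _ipv4(mac, ip, PROTO_TCP, struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, TCP_SYN, 65535, 0, 0))

def udp(mac: str, ip: str) -> bytes:      # 8-byte UDP header
    return _ipv4(mac, ip, PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0))


def demo() -> Dict[str, Optional[Decision]]:
    dhcp_host = ("00:11:22:33:44:55", "192.168.1.10")    # address leased by the DHCP server
    static_host = ("66:77:88:99:aa:bb", "192.168.1.20")  # address set by hand, never leased
    f, wireless = ManualIpFilter({dhcp_host}), {static_host[0]}
    out = {"dhcp_arp": f.inspect(arp_request(*dhcp_host), 10.0, wireless),
           "static_syn": f.inspect(tcp_syn(*static_host), 20.0, wireless),
           "static_udp": f.inspect(udp(*static_host), 30.0, wireless)}
    # Case named in the description: the host obtained 192.168.1.10 by DHCP and keeps it after
    # the lease is withdrawn.  The cached allow rule hides this until the periodic flush.
    f.dhcp_update(dhcp_host, present=False)
    out["stale_rule"] = f.inspect(udp(*dhcp_host), 40.0, wireless)
    out["after_flush"] = f.inspect(udp(*dhcp_host), 400.0, wireless)
    return out
```

The `now` argument is an injected clock so the flush can be exercised deterministically; a router would pass its own time source.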
Device embodiment
According to an embodiment of the present invention, a device for preventing manual specification of IP addresses in a LAN is provided, located in a router. Fig. 6 is the structural diagram of this device; as shown in Fig. 6, the device comprises a determining module 60 and a processing module 62. The modules of the embodiment are described in detail below.
Determining module 60 receives the packet sent by a terminal and determines, according to the preset packet filter rule table and the mapping table of media access control (MAC) addresses and IP addresses, whether the packet was sent by a host with a manually specified IP address. The packets sent by a terminal include Transmission Control Protocol (TCP) connection set-up packets, User Datagram Protocol (UDP) packets and ARP packets; the MAC-IP mapping table and the packet filter rule table are the sole basis for packet inspection.
Specifically, determining module 60 is used to: (1) match the filter rules in the packet filter rule table against the packet, where the filter rules include a first filter rule allowing hosts whose IP addresses were not specified manually to carry out data services, and a second filter rule forbidding hosts with manually specified IP addresses from carrying out data services; (2) if the packet matches the first filter rule, determine that it was sent by a host whose IP address was not specified manually, and if it matches the second filter rule, determine that it was sent by a host with a manually specified IP address; (3) if the packet matches neither the first nor the second filter rule, extract the MAC address and IP address from the packet and check whether they are present in the mapping table; if they are present, determine that the packet was sent by a host whose IP address was not specified manually, otherwise determine that it was sent by a host with a manually specified IP address.
Processing module 62 allows the packet to pass when it is judged to have been sent by a host whose IP address was not specified manually, and forbids the packet to pass when it is judged to have been sent by a host with a manually specified IP address.
Specifically, processing module 62 is used to: when the packet is judged to have been sent by a host with a manually specified IP address and the packet is a TCP connection set-up packet, send a TCP reset packet back to the terminal.
Preferably, the device for preventing manual specification of IP addresses in a LAN according to the embodiment of the present invention further comprises:
a creation module, for creating, when the MAC address and IP address of the packet match an entry of the mapping table, a filter rule allowing the host that sent the packet to carry out data services and updating the packet filter rule table; and for creating, when they do not match, a filter rule forbidding the host that sent the packet from carrying out data services and updating the packet filter rule table;
a disconnection module, for checking, after the creation module has created the filter rule forbidding the host from carrying out data services, the network connection mode of the host named in that rule, and disconnecting the host's wireless connection to the network if the host is connected wirelessly;
an emptying module, for emptying the packet filter rule table with a predetermined period;
specifically, to prevent a malicious user from first obtaining an IP address from the DHCP server and then setting that same address manually in order to deceive the router that performs packet inspection, the emptying module in the embodiment of the present invention must empty the packet filter rule table periodically;
an update module, for updating the mapping table from the update messages sent by the DHCP server and from the manual configuration of the GUI administration interface.
Specifically, in the embodiment of the present invention the mapping table may be updated from the update messages sent by the DHCP server and from the manual configuration of the GUI administration interface. As shown in Fig. 2, updating of the MAC-IP mapping table has two triggers: the DHCP server and the GUI administration interface. When a new DHCP client joins, the client sends a DHCP Discover message to the DHCP server, the server replies with a DHCP Offer message and dynamically assigns an IP address to the client in the LAN, and the DHCP server then sends an update message, upon which the update module synchronously updates the MAC-IP mapping table. The administrator can also configure the table manually through the GUI administration interface, managing the MAC-IP mapping table with create, edit and delete operations.
The technical scheme of the present invention is illustrated below with an example.
Fig. 7 is the preferred structural diagram of the device for preventing manual specification of IP addresses in a LAN according to an embodiment of the present invention. As shown in Fig. 7, the router is provided with an access control module and a packet inspection module. The access control module has two main functions: managing the MAC-IP mapping table and managing the packet filter rule table. It creates packet filter rules dynamically according to the matching results of the packet inspection module, judges whether the network connection of a host with a manually specified IP address is wireless (for example Wi-Fi) and, if so, notifies the wireless module to disconnect that connection; it also empties the packet filter rule table periodically. The packet inspection module matches the packets sent by terminals against the mapping table and the packet filter rule table, lets legitimate packets pass, blocks illegitimate ones, and sends the matching result to the access control module.
That is, in this example the router contains an access control module and a packet inspection module. The access control module maintains the MAC-IP mapping table and the packet filter rule table, which the packet inspection module uses as the basis for packet inspection; at the same time, the access control module updates the MAC-IP mapping table and the packet filter rules synchronously according to the inspection results of the packet inspection module.
Below in conjunction with accompanying drawing, the above-mentioned technical proposal of the embodiment of the present invention is described in detail.
Fig. 3 is the flow chart of the renewal packet filtering rule list of the embodiment of the present invention, as shown in figure 3, including following process:
Step 301, receives the message that client sends, according to the mapping table of packet filtering rule list and MAC and IP to this Message is matched, and obtains matching result;
Step 302, judges whether message is legal according to matching result, if legal, execution step 303 otherwise, performs step Rapid 304;
Step 303, creates filtering rule, it is allowed to which sending the main frame of the message carries out normal data service, i.e. follow-up next Allow to pass through from the message of same main frame, execution step 306;
Step 304, creates filtering rule, does not allow the main frame for sending the message to carry out data service, i.e. follow-up from same No thoroughfare for the message of one main frame, execution step 305 and step 306;
Step 305, judgement does not allow whether the main frame for carrying out data service connects network by the way of wireless connection, such as Fruit is judged as YES, then disconnect the wireless connection of the main frame;
Step 306, according to the filtering rule for creating packet filtering rule list is updated, and the packet filtering rule list is carried out Periodically empty, the time interval in the cycle is defaulted as 5 minutes, can be adjusted as needed.
Fig. 4 is the process chart filtered to message of the embodiment of the present invention, according to packet filtering rule list and Tri- kinds of messages of TCP SYN, UDP, ARP are detected by MAC-IP mapping tables, and export testing result, and according to this detection As a result, synchronized update MAC-IP mapping tables and packet filtering list of rules, as shown in figure 4, including following process:
Step 401, load packet filtering rule list, according to packet filtering rule list to TCP SYN messages, UDP messages, ARP messages carry out message matching;
Step 402, if it is determined that being legal message, then allows to pass through, and flow process terminates;
Step 403, if it is determined that being invalid packet, then forbids message to pass through, if TCP SYN messages, then reply TCP RESET messages, to terminate TCP handshake procedures, terminate flow process;
Step 404, if if without any rule match, determining that the message is unknown message;
Step 405, extracts the MAC and IP address of the unknown message;
Step 406, loads MAC-IP mapping tables, judges the MAC and IP address of the unknown message whether in the mapping table, Matching result is obtained, if the match is successful, it is determined that the message is legal message, it is allowed to which message passes through, if matching is unsuccessful, Then determine that the message is invalid packet, forbid message to pass through, if TCP SYN messages, then reply TCP RESET messages;
Step 407, according to matching result packet filtering rule list is updated.
Fig. 5 is a detailed flowchart of the method for preventing manual specification of IP addresses in a LAN according to an embodiment of the present invention. As shown in Fig. 5, the process includes the following steps:
Step 501, the terminal initiates a data service request;
Step 502, load the packet filtering rule table and match the TCP, UDP and ARP packets against it;
Step 503, if the packet is determined to be legitimate, allow it to pass and end the process;
Step 504, if the packet is determined to be illegitimate, block it; if it is a TCP SYN packet, reply with a TCP RESET packet to terminate the TCP handshake, and end the process;
Step 505, if no rule matches, determine that the packet is an unknown packet;
Step 506, extract the MAC address and IP address of the unknown packet;
Step 507, load the MAC-IP mapping table and check whether the MAC address and IP address of the unknown packet are present in the mapping table, obtaining a matching result; if the pair is present, go to step 510; if it is not present, go to step 508;
Step 508, block the packet, replying with a TCP RESET packet if it is a TCP SYN packet, and determine whether the host that is forbidden from carrying out data services is connected to the network by a wireless connection; if so, go to step 509, otherwise go to step 510;
Step 509, disconnect the wireless connection of the host, then go to step 510;
Step 510, create a packet filtering rule according to the matching result, update the packet filtering rule table according to the created rule, and clear the packet filtering rule table periodically.
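The flows of Fig. 4 and Fig. 5 above, as an added example that is not part of the patent or of ZTE's implementation: a minimal Python model of the rule table, the MAC-IP mapping table fed by DHCP or GUI configuration, the TCP RESET reply on a blocked SYN, the wireless disconnect and the periodic clearing. The `Packet` and `ManualIpFilter` names, keying rules by the (MAC, IP) pair, and the `wireless` attribute on a packet are assumptions made for illustration; the traffic in `demo()` is constructed.

```python
"""Added example, not from the patent or ZTE: a model of the Fig. 4 / Fig. 5
packet-filtering flow.  The rule key (MAC, IP) and the `wireless` attribute
are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"          # dropped silently (UDP, ARP)
    DENY_RST = "deny+rst"  # dropped and answered with TCP RESET (steps 403 / 504)


@dataclass(frozen=True)
class Packet:
    proto: str              # "TCP_SYN", "UDP" or "ARP", the three kinds inspected
    src_mac: str
    src_ip: str
    wireless: bool = False  # assumed: whether the sending host is on a wireless link


@dataclass
class FilterEvent:
    verdict: Verdict
    rule_created: bool          # True when the packet was "unknown" and a rule was added
    wireless_disconnected: bool


HostKey = Tuple[str, str]  # (MAC, IP)


class ManualIpFilter:
    """Packet filtering rule table plus MAC-IP mapping table (steps 401-407 / 502-510)."""

    DEFAULT_FLUSH_PERIOD = 5 * 60  # seconds; the step 306 default, adjustable

    def __init__(self, flush_period: float = DEFAULT_FLUSH_PERIOD, now: float = 0.0):
        self.mapping: Set[HostKey] = set()    # legitimate (MAC, IP) pairs: DHCP leases / GUI entries
        self.rules: Dict[HostKey, bool] = {}  # True = first rule (allow), False = second rule (forbid)
        self.flush_period = flush_period
        self._last_flush = now

    # Mapping table maintenance (claim 5): DHCP server update message or GUI configuration.
    def learn_lease(self, mac: str, ip: str) -> None:
        self.mapping.add((mac, ip))

    def forget_lease(self, mac: str, ip: str) -> None:
        self.mapping.discard((mac, ip))

    # Steps 306 / 510: periodic clearing of the rule table.
    def tick(self, now: float) -> None:
        if now - self._last_flush >= self.flush_period:
            self.rules.clear()
            self._last_flush = now

    def filter(self, pkt: Packet, now: float) -> FilterEvent:
        self.tick(now)
        key = (pkt.src_mac, pkt.src_ip)
        if key in self.rules:                          # steps 401-403: an existing rule matched
            return FilterEvent(self._verdict(pkt, self.rules[key]), False, False)
        # Steps 404-406: unknown packet, consult the MAC-IP mapping table.
        allowed = key in self.mapping
        self.rules[key] = allowed                      # step 407 / 510: create rule, update table
        disconnected = (not allowed) and pkt.wireless  # steps 508-509
        return FilterEvent(self._verdict(pkt, allowed), True, disconnected)

    @staticmethod
    def _verdict(pkt: Packet, allowed: bool) -> Verdict:
        if allowed:
            return Verdict.ALLOW
        return Verdict.DENY_RST if pkt.proto == "TCP_SYN" else Verdict.DENY


def demo() -> List[FilterEvent]:
    """Constructed traffic: host 1 holds a DHCP lease, host 2 set 192.168.1.20 by hand."""
    f = ManualIpFilter(flush_period=300, now=0.0)
    f.learn_lease("aa:bb:cc:dd:ee:01", "192.168.1.10")
    events = [
        f.filter(Packet("TCP_SYN", "aa:bb:cc:dd:ee:01", "192.168.1.10"), now=0),
        f.filter(Packet("UDP", "aa:bb:cc:dd:ee:01", "192.168.1.10"), now=1),
        f.filter(Packet("TCP_SYN", "aa:bb:cc:dd:ee:02", "192.168.1.20", wireless=True), now=2),
        f.filter(Packet("ARP", "aa:bb:cc:dd:ee:02", "192.168.1.20"), now=3),
    ]
    # The administrator registers host 2 through the GUI.  The cached forbid rule
    # still applies until the next periodic clearing, after which host 2 is re-evaluated.
    f.learn_lease("aa:bb:cc:dd:ee:02", "192.168.1.20")
    events.append(f.filter(Packet("UDP", "aa:bb:cc:dd:ee:02", "192.168.1.20"), now=4))
    events.append(f.filter(Packet("UDP", "aa:bb:cc:dd:ee:02", "192.168.1.20"), now=301))
    return events


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Two properties of the flow are visible in `demo()`. The verdict for a host is cached in the rule table, so a pair learned after a forbid rule was created only takes effect at the next periodic clearing, which is why step 306 makes the period adjustable. And the decision rests solely on whether the (MAC, IP) pair is present in the mapping table: a host presenting a pair that is already in the table is treated as legitimate regardless of how it came by those addresses, so the mapping table must be kept consistent with the DHCP server's leases.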
By means of the technical solution of the embodiments of the present invention, the packet sent by a terminal is parsed to determine whether it was sent by a host with a manually specified IP address, and packets sent by such hosts are blocked. This solves the prior-art problem that manually specified IP addresses readily cause IP conflicts in a LAN: the data services of hosts with manually specified IP addresses can be forbidden, reducing the probability of IP address conflicts in the LAN.
Although preferred embodiments of the present invention have been disclosed for purposes of example, those skilled in the art will recognize that various improvements, additions and substitutions are possible; the scope of the present invention should therefore not be limited to the above embodiments.

Claims (8)

1. A method for preventing manual specification of an Internet Protocol (IP) address in a local area network (LAN), characterized in that it comprises:
receiving a packet sent by a terminal, and determining, according to a preset packet filtering rule table and a preset mapping table of Media Access Control (MAC) addresses to IP addresses, whether the packet was sent by a host with a manually specified IP address;
where the packet is determined to have been sent by a host whose IP address was not manually specified, allowing the packet to pass, and where the packet is determined to have been sent by a host with a manually specified IP address, blocking the packet;
wherein determining, according to the preset packet filtering rule table and mapping table, whether the packet was sent by a host with a manually specified IP address specifically comprises:
matching the filtering rules in the packet filtering rule table against the packet, the filtering rules including a first filtering rule that allows a host whose IP address was not manually specified to carry out data services, and a second filtering rule that forbids a host with a manually specified IP address from carrying out data services;
if the first filtering rule is matched, determining that the packet was sent by a host whose IP address was not manually specified, and if the second filtering rule is matched, determining that the packet was sent by a host with a manually specified IP address;
if neither the first filtering rule nor the second filtering rule is matched, extracting the MAC address and IP address from the packet and checking whether that MAC address and IP address are present in the mapping table; if they are present, determining that the packet was sent by a host whose IP address was not manually specified, and if they are not present, determining that the packet was sent by a host with a manually specified IP address.
2. The method according to claim 1, characterized in that the method further comprises:
where the matching of the MAC address and IP address of the packet against the mapping table succeeds, creating a filtering rule that allows the host that sent the packet to carry out data services, and updating the packet filtering rule table;
where the matching of the MAC address and IP address of the packet against the mapping table fails, creating a filtering rule that forbids the host that sent the packet from carrying out data services, and updating the packet filtering rule table.
3. The method according to claim 2, characterized in that, after creating the filtering rule that forbids the host that sent the packet from carrying out data services, the method further comprises:
determining the network connection mode of the host that the filtering rule forbids from carrying out data services, and if the network connection mode of that host is a wireless connection, disconnecting the wireless connection between the host and the network.
4. The method according to claim 1, characterized in that the packet comprises a Transmission Control Protocol (TCP) connection establishment packet, a User Datagram Protocol (UDP) packet or an Address Resolution Protocol (ARP) packet;
and blocking the packet where it is determined to have been sent by a host with a manually specified IP address specifically comprises:
where the packet is determined to have been sent by a host with a manually specified IP address, if the packet is the TCP connection establishment packet, replying to the terminal with a TCP RESET packet that terminates the connection establishment.
5. The method according to claim 1, characterized in that the method further comprises:
clearing the packet filtering rule table at a predetermined period;
updating the mapping table according to update messages sent by a Dynamic Host Configuration Protocol (DHCP) server and according to manual configuration entered through a graphical user interface (GUI) management interface.
6. A device for preventing manual specification of an Internet Protocol (IP) address in a local area network (LAN), characterized in that it comprises:
a determining module, configured to receive a packet sent by a terminal and to determine, according to a preset packet filtering rule table and a preset mapping table of Media Access Control (MAC) addresses to IP addresses, whether the packet was sent by a host with a manually specified IP address;
a processing module, configured to allow the packet to pass where the packet is determined to have been sent by a host whose IP address was not manually specified, and to block the packet where it is determined to have been sent by a host with a manually specified IP address;
wherein the determining module is specifically configured to:
match the filtering rules in the packet filtering rule table against the packet, the filtering rules including a first filtering rule that allows a host whose IP address was not manually specified to carry out data services, and a second filtering rule that forbids a host with a manually specified IP address from carrying out data services;
if the first filtering rule is matched, determine that the packet was sent by a host whose IP address was not manually specified, and if the second filtering rule is matched, determine that the packet was sent by a host with a manually specified IP address;
if neither the first filtering rule nor the second filtering rule is matched, extract the MAC address and IP address from the packet and check whether that MAC address and IP address are present in the mapping table; if they are present, determine that the packet was sent by a host whose IP address was not manually specified, and if they are not present, determine that the packet was sent by a host with a manually specified IP address.
7. The device according to claim 6, characterized in that the device further comprises:
a creation module, configured to create, where the matching of the MAC address and IP address of the packet against the mapping table succeeds, a filtering rule that allows the host that sent the packet to carry out data services and update the packet filtering rule table, and to create, where that matching fails, a filtering rule that forbids the host that sent the packet from carrying out data services and update the packet filtering rule table;
a disconnection module, configured to determine the network connection mode of the host that the filtering rule forbids from carrying out data services and, if the network connection mode of that host is a wireless connection, to disconnect the wireless connection between the host and the network;
a clearing module, configured to clear the packet filtering rule table at a predetermined period;
an update module, configured to update the mapping table according to update messages sent by a DHCP server and according to manual configuration entered through a GUI management interface.
8. The device according to claim 6, characterized in that the packet comprises a Transmission Control Protocol (TCP) connection establishment packet, a User Datagram Protocol (UDP) packet or an Address Resolution Protocol (ARP) packet;
and the processing module is specifically configured to: where the packet is determined to have been sent by a host with a manually specified IP address, if the packet is the TCP connection establishment packet, reply to the terminal with a TCP RESET packet that terminates the connection establishment.
CN201110261830.6A 2011-09-06 2011-09-06 Method for preventing manual Internet protocol (IP) address specification in local area network and device Active CN102316034B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110261830.6A CN102316034B (en) 2011-09-06 2011-09-06 Method for preventing manual Internet protocol (IP) address specification in local area network and device
PCT/CN2011/082553 WO2012151927A1 (en) 2011-09-06 2011-11-21 Method and device for preventing manually designating ip address within local area network

Publications (2)

Publication Number Publication Date
CN102316034A CN102316034A (en) 2012-01-11
CN102316034B true CN102316034B (en) 2017-05-10

Family

ID=45428866

Country Status (2)

Country Link
CN (1) CN102316034B (en)
WO (1) WO2012151927A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152255B (en) * 2013-02-20 2016-06-29 神州数码网络(北京)有限公司 A data forwarding method and apparatus
CN105978844A (en) * 2015-06-04 2016-09-28 乐视致新电子科技(天津)有限公司 Network access control method, router and system based on router
CN106131235A (en) * 2016-06-28 2016-11-16 上海斐讯数据通信技术有限公司 An IP address configuration method
CN114237141A (en) * 2021-12-22 2022-03-25 徐州徐工挖掘机械有限公司 Remote control system of excavator
CN115514555A (en) * 2022-09-20 2022-12-23 南京中孚信息技术有限公司 Network information processing method and device, electronic equipment and readable storage medium

Citations (2)

Publication number Priority date Publication date Assignee Title
CN1571374A (en) * 2003-07-23 2005-01-26 华为技术有限公司 A method for controlling access right of private network user
CN101378350A (en) * 2007-08-27 2009-03-04 上海市闵行中学 Solution method for usurpation of LAN IP address

Family Cites Families (7)

Publication number Priority date Publication date Assignee Title
US7213047B2 (en) * 2002-10-31 2007-05-01 Sun Microsystems, Inc. Peer trust evaluation using mobile agents in peer-to-peer networks
CN101641933A (en) * 2006-12-22 2010-02-03 艾利森电话股份有限公司 Preventing spoofing
CN101022340B (en) * 2007-03-30 2010-11-24 武汉烽火网络有限责任公司 Intelligent control method for realizing metro Ethernet switch access security
CN101834864B (en) * 2010-04-30 2015-06-10 中兴通讯股份有限公司 Method and device for preventing attacks in a layer-3 virtual private network
CN101895587B (en) * 2010-07-06 2015-09-16 中兴通讯股份有限公司 Method, device and system for preventing users from modifying IP addresses without authorization
CN102170484B (en) * 2011-04-08 2013-10-09 北京华为数字技术有限公司 IP address conflict detection method and device
CN102185840B (en) * 2011-04-22 2015-08-19 上海华为技术有限公司 An authentication method, device and system

Also Published As

Publication number Publication date
WO2012151927A1 (en) 2012-11-15
CN102316034A (en) 2012-01-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant