CN102571579A - ARP (Address Resolution Protocol) message processing method and device - Google Patents


Info

Publication number: CN102571579A
Authority: CN (China)
Application number: CN2011104576524A
Priority application: CN201110457652.4A
Other languages: Chinese (zh)
Other versions: CN102571579B (en)
Inventors: 丁振, 边陆, 向明
Current Assignee: Beijing Qihoo Technology Co Ltd
Original Assignee: Qizhi Software Beijing Co Ltd
Legal status: Granted (active)


Abstract

The invention provides an ARP (Address Resolution Protocol) message processing method and device. The method comprises the following steps: acquiring an ARP message; judging the type of the ARP message; and processing the ARP message according to its type: if the ARP message is a broadcast packet transmitted out from the local machine, judging whether the broadcast packet is an ARP broadcast packet transmitted from the local machine to a gateway; if it is, modifying the ARP request into an ARP reply packet and transmitting the ARP reply packet to the gateway; if it is not, discarding the broadcast packet; if the ARP message is an ARP reply packet, judging whether it is an ARP reply packet transmitted from the local machine to the gateway; if it is, transmitting the ARP reply packet to the gateway; if it is not, discarding the ARP reply packet. Through the invention, defense against ARP message spoofing is realized without affecting Internet access, and the security of the local area network is guaranteed.

Description

ARP message processing method and device
Technical field
The application relates to the field of network technology, and in particular to an ARP (Address Resolution Protocol) message processing method and device.
Background technology
The ARP protocol is one of the lower-layer protocols in the TCP/IP (Transmission Control Protocol/Internet Protocol) stack. Its function is to map an IP address to an Ethernet hardware address, that is, to a MAC (Media Access Control) address.
ARP ensures smooth communication by looking up the MAC address of a target device from its IP address. In a local area network (LAN), network data is encapsulated in Ethernet frames, and every frame carries the MAC address of the destination host. For one host to communicate directly with another it must know the destination host's MAC address, and that destination MAC address is obtained through ARP. Address resolution is the process by which a host converts a target IP address into a target MAC address before sending a data frame.
When ARP is used for communication, every computer with TCP/IP installed keeps an ARP cache table in which IP addresses and MAC addresses correspond one to one, as shown in Table 1.
MAC                 IP
01-01-01-01-01-01   192.168.1.101
02-02-02-02-02-02   192.168.1.102
03-03-03-03-03-03   192.168.1.103
04-04-04-04-04-04   192.168.1.104
Take host A (192.168.1.100) sending data to host B (192.168.1.101) as an example. When sending, host A first looks in its own ARP cache table for the target IP address. If it is found, the destination MAC address is known and can be written directly into the frame for transmission. If the IP address is not found in the ARP cache table, host A sends an ARP Request packet onto the network. The destination MAC address of the Request packet is FF-FF-FF-FF-FF-FF, which means it is broadcast: all hosts in the same network segment receive the query "What is the MAC address of 192.168.1.101?". The other hosts on the network do not answer the ARP Request; when host B receives the frame, it answers host A: "The MAC address of 192.168.1.101 is 02-02-02-02-02-02". Host A now knows host B's MAC address and can send data to it. At the same time it updates its own ARP cache table, so the next time it sends to host B it looks the address up directly in the cache. Host B likewise records host A's MAC address and does not need to broadcast again when it next sends to host A.
As the ARP exchange above shows, communication based on the ARP cache table is efficient and easy to maintain, but it also has security defects. First, after host A receives host B's ARP reply it creates the mapping between host B's IP address and MAC address in its own ARP cache table, but host A does not verify the authenticity, validity or consistency of that mapping. Second, host A by default treats every ARP reply it receives as legitimate: even when host A has sent no ARP request, it still rewrites its ARP cache table according to a received ARP reply; likewise, host A can send ARP replies to other hosts without any ARP request having been made. This is what makes ARP attacks possible.
An ARP attack exploits exactly this inherent defect of the ARP protocol: by modifying the data in ARP packets it performs ARP spoofing, and data can then be sniffed and hijacked. For example, a Trojan can hijack and modify data to plant malicious code in web pages and steal account credentials, and P2P tools can use the ARP spoofing principle to control LAN bandwidth, causing uneven bandwidth distribution and disrupting the LAN environment.
In short, the urgent technical problem for those skilled in the art is: how to defend effectively against ARP packet spoofing so as to improve LAN security.
Summary of the invention
The technical problem to be solved by this application is to provide an ARP message processing method and device that address the inability of the prior art to defend effectively against ARP packet spoofing and ensure LAN security.
To solve the above problem, this application discloses an ARP message processing method comprising: obtaining an ARP message and determining its type; and processing the ARP message according to its type, which comprises: if the ARP message is a broadcast packet sent outward by the local host, determining whether the broadcast packet is an ARP request packet sent by the local host to the gateway; if so, rewriting the ARP request packet as an ARP reply packet and sending the ARP reply packet to the gateway; if not, discarding the broadcast packet; if the ARP message is an ARP reply packet, determining whether it is an ARP reply packet sent by the local host to the gateway; if so, sending the ARP reply packet to the gateway; if not, discarding the ARP reply packet.
Preferably, after the step of processing the ARP message according to its type, the method further comprises: the host sends a switch active-defense packet to the switch where the gateway is located, wherein the switch active-defense packet is used to refresh the entry for the local host in the switch's content-addressable memory (CAM) table to the correct entry data.
Preferably, the switch active-defense packet contains Ethernet source address information and Ethernet destination address information; the Ethernet source address is the Media Access Control (MAC) address of the local host, and the Ethernet destination address is the MAC address of the switch.
Preferably, the switch active-defense packet is an Ethernet packet whose length is the same as that of an ARP request packet, and whose Ethernet type field and all other data fields are set to 0.
Preferably, the ARP message processing method further comprises: while the host sends the switch active-defense packet to the switch where the gateway is located, it also sends standard ARP packets at a set frequency.
Preferably, before the step of obtaining the ARP message and determining its type, the method further comprises: the host sends standard ARP packets to the gateway at varying time intervals, and determines the real MAC address of the gateway from the ARP reply packets returned in response to the standard ARP packets sent.
Preferably, the step of the host sending standard ARP packets to the gateway at varying time intervals comprises: the host sends the standard ARP packets to the gateway at time intervals of T × 2^n, where T is a set time constant and n is the sequence number of the standard ARP packet sent.
Preferably, the step of the host sending standard ARP packets to the gateway at varying time intervals comprises: the host first sends a set number of the standard ARP packets to the gateway at an identical time interval; then, after a pause longer than that identical time interval, it again sends the set number of standard ARP packets to the gateway at the identical time interval.
Preferably, the step of determining the real MAC address of the gateway from the ARP reply packets returned in response to the standard ARP packets sent comprises: obtaining the ARP reply packets returned at the varying time intervals in response to the standard ARP packets sent, and determining the real MAC address of the gateway from the obtained ARP reply packets.
Preferably, if more than one real gateway MAC address is determined from the obtained ARP reply packets, the method further comprises: the host uses each of the determined real gateway MAC addresses in turn to access the public network; if access succeeds, the gateway MAC address currently in use for the successful public-network access is taken as the real MAC address of the gateway.
Preferably, after the step of obtaining the ARP message, the method further comprises: if the mapping between the gateway IP address and the gateway MAC address in the ARP message is inconsistent with the mapping in the local host's ARP cache table, forbidding modification of the ARP cache table; or, if the mapping between the local host's IP address and the local host's MAC address in the ARP message is inconsistent with the mapping in the local host's ARP cache table, forbidding modification of the ARP cache table.
To solve the above problem, this application also discloses an ARP message processing device comprising: an obtaining and judging module, used to obtain an ARP message and determine its type; and a judging and executing module, used to process the ARP message according to its type, which comprises: a first judging and executing module, used, if the ARP message is a broadcast packet sent outward by the local host, to determine whether the broadcast packet is an ARP request packet sent by the local host to the gateway, and if so to rewrite the ARP request packet as an ARP reply packet and send the ARP reply packet to the gateway, and if not to discard the broadcast packet; and a second judging and executing module, used, if the ARP message is an ARP reply packet, to determine whether it is an ARP reply packet sent by the local host to the gateway, and if so to send the ARP reply packet to the gateway, and if not to discard it.
Preferably, the ARP message processing device further comprises a first sending module, used, after the judging and executing module has processed the ARP message according to its type, to send a switch active-defense packet to the switch where the gateway is located, wherein the switch active-defense packet is used to refresh the entry for the local host in the switch's content-addressable memory (CAM) table to the correct entry data.
Preferably, the switch active-defense packet contains Ethernet source address information and Ethernet destination address information; the Ethernet source address is the Media Access Control (MAC) address of the local host, and the Ethernet destination address is the MAC address of the switch.
Preferably, the switch active-defense packet is an Ethernet packet whose length is the same as that of an ARP request packet, and whose Ethernet type field and all other data fields are set to 0.
Preferably, the first sending module is also used to send standard ARP packets at a set frequency while sending the switch active-defense packet to the switch where the gateway is located.
Preferably, the ARP message processing device further comprises: a second sending module, used, before the obtaining and judging module obtains the ARP message and determines its type, to send standard ARP packets to the gateway at varying time intervals; and a gateway address acquisition module, used to determine the real MAC address of the gateway from the ARP reply packets returned in response to the standard ARP packets sent.
Preferably, the second sending module is used to send the standard ARP packets to the gateway at time intervals of T × 2^n, where T is a set time constant and n is the sequence number of the standard ARP packet sent.
Preferably, the second sending module is used to first send a set number of the standard ARP packets to the gateway at an identical time interval and then, after a pause longer than that identical time interval, to again send the set number of standard ARP packets to the gateway at the identical time interval.
Preferably, the gateway address acquisition module is used to obtain the ARP reply packets returned at the varying time intervals in response to the standard ARP packets sent, and to determine the real MAC address of the gateway from the obtained ARP reply packets.
Preferably, the ARP message processing device further comprises a gateway address selection module, used, if the gateway address acquisition module determines more than one real gateway MAC address, to access the public network with each of the determined real gateway MAC addresses in turn; if access succeeds, the gateway MAC address currently in use for the successful public-network access is taken as the real MAC address of the gateway.
Preferably, the ARP message processing device further comprises a filtering module, used, after the obtaining and judging module obtains the ARP message, to forbid modification of the local host's ARP cache table if the mapping between the gateway IP address and the gateway MAC address in the ARP message is inconsistent with the mapping in the ARP cache table, or to forbid modification of the ARP cache table if the mapping between the local host's IP address and the local host's MAC address in the ARP message is inconsistent with the mapping in the ARP cache table.
Compared with the prior art, the application has the following advantages:
By determining the type of each ARP message, the application processes ARP messages differently according to type: it blocks the broadcast packets the host sends to other hosts and blocks replies to ARP requests sent by other hosts; it lets through ARP reply packets addressed to the gateway; and it rewrites the ARP request packets the local host sends to the gateway into ARP reply packets before sending them. Through this processing, the ARP packets the local host would send to other hosts in the LAN are intercepted, so the local host's MAC address cannot be scanned, and the local host becomes invisible ("stealthy") in the LAN; the local host's broadcast packets to the gateway are intercepted and rewritten into directed reply packets, so data can still flow in both directions between the local host and the gateway and the local host can still access the public network. Because the local host's MAC address cannot be scanned by other hosts, other hosts cannot impersonate it with ARP messages, which effectively prevents ARP packet spoofing and ensures LAN security. And because data flows in both directions between the local host and the gateway, the local host can access the public network, so LAN security is ensured and the user's experience is improved by an ARP spoofing defense that does not affect Internet access.
Description of drawings
Fig. 1 is a flowchart of the steps of an ARP message processing method according to embodiment one of the application;
Fig. 2 is a flowchart of the steps of an ARP message processing method according to embodiment two of the application;
Fig. 3 is a flowchart of the steps of an ARP message processing method according to embodiment three of the application;
Fig. 4 is a flowchart of the steps by which the host in the ARP message processing method of Fig. 3 achieves LAN stealth;
Fig. 5 is a structural block diagram of an ARP message processing device according to embodiment four of the application.
Embodiment
To make the above objects, features and advantages of the application clearer and easier to understand, the application is described in further detail below with reference to the drawings and embodiments.
Embodiment one
Referring to Fig. 1, a flowchart of the steps of an ARP message processing method according to embodiment one of the application is shown.
The ARP message processing method of this embodiment comprises the following steps:
Step S102: obtain an ARP message and determine its type.
Step S104: if the ARP message is a broadcast packet sent outward by the local host, determine whether the broadcast packet is an ARP request packet sent by the local host to the gateway; if so, rewrite the ARP request packet as an ARP reply packet and send the ARP reply packet to the gateway; if not, discard the broadcast packet.
Rewriting the ARP request packet as an ARP reply packet turns it into a directed packet sent to the gateway rather than a broadcast, so the host's MAC address cannot be scanned by other hosts and therefore cannot be impersonated or misused; at the same time, rewriting the ARP request as an ARP reply and sending it to the gateway keeps data flowing in both directions between the host and the gateway, ensuring that the host can access the public network.
Step S106: if the ARP message is an ARP reply packet, determine whether it is an ARP reply packet sent by the local host to the gateway; if so, send the ARP reply packet to the gateway; if not, discard it.
Letting through the ARP reply packets sent to the gateway, while preventing the host from answering ARP requests from other hosts in the network, likewise keeps the host's MAC address from being scanned by other hosts and ensures that data flows in both directions between the host and the gateway, so the host can access the public network.
This embodiment processes ARP messages differently according to type: it blocks the broadcast packets the host sends to other hosts and blocks replies to ARP requests sent by other hosts; it lets through ARP reply packets addressed to the gateway; and it rewrites the ARP request packets the local host sends to the gateway into ARP reply packets before sending them. Through this processing, the ARP packets the local host would send to other hosts in the LAN are intercepted, so the local host's MAC address cannot be scanned and the local host becomes stealthy in the LAN; the local host's broadcast packets to the gateway are intercepted and rewritten into directed reply packets, so data still flows in both directions between the local host and the gateway and the local host can access the public network. Because the local host's MAC address cannot be scanned by other hosts, other hosts cannot impersonate it with ARP messages, which effectively prevents ARP packet spoofing and ensures LAN security. And because data flows in both directions between the local host and the gateway, the local host can access the public network, so LAN security is ensured and the user's experience is improved by an ARP spoofing defense that does not affect Internet access.
Embodiment two
Referring to Fig. 2, a flowchart of the steps of an ARP message processing method according to embodiment two of the application is shown.
The ARP message processing method of this embodiment comprises the following steps:
Step S202: perform gateway detection to obtain the real gateway MAC address.
The real gateway MAC address is the basis for normal communication between the host and the gateway; in implementation, those skilled in the art may obtain the real gateway MAC address in any suitable way.
Preferably, this embodiment sends standard ARP packets to the gateway at varying time intervals and determines the real gateway MAC address from the replies.
One preferred way of sending standard ARP packets to the gateway at varying time intervals is the variable-frequency sending method: standard ARP packets are sent with a spacing of T × 2^n, where T is a set time constant, generally the smallest interval that meets requirements (too short an interval may make packet capture impossible, while too long an interval makes the exchange of information slow and processing inefficient), for example 10 ms, and n is the packet sequence number. After a number of packets (referred to here as switch active-defense packets) have been sent in this variable-frequency way, for example with n set to 5, the real gateway MAC address can be determined from the ARP reply packets received in response to them: the MAC address that answers the packets one for one is taken as the real gateway MAC address. This works because ARP spoofers habitually perform gateway spoofing by sending packets on a fixed timer, so when a spoofer receives a standard ARP packet it also replies on a fixed timer, that is, once every fixed period (for example every 10 ms). Taking intervals of 10 ms, 20 ms and 40 ms as an example: the host sends three ARP packets to the gateway at these three points in time; the real gateway answers the three packets at the same varying intervals and sends three ARP replies to the host; but because the spoofer replies on a timer, it sends the host two replies in the second, 20 ms interval and four replies in the third, 40 ms interval. By examining the collected replies the host can accurately identify the real gateway. The variable-frequency sending method therefore needs at most three packets to recognise the spoofed gateway packets sent by a periodic poller, and thus to identify the real gateway MAC.
Another preferred way of sending standard ARP packets to the gateway at varying time intervals is the intermittent sending method: the host first sends a set number of standard ARP packets to the gateway at an identical time interval, then, after a pause longer than that interval, sends the set number of standard ARP packets to the gateway again at the same interval. For example, the host sends 3 packets to the gateway consecutively at 10 ms intervals, pauses for 30 ms, sends 3 more packets consecutively at 10 ms intervals, and so on. The real gateway sends no replies to the host during the host's 30 ms pause, whereas the spoofer keeps replying on its timer, so within the 30 ms pause the host still receives three replies from the spoofer. The host examines the collected replies and takes the gateway MAC address in the replies that follow the varying intervals as the real MAC address of the gateway.
Note that if the technician did not set the IP addresses of several switches during initial network setup, so that several switches use the same default IP address, gateway detection will yield several real gateway MAC addresses. In that case the host tries to access the public network using each of these gateway MAC addresses in turn and checks whether access succeeds; when access to the public network succeeds with a certain gateway MAC address, that address is taken as the real MAC address of the gateway, and the other gateway MAC addresses are not tried or used.
Note that this step and step S204 may be executed in either order.
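As an added illustration, not the patent's own code, the following Python analyses a constructed set of ARP replies for both probing schemes described above: the variable-frequency scheme (observation windows of T × 2^n ms) and the intermittent scheme (bursts separated by a quiet gap). The window layout, the reply timings and the `can_reach_public_net` callback used for the several-gateways case are assumptions made for the example.

```python
from collections import defaultdict

T_MS = 10  # smallest usable interval; 10 ms in the patent's example


def variable_frequency_windows(t_ms=T_MS, n_probes=3):
    """Observation windows of the variable-frequency scheme (assumed layout): probe n is
    sent at the start of window n, which lasts T * 2**n ms (10, 20, 40 ms for T = 10)."""
    windows, start = [], 0
    for n in range(n_probes):
        end = start + t_ms * 2 ** n
        windows.append((start, end))
        start = end
    return windows


def replies_per_window(windows, replies):
    """replies: (t_ms, sender_mac) pairs. Returns {mac: [count in window 0, window 1, ...]}."""
    counts = defaultdict(lambda: [0] * len(windows))
    for t, sender in replies:
        for i, (start, end) in enumerate(windows):
            if start <= t < end:
                counts[sender][i] += 1
                break
    return dict(counts)


def real_gateway_candidates(windows, replies):
    """A real gateway answers each probe exactly once whatever the spacing; a timer-driven
    spoofer answers (window length / its period) times, so its counts grow 1, 2, 4, ..."""
    return sorted(sender for sender, c in replies_per_window(windows, replies).items()
                  if all(n == 1 for n in c))


def intermittent_quiet_gaps(burst_size=3, spacing_ms=T_MS, gap_ms=30, bursts=2):
    """Quiet gaps of the intermittent scheme: bursts of `burst_size` probes `spacing_ms`
    apart, separated by `gap_ms` of silence (3 probes at 10 ms, then 30 ms, in the patent)."""
    gaps, t = [], 0
    for _ in range(bursts - 1):
        t += burst_size * spacing_ms      # the burst's last probe went out at t - spacing_ms
        gaps.append((t, t + gap_ms))
        t += gap_ms
    return gaps


def quiet_gap_talkers(gaps, replies):
    """MACs that reply while no probe is outstanding: only a spoofer on a timer does that."""
    return sorted({sender for t, sender in replies if any(s <= t < e for s, e in gaps)})


def intermittent_candidates(gaps, replies):
    talkers = set(quiet_gap_talkers(gaps, replies))
    return sorted({sender for _, sender in replies} - talkers)


def select_gateway(candidates, can_reach_public_net):
    """Several MACs may survive (e.g. several switches left at the same default IP); the patent
    then tries each until public-network access succeeds. The check is a caller-supplied
    callback here (assumed interface), since it needs real network access."""
    for candidate in candidates:
        if can_reach_public_net(candidate):
            return candidate
    return None


# Constructed capture (not real devices): the real gateway answers 1 ms after each probe,
# the spoofer answers every 10 ms regardless of when probes are sent.
GW, FAKE = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
# probes at 0, 10, 30 ms
VF_REPLIES = [(1, GW), (11, GW), (31, GW)] + [(t, FAKE) for t in range(0, 70, 10)]
# probes at 0, 10, 20 ms, quiet 30..60 ms, probes at 60, 70, 80 ms
IM_REPLIES = ([(1, GW), (11, GW), (21, GW), (61, GW), (71, GW), (81, GW)]
              + [(t, FAKE) for t in range(0, 90, 10)])
```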
Step S204: set an ARP cache table protection strategy to prevent the correct ARP cache table from being tampered with.
There are many anti-tampering methods (ARP cache table protection strategies); this embodiment uses the inbound spoofed-packet filtering method. That is: determine whether the mapping between the gateway IP address and the gateway MAC address in an incoming ARP message is consistent with the mapping in the local host's ARP cache table, and if it is not, forbid modification of the local host's ARP cache table; or determine whether the mapping between the local host's IP address and the local host's MAC address in the incoming ARP message is consistent with the mapping in the local host's ARP cache table, and if it is not, forbid modification of the table. Inbound filtering blocks illegitimate ARP packets and allows legitimate ones; because it intercepts at the entry point, the ARP address table cannot be spoofed. Its advantage is that the ARP address table is protected without the user having to be forbidden from operating on it.
Step S206: obtain an ARP message.
Step S208: determine whether the mapping between the gateway IP address and the gateway MAC address, or between the local host's IP address and the local host's MAC address, in the ARP message is consistent with the mapping in the local host's ARP cache table; if it is inconsistent, discard the message, raise an alarm and end the processing of this ARP message; if it is consistent, execute step S210.
Step S210: determine the type of the ARP message: if it is a broadcast packet sent outward by the local host, execute step S212; if it is an ARP reply packet, execute step S218.
Step S212: determine whether the broadcast packet is an ARP request packet sent by the local host to the gateway; if so, execute step S214; if not, execute step S216.
Step S214: rewrite the ARP request packet as an ARP reply packet, send the ARP reply packet to the gateway, and end the processing of this ARP message.
Step S216: discard the broadcast packet and end the processing of this ARP message.
Step S218: determine whether the ARP reply packet is an ARP reply packet sent by the local host to the gateway; if so, execute step S220; if not, execute step S222.
Step S220: send the ARP reply packet to the gateway and end the processing of this ARP message.
Step S222: discard the ARP reply packet and end the processing of this ARP message.
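As an added illustration, not code from the patent, the following Python simulates the per-packet decisions of steps S208 to S222 above (and the equivalent steps S104 and S106 of embodiment one) on constructed Ethernet/ARP frames. The host, gateway and attacker addresses are assumed sample values, and the rewrite of a request into a reply (set the opcode to reply and address the frame and target hardware field to the gateway) is one plausible implementation, not a detail the patent specifies.

```python
import struct

# Ethernet header (dst MAC, src MAC, EtherType) and the ARP body for Ethernet/IPv4 (RFC 826)
ETH = struct.Struct("!6s6sH")
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac(text):
    """'02-02-02-02-02-02' or '02:02:02:02:02:02' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def ip4(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    return ETH.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP.pack(1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


def parse_arp(frame):
    eth_dst, eth_src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


class ArpGuard:
    """Per-packet decision flow of steps S208-S222 for one protected host."""

    def __init__(self, host_mac, host_ip, gw_mac, gw_ip):
        self.host_mac, self.host_ip = host_mac, host_ip
        self.gw_mac, self.gw_ip = gw_mac, gw_ip
        # Protected ARP cache: the gateway binding learnt by probing (S202) and our own binding
        self.cache = {gw_ip: gw_mac, host_ip: host_mac}

    def cache_consistent(self, p):
        """S208 (the inbound filter of S204): every IP<->MAC binding the packet carries for the
        gateway or for this host must equal the protected cache entry. A target hardware
        address of zeros or broadcast (as in a request) carries no binding and is ignored."""
        for addr_ip, addr_mac in ((p["spa"], p["sha"]), (p["tpa"], p["tha"])):
            if addr_ip in self.cache and addr_mac not in (ZERO_MAC, BROADCAST):
                if addr_mac != self.cache[addr_ip]:
                    return False
        return True

    def process(self, frame):
        """Return (action, frame_to_send); action is 'alarm', 'drop' or 'send'."""
        p = parse_arp(frame)
        if not self.cache_consistent(p):                             # S208
            return "alarm", None
        outbound = p["eth_src"] == self.host_mac
        if outbound and p["eth_dst"] == BROADCAST:                   # S210: broadcast sent by this host
            if p["oper"] == ARP_REQUEST and p["tpa"] == self.gw_ip:  # S212: is it a request to the gateway?
                # S214: rewrite as a unicast reply addressed to the gateway, so the gateway
                # learns our binding while no other host sees our MAC
                reply = build_arp(self.gw_mac, self.host_mac, ARP_REPLY,
                                  self.host_mac, self.host_ip, self.gw_mac, self.gw_ip)
                return "send", reply
            return "drop", None                                      # S216
        if p["oper"] == ARP_REPLY:                                   # S210 -> S218
            if outbound and p["eth_dst"] == self.gw_mac and p["tpa"] == self.gw_ip:
                return "send", frame                                 # S220
            return "drop", None                                      # S222
        # Requests from other hosts are not in the flow; not answering them is what keeps the
        # host unscannable (assumption), so they are dropped here as well.
        return "drop", None


# Constructed sample addresses in the style of Table 1 (not real devices)
HOST_MAC, HOST_IP = mac("01-01-01-01-01-01"), ip4("192.168.1.101")
GW_MAC, GW_IP = mac("0a-0a-0a-0a-0a-0a"), ip4("192.168.1.1")
guard = ArpGuard(HOST_MAC, HOST_IP, GW_MAC, GW_IP)
```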
In this embodiment, inbound spoofed-packet filtering protects the ARP cache table on the host from malicious tampering; switch active-defense packets and the variable-frequency sending method ensure that the gateway MAC address held by the host is correct; and processing ARP messages differently according to type makes the host stealthy in the LAN, so that its MAC address cannot be scanned by other hosts in the network, while normal communication between the local host and the public network is preserved. Thus this embodiment both effectively prevents ARP packet spoofing, ensuring LAN security, and improves the user's experience.
Embodiment three
Referring to Fig. 3, a flow chart of the steps of an ARP message processing method according to embodiment three of the application is shown.
This embodiment adds defense against switch port spoofing on top of the defense against ARP spoofing.
Switch port spoofing targets the data forwarding principle of the switch: it spoofs the way the content-addressable memory (CAM) table in the switch is built. Through switch port spoofing, data can be sniffed and hijacked; in principle it is the same as ARP spoofing. A trojan can plant malicious code and steal accounts by modifying the hijacked data, and P2P tools can use the switch port spoofing principle to control LAN bandwidth, producing an unbalanced distribution of LAN speed and disrupting the LAN environment. At present the security field has no good technical solution for defending against this attack. This embodiment combines LAN stealth technology with switch active-defense technology and can therefore effectively resist switch port spoofing attacks.
Summarizing the switch port spoofing principle together with the ARP protocol principle and its use: to prevent switch port spoofing, on the one hand the host must be kept "invisible" so that its MAC cannot be detected; if the spoofer cannot obtain the host MAC, it cannot carry out the spoof. On the other hand, for a switch that has already been spoofed, an active-defense packet must be sent to flush the CAM table back to the correct value. The prerequisite for defending against switch port spoofing is that the host has correctly obtained the gateway MAC; therefore gateway detection must be completed before the host is made "invisible", and preferably gateway protection as well. In this embodiment, the variable-interval sending method implements gateway detection, and the gateway protection function uses the spoofed-packet filtering method. LAN stealth of the host is implemented on the basis of gateway detection and gateway protection, thereby achieving defense against switch port spoofing. Moreover, if stealth fails, the switch active-defense packet can still flush the CAM table to guarantee that the switch CAM table is correct.
Specifically, the ARP message processing method implementing the above functions comprises the following steps:
Step S302: the host sends standard ARP packets using the variable-interval sending method to detect the true gateway.
When standard ARP packets are sent with the variable-interval method, the sending interval is T × 2^n, where T is a set time constant and n is the sequence number of the packet. Because ARP spoofers habitually send their gateway-spoofing packets on a fixed timer, the variable-interval method of this embodiment can identify the gateway spoofing packets sent by periodic polling with at most three packets, and thereby identify the true gateway MAC.
One implementation of detecting the true gateway with the variable-interval sending method is as follows:
One implementation of the ARP packet is as follows (the packet definition appears in the original as a figure and is not reproduced here):
When sending the above ARP packet, the variable-interval formula T × 2^n is used. In this embodiment T = 10 ms and n = 0, 1, 2, 3, 4, so the five groups of packet intervals are, respectively, T1 = 10, T2 = 20, T3 = 40, T4 = 80 (in ms).
For the host, each gateway detection comprises one receive process and one send process; the logic is as follows:
open the receive filter → send the constructed packet → wait Tn → close the receive filter → extract from the receive buffer the ARP reply packets whose gateway IP matches.
In this embodiment, after the above gateway detection logic has been repeated five times, the MAC addresses carried by the collected ARP reply packets are taken one by one as the gateway MAC (i.e. the MAC of the switch where the gateway is located), thus obtaining the true gateway MAC address.
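The probe rounds of step S302 as an added example (not the patent's code): each round opens a receive window of length Tn = T × 2^n, sends a probe and keeps the replies claiming the gateway IP; the rule that the true gateway is the MAC that answered inside every window is this example's interpretation of how the five rounds are combined, and the traffic, IP and MAC values are constructed.

```python
from dataclasses import dataclass

T_MS = 10        # T: the time constant of the embodiment (10 ms)
N_ROUNDS = 5     # n = 0..4, five probe rounds

def probe_schedule(t_ms=T_MS, rounds=N_ROUNDS):
    """Receive-window lengths Tn = T * 2**n for n = 0 .. rounds-1."""
    return [t_ms * 2 ** n for n in range(rounds)]

@dataclass
class Reply:
    t_ms: int    # arrival time in ms (absolute, counted from the first probe)
    spa: str     # sender protocol address claimed by the ARP reply
    sha: str     # sender hardware address carried by the ARP reply

def run_probe_rounds(gateway_ip, replies, t_ms=T_MS, rounds=N_ROUNDS):
    """One round = open filter, send probe, wait Tn, close filter, extract the
    replies whose arp_spa is the gateway IP.  Returns the replying MACs per round."""
    seen = []
    now = 0
    for tn in probe_schedule(t_ms, rounds):
        window = {r.sha for r in replies
                  if r.spa == gateway_ip and now <= r.t_ms < now + tn}
        seen.append(window)
        now += tn          # the next probe goes out when this window closes
    return seen

def true_gateway_macs(seen):
    """Candidate gateway MACs: those that replied inside every window.
    (Interpretation used by this example; if more than one survives, the
    public-network access test of the patent's claim 10 decides.)"""
    if not seen:
        return set()
    common = set(seen[0])
    for window in seen[1:]:
        common &= window
    return common

def simulate_replies(gateway_ip, real_mac, fake_mac, t_ms=T_MS, rounds=N_ROUNDS):
    """Constructed traffic: the real gateway answers each probe 2 ms after it is
    sent; a spoofer emits a forged gateway reply every 50 ms on its own timer."""
    replies = []
    now = 0
    for tn in probe_schedule(t_ms, rounds):
        replies.append(Reply(now + 2, gateway_ip, real_mac))
        now += tn
    for t in range(0, now, 50):
        replies.append(Reply(t, gateway_ip, fake_mac))
    return replies

if __name__ == "__main__":
    reps = simulate_replies("192.168.1.1", "02:00:00:00:00:01", "02:00:00:00:00:66")
    rounds = run_probe_rounds("192.168.1.1", reps)
    for n, macs in enumerate(rounds):
        print(f"round {n} (Tn={probe_schedule()[n]} ms): {sorted(macs)}")
    print("true gateway MAC:", true_gateway_macs(rounds))
```

The forged reply lands in the 10 ms window but misses the 20 ms one, so only the MAC that answered every probe survives the intersection.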
Step S304: the host protects the local ARP cache table with the spoofed-packet filtering method, implementing the gateway protection function.
Specifically: the driver (both the driver that sends ARP and the driver that intercepts ARP) intercepts every ARP packet _arpPacket pushed onto the stack. If _arphdr::arp_spa is the gateway IP but _ehhdr::eh_src or _arphdr::arp_sha is not the gateway MAC, the packet is discarded and a "gateway attacked" alert message is raised to R3 (Ring level 3 of the operating system); alternatively, if _arphdr::arp_spa is the local IP but _ehhdr::eh_src or _arphdr::arp_sha is not the local MAC, the packet is discarded and an "IP address conflict" alert message is raised to R3.
Note that steps S302 and S304 may be executed in either order.
Step S306: the ARP message is processed differently according to its type, making the host invisible on the LAN.
There are many ways to make a host invisible on the LAN; this embodiment uses the ARP protocol redirection method.
Taking local host A as the example, the implementation is as follows:
First, prevent host A from sending broadcast packets outward. Broadcast packets are flooded by the switch to every host on the LAN, and a spoofing host can put its network card into promiscuous mode to listen for the MAC of host A, so that host A is discovered by other hosts on the LAN.
Second, prevent host A from answering ARP Request packets on the LAN, so that host A does not respond to ARP Request packets sent by a spoofing host.
Third, let ARP Reply packets addressed to the gateway pass. If the local machine sends an ARP Request packet to the gateway, it must be intercepted and rewritten as an ARP Reply packet sent to the gateway. Letting ARP Replies pass, and rewriting ARP Request packets as ARP Reply packets sent to the gateway, guarantees that host A can still access the wide area network.
Completing the three items above achieves the LAN stealth function of the host.
As shown in Fig. 4, one flow that implements LAN stealth by completing the three items above comprises:
Step S3062: in the R0 (Ring level 0 of the operating system) driver, intercept the ARP packets the local machine sends out.
Step S3064: analyze whether the target IP of the outgoing packet is the gateway; if not, discard the ARP packet directly; if it is the gateway, go to step S3066.
Step S3066: buffer the packet and notify R3 through an Event to read the ARP cache data.
Step S3068: after receiving the Event, R3 reads the ARP cache data _arpPacket.
Step S30610: R3 determines whether the destination MAC of the ARP packet is the broadcast address; if so, go to step S30612; if not, go to step S30614.
Specifically: R3 analyzes the Ethernet packet header structure _ehhdr and the ARP packet structure _arphdr obtained, and decides that the destination MAC of the ARP packet is the broadcast address when either eh_dst or arp_tha is the broadcast address.
The Ethernet packet header structure _ehhdr is as follows (given in the original as a figure, not reproduced here):
The ARP packet structure _arphdr is as follows (given in the original as a figure, not reproduced here):
Step S30612: R3 rewrites the ARP packet as a directed reply packet.
In this step, after determining that eh_dst is the broadcast address or arp_tha is the broadcast address, R3 re-encapsulates the ARP packet: on the basis of the original packet, eh_dst and arp_tha are set to the gateway address and arp_op is set to 0x0002; after re-encapsulation, the driver's send interface is called to send the ARP packet.
Step S30614: call the driver's send interface to send the ARP packet.
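The ingress filter of steps S208 and S304 and the outbound handling of steps S210 to S222 and S3062 to S30614, as an added user-space example (not the patent's driver code): frames are raw Ethernet + ARP bytes parsed with the field names of the patent's _ehhdr and _arphdr; the local and gateway IP/MAC bindings and the sample frames are constructed values.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")            # _ehhdr: eh_dst, eh_src, eh_type
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # _arphdr: htype, ptype, hlen, plen, arp_op,
                                             #          arp_sha, arp_spa, arp_tha, arp_tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 0x0001, 0x0002
BCAST = b"\xff" * 6

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(x) for x in s.split("."))

# Bindings the driver already holds (constructed values for the example).
LOCAL_IP, LOCAL_MAC = ip("192.168.1.20"), mac("02:00:00:00:00:20")
GATEWAY_IP, GATEWAY_MAC = ip("192.168.1.1"), mac("02:00:00:00:00:01")

def parse(frame):
    """Return the _ehhdr/_arphdr fields of an ARP frame, or None if not ARP."""
    eh_dst, eh_src, eh_type = ETH_HDR.unpack_from(frame, 0)
    if eh_type != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"eh_dst": eh_dst, "eh_src": eh_src, "arp_op": op,
            "arp_sha": sha, "arp_spa": spa, "arp_tha": tha, "arp_tpa": tpa}

def build(eh_dst, eh_src, op, sha, spa, tha, tpa):
    """Assemble a 42-byte Ethernet + ARP frame (Ethernet/IPv4 hardware/protocol types)."""
    return ETH_HDR.pack(eh_dst, eh_src, ETHERTYPE_ARP) + \
        ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def ingress_filter(frame):
    """Steps S208 / S304: check every incoming ARP packet against the bindings;
    returns ("accept", None) or ("drop", <alert raised to R3>)."""
    a = parse(frame)
    if a is None:
        return ("accept", None)
    if a["arp_spa"] == GATEWAY_IP and (a["eh_src"] != GATEWAY_MAC
                                       or a["arp_sha"] != GATEWAY_MAC):
        return ("drop", "gateway attacked")
    if a["arp_spa"] == LOCAL_IP and (a["eh_src"] != LOCAL_MAC
                                     or a["arp_sha"] != LOCAL_MAC):
        return ("drop", "ip address conflict")
    return ("accept", None)

def egress_handle(frame):
    """Steps S210-S222 / S3064-S30614 for an ARP frame the local machine is
    about to send; returns ("send", frame_to_send) or ("drop", None)."""
    a = parse(frame)
    if a is None:
        return ("send", frame)
    if a["arp_tpa"] != GATEWAY_IP:          # S3064 / S216 / S222: not gateway-bound
        return ("drop", None)
    if a["eh_dst"] == BCAST or a["arp_tha"] == BCAST:   # S30610: broadcast?
        # S214 / S30612: re-encapsulate as a directed reply to the gateway, so the
        # gateway still learns our MAC while nothing is flooded to other hosts
        return ("send", build(GATEWAY_MAC, a["eh_src"], ARP_REPLY,
                              a["arp_sha"], a["arp_spa"], GATEWAY_MAC, a["arp_tpa"]))
    return ("send", frame)                  # S220 / S30614: unicast to gateway passes
```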
Step S308: if LAN stealth of the host fails, the host sends a switch active-defense packet to the switch.
The LAN stealth function of the host guarantees that the host is not discovered by the spoofing host; if it is nevertheless discovered by the spoofing host, the CAM table can be flushed with the switch active-defense packet.
The switch active-defense packet is a packet dedicated to flushing the switch CAM (Content Addressable Memory) table. By sending it, the host guarantees the correctness of the entries related to this host in the switch CAM table and prevents the gateway and the switch it is attached to from being spoofed.
For the switch active-defense packet to defend effectively against switch port spoofing, the following conditions must be met: (1) the packet must not be too long, since an overly long active-defense packet would cause excessive LAN traffic and reduce LAN throughput; its length may be less than or equal to that of a standard ARP request packet; (2) the packet must not be an ARP packet, since ARP packets would cause the gateway to refresh its ARP table frequently and affect gateway performance; (3) the packet must not be flooded by the switch, since if it were flooded it might be discovered by the spoofing host.
To satisfy these conditions, the application constructs a special Ethernet packet in the form of a pseudo-ARP packet, comprising an Ethernet source address, an Ethernet destination address, an Ethernet type and other data fields, where the Ethernet source address is set to the MAC address of the local machine and the Ethernet destination address is set to the MAC address of the switch; preferably all other fields are set to 0. In this embodiment, the length of the constructed switch active-defense packet equals the ARP packet length, the Ethernet source address is the local machine, the Ethernet destination address is the gateway, the Ethernet type is 0 and all other data are filled with 0. For this kind of non-standard packet, the switch takes the Ethernet source address and refreshes its CAM table; and because the destination MAC is the gateway (the switch where the gateway is located), the packet is not flooded. The switch active-defense packet has no function other than refreshing the CAM table and imposes a minimal burden on network devices.
Considering that in real scenarios switch port spoofing occurs together with ARP spoofing, this embodiment preferably uses a mixed sending method: while switch active-defense packets are being sent, standard ARP packets (ARP anti-spoofing packets) are also sent at a set frequency, which can be adjusted according to the actual protection effect. The mixed sending frequency can be set according to laboratory test results; the anti-spoofing effect is good.
Preferably, the switch active-defense packet _arpPacket can be constructed according to the Ethernet packet header structure _ehhdr and the ARP packet structure _arphdr above. The structure of this switch active-defense packet _arpPacket can be as follows:
_ehhdr::eh_dst is filled with the gateway address, _ehhdr::eh_src with the local address and _ehhdr::eh_type with 0; the structure _arphdr is filled entirely with 0. Then the sending driver is called to send one frame every 10 ms in a loop.
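The switch active-defense frame of step S308 as an added example (not the patent's code): it builds the frame as described, checks the three conditions of the embodiment before the frame would be handed to a sending driver, and lays out the mixed sending timeline; the MAC values and the 100 ms interval for the interleaved standard ARP packet are assumptions, and nothing is put on the wire.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")                 # _ehhdr: eh_dst, eh_src, eh_type
ARP_BODY_LEN = 28                                 # size of _arphdr
ARP_REQUEST_LEN = ETH_HDR.size + ARP_BODY_LEN     # 42 bytes: the bound of condition (1)
ETHERTYPE_ARP = 0x0806
BCAST = b"\xff" * 6

def mac(s): return bytes.fromhex(s.replace(":", ""))

LOCAL_MAC = mac("02:00:00:00:00:20")      # constructed local MAC
GATEWAY_MAC = mac("02:00:00:00:00:01")    # constructed MAC of the gateway's switch

def build_active_defense_frame(local_mac, gateway_mac):
    """_ehhdr: eh_dst = gateway, eh_src = local, eh_type = 0; _arphdr all zero.
    The switch learns eh_src on the ingress port; the zero type carries no ARP."""
    return ETH_HDR.pack(gateway_mac, local_mac, 0) + bytes(ARP_BODY_LEN)

def check_conditions(frame):
    """Return the list of violated conditions (empty if the frame may be sent)."""
    problems = []
    eh_dst, _eh_src, eh_type = ETH_HDR.unpack_from(frame, 0)
    if len(frame) > ARP_REQUEST_LEN:                    # condition (1)
        problems.append("1: longer than a standard ARP request")
    if eh_type == ETHERTYPE_ARP:                        # condition (2)
        problems.append("2: is an ARP packet, would churn the gateway ARP table")
    if eh_dst == BCAST or eh_dst[0] & 1:                # condition (3): broadcast or
        problems.append("3: would be flooded by the switch")   # multicast destination
    return problems

def mixed_send_plan(defense_every_ms=10, arp_every_ms=100, duration_ms=300):
    """Timeline of the mixed sending method: one active-defense frame every 10 ms
    with a standard ARP packet interleaved at the set (assumed 100 ms) frequency."""
    plan = []
    for t in range(0, duration_ms, defense_every_ms):
        plan.append((t, "active-defense"))
        if t % arp_every_ms == 0:
            plan.append((t, "standard-arp"))
    return plan

if __name__ == "__main__":
    frame = build_active_defense_frame(LOCAL_MAC, GATEWAY_MAC)
    print(len(frame), "bytes:", frame.hex())
    print("violations:", check_conditions(frame) or "none")
```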
Through this embodiment: (1) LAN stealth of the host is achieved by intercepting the ARP the local machine sends to other LAN hosts, so the host MAC address is not scanned; broadcast packets from the host to the gateway are intercepted and rewritten as directed reply packets, so that data can flow in both directions between host and gateway and the host can access the public network. (2) An anti-switch-spoofing packet, namely the switch active-defense packet, is constructed: an empty Ethernet packet containing only a destination MAC and a source MAC, which refreshes the switch CAM table and prevents it from being spoofed. (3) The variable-interval (T × 2^n) sending method is used to obtain the true gateway MAC: ARP spoofers habitually spoof the gateway by sending on a fixed timer, whereas this embodiment sends with interval T × 2^n, where T is the minimum time interval and n is the packet sequence number. This sending method guarantees that with at most three packets the gateway spoofing packets sent by periodic polling can be distinguished and the true gateway MAC identified. (4) The spoofed-packet filtering method protects the local ARP address table.
Embodiment four
Referring to Fig. 5, a structural block diagram of an ARP message processing device according to embodiment four of the application is shown.
The ARP message processing device of this embodiment comprises: an acquisition and judgement module 502, for acquiring an ARP message and determining its type; and a judgement execution module 504, for processing the ARP message according to its type, comprising: a first judgement execution module 5042, which, if the ARP message is a broadcast packet sent outward by the local machine, determines whether the broadcast packet is an ARP request packet sent by the local machine to the gateway and, if so, rewrites the ARP request packet as an ARP reply packet and sends it to the gateway, and otherwise discards the broadcast packet; and a second judgement execution module 5044, which, if the ARP message is an ARP reply packet, determines whether it is an ARP reply packet sent by the local machine to the gateway and, if so, sends it to the gateway, and otherwise discards it.
Preferably, the ARP message processing device of this embodiment also comprises a first sending module 506, for sending a switch active-defense packet to the switch where the gateway is located after the judgement execution module 504 has processed the ARP message according to its type; the switch active-defense packet is used to refresh the entry for the local machine in the Content Addressable Memory (CAM) table of the switch to the correct entry data.
Preferably, the switch active-defense packet comprises Ethernet source address information and Ethernet destination address information, the Ethernet source address being the MAC address of the local machine and the Ethernet destination address being the MAC address of the switch.
Preferably, the switch active-defense packet is an Ethernet packet whose length is the same as that of an ARP request packet, with the Ethernet type field and all other data fields in the packet set to 0.
Preferably, the first sending module 506 also sends standard ARP packets at a set frequency while sending the switch active-defense packet to the switch where the gateway is located.
Preferably, the ARP message processing device of this embodiment also comprises: a second sending module 508, for sending standard ARP packets to the gateway at different time intervals before the acquisition and judgement module 502 acquires the ARP message and determines its type; and a gateway address acquisition module 510, for determining the true MAC address of the gateway from the ARP reply packets that answer the standard ARP packets sent.
Preferably, the second sending module 508 sends standard ARP packets to the gateway at time intervals of T × 2^n, where T is a set time constant and n is the sequence number of the standard ARP packet.
Preferably, the second sending module 508 first sends a set number of standard ARP packets to the gateway at the same time interval and, after a pause longer than that interval, again sends the set number of standard ARP packets to the gateway at the same interval.
Preferably, the gateway address acquisition module 510 obtains the ARP reply packets that answer the standard ARP packets sent at the different time intervals, and determines the true MAC address of the gateway from those ARP reply packets.
Preferably, the ARP message processing device of this embodiment also comprises a gateway address selection module 512 which, if the gateway address acquisition module 510 determines more than one true MAC address for the gateway, uses each of those MAC addresses to access the public network and, if the access succeeds, confirms the gateway MAC address currently in use as the true MAC address of the gateway.
Preferably, the ARP message processing device of this embodiment also comprises a filtering module 514 which, after the acquisition and judgement module 502 acquires the ARP message, forbids modification of the ARP cache table when the mapping of gateway IP address to gateway MAC address in the ARP message is inconsistent with the local ARP cache table, or when the mapping of local IP address to local MAC address in the ARP message is inconsistent with the local ARP cache table.
The ARP message processing device of this embodiment implements the ARP message processing methods of the preceding method embodiments and has the corresponding beneficial effects, which are not repeated here.
The ARP message processing scheme of this application improves on existing ARP firewall technology, giving the ARP firewall more complete gateway detection, gateway binding and active defense against ARP attacks, and through these functions defends against switch port spoofing.
(1) The gateway detection function finds the correct gateway; it must achieve correct binding even when ARP spoofing is present on the LAN. SendArp (Win32 API) cannot distinguish spoofed packets and therefore cannot be used for gateway detection, so the application uses a driver to send ARP Request packets, and the program receives the ARP Reply packets and performs behavioural analysis, identifying the true gateway MAC among genuine and forged ARP replies. (2) The gateway protection function consists first of correctly detecting the gateway MAC and second of protecting the correct ARP address table from tampering. There are many ways to prevent tampering; the application uses the ingress filtering method, which blocks illegal ARP packets and allows legal ones. Because interception happens at the ingress, the ARP address table cannot be spoofed. Its advantage is that ARP address table protection is achieved without forbidding the user from operating on the ARP address table. (3) Gateway detection and gateway protection can only guarantee that the host is not spoofed; they cannot guarantee that the gateway is not spoofed. To prevent the gateway from being spoofed, the ARP active-defense function must be used.
In today's LANs, switches are the main network devices, and switch-spoofing software is being used by more and more people to limit others' bandwidth, hijack others' traffic and even steal others' network data. The LAN protection of this application upgrades the ARP firewall, implements LAN protection against switch port spoofing, effectively prevents trojans from harming the network through switch port spoofing, and also resists the disruption of the LAN environment by P2P tools.
Note that the scheme of this application does not address the case of a statically bound switch.
Each embodiment in this specification is described progressively, each emphasizing its differences from the others; for identical or similar parts, the embodiments may be referred to one another. Since the device embodiment is basically similar to the method embodiments, its description is relatively simple, and the relevant parts may be found in the description of the method embodiments.
The ARP message processing method and device provided by this application have been described in detail above. Specific examples have been used to explain the principle and implementation of the application, and the above description of the embodiments serves only to help understand the method and core idea of the application. At the same time, a person of ordinary skill in the art may, following the idea of the application, make changes to both the embodiments and the range of application. In summary, this description should not be construed as limiting the application.

Claims (22)

1. an ARP message processing method is characterized in that, comprising:
Obtain the ARP message, judge the type of said ARP message;
Type according to said ARP message is handled said ARP message; Comprise: if the broadcast packet that the type of said ARP message is outwards sent for this machine; Judge then whether this broadcast packet is the ARP request package that said machine sends to gateway; If then said ARP request package is revised as ARP and responds bag, and said ARP response bag is sent to said gateway; If not, then abandon this broadcast packet; Type as if said ARP message is that ARP responds bag, judges then whether this ARP responds bag is the ARP response bag that said machine sends to said gateway, if then this ARP is responded bag and send to said gateway; If not, then abandon this ARP and respond bag.
2. method according to claim 1 is characterized in that, after according to the type of said ARP message said ARP message being carried out processed steps, also comprises:
Said main frame sends switch to the switch at said gateway place and initiatively defends bag, and wherein, it is correct list item data that said switch initiatively defends to wrap the list item Refresh Data that is used for said machine of the Content Addressable Memory content-addressable memory of said switch.
3. method according to claim 2; It is characterized in that; Said switch initiatively defends to comprise the information of ethernet source address and the information of Ethernet destination address; Said ethernet source address is the media interviews control MAC Address of said machine, and said Ethernet destination address is the MAC Address of said switch.
4. method according to claim 3; It is characterized in that; Said switch initiatively defends bag for the Ethernet bag, and the length that said switch is initiatively defendd to wrap is identical with the length of ARP request package, and ethernet type field and other data field during said switch is initiatively defendd to wrap all put 0.
5. method according to claim 2 is characterized in that, also comprises:
When the said switch at said gateway place sends said switch and initiatively defends to wrap, also send standard A RP packet at said main frame with setpoint frequency.
6. method according to claim 1 is characterized in that, at the said ARP message that obtains, judges before the step of type of said ARP message, also comprises:
Said main frame sends standard A RP packet with different time intervals to said gateway;
Respond bag according to the ARP that the standard A RP packet of said transmission is responded, confirm the real MAC address of said gateway.
7. method according to claim 6 is characterized in that, said main frame comprises to the step that said gateway sends standard A RP packet with different time intervals:
Said main frame is with T * 2 nBe the time interval, send said standard A RP packet to said gateway;
Wherein, the time constant of T for setting, n is the sequence number of giving out a contract for a project of said standard A RP packet.
8. method according to claim 6 is characterized in that, said main frame comprises to the step that said gateway sends standard A RP packet with different time intervals:
Said main frame sends the said standard A RP packet of set point number earlier at the same time to said gateway; After the time period that intermittently one is longer than said identical time interval, send the said standard A RP packet of said set point number again to said gateway with the said identical time interval.
9. according to each described method of claim 6 to 8, it is characterized in that the ARP that said basis is responded the standard A RP packet of said transmission responds bag, confirms that the step of the real MAC address of said gateway comprises:
Obtain the said ARP response bag of responding the standard A RP packet of said transmission in said different time intervals;
Respond the bag from the said ARP that obtains, confirm the real MAC address of said gateway.
10. method according to claim 9 is characterized in that, if respond the bag from the said ARP that obtains, the real MAC address of the said gateway of confirming comprises a plurality of, and then said method also comprises:
Each MAC Address visit public network in a plurality of real MAC address of the said gateway that said main frame use is confirmed;
If visit successfully,, confirm as the real MAC address of said gateway then with the MAC Address of the gateway of the said public network of visit of current use.
11. method according to claim 1 is characterized in that, after the said step of obtaining the ARP message, also comprises:
Judge that the corresponding relation in the arp cache table of corresponding relation and said machine of gateway ip address and gateway MAC Address in the said ARP message is inconsistent, forbid revising said arp cache table;
Perhaps, judge that the corresponding relation in the arp cache table of corresponding relation and said machine of this machine IP address and this machine MAC Address in the said ARP message is inconsistent, forbid revising said arp cache table.
12. an ARP message processing unit is characterized in that, comprising:
Obtain judge module, be used to obtain the ARP message, judge the type of said ARP message;
Judge Executive Module; If be used for according to the type of said ARP message said ARP message being handled, comprise: first judges Executive Module, is used for the broadcast packet that the type of said ARP message is outwards sent for this machine; Judge then whether this broadcast packet is the ARP request package that said machine sends to gateway; If then said ARP request package is revised as ARP and responds bag, and said ARP response bag is sent to said gateway; If not, then abandon this broadcast packet; Second judges Executive Module, and the type that is used for as if said ARP message is that ARP responds bag, judges then whether this ARP responds bag is the ARP response bag that said machine sends to said gateway, if then this ARP is responded bag and send to said gateway; If not, then abandon this ARP and respond bag.
13. device according to claim 12 is characterized in that, also comprises:
First sending module; Be used for after said judgement Executive Module is handled said ARP message according to the type of said ARP message; Switch transmission switch to said gateway place is initiatively defendd bag; Wherein, initiatively to defend to wrap the list item Refresh Data that is used for said machine of the Content Addressable Memory content-addressable memory of said switch be correct list item data to said switch.
14. device according to claim 13; It is characterized in that; Said switch initiatively defends to comprise the information of ethernet source address and the information of Ethernet destination address; Said ethernet source address is the media interviews control MAC Address of said machine, and said Ethernet destination address is the MAC Address of said switch.
15. device according to claim 14; It is characterized in that; Said switch initiatively defends bag for the Ethernet bag, and the length that said switch is initiatively defendd to wrap is identical with the length of ARP request package, and ethernet type field and other data field during said switch is initiatively defendd to wrap all put 0.
16. device according to claim 13 is characterized in that, said first sending module also is used for when the said switch to said gateway place sends said switch and initiatively defends to wrap, also sending standard A RP packet with setpoint frequency.
17. device according to claim 12 is characterized in that, also comprises:
Second sending module is used for obtaining the ARP message at the said judge module that obtains, and judges before the type of said ARP message, sends standard A RP packet with different time intervals to said gateway;
The gateway address acquisition module is used for responding bag according to the ARP that the standard A RP packet of said transmission is responded, and confirms the real MAC address of said gateway.
18. device according to claim 17 is characterized in that, said second sending module is used for T * 2 nBe the time interval, send standard A RP packet to said gateway; Wherein, the time constant of T for setting, n is the sequence number of giving out a contract for a project of said standard A RP packet.
19. device according to claim 17; It is characterized in that; Said second sending module; Be used for sending to said gateway at the same time earlier the said standard A RP packet of set point number, after the time period that intermittently one is longer than said identical time interval, send the said standard A RP packet of said set point number again to said gateway with the said identical time interval.
20., it is characterized in that said gateway address acquisition module is used to obtain the said ARP response bag of responding the standard A RP packet of said transmission in said different time intervals according to each described device of claim 17 to 19; Respond the bag from the said ARP that obtains, confirm the real MAC address of said gateway.
21. The device according to claim 20, characterized in that it further comprises:
A gateway address selection module, configured to, if the real MAC address of the gateway determined by the gateway address acquisition module comprises a plurality of addresses, use each MAC address among the plurality of determined real MAC addresses of the gateway to access the public network; and, if the access succeeds, determine the gateway MAC address currently in use for the successful public network access as the real MAC address of the gateway.
22. The device according to claim 12, characterized in that it further comprises:
A filtering module, configured to, after the acquisition and judgement module acquires the ARP message, forbid modification of the ARP cache table of the local machine when it judges that the correspondence between the gateway IP address and the gateway MAC address in the ARP message is inconsistent with the correspondence in the ARP cache table; or forbid modification of the ARP cache table when it judges that the correspondence between the local machine IP address and the local machine MAC address in the ARP message is inconsistent with the correspondence in the ARP cache table.
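The following is an added worked example of the filtering rule of claim 22 together with the probe schedule of claim 18; it is not code from the patent or from the applicant. It assumes IPv4 ARP over Ethernet (42-byte frames); the gateway and host addresses, the ARP cache contents and the sample frames are constructed for the demonstration and are not captured traffic. The filter inspects the IP/MAC pairings an ARP message carries for the two protected addresses (gateway and local host) and refuses to let the message update the cache when a pairing contradicts the cached one.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

ETH_P_ARP = 0x0806            # Ethernet type field value for ARP
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpMessage:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(p, 16) for p in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(p) for p in s.split("."))


def build_arp_frame(opcode: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Build a 42-byte Ethernet + ARP frame; used here only to construct sample input."""
    dst = b"\xff" * 6 if opcode == ARP_REQUEST else _mac_bytes(target_mac)
    eth_hdr = dst + _mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), 6-byte MAC, 4-byte IP
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    body = (_mac_bytes(sender_mac) + _ip_bytes(sender_ip)
            + _mac_bytes(target_mac) + _ip_bytes(target_ip))
    return eth_hdr + arp_hdr + body


def parse_arp_frame(frame: bytes) -> ArpMessage:
    """Parse an Ethernet + ARP frame into its opcode and four address fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return ArpMessage(opcode,
                      _mac_str(frame[22:28]), _ip_str(frame[28:32]),
                      _mac_str(frame[32:38]), _ip_str(frame[38:42]))


def should_block_cache_update(msg: ArpMessage, arp_cache: Dict[str, str],
                              gateway_ip: str, local_ip: str) -> Tuple[bool, str]:
    """Claim 22 rule: block the cache update when the gateway or local-host IP/MAC
    pairing carried by the message differs from the pairing already cached.
    Returns (block, reason)."""
    protected = {gateway_ip: "gateway", local_ip: "local host"}
    pairs = [(msg.sender_ip, msg.sender_mac)]
    # The target hardware address only carries information in a reply; in a
    # request it is a placeholder (zeros or broadcast), so it is not compared.
    if msg.opcode == ARP_REPLY:
        pairs.append((msg.target_ip, msg.target_mac))
    for ip, mac in pairs:
        role, cached = protected.get(ip), arp_cache.get(ip)
        if role is None or cached is None:
            continue
        if cached.lower() != mac.lower():
            return True, f"{role} {ip} claimed by {mac}, cache has {cached}"
    return False, ""


def probe_intervals(t_const: float, count: int) -> List[float]:
    """Claim 18 schedule: the n-th standard ARP probe follows the previous one after T * 2**n."""
    return [t_const * 2 ** n for n in range(count)]


# Constructed addresses and cache state for the demonstration (not real network data).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
LOCAL_IP, LOCAL_MAC = "192.168.1.10", "de:ad:be:ef:00:10"
ARP_CACHE = {GATEWAY_IP: GATEWAY_MAC, LOCAL_IP: LOCAL_MAC}

SAMPLE_FRAMES = {  # constructed sample frames, not captured traffic
    "genuine gateway reply": build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, LOCAL_MAC, LOCAL_IP),
    "reply with foreign MAC for gateway IP": build_arp_frame(ARP_REPLY, "66:66:66:66:66:66", GATEWAY_IP, LOCAL_MAC, LOCAL_IP),
    "reply binding our IP to a foreign MAC": build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, "66:66:66:66:66:66", LOCAL_IP),
    "gateway request for our address": build_arp_frame(ARP_REQUEST, GATEWAY_MAC, GATEWAY_IP, "00:00:00:00:00:00", LOCAL_IP),
    "reply from an unrelated host": build_arp_frame(ARP_REPLY, "12:34:56:78:9a:bc", "192.168.1.20", LOCAL_MAC, LOCAL_IP),
}


def run_demo() -> Dict[str, bool]:
    """Apply the claim 22 filter to each sample frame; True means the cache update is blocked."""
    return {name: should_block_cache_update(parse_arp_frame(f), ARP_CACHE, GATEWAY_IP, LOCAL_IP)[0]
            for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, blocked in run_demo().items():
        print(f"{'BLOCK' if blocked else 'allow'}: {name}")
    print("probe schedule (s):", probe_intervals(0.5, 5))
```

The check deliberately ignores pairings for addresses that are not in the cache yet: the claim only forbids modifications that contradict an existing entry, so the first learned binding for the gateway still has to come from the separate gateway-address acquisition step (claims 17 to 21), not from this filter.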
CN201110457652.4A 2011-12-30 2011-12-30 ARP (Address Resolution Protocol) message processing method and device Active CN102571579B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110457652.4A CN102571579B (en) 2011-12-30 2011-12-30 ARP (Address Resolution Protocol) message processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110457652.4A CN102571579B (en) 2011-12-30 2011-12-30 ARP (Address Resolution Protocol) message processing method and device

Publications (2)

Publication Number Publication Date
CN102571579A true CN102571579A (en) 2012-07-11
CN102571579B CN102571579B (en) 2015-01-07

Family

ID=46416080

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110457652.4A Active CN102571579B (en) 2011-12-30 2011-12-30 ARP (Address Resolution Protocol) message processing method and device

Country Status (1)

Country Link
CN (1) CN102571579B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102843362A (en) * 2012-08-08 2012-12-26 江苏华丽网络工程有限公司 Method for carrying out ARP (Address Resolution Protocol) defense by using TCAM (Ternary Content Addressable Memory)
CN106453308A (en) * 2016-10-10 2017-02-22 合肥红珊瑚软件服务有限公司 Method for preventing ARP cheating
CN103368941B (en) * 2013-04-22 2017-04-05 北京奇虎科技有限公司 Method and apparatus for protection based on the user's network access scenario
CN110868479A (en) * 2018-08-27 2020-03-06 北京淳中科技股份有限公司 Equipment addressing method, device and system
CN111835764A (en) * 2020-07-13 2020-10-27 中国联合网络通信集团有限公司 ARP anti-spoofing method, tunnel endpoint and electronic equipment
CN111917894A (en) * 2020-03-19 2020-11-10 北京融汇画方科技有限公司 Network card mixed mode detection technology
CN114157602A (en) * 2021-11-03 2022-03-08 杭州迪普科技股份有限公司 Method and device for processing message
CN114666300A (en) * 2022-05-20 2022-06-24 杭州海康威视数字技术股份有限公司 Multitask-based bidirectional connection blocking method and device and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1534933A (en) * 2003-03-28 2004-10-06 华为技术有限公司 Safety access control method for internet protocol
US20060088037A1 (en) * 2004-10-21 2006-04-27 International Business Machines Corporation Preventing asynchronous ARP cache poisoning of multiple hosts
WO2006126919A1 (en) * 2005-05-23 2006-11-30 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for local peer-to-peer traffic
CN1925493A (en) * 2006-09-15 2007-03-07 杭州华为三康技术有限公司 Method and device for processing ARP message

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张果: "Security problems brought to local area networks by ARP address spoofing" (ARP地址欺骗给局域网带来的安全问题), 《科技风》, 30 April 2009 (2009-04-30) *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102843362A (en) * 2012-08-08 2012-12-26 江苏华丽网络工程有限公司 Method for carrying out ARP (Address Resolution Protocol) defense by using TCAM (Ternary Content Addressable Memory)
CN102843362B (en) * 2012-08-08 2016-05-04 唐稳杰 Method for carrying out ARP defense by using TCAM
CN103368941B (en) * 2013-04-22 2017-04-05 北京奇虎科技有限公司 Method and apparatus for protection based on the user's network access scenario
CN106453308A (en) * 2016-10-10 2017-02-22 合肥红珊瑚软件服务有限公司 Method for preventing ARP cheating
CN110868479A (en) * 2018-08-27 2020-03-06 北京淳中科技股份有限公司 Equipment addressing method, device and system
CN111917894A (en) * 2020-03-19 2020-11-10 北京融汇画方科技有限公司 Network card mixed mode detection technology
CN111835764A (en) * 2020-07-13 2020-10-27 中国联合网络通信集团有限公司 ARP anti-spoofing method, tunnel endpoint and electronic equipment
CN111835764B (en) * 2020-07-13 2023-04-07 中国联合网络通信集团有限公司 ARP anti-spoofing method, tunnel endpoint and electronic equipment
CN114157602A (en) * 2021-11-03 2022-03-08 杭州迪普科技股份有限公司 Method and device for processing message
CN114157602B (en) * 2021-11-03 2023-08-25 杭州迪普科技股份有限公司 Method and device for processing message
CN114666300A (en) * 2022-05-20 2022-06-24 杭州海康威视数字技术股份有限公司 Multitask-based bidirectional connection blocking method and device and electronic equipment

Also Published As

Publication number Publication date
CN102571579B (en) 2015-01-07

Similar Documents

Publication Publication Date Title
CN102571579A (en) ARP (Address Resolution Protocol) message processing method and device
JP4174392B2 (en) Network unauthorized connection prevention system and network unauthorized connection prevention device
CN101729513B (en) Network authentication method and device
CN101180826B (en) Upper-level protocol authentication
CN110445770A Attack source positioning and protection method, electronic device and computer storage medium
CN108183886B (en) Safety enhancement equipment for safety gateway of rail transit signal system
CN107135187A (en) Preventing control method, the apparatus and system of network attack
JP2003527793A (en) Method for automatic intrusion detection and deflection in a network
US7404210B2 (en) Method and apparatus for defending against distributed denial of service attacks on TCP servers by TCP stateless hogs
CN103312689A (en) Network hiding method for computer and network hiding system based on method
KR20080028381A (en) Method for defending against denial of service attacks in ip networks by target victim self-identification and control
CN105610851A (en) Method and system for defending distributed denial of service (DDoS) attack
CN109474485A (en) Method, system and storage medium based on network traffic information detection Botnet
RU2690749C1 (en) Method of protecting computer networks
CN107360182A Embedded active network defense system and defense method
CN101330409B (en) Method and system for detecting network loophole
CN105429975B Cloud-terminal-based data security defense system and method, and cloud terminal security system
CN112688900A (en) Local area network safety protection system and method for preventing ARP spoofing and network scanning
CN106487790A Method and system for cleaning ACK FLOOD attacks
CN114244801B (en) ARP spoofing prevention method and system based on government enterprise gateway
Dakhane et al. Active warden for TCP sequence number base covert channel
KR101593897B1 (en) Network scan method for circumventing firewall, IDS or IPS
Doshi et al. Game theoretic modeling of gray hole attacks in wireless ad hoc networks
JP2018073397A (en) Communication device
RU2686023C1 (en) Method of protecting computer networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20151022

Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Qizhi software (Beijing) Co.,Ltd.

Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20220725

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right