CN102594810B - Method and device for preventing PMTU attacks in an IPv6 network - Google Patents


Info

Publication number
CN102594810B
Authority
CN
China
Prior art keywords
message
port
icmpv6
ipv6
switch
Prior art date
Legal status
Active
Application number
CN201210027389.XA
Other languages
Chinese (zh)
Other versions
CN102594810A (en)
Inventor
梁小冰
Current Assignee
Shenzhou Kuntai Xiamen Information Technology Co ltd
Wuhan Shenzhou Digital Cloud Technology Co ltd
Original Assignee
Digital China Networks Beijing Co Ltd
Priority date
2012-02-08
Filing date
2012-02-08
Publication date
2016-03-30
Events
Application filed by Digital China Networks Beijing Co Ltd
Priority to CN201210027389.XA
Publication of CN102594810A
Application granted
Publication of CN102594810B
Status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and device for preventing PMTU attacks in an IPv6 network. The switch enables the ICMPv6 Packet Too Big security function and is configured with trusted ports; it receives an ICMPv6 Packet Too Big message and judges whether the receiving port of that message is one of the configured trusted ports: if it is, the message is forwarded to the IPv6 host; if not, the message is discarded. With the technical scheme of the invention, ICMPv6 Packet Too Big messages are handled safely, the forwarding of forged ICMPv6 Packet Too Big messages is prevented, and normal operation of the network is guaranteed.

Description

Method and device for preventing PMTU attack in IPv6 network
Technical Field
The invention relates to the field of computer data communication, in particular to a method and a device for preventing PMTU attack in an IPv6 network.
Background
Because IPv6 routers do not fragment the packets they forward, the source node is instead told the appropriate fragment size by an Internet Control Message Protocol version 6 (ICMPv6) message, using the Path Maximum Transmission Unit (PMTU) Discovery mechanism. However, ICMPv6 currently performs no reliability check on the Packet Too Big messages sent by intermediate routers. An attacker can forge a PMTU value and send it in a Packet Too Big message to a source node, after which the node keeps sending undersized packets to the destination address, degrading network performance. An attacker can also forge an excessively large PMTU and send it to the sending node; the sending node then raises its MTU value and sends oversized packets, which an intermediate router discards, so the packets are lost. This is in effect a Denial-of-Service attack. Ensuring the validity of ICMPv6 Packet Too Big messages, and preventing malicious users from exploiting them, is therefore an important factor in guaranteeing the normal operation of an IPv6 network.
Disclosure of Invention
The invention aims to provide a method and a device for preventing PMTU attacks in an IPv6 network, which guarantee the legitimacy of ICMPv6 Packet Too Big messages and prevent a malicious attacker from mounting a denial-of-service attack with forged ICMPv6 Packet Too Big messages.
To this end, the invention adopts the following technical scheme:
a method for preventing PMTU attacks in an IPv6 network comprises the following steps:
A. the switch enables the IPv6 PMTU attack prevention function and configures trusted ports on the switch;
B. the switch receives an ICMPv6 Packet Too Big message;
C. the switch judges whether the receiving port of the ICMPv6 Packet Too Big message is a configured trusted port; if so, it forwards the message to the IPv6 host, and if not, it discards the message;
D. the IPv6 host receives the forwarded ICMPv6 Packet Too Big message and adjusts the Maximum Transmission Unit (MTU) value used for sending to the destination device.
In step A, the configured trusted port is a Layer 2 port and/or an aggregation port on the switch that connects to an IPv6 router.
In step C, when the receiving port of the ICMPv6 Packet Too Big message is a trusted port, the MAC address table is looked up and the message is forwarded out of the port connected to the IPv6 host.
The device for preventing PMTU attacks in an IPv6 network comprises a receiving module, a port configuration module, a processing module and a forwarding module, wherein the processing module is connected to the receiving module, the port configuration module and the forwarding module respectively;
the receiving module is used to receive an ICMPv6 Packet Too Big message;
the port configuration module is used to configure trusted ports for the switch;
the processing module is configured to read the receiving-port information of the ICMPv6 Packet Too Big message, determine whether that receiving port is a configured trusted port, and if so pass the message to the forwarding module; if not, the message is discarded;
the forwarding module is configured to forward the ICMPv6 Packet Too Big message passed by the processing module to the message's destination host.
The trusted port configured by the port configuration module is a Layer 2 port and/or an aggregation port on the switch that connects to an IPv6 router.
When the processing module judges that the receiving port of the ICMPv6 Packet Too Big message is a trusted port, the forwarding module looks up the MAC address table and forwards the message out of the port connected to the IPv6 host.
With the technical scheme of the invention, ICMPv6 Packet Too Big messages are handled safely, the forwarding of forged ICMPv6 Packet Too Big messages is prevented, and normal operation of the network is guaranteed.
Drawings
Fig. 1 is a flowchart illustrating a method for preventing a PMTU attack in an IPv6 network according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of network device connection in the IPv6 network PMTU attack prevention method according to the embodiment of the present invention.
Fig. 3 is a schematic structural diagram of an apparatus for preventing a PMTU attack in an IPv6 network according to an embodiment of the present invention.
Detailed Description
The technical scheme of the invention is further explained below by way of specific embodiments, with reference to the drawings.
Fig. 1 is a flowchart illustrating a method for preventing a PMTU attack in an IPv6 network according to an embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps:
Step S101: the switch enables the IPv6 PMTU attack prevention function and configures trusted ports on the switch.
After the function is enabled, a rule redirecting ICMPv6 messages to the CPU is issued to the switching chip, so that when the switching chip receives an ICMPv6 message it redirects the message to the switch CPU, where software parses and forwards it.
An ICMPv6 Packet Too Big message is identified by the following fields: bytes 17 and 18 of the Ethernet header carry the EtherType 0x86dd (IPv6); byte 6 of the IPv6 header, the Next Header field, is 58 (ICMPv6); and byte 41 counted from the start of the IPv6 header, the ICMPv6 Type field, is 2 (Packet Too Big).
The trusted ports configured on the switch are the Layer 2 ports and/or aggregation ports that connect to an IPv6 router.
Usually a switch has fewer ports connected to routers than ports connected to host nodes; legitimate ICMPv6 messages come from routers, whereas forged ones come from malicious host nodes. Therefore, when configuring trusted ports, the Layer 2 ports and/or aggregation ports that connect to an IPv6 router are normally configured as trusted, and every port not so configured is untrusted by default. The number of ports that must be configured is therefore small, which makes the configuration easy for an operator to set up and change.
Step S102: the switch receives an ICMPv6 Packet Too Big message.
Once the function is enabled, the rule redirecting ICMPv6 messages to the CPU is in force, so after an ICMPv6 message arrives at a switch port the switching chip hands it to the switch CPU for processing.
Step S103: the switch judges whether the receiving port of the ICMPv6 Packet Too Big message is a configured trusted port; if so, the message is forwarded to the IPv6 host, and if not, it is discarded.
The ICMPv6 Packet Too Big message is redirected to the switch CPU and handled by software there. The software refers to each message through a data structure that contains, among other fields, the receiving port. When the switching chip passes the message to the CPU, the packet-receive driver reads the port number from the chip's register and writes it into the port field of that structure. The software then reads the port field and matches it against the trusted-port configuration from step S101: if the port is trusted, the message is forwarded to its destination IPv6 host; if not, it is discarded immediately. Thus forged ICMPv6 Packet Too Big messages sent by a malicious host node never reach the target IPv6 host, and the safe use of the ICMPv6 Packet Too Big message is ensured.
Step S104: the IPv6 host receives the forwarded ICMPv6 Packet Too Big message, adjusts its MTU value accordingly, and when it next sends packets they are forwarded by the router to the destination node without further trouble.
As shown in Fig. 2, with the method for preventing PMTU attacks in an IPv6 network provided by this embodiment, an IPv6 host acting as the source node sends a packet using its initial MTU value. When the router forwards the packet it finds that the packet is larger than the MTU of its outgoing interface, so it sends an ICMPv6 Packet Too Big message back to the source IPv6 host. When that message reaches the switch, it is redirected to the switch CPU for processing; the switch determines that the message was received on the port of the uplink router, which is configured as a trusted port, and the message is therefore forwarded safely to the source IPv6 host. The source host adjusts its MTU value according to the Packet Too Big message, and when it sends again, the packets are forwarded by the router to the destination node without trouble.
When a malicious host node sends a forged ICMPv6 Packet Too Big message towards the source IPv6 host and it reaches the switch, the message matches the rule that redirects ICMPv6 Packet Too Big messages to the switch CPU and is sent there for processing. The switch judges that the receiving port is an untrusted port, so the message is discarded and never delivered to the source IPv6 host. The source node is thus protected from the forged ICMPv6 Packet Too Big messages of a malicious host node.
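The identification rule of step S101 and the port-trust decision of steps S102 to S104, worked through in Python as an added example that is not part of the patent; the sample frame, the trusted-port set and the host-side MTU function are all constructed here. The patent's byte positions (EtherType at bytes 17 and 18) correspond to an 802.1Q-tagged frame, so the parser handles both tagged and untagged frames, and the host-side function adds the RFC 8201 sanity checks that a Packet Too Big message may only lower the path MTU and never below 1280.

```python
import struct

# Field values quoted by the patent (RFC 8200 / RFC 4443): EtherType 0x86dd, Next Header 58, ICMPv6 Type 2
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_VLAN = 0x8100        # 802.1Q tag; with it present the EtherType sits at bytes 17-18 of the frame
NEXT_HEADER_ICMPV6 = 58
ICMPV6_PACKET_TOO_BIG = 2
IPV6_MIN_MTU = 1280            # IPv6 minimum link MTU; a host never needs a path MTU below this


def parse_packet_too_big(frame: bytes):
    """Return the advertised MTU if `frame` is an ICMPv6 Packet Too Big message, else None.

    Applies the three checks the patent lists (EtherType, IPv6 Next Header, ICMPv6 Type).
    Truncated or malformed frames are reported as 'not Packet Too Big' instead of raising.
    """
    off = 12                                    # EtherType follows the two 6-byte MAC addresses
    if len(frame) < off + 2:
        return None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == ETHERTYPE_VLAN:             # skip the 4-byte 802.1Q tag (TPID + TCI)
        off += 4
        if len(frame) < off + 2:
            return None
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != ETHERTYPE_IPV6:
        return None
    ip6 = off + 2                               # start of the 40-byte IPv6 fixed header
    if len(frame) < ip6 + 40 + 8:               # need the 8-byte ICMPv6 Packet Too Big header as well
        return None
    if frame[ip6 + 6] != NEXT_HEADER_ICMPV6:    # Next Header field, byte 6 of the IPv6 header
        return None
    icmp = ip6 + 40                             # ICMPv6 header begins right after the IPv6 header
    if frame[icmp] != ICMPV6_PACKET_TOO_BIG:    # ICMPv6 Type field
        return None
    return struct.unpack_from("!I", frame, icmp + 4)[0]   # 32-bit MTU field of the Packet Too Big message


def switch_decision(frame: bytes, ingress_port: int, trusted_ports) -> str:
    """Steps S102/S103: a Packet Too Big message is forwarded only if it arrived on a trusted port."""
    if parse_packet_too_big(frame) is None:
        return "pass"                           # not a Packet Too Big message; the rule does not apply
    return "forward" if ingress_port in trusted_ports else "drop"


def host_apply_packet_too_big(current_pmtu: int, advertised_mtu: int) -> int:
    """Step S104 on the host, plus the RFC 8201 sanity checks added in this example:
    a Packet Too Big message may only lower the path MTU, and never below 1280."""
    if advertised_mtu >= current_pmtu:
        return current_pmtu
    return max(advertised_mtu, IPV6_MIN_MTU)


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """RFC 4443 checksum over the IPv6 pseudo-header followed by the ICMPv6 message."""
    pseudo = src + dst + struct.pack("!I3xB", len(icmp), NEXT_HEADER_ICMPV6)
    data = pseudo + icmp + (b"\x00" if len(icmp) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet_too_big(mtu: int, vlan_id=None) -> bytes:
    """Constructed sample frame: router fe80::1 tells host 2001:db8::10 that the path MTU is `mtu`.
    The ICMPv6 body carries a stub of the offending packet, as a real router's message would."""
    src = bytes.fromhex("fe800000000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000010")
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + b"\x60" + b"\x00" * 7
    body = body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(body), NEXT_HEADER_ICMPV6, 255) + src + dst
    eth = bytes.fromhex("0011223344550000aabbccdd")      # destination MAC (host), source MAC (router)
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)   # pushes the EtherType to bytes 17-18
    return eth + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + body


if __name__ == "__main__":
    trusted = {1}                               # port 1 is the uplink to the IPv6 router
    ptb = build_packet_too_big(1400, vlan_id=10)
    print(switch_decision(ptb, ingress_port=1, trusted_ports=trusted))   # forward
    print(switch_decision(ptb, ingress_port=7, trusted_ports=trusted))   # drop
    print(host_apply_packet_too_big(1500, parse_packet_too_big(ptb)))    # 1400
```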
Fig. 3 is a schematic structural diagram of a device for preventing a PMTU attack in an IPv6 network according to an embodiment of the present invention. As shown in Fig. 3, the device includes a receiving module 301, a port configuration module 302, a processing module 303 and a forwarding module 304, wherein the processing module is connected to the receiving module, the port configuration module and the forwarding module respectively;
the receiving module 301 is configured to receive an ICMPv6 Packet Too Big message;
the port configuration module 302 is configured to configure trusted ports for the switch;
the processing module 303 is configured to read the receiving-port information of the ICMPv6 Packet Too Big message, determine whether that receiving port is a configured trusted port, and if so pass the message to the forwarding module; if not, the message is discarded;
the forwarding module 304 is configured to forward the ICMPv6 Packet Too Big message passed by the processing module to the message's destination host.
After the switch enables the IPv6 PMTU attack prevention function, a rule redirecting ICMPv6 messages to the CPU is issued to the switching chip; when the switching chip receives an ICMPv6 message it redirects the message to the CPU, where software parses and forwards it.
The ICMPv6 Packet Too Big message is redirected to the switch CPU and is parsed and forwarded by the software system running there. The software refers to each message through a data structure that contains, among other fields, the receiving port. When the switching chip passes the message to the CPU, the packet-receive driver reads the port number from the chip's register and writes it into the port field of that structure. The receiving module of the software system running on the CPU receives the ICMPv6 Packet Too Big message together with its structure and hands it to the processing module. The processing module reads the port field of the structure and matches it against the trusted ports configured by the port configuration module: if the port is trusted, the message is passed to the forwarding module, which forwards it to the destination host; if not, the message is discarded immediately. Thus forged ICMPv6 Packet Too Big messages sent by a malicious host node never reach the target IPv6 host, and the safe use of the ICMPv6 Packet Too Big message is ensured.
The trusted ports configured by the port configuration module are the Layer 2 ports and/or aggregation ports on the switch that connect to an IPv6 router.
When trusted ports are configured on the switch, the Layer 2 ports and/or aggregation ports that connect to an IPv6 router are normally configured as trusted, and every port not so configured is untrusted by default. The number of ports that must be configured is therefore small, which makes the configuration easy for an operator to set up and change.
When the processing module judges that the receiving port of the ICMPv6 Packet Too Big message is one of the trusted ports configured by the port configuration module, the forwarding module looks up the MAC address table and forwards the message out of the port connected to the IPv6 host.
When the IPv6 host connected to the switch receives the forwarded ICMPv6 Packet Too Big message, it adjusts its MTU value accordingly, and when it next sends packets they are forwarded by the router to the destination node without trouble.
With the technical scheme of this embodiment, ICMPv6 Packet Too Big messages are handled safely, the forwarding of forged ICMPv6 Packet Too Big messages is prevented, and normal operation of the network is guaranteed.
The above description is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (6)

1. A method for preventing Path Maximum Transmission Unit (PMTU) attacks in an IPv6 network, comprising the following steps:
A. the switch enables the IPv6 PMTU attack prevention function and configures trusted ports on the switch;
B. receiving an Internet Control Message Protocol version 6 (ICMPv6) Packet Too Big message;
C. judging whether the receiving port of the ICMPv6 Packet Too Big message is a configured trusted port;
if so, forwarding the message to the IPv6 host, and if not, discarding the message; wherein
the ICMPv6 Packet Too Big message is redirected to the CPU of the switch, and the software running on the CPU refers to each message through a data structure; after the switching chip passes the message to the CPU, the packet-receive driver reads the port number from the chip's register and writes it into the port field of the message's structure; the software running on the CPU reads the port information from that field and matches it against the trusted-port information configured in step S101;
D. the IPv6 host receives the forwarded ICMPv6 Packet Too Big message and adjusts the Maximum Transmission Unit (MTU) value used for sending to the destination node.
2. The method for preventing PMTU attacks in an IPv6 network according to claim 1, wherein in step A the configured trusted port is a Layer 2 port and/or an aggregation port on the switch that connects to an IPv6 router.
3. The method for preventing PMTU attacks in an IPv6 network according to claim 1 or 2, wherein in step C, when the receiving port of the ICMPv6 Packet Too Big message is a trusted port, the MAC address table is looked up and the message is forwarded out of the port connected to the IPv6 host.
4. A device for preventing PMTU attacks in an IPv6 network, characterized in that the device comprises a receiving module, a port configuration module, a processing module and a forwarding module, wherein the processing module is connected to the receiving module, the port configuration module and the forwarding module respectively;
the receiving module is used to receive an ICMPv6 Packet Too Big message;
the port configuration module is used to configure trusted ports for the switch;
the processing module is configured to read the receiving-port information of the ICMPv6 Packet Too Big message, determine whether that receiving port is a configured trusted port, and if so pass the message to the forwarding module; if not, the message is discarded; the ICMPv6 Packet Too Big message is redirected to the CPU of the switch, and the software running on the CPU refers to each message through a data structure; the switching chip passes the message to the CPU, and the packet-receive driver reads the port number from the chip's register and writes it into the port field of the message's structure; the receiving module of the software system running on the CPU receives the ICMPv6 Packet Too Big message together with its structure and hands it to the processing module; the processing module reads the port field of the structure and matches it against the trusted ports configured by the port configuration module;
the forwarding module is configured to forward the ICMPv6 Packet Too Big message passed by the processing module to the message's destination host.
5. The device for preventing PMTU attacks in an IPv6 network of claim 4, wherein the trusted port configured by the port configuration module for the switch is a Layer 2 port and/or an aggregation port on the switch that connects to an IPv6 router.
6. The device for preventing PMTU attacks in an IPv6 network of claim 4 or 5, wherein when the processing module determines that the receiving port of the ICMPv6 Packet Too Big message is a trusted port, the forwarding module looks up the MAC address table and forwards the message out of the port connected to the IPv6 host.
Publications (2)

Publication Number Publication Date
CN102594810A (en) 2012-07-18
CN102594810B (en) 2016-03-30


Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
  Address: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza
  Patentee before: DIGITAL CHINA NETWORKS (BEIJING) Ltd.
  Patentee after: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd.
TR01 Transfer of patent right
  Effective date of registration: 20190613
  Patentee before: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd. (100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza)
  Patentee after: Wuhan Shenzhou Digital Cloud Technology Co.,Ltd. (430000 Six Floors of 777B Office Building, Guanggu Third Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province)
TR01 Transfer of patent right
  Effective date of registration: 20240429
  Patentee before: Wuhan Shenzhou Digital Cloud Technology Co.,Ltd. (430000 Six Floors of 777B Office Building, Guanggu Third Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province, China)
  Patentee after: Wuhan Shenzhou Digital Cloud Technology Co.,Ltd. and Shenzhou Kuntai (Xiamen) Information Technology Co.,Ltd. (430000 Six Floors of 777B Office Building, Guanggu Third Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province, China)