CN102594810B - The method and apparatus that a kind of IPv6 network prevents PMTU from attacking - Google Patents


Info

Publication number: CN102594810B
Application number: CN201210027389.XA
Authority: CN (China)
Prior art keywords: message, port, icmpv6, switch, module
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN102594810A (en)
Inventor: 梁小冰
Current Assignee: Hefei Shenzhou Kuntai Information Technology Co.,Ltd.; Wuhan Shenzhou Digital Cloud Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Digital China Networks Beijing Co Ltd
Application filed by: Digital China Networks Beijing Co Ltd
Priority to: CN201210027389.XA
Publication of: CN102594810A
Application granted
Publication of: CN102594810B
Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for preventing PMTU attacks in an IPv6 network. The switch enables the ICMPv6 Packet Too Big message security function and trusted ports are configured on the switch; an ICMPv6 Packet Too Big message is received; it is determined whether the port on which the ICMPv6 Packet Too Big message was received belongs to the configured trusted ports, and if so the message is forwarded to the IPv6 host, otherwise the message is discarded. Adopting the technical scheme of the invention ensures the safe use of ICMPv6 Packet Too Big messages, prevents the forwarding of malicious ICMPv6 Packet Too Big messages, and ensures normal operation of the network.

Description

A method and device for preventing PMTU attacks in an IPv6 network

Technical field

The present invention relates to the field of computer data communication, and in particular to a method and device for preventing PMTU attacks in an IPv6 network.

Background

Because IPv6 routers do not fragment the packets they forward, IPv6 instead relies on the Path Maximum Transmission Unit (PMTU) Discovery mechanism, in which Internet Control Message Protocol version 6 (ICMPv6) messages notify the packet's source node to fragment its packets to a suitable size. However, the ICMPv6 protocol currently performs no reliability verification of the Packet Too Big messages sent by intermediate routers. An attacker can forge a PMTU that is too small and send the PMTU message to the source node, so that the node thereafter always sends undersized packets to that destination address, degrading network performance. An attacker can also forge a PMTU that is too large and send it to the sending node; the sending node then adjusts its MTU value and sends oversized packets, which the intermediate routers discard, causing packet loss. This is in effect a Denial-of-Service attack. Ensuring that ICMPv6 Packet Too Big messages are legitimate, and preventing malicious users from attacking with ICMPv6 Packet Too Big messages, is therefore an important factor in keeping an IPv6 network operating normally.

Summary of the invention

The object of the present invention is to propose a method and device for preventing PMTU attacks in an IPv6 network, ensuring that ICMPv6 Packet Too Big messages are legitimate and preventing malicious attackers from carrying out denial-of-service attacks with ICMPv6 Packet Too Big messages.

To this end, the present invention adopts the following technical scheme:

A method for preventing PMTU attacks in an IPv6 network, comprising the following steps:

A. The switch enables the function for preventing IPv6 PMTU attacks, and trusted ports are configured on the switch;

B. An ICMPv6 Packet Too Big message is received;

C. It is determined whether the port on which the ICMPv6 Packet Too Big message was received belongs to the configured trusted ports; if so, the message is forwarded to the IPv6 host, and if not, the message is discarded;

D. The IPv6 host receives the forwarded ICMPv6 Packet Too Big message and adjusts the maximum transmission unit (MTU) value it uses toward the target device.

In step A, the configured trusted ports are the Layer 2 ports and/or aggregation ports on the switch that connect to IPv6 routers.

In step C, when the receiving port of the ICMPv6 Packet Too Big message belongs to the trusted ports, the MAC address table is looked up and the message is forwarded out of the port that connects to the IPv6 host.

A device for preventing PMTU attacks in an IPv6 network, comprising a receiving module, a port configuration module, a processing module and a forwarding module, wherein the processing module is connected to the receiving module, the port configuration module and the forwarding module respectively;

the receiving module is configured to receive ICMPv6 Packet Too Big messages;

the port configuration module is configured to configure trusted ports on the switch;

the processing module is configured to read the receiving-port information of the ICMPv6 Packet Too Big message and determine whether the receiving port belongs to the configured trusted ports; if so, it sends the message to the forwarding module, and if not, it discards the message;

the forwarding module is configured to forward the ICMPv6 Packet Too Big message sent by the processing module to the message's destination host.

The trusted ports that the port configuration module configures on the switch are the Layer 2 ports and/or aggregation ports on the switch that connect to IPv6 routers.

When the processing module determines that the receiving port of the ICMPv6 Packet Too Big message belongs to the trusted ports, the forwarding module looks up the MAC address table and forwards the message out of the port that connects to the IPv6 host.

Adopting the technical scheme of the present invention ensures the safe use of ICMPv6 Packet Too Big messages, prevents the forwarding of malicious ICMPv6 Packet Too Big messages, and ensures normal operation of the network.

Description of the drawings

Fig. 1 is a schematic flowchart of the method for preventing PMTU attacks in an IPv6 network provided by a specific embodiment of the present invention.

Fig. 2 is a schematic diagram of the network device connections in the method for preventing PMTU attacks in an IPv6 network provided by a specific embodiment of the present invention.

Fig. 3 is a schematic structural diagram of the device for preventing PMTU attacks in an IPv6 network provided by a specific embodiment of the present invention.

Detailed description

The technical scheme of the present invention is further described below with reference to the drawings and through specific embodiments.

Fig. 1 is a schematic flowchart of the method for preventing PMTU attacks in an IPv6 network provided by a specific embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps:

Step S101: the switch enables the function for preventing IPv6 PMTU attacks, and trusted ports are configured on the switch.

After the switch enables the function for preventing IPv6 PMTU attacks, a rule that redirects ICMPv6 Packet Too Big messages to the CPU is installed in the switching chip, so that when the switching chip receives an ICMPv6 Packet Too Big message it redirects the message to the switch's CPU, where software parses and forwards it.

An ICMPv6 Packet Too Big message has the following characteristics: the EtherType in bytes 17 and 18 of the Ethernet header is 0x86dd; the Next Header field in byte 6 of the IPv6 header is 58; and the ICMPv6 Type field in byte 41, counted from the start of the IPv6 header, is 2.
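The three-field match just described, worked through as an added C example that is not part of the patent: classify_ptb() walks a raw Ethernet frame, skips one optional 802.1Q tag, and applies the text's three checks (EtherType 0x86dd, IPv6 Next Header 58, ICMPv6 Type 2), returning the MTU the message carries. Offsets are 0-based from the start of each header rather than the byte positions quoted in the text, and the sample frames produced by build_icmpv6_frame() are constructed here, not captured traffic. Like the text's rule, a Packet Too Big carried behind IPv6 extension headers is not matched, and a truncated frame never matches.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Protocol constants from the Ethernet, IPv6 and ICMPv6 standards. */
#define ETHERTYPE_IPV6        0x86DD
#define ETHERTYPE_VLAN        0x8100
#define NEXTHDR_ICMPV6        58
#define ICMPV6_PACKET_TOO_BIG 2
#define ETH_HDR_LEN           14
#define VLAN_TAG_LEN          4
#define IPV6_HDR_LEN          40
#define ICMPV6_HDR_LEN        8
#define FRAME_BUF_LEN         128   /* size of the constructed sample buffers */

/* Classification result; mtu is meaningful only when is_ptb == 1. */
struct ptb_match {
    int is_ptb;
    uint32_t mtu;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Returns 1 and fills *out when the frame is an ICMPv6 Packet Too Big message,
 * 0 otherwise. One 802.1Q tag is skipped; extension headers are not walked,
 * so a PTB behind them does not match, exactly as with the text's rule. */
int classify_ptb(const uint8_t *frame, size_t len, struct ptb_match *out)
{
    size_t etype_off = 12;                 /* EtherType position in an untagged frame */
    const uint8_t *ip6, *icmp;
    uint16_t etype;

    out->is_ptb = 0;
    out->mtu = 0;
    if (len < ETH_HDR_LEN)
        return 0;
    etype = rd16(frame + etype_off);
    if (etype == ETHERTYPE_VLAN) {         /* tagged frame: EtherType shifts right by 4 */
        if (len < ETH_HDR_LEN + VLAN_TAG_LEN)
            return 0;
        etype_off += VLAN_TAG_LEN;
        etype = rd16(frame + etype_off);
    }
    if (etype != ETHERTYPE_IPV6)
        return 0;
    ip6 = frame + etype_off + 2;
    if (len - (etype_off + 2) < IPV6_HDR_LEN + ICMPV6_HDR_LEN)
        return 0;                          /* truncated: cannot be a valid PTB */
    if ((ip6[0] >> 4) != 6 || ip6[6] != NEXTHDR_ICMPV6)
        return 0;
    icmp = ip6 + IPV6_HDR_LEN;
    if (icmp[0] != ICMPV6_PACKET_TOO_BIG)
        return 0;
    out->is_ptb = 1;
    out->mtu = rd32(icmp + 4);             /* MTU field follows type, code, checksum */
    return 1;
}

/* Build a constructed ICMPv6 frame (untagged, or with one VLAN tag) into buf,
 * which must hold FRAME_BUF_LEN bytes. MACs, addresses and payload are sample
 * values; the checksum stays zero because classify_ptb() does not validate it.
 * Returns the frame length. */
size_t build_icmpv6_frame(uint8_t *buf, uint8_t icmp_type, uint32_t mtu, int tagged)
{
    size_t off = 0;
    uint8_t *ip6, *icmp;

    memset(buf, 0, FRAME_BUF_LEN);
    memset(buf, 0x02, 12);                 /* constructed dst/src MACs */
    if (tagged) {
        buf[12] = 0x81; buf[13] = 0x00;    /* 802.1Q TPID */
        buf[14] = 0x00; buf[15] = 0x0a;    /* VLAN 10 */
        off = VLAN_TAG_LEN;
    }
    buf[12 + off] = 0x86; buf[13 + off] = 0xdd;
    ip6 = buf + ETH_HDR_LEN + off;
    ip6[0] = 0x60;                         /* version 6 */
    ip6[5] = ICMPV6_HDR_LEN + 8;           /* payload: ICMPv6 header + 8 bytes of invoking packet */
    ip6[6] = NEXTHDR_ICMPV6;
    ip6[7] = 64;                           /* hop limit */
    ip6[8] = 0xfe; ip6[9] = 0x80; ip6[23] = 1;    /* src fe80::1 (constructed) */
    ip6[24] = 0xfe; ip6[25] = 0x80; ip6[39] = 2;  /* dst fe80::2 (constructed) */
    icmp = ip6 + IPV6_HDR_LEN;
    icmp[0] = icmp_type;                   /* code and checksum left 0 */
    icmp[4] = (uint8_t)(mtu >> 24); icmp[5] = (uint8_t)(mtu >> 16);
    icmp[6] = (uint8_t)(mtu >> 8);  icmp[7] = (uint8_t)mtu;
    return ETH_HDR_LEN + off + IPV6_HDR_LEN + ICMPV6_HDR_LEN + 8;
}

int main(void)
{
    uint8_t buf[FRAME_BUF_LEN];
    struct ptb_match m;
    size_t n = build_icmpv6_frame(buf, ICMPV6_PACKET_TOO_BIG, 1400, 1);
    int hit = classify_ptb(buf, n, &m);
    printf("tagged PTB: match=%d mtu=%u\n", hit, (unsigned)m.mtu);
    n = build_icmpv6_frame(buf, 128, 0, 0);       /* Echo Request: not redirected */
    hit = classify_ptb(buf, n, &m);
    printf("echo request: match=%d\n", hit);
    return 0;
}
```

On a real switch this match is what the redirect-to-CPU rule encodes in the switching chip; the software version is useful for unit-testing the rule and for an IDS sensor that wants to count Packet Too Big messages per ingress port.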

The trusted ports configured on the switch are the Layer 2 ports and/or aggregation ports on the switch that connect to IPv6 routers.

Usually a switch has fewer ports connecting to routers than ports connecting to host nodes, and legitimate ICMPv6 Packet Too Big messages come from routers, whereas illegitimate ones often come from malicious host nodes. Therefore, when configuring trusted ports on the switch, the Layer 2 ports and/or aggregation ports that connect to IPv6 routers are normally configured as trusted, and all other, unconfigured ports default to untrusted. In this way only a small number of ports need to be configured, which makes it convenient for users to set and change the port configuration.

Step S102: an ICMPv6 Packet Too Big message is received.

After the function for preventing IPv6 PMTU attacks is enabled, the rule that redirects ICMPv6 Packet Too Big messages to the CPU is in effect, so when an ICMPv6 Packet Too Big message arrives at a switch port, the switching chip sends it to the switch CPU for processing.

Step S103: it is determined whether the port on which the ICMPv6 Packet Too Big message was received belongs to the configured trusted ports; if so, the message is forwarded to the IPv6 host, and if not, it is discarded.

The ICMPv6 Packet Too Big message is redirected to the switch's CPU, where software parses and forwards it. In the software running on the CPU, each packet is referenced by a software structure that contains a field indicating the receiving port. After the switching chip delivers the packet to the CPU, the receive driver reads the port number from the chip's register and writes it into the port field of the packet's software structure. The software running on the CPU reads the port information in that field and matches it against the trusted-port information configured in step S101. If the port belongs to the trusted ports, the ICMPv6 Packet Too Big message received on it is forwarded to the message's target IPv6 host; if not, the message is discarded outright. As a result, illegitimate ICMPv6 Packet Too Big messages sent by malicious host nodes cannot reach their target IPv6 hosts, which ensures the safe use of ICMPv6 Packet Too Big messages.

Step S104: the IPv6 host receives the forwarded ICMPv6 Packet Too Big message and adjusts the corresponding MTU value according to it; when it sends packets again, the router forwards them to the destination node without trouble.

As shown in Fig. 2, with the method for preventing PMTU attacks in an IPv6 network provided by the specific embodiment of the present invention, the IPv6 host acting as source node sends a packet with its initial MTU value. When the packet is forwarded through the router, the router finds that the packet is larger than the MTU of its outgoing interface and sends an ICMPv6 Packet Too Big message to the source IPv6 host. When the message reaches the switch it is redirected to the switch CPU for processing; the switch determines that the message was received on the port connecting to the upstream router, and since that port is configured as a trusted port, the message is safely forwarded to the source IPv6 host. The source host adjusts its MTU value according to the message, and when it sends packets again, the router forwards them to the destination node without trouble.

By contrast, when a malicious host node sends a forged ICMPv6 Packet Too Big message toward the source IPv6 host, the message matches the rule that redirects ICMPv6 Packet Too Big messages to the switch CPU when it reaches the switch and is sent to the CPU for processing. The switch determines that the receiving port is an untrusted port, so the message is discarded and is not sent to the source IPv6 host, which protects the source node from attack by maliciously forged ICMPv6 Packet Too Big messages.
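The S101 to S103 decision path, as an added C example that is not the patent's own code: guard_trust_port() records the router-facing ports configured in S101, handle_ptb() reads the ingress port from the per-packet software structure and either forwards through the MAC table or drops, and a per-port drop counter lets an operator see which untrusted port is sourcing forged messages. The rx_pkt layout, the 64-port limit, the MAC-table size and the sample MAC and port numbers are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PORTS      64    /* assumed port count for this example */
#define MAC_TABLE_SIZE 16    /* assumed table size for this example */

enum ptb_action { PTB_DROP = 0, PTB_FORWARD = 1 };

/* Per-packet software structure the receive driver fills in on the CPU.
 * The text only says it carries the receiving port; the layout is assumed. */
struct rx_pkt {
    uint16_t ingress_port;   /* read by the driver from the chip's register */
    uint8_t  dst_mac[6];     /* destination MAC: the IPv6 host the PTB is addressed to */
};

/* State from step S101: feature switch, one trust bit per port, and a per-port
 * count of dropped PTBs so an operator can see which port sources forged messages. */
struct ptb_guard {
    int      enabled;
    uint64_t trusted_mask;
    uint32_t dropped[MAX_PORTS];
};

struct mac_entry { uint8_t mac[6]; uint16_t port; };
struct mac_table { struct mac_entry e[MAC_TABLE_SIZE]; int n; };

void guard_init(struct ptb_guard *g, int enabled)
{
    memset(g, 0, sizeof *g);             /* every port starts untrusted */
    g->enabled = enabled;
}

/* Mark a router-facing (or aggregation) port as trusted. Returns -1 for a bad port. */
int guard_trust_port(struct ptb_guard *g, unsigned port)
{
    if (port >= MAX_PORTS)
        return -1;
    g->trusted_mask |= (uint64_t)1 << port;
    return 0;
}

int guard_is_trusted(const struct ptb_guard *g, unsigned port)
{
    return port < MAX_PORTS && ((g->trusted_mask >> port) & 1) != 0;
}

void mac_learn(struct mac_table *t, const uint8_t mac[6], uint16_t port)
{
    if (t->n < MAC_TABLE_SIZE) {
        memcpy(t->e[t->n].mac, mac, 6);
        t->e[t->n].port = port;
        t->n++;
    }
}

/* Returns the port behind which mac was learned, or -1 if unknown. */
int mac_lookup(const struct mac_table *t, const uint8_t mac[6])
{
    int i;
    for (i = 0; i < t->n; i++)
        if (memcmp(t->e[i].mac, mac, 6) == 0)
            return t->e[i].port;
    return -1;
}

/* Step S103 for one PTB redirected to the CPU. With the feature enabled, a PTB
 * from an untrusted port is dropped and counted; otherwise *egress receives the
 * host's port from the MAC table (-1 if the host is unknown, which the caller
 * handles as its normal L2 path would). With the feature disabled every PTB
 * is forwarded as before. */
enum ptb_action handle_ptb(struct ptb_guard *g, const struct mac_table *t,
                           const struct rx_pkt *p, int *egress)
{
    *egress = -1;
    if (g->enabled && !guard_is_trusted(g, p->ingress_port)) {
        if (p->ingress_port < MAX_PORTS)
            g->dropped[p->ingress_port]++;
        return PTB_DROP;
    }
    *egress = mac_lookup(t, p->dst_mac);
    return PTB_FORWARD;
}

int main(void)
{
    struct ptb_guard g;
    struct mac_table t;
    const uint8_t host_mac[6] = {0x02, 0, 0, 0, 0, 0x11};        /* constructed */
    struct rx_pkt from_router = {1, {0x02, 0, 0, 0, 0, 0x11}};   /* arrives on port 1 */
    struct rx_pkt from_host   = {7, {0x02, 0, 0, 0, 0, 0x11}};   /* arrives on port 7 */
    int egress, action;

    guard_init(&g, 1);
    guard_trust_port(&g, 1);             /* port 1 faces the upstream IPv6 router */
    memset(&t, 0, sizeof t);
    mac_learn(&t, host_mac, 5);          /* the source IPv6 host sits behind port 5 */
    action = handle_ptb(&g, &t, &from_router, &egress);
    printf("PTB from port 1: action=%d egress=%d\n", action, egress);
    action = handle_ptb(&g, &t, &from_host, &egress);
    printf("PTB from port 7: action=%d dropped[7]=%u\n", action, (unsigned)g.dropped[7]);
    return 0;
}
```

The drop counter is the one addition beyond the text: exporting it per port (for example through the switch's existing counters or syslog) turns the silent discard into a detection signal for a host that is emitting forged Packet Too Big messages.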

Fig. 3 is a schematic structural diagram of the device for preventing PMTU attacks in an IPv6 network provided by a specific embodiment of the present invention. As shown in Fig. 3, the device comprises a receiving module 301, a port configuration module 302, a processing module 303 and a forwarding module 304, wherein the processing module is connected to the receiving module, the port configuration module and the forwarding module respectively;

the receiving module 301 is configured to receive ICMPv6 Packet Too Big messages;

the port configuration module 302 is configured to configure trusted ports on the switch;

the processing module 303 is configured to read the receiving-port information of the ICMPv6 Packet Too Big message and determine whether the receiving port belongs to the configured trusted ports; if so, it sends the message to the forwarding module, and if not, it discards the message;

the forwarding module 304 is configured to forward the ICMPv6 Packet Too Big message sent by the processing module to the message's destination host.

After the switch enables the function for preventing IPv6 PMTU attacks, the rule that redirects ICMPv6 Packet Too Big messages to the CPU is installed in the switching chip; when the switching chip receives an ICMPv6 Packet Too Big message, it redirects the message to the CPU, where software parses and forwards it.

The ICMPv6 Packet Too Big message is redirected to the switch's CPU, where the software system running on the CPU parses and forwards it. In the software running on the CPU, each packet is referenced by a software structure that contains a field indicating the receiving port. After the switching chip delivers the packet to the CPU, the receive driver reads the port number from the chip's register and writes it into the port field of the packet's software structure. The receiving module in the software system running on the CPU receives the ICMPv6 Packet Too Big message in this software structure and sends it to the processing module. The processing module reads the port information from the port field of the software structure and matches it against the trusted ports configured by the port configuration module; if the port belongs to the trusted ports, it sends the ICMPv6 Packet Too Big message to the forwarding module, which forwards it to the destination host; if not, the message is discarded outright. As a result, illegitimate ICMPv6 Packet Too Big messages sent by malicious host nodes cannot reach their destination IPv6 hosts, which ensures the safe use of ICMPv6 Packet Too Big messages.

The trusted ports that the port configuration module configures on the switch are the Layer 2 ports and/or aggregation ports on the switch that connect to IPv6 routers.

When configuring trusted ports on the switch, the Layer 2 ports and/or aggregation ports that connect to IPv6 routers are normally configured as trusted, and all other, unconfigured ports default to untrusted. In this way only a small number of ports need to be configured, which makes it convenient for users to set and change the port configuration.

When the processing module determines that the receiving port of the ICMPv6 Packet Too Big message belongs to the trusted ports configured by the port configuration module, the forwarding module looks up the MAC address table and forwards the message out of the port that connects to the IPv6 host.

When an IPv6 host connected to the switch receives a forwarded ICMPv6 Packet Too Big message, it adjusts the corresponding MTU value according to the message; when it sends packets again, the router forwards them to the destination node without trouble.
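The host side of step S104, as an added C example that is not part of the patent and goes a little beyond it: pmtu_on_packet_too_big() applies the MTU from a forwarded message to the host's per-destination cache under the two rules of RFC 8201, namely that a Packet Too Big may only lower the estimate and may never take it below the IPv6 minimum link MTU of 1280 bytes. Those two rules neutralise exactly the forged too-large and too-small values described in the background, so they are worth keeping on the host even with the switch-side filter in place. The cache entry layout and the 1500-byte link used in main() are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IPV6_MIN_LINK_MTU 1280u   /* IPv6 minimum link MTU */

/* Per-destination path MTU cache entry on the host (layout assumed for this example). */
struct pmtu_entry {
    uint32_t link_mtu;   /* MTU of the host's own outgoing link: the upper bound */
    uint32_t pmtu;       /* current estimate toward this destination */
};

enum pmtu_result { PMTU_IGNORED = 0, PMTU_LOWERED = 1, PMTU_CLAMPED = 2 };

void pmtu_init(struct pmtu_entry *e, uint32_t link_mtu)
{
    e->link_mtu = link_mtu;
    e->pmtu = link_mtu;          /* start at the link MTU; PTBs can only bring it down */
}

/* Apply the MTU carried by a forwarded Packet Too Big message (step S104) with
 * the RFC 8201 rules: a PTB may only lower the estimate, so a value at or above
 * the current estimate (a forged "too large" PMTU) is ignored; and the estimate
 * never goes below the IPv6 minimum link MTU, so a forged tiny value is clamped
 * to 1280 rather than applied. */
enum pmtu_result pmtu_on_packet_too_big(struct pmtu_entry *e, uint32_t reported)
{
    if (reported >= e->pmtu)
        return PMTU_IGNORED;
    if (reported < IPV6_MIN_LINK_MTU) {
        if (e->pmtu <= IPV6_MIN_LINK_MTU)
            return PMTU_IGNORED;           /* already at the floor */
        e->pmtu = IPV6_MIN_LINK_MTU;
        return PMTU_CLAMPED;
    }
    e->pmtu = reported;
    return PMTU_LOWERED;
}

int main(void)
{
    struct pmtu_entry e;
    /* constructed sequence: legitimate 1400, forged large 9000, forged small 500, below floor 600 */
    uint32_t samples[] = {1400, 9000, 500, 600};
    size_t i;

    pmtu_init(&e, 1500);
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = pmtu_on_packet_too_big(&e, samples[i]);
        printf("PTB mtu=%u -> result=%d pmtu=%u\n", (unsigned)samples[i], r, (unsigned)e.pmtu);
    }
    return 0;
}
```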

Adopting the technical scheme of the above specific embodiment of the present invention ensures the safe use of ICMPv6 Packet Too Big messages, prevents the forwarding of malicious ICMPv6 Packet Too Big messages, and ensures normal operation of the network.

The above is only a preferred specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or substitution that a person familiar with the technology could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (6)

1. A method for preventing path maximum transmission unit (PMTU) attacks in an IPv6 network, characterized in that it comprises the following steps:
A. the switch enables the function for preventing IPv6 PMTU attacks, and trusted ports are configured on the switch;
B. an Internet Control Message Protocol version 6 (ICMPv6) Packet Too Big message is received;
C. it is determined whether the port on which the ICMPv6 Packet Too Big message was received belongs to the configured trusted ports; if so, the message is forwarded to the IPv6 host, and if not, the message is discarded; wherein the ICMPv6 Packet Too Big message is redirected to the switch's CPU and, in the software running on the CPU, each packet is referenced by a software structure; after the switching chip delivers the packet to the CPU, the receive driver reads the port number from the chip's register and writes it into the port field of the packet's software structure; the software running on the CPU reads the port information in that field and matches it against the trusted-port information configured in step S101;
D. the IPv6 host receives the forwarded ICMPv6 Packet Too Big message and adjusts the maximum transmission unit (MTU) value it uses toward the destination node.

2. The method for preventing PMTU attacks in an IPv6 network according to claim 1, characterized in that, in step A, the configured trusted ports are the Layer 2 ports and/or aggregation ports on the switch that connect to IPv6 routers.

3. The method for preventing PMTU attacks in an IPv6 network according to claim 1 or 2, characterized in that, in step C, when the receiving port of the ICMPv6 Packet Too Big message belongs to the trusted ports, the MAC address table is looked up and the message is forwarded out of the port that connects to the IPv6 host.

4. A device for preventing PMTU attacks in an IPv6 network, characterized in that it comprises a receiving module, a port configuration module, a processing module and a forwarding module, wherein the processing module is connected to the receiving module, the port configuration module and the forwarding module respectively;
the receiving module is configured to receive ICMPv6 Packet Too Big messages;
the port configuration module is configured to configure trusted ports on the switch;
the processing module is configured to read the receiving-port information of the ICMPv6 Packet Too Big message and determine whether the receiving port belongs to the configured trusted ports; if so, it sends the message to the forwarding module, and if not, it discards the message; wherein the ICMPv6 Packet Too Big message is redirected to the switch's CPU and, in the software running on the CPU, each packet is referenced by a software structure; after the switching chip delivers the packet to the CPU, the receive driver reads the port number from the chip's register and writes it into the port field of the packet's software structure; the receiving module in the software system running on the CPU receives the ICMPv6 Packet Too Big message in this software structure and sends it to the processing module; the processing module reads the port information from the port field of the software structure and matches it against the trusted ports configured by the port configuration module;
the forwarding module is configured to forward the ICMPv6 Packet Too Big message sent by the processing module to the message's destination host.

5. The device for preventing PMTU attacks in an IPv6 network according to claim 4, characterized in that the trusted ports that the port configuration module configures on the switch are the Layer 2 ports and/or aggregation ports on the switch that connect to IPv6 routers.

6. The device for preventing PMTU attacks in an IPv6 network according to claim 4 or 5, characterized in that, when the processing module determines that the receiving port of the ICMPv6 Packet Too Big message belongs to the trusted ports, the forwarding module looks up the MAC address table and forwards the message out of the port that connects to the IPv6 host.
Priority application: CN201210027389.XA, priority date 2012-02-08, filing date 2012-02-08, title "The method and apparatus that a kind of IPv6 network prevents PMTU from attacking", status Active, granted as CN102594810B (en)

Publications (2)

Publication Number Publication Date
CN102594810A (en) 2012-07-18
CN102594810B true CN102594810B (en) 2016-03-30

Family

ID=46483011

Country Status (1)

Country Link
CN (1) CN102594810B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2953311B1 (en) 2013-06-26 2019-01-16 Huawei Technologies Co., Ltd. Packet identification method and protective device
CN104348785B (en) * 2013-07-29 2018-06-05 中国电信股份有限公司 The method, apparatus and system for preventing host PMTU from attacking in IPv6 nets

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101030945A (en) * 2007-04-06 2007-09-05 中兴通讯股份有限公司 Method for preventing PPPoE from being attacked by personnel server and false server
CN101141396A (en) * 2007-09-18 2008-03-12 华为技术有限公司 Packet processing method and network appliance
WO2009134900A2 (en) * 2008-04-30 2009-11-05 Viasat, Inc. Trusted network interface
CN102325076A (en) * 2011-05-24 2012-01-18 中兴通讯股份有限公司 Method for discovering PMTU (Path Maximum Transfer Unit) and node

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080198749A1 (en) * 2007-02-20 2008-08-21 Dell Products, Lp Technique for handling service requests in an information handling system



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
    Address after: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza
    Patentee after: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd.
    Address before: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza
    Patentee before: DIGITAL CHINA NETWORKS (BEIJING) Ltd.
TR01 Transfer of patent right
    Effective date of registration: 20190613
    Address after: 430000 Six Floors of 777B Office Building, Guanggu Third Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province
    Patentee after: Wuhan Shenzhou Digital Cloud Technology Co.,Ltd.
    Address before: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza
    Patentee before: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd.
TR01 Transfer of patent right
    Effective date of registration: 20240429
    Address after: 430000 Six Floors of 777B Office Building, Guanggu Third Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province
    Patentee after: Wuhan Shenzhou Digital Cloud Technology Co.,Ltd.
    Country or region after: China
    Patentee after: Shenzhou Kuntai (Xiamen) Information Technology Co.,Ltd.
    Address before: 430000 Six Floors of 777B Office Building, Guanggu Third Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province
    Patentee before: Wuhan Shenzhou Digital Cloud Technology Co.,Ltd.
    Country or region before: China
TR01 Transfer of patent right
    Effective date of registration: 20250208
    Address after: 430000 Six Floors of 777B Office Building, Guanggu Third Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province
    Patentee after: Wuhan Shenzhou Digital Cloud Technology Co.,Ltd.
    Country or region after: China
    Patentee after: Hefei Shenzhou Kuntai Information Technology Co.,Ltd.
    Address before: 430000 Six Floors of 777B Office Building, Guanggu Third Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province
    Patentee before: Wuhan Shenzhou Digital Cloud Technology Co.,Ltd.
    Country or region before: China
    Patentee before: Shenzhou Kuntai (Xiamen) Information Technology Co.,Ltd.