CN103685265A - Security detection method and system of passive optical network - Google Patents


Info

Publication number: CN103685265A
Authority: CN (China)
Prior art keywords: onu, checked, equipment, source mac, mac
Legal status: Granted
Application number: CN201310665263.XA
Other languages: Chinese (zh)
Other versions: CN103685265B (en)
Inventor: 张健
Current Assignee: Yima Technology Co.,Ltd.
Original Assignee: Shanghai Feixun Data Communication Technology Co Ltd
Application filed by Shanghai Feixun Data Communication Technology Co Ltd
Priority to CN201310665263.XA
Publication of CN103685265A
Application granted
Publication of CN103685265B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention provides a security detection method and system for a passive optical network. The passive optical network comprises OLT equipment and ONU equipment connected to the OLT equipment over the network, and each ONU has a unique logical link identifier. The OLT equipment learns the source MAC address of received data information and obtains the MAC address of the corresponding ONU equipment from that source MAC address; the ONU MAC address is then used as the logical link identifier of that ONU to generate ONU identification information for the ONU. An association table of source MAC addresses and ONU identification information is built, and according to this table it is detected whether data information received by the OLT equipment comes from an attack source, and the category of the attack source can be determined. This solves the vulnerabilities of existing network security mechanisms, which cannot restrict the network precisely and in which the OLT cannot detect MAC address spoofing.

Description

Security detection method and system for a passive optical network
Technical field
The present invention relates to the field of network technology, and in particular to a security detection method and system for a passive optical network.
Background technology
In a network, attackers often attack by MAC address flooding or MAC address spoofing, causing network paralysis. For security reasons, operators need the OLT equipment to detect MAC address attacks, automatically cut off the attack source, and keep the network running smoothly.
A PON (passive optical network) system is a point-to-multipoint system composed of an OLT (optical line terminal), ONUs (optical network units) and an ODN (optical distribution network). The OLT is located at the central office, the ONUs are located at the user side, and the ODN consists of passive optical splitters and fibre links.
The OLT system performs layer-2 forwarding by using a switching chip to aggregate the data frames arriving from each PON port. The switching chip has a powerful learning function and a large capacity: it dynamically learns the source MAC addresses of data frames and builds and maintains a MAC address table (also called a content-addressable memory, CAM) for switching, which records the correspondence between MAC addresses and interfaces. When the switching chip receives a data frame, it extracts the frame's destination MAC address and looks it up in the table; if found, the frame is forwarded out of the corresponding interface, and if not found it is broadcast to all ports. At the same time the switching chip extracts the frame's source MAC address and checks the MAC address table; if the address is absent, the MAC address and the port on which it was received are written into the table, so that subsequent frames addressed to that MAC address no longer need to be broadcast to all ports. This is called the MAC address learning process. The dynamically learned entries are not permanent: a timer is started for each entry, and when the timer counts down to zero the entry is deleted. This is called MAC address aging; each time the address is used for forwarding, its timer is reset to the initial value.
Switching chips generally also implement the VLAN function, in which case the MAC address table changes from a correspondence between MAC address and interface to a correspondence between MAC address, VLAN ID and interface, and a received data frame is looked up in the MAC address table by both its destination MAC address and its VLAN ID.
The content-addressable memory of a switching chip is normally limited, and an attacker can easily overflow it by MAC address flooding. Once it overflows, every newly arriving data frame is processed without switching and is broadcast to all ports. The current protection against MAC address attacks is normally to limit the number of MAC addresses a switching-chip port may learn: once the number learned on a port exceeds the threshold, new packets are dropped.
This approach has the following shortcomings in an OLT system:
(1) The switching chip of an OLT system is usually used for aggregation, and its downstream ports connect to PON chips. Once a MAC address flooding attack occurs, the switching chip automatically discards all legitimate packets newly arriving on that PON port. Since at least 32 ONUs are connected under one PON port of the OLT, limiting the number of MAC addresses learned per switching port causes a large number of legitimate users to lose network access;
(2) Once an attacker uses MAC address spoofing, for example by constructing data frames whose source MAC address is the MAC address of the OLT system's uplink device, the switching chip learns this illegal packet and binds that address to the port where the attacker is located, so that all legitimate data frames addressed to the uplink device are forwarded to the illegal port.
Summary of the invention
In view of the above shortcomings of the prior art, the object of the present invention is to provide a security detection method and system for a passive optical network, so as to solve the problem that security detection in prior-art passive optical networks is inaccurate and leaves vulnerabilities.
To achieve the above and other related objects, the invention provides a security detection method for a passive optical network. The passive optical network comprises OLT equipment and ONU equipment connected to the OLT equipment over the network, each ONU having a unique logical link identifier. The security detection method comprises: the OLT equipment learns the source MAC address of received data information; the MAC address of the corresponding ONU equipment is obtained according to the source MAC address; the ONU MAC address is filled into the logical link identifier of the corresponding ONU to generate ONU identification information for that ONU; an association table containing the source MAC address and the ONU identification information is built; and according to the association table it is detected whether the data information received by the OLT equipment comes from an attack source.
Preferably, the security detection method further comprises: locating the position of the attack source according to the data information detected as coming from an attack source.
Preferably, detecting according to the association table whether the data information received by the OLT equipment comes from an attack source comprises: extracting the source MAC address to be checked from the data information received by the OLT equipment; comparing the source MAC address to be checked with the destination MAC address of the target device that is to receive the data information; if they are identical, judging the source MAC address to be checked to be a forged MAC address; if they differ, looking up whether the source MAC address to be checked exists in the association table; if it does not exist, adding the source MAC address to be checked and the generated corresponding ONU identification information to be checked to the association table; setting an address lifetime; detecting whether the number of MAC addresses to be checked learned by the OLT equipment for the corresponding ONU identification information within the address lifetime exceeds a threshold; if it does, judging it to be a MAC address flooding attack; and if the source MAC address to be checked exists in the association table, resetting the address lifetime of that source MAC address to its initial value.
Preferably, when the address lifetime expires, the expired entries containing the ONU identification information and the corresponding MAC address are aged out of the association table, and the association table is updated.
Preferably, the association table is a HASH table, and looking up whether the source MAC address to be checked exists in the association table comprises: computing an index value for the source MAC address to be checked with a preset HASH function, and using the computed index value to look up and compare entries in the HASH table to judge whether the source MAC address to be checked exists.
To achieve the above and other related objects, the invention also provides a security detection system for a passive optical network. The passive optical network comprises OLT equipment and ONU equipment connected to the OLT equipment over the network, each ONU having a unique logical link identifier. The security detection system comprises: a learning module, for making the OLT equipment learn the source MAC address of received data information; an address acquisition module, for obtaining the MAC address of the corresponding ONU equipment according to the source MAC address; an identification information generation module, for filling the ONU MAC address into the logical link identifier of the corresponding ONU to generate ONU identification information for that ONU; an association table building module, for building an association table containing the source MAC address and the ONU identification information; and a detection module, for detecting according to the association table whether the data information received by the OLT equipment comes from an attack source.
Preferably, the security detection system further comprises: a locating module, for locating the position of the attack source according to the data information detected as coming from an attack source.
Preferably, the detection module comprises: an extraction module, for extracting the source MAC address to be checked from the data information received by the OLT equipment; a comparison module, for comparing the source MAC address to be checked with the destination MAC address of the target device that is to receive the data information; a lookup module, for looking up whether the source MAC address to be checked exists in the association table when the comparison differs; an update module, for adding the source MAC address to be checked and the generated corresponding ONU identification information to be checked to the association table when the lookup finds it absent; a timing module, for setting the address lifetime and, when the lookup finds the source MAC address to be checked present in the association table, resetting its address lifetime to the initial value; and an attack judgement module, for judging the source MAC address to be checked to be a forged MAC address when the comparison is identical, and further, when the lookup finds the source MAC address to be checked absent from the association table, for detecting whether the number of source MAC addresses to be checked learned by the OLT equipment for the corresponding ONU identification information within the address lifetime exceeds a threshold and, if so, judging it to be a MAC address flooding attack.
Preferably, the update module is further used, when the address lifetime expires, to age out of the association table the expired entries containing the ONU identification information and the corresponding MAC address, and to update the association table.
Preferably, the association table is a HASH table, and the lookup module computes an index value for the source MAC address to be checked with a preset HASH function and uses the computed index value to look up and compare entries in the HASH table to judge whether the source MAC address to be checked exists.
As described above, the invention provides a security detection method and system for a passive optical network. The passive optical network comprises OLT equipment and ONU equipment connected to the OLT equipment over the network, each ONU having a unique logical link identifier. The method and system have the OLT equipment learn the source MAC address of received data information, obtain the MAC address of the corresponding ONU equipment from that source MAC address, fill the ONU MAC address into the logical link identifier of the corresponding ONU to generate ONU identification information for that ONU, build an association table containing the source MAC address and the ONU identification information, and detect according to the association table whether the data information received by the OLT equipment comes from an attack source, with the category of the attack source also determinable. This solves the vulnerabilities of existing network security mechanisms, which cannot restrict the network precisely and in which the OLT cannot detect MAC address spoofing.
Accompanying drawing explanation
Fig. 1 is a schematic flow chart of the steps of an embodiment of the security detection method for a passive optical network of the present invention.
Fig. 2 is a schematic flow chart of the steps of another embodiment of the security detection method for a passive optical network of the present invention.
Fig. 3 is a schematic structural diagram of an embodiment of the security detection system for a passive optical network of the present invention.
Fig. 4 is a schematic structural diagram of another embodiment of the security detection system for a passive optical network of the present invention.
Element numbers explanation
Embodiment
The embodiments of the present invention are described below by way of specific examples; those skilled in the art can readily understand other advantages and effects of the invention from the contents disclosed in this specification. The invention may also be implemented or applied through other different embodiments, and the details in this specification may be modified or changed in various ways from different viewpoints and applications without departing from the spirit of the invention. It should be noted that, where there is no conflict, the embodiments of this application and the features in the embodiments may be combined with one another.
Referring to Fig. 1, the invention provides a security detection method for a passive optical network. The passive optical network comprises OLT equipment and ONU equipment connected to the OLT equipment over the network, each ONU having a unique logical link identifier, and the security detection method comprises:
Step S1: the OLT equipment learns the source MAC address of received data information;
Step S2: the MAC address of the corresponding ONU equipment is obtained according to the source MAC address;
Step S3: the ONU MAC address is filled into the logical link identifier of the corresponding ONU to generate ONU identification information for that ONU;
Step S4: an association table containing the source MAC address and the ONU identification information is built;
Step S5: according to the association table it is detected whether the data information received by the OLT equipment comes from an attack source.
Preferably, the security detection method further comprises:
Step S6: locate the position of the attack source according to the data information detected as coming from an attack source. In this embodiment the position is a position in the network, which can be located from, for example, the attack source's MAC address or the port or device information on which the attack message or data was received.
Preferably, the above data information includes data frames, packets and messages, which in general all contain a source MAC address identifying the location of the device that originated the data.
Preferably, the passive optical network is an EPON or GPON network, and the logical link identifier is the corresponding LLID or GEMPORT-ID. In this embodiment, FTTx (fibre to the x) is a general term for the various forms of broadband optical access network, in which optical fibre may be the only transmission medium or the backbone transmission medium. Depending on the physical location the fibre reaches, FTTx has multiple application types, generally divided as follows:
(1) Fiber to the Cabinet (FTTCab);
(2) Fiber to the Building/Curb (FTTB/C);
(3) Fiber to the Office (FTTO);
(4) Fiber to the Home (FTTH).
PON technology is considered the most important broadband access technology for building FTTx, and broadband access represented by EPON (Ethernet Passive Optical Network) and GPON (Gigabit-Capable Passive Optical Network) has begun to be deployed at a certain scale domestically. According to the PON protocol, although the downstream channel between the OLT and the ONUs transmits data in broadcast mode, each logical data transmission channel (the LLID in EPON, the GEM Port in GPON) belongs to only one ONU; when an ONU receives data identified as belonging to another ONU it should discard that data, which guarantees correct forwarding and security isolation of user data. In unicast transmission mode the OLT may copy a downstream broadcast message N times and distribute the copies over several logical data channels to be sent to the ONUs. The present invention therefore uses the LLID or GEMPORT identifier for processing, and in this embodiment the LLID identifier used in EPON networks is taken as the example.
Referring to Fig. 2, in a preferred embodiment step S5 comprises:
Step S501: extract the source MAC address to be checked from the data information received by the OLT equipment;
Step S502: compare the source MAC address to be checked with the destination MAC address of the target device that is to receive the data information. In this embodiment the target device is the uplink device of the OLT equipment, and the data information may be a reported data frame, packet, message, etc.
Step S503: if they are identical, judge the source MAC address to be checked to be a forged MAC address, then end the detection flow and perform operations such as rejecting the data and searching for the source of the forged MAC address.
Step S504: if they differ, look up whether the source MAC address to be checked exists in the association table;
Step S505: if it does not exist, add the source MAC address to be checked and the generated corresponding ONU identification information to be checked to the association table;
Step S506: set the address lifetime;
Step S507: detect whether the number of MAC addresses to be checked learned by the OLT equipment for the corresponding ONU identification information within the address lifetime exceeds a threshold;
Step S508: if it does, judge it to be a MAC address flooding attack, then end the detection flow and perform operations such as rejecting the data and searching for the source of the forged MAC address.
Step S509: if the source MAC address to be checked exists in the association table, reset its address lifetime to the initial value.
Preferably, the method further comprises an update mechanism for the association table:
When the address lifetime expires, the expired entries containing the ONU identification information and the corresponding MAC address are aged out of the association table and the table is updated; in this embodiment the update may be updating the statistic of the number of MAC addresses corresponding to that ONU ID.
Preferably, the association table is a HASH table. In this embodiment a hash table is a data structure that is accessed directly according to a key value: it maps the key value to a position in the table and accesses the record there, so as to speed up lookup. The mapping function is called the hash function, and the array storing the records is called the hash table. Hash tables are widely used in Internet protocol address communication and management.
Correspondingly, step S504 comprises: computing an index value for the source MAC address to be checked with a preset HASH function, and using the computed index value to look up and compare entries in the HASH table to judge whether the source MAC address to be checked exists.
As shown in Fig. 3, the invention provides a security detection system 1 for a passive optical network. Its technical principle is essentially the same as that of the security detection method described above, so some related technical details are not repeated here. The passive optical network comprises OLT equipment and ONU equipment connected to the OLT equipment over the network, each ONU having a unique logical link identifier. The security detection system 1 comprises: a learning module 11, for making the OLT equipment learn the source MAC address of received data information; an address acquisition module 12, for obtaining the MAC address of the corresponding ONU equipment according to the source MAC address; an identification information generation module 13, for filling the ONU MAC address into the logical link identifier of the corresponding ONU to generate ONU identification information for that ONU; an association table building module 14, for building an association table containing the source MAC address and the ONU identification information; and a detection module 15, for detecting according to the association table whether the data information received by the OLT equipment comes from an attack source.
Preferably, the security detection system 1 further comprises: a locating module 16, for locating the position of the attack source according to the data information detected as coming from an attack source.
Preferably, the data information includes data frames, packets and messages.
Preferably, the passive optical network is an EPON or GPON network, and the logical link identifier is the corresponding LLID or GEMPORT-ID.
Referring to Fig. 4, in a preferred embodiment the detection module 15 comprises: an extraction module 151, for extracting the source MAC address to be checked from the data information received by the OLT equipment; a comparison module 152, for comparing the source MAC address to be checked with the destination MAC address of the target device that is to receive the data information; a lookup module 153, for looking up whether the source MAC address to be checked exists in the association table when the comparison differs; an update module 154, for adding the source MAC address to be checked and the generated corresponding ONU identification information to be checked to the association table when the lookup finds it absent; a timing module 155, for setting the address lifetime and, when the lookup finds the source MAC address to be checked present in the association table, resetting its address lifetime to the initial value; and an attack judgement module 156, for judging the source MAC address to be checked to be a forged MAC address when the comparison is identical, and further, when the lookup finds the source MAC address to be checked absent from the association table, for detecting whether the number of source MAC addresses to be checked learned by the OLT equipment for the corresponding ONU identification information within the address lifetime exceeds a threshold and, if so, judging it to be a MAC address flooding attack.
Preferably, the update module 154 is further used, when the address lifetime expires, to age out of the association table the expired entries containing the ONU identification information and the corresponding MAC address, and to update the association table.
Preferably, the association table is a HASH table, and the lookup module 153 computes an index value for the source MAC address to be checked with a preset HASH function and uses the computed index value to look up and compare entries in the HASH table to judge whether the source MAC address to be checked exists.
Specifically, the principle of the security detection method and system for a passive optical network of the present invention is as follows:
MAC address attacks generally comprise: (1) constructing a large number of data frames with different source MAC addresses so that the table capacity of the OLT system's switching chip overflows; (2) constructing frames carrying the MAC address of the OLT system's uplink device port so that the switching chip of the OLT system learns a wrong binding between MAC address and port.
In an OLT system, the PON chip accesses the ONUs downstream and connects upstream to the switching chip, which connects to the uplink device for interconnection. An ONU accessing the OLT system must be registered and authorised before its data frames can pass through the OLT. Registration and authorisation are in fact the PON chip of the OLT system allocating resources to the accessing ONU and establishing a data channel; taking an EPON system as the example, the OLT allocates an LLID to the ONU and builds and keeps a registry of ONUs.
When a user connected to an ONU sends data frames, the PON chip of the OLT records the source MAC addresses of all the frames according to the LLID. The present invention uses the source MAC address and LLID information learned by the PON chip to find MAC address attack sources by statistical monitoring, and provides a reverse-lookup mechanism for MAC addresses to judge MAC address spoofing.
The present invention therefore detects MAC address flooding attacks and MAC address spoofing in an OLT system; a concrete implementation may be as shown in the following example:
The OLT system starts and runs the detection module task, configuring the PON chip in the OLT equipment to automatically report the MAC addresses of arriving data frames that it learns. From each source MAC address the MAC address of the ONU equipment is obtained, and this ONU MAC address is filled into the ONU ID as the ONU identifier (taking EPON as the example, generally the LLID information);
According to the designed HASH function, a HASH index value is computed with the source MAC address as the key, and a dynamic record table is set up for each PON port, whose entries contain the source MAC address and ONU ID information;
When the PON chip reports the source MAC address of a data frame, the report is intercepted, the MAC address is extracted and compared with the MAC address of the target device, for example the uplink device. If identical, the MAC address is a forged MAC address. If different, the key is computed with the HASH function, the HASH table is searched by this key, and the table entries are compared to determine whether the MAC address exists. If it does not exist, the MAC address and the corresponding ONU ID identifier are added to the HASH table;
A timer is set and the statistic of the number of MAC addresses corresponding to this ONU ID is updated; if the statistic exceeds the threshold, a MAC address flooding attack has occurred. If the address already exists, the timer is reset to its initial value;
When the timer expires, the entry is deleted from the HASH table and the statistic of the number of MAC addresses corresponding to this ONU ID is updated.
Thus, by obtaining the MAC address and ONU ID information learned by the PON chip, a hash index table is generated with the MAC address as the key, each element of which contains the source MAC address and the ONU ID; by counting the number of MAC addresses corresponding to each ONU ID it is judged whether an attack is occurring, and by reverse lookup of the hash table with the MAC address of the uplink device it is judged whether MAC address spoofing exists. The OLT system can thus actively detect MAC address flooding attacks, locate the attack source to a specific ONU, and detect MAC address spoofing. Using a HASH table makes the detection lookup efficient. Through testing and simulation on the FP6508, the applicant has shown that the present invention can actively detect MAC address flooding attacks and can detect MAC address spoofing.
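The detection flow of steps S501 to S509 and the implementation outline above (a hash table keyed by source MAC address, an address lifetime timer per entry, and a per-ONU count of learned addresses compared against a threshold), as an added Python simulation that is not part of the patent; the threshold, lifetime, uplink MAC and the reported frames are constructed values.

```python
"""Added example: per-PON-port MAC detection as described in steps S501-S509.
Not the patent's own code. Threshold and lifetime values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FLOOD_THRESHOLD = 3       # constructed: max distinct source MACs per ONU within one lifetime
ADDRESS_LIFETIME = 10.0   # constructed: address life cycle time, in seconds


@dataclass
class Entry:
    """One association-table item: source MAC plus the ONU identifier (LLID in EPON)."""
    src_mac: str
    onu_id: int
    expires_at: float


@dataclass
class PonPortTable:
    """Association table for one PON port. A Python dict keyed by the source MAC
    plays the role of the HASH table; the dict's own hashing is the HASH function."""
    uplink_mac: str                      # MAC address of the OLT's uplink device
    entries: Dict[str, Entry] = field(default_factory=dict)
    per_onu_count: Dict[int, int] = field(default_factory=dict)

    def age_out(self, now: float) -> int:
        """Delete entries whose lifetime expired and update the per-ONU statistic."""
        expired = [mac for mac, e in self.entries.items() if e.expires_at <= now]
        for mac in expired:
            e = self.entries.pop(mac)
            self.per_onu_count[e.onu_id] -= 1
        return len(expired)

    def check_frame(self, src_mac: str, onu_id: int, now: float) -> Tuple[str, Optional[int]]:
        """Classify one source MAC reported by the PON chip.

        Returns ("spoof", None), ("flood", onu_id) or ("ok", onu_id)."""
        src_mac = src_mac.lower()
        # S502/S503: a source MAC equal to the uplink device's MAC is a forged address.
        if src_mac == self.uplink_mac.lower():
            return ("spoof", None)
        self.age_out(now)
        entry = self.entries.get(src_mac)
        if entry is not None:
            # S509: known address, reset its lifetime to the initial value.
            entry.expires_at = now + ADDRESS_LIFETIME
            return ("ok", entry.onu_id)
        # S505/S506: new address, add it together with its ONU ID and a fresh lifetime.
        self.entries[src_mac] = Entry(src_mac, onu_id, now + ADDRESS_LIFETIME)
        self.per_onu_count[onu_id] = self.per_onu_count.get(onu_id, 0) + 1
        # S507/S508: too many distinct MACs behind one ONU within the lifetime -> flooding,
        # and the ONU ID locates the attack source to a specific ONU.
        if self.per_onu_count[onu_id] > FLOOD_THRESHOLD:
            return ("flood", onu_id)
        return ("ok", onu_id)


def run_demo() -> List[str]:
    """Feed a constructed sequence of (src_mac, LLID, time) reports through one table."""
    table = PonPortTable(uplink_mac="00:11:22:33:44:55")
    reports = [
        ("aa:bb:cc:00:00:01", 1, 0.0),
        ("aa:bb:cc:00:00:02", 1, 1.0),
        ("aa:bb:cc:00:00:01", 1, 2.0),   # repeat: lifetime refreshed, count unchanged
        ("aa:bb:cc:00:00:03", 1, 3.0),   # third distinct MAC: at threshold, not over it
        ("aa:bb:cc:00:00:04", 1, 4.0),   # fourth distinct MAC: flooding attributed to LLID 1
        ("00:11:22:33:44:55", 2, 5.0),   # uplink MAC seen as a source upstream: spoofing
        ("aa:bb:cc:00:00:09", 1, 20.0),  # all LLID 1 entries have aged out by now
    ]
    return [table.check_frame(mac, llid, t)[0] for mac, llid, t in reports]


if __name__ == "__main__":
    print(run_demo())  # ['ok', 'ok', 'ok', 'ok', 'flood', 'spoof', 'ok']
```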
In summary, the invention provides a security detection method and system for a passive optical network. The passive optical network comprises OLT equipment and ONU equipment connected to the OLT equipment over the network, each ONU having a unique logical link identifier. The method and system have the OLT equipment learn the source MAC address of received data information, obtain the MAC address of the corresponding ONU equipment from that source MAC address, fill the ONU MAC address into the logical link identifier of the corresponding ONU to generate ONU identification information for that ONU, build an association table containing the source MAC address and the ONU identification information, and detect according to the association table whether the data information received by the OLT equipment comes from an attack source, with the category of the attack source also determinable. This solves the vulnerabilities of existing network security mechanisms, which cannot restrict the network precisely and in which the OLT cannot detect MAC address spoofing.
The above embodiments merely illustrate the principle and effects of the present invention and are not intended to limit it. Anyone skilled in the art may modify or change the above embodiments without departing from the spirit and scope of the invention. Therefore, all equivalent modifications or changes made by those with ordinary knowledge in the technical field without departing from the spirit and technical idea disclosed herein shall be covered by the claims of the present invention.

Claims (10)

1. A security detection method for a passive optical network, the passive optical network comprising OLT equipment and ONU equipment connected to the OLT equipment over the network, each ONU having a unique logical link identifier, characterized in that the security detection method comprises:
the OLT equipment learning the source MAC address of a received data message;
obtaining, according to the source MAC address, the corresponding ONU device MAC address;
filling the ONU device MAC address into the logical link identifier of the corresponding ONU equipment to generate ONU identification information for that ONU equipment;
building an association table containing the source MAC address and the ONU identification information;
detecting, according to the association table, whether a data message received by the OLT equipment comes from an attack source.
2. The security detection method for a passive optical network according to claim 1, characterized in that it further comprises: locating the position of the attack source according to the data message detected as coming from the attack source.
3. The security detection method for a passive optical network according to claim 1, characterized in that detecting, according to the association table, whether a data message received by the OLT equipment comes from an attack source comprises:
extracting the source MAC address to be checked from the data message received by the OLT equipment;
comparing the source MAC address to be checked with the destination MAC address of the target device that is to receive the data message;
if they are identical, determining that the source MAC address to be checked is a forged MAC address;
if they differ, looking up whether the source MAC address to be checked exists in the association table;
if it does not exist, adding the source MAC address to be checked and the correspondingly generated ONU identification information to be checked to the association table;
setting an address lifecycle time;
detecting whether the number of source MAC addresses to be checked that the OLT equipment has learned for the corresponding ONU identification information within the address lifecycle time exceeds a threshold;
if it exceeds the threshold, determining a MAC address flooding attack;
if the source MAC address to be checked already exists in the association table, resetting the address lifecycle time of that source MAC address to its initial value.
4. The security detection method for a passive optical network according to claim 3, characterized in that, when the address lifecycle time expires, the expired entries in the association table, comprising the ONU identification information and the corresponding MAC addresses, are aged out and deleted, and the association table is updated.
5. The security detection method for a passive optical network according to claim 3 or 4, characterized in that the association table is a hash table, and looking up whether the source MAC address to be checked exists in the association table comprises:
computing an index value for the source MAC address to be checked with a preset hash function, and using the computed index value to look up and compare entries in the hash table to judge whether the source MAC address to be checked exists.
6. A security detection system for a passive optical network, the passive optical network comprising OLT equipment and ONU equipment connected to the OLT equipment over the network, each ONU having a unique logical link identifier, characterized in that the security detection system comprises:
a learning module, for having the OLT equipment learn the source MAC address of a received data message;
an address acquisition module, for obtaining the corresponding ONU device MAC address according to the source MAC address;
an identification information generation module, for filling the ONU device MAC address into the logical link identifier of the corresponding ONU equipment to generate ONU identification information for that ONU equipment;
an association table building module, for building an association table containing the source MAC address and the ONU identification information;
a detection module, for detecting, according to the association table, whether a data message received by the OLT equipment comes from an attack source.
7. The security detection system for a passive optical network according to claim 6, characterized in that it further comprises: a locating module, for locating the position of the attack source according to the data message detected as coming from the attack source.
8. The security detection system for a passive optical network according to claim 6, characterized in that the detection module comprises:
an extraction module, for extracting the source MAC address to be checked from the data message received by the OLT equipment;
a comparison module, for comparing the source MAC address to be checked with the destination MAC address of the target device that is to receive the data message;
a lookup module, for looking up, when the comparison differs, whether the source MAC address to be checked exists in the association table;
an update module, for adding the source MAC address to be checked and the correspondingly generated ONU identification information to be checked to the association table when the lookup finds no entry;
a timing module, for setting the address lifecycle time and, when the lookup finds the source MAC address to be checked in the association table, resetting the address lifecycle time of that source MAC address to its initial value;
an attack determination module, for determining, when the comparison is identical, that the source MAC address to be checked is a forged MAC address; the attack determination module is further for detecting, when the source MAC address to be checked is not present in the association table, whether the number of source MAC addresses to be checked that the OLT equipment has learned for the corresponding ONU identification information within the address lifecycle time exceeds a threshold, and if it does, determining a MAC address flooding attack.
9. The security detection system for a passive optical network according to claim 8, characterized in that the update module is further for aging out and deleting, when the address lifecycle time expires, the expired entries in the association table comprising the ONU identification information and the corresponding MAC addresses, and updating the association table.
10. The security detection system for a passive optical network according to claim 8 or 9, characterized in that the association table is a hash table, and the lookup module is for computing an index value for the source MAC address to be checked with a preset hash function, and using the computed index value to look up and compare entries in the hash table to judge whether the source MAC address to be checked exists.
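The detection procedure of claim 3, together with the ageing of claim 4 and the MAC-keyed hash table of claim 5, as an added worked example in Python. This is not code from the patent or from the applicant: the frame structure, the LLID-to-ONU-MAC map (assumed to be known to the OLT from ONU registration), the optional uplink-MAC reverse-lookup check (one reading of the description's "reverse lookup by the MAC address of the uplink device"), the verdict names and every address and timestamp are assumptions constructed for the demonstration. The association table is a plain dict keyed by the source MAC, which is the hash table the claims describe.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Constructed upstream frame as the OLT sees it: Ethernet addresses plus the
    logical link identifier (LLID) of the ONU it arrived on (assumed format)."""
    src_mac: str
    dst_mac: str
    llid: int


@dataclass
class Entry:
    """One association-table element: the ONU identification the source MAC is
    bound to, and the absolute time at which its address lifecycle expires."""
    onu_id: str
    expires_at: float


class PonMacGuard:
    """OLT-side association table (hash table keyed by source MAC) with address
    ageing, per-ONU MAC counting and the two attack tests of claim 3."""

    def __init__(self, onu_macs, lifetime, threshold, uplink_macs=()):
        self.onu_macs = dict(onu_macs)      # LLID -> ONU device MAC (assumed known from registration)
        self.lifetime = float(lifetime)     # address lifecycle time, seconds
        self.threshold = int(threshold)     # MACs one ONU may present within one lifecycle
        self.uplink_macs = {m.lower() for m in uplink_macs}   # assumed uplink-side device MACs
        self.table = {}                     # source MAC -> Entry

    def onu_identification(self, llid):
        """ONU identification information: ONU device MAC filled into its LLID (claim 1)."""
        return f"{self.onu_macs[llid].lower()}#{llid}"

    def _age_out(self, now):
        """Claim 4: drop entries whose lifecycle has expired."""
        for mac in [m for m, e in self.table.items() if e.expires_at <= now]:
            del self.table[mac]

    def macs_for(self, onu_id):
        """Number of live source MACs currently bound to one ONU identification."""
        return sum(1 for e in self.table.values() if e.onu_id == onu_id)

    def inspect(self, frame, now):
        """Classify one received frame; returns (verdict, onu_identification)."""
        self._age_out(now)
        src = frame.src_mac.lower()
        onu_id = self.onu_identification(frame.llid)

        # Spoof test: a source MAC equal to the receiving device's MAC is forged
        # (claim 3); a source MAC belonging to an uplink device is treated the same
        # way here, as the reverse-lookup check the description mentions.
        if src == frame.dst_mac.lower() or src in self.uplink_macs:
            return "mac_spoofing", onu_id

        entry = self.table.get(src)            # hash lookup keyed by the MAC (claim 5)
        if entry is not None:
            entry.expires_at = now + self.lifetime   # reset lifecycle to its initial value
            return "known", entry.onu_id

        self.table[src] = Entry(onu_id, now + self.lifetime)
        if self.macs_for(onu_id) > self.threshold:
            return "mac_flooding", onu_id      # attack source located to this ONU (claim 2)
        return "learned", onu_id


def run_demo():
    """Constructed traffic: the ONU on LLID 1 presents five MACs inside one lifecycle,
    the ONU on LLID 2 behaves, one frame forges the OLT's own MAC, and a late frame
    arrives after every entry has aged out."""
    guard = PonMacGuard(onu_macs={1: "00:11:22:33:44:01", 2: "00:11:22:33:44:02"},
                        lifetime=300, threshold=3, uplink_macs=["00:aa:bb:cc:dd:ee"])
    olt_mac = "00:de:ad:be:ef:00"
    verdicts = []
    for i in range(5):
        verdicts.append(guard.inspect(Frame(f"02:00:00:00:00:{i:02x}", olt_mac, 1), 10.0 + i)[0])
    verdicts.append(guard.inspect(Frame("02:00:00:00:01:00", olt_mac, 2), 20.0)[0])
    verdicts.append(guard.inspect(Frame("02:00:00:00:01:00", olt_mac, 2), 21.0)[0])
    verdicts.append(guard.inspect(Frame(olt_mac, olt_mac, 2), 22.0)[0])
    verdicts.append(guard.inspect(Frame("02:00:00:00:00:ff", olt_mac, 1), 1000.0)[0])
    return verdicts, len(guard.table)


if __name__ == "__main__":
    for verdict in run_demo()[0]:
        print(verdict)
```

The fourth frame from LLID 1 is the first to push that ONU past the threshold and is reported as flooding with the ONU identification attached, which is what lets the OLT point at the offending ONU rather than only at a MAC; the spoofed frame is caught before any table lookup, so it never pollutes the learning table. The per-ONU count is recomputed by scanning the table, which is fine for a demonstration but a production table would keep a counter per ONU identification next to the hash entries.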
CN201310665263.XA 2013-12-09 2013-12-09 The safety detection method and system of a kind of passive optical-fiber network Active CN103685265B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310665263.XA CN103685265B (en) 2013-12-09 2013-12-09 The safety detection method and system of a kind of passive optical-fiber network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310665263.XA CN103685265B (en) 2013-12-09 2013-12-09 The safety detection method and system of a kind of passive optical-fiber network

Publications (2)

Publication Number Publication Date
CN103685265A true CN103685265A (en) 2014-03-26
CN103685265B CN103685265B (en) 2018-01-02

Family

ID=50321580

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310665263.XA Active CN103685265B (en) 2013-12-09 2013-12-09 The safety detection method and system of a kind of passive optical-fiber network

Country Status (1)

Country Link
CN (1) CN103685265B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506436A (en) * 2014-12-22 2015-04-08 上海斐讯数据通信技术有限公司 Data message sending method for Ethernet passive optical network
CN105245402A (en) * 2015-10-23 2016-01-13 武汉长光科技有限公司 MAC address source tracing method based on HomePlug AV chip
CN105262854A (en) * 2015-10-15 2016-01-20 上海斐讯数据通信技术有限公司 Method and device for performing unified management on MAC address table on OLT equipment
CN106878057A (en) * 2016-12-31 2017-06-20 广东东研网络科技股份有限公司 Loop detection and sweep-out method in Ethernet passive optical network EPON system
CN112565190A (en) * 2020-11-05 2021-03-26 上海欣诺通信技术股份有限公司 Special detection optical modem equipment, back-end processing server and special detection system
CN113727222A (en) * 2021-08-16 2021-11-30 烽火通信科技股份有限公司 Method and device for detecting MAC address drift in PON system
WO2022082870A1 (en) * 2020-10-23 2022-04-28 苏州聚慧邦信息科技有限公司 Information security detection method and apparatus based on office device, and computer device
CN115022048A (en) * 2022-06-06 2022-09-06 上海百功半导体有限公司 PON gateway equipment authentication method, optical communication chip and PON gateway equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101389147A (en) * 2008-10-29 2009-03-18 深圳华为通信技术有限公司 Slave node data interconnecting device, method and system base on one point to several points network
CN101453464A (en) * 2007-11-28 2009-06-10 中兴通讯股份有限公司 Attack prevention method for Ethernet passive optical network
CN102045108A (en) * 2010-12-30 2011-05-04 中国联合网络通信集团有限公司 Method and equipment for detecting illegal user in passive optical network (PON)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101453464A (en) * 2007-11-28 2009-06-10 中兴通讯股份有限公司 Attack prevention method for Ethernet passive optical network
CN101389147A (en) * 2008-10-29 2009-03-18 深圳华为通信技术有限公司 Slave node data interconnecting device, method and system base on one point to several points network
CN102045108A (en) * 2010-12-30 2011-05-04 中国联合网络通信集团有限公司 Method and equipment for detecting illegal user in passive optical network (PON)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506436A (en) * 2014-12-22 2015-04-08 上海斐讯数据通信技术有限公司 Data message sending method for Ethernet passive optical network
CN105262854A (en) * 2015-10-15 2016-01-20 上海斐讯数据通信技术有限公司 Method and device for performing unified management on MAC address table on OLT equipment
CN105245402A (en) * 2015-10-23 2016-01-13 武汉长光科技有限公司 MAC address source tracing method based on HomePlug AV chip
CN106878057A (en) * 2016-12-31 2017-06-20 广东东研网络科技股份有限公司 Loop detection and sweep-out method in Ethernet passive optical network EPON system
WO2022082870A1 (en) * 2020-10-23 2022-04-28 苏州聚慧邦信息科技有限公司 Information security detection method and apparatus based on office device, and computer device
CN112565190A (en) * 2020-11-05 2021-03-26 上海欣诺通信技术股份有限公司 Special detection optical modem equipment, back-end processing server and special detection system
CN113727222A (en) * 2021-08-16 2021-11-30 烽火通信科技股份有限公司 Method and device for detecting MAC address drift in PON system
CN113727222B (en) * 2021-08-16 2023-11-03 烽火通信科技股份有限公司 Method and device for detecting MAC address drift in PON system
CN115022048A (en) * 2022-06-06 2022-09-06 上海百功半导体有限公司 PON gateway equipment authentication method, optical communication chip and PON gateway equipment
CN115022048B (en) * 2022-06-06 2024-04-16 上海百功半导体有限公司 PON gateway equipment authentication method, optical communication chip and PON gateway equipment

Also Published As

Publication number Publication date
CN103685265B (en) 2018-01-02

Similar Documents

Publication Publication Date Title
CN103685265A (en) Security detection method and system of passive optical network
CN104253735B (en) Optical network unit, communication system and method
CN108964756B (en) Fault detection method and device of optical distribution network and passive optical network system
US9755749B2 (en) ONU, communication system and communication method for ONU
CN1319329C (en) Automatic method for reporting MAC address from device of optical network unit at remote side to network management system
US7873039B2 (en) Enhanced optical line terminal controller
US9531469B2 (en) Collecting status from a partner management domain
CN106487879A (en) A kind of network equipment recognition methodss based on device-fingerprint storehouse and device
US8711856B2 (en) Method and device for processing broadcast packets/multicast control messages
CN101971576B (en) Communication control method, station side device, subscriber side device, and communication system
CN104219122A (en) Detection method for quickly positioning far-end ONU (optical network unit) loop ports by OLT (optical line terminal) local sides
CN106464356B (en) A kind of detection method of rogue's optical network unit, apparatus and system
CN100454894C (en) Information insulating method and device for downlink broadcast, flood of Ethernet passive optical network
CN102571353A (en) Method for verifying legitimacy of home gateway in passive optical network
CN101959087B (en) Multicast processing method and device
CN104079428B (en) The system and method for managing configuration information conflict
US8184640B2 (en) Compact virtual local area network mapper for the gigabit-passive optical network optical network management and control interface
CN105591956B (en) Flow control methods and equipment based on User-Network Interface UNI
CN105721963A (en) Method for connecting out-of-limit number of ONUs (Optical Network Units) with EPON-OLT (Ethernet Passive Optical Network-Optical Line Terminal)
US9820022B2 (en) Managing network access based on ranging information
CN113727222B (en) Method and device for detecting MAC address drift in PON system
CN102395057B (en) A kind of collocation method and device of port locations form
CN105049265B (en) A kind of OLT user-side ports address localization method and generation method
KR20060080783A (en) Apparatus and method for managing a ethernet passive optical network
WO2016202078A1 (en) Method and device for fiber-to-the-home

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20201103

Address after: 318015 no.2-3167, zone a, Nonggang City, no.2388, Donghuan Avenue, Hongjia street, Jiaojiang District, Taizhou City, Zhejiang Province

Patentee after: Taizhou Jiji Intellectual Property Operation Co.,Ltd.

Address before: 201616 Shanghai city Songjiang District Guangfulin road 4855 Lane 20, No. 90

Patentee before: Phicomm (Shanghai) Co.,Ltd.

EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20140326

Assignee: ZHEJIANG SUPCON TECHNOLOGY Co.,Ltd.

Assignor: Taizhou Jiji Intellectual Property Operation Co.,Ltd.

Contract record no.: X2021330000764

Denomination of invention: A security detection method and system for passive optical fiber network

Granted publication date: 20180102

License type: Common License

Record date: 20211117

Application publication date: 20140326

Assignee: Hangzhou Bolian Intelligent Technology Co.,Ltd.

Assignor: Taizhou Jiji Intellectual Property Operation Co.,Ltd.

Contract record no.: X2021330000763

Denomination of invention: A security detection method and system for passive optical fiber network

Granted publication date: 20180102

License type: Common License

Record date: 20211117

TR01 Transfer of patent right

Effective date of registration: 20231214

Address after: 030000, Building A, 21st Floor, Jinmao Building, No.1 Pingyang Road, Xiaodian District, Taiyuan City, Shanxi Province, China, Peak Maker Zone D, No.1

Patentee after: Yima Technology Co.,Ltd.

Address before: 318015 no.2-3167, area a, nonggangcheng, 2388 Donghuan Avenue, Hongjia street, Jiaojiang District, Taizhou City, Zhejiang Province

Patentee before: Taizhou Jiji Intellectual Property Operation Co.,Ltd.