CN104009999B - Method, device and network access server for preventing ARP spoofing - Google Patents


Info

Publication number: CN104009999B
Authority: CN (China)
Prior art keywords: message, address, source, arp, information
Prior art date
Legal status: Active
Application number: CN201410256080.7A
Other languages: Chinese (zh)
Other versions: CN104009999A (en)
Inventor: 郑伟忠
Current assignee: Beijing Star Net Ruijie Networks Co Ltd
Original assignee: Beijing Star Net Ruijie Networks Co Ltd
Priority date
Filing date
Publication date
Abstract

Embodiments of the present invention provide a method, a device and a network access server for preventing ARP spoofing. The method includes: recording the message information of a received first message in a first forwarding database; after determining that the authentication database does not contain the source IP address corresponding to the source IP address information of the first message, adding the source IP address to the authentication database and adding a static ARP entry corresponding to the source IP address to the ARP database; and, according to the physical port information in the entry of the first forwarding database corresponding to the source IP address, sending a second message to the physical port corresponding to that physical port information, so that the browser corresponding to the source IP address is redirected to the web authentication server to perform web authentication, wherein the second message is a redirection message of the first message. ARP spoofing during the web authentication process is thereby prevented.

Description

Method, device and network access server for preventing ARP spoofing
Technical field
The present invention relates to communication technology, and in particular to a method, a device and a network access server (NAS) for preventing Address Resolution Protocol (ARP) spoofing.
Background
Web authentication is an identity authentication method, based on the Hypertext Transfer Protocol (HTTP), that controls a user's authority to access the network. Typically, an unauthenticated user must first open a website in a browser before accessing the network; a NAS deployed with an identity authentication function forces the browser to access the web authentication server, i.e. the Portal server. On the page pushed by the Portal server the user enters identity information through the browser to perform identity authentication, and network resources can be used only after authentication succeeds.
ARP is the process by which, when two Internet Protocol (IP) devices on a LAN communicate, one device learns the Media Access Control (MAC) address of the other from its IP address. ARP binds MAC addresses to IP addresses: given an IP address as input, ARP yields the MAC address associated with that IP address. ARP spoofing means that an IP device sends forged ARP messages that impersonate other IP devices, so that the data flows destined for those devices are directed to itself; this enables eavesdropping and prevents the other, legitimate IP devices from communicating.
In the prior art, ARP spoofing is generally prevented by pre-storing a mapping database of IP addresses to MAC addresses: the NAS intercepts all ARP messages sent by terminals, checks each received ARP message against the mapping database, and forwards the ARP message only if the check passes. In this prior-art scheme, if the mapping database is configured statically, it is inflexible and the management workload is huge; if it is generated automatically by Dynamic Host Configuration Protocol (DHCP) snooping, every terminal accessing the NAS must obtain its IP address through DHCP, which greatly restricts network deployment, and relying on DHCP also leaves open the possibility of DHCP spoofing. There is therefore an urgent need for a method that effectively prevents ARP spoofing.
Summary of the invention
The present invention provides a method, a device and a network access server for preventing ARP spoofing, so as to effectively prevent ARP spoofing during the web authentication process.
In a first aspect, an embodiment of the present invention provides a method for preventing ARP spoofing, including:
obtaining the message information of a received first message and recording the message information in a first forwarding database, wherein the message information includes the source Media Access Control (MAC) address information and the source Internet Protocol (IP) address information of the first message, and the physical port information of the physical port on which the first message was received;
if it is determined that the authentication database does not contain the source IP address corresponding to the source IP address information of the first message, adding the source IP address to the authentication database, and adding to the ARP database a static ARP entry corresponding to the source IP address, wherein the static ARP entry contains the source IP address and the source MAC address of the first message;
according to the physical port information in the entry of the first forwarding database corresponding to the source IP address, sending a second message to the physical port corresponding to the physical port information, so that the browser corresponding to the source IP address is redirected to the web authentication server to perform web authentication, wherein the second message is a redirection message of the first message.
In a first possible implementation of the first aspect, the method further includes:
when adding the static ARP entry corresponding to the source IP address to the ARP database, starting a timer corresponding to the static ARP entry, and deleting the static ARP entry after the timer expires.
With reference to the first aspect or its first possible implementation, in a second possible implementation, before obtaining the message information of the received first message, the method further includes:
intercepting the first message when a preset condition is met.
With reference to the second possible implementation of the first aspect, in a third possible implementation, the preset condition includes:
the first message is a TCP message;
the source IP address information of the first message exists in a second forwarding database, wherein the second forwarding database is synchronized with the authentication database;
the destination IP address of the first message is not the IP address of the web authentication server.
In a second aspect, an embodiment of the present invention provides a device for preventing ARP spoofing, including:
an acquisition module, configured to obtain the message information of a received first message and record the message information in a first forwarding database, wherein the message information includes the source MAC address information and the source IP address information of the first message, and the physical port information of the physical port on which the first message was received;
a processing module, configured to, if it is determined that the authentication database does not contain the source IP address corresponding to the source IP address information of the first message, add the source IP address to the authentication database and add to the ARP database a static ARP entry corresponding to the source IP address, wherein the static ARP entry contains the source IP address and the source MAC address of the first message;
a sending module, configured to send, according to the physical port information in the entry of the first forwarding database corresponding to the source IP address, a second message to the physical port corresponding to the physical port information, so that the browser corresponding to the source IP address is redirected to the web authentication server to perform web authentication, wherein the second message is a redirection message of the first message.
In a first possible implementation of the second aspect, the processing module is further configured to:
when adding the static ARP entry corresponding to the source IP address to the ARP database, start a timer corresponding to the static ARP entry, and delete the static ARP entry after the timer expires.
With reference to the second aspect or its first possible implementation, in a second possible implementation, the device further includes an interception module, configured to intercept the first message when a preset condition is met.
With reference to the second possible implementation of the second aspect, in a third possible implementation, the preset condition includes:
the first message is a TCP message;
the source IP address information of the first message exists in a second forwarding database, wherein the second forwarding database is synchronized with the authentication database;
the destination IP address of the first message is not the IP address of the web authentication server.
In a third aspect, an embodiment of the present invention provides a network access server (NAS), including:
a processor, configured to obtain the message information of a received first message and record the message information in a first forwarding database, wherein the message information includes the source Media Access Control (MAC) address information and the source Internet Protocol (IP) address information of the first message, and the physical port information of the physical port on which the first message was received; and, if it is determined that the authentication database does not contain the source IP address corresponding to the source IP address information of the first message, to add the source IP address to the authentication database and add to the ARP database a static ARP entry corresponding to the source IP address, wherein the static ARP entry contains the source IP address and the source MAC address of the first message;
a transmitter, configured to send, according to the physical port information in the entry of the first forwarding database corresponding to the source IP address, a second message to the physical port corresponding to the physical port information, so that the browser corresponding to the source IP address is redirected to the web authentication server to perform web authentication, wherein the second message is a redirection message of the first message.
In a first possible implementation of the third aspect, the processor is further configured to:
when adding the static ARP entry corresponding to the source IP address to the ARP database, start a timer corresponding to the static ARP entry, and delete the static ARP entry after the timer expires.
With reference to the third aspect or its first possible implementation, in a second possible implementation, the processor is further configured to intercept the first message when a preset condition is met.
With reference to the second possible implementation of the third aspect, in a third possible implementation, the preset condition includes:
the first message is a Transmission Control Protocol (TCP) message;
the source IP address information of the first message exists in a second forwarding database, wherein the second forwarding database is synchronized with the authentication database;
the destination IP address of the first message is not the IP address of the web authentication server.
In the method, device and NAS for preventing ARP spoofing provided by the embodiments of the present invention, the message information of the received first message is recorded in the first forwarding database; after it is determined that the authentication database does not contain the source IP address corresponding to the source IP address information of the first message, the source IP address is added to the authentication database and a static ARP entry corresponding to the source IP address is added to the ARP database; and, according to the physical port information in the entry of the first forwarding database corresponding to the source IP address, the second message is sent to the physical port corresponding to the physical port information, so that the browser corresponding to the source IP address is redirected to the web authentication server to perform web authentication, wherein the second message is a redirection message of the first message. ARP spoofing during the web authentication process is thereby prevented.
Brief description of the drawings
In order to illustrate the technical schemes of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of embodiment one of the method for preventing ARP spoofing according to the present invention;
Fig. 2 is a schematic structural diagram of a NAS that uses the method for preventing ARP spoofing according to the present invention;
Fig. 3 is a schematic structural diagram of an embodiment of the device for preventing ARP spoofing according to the present invention;
Fig. 4 is a schematic structural diagram of an embodiment of the NAS according to the present invention.
Detailed description
To make the objectives, technical schemes and advantages of the embodiments of the present invention clearer, the technical schemes in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of embodiment one of the method for preventing ARP spoofing according to the present invention. The method provided by this embodiment may be carried out by a NAS. As shown in Fig. 1, the method may include the following steps.
Step 101: obtain the message information of the received first message and record the message information in the first forwarding database, wherein the message information includes the source MAC address information and the source IP address information of the first message, and the physical port information of the physical port on which the first message was received.
It should be noted that, before obtaining the message information of the first message, the NAS must first determine whether the first message meets a preset condition, and intercept the first message if it does. The preset condition includes: the first message is a Transmission Control Protocol (TCP) message; the source IP address information of the first message exists in the second forwarding database, wherein the second forwarding database is synchronized with the authentication database, that is, the source IP address of the first message has not undergone web authentication; and the destination IP address of the first message is not the IP address of the web authentication server. Only when the first message meets all three preset conditions at once does the NAS intercept it and then obtain its message information.
Step 102: if it is determined that the authentication database does not contain the source IP address corresponding to the source IP address information of the first message, add the source IP address to the authentication database and add to the ARP database a static ARP entry corresponding to the source IP address, wherein the static ARP entry contains the source IP address and the source MAC address of the first message.
Using the source IP address as the index, the authentication database is searched for the source IP address. If the source IP address is not present in the authentication database, this shows that the source IP address has not undergone web authentication, and the source IP address is then added to the authentication database.
At the same time, in order to prevent ARP spoofing during web authentication, the NAS adds to the ARP database a static ARP entry corresponding to the source IP address. Because the information in the static ARP entry comes from the source IP address and source MAC address of the first message, the information is accurate; and because it is set as static information, it cannot be tampered with by spoofing during communication. In addition, after adding the static ARP entry, the NAS starts a timer corresponding to the static ARP entry in order to maintain it. After the timer expires, the NAS deletes the static ARP entry, which saves NAS resources and also avoids the NAS being deceived should a forged HTTP message appear.
It should be noted that, when adding a static ARP entry corresponding to the source IP address to the ARP database, the NAS may start a timer corresponding to the static ARP entry and delete the static ARP entry after the timer expires.
Step 103: according to the physical port information in the entry of the first forwarding database corresponding to the source IP address, send the second message to the physical port corresponding to the physical port information, so that the browser corresponding to the source IP address is redirected to the web authentication server to perform web authentication, wherein the second message is a redirection message of the first message.
In this step, after steps 101 and 102 are completed, the NAS sends the second message to the physical port so that the browser corresponding to the source IP address accesses the web authentication server to perform web authentication. That is, when the NAS sends the second message to the terminal, it bypasses the standard transmission process of the TCP/IP protocol stack and does not use ARP messages; therefore, even if ARP spoofing occurs, it has no effect on web authentication.
In the technical scheme of this embodiment, the message information of the received first message is recorded in the first forwarding database; after it is determined that the authentication database does not contain the source IP address corresponding to the source IP address information of the first message, the source IP address is added to the authentication database and a static ARP entry corresponding to the source IP address is added to the ARP database; and, according to the physical port information in the entry of the first forwarding database corresponding to the source IP address, the second message is sent to the physical port corresponding to the physical port information, so that the browser corresponding to the source IP address is redirected to the web authentication server to perform web authentication, wherein the second message is a redirection message of the first message. ARP spoofing during the web authentication process is thereby prevented.
With reference to Fig. 2, the implementation process and principle of the method for preventing ARP spoofing provided by the invention are further explained, to help understand the present invention.
First, it should be noted that in the method provided by this embodiment the NAS may specifically be a device of various forms, such as a switch, a router, a firewall, a wireless device or an egress device. This embodiment takes Hypertext Transfer Protocol (HTTP) interaction as an example and is described for the web authentication scenario, but in practical applications it is equally applicable in networks that deploy HTTPS and in networks that communicate on the basis of TCP/IP standards.
A terminal undergoing web authentication is mainly involved in two communication processes: the HTTP redirection process and the web authentication process. Both are based on IP communication; therefore, as long as ARP spoofing is prevented in these two processes, the ARP spoofing problem of the web authentication process is solved.
As shown in Fig. 2, this embodiment involves three network devices: the terminal, the NAS and the authentication server. Specifically, the NAS may include a hardware message interception module, a TCP message sniffing module, an HTTP redirection module, an ARP module and a hardware data forwarding module. The NAS communicates with the terminal through the hardware message interception module and with the authentication server through the hardware data forwarding module.
For preventing ARP spoofing during the HTTP redirection process: first, the user enters a web address, such as www.ruijie.com.cn, in the browser of the terminal and presses Enter. The NAS hardware lets all DNS messages pass, so that the operating system of the terminal can normally resolve the domain name to its corresponding IP address through the Domain Name System (DNS) protocol and send TCP messages to establish a connection with the website the user wishes to access.
After the hardware message interception module receives a message, i.e. the first message referred to in the above embodiment, it determines whether to intercept the message according to the preset condition. The preset condition includes: the received message is a TCP message; the source IP address information of the message exists in the second forwarding database, wherein the second forwarding database is synchronized with the authentication database, i.e. the source IP address of the message has not undergone web authentication; and the destination IP address of the message is not the IP address of the authentication server. Only when these three conditions are met at the same time does the hardware message interception module intercept the TCP message and send it to the TCP message sniffing module.
After the TCP message sniffing module receives the TCP message, it obtains the message information of the TCP message, namely the physical port information of the physical port that received the message, and the source MAC address information and source IP address information of the TCP message, and records the message information in the first forwarding database. After the TCP message sniffing module has recorded the message information in the first forwarding database, the HTTP message is sent to the HTTP redirection module for processing.
The HTTP redirection module dynamically builds an authentication database indexed by the source IP address of HTTP messages. When an HTTP message is received, its source IP address is extracted and looked up in the authentication database. If it is not present, this proves that the sender is a user that has not yet been authenticated, and the source IP address is added to the authentication database; a static ARP entry corresponding to the source IP address is also added to the ARP database of the ARP module, and a timer corresponding to the static ARP entry is started.
After completing the above operations, the HTTP redirection module pushes an HTTP redirection page to the source IP address, prompting the browser corresponding to the source IP address to access the authentication server and perform web authentication.
In the above process, the HTTP redirection module does not follow the communication process of the normal TCP/IP protocol stack: it does not hand the HTTP message to the IP protocol stack but sends it directly to the TCP message sniffing module. After receiving the message, the TCP message sniffing module selects, according to the physical port information in the entry of the first forwarding database corresponding to the source IP address, the physical port corresponding to that physical port information and sends the HTTP message to it. Thus no ARP messages are used during HTTP redirection, so even if ARP spoofing occurs, it has no effect on the HTTP redirection process.
For preventing ARP spoofing during the web authentication process: after the terminal receives the redirection message sent by the NAS, i.e. the second message in the above embodiment, it must access the authentication server to be authenticated, and this process is also a standard TCP/IP communication process. Therefore, if the NAS were deceived by ARP spoofing in this process, errors would occur when the NAS forwards messages between the authentication server and the terminal, and the terminal would be unable to perform web authentication.
During the HTTP redirection process, the HTTP redirection module adds a static ARP entry to the ARP database of the ARP module. Because the information in the static ARP entry comes from the source IP address and source MAC address of the HTTP message from the terminal, the information is accurate, and since it is set as static information it cannot be tampered with by spoofing from other terminals while the terminal communicates.
At the same time, after the HTTP redirection module adds the source IP address to the ARP database, it starts the corresponding timer to maintain the static ARP entry. This is because of an extreme case: if the terminal fails, the static ARP entry cannot be kept on the NAS forever, otherwise resources are wasted; or the terminal sending the message may itself be a spoofing terminal that sends one message and then never performs web authentication. In such cases, deleting the corresponding static ARP entry after the timer expires prevents the NAS from being deceived by this extreme case.
The technical scheme of this embodiment can effectively solve the ARP spoofing problem present in the web authentication process.
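The pipeline of steps 101 to 103 and the Fig. 2 module flow, as an added simulation written for this page (not the patent's own implementation): the NAS records source MAC, source IP and ingress port of an intercepted TCP message, pins a timer-guarded static ARP entry, and hands the redirect straight to the recorded physical port, so a spoofed ARP reply neither alters the entry nor diverts the redirect. The addresses, the 60 s timer value and the HTTP 302 payload are assumed sample values.

```python
"""Added example (not the patent's code): simulation of the NAS pipeline of steps
101-103 and Fig. 2.  Addresses, ports and the 60 s timer are constructed values."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"; ARP replies are modelled by Nas.handle_arp_reply
    src_mac: str
    src_ip: str
    dst_ip: str
    in_port: int    # physical port on which the NAS received the packet


@dataclass
class ArpEntry:
    mac: str
    static: bool
    expires_at: Optional[float]   # None for dynamically learned entries


class Nas:
    def __init__(self, auth_server_ip: str, static_arp_ttl: float) -> None:
        self.auth_server_ip = auth_server_ip
        self.static_arp_ttl = static_arp_ttl
        # first forwarding database: source IP -> (source MAC, ingress physical port)
        self.forwarding_db: Dict[str, Tuple[str, int]] = {}
        # second forwarding database: terminals that have not yet passed web authentication
        self.unauthenticated: Set[str] = set()
        # authentication database kept by the HTTP redirection module, indexed by source IP
        self.auth_db: Set[str] = set()
        self.arp_db: Dict[str, ArpEntry] = {}
        self.transmitted: List[Tuple[int, str, str]] = []   # (port, dst IP, payload)

    def mark_authenticated(self, ip: str) -> None:
        """Portal reports success; the two databases stay synchronized."""
        self.unauthenticated.discard(ip)
        self.auth_db.discard(ip)

    def should_intercept(self, pkt: Packet) -> bool:
        """The three preset conditions of the hardware message interception module."""
        return (pkt.proto == "TCP"
                and pkt.src_ip in self.unauthenticated
                and pkt.dst_ip != self.auth_server_ip)

    def handle_packet(self, pkt: Packet, now: float) -> str:
        if not self.should_intercept(pkt):
            return "forwarded"    # DNS, traffic to the portal, etc. pass through untouched
        # step 101: record the message information in the first forwarding database
        self.forwarding_db[pkt.src_ip] = (pkt.src_mac, pkt.in_port)
        # step 102: first sighting -> authentication database + timer-guarded static ARP entry
        if pkt.src_ip not in self.auth_db:
            self.auth_db.add(pkt.src_ip)
            self.arp_db[pkt.src_ip] = ArpEntry(pkt.src_mac, True, now + self.static_arp_ttl)
        # step 103: the redirect goes to the recorded physical port; no ARP lookup is performed
        _, port = self.forwarding_db[pkt.src_ip]
        self.transmitted.append((port, pkt.src_ip,
                                 f"HTTP/1.1 302 Found\r\nLocation: http://{self.auth_server_ip}/"))
        return "redirected"

    def handle_arp_reply(self, ip: str, mac: str) -> bool:
        """Ordinary dynamic ARP learning; a static entry is never overwritten."""
        entry = self.arp_db.get(ip)
        if entry is not None and entry.static:
            return False
        self.arp_db[ip] = ArpEntry(mac, False, None)
        return True

    def expire_static_entries(self, now: float) -> List[str]:
        """Timer expiry: a failed or never-authenticating host must not pin the table forever."""
        expired = [ip for ip, e in self.arp_db.items()
                   if e.static and e.expires_at is not None and e.expires_at <= now]
        for ip in expired:
            del self.arp_db[ip]
        return expired


def run_scenario() -> dict:
    """One unauthenticated terminal goes through the flow while a spoofed ARP reply arrives."""
    nas = Nas(auth_server_ip="10.0.0.10", static_arp_ttl=60.0)
    terminal = Packet("TCP", "aa:aa:aa:aa:aa:01", "192.168.1.20", "93.184.216.34", in_port=3)
    nas.unauthenticated.add(terminal.src_ip)          # learned at access time, not yet authenticated
    first = nas.handle_packet(terminal, now=0.0)
    # a host on another port claims the terminal's IP; the static entry must hold
    spoof_accepted = nas.handle_arp_reply("192.168.1.20", "bb:bb:bb:bb:bb:99")
    second = nas.handle_packet(terminal, now=5.0)
    dns = Packet("UDP", terminal.src_mac, terminal.src_ip, "10.0.0.53", in_port=3)
    portal = Packet("TCP", terminal.src_mac, terminal.src_ip, "10.0.0.10", in_port=3)
    dns_result, portal_result = nas.handle_packet(dns, 6.0), nas.handle_packet(portal, 7.0)
    arp_mac = nas.arp_db["192.168.1.20"].mac
    expired = nas.expire_static_entries(now=61.0)
    return {"first": first, "second": second, "dns": dns_result, "to_portal": portal_result,
            "spoof_accepted": spoof_accepted, "arp_mac": arp_mac, "expired": expired,
            "redirect_ports": [port for port, _, _ in nas.transmitted]}
```

Both redirects leave on port 3 because the forwarding database, not an ARP lookup, selects the egress port, and the forged reply is rejected while the static entry lives; after the timer fires the entry is gone, which is the resource and stale-host trade-off the text describes.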
Fig. 3 is a schematic structural diagram of an embodiment of the device for preventing ARP spoofing according to the present invention. As shown in Fig. 3, the device provided by this embodiment may be integrated in a NAS; the device 10 for preventing ARP spoofing provided by this embodiment may include an acquisition module 11, a processing module 12 and a sending module 13.
The acquisition module 11 may be configured to obtain the message information of a received first message and record the message information in a first forwarding database, wherein the message information includes the source MAC address information and the source IP address information of the first message, and the physical port information of the physical port on which the first message was received;
the processing module 12 may be configured to, if it is determined that the authentication database does not contain the source IP address corresponding to the source IP address information of the first message, add the source IP address to the authentication database, add to the ARP database a static ARP entry corresponding to the source IP address, start a timer corresponding to the static ARP entry, and delete the static ARP entry after the timer expires, wherein the static ARP entry contains the source IP address and the source MAC address of the first message;
the sending module 13 may be configured to send, according to the physical port information in the entry of the first forwarding database corresponding to the source IP address, a second message to the physical port corresponding to the physical port information, so that the browser corresponding to the source IP address is redirected to the web authentication server to perform web authentication, wherein the second message is a redirection message of the first message.
Further, the device 10 for preventing ARP spoofing provided by this embodiment may also include an interception module, configured to intercept the first message when a preset condition is met, wherein the preset condition includes: the first message is a TCP message; the source IP address information of the first message exists in a second forwarding database, wherein the second forwarding database is synchronized with the authentication database; and the destination IP address of the first message is not the IP address of the web authentication server.
Specifically, the acquisition module 11 may correspond to the TCP message sniffing module in Fig. 2; the processing module 12 may correspond to the HTTP redirection module and the ARP module in Fig. 2; the sending module 13 may correspond to the hardware data forwarding module in Fig. 2; and the interception module may correspond to the hardware message interception module in Fig. 2.
The device for preventing ARP spoofing provided by this embodiment may be used to carry out the technical scheme of the above method embodiment; its implementation principle and technical effect are similar and are not repeated here.
Fig. 4 is the structural representation of NAS embodiments of the present invention.As shown in figure 4, the NAS20 that the present embodiment is provided specifically may be used To include:Processor 21 and transmitter 22.
Wherein, processor 21 can be used for obtaining the message information of the first message for receiving, by message information note Record in the first forwarding database;Wherein, the message information includes the source MAC address information of first message, source IP ground Location information, and receive the physical port information of the physical port of first message;If not existing in knowing authentication database The corresponding source IP address of the source IP address information of first message, the authentication data is added to by the source IP address In storehouse;And add a Static ARP list item for corresponding to the source IP address to ARP databases;Wherein, the static ARP table Source IP address and source MAC comprising first message in;
Transmitter 22 can be used for according in the list item in first forwarding database corresponding to the source IP address The physical port information, physical port corresponding with the physical port information is sent to by the second message so that with it is described The corresponding browser of source IP address redirects access web authentication server and carries out web authentication;Wherein, second message is described The redirection message of the first message.
The processor 21 can be also used for adding one corresponding to the quiet of the source IP address to the ARP databases During state ARP, start timer corresponding with the Static ARP list item, the static state is deleted after the timer expiry ARP.
Further, the processor 21 can be also used for, when meeting pre-conditioned, intercepting first message;Its In, it is described it is pre-conditioned including:First message is transmission control protocol TCP message;There is institute in second forwarding database State the source IP address information of the first message;Wherein, second forwarding database is synchronous with the authentication database;Described first The purpose IP address of message are not the IP address of the web authentication server.
The NAS that the present embodiment is provided, can be used to perform the technical scheme of above method embodiment, its realization principle and technology Effect is similar to, and here is omitted.
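The following is an added example, not code from the patent or from the assignee: a small Python model of the NAS behaviour described in this embodiment and in claims 1 and 2 (intercept a TCP packet under the preset conditions, record MAC/IP/ingress port, bind IP to MAC with a timed static ARP entry, and send the redirect out of the recorded physical port rather than through ARP resolution). The class and field names, the simulated clock, the dynamic-ARP learning path that a spoofer would target, and the packets are this example's own constructions. The patent does not say how the second forwarding database is first populated, only that it is kept in sync with the authentication database, so the example seeds it directly.

```python
"""Added example (not the patent's own code): a toy NAS that models the
ARP-spoofing protection applied during web authentication."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str    # "TCP", "UDP", ...
    in_port: int  # physical port the NAS received the packet on


@dataclass
class Nas:
    web_auth_ip: str
    arp_ttl: float = 60.0   # lifetime of a static ARP entry (the "timer"), seconds
    clock: float = 0.0      # simulated time, advanced by the caller
    first_forwarding_db: dict = field(default_factory=dict)  # src_ip -> (src_mac, in_port)
    second_forwarding_db: set = field(default_factory=set)   # IPs subject to interception (assumed seeded)
    auth_db: set = field(default_factory=set)                # IPs already pushed to web auth
    arp_db: dict = field(default_factory=dict)               # ip -> (mac, expires_at, is_static)
    sent: list = field(default_factory=list)                 # (port, mac, redirect) emitted

    def should_intercept(self, pkt: Packet) -> bool:
        """The three preset conditions of claim 1."""
        return (pkt.proto == "TCP"
                and pkt.src_ip in self.second_forwarding_db
                and pkt.dst_ip != self.web_auth_ip)

    def handle(self, pkt: Packet) -> Optional[int]:
        """Process one received packet; returns the port the redirect left on, or None."""
        if not self.should_intercept(pkt):
            return None  # forwarded normally, outside this example
        # Record MAC, IP and ingress port in the first forwarding database.
        self.first_forwarding_db[pkt.src_ip] = (pkt.src_mac, pkt.in_port)
        if pkt.src_ip not in self.auth_db:
            self.auth_db.add(pkt.src_ip)
            self.second_forwarding_db.add(pkt.src_ip)  # keep the two in sync (assumption)
            # Static IP<->MAC binding with a timer (claim 2): a spoofed ARP reply for
            # this IP cannot change the MAC the NAS uses while the entry is alive.
            self.arp_db[pkt.src_ip] = (pkt.src_mac, self.clock + self.arp_ttl, True)
        # The redirect goes to the recorded physical port and MAC, not via ARP lookup.
        mac, port = self.first_forwarding_db[pkt.src_ip]
        redirect = f"HTTP/1.1 302 Found\r\nLocation: http://{self.web_auth_ip}/\r\n\r\n"
        self.sent.append((port, mac, redirect))
        return port

    def learn_arp(self, ip: str, mac: str) -> bool:
        """Dynamic ARP learning (e.g. from a gratuitous reply); refuses to overwrite a live static entry."""
        self.expire()
        entry = self.arp_db.get(ip)
        if entry is not None and entry[2]:
            return False
        self.arp_db[ip] = (mac, float("inf"), False)
        return True

    def resolve(self, ip: str) -> Optional[str]:
        self.expire()
        entry = self.arp_db.get(ip)
        return entry[0] if entry else None

    def expire(self) -> None:
        """Delete static entries whose timer has run out."""
        for ip, (_mac, deadline, is_static) in list(self.arp_db.items()):
            if is_static and self.clock >= deadline:
                del self.arp_db[ip]


def run_demo() -> dict:
    """Constructed scenario: one pending client on port 3, one spoofer on port 7."""
    nas = Nas(web_auth_ip="10.0.0.10", arp_ttl=30.0)
    nas.second_forwarding_db.add("192.168.1.20")
    client_mac = "aa:bb:cc:00:00:20"
    client = Packet(client_mac, "192.168.1.20", "93.184.216.34", "TCP", in_port=3)
    first_port = nas.handle(client)       # intercepted, bound, redirected out of port 3
    second_port = nas.handle(client)      # already in auth_db: redirected again, no re-binding
    # Spoofer on port 7 claims the client's IP while the static entry is alive.
    spoof_during = nas.learn_arp("192.168.1.20", "de:ad:be:ef:00:07")
    mac_during = nas.resolve("192.168.1.20")
    # Not intercepted: non-TCP, traffic already bound for the portal, unknown source IP.
    skipped = [
        nas.handle(Packet(client_mac, "192.168.1.20", "93.184.216.34", "UDP", 3)),
        nas.handle(Packet(client_mac, "192.168.1.20", "10.0.0.10", "TCP", 3)),
        nas.handle(Packet("aa:bb:cc:00:00:99", "192.168.1.99", "93.184.216.34", "TCP", 5)),
    ]
    nas.clock += 31.0                     # timer expires, static entry is deleted
    spoof_after = nas.learn_arp("192.168.1.20", "de:ad:be:ef:00:07")
    return {
        "redirect_port": first_port,
        "second_redirect_port": second_port,
        "redirects_sent": len(nas.sent),
        "spoof_accepted_during_auth": spoof_during,
        "mac_during_auth": mac_during,
        "not_intercepted": skipped,
        "spoof_accepted_after_expiry": spoof_after,
        "auth_db": set(nas.auth_db),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two practical points the model makes visible. The protection lives only on the NAS side: it keeps the NAS's own IP-to-MAC mapping and the redirect's egress port fixed for the duration of the timer, so the timer must be long enough to cover a user's portal login, and once it expires the dynamic learning path accepts a spoofed reply again. It does nothing for the client's own ARP cache, which needs separate controls such as dynamic ARP inspection on the access switch.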
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely schematic; the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatus or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated in one processing unit, or each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) or a processor to perform some of the steps of the method described in each embodiment of the present invention. The storage medium includes a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
Those skilled in the art can clearly understand that, for convenience and brevity of description, only the division into the functional modules above is used as an example; in practical application, the functions above may be assigned to different functional modules as needed, that is, the internal structure of the apparatus may be divided into different functional modules to complete all or part of the functions described above. For the specific working process of the apparatus described above, reference may be made to the corresponding process in the method embodiments above, which is not repeated here.
Finally, it should be noted that the embodiments above are merely used to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (6)

1. A method for preventing ARP spoofing, characterized in that it comprises:
intercepting a first packet when preset conditions are met, where the preset conditions include:
the first packet is a Transmission Control Protocol (TCP) packet; the source IP address information of the first packet exists in a second forwarding database, where the second forwarding database is synchronized with an authentication database; and the destination IP address of the first packet is not the IP address of a web authentication server;
obtaining the packet information of the first packet and recording the packet information in a first forwarding database, where the packet information includes the source Media Access Control (MAC) address information and the source Internet Protocol (IP) address information of the first packet, and the physical port information of the physical port on which the first packet was received;
if it is learned that the authentication database does not contain the source IP address corresponding to the source IP address information of the first packet, adding the source IP address to the authentication database, and adding a static ARP entry corresponding to the source IP address to an ARP database, where the static ARP entry contains the source IP address and the source MAC address of the first packet;
sending a second packet to the physical port corresponding to the physical port information in the entry of the first forwarding database that corresponds to the source IP address, so that the browser corresponding to the source IP address is redirected to access the web authentication server and perform web authentication, where the second packet is a redirection packet for the first packet.
2. The method according to claim 1, characterized in that it further comprises:
when adding the static ARP entry corresponding to the source IP address to the ARP database, starting a timer corresponding to the static ARP entry, and deleting the static ARP entry after the timer expires.
3. An apparatus for preventing ARP spoofing, characterized in that it comprises:
an interception module for intercepting a first packet when preset conditions are met, where the preset conditions include: the first packet is a Transmission Control Protocol (TCP) packet; the source IP address information of the first packet exists in a second forwarding database, where the second forwarding database is synchronized with an authentication database; and the destination IP address of the first packet is not the IP address of a web authentication server;
an acquisition module for obtaining the packet information of the first packet and recording the packet information in a first forwarding database, where the packet information includes the source Media Access Control (MAC) address information and the source Internet Protocol (IP) address information of the first packet, and the physical port information of the physical port on which the first packet was received;
a processing module for, if it is learned that the authentication database does not contain the source IP address corresponding to the source IP address information of the first packet, adding the source IP address to the authentication database, and adding a static ARP entry corresponding to the source IP address to an ARP database, where the static ARP entry contains the source IP address and the source MAC address of the first packet;
a sending module for sending a second packet to the physical port corresponding to the physical port information in the entry of the first forwarding database that corresponds to the source IP address, so that the browser corresponding to the source IP address is redirected to access the web authentication server and perform web authentication, where the second packet is a redirection packet for the first packet.
4. The apparatus according to claim 3, characterized in that the processing module is further configured to:
when adding the static ARP entry corresponding to the source IP address to the ARP database, start a timer corresponding to the static ARP entry, and delete the static ARP entry after the timer expires.
5. A network access server (NAS), characterized in that it comprises:
a processor for intercepting a first packet when preset conditions are met, where the preset conditions include: the first packet is a Transmission Control Protocol (TCP) packet; the source IP address information of the first packet exists in a second forwarding database, where the second forwarding database is synchronized with an authentication database; and the destination IP address of the first packet is not the IP address of a web authentication server; the processor being further configured to obtain the packet information of the first packet and record the packet information in a first forwarding database, where the packet information includes the source Media Access Control (MAC) address information and the source Internet Protocol (IP) address information of the first packet, and the physical port information of the physical port on which the first packet was received; and, if it is learned that the authentication database does not contain the source IP address corresponding to the source IP address information of the first packet, to add the source IP address to the authentication database and to add a static ARP entry corresponding to the source IP address to an ARP database, where the static ARP entry contains the source IP address and the source MAC address of the first packet;
a transmitter for sending a second packet to the physical port corresponding to the physical port information in the entry of the first forwarding database that corresponds to the source IP address, so that the browser corresponding to the source IP address is redirected to access the web authentication server and perform web authentication, where the second packet is a redirection packet for the first packet.
6. The NAS according to claim 5, characterized in that the processor is further configured to:
when adding the static ARP entry corresponding to the source IP address to the ARP database, start a timer corresponding to the static ARP entry, and delete the static ARP entry after the timer expires.
CN201410256080.7A 2014-06-10 2014-06-10 Prevent method, device and network access server that ARP is cheated Active CN104009999B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410256080.7A CN104009999B (en) 2014-06-10 2014-06-10 Prevent method, device and network access server that ARP is cheated

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410256080.7A CN104009999B (en) 2014-06-10 2014-06-10 Prevent method, device and network access server that ARP is cheated

Publications (2)

Publication Number Publication Date
CN104009999A CN104009999A (en) 2014-08-27
CN104009999B true CN104009999B (en) 2017-06-23

Family

ID=51370493

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410256080.7A Active CN104009999B (en) 2014-06-10 2014-06-10 Prevent method, device and network access server that ARP is cheated

Country Status (1)

Country Link
CN (1) CN104009999B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105472054B (en) * 2014-09-05 2019-05-24 华为技术有限公司 A kind of file transmitting method and access device
CN107786496B (en) * 2016-08-25 2020-06-19 大连楼兰科技股份有限公司 Early warning method and device for ARP (Address resolution protocol) table entry spoofing attack of local area network
JP6888437B2 (en) * 2017-06-23 2021-06-16 住友電気工業株式会社 In-vehicle communication device, communication control method and communication control program
CN109391548B (en) * 2018-11-06 2021-12-17 迈普通信技术股份有限公司 Table entry migration method and device and network communication system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101110821A (en) * 2007-09-06 2008-01-23 华为技术有限公司 Method and apparatus for preventing ARP address cheating attack
KR100875669B1 (en) * 2008-05-19 2008-12-26 (주)넷맨 Method for controlling access to network using authenticator located in a supplicant level and system thereof
CN102624729A (en) * 2012-03-12 2012-08-01 北京星网锐捷网络技术有限公司 Web authentication method, device and system
CN102638472A (en) * 2012-05-07 2012-08-15 杭州华三通信技术有限公司 Portal authentication method and equipment
CN102739684A (en) * 2012-06-29 2012-10-17 杭州迪普科技有限公司 Portal authentication method based on virtual IP address, and server thereof

Also Published As

Publication number Publication date
CN104009999A (en) 2014-08-27

Similar Documents

Publication Publication Date Title
CN104158808B (en) Portal authentication method and its device based on APP applications
WO2017024842A1 (en) Internet access authentication method, client, computer storage medium
CN101582856B (en) Session setup method of portal server and BAS (broadband access server) device and system thereof
CN105592046B (en) A kind of authentication-exempt access method and device
CN101771676B (en) Setting and authentication method for cross-domain authorization and relevant device and system
CN103501331B (en) Data transmission method, data transmission equipment and data transmission system
Van Delft et al. A security analysis of OpenID
CN105939326A (en) Message processing method and device
US11770385B2 (en) Systems and methods for malicious client detection through property analysis
CN105162802B (en) Portal authentication method and certificate server
CN109067789A (en) Web vulnerability scanning method, system based on linux system
CN104009999B (en) Prevent method, device and network access server that ARP is cheated
CN110557358A (en) Honeypot server communication method, SSLStrip man-in-the-middle attack perception method and related device
CN104753960B (en) A kind of system configuration management method based on single-sign-on
CN109672680B (en) Cross-domain login method
CN103428211A (en) Network authentication system on basis of switchboards and authentication method for network authentication system
CN103997479B (en) A kind of asymmetric services IP Proxy Methods and equipment
CN110099129A (en) A kind of data transmission method and equipment
CN109359446B (en) A kind of cross-domain login validation method in internet
WO2013120315A1 (en) Method for processing domain name information, wireless router, and client
CN102510386B (en) Distributed attack prevention method and device
CN101741568A (en) Surfing method, client, security gateway and surfing system
CN108156092A (en) message transmission control method and device
CN101969426B (en) Distributed user authentication system and method
WO2016201780A1 (en) Gateway management method and apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant