CN104683326A - Method for preventing hostile exhausting of DHCP (dynamic host configuration protocol) server address pool - Google Patents
Classifications
- H04L61/5014: Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP] (under H04L61/00, network arrangements, protocols or services for addressing or naming; H04L61/50, address allocation)
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
- H04L63/1458: Denial of Service (under H04L63/14, detecting or protecting against malicious traffic; H04L63/1441, countermeasures against malicious traffic)
Abstract
The invention discloses a method for preventing malicious exhaustion of a DHCP (Dynamic Host Configuration Protocol) server address pool. The DHCP server first actively sends a Detect message to all online DHCP clients in the local network and screens out the users that do not respond with an Alive message; it then sends those users a Search message for a second online verification, and if still no response is received it sends a Rejest message to the gateway router of the network segment the user belongs to, which refuses that user network access. The sending of Search messages can also be decoupled from the Detect message: the server can periodically select some users from its IP address assignment table and send them Search messages for online confirmation. The invention gives the server a mechanism for actively triggering detection, so that the IP address pool is used effectively and legitimate users stay online, while a degree of security protection is also provided and malicious attacks are reduced.
Description
Technical field
The present invention relates to the field of DHCP technology, and in particular to a method for preventing malicious exhaustion of a DHCP server address pool.
Background technology
Every computer connected to the Internet needs to know its IP address before it can send or receive data packets. A network administrator usually configures a DHCP server (DHCP Server) to offer a group of IP addresses (the address pool); whenever a new computer joins the network, the server selects an address from the configured pool and assigns it to that computer. This is the DHCP protocol. The protocol uses a client/server (C/S) model: the DHCP server centrally manages network configuration information such as IP addresses, and each DHCP client requests its own configuration from the server, so that network devices are configured automatically.
A prior-art DHCP server, once it has assigned an IP address to a client computer, reclaims that address in only two cases: (1) the server receives a DHCP Release message from the client, telling it that the assigned IP address is no longer needed; (2) the lease on the assigned IP address expires without the server having received a renewal message from the client. If a network fault prevents a Release message from reaching the server in time, if a low-end device never triggers a release on its own, or if a client originally applied for a long lease and has in fact long since gone offline, the IP address is left idle. Especially where IP addresses are scarce, this wastes resources.
If no safety measures are taken, a client successfully obtains an IP address as long as its request follows the normal exchange. An attacker can tamper with the source MAC address (SMAC) of its packets to impersonate legitimate clients and request IP addresses without pause, exhausting the address pool in a short time, so that legitimate user devices can no longer request an IP address and cannot access the network normally.
Summary of the invention
The object of the invention is to overcome the defects of the prior art by providing a method for preventing malicious exhaustion of a DHCP server address pool, in which the DHCP server actively triggers detection to find out how the IP addresses it has assigned are actually being used in the network, so that the IP address pool is used efficiently while a degree of security protection is also provided and malicious attacks are reduced.
To achieve the above object, the invention proposes the following technical solution: a method for preventing malicious exhaustion of a DHCP server address pool, in which the DHCP server maintains a local IP address assignment table, and the method comprises: the DHCP server periodically selects users for online verification from the IP address assignment table and sends the selected users a Search message; if no Alive message is received in response from the corresponding DHCP client within a set first timeout period, the DHCP server sends a Rejest message to the gateway router of the network segment the user belongs to, and the gateway router refuses to forward the user's packets by creating a control rule.
The invention also proposes another technical solution: a method for preventing malicious exhaustion of a DHCP server address pool, in which the DHCP server maintains a local IP address assignment table, and the method comprises: the DHCP server sends a Detect message to all online DHCP clients in the local network and, within a set second timeout period, waits to receive the Alive messages returned by the DHCP clients; it then filters out the users that did not respond with an Alive message and sends them a Search message for a second online verification; if no Alive message is received in response from the corresponding DHCP client within a set first timeout period, the DHCP server sends a Rejest message to the gateway router of the network segment the user belongs to, and the gateway router refuses to forward the user's packets by creating a control rule.
Preferably, the DHCP server is triggered to send the Detect message by a timer or by the administrator.
Preferably, a corresponding timer is started after the DHCP server sends the Detect message and another after it sends the Search message; the two timers set the second timeout period and the first timeout period respectively.
Preferably, the first timeout period is at least three times the second timeout period.
Preferably, the Detect message is broadcast by the DHCP server in the local network.
Preferably, the Search message is unicast by the DHCP server in the local network, or its sending is triggered by a specific event. Besides the second verification that follows a Detect message, such specific events include the administrator actively sending a Search message from the command line, or a timer configured for random spot checks.
Preferably, the Rejest message is unicast by the DHCP server in the local network.
Preferably, the control rule comprises a MAC black-hole entry or an access control list (ACL).
Preferably, the Detect, Search, Alive and Rejest messages are DHCP messages whose body format is identical to the DHCP message format.
The beneficial effects of the invention are as follows:
1. The DHCP server of the invention actively triggers detection to find out how the assigned IP addresses are being used in the network. Compared with the existing practice of passively handing out IP addresses on client demand, the invention uses the IP address pool efficiently and manages IP allocation better.
2. Through the Detect message defined by the invention, the administrator obtains up-to-date information on which users are active, can assess the network size from the collected information, can allocate the limited IP address resources sensibly, and can maintain the network more easily.
3. The regular active detection by the DHCP server effectively prevents an attacker from maliciously consuming IP address resources; the problem is discovered and handled promptly, and the impact on normal users is reduced.
Accompanying drawing explanation
Fig. 1 is a flow chart of the method for preventing malicious exhaustion of a DHCP server address pool according to the invention;
Fig. 2 is a flow chart of another embodiment of the method for preventing malicious exhaustion of a DHCP server address pool according to the invention.
Embodiment
The technical solution of the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings.
The invention newly defines four kinds of DHCP message: Detect, Search, Alive and Rejest. The DHCP server either first actively sends a Detect message and then Search messages, or sends Search messages alone, to verify the users currently online in the local network; it waits for the DHCP clients to respond with the corresponding Alive messages, and finally sends a Rejest message to the gateway router of the network segment of the designated users so that those users' packets are refused.
Specifically, the DHCP Detect message is broadcast by the DHCP server in the local network in order to detect all online DHCP clients. Because every user that receives a Detect message (that is, every user of the DHCP service) must answer it, the server learns whether the IP addresses it has assigned are actually in normal use.
The DHCP Search message is unicast by the DHCP server in the local network in order to detect whether a specified DHCP client is online. After the Detect message has been sent, the DHCP server finds the clients that did not answer by consulting its local address pool allocation table and verifies them a second time by sending a Search message.
A Search message can also be triggered by a specific event; that is, the sending of Search messages can work independently of the Detect message. Besides the second verification that follows a Detect message, such specific events are: first, the administrator actively sending a Search message from the command line; second, a timer configured for random spot checks.
After a DHCP client receives a Detect or Search message, it responds with a DHCP Alive message to inform the server that it is using its assigned IP address normally.
The DHCP Rejest message is unicast to the gateway routers in the local network. Its purpose is that, when the server has received no reply after sending Detect and Search messages, the gateway router sets a corresponding control rule based on this message to refuse the user access to network resources.
The bodies of the four DHCP messages above all use the general DHCP message format, which keeps them compatible with existing equipment. The general DHCP message format is shown in Table 1 below:
Table 1: The general format of DHCP messages
The embodiment of the invention newly defines option 100 (Verification Code). Detect and Search messages must carry option 100 when sent, and its value is generated randomly by the server; an Alive message sent in reply must carry option 100 as well, and the server checks this field to confirm that the reply is genuine. The aim is to prevent an attacker from faking presence by sending Alive messages at timed intervals; a more advanced algorithm can of course be introduced later to strengthen security.
DHCP options carry the specific information that devices from different vendors need in different deployment environments. They form a variable-length field of the DHCP message; commonly used options include part of the lease information, the message type, and so on. The options field can hold at most 255 options and at least 1. Option 100 is newly defined here because code 100 is not yet used in the RFCs, so it is free for us to define and use for the verification function described here.
In addition, the invention needs to add new DHCP Message Type (option 53) values for the four messages above; option 53 identifies the type of a DHCP message.
The options field has the form code + length + data, as shown in Table 2 below:
Code | Len | Type |
---|---|---|
53 | 1 | 0x11~0x14 |
Table 2: The format of the options field
To remain compatible with the original DHCP messages, it is sufficient to extend the Type values inside option 53, that is, to add four DHCP message types.
0x11 denotes a DHCP Detect message; the message must also carry option 54 (Server Identifier) and option 100 (Verification Code). Option 54 is the server identifier, by which a DHCP client distinguishes different servers, so that the client can confirm which server sent the Detect message.
0x12 denotes a DHCP Search message; the message must also carry option 54 (Server Identifier), option 61 (Client Identifier) and option 100 (Verification Code). Option 61 is the client identifier; it is carried in the Search message mainly so that the client can confirm that the Search message is really addressed to it. Naturally, the server should have obtained option 61 when the client originally applied for an IP address, and should have bound it to the assigned IP address and the client's MAC address.
0x13 denotes a DHCP Alive message; the message must also carry option 54 (Server Identifier), option 61 (Client Identifier) and option 100 (Verification Code).
0x14 denotes a DHCP Rejest message; the message must also carry option 51 (IP Address Lease Time), option 54 (Server Identifier) and option 61 (Client Identifier). Option 51 is the lease time the DHCP server granted to the client. It is carried in the Rejest message sent to the gateway router mainly so that the router has a reference when it creates its rule: for the lease time the client applied for, the router forbids that client from accessing network resources.
As shown in Fig. 1, the disclosed method for preventing malicious exhaustion of a DHCP server address pool comprises the following steps:
Step 1: the DHCP server sends a Detect message to all online DHCP clients in the local network.
The DHCP server is the active initiator of the event; the sending of the Detect message is triggered by a timer or by the administrator. The server maintains a local IP address assignment table that records the users who have applied for and are normally using an IP address.
Step 2: within the set timeout period for the Detect message, the server waits to receive the Alive messages returned by the DHCP clients.
The timeout period for the Detect message is set with a timer that is started after the Detect message is sent; Alive messages are accepted within the timeout, and Alive messages received after the timeout are discarded.
Step 3: after receiving the Alive messages, the DHCP server filters out the users that did not respond with an Alive message.
Step 4: the server sends a Search message to each user that did not respond with an Alive message, as a second online verification, and within the set timeout period for the Search message waits to receive the Alive message returned by the DHCP client.
The timeout period for the Search message is likewise set with a timer that the DHCP server starts after sending the Search message. This timeout period is at least 3 times the timeout period for the Detect message, to prevent Alive messages delayed by a network fault from being counted as missing.
Step 5: if no Alive message is received in response from the corresponding DHCP client within the set timeout period for the Search message, the DHCP server sends a Rejest message to the gateway router of the network segment the user belongs to.
Step 6: the gateway router refuses to forward the user's packets by creating a control rule.
Preferably, the control rule created by the gateway router is a MAC black-hole entry, an ACL or a similar mechanism. The duration of the restriction is the lease time the user applied for, as recorded in the IP address assignment table: the user is forbidden network access for the lease period, and when the lease time is reached the restriction is lifted and the user may apply for an IP address again.
The method introduced above verifies the local online users twice, by first sending a Detect message and then sending Search messages. Of course, when the invention is implemented, the sending of Search messages can also work independently of the Detect message, as shown in Fig. 2: steps 1 to 3 above are then not needed, and the DHCP server periodically selects some users from the IP address assignment table for online confirmation, which increases the intensity of the checks. It sends a Search message to each selected user and, within the set timeout period, waits to receive the Alive message returned by the DHCP client; the procedure that follows is the same as steps 5 and 6.
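To make the message formats and the two-stage procedure above concrete, here is an added Python model of the server side (example code, not code from the patent): it encodes the four message types as option 53 values 0x11 to 0x14 with options 51, 54, 61 and 100, accepts an Alive only if it echoes the server's random verification code, and ends by building the Rejest messages for the gateway. The client identifiers, the 4-byte code length, the lease values and the four client behaviours are constructed for the example and are not fixed by the patent; timers are modelled as "all replies for this phase are in".

```python
import os

OPT_END = 255           # End option; the codes below are the ones the patent's messages carry
OPT_LEASE_TIME = 51     # IP Address Lease Time (carried in Rejest)
OPT_MSG_TYPE = 53       # DHCP Message Type
OPT_SERVER_ID = 54      # Server Identifier
OPT_CLIENT_ID = 61      # Client Identifier
OPT_VERIFY_CODE = 100   # Verification Code (the patent's own option 100)
DETECT, SEARCH, ALIVE, REJEST = 0x11, 0x12, 0x13, 0x14   # new option 53 values (Table 2)

def encode_options(opts):
    """Serialise {code: bytes} as code+length+data TLVs, terminated by End (255)."""
    out = bytearray()
    for code, data in opts.items():
        if not 1 <= len(data) <= 255:
            raise ValueError("option %d: bad length %d" % (code, len(data)))
        out += bytes((code, len(data))) + data
    out.append(OPT_END)
    return bytes(out)

def decode_options(buf):
    """Parse TLVs back into {code: bytes}; End stops parsing, a short buffer is rejected."""
    opts, i = {}, 0
    while i < len(buf) and buf[i] != OPT_END:
        length = buf[i + 1] if i + 1 < len(buf) else 0
        if i + 2 + length > len(buf):
            raise ValueError("truncated option at offset %d" % i)
        opts[buf[i]] = bytes(buf[i + 2:i + 2 + length])
        i += 2 + length
    return opts

# Server side of steps 1 to 5: Detect, Search, then Rejest for whoever never answered.
class ProbingServer:
    def __init__(self, server_ip, leases):
        self.server_id = bytes(int(x) for x in server_ip.split("."))
        self.leases = dict(leases)   # IP address assignment table: client_id -> lease seconds
        self.codes = {}              # verification code currently outstanding per client
        self.alive = set()

    def detect(self):
        """Step 1: broadcast Detect; every client is expected to echo the same fresh code."""
        code = os.urandom(4)
        self.codes = {cid: code for cid in self.leases}
        self.alive.clear()
        return encode_options({OPT_MSG_TYPE: bytes([DETECT]), OPT_SERVER_ID: self.server_id,
                               OPT_VERIFY_CODE: code})

    def search(self, client_id):
        """Step 4: unicast Search to one non-responder, carrying its client id and a new code."""
        code = os.urandom(4)
        self.codes[client_id] = code
        return encode_options({OPT_MSG_TYPE: bytes([SEARCH]), OPT_SERVER_ID: self.server_id,
                               OPT_CLIENT_ID: client_id, OPT_VERIFY_CODE: code})

    def accept_alive(self, wire):
        """Steps 2/3: an Alive counts only if it names this server and a known client and echoes
        that client's outstanding code; the code is consumed, so a replay or a guess fails."""
        o = decode_options(wire or b"")   # None (timer expired, no reply) fails every check
        cid = o.get(OPT_CLIENT_ID)
        ok = (o.get(OPT_MSG_TYPE) == bytes([ALIVE]) and o.get(OPT_SERVER_ID) == self.server_id
              and cid in self.codes and o.get(OPT_VERIFY_CODE) == self.codes[cid])
        if ok:
            self.alive.add(cid)
            del self.codes[cid]
        return ok

    def non_responders(self):
        return sorted(cid for cid in self.leases if cid not in self.alive)

    def rejest(self, client_id):
        """Step 5: Rejest for the gateway; option 51 tells it how long to block the client."""
        lease = self.leases[client_id].to_bytes(4, "big")
        return encode_options({OPT_MSG_TYPE: bytes([REJEST]), OPT_LEASE_TIME: lease,
                               OPT_SERVER_ID: self.server_id, OPT_CLIENT_ID: client_id})

def client_reply(wire, client_id, behaviour):
    """Constructed clients: 'normal' answers every probe, 'slow' misses the broadcast Detect but
    answers the unicast Search, 'silent' never answers, 'forged' answers with a made-up code."""
    o = decode_options(wire)
    if behaviour == "silent" or (behaviour == "slow" and o[OPT_MSG_TYPE] != bytes([SEARCH])):
        return None
    code = b"\x00\x00\x00\x00" if behaviour == "forged" else o[OPT_VERIFY_CODE]
    return encode_options({OPT_MSG_TYPE: bytes([ALIVE]), OPT_SERVER_ID: o[OPT_SERVER_ID],
                           OPT_CLIENT_ID: client_id, OPT_VERIFY_CODE: code})

def run_round(server, behaviours):
    """One round; each timer is modelled as 'all replies are in'. Returns the decoded Rejests."""
    detect = server.detect()
    for cid, how in behaviours.items():
        server.accept_alive(client_reply(detect, cid, how))
    for cid in server.non_responders():
        server.accept_alive(client_reply(server.search(cid), cid, behaviours[cid]))
    return [decode_options(server.rejest(cid)) for cid in server.non_responders()]
```

The slow client survives because the Search phase gives it a second chance, while the silent and forged clients end up in the Rejest list with their lease time as the block duration.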
The technical content and technical features of the invention have been disclosed above; nevertheless, a person of ordinary skill in the art may, based on the teaching and disclosure of the invention, make substitutions and modifications that do not depart from its spirit. The scope of protection is therefore not limited to the content disclosed in the embodiments, but includes all such substitutions and modifications that do not depart from the invention, as covered by the claims of the present application.
Claims (10)
1. A method for preventing malicious exhaustion of a DHCP server address pool, characterised in that the DHCP server maintains a local IP address assignment table, and the method comprises: the DHCP server periodically selects users for online verification from the IP address assignment table and sends the selected users a Search message; if no Alive message is received in response from the corresponding DHCP client within a set first timeout period, the DHCP server sends a Rejest message to the gateway router of the network segment the user belongs to, and the gateway router refuses to forward the user's packets by creating a control rule.
2. A method for preventing malicious exhaustion of a DHCP server address pool, characterised in that the DHCP server maintains a local IP address assignment table, and the method comprises: the DHCP server sends a Detect message to all online DHCP clients in the local network and, within a set second timeout period, waits to receive the Alive messages returned by the DHCP clients; it then filters out the users that did not respond with an Alive message and sends them a Search message for a second online verification; if no Alive message is received in response from the corresponding DHCP client within a set first timeout period, the DHCP server sends a Rejest message to the gateway router of the network segment the user belongs to, and the gateway router refuses to forward the user's packets by creating a control rule.
3. The method according to claim 2, characterised in that the DHCP server is triggered to send the Detect message by a timer or by the administrator.
4. The method according to claim 2, characterised in that a corresponding timer is started after the DHCP server sends the Detect message and another after it sends the Search message, the two timers setting the second timeout period and the first timeout period respectively.
5. The method according to claim 2 or 4, characterised in that the first timeout period is at least three times the second timeout period.
6. The method according to claim 2, characterised in that the Detect message is broadcast by the DHCP server in the local network.
7. The method according to claim 1 or 2, characterised in that the Search message is unicast by the DHCP server in the local network, or its sending is triggered by a specific event, the specific event comprising the Search message being actively triggered by a timer or by the administrator.
8. The method according to claim 1 or 2, characterised in that the Rejest message is unicast by the DHCP server in the local network.
9. The method according to claim 1 or 2, characterised in that the control rule comprises a MAC black-hole entry or an ACL.
10. The method according to claim 2, characterised in that the Detect, Search, Alive and Rejest messages are DHCP messages whose body format is identical to the DHCP message format.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410841939.0A CN104683326A (en) | 2014-12-30 | 2014-12-30 | Method for preventing hostile exhausting of DHCP (dynamic host configuration protocol) server address pool |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104683326A true CN104683326A (en) | 2015-06-03 |
Family
ID=53317922
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108076004A (en) * | 2016-11-09 | 2018-05-25 | 中国移动通信有限公司研究院 | For IPOE authentication methods, device and the server of client detection |
CN110445641A (en) * | 2019-07-11 | 2019-11-12 | 烽火通信科技股份有限公司 | The main/standby switching method and system of dns-proxy server |
CN113438333A (en) * | 2021-06-07 | 2021-09-24 | 中国联合网络通信集团有限公司 | Network address allocation method, device and equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1450756A (en) * | 2002-04-08 | 2003-10-22 | 华为技术有限公司 | Method for real time detecting ethernet connected computer on-line state through insertion equipment |
CN101325587A (en) * | 2007-06-11 | 2008-12-17 | 中兴通讯股份有限公司 | Method for monitoring DHCP conversation |
US20140136695A1 (en) * | 2012-11-14 | 2014-05-15 | Wistron Corporation | Detection method in network system and related apparatus |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
WD01 | Invention patent application deemed withdrawn after publication |

Application publication date: 2015-06-03