CN104780139B - Defence method and system against MAC address attacks - Google Patents


Info

Publication number: CN104780139B
Authority: CN (China)
Prior art keywords: address, mac address, arp, former, message
Legal status: Active (as listed by Google; an assumption, not a legal conclusion)
Application number: CN201410010594.4A
Other languages: Chinese (zh)
Other versions: CN104780139A (en)
Inventors: 袁志亚, 李志强
Current assignee: Kyland Technology Co Ltd
Original assignee: Kyland Technology Co Ltd
Application filed by Kyland Technology Co Ltd
Priority to CN201410010594.4A
Publication of CN104780139A
Application granted
Publication of CN104780139B

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming; H04L61/09 Mapping addresses; H04L61/10 Mapping addresses of different types; H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L63/00 Network architectures or network communication protocols for network security; H04L63/08 for authentication of entities; H04L63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 for detecting or protecting against malicious traffic; H04L63/1441 Countermeasures against malicious traffic; H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention discloses a defence method and system against MAC address attacks. A forwarding device establishes a forwarding list from the IP addresses and corresponding MAC addresses in the ARP messages it receives, and checks every ARP message that would require an IP address and its corresponding MAC address in the forwarding list to be modified. When the MAC address in such an ARP message is not the original MAC address, the forwarding device sends a constructed ARP request message to the original IP address and checks the IP address and MAC address in the ARP reply message. When these are not the original IP address and MAC address, the forwarding device sends the message on to the destination IP address of the ARP message that requested the modification of the IP address and corresponding MAC address in the forwarding list. The method and system improve the flexibility with which switch ports and network devices can be configured, while solving the security and stability of MAC addresses and IP addresses.

Description

Defence method and system against MAC address attacks
Technical field
The present invention relates to the field of industrial Ethernet technology, and in particular to a defence method and system against medium access control (Medium/Media Access Control, MAC) address attacks.
Background technology
The function of the Address Resolution Protocol (ARP) is to look up the MAC address of the port corresponding to an Internet Protocol (IP) address, so that nodes sharing a channel in a TCP/IP network can communicate using MAC addresses. Because of a flaw in the design of the ARP protocol, a host can actively send ARP messages, including forged ARP request or reply messages, and both the source IP address and the source MAC address in a message can be forged. In a local area network, a message can be forged to carry the IP address and MAC address combination of a given host (such as a server), or the IP address and MAC address combination of the gateway. The combination can be chosen arbitrarily according to the attacker's intention, and existing LANs have no mechanism or protocol to prevent this forgery. In recent years, almost all LANs have suffered from ARP spoofing attacks.
Fig. 1 assumes that host C is the gateway of the LAN and that host D is the ARP spoofer. When a computer in the LAN wants to communicate with other networks (for example, to access the Internet), all data destined for other networks is sent to host D; since host D is not the real gateway, the whole network is unable to communicate with other networks. This phenomenon is very common in ARP spoofing attacks.
In the conventional technique, the records in the ARP cache table can be either dynamic or static. If the records in the ARP cache table are dynamic, an aging mechanism shortens the ARP cache table and speeds up lookups; static ARP cache records are permanent and can be created and modified by the user with TCP/IP tools, such as the ARP tool shipped with the Windows operating system. On a computer, ARP spoofing attacks can be prevented by binding the IP address and MAC address records of important devices such as the gateway. The way to guard against ARP spoofing attacks on a switch is essentially the same as on a computer: the MAC address of a network device can be bound to a switch port, and a host (attacker) that violates the rule can be handled accordingly by the port security function.
The existing technical scheme mainly binds the MAC address of a network device to a switch port. The problem this brings is that each network device can only be bound to the configured switch port; if the connected port changes, the MAC address and port must be reset. Although the stability of the MAC address and port is maintained, the flexibility with which the switch (forwarding device) ports and network devices can be configured is reduced, and at the same time the scheme does not solve the security and stability of MAC addresses and IP addresses.
Summary of the invention
The embodiments of the present invention provide a defence method and system against MAC address attacks, in order to improve the flexibility with which switch (forwarding device) ports and network devices are configured and, at the same time, to solve the security and stability of MAC addresses and IP addresses.
The embodiments of the invention provide a defence method against MAC address attacks, the method including:
a forwarding device establishes a forwarding list from the IP addresses and corresponding MAC addresses in the ARP messages it receives, and keeps the MAC address corresponding to each IP address in the forwarding list stable;
it checks whether the MAC address of an ARP message requiring the MAC address corresponding to an IP address in the forwarding list to be modified is the original MAC address; if it is the original MAC address, the IP address and MAC address in the forwarding list are kept unchanged; if it is not the original MAC address, the forwarding device sends a constructed ARP request message to the original IP address;
after the network device at the original IP address replies with the corresponding ARP reply message, it checks whether the IP address and MAC address in the ARP reply message are the original IP address and MAC address; when they are the original IP address and original MAC address, the ARP message requesting the modification of the MAC address corresponding to the IP address in the forwarding list is deleted; when they are not the original IP address and original MAC address, the message is sent to the destination IP address in the ARP message that requested the modification of the MAC address corresponding to the IP address in the forwarding list.
The method also includes: when no corresponding ARP reply message is received from the network device at the original IP address within a preset time period, the forwarding device sends the message to the destination IP address in the ARP message that requested the modification of the MAC address corresponding to the IP address in the forwarding list.
It also includes: after the network device at the original IP address receives the constructed ARP request message, it sends the forwarding device an ARP reply message including its own IP address and MAC address.
When the ARP message requesting the modification of the IP address and corresponding MAC address in the forwarding list is deleted, the method also includes: when the forwarding device repeatedly receives ARP request messages from the same source requesting the modification of the IP address and corresponding MAC address in the forwarding list, it determines that the network device with that MAC address is performing a MAC address attack.
The ARP message requesting the modification of the IP address and corresponding MAC address in the forwarding list is an ARP request message.
The embodiments of the invention also provide a defence system against MAC address attacks, the system including:
an ARP message storage device, which establishes a forwarding list from the IP addresses and corresponding MAC addresses in the ARP messages it receives and keeps the MAC address corresponding to each IP address in the forwarding list stable;
an ARP request message judging device, which checks whether the MAC address of an ARP message requiring the MAC address corresponding to an IP address in the forwarding list to be modified is the original MAC address; if it is the original MAC address, the IP address and MAC address in the forwarding list are kept unchanged; if it is not the original MAC address, the ARP message storage device sends a constructed ARP request message to the original IP address;
an ARP reply message judging device, which, after the network device at the original IP address replies with the corresponding ARP reply message, checks whether the IP address and MAC address in the ARP reply message are the original IP address and original MAC address; if they are the original IP address and original MAC address, the ARP message requesting the modification of the MAC address corresponding to the IP address in the forwarding list is deleted; if they are not the original IP address and original MAC address, the message is sent to the destination IP address in the ARP message that requested the modification of the MAC address corresponding to the IP address in the forwarding list.
The system also includes: when no corresponding ARP reply message is received from the network device at the original IP address within a preset time period, the ARP message storage device sends the message to the destination IP address in the ARP message that requested the modification of the MAC address corresponding to the IP address in the forwarding list.
The system also includes: the network device at the original IP address receives the constructed ARP request message and sends the ARP reply message judging device an ARP reply message including its own IP address and MAC address.
The ARP message storage device also includes: when the ARP message requesting the modification of the IP address and corresponding MAC address in the forwarding list has been deleted, and the ARP message storage device repeatedly receives ARP messages from the same source requesting the modification of the IP address and corresponding MAC address in the forwarding list, it determines that the network device with that MAC address is performing a MAC address attack.
The ARP message storage device also includes: the ARP message requesting the modification of the IP address and corresponding MAC address in the forwarding list is an ARP request message.
In the solution of the present invention, the forwarding device establishes a forwarding list from the IP addresses and corresponding MAC addresses in the ARP messages it receives, keeps the IP addresses and their corresponding MAC addresses in the forwarding list stable, and checks every ARP message requiring an IP address and corresponding MAC address in the forwarding list to be modified. When the MAC address in the ARP message is not the original MAC address, the forwarding device sends a constructed ARP request message to the original IP address and checks the IP address and MAC address in the ARP reply message. When these are not the original IP address and MAC address, the message is sent to the destination IP address in the ARP message that requested the modification of the IP address and corresponding MAC address in the forwarding list. The method and system improve the flexibility with which switch ports and network devices are configured, while solving the security and stability of MAC addresses and IP addresses.
Brief description of the drawings
Fig. 1 is a diagram of the process of ARP spoofing;
Fig. 2 is a flow chart of the defence against MAC address attacks;
Fig. 3 is a schematic diagram of the defence process against MAC address attacks;
Fig. 4 is a structural diagram of the defence system against MAC address attacks.
Embodiment
The present invention provides a defence method and system against MAC address attacks that improve the flexibility with which switch ports and network devices are configured while solving the security and stability of MAC addresses and IP addresses.
The embodiments of the present invention are described in detail below with reference to the drawings.
Fig. 2 is a flow chart of the defence against MAC address attacks provided by an embodiment of the present invention; the process includes the following steps:
S201: the forwarding device establishes a forwarding list from the IP addresses and corresponding MAC addresses in the ARP messages it receives, and keeps the IP addresses and their corresponding MAC addresses in the forwarding list stable;
In this step, the forwarding list is built from the first ARP messages sent by each network device, so that the IP address and MAC address of every network device are recorded in the forwarding device. That is, the present invention does not defend the network while it is being established by the first ARP messages; it is proposed for a network that the user has already built up and recognises as reasonable and legitimate. The forwarding list is stored in the forwarding device.
S202: check whether the MAC address of an ARP message requiring the IP address and corresponding MAC address in the forwarding list to be modified is the original MAC address;
The forwarding device receives an ARP message requiring the IP address and corresponding MAC address in the forwarding list to be modified. In the present invention this ARP message is an ARP request message. In the existing technical scheme, the message that requires the forwarding list to be modified is an ARP reply message, that is, a message sent by the network device answering an ARP request and carrying its own IP address and MAC address. One of the key points of the present invention is that the forwarding device does not rely on the ARP reply message but first judges whether the source MAC address in the ARP request message is the MAC address stored in the forwarding list, the MAC address here being the one corresponding to the IP address.
S203: when it is the original MAC address, the IP address and MAC address in the forwarding list are kept unchanged;
If the source MAC address of the ARP request message is the original MAC address, the ARP request message was sent by the original network device. This may happen, for example, when the network device restarts and sends ARP request messages to the other network devices in the network in order to re-establish the network topology.
S204: when it is not the original MAC address, the forwarding device sends a constructed ARP request message to the original IP address;
This step is also one of the key points of the present invention. When the source MAC address of the ARP request message is not the original MAC address, the forwarding device forcibly sends an ARP request message to the original IP address; the destination IP address of the constructed ARP request message is the original IP address. After the network device at the original IP address receives the constructed ARP request message, it sends the forwarding device an ARP reply message including its own IP address and MAC address.
S205: after the network device at the original IP address replies with the corresponding ARP reply message, check whether the IP address and MAC address in the ARP reply message are the original IP address and original MAC address;
In this step, if the network device at the original IP address still exists, it answers the ARP request message sent by the forwarding device with an ARP reply message including its own MAC address and IP address, and the forwarding device checks whether the MAC address and IP address in the ARP reply message are the MAC address and IP address stored in the forwarding list.
S206: when they are the original IP address and MAC address, the ARP message requesting the modification of the IP address and corresponding MAC address in the forwarding list is deleted;
In this step, when the MAC address and IP address in the ARP reply message are the MAC address and IP address stored in the forwarding list, the ARP message received by the forwarding device requesting the modification of the IP address and corresponding MAC address in the forwarding list is an invalid request message, and the forwarding device does not modify the IP address and corresponding MAC address in the forwarding list according to that request.
S207: when they are not the original IP address and MAC address, the message is sent to the destination IP address in the ARP message that requested the modification of the IP address and corresponding MAC address in the forwarding list.
In this step, when the MAC address and IP address in the ARP reply message are inconsistent with the MAC address and IP address stored in the forwarding list, the network device at the destination IP address of the constructed request has changed into a network device with another MAC address, and the forwarding device sends the ARP message requesting the modification of the IP address and corresponding MAC address in the forwarding list to the network device at the destination IP address.
Further, the method includes the following step:
when no reply to the constructed ARP request message is received within a preset time period, the forwarding device sends the message to the destination IP address in the ARP message that requested the modification of the IP address and corresponding MAC address in the forwarding list.
In this step, if the network device at the original IP address is no longer in the network, the forwarding device will not receive an ARP reply message answering the constructed ARP request message within the preset time period, and it therefore sends the ARP request message to the destination IP address in the ARP message that requested the modification of the IP address and corresponding MAC address in the forwarding list. This step mainly ensures that the limited IP addresses in the network can be used effectively.
The preset time period is set manually; it can be, for example, a time span such as 1 min or 30 s, and the time span needs to be set according to actual needs.
Further, the method includes the following step:
when they are the original IP address and MAC address and the ARP message requesting the modification of the IP address and corresponding MAC address in the forwarding list is deleted, the method also includes: when the forwarding device repeatedly receives ARP messages from the same source requesting the modification of the IP address and corresponding MAC address in the forwarding list, it determines that the network device with that MAC address is performing a MAC address attack.
In this step, once it has been determined that the network device at the original IP address is still in the network, if ARP messages requesting the modification of the IP address and corresponding MAC address in the forwarding list keep arriving, it can basically be determined that the network device with that MAC address is performing a MAC address attack. Because the forwarding list established in the forwarding device is essentially fixed and stable, if some device keeps wanting to change this forwarding list, it can be determined that the device is the source of the MAC address attack.
The implementation process is based on the ARP spoofing shown in Fig. 1 and the defence flow chart against MAC address attacks shown in Fig. 2, and is described with reference to the defence process diagram against MAC address attacks in Fig. 3 as follows. In Fig. 3, the switch acts as the forwarding device and stores the MAC addresses and corresponding IP addresses of host A, host B (the switch itself), host C and host D in the network, as in Table 1.
Table 1

Member    IP address     MAC address
Host A    192.168.1.1    11-11-11-11-11
Host B    192.168.1.2    22-22-22-22-22
Host C    192.168.1.3    33-33-33-33-33
Host D    192.168.1.4    44-44-44-44-44

In this embodiment, host B is the switch; host C acts as the network gateway and connects the network to the external Internet; host D is the ARP spoofer. Host D impersonates the IP address of host C, the gateway: it first constructs an ARP request message with the IP address of host C as the source IP address and its own MAC address as the source MAC address, to be broadcast to the whole network by host B acting as the switch. When host B receives the ARP request message, it does not forward it to the whole network immediately; instead, it checks whether the source MAC address and source IP address in the ARP request message are consistent with the MAC address and IP address in the forwarding list stored in the switch.
Because host D impersonates the IP address of host C, the IP address and MAC address in the request are inconsistent with the forwarding list. Host B therefore constructs an ARP request message with its own MAC address and IP address as the source MAC address and source IP address, and sends it only on the port connected to host C, as a unicast with the MAC address of host C as the destination MAC address. After host C receives this ARP request message, it replies with an ARP reply message carrying the MAC address and IP address of host C.
After host B receives the ARP reply message, it compares the IP address and MAC address of host C in the message with the corresponding IP address and MAC address in the forwarding list. If they are consistent with the corresponding IP address and MAC address in the forwarding list, host B deletes the ARP request message received from host D. If the IP address and MAC address received from host C are inconsistent with the corresponding IP address and MAC address in the forwarding list, host B broadcasts the ARP request message received from host D to the whole network and at the same time stores the IP address and MAC address received from host C and the source IP address and source MAC address carried in the ARP request message in the forwarding list, deleting the IP address and MAC address information originally stored for host C.
In addition, if host B does not receive an ARP reply message from host C within the preset time period, host B forwards the ARP request message sent by host D to the destination IP address in that ARP request message; the forwarding here can be by broadcast, unicast or multicast.
After host A receives the ARP request message sent by host B, it sends host B an ARP reply message including the IP address and MAC address of host A itself.
When the ARP request message requesting the modification of the IP address and corresponding MAC address in the forwarding list is deleted in host B, the method also includes: when host B repeatedly receives ARP messages from the same source requesting the modification of the IP address and corresponding MAC address in the forwarding list, it determines that the network device with that MAC address is performing a MAC address attack. For example, if host D sends ARP request messages several times and the modification of the source IP address and source MAC address in those ARP request messages never passes host B's verification, host D can be determined to be performing a MAC address attack.
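The switch-side decision logic of steps S201 to S207, together with the timeout and repeated-attempt rules, replayed on the Fig. 3 scenario: this is an added Python simulation, not code from the patent or from Kyland. The ARP message fields, the on_request/on_reply/on_tick event interface, the threshold of three failed attempts and the table update on timeout are assumptions; the hosts, IPs and MACs are copied from Table 1.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpRequest:          # the request fields the method inspects (constructed)
    src_ip: str
    src_mac: str
    dst_ip: str


@dataclass(frozen=True)
class ArpReply:            # sender IP/MAC carried in an ARP reply (constructed)
    src_ip: str
    src_mac: str


@dataclass
class ForwardingDevice:
    """The switch (host B in Fig. 3) holding the forwarding list IP -> MAC."""
    table: Dict[str, str]
    timeout: float = 30.0       # preset time period; the page suggests 30 s or 1 min
    attack_threshold: int = 3   # assumption: "repeatedly" is not quantified on the page
    pending: Dict[str, Tuple[ArpRequest, float]] = field(default_factory=dict)
    attempts: Dict[str, int] = field(default_factory=dict)
    attackers: Set[str] = field(default_factory=set)

    def on_request(self, req: ArpRequest, now: float) -> str:
        """S202-S204: decide what to do with an incoming ARP request."""
        old_mac = self.table.get(req.src_ip)
        if old_mac is None:
            # unknown IP: no entry to modify, learn it as in S201 and forward
            self.table[req.src_ip] = req.src_mac
            return "forward"
        if old_mac == req.src_mac:
            # S203: source MAC is the original one (e.g. host restarted); list unchanged
            return "forward"
        # S204: the request would change IP -> MAC; instead of trusting it, probe the
        # original IP with a constructed ARP request unicast to the old MAC only
        self.pending[req.src_ip] = (req, now)
        return f"probe {req.src_ip} via {old_mac}"

    def on_reply(self, reply: ArpReply) -> str:
        """S205-S207: the device at the original IP answered the constructed request."""
        if reply.src_ip not in self.pending:
            return "ignore"
        req, _ = self.pending.pop(reply.src_ip)
        if self.table.get(reply.src_ip) == reply.src_mac:
            # S206: original device is alive with the original MAC, so the request was
            # invalid: drop it and count the attempt against the sending MAC
            n = self.attempts.get(req.src_mac, 0) + 1
            self.attempts[req.src_mac] = n
            if n >= self.attack_threshold:
                self.attackers.add(req.src_mac)
            return "drop"
        # S207: the device behind the original IP now has another MAC; replace the old
        # entry with the reply's and the request's bindings (claim 1) and broadcast
        del self.table[reply.src_ip]
        self.table[reply.src_ip] = reply.src_mac
        self.table[req.src_ip] = req.src_mac
        return "forward"

    def on_tick(self, now: float) -> List[str]:
        """Timeout branch: no reply within the preset period, so the held request
        is forwarded to its destination IP (the original host is gone)."""
        actions = []
        for ip, (req, t0) in list(self.pending.items()):
            if now - t0 >= self.timeout:
                del self.pending[ip]
                # assumption: adopt the new binding so the freed IP can be reused;
                # the page only says that the request is forwarded in this case
                self.table[req.src_ip] = req.src_mac
                actions.append(f"forward {req.src_ip}->{req.dst_ip}")
        return actions


# Table 1 from the page (host B is the switch itself); MACs copied as written there
TABLE_1 = {
    "192.168.1.1": "11-11-11-11-11",   # host A
    "192.168.1.2": "22-22-22-22-22",   # host B (switch)
    "192.168.1.3": "33-33-33-33-33",   # host C (gateway)
    "192.168.1.4": "44-44-44-44-44",   # host D (ARP spoofer)
}
SPOOF = ArpRequest("192.168.1.3", "44-44-44-44-44", "192.168.1.1")  # D claims C's IP


def fig3_spoof_attempt(repeat: int = 3) -> Tuple[ForwardingDevice, List[str]]:
    """Host D claims host C's IP with its own MAC; host C answers every probe."""
    sw = ForwardingDevice(table=dict(TABLE_1))
    log: List[str] = []
    for i in range(repeat):
        log.append(sw.on_request(SPOOF, now=float(i)))
        log.append(sw.on_reply(ArpReply("192.168.1.3", "33-33-33-33-33")))
    return sw, log


def fig3_gateway_gone() -> Tuple[ForwardingDevice, List[str]]:
    """Same request, but host C never answers: the preset time period elapses."""
    sw = ForwardingDevice(table=dict(TABLE_1))
    log = [sw.on_request(SPOOF, now=0.0)]
    log += sw.on_tick(now=10.0)   # still within 30 s: the request stays held
    log += sw.on_tick(now=30.0)   # period elapsed: request forwarded to host A
    return sw, log
```

In the first scenario the forwarding list for 192.168.1.3 never changes and host D's MAC is flagged after the third rejected attempt; in the second the request is released only once the timer expires.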
Fig. 4 is a structural diagram of a defence system against MAC address attacks provided by an embodiment of the present invention. The defence system against MAC address attacks corresponds to the defence method against MAC address attacks and includes the following:
an ARP message storage device, which establishes a forwarding list from the IP addresses and corresponding MAC addresses in the ARP messages it receives and keeps the IP addresses and their corresponding MAC addresses in the forwarding list stable;
an ARP request message judging device, which checks whether the MAC address of an ARP message requiring the IP address and corresponding MAC address in the forwarding list to be modified is the original MAC address; if it is the original MAC address, the IP address and MAC address in the forwarding list are kept unchanged; if it is not the original MAC address, the ARP message storage device sends a constructed ARP request message to the original IP address;
an ARP reply message judging device, which, after the network device at the original IP address replies with the corresponding ARP reply message, checks whether the IP address and MAC address in the ARP reply message are the original IP address and MAC address; if they are the original IP address and MAC address, the ARP message requesting the modification of the IP address and corresponding MAC address in the forwarding list is deleted; if they are not the original IP address and MAC address, the message is sent to the destination IP address in the ARP message that requested the modification of the IP address and corresponding MAC address in the forwarding list.
It should be noted that the ARP message storage device, the ARP request message judging device and the ARP reply message judging device here are all located in the forwarding device, taking a switch as an example, and the judging process of the whole system is the process of the defence method against MAC address attacks. For details, refer to Fig. 3 and its related description.
The system also includes:
the network device at the original IP address receives the constructed ARP request message and sends the ARP reply message judging device an ARP reply message including its own IP address and MAC address.
The system also includes:
when the ARP message storage device receives no reply to the constructed ARP request message within a preset time period, the ARP message storage device sends the message to the destination IP address in the ARP message that requested the modification of the IP address and corresponding MAC address in the forwarding list.
The ARP message storage device also includes: when the ARP message requesting the modification of the IP address and corresponding MAC address in the forwarding list has been deleted, and the ARP message storage device repeatedly receives ARP messages from the same source requesting the modification of the IP address and corresponding MAC address in the forwarding list, it determines that the network device with that MAC address is performing a MAC address attack.
The ARP message storage device also includes: the ARP message requesting the modification of the IP address and corresponding MAC address in the forwarding list is an ARP request message.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present application is described with reference to flow charts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks in the flow charts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realises the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art can make further changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present application.
Obviously, those skilled in the art can make various changes and modifications to the present application without departing from the spirit and scope of the present application. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their technical equivalents, the present application is also intended to include these changes and modifications.

Claims (8)

1. A defence method against MAC address attack, characterised in that the method comprises:
a forwarding device establishing a forwarding list from the IP addresses and corresponding MAC addresses in the ARP messages it receives, and keeping the MAC address corresponding to each IP address in the forwarding list stable;
detecting whether the MAC address in an ARP message that requests modification of the MAC address corresponding to an IP address in the forwarding list is the original MAC address; if it is the original MAC address, keeping the IP address and MAC address in the forwarding list unchanged; if it is not the original MAC address, the forwarding device broadcasting a constructed ARP request message on the port connected to the network device of the original IP address;
after obtaining the corresponding ARP reply message returned by the network device of the original IP address, detecting whether the IP address and MAC address in the ARP reply message are the original IP address and the original MAC address; when they are the original IP address and the original MAC address, discarding the ARP message that requests modification of the MAC address corresponding to the IP address in the forwarding list; when they are not the original IP address and the original MAC address, the forwarding device broadcasting to the whole network the ARP message that requests modification of the MAC address corresponding to the IP address in the forwarding list, while storing in the forwarding list the IP address and MAC address in the ARP reply message together with the IP address and MAC address carried in the ARP message, and deleting the IP address and MAC address in the former forwarding list; and when no corresponding ARP reply message is received from the network device of the original IP address within a preset time period, the forwarding device sending the message to the destination IP address in the ARP message that requests modification of the MAC address corresponding to the IP address in the forwarding list.
2. The method according to claim 1, characterised in that it further comprises:
after the network device of the original IP address receives the constructed ARP request message, sending to the forwarding device an ARP reply message containing its own IP address and MAC address.
3. The method according to claim 1, characterised in that, when the ARP message that requests modification of the IP address and corresponding MAC address in the forwarding list is discarded, the method further comprises: when the forwarding device repeatedly receives the same ARP request message that requests modification of the IP address and corresponding MAC address in the forwarding list, determining that the network device having that MAC address is carrying out a MAC address attack.
4. The method according to claim 1, characterised in that the ARP message that requests modification of the IP address and corresponding MAC address in the forwarding list is an ARP request message.
5. A defence system against MAC address attack, characterised in that the system comprises:
an ARP message saving device, which establishes a forwarding list from the IP addresses and corresponding MAC addresses in the ARP messages it receives and keeps the MAC address corresponding to each IP address in the forwarding list stable;
an ARP request message judging device, which detects whether the MAC address in an ARP message that requests modification of the MAC address corresponding to an IP address in the forwarding list is the original MAC address; if it is the original MAC address, keeps the IP address and MAC address in the forwarding list unchanged; and if it is not the original MAC address, causes the ARP message saving device to broadcast a constructed ARP request message on the port connected to the network device of the original IP address;
an ARP reply message judging device, which, after obtaining the corresponding ARP reply message returned by the network device of the original IP address, detects whether the IP address and MAC address in the ARP reply message are the original IP address and the original MAC address; if they are the original IP address and the original MAC address, discards the ARP message that requests modification of the MAC address corresponding to the IP address in the forwarding list; if they are not the original IP address and the original MAC address, the forwarding device broadcasts to the whole network the ARP message that requests modification of the MAC address corresponding to the IP address in the forwarding list, while storing in the forwarding list the IP address and MAC address in the ARP reply message together with the IP address and MAC address carried in the ARP message, and deleting the IP address and MAC address in the former forwarding list; and when no corresponding ARP reply message is received from the network device of the original IP address within a preset time period, the forwarding device sends the message to the destination IP address in the ARP message that requests modification of the MAC address corresponding to the IP address in the forwarding list.
6. The system according to claim 5, characterised in that the system further comprises:
the network device of the original IP address, which receives the constructed ARP request message and sends to the ARP reply message judging device an ARP reply message containing its own IP address and MAC address.
7. The system according to claim 5, characterised in that the ARP message saving device further: when the ARP message that requests modification of the IP address and corresponding MAC address in the forwarding list is discarded, and the ARP message saving device repeatedly receives the same ARP message that requests modification of the IP address and corresponding MAC address in the forwarding list, determines that the network device having that MAC address is carrying out a MAC address attack.
8. The system according to claim 5, characterised in that, in the ARP message saving device, the ARP message that requests modification of the IP address and corresponding MAC address in the forwarding list is an ARP request message.
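As an added illustration, not part of the patent or of the assignee's code, the following Python simulation models the verify-before-update decision of claims 1 and 3 on a forwarding device: a MAC change for a known IP triggers a probe on the original port, and the outcome (matching reply, differing reply, or timeout) decides whether the change is dropped, accepted and broadcast, or forwarded. The IP/MAC values, port numbers and the threshold of three rejected attempts for what the claims call "repeatedly" are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    mac: str
    port: int   # port on which the device owning this IP was learned


@dataclass
class ArpGuard:
    """Simulated forwarding list with the probe-before-update check of the claims."""
    table: dict = field(default_factory=dict)     # ip -> Entry (the "forwarding list")
    pending: dict = field(default_factory=dict)   # ip -> (new_mac, port, dst_ip) awaiting a probe reply
    rejected: dict = field(default_factory=dict)  # new_mac -> number of rejected change attempts
    attack_threshold: int = 3                     # constructed value; the claims only say "repeatedly"

    def on_arp(self, ip, mac, port, dst_ip=None):
        """An ARP message binding ip->mac arrives on a port; returns the action taken."""
        cur = self.table.get(ip)
        if cur is None:
            self.table[ip] = Entry(mac, port)
            return "LEARNED"
        if cur.mac == mac:
            return "KEEP"                         # original MAC: the list stays unchanged
        # MAC differs from the original: ask the device on the original port who owns ip
        self.pending[ip] = (mac, port, dst_ip)
        return f"PROBE port={cur.port} who-has {ip}"

    def on_probe_reply(self, ip, reply_ip, reply_mac):
        """The device on the original port answered the constructed ARP request."""
        new_mac, port, _ = self.pending.pop(ip)
        cur = self.table[ip]
        if reply_ip == ip and reply_mac == cur.mac:
            # Original owner still answers with the original binding: discard the change
            self.rejected[new_mac] = self.rejected.get(new_mac, 0) + 1
            if self.rejected[new_mac] >= self.attack_threshold:
                return f"DROP;ATTACK from {new_mac}"   # claim 3: repeated attempts mark an attacker
            return "DROP"
        # Binding really changed: delete the old entry, store both the reply's and the
        # request's bindings, and broadcast the modifying ARP message to the whole network
        del self.table[ip]
        self.table[reply_ip] = Entry(reply_mac, cur.port)
        self.table[ip] = Entry(new_mac, port)
        return "BROADCAST;UPDATE"

    def on_probe_timeout(self, ip):
        """No reply within the preset time: forward the modifying ARP message to its target."""
        _, _, dst_ip = self.pending.pop(ip)
        return f"FORWARD to {dst_ip}"
```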
CN201410010594.4A 2014-01-09 2014-01-09 A kind of defence method and system based on MAC Address attack Active CN104780139B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410010594.4A CN104780139B (en) 2014-01-09 2014-01-09 A kind of defence method and system based on MAC Address attack


Publications (2)

Publication Number Publication Date
CN104780139A CN104780139A (en) 2015-07-15
CN104780139B CN104780139B (en) 2018-02-13

Family

ID=53621386


Country Status (1)

Country Link
CN (1) CN104780139B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105530187B (en) * 2015-12-14 2019-06-14 小米科技有限责任公司 Physical address acquisition methods and device
CN106899554A (en) * 2015-12-21 2017-06-27 北京奇虎科技有限公司 A kind of method and device for preventing ARP from cheating
CN108574674A (en) * 2017-03-10 2018-09-25 武汉安天信息技术有限责任公司 A kind of ARP message aggressions detection method and device
CN107360182B (en) * 2017-08-04 2020-05-01 南京翼辉信息技术有限公司 Embedded active network defense system and defense method thereof
CN110401616A (en) * 2018-04-24 2019-11-01 北京码牛科技有限公司 A kind of method and system improving MAC Address and IP address safety and stability
CN110401617A (en) * 2018-04-24 2019-11-01 北京码牛科技有限公司 A kind of method and system for preventing ARP from cheating
CN111010362B (en) * 2019-03-20 2021-09-21 新华三技术有限公司 Monitoring method and device for abnormal host
CN111835764B (en) * 2020-07-13 2023-04-07 中国联合网络通信集团有限公司 ARP anti-spoofing method, tunnel endpoint and electronic equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1921491A (en) * 2006-09-14 2007-02-28 杭州华为三康技术有限公司 Method and equipment for preventing network attack by using address analytic protocol
CN101110821A (en) * 2007-09-06 2008-01-23 华为技术有限公司 Method and apparatus for preventing ARP address cheating attack
US7464183B1 (en) * 2003-12-11 2008-12-09 Nvidia Corporation Apparatus, system, and method to prevent address resolution cache spoofing
CN101370019A (en) * 2008-09-26 2009-02-18 北京星网锐捷网络技术有限公司 Method and switchboard for preventing packet cheating attack of address analysis protocol
CN101635713A (en) * 2009-06-09 2010-01-27 北京安天电子设备有限公司 Method and system for preventing local area network ARP defection attacks
CN101820396A (en) * 2010-05-24 2010-09-01 杭州华三通信技术有限公司 Method and device for verifying message safety
CN103152335A (en) * 2013-02-20 2013-06-12 神州数码网络(北京)有限公司 Method and device for preventing ARP (address resolution protocol) deceit on network equipment


Also Published As

Publication number Publication date
CN104780139A (en) 2015-07-15


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20150715

Assignee: Hubei Dongtu Taiyi Wisdom Technology Co., Ltd.

Assignor: Beijing Dongtu Technology Co., Ltd.

Contract record no.: 2019990000255

Denomination of invention: Defense system based on MAC (Medium/Media Access Control) address attack and system

Granted publication date: 20180213

License type: Common License

Record date: 20190729