CN104917751B - Electronic deception prevents - Google Patents
- Publication number: CN104917751B (application CN201510190975.XA)
- Authority: CN (China)
- Prior art keywords: address, user, mac, received, network
- Legal status: Expired - Fee Related (status as listed by Google Patents; not a legal conclusion)
Classifications
- H04L63/1441: Countermeasures against malicious traffic (under H04L63/14, network architectures or protocols for detecting or protecting against malicious traffic)
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/1483: Countermeasures against malicious traffic, service impersonation, e.g. phishing, pharming or web spoofing
Abstract
In a standard Ethernet access network used to reach the Internet, there is no technical security measure preventing a user from changing his address information so as to illegitimately divert packets intended for other users, or simply to disguise his identity. By implementing a filtering mechanism in the access node, the overall security of the network is improved without sacrificing the simplicity or the transmission speed of the Ethernet access network. The filtering mechanism filters the packets sent towards users connected to the access node using the combination of the assigned IP destination address and the assigned MAC address. Any packet sent to a user but carrying an incorrect MAC or IP address is blocked.
Description
Technical field
The present invention relates to the security of a public network, such as the Internet, that network users access over a shared medium such as Ethernet.
Background technique
When the Internet is used, it may be desirable for a user to be identifiable by a dedicated Internet Protocol (IP) address. This helps in identifying illegal traffic or behaviour that is dangerous to, for example, national security. But if the user is connected to the Internet over a public Ethernet, identifying the user becomes more difficult, because in a standard network there is no technical barrier to the user changing his IP address and MAC address (behaviour commonly referred to as "electronic deception", or spoofing). The term "public Ethernet" refers to an Ethernet network whose core consists of self-learning switches or nodes forming an aggregation network. Switching within the aggregation network is performed on the destination Media Access Control (MAC) address of the packet: as each node receives and forwards packets, it progressively associates MAC addresses with the relevant destinations. This can be done using Address Resolution Protocol (ARP) requests; each time a switch in the aggregation network receives a packet with a new MAC address, a request is sent to the edge nodes or routers in the network.
User identification within an Ethernet access network is possible if each user is required to log in with a unique username and password before being allowed network access, for example via the Point-to-Point Protocol over Ethernet (PPPoE). But such systems are not always accepted by users, because having to log in every time inevitably slows down access. A further technical solution in this shared medium consists of routing all traffic between all users. But doing so is costly and inefficient: the access node must be able to route all traffic, and each user must effectively be allocated at least one IP subnet, which typically comprises four IP addresses regardless of how many are actually needed. When the Ethernet access network has no such configuration or routing restriction, security in the network depends on mutual trust and on all users abiding by the management rules.
In view of the prior art, an object of the invention is to improve the security of an Ethernet access network without imposing configuration or routing restrictions in the network itself.
Summary of the invention
These and further objects are achieved in an access node for connecting at least one user to an Ethernet network. The access node has a table for storing the address information of the connected users. It further comprises a filtering module adapted to identify the destination address of a data packet received over the network, and to allow the data packet to be sent to a user only when the packet carries a destination address corresponding to the address information stored in the table.
This effectively prevents the situation in which a user sends false address information, causing the aggregation network to misdirect traffic away from its real destination so that the user receives information intended for another user. The network itself is not affected, and traffic can continue to flow along the shortest path through the aggregation network.
Preferably, the access node stores the IP and MAC address assigned to the user. This prevents the aggregation network from misrouting traffic on the basis of the MAC address alone.
The security level can be raised further by arranging the filtering module to also identify the source address information in packets received from one of the users for transmission over the network, and to allow those packets onto the network only when their source address information corresponds to the address information stored in the table.
Any attempt by a user, whether by mistake or with malicious intent, to illegitimately use a false or duplicate IP address can thus be prevented.
Detailed description of the invention
Further objects and advantages of the invention will become more apparent from the following description of a preferred embodiment, given by way of example with reference to the accompanying drawings, in which:
Fig. 1 schematically illustrates a standard Ethernet network with standard Ethernet switches and access nodes according to the invention;
Fig. 2 schematically illustrates the functional units of an access node according to the invention; and
Fig. 3 shows a flow chart illustrating the filtering function of an access node according to the invention.
Specific embodiment
Fig. 1 shows a standard Ethernet network 10, which in this example serves as an access network to the Internet or to another external network connected to the Internet. The connection to the external network is provided by a router 18, which is connected to an aggregation network formed by standard self-learning Ethernet switches 14, 16. The structure and function of the switches 14, 16 of the aggregation network are known in the art and are not discussed further here. As shown, two users, user A 20-1 and user B 20-2, are connected to the network 10 through access nodes 12-1, 12-2. The users shown are PCs, but it will be understood that other equipment may constitute the user equipment. Conventional access nodes 12-1, 12-2 include the Fibre Ethernet Access ELN200 or the ADSL Ethernet modem EDA ESN312 IPDSLAM manufactured by Ericsson. The access nodes 12-1, 12-2 of the present embodiment may be based on these known devices but include the additional functions and features described below.
For ease of illustration, each of the access nodes AN1 12-1, AN2 12-2 shown has 5 ports. In this embodiment, as shown, user A 20-1 is connected to port 2 of access node AN1 12-1, and user B 20-2 is connected to port 5 of access node AN2 12-2. The remaining ports of the access nodes AN1 12-1, AN2 12-2 are unoccupied, but as those skilled in the art will understand, additional users may be connected to these ports. In the configuration shown, port 1 of each of the access nodes AN1 12-1, AN2 12-2 is connected to a port of the Ethernet switch 14 that forms part of the aggregation network. More specifically, access node AN1 12-1 is connected to port 2 of this switch 14, and access node AN2 12-2 is connected to port 3 of the switch. A third port (port 1 of switch 14) is connected to another switch 16 in the aggregation network.
Each of user A 20-1 and user B 20-2 connected to the network 10 is assigned an IP address and a MAC address. The IP address is normally defined and communicated by the Internet service provider (ISP). The MAC address is usually configured in the user's network interface card (NIC), which carries a predefined unique MAC address when it leaves the factory. For ease of illustration, the MAC address of user A 20-1 is MAC A and its IP address is IP1; the MAC address of user B 20-2 is MAC B and its IP address is IP2. The router 18 is also assigned a MAC address and an IP address, in this example MAC C and IP3 respectively. In the aggregation network, routing is based solely on the MAC address contained in the destination address of the data packet. Each of the switches 14, 16 and the access nodes 12-1, 12-2 holds routing information. This is shown in Fig. 1 by an Ethernet routing table 140 associated with the Ethernet switch 14, a table 120-1 associated with access node 12-1 and a table 120-2 associated with access node 12-2; the associated switch or node uses its table to forward packets to the correct port according to the destination MAC address. The routing information in these tables 140, 120-1, 120-2 accumulates progressively as the switch or node "learns" to associate packets carrying a given MAC address with a particular route, the association being based on the source address information in ARP requests, DHCP responses or other received packets. Once this information has been built up, packets are sent through the aggregation network along the shortest path.
In such a configuration, however, a user may attempt to change his MAC address or IP address in order to steal packets from other users, even though those addresses have already been assigned to another user. For example, a user can send packets with a false source MAC or IP address, and this information is then treated as genuine and assimilated into the routing tables. In Fig. 1, for instance, user B 20-2 could occasionally change his MAC address from MAC B to MAC A in order to steal Ethernet packets sent to user A 20-1. Although the number of packets intercepted in this way may be small (perhaps one in 10000), this fraudulent use may still be attractive to a malicious user, because over time the stolen packets will contain sensitive information such as security passwords. This can be achieved as follows. User A sends a TCP/IP request from PC A to the Internet and awaits a response. User B sends from PC B a false packet using the source address MAC A rather than MAC B, with the aim of redirecting traffic. The false packet causes Ethernet switch SW1 14 to change its routing table so that packets with destination address MAC A are mapped to port 3 rather than port 2. Similarly, the routing table on access node AN2 12-2 is changed so that packets with destination address MAC A are mapped to port 5. With these changes, the response to the TCP/IP request sent by user A, or any other packet destined for PC A 20-1, is redirected to PC B 20-2 and user B. In the same way, user B can assume the MAC address of the router 18 by sending from PC B 20-2 a false packet with source address MAC C. This causes Ethernet switch SW1 14 to change its routing table so that packets sent to MAC C are mapped to port 3 instead of port 1, and causes access node AN2 to change its routing table so that MAC C is mapped to port 5. Thereafter, any packet in network 10 with destination address MAC C intended for router 18 (for example from PC A 20-1) is redirected to PC B 20-2.
According to the invention, this is prevented by providing a filtering function in the access node. Fig. 2 shows a simplified, schematic representation of the filtering arrangement in access node 12-2. As shown in Fig. 2, each access node 12 has a filtering module 122 that extracts the address information from every incoming packet and, by querying a table 124, verifies whether the IP address corresponds to the IP address of a user connected to that access node 12. Table 124 contains the correct (i.e. originally assigned) IP and MAC address of each connected user. By reference to table 124, the filtering module 122 checks the MAC destination address of every incoming packet against the MAC address of the user to whom the IP address is assigned. If the addresses match, the packet is sent to the user; if no match is found, the packet is blocked. In this way, if a user employs, as the source address of outgoing packets, a MAC address different from the one originally assigned to him, as in the two examples described above, those packets are blocked by the access node.
The filtering function in the access node 12 operates without the user being aware of it. Packets that have been fraudulently misrouted to the access node are blocked there rather than being passed on to the user according to the Ethernet routing table.
In addition to filtering incoming or downstream packets on the basis of the destination IP and MAC address, the filtering module 22 can filter outgoing packets to ensure that they carry a legitimate IP source address. This function serves to prevent a user from illegitimately using the IP source address of another user. For example, user B might change the source address of the packets sent from PC B 20-2 in a TCP/IP request to the Internet from IP B to IP A. Although the response is sent to the IP address IP A (i.e. that of PC A), routing within network 10 uses the MAC source address recorded in the TCP/IP request, e.g. MAC B, so the response is redirected to user B on PC B 20-2. By blocking packets whose source IP address does not belong to one of the connected users, or by blocking packets that do not form a legitimate pair (a MAC address and an IP address associated with one of the connected users), the access node prevents both fraudulent and accidental misappropriation of packets.
Filtering uplink or outgoing packets according to IP address is a known feature of some access nodes, and it is typically incorporated in public Ethernet networks so that all users can be identified by their IP address. But when this known filtering mechanism is combined with the filtering function of the invention, i.e. filtering of incoming packets according to destination IP and MAC address, network security is considerably improved. Moreover, this gain in security does not affect the infrastructure of the access network and does not restrict law-abiding users. For example, the user need not go through a login procedure, as is required when implementing Point-to-Point Protocol over Ethernet (PPPoE). The network operator need make no major changes.
The operation of the filtering mechanism in access node 12 is shown in the flow chart of Fig. 3. Starting from event 100, the filtering module 122 receives the next incoming packet. In step 101, it is determined on which port the packet was received. If the packet was received on port 1 (indicating a packet arriving from the network 10), the method proceeds to step 102, where the IP and MAC destination address pair is extracted from the packet header. In step 103, these addresses are compared with the entries in the filter table 124. If both addresses match an entry in the table, they represent a legitimate user address; the method then proceeds to step 104 and the packet is sent to the corresponding port. If, on the other hand, the extracted IP and MAC destination address pair is not contained in an entry of table 124, the method goes to step 105 and the packet is blocked. In the case of access node AN2 12-2, the filter table 124 contains the MAC and IP address of user B (PC B, 20-2); the entry therefore comprises port number 5, IP address IP2 and MAC address MAC B. Any other combination of IP and MAC address produces a "No" result in step 103, and the method goes to step 105 and blocks the packet. If in step 101 the packet was received on one of the other ports, 2 to 5 (indicating that it was sent by a user rather than from the network 10), the method goes to step 106, where the IP and MAC source addresses are extracted. The filter table 124 is then queried in step 107, and if the source IP address, or the combination of IP and MAC source address, contained in the packet is not recorded in the table, the method goes to step 105 and the packet is blocked. This indicates that the user has at least illegitimately modified the assigned IP source address in the packet. If, on the other hand, the IP source address or the combination of IP and MAC source address is found in the table in step 107, the method proceeds to step 104 and the packet is forwarded in the known manner to the port defined in the conventional ARP table (Ethernet routing table). In addition to blocking unauthorised packets, the filtering function 112 can notify the network operator of the event by sending an alert. The access node 12 can also generate an event log, which is sent to the operator or administrator of the access network or made available for them to query. The interception of neighbouring users' traffic by means of false MAC addresses is on the increase; besides implying a potential security risk, it affects the data traffic in the access network because of the packets that are inevitably misrouted, and the quality of service the network provides is reduced as a result. If the network operator is alerted to the problem, steps can be taken to block the user (for example by disconnecting the fraudulent user's port).
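The following Python model is an added illustration, not code from the patent: it implements the Fig. 3 decision logic of the access node (downstream check of the destination IP/MAC pair, upstream check of the source IP/MAC pair, an alert on every block) and replays the MAC A impersonation from the description against a self-learning switch. The addresses are constructed sample values standing in for MAC A/B/C and IP1/2/3; port numbers follow Fig. 1.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses standing in for the labels used in Fig. 1.
MAC_A, MAC_B, MAC_C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
IP1, IP2, IP3 = "10.0.0.1", "10.0.0.2", "10.0.0.254"


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


class LearningSwitch:
    """Standard self-learning switch (SW1 14): it trusts the source MAC of every frame."""

    def __init__(self) -> None:
        self.table: Dict[str, int] = {}  # MAC -> port (routing table 140)

    def receive(self, in_port: int, pkt: Packet) -> Optional[int]:
        self.table[pkt.src_mac] = in_port  # learning step, no validation at all
        return self.table.get(pkt.dst_mac)  # None: unknown destination, would be flooded


class AccessNode:
    """Access node 12 with filter table 124: one (IP, MAC) pair per user port."""

    UPLINK = 1  # port 1 faces the aggregation network

    def __init__(self) -> None:
        self.filter_table: Dict[int, Tuple[str, str]] = {}  # user port -> (IP, MAC)
        self.routing_table: Dict[str, int] = {}  # learned MAC -> port (table 120)
        self.alerts: List[str] = []  # alerts/event log for the operator

    def bind_user(self, port: int, ip: str, mac: str) -> None:
        """Populate table 124, e.g. from DHCP snooping or operator configuration."""
        self.filter_table[port] = (ip, mac)

    def handle(self, in_port: int, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Fig. 3 steps 101-107: returns ('forward', out_port) or ('block', None)."""
        self.routing_table[pkt.src_mac] = in_port  # conventional learning still happens
        if in_port == self.UPLINK:
            # Steps 102-103: downstream packet, (dst IP, dst MAC) must be a table entry.
            for port, pair in self.filter_table.items():
                if pair == (pkt.dst_ip, pkt.dst_mac):
                    return "forward", port  # step 104
            self.alerts.append(f"downstream {pkt.dst_ip}/{pkt.dst_mac} matches no user")
            return "block", None  # step 105
        # Steps 106-107: upstream packet, (src IP, src MAC) must be this port's assignment.
        if self.filter_table.get(in_port) == (pkt.src_ip, pkt.src_mac):
            return "forward", self.routing_table.get(pkt.dst_mac, self.UPLINK)
        self.alerts.append(f"port {in_port} sent {pkt.src_ip}/{pkt.src_mac}, not its own")
        return "block", None


def run_scenario() -> Dict[str, object]:
    """Replays the MAC A impersonation from the description, with and without the filter."""
    sw1, an2 = LearningSwitch(), AccessNode()
    an2.bind_user(5, IP2, MAC_B)  # AN2 table 124: port 5, IP2, MAC B
    # Normal traffic teaches SW1 where each MAC lives: router on 1, AN1 on 2, AN2 on 3.
    sw1.receive(1, Packet(MAC_C, MAC_A, IP3, IP1))
    sw1.receive(2, Packet(MAC_A, MAC_C, IP1, IP3))
    sw1.receive(3, Packet(MAC_B, MAC_C, IP2, IP3))
    before = sw1.table[MAC_A]
    # User B forges a frame with source MAC A. AN2's upstream filter (step 107) sees it first.
    forged = Packet(MAC_A, MAC_C, IP2, IP3)
    upstream = an2.handle(5, forged)
    # Model an access node without upstream filtering: the forgery reaches SW1 and is learned.
    sw1.receive(3, forged)
    after = sw1.table[MAC_A]
    # The router's response for user A is now switched to SW1 port 3, i.e. AN2's uplink.
    response = Packet(MAC_C, MAC_A, IP3, IP1)
    sw1_out = sw1.receive(1, response)
    downstream = an2.handle(AccessNode.UPLINK, response)  # steps 102-103 block it
    legit = an2.handle(AccessNode.UPLINK, Packet(MAC_C, MAC_B, IP3, IP2))  # still passes
    return {"sw1_before": before, "sw1_after": after, "sw1_out": sw1_out,
            "upstream": upstream, "downstream": downstream, "legit": legit,
            "alerts": len(an2.alerts)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The switch's table moves MAC A from port 2 to port 3 as soon as the forged frame is learned, which is exactly why the protection has to sit in the access node rather than in the aggregation network.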
The filter table 124 can be generated when a user connects to the access node 12. The IP address assigned to each user can be obtained by snooping the messages exchanged between the Internet service provider (ISP) and the user (such as Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol (PPP) messages). Alternatively, if the IP address is configured manually, it can be obtained by querying the user or the ISP directly. The MAC address can likewise be obtained by querying.
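An added example, not from the patent, of populating filter table 124 by snooping the DHCP exchange as the paragraph above suggests: it parses the fixed BOOTP header and the message-type option, remembers which user port issued a DISCOVER or REQUEST, creates the (IP, MAC) binding only from a DHCPACK arriving on the uplink port, and ignores replies injected from user ports. The DHCP messages are constructed inline and the port numbering follows Fig. 1 (port 1 is the uplink).

```python
import socket
import struct
from typing import Dict, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that precedes the DHCP options
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPREQUEST, DHCPACK = 1, 3, 5
UPLINK_PORT = 1  # port 1 of the access node faces the network (Fig. 1)


def parse_dhcp(payload: bytes) -> Optional[Dict[str, object]]:
    """Parse the fixed BOOTP header (RFC 2131 layout) and the DHCP message type option."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, htype, hlen = payload[0], payload[1], payload[2]
    if htype != 1 or hlen != 6:  # only Ethernet hardware addresses are expected here
        return None
    msg: Dict[str, object] = {"op": op, "xid": payload[4:8],
                              "yiaddr": socket.inet_ntoa(payload[16:20]),
                              "chaddr": ":".join(f"{b:02x}" for b in payload[28:34]),
                              "type": None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:  # pad
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):  # end option or truncated
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg["type"] = value[0]
        i += 2 + length
    return msg


def build_dhcp(op: int, msg_type: int, client_mac: str,
               yiaddr: str = "0.0.0.0", xid: int = 0x2A2A2A2A) -> bytes:
    """Constructs a minimal DHCP message (sample data for this example, not a capture)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                        bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


class FilterTableBuilder:
    """Builds filter table 124 (user port -> (IP, MAC)) by snooping the DHCP exchange."""

    def __init__(self) -> None:
        self.pending: Dict[str, int] = {}  # client MAC -> user port awaiting an ACK
        self.table: Dict[int, Tuple[str, str]] = {}

    def snoop(self, in_port: int, payload: bytes) -> bool:
        """Returns True when the message produced a new binding."""
        msg = parse_dhcp(payload)
        if msg is None:
            return False
        if (in_port != UPLINK_PORT and msg["op"] == BOOTREQUEST
                and msg["type"] in (DHCPDISCOVER, DHCPREQUEST)):
            self.pending[str(msg["chaddr"])] = in_port  # remember which port asked
            return False
        if in_port == UPLINK_PORT and msg["op"] == BOOTREPLY and msg["type"] == DHCPACK:
            port = self.pending.pop(str(msg["chaddr"]), None)
            if port is not None:  # the ACK answers a request seen from a user port
                self.table[port] = (str(msg["yiaddr"]), str(msg["chaddr"]))
                return True
        return False  # server replies from user ports (rogue DHCP server) are ignored


def demo() -> Dict[int, Tuple[str, str]]:
    """User B on port 5 requests an address; the ISP server answers via the uplink."""
    mac_b = "00:00:00:00:00:0b"  # constructed stand-in for MAC B
    builder = FilterTableBuilder()
    builder.snoop(5, build_dhcp(BOOTREQUEST, DHCPDISCOVER, mac_b))
    builder.snoop(5, build_dhcp(BOOTREQUEST, DHCPREQUEST, mac_b))
    # A DHCPACK injected from another user port must not create a binding.
    builder.snoop(3, build_dhcp(BOOTREPLY, DHCPACK, mac_b, "10.0.0.99"))
    builder.snoop(UPLINK_PORT, build_dhcp(BOOTREPLY, DHCPACK, mac_b, "10.0.0.2"))
    return builder.table
```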
The filter table 124 shown in Fig. 2 is a separate entity from the Ethernet routing tables 120-1 and 120-2. It will be understood, however, that this table, with its ports defining the addresses for the filtering function, could ultimately replace the routing tables 120-1 and 120-2. For example, when the filtering function operates on the address pairs stored in association with ports 2 to 5, the filter table 124 shown in Fig. 2 would be extended to also contain at least information about the MAC addresses routed via port 1.
Claims (4)
1. An access node for connecting a user to an Ethernet network, the access node comprising:
a database for storing the Internet Protocol (IP) address of the user in association with the Media Access Control (MAC) address of the user; and
a filter mechanism connected to the database, for filtering data packets received over the Ethernet network and addressed to the user, and for filtering data packets received from the user for transmission over the Ethernet network, wherein the filter mechanism is configured:
for each data packet received over the Ethernet network, to:
extract an IP destination address and a MAC destination address from the data packet;
determine whether the extracted IP destination address and MAC destination address match the IP address and the MAC address of the user stored in the database; and
allow the data packet to be transmitted to the user only when the extracted IP destination address and MAC destination address match the IP address and the MAC address of the user stored in the database; and
for each data packet received from the user, to:
extract an IP source address and a MAC source address from the data packet;
determine whether the extracted IP source address and MAC source address match the IP address and the MAC address of the user stored in the database; and
allow the data packet to be transmitted over the Ethernet network only when the extracted IP source address and MAC source address match the IP address and the MAC address of the user stored in the database.
2. The access node of claim 1, wherein the filter mechanism is further configured to generate an alarm signal when the IP destination address and MAC destination address extracted from one of the data packets received over the Ethernet network do not match the stored IP address and MAC address of the user.
3. A method of filtering packets at an access node that connects a user to an Ethernet access network, the method comprising the steps of:
storing in a database the Internet Protocol (IP) address of the user in association with the Media Access Control (MAC) address of the user;
filtering, using a filter mechanism, data packets received over the Ethernet access network and addressed to the user, wherein for each data packet received over the Ethernet access network the filter mechanism performs the following steps:
extracting an IP destination address and a MAC destination address from the data packet;
determining whether the extracted IP destination address and MAC destination address match the IP address and the MAC address of the user stored in the database; and
allowing the data packet to be transmitted to the user only when the extracted IP destination address and MAC destination address match the IP address and the MAC address of the user stored in the database; and
filtering, using the filter mechanism, data packets received from the user for transmission over the Ethernet access network, wherein for each data packet received from the user the filter mechanism performs the following steps:
extracting an IP source address and a MAC source address from the data packet;
determining whether the extracted IP source address and MAC source address match the IP address and the MAC address of the user stored in the database; and
allowing the data packet to be transmitted over the Ethernet access network only when the extracted IP source address and MAC source address match the IP address and the MAC address of the user stored in the database.
4. The method of claim 3, further comprising the step of:
generating an alarm signal when the IP destination address and MAC destination address extracted from one of the data packets received over the Ethernet access network do not match the stored IP address and MAC address of the user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510190975.XA CN104917751B (en) | 2006-12-22 | 2006-12-22 | Electronic deception prevents |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510190975.XA CN104917751B (en) | 2006-12-22 | 2006-12-22 | Electronic deception prevents |
CN200680056732.6A CN101641933A (en) | 2006-12-22 | 2006-12-22 | Preventing of electronic deception |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200680056732.6A Division CN101641933A (en) | 2006-12-22 | 2006-12-22 | Preventing of electronic deception |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104917751A CN104917751A (en) | 2015-09-16 |
CN104917751B true CN104917751B (en) | 2019-06-04 |
Family
ID=54106056
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510190975.XA Expired - Fee Related CN104917751B (en) | 2006-12-22 | 2006-12-22 | Electronic deception prevents |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104917751B (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1178951A (en) * | 1997-07-23 | 1998-04-15 | 北京天融信技贸有限责任公司 | Special grouped filter fire-proof wall |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7624431B2 (en) * | 2003-12-04 | 2009-11-24 | Cisco Technology, Inc. | 802.1X authentication technique for shared media |
Timeline
- 2006-12-22: CN application CN201510190975.XA filed (patent CN104917751B); not active, Expired - Fee Related
Non-Patent Citations (1)
Title |
---|
How Cisco switches guard against typical spoofing and attacks; lynn; 《赛迪网》 (CCIDnet); 20061020 |
Also Published As
Publication number | Publication date |
---|---|
CN104917751A (en) | 2015-09-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20190604; Termination date: 20201222 |