CN104917751B - Prevention of spoofing (Electronic deception prevents) - Google Patents


Info

Publication number
CN104917751B
Authority
CN
China
Prior art keywords
address
user
mac
received
network
Prior art date
Legal status
Expired - Fee Related
Application number
CN201510190975.XA
Other languages
Chinese (zh)
Other versions
CN104917751A (en)
Inventor
U.贾雷达尔
Current Assignee
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date
2006-12-22
Filing date
2006-12-22
Publication date
2019-06-04
Application filed by Telefonaktiebolaget LM Ericsson AB
Priority to CN201510190975.XA (patent CN104917751B)
Priority claimed from CN200680056732.6A (patent CN101641933A)
Publication of CN104917751A
Application granted
Publication of CN104917751B
Legal status: Expired - Fee Related (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing

Abstract

In a standard Ethernet access network used to reach the Internet, there is no technical security measure that prevents a user from changing his address information in order to illegitimately divert packets from other users, or simply to disguise his identity. By implementing a filtering mechanism in the access node, the general security of the network is improved without sacrificing the simplicity of the Ethernet access network or its transmission speed. The filtering mechanism filters the packets sent to the users connected to the access node on the basis of the combination of the assigned IP destination address and the assigned MAC address. Any packet destined for a user but carrying an incorrect MAC or IP address is blocked.

Description

Prevention of spoofing
Technical field
The present invention relates to the security of a shared medium, such as Ethernet, used to connect network users to a public network such as the Internet.
Background art
When the Internet is used, it may be desirable for a user to be identifiable by a dedicated Internet Protocol (IP) address. This helps in identifying illegal traffic or behaviour that is dangerous to, for example, national security. However, if the user is connected to the Internet through a public Ethernet, identifying the user becomes more difficult, because in a standard network there is no technical barrier to the user changing his IP address and MAC address (a practice commonly referred to as "spoofing"). The term "public Ethernet" refers to an Ethernet network whose core consists of self-learning switches or nodes forming an aggregation network. Switching in the aggregation network is performed using the destination Media Access Control (MAC) address of the packet: each node gradually associates MAC addresses with the relevant destinations as it receives and redirects packets. This may be done by means of Address Resolution Protocol (ARP) requests, which a switch in the aggregation network sends to the edge nodes or routers in the network each time it receives a packet with a new MAC address.
Identifying users in an Ethernet access network is possible where each user is required to log in with a unique username and password before being allowed access to the network, for example by means of the Point-to-Point Protocol over Ethernet (PPPoE). Such systems are not always accepted by users, however, since the need to log in each time unavoidably slows down access. A further technical solution in a shared medium consists of routing all traffic between all users. This is costly and inefficient: the access node must be able to route all traffic, and each user must effectively be allocated at least one IP subnet, which typically comprises four IP addresses regardless of how many IP addresses are actually needed. Where an Ethernet access network has no such configuration or routing restrictions, security in the network depends on mutual trust and on all users abiding by the management rules.
In view of the prior art, it is an object of the invention to improve the security of an Ethernet access network without placing restrictions on the configuration or routing of the network itself.
Summary of the invention
These and further objects are achieved in an access node for connecting at least one user to an Ethernet network. The access node has a table for storing the address information of the connected users. It further includes a filtering module adapted to identify the destination address of a data packet received over the network, and to allow the data packet to be sent to a user only when the packet has a destination address corresponding to the address information stored in the table.
This effectively prevents the following situation: a user sends false address information, causing the aggregation network to divert traffic away from its true destination so that the user receives information assigned to another user. The network infrastructure is not affected, and traffic continues to flow over the shortest path through the aggregation network.
Preferably, the access node stores both the IP address and the MAC address assigned to the user. This prevents traffic from being routed incorrectly in the aggregation network on the basis of the MAC address alone.
The security level may be increased further by arranging the filtering module to additionally check the source address information in packets received from one of the users for transmission over the network, and to allow these packets to be sent onto the network only when their source address information corresponds to the address information stored in the table.
Any attempt by a user, whether by mistake or with malicious intent, to illegitimately use a false or duplicate IP address can thus be avoided.
Brief description of the drawings
Further objects and advantages of the invention will become apparent from the following description of preferred embodiments, given by way of example with reference to the accompanying drawings, in which:
Fig. 1 schematically illustrates a standard Ethernet network with standard Ethernet switches and access nodes according to the invention,
Fig. 2 schematically illustrates the functional units of an access node according to the invention, and
Fig. 3 is a flow chart illustrating the filtering function of an access node according to the invention.
Detailed description of the embodiments
Fig. 1 shows a standard Ethernet network 10, which in this example serves as an access network to the Internet or to another external network connected to the Internet. The connection to the external network is provided by a router 18, which is connected to an aggregation network formed by standard self-learning Ethernet switches 14, 16. The structure and function of the switches 14, 16 of the aggregation network are known in the art and are not discussed further here. As shown, two users, user A 20-1 and user B 20-2, are connected to the network 10 through access nodes 12-1, 12-2. The users shown are PCs, but it will be understood that other devices may constitute the user equipment. Conventional access nodes 12-1, 12-2 include the Fibre Ethernet Access ELN200 or the ADSL Ethernet modem EDA ESN312 IPDSLAM manufactured by Ericsson. The access nodes 12-1, 12-2 of the present embodiment may be based on these known devices but include the additional functions and features described below.
For ease of illustration, each of the access nodes AN1 12-1, AN2 12-2 is shown with five ports. In this embodiment, as shown, user A 20-1 is connected to port 2 of access node AN1 12-1, and user B 20-2 is connected to port 5 of access node AN2 12-2. The remaining ports of the access nodes AN1 12-1, AN2 12-2 are unoccupied, but as those skilled in the art will understand, additional users may be connected to these ports. In the configuration shown, port 1 of each of the access nodes AN1 12-1, AN2 12-2 is connected to a port of an Ethernet switch 14 forming part of the aggregation network. More specifically, access node AN1 12-1 is connected to port 2 of this switch 14, and access node AN2 12-2 is connected to port 3 of the switch. A third port (port 1 of switch 14) is connected to another switch 16 in the aggregation network.
Each of the users A 20-1 and B 20-2 connected to the network 10 is assigned an IP address and a MAC address. The IP address is normally defined and communicated by the Internet service provider (ISP). The MAC address is usually configured in the user's network interface card (NIC), which has a predefined unique MAC address when it leaves the factory. For ease of illustration, the MAC address of user A 20-1 is MAC A and its IP address is IP1; the MAC address of user B 20-2 is MAC B and its IP address is IP2. The router 18 is also assigned a MAC address and an IP address, in this example MAC C and IP3 respectively. In the aggregation network, routing is based solely on the MAC address contained in the destination address of the data packet. Each of the switches 14, 16 and access nodes 12-1, 12-2 holds routing information. This is shown in Fig. 1 by the Ethernet routing table 140 associated with Ethernet switch 14, the table 120-1 associated with access node 12-1 and the table 120-2 associated with access node 12-2; the associated switch or node uses its table to forward packets to the correct port according to the destination MAC address. The routing information contained in these tables 140, 120-1, 120-2 accumulates gradually as the switch or node "learns" to associate packets carrying a given MAC address with a particular route, the association being based on the source address information in received ARP requests, DHCP responses or other packets. Once this information has been built up, packets are sent through the aggregation network by the shortest path.
In such a configuration, however, a user may attempt to change his MAC address or IP address in order to steal packets from other users, even though these addresses are already assigned to another user. For example, a user may send packets with a false source MAC or IP address, and this information will then be treated as the true address and absorbed (assimilated) into the routing tables. For instance, in Fig. 1, user B 20-2 may change his MAC address from MAC B to MAC A in order to occasionally steal Ethernet packets sent to user A 20-1. Although the number of packets intercepted in this way may be small (perhaps one in 10000), this fraudulent use may still be attractive to a malicious user, since over time the stolen packets will contain sensitive information such as security passwords. This can happen as follows: user A sends a TCP/IP request from PC A to the Internet and waits for the acknowledgement. User B sends a false packet from PC B using source address MAC A instead of MAC B, with the aim of redirecting traffic. The false packet causes Ethernet switch SW1 14 to change its routing table so that packets with destination address MAC A are mapped to port 3 instead of port 2. Similarly, the routing table in access node AN2 12-2 is changed so that packets with destination address MAC A are mapped to port 5. With these changes, the response to the TCP/IP request sent by user A, or any other packet destined for PC A 20-1, is redirected to PC B 20-2 and user B. Similarly, user B may assume the MAC address of the router 18 by sending from PC B 20-2 a false packet with source address MAC C. This step causes Ethernet switch SW1 14 to change its routing table so that packets sent to MAC C are mapped to port 3 instead of port 1, and causes access node AN2 to change its routing table so that MAC C is mapped to port 5. Thereafter, any packet in the network 10 with destination address MAC C intended for the router 18 (for example from PC A 20-1) may be redirected to PC B 20-2.
According to the invention, this is avoided by providing a filtering function in the access node. Fig. 2 shows a simplified and schematic filtering arrangement in access node 12-2. As shown in Fig. 2, each access node 12 has a filtering module 122 which extracts the address information from each incoming packet and verifies, by querying a table 124, whether the IP address corresponds to the IP address of a user connected to this access node 12. Table 124 contains the correct (i.e. originally assigned) IP and MAC address of each connected user. By referring to table 124, the filtering module 122 checks the MAC destination address of every incoming packet against the address of the user to which the IP address is assigned. If these addresses match, the packet is sent to the user; if no match is found, the packet is blocked. In this way, if a user uses a MAC address different from the one originally assigned to him as the source address of outgoing packets, as described in the two cases above, the packets will be blocked by the access node.
The filtering function in the access node 12 takes place without the user's knowledge. A fraudulently misrouted packet is simply blocked at the access node instead of being forwarded to the user according to the Ethernet routing table.
In addition to filtering incoming or downlink packets on the basis of the destination IP and MAC address, the filtering module 122 may filter outgoing packets to ensure that they contain a legitimate IP source address. This function serves to prevent a user from illegitimately using the IP source address of another user. For example, user B may change the source address of the packets sent from PC B 20-2 in a TCP/IP request to the Internet from IP B to IP A. Although the response is sent to the IP address IP A (i.e. PC A 20-1), routing within the network 10 uses the MAC source address recorded in the TCP/IP request, i.e. MAC B, so the response is redirected to user B on PC B 20-2. By blocking packets whose source IP address does not belong to one of the connected users, or by blocking packets that do not constitute a legitimate pair (a MAC address associated with the IP address of one of the connected users), the access node prevents both fraudulent and accidental misappropriation of packets.
For some access nodes, filtering of uplink or outgoing packets according to the IP address is a known feature, and it is typically introduced in public Ethernet networks so that all users can be identified by their IP address. When this known filtering mechanism is combined with the filtering function of the invention, i.e. filtering incoming packets according to the destination IP and MAC address, network security is considerably improved. Moreover, this improvement in security does not affect the infrastructure of the access network, nor does it place restrictions on law-abiding users. For example, users are not required to go through a login procedure, as they would be when the Point-to-Point Protocol (PPPoE) is implemented. The network operator does not need to make any significant changes.
The operation of the filtering mechanism in the access node 12 is shown in the flow chart of Fig. 3. Starting from event 100, the filtering module 122 receives the next incoming packet. In step 101 it is determined on which port the packet was received. If the packet was received on port 1 (indicating a packet coming from the network 10), the method proceeds to step 102, in which the IP and MAC destination address pair is extracted from the packet header. In step 103, these addresses are compared with the entries in the filter table 124. If both addresses match an entry in the table, they represent a legitimate user address; the method then proceeds to step 104 and the packet is sent to the corresponding port. If, on the other hand, the extracted IP and MAC destination address pair is not contained in any entry of table 124, the method proceeds to step 105 and the packet is blocked. Where the access node is AN2 12-2, the filter table 124 contains the MAC and IP address of user B (PC B, 20-2); the entry therefore comprises port number 5, IP address IP2 and MAC address MAC B. Any other combination of IP and MAC address produces a "No" result in step 103, and the method proceeds to step 105, blocking the packet. If in step 101 the packet was received on one of the user ports (indicating that it was sent by a user rather than received from the network 10), the method proceeds to step 106, in which the IP and MAC source addresses are extracted. The filter table 124 is then queried in step 107, and if the source IP address, or the combination of IP and MAC source address, contained in the packet is not recorded in the table, the method proceeds to step 105 and the packet is blocked. This indicates that the user has at least illegitimately modified the assigned IP source address in the packet. If, on the other hand, the IP source address or the combination of IP and MAC source address is found in the table in step 107, the method proceeds to step 104 and the packet is forwarded in the known manner to the port defined in the conventional ARP table (Ethernet routing table). In addition to blocking unauthorised packets, the filtering function 122 may also send an alert informing the network operator of the event. Furthermore, the access node 12 may generate an event log which is sent to the operator or administrator of the access network, or which they may query. Interception of neighbouring users' traffic by means of false MAC addresses is becoming more frequent, and besides implying a potential security risk, it affects the data traffic in the access network through the inevitable misrouting of packets. As a result, the quality of service provided by the network is reduced. If the network operator is alerted to the problem, steps can be taken (such as disconnecting the port of the fraudulent user) to block that user.
The filter table 124 may be generated when a user connects to the access node 12. The IP address assigned to each user may be obtained by snooping the messages exchanged between the Internet service provider (ISP) and the user (such as Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol (PPP) messages). Alternatively, if the IP address is configured manually, it may be obtained by querying the user or the ISP directly. The MAC address may likewise be obtained by query.
The filter table 124 shown in Fig. 2 is a separate entity from the Ethernet routing tables 120-1 and 120-2. It will be understood, however, that this table may ultimately replace the routing tables 120-1 and 120-2 by defining the port for the addresses used by the filtering function. For example, when the filtering function operates with the stored address pairs associated with ports 2 to 5, the filter table 124 shown in Fig. 2 would be extended to include at least information about the MAC addresses routed via port 1.
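The following is an added illustration of the Fig. 3 filtering flow (downlink check on the destination IP/MAC pair, uplink check on the source IP/MAC pair, alerting on a mismatch); it is not code from the patent or from Ericsson. The addresses, the `Packet` and `FilterEntry` types and the `AccessNodeFilter` class are constructed for the example, and the uplink check is tied to the ingress port's own entry, which is a stricter reading than "recorded in the table".

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port 1 of the access node faces the aggregation network (Fig. 1); the
# remaining ports (2..5 in the patent's example) face users.
NETWORK_PORT = 1

# Constructed example addresses standing in for the patent's symbolic
# IP1/MAC A, IP2/MAC B (users) and IP3/MAC C (router 18). Not real hosts.
IP1, MAC_A = "192.0.2.11", "02:00:00:00:00:0a"   # user A, behind AN1
IP2, MAC_B = "192.0.2.12", "02:00:00:00:00:0b"   # user B, AN2 port 5
IP3, MAC_C = "192.0.2.1", "02:00:00:00:00:0c"    # router 18


@dataclass(frozen=True)
class Packet:
    in_port: int
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class FilterEntry:
    port: int   # user port the binding belongs to
    ip: str     # IP address assigned to that user (e.g. learned by DHCP snooping)
    mac: str    # MAC address of that user's NIC


class AccessNodeFilter:
    """Filtering module 122 with its filter table 124, following the Fig. 3 flow."""

    def __init__(self) -> None:
        self.table: Dict[int, FilterEntry] = {}   # keyed by user port
        self.alerts: List[str] = []               # operator alerts / event log

    def learn_user(self, port: int, ip: str, mac: str) -> None:
        """Record a user's assigned IP/MAC binding when the user attaches."""
        self.table[port] = FilterEntry(port, ip, mac)

    def _entry_for_pair(self, ip: str, mac: str) -> Optional[FilterEntry]:
        """Step 103: find the table entry whose IP *and* MAC both match."""
        for entry in self.table.values():
            if entry.ip == ip and entry.mac == mac:
                return entry
        return None

    def handle(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return ("forward", out_port) or ("block", None) for one packet."""
        if pkt.in_port == NETWORK_PORT:
            # Downlink (steps 102-105): the destination IP/MAC pair must be an
            # assigned binding of a connected user; otherwise the packet was
            # diverted here by a poisoned routing table and is dropped.
            entry = self._entry_for_pair(pkt.dst_ip, pkt.dst_mac)
            if entry is None:
                self.alerts.append(
                    f"downlink blocked: dst {pkt.dst_ip}/{pkt.dst_mac} "
                    f"not assigned to any user on this node")
                return ("block", None)
            return ("forward", entry.port)

        # Uplink (steps 106-107): the source IP/MAC pair must equal the binding
        # assigned to the port the packet arrived on (assumption of this example).
        entry = self.table.get(pkt.in_port)
        if entry is None or (entry.ip, entry.mac) != (pkt.src_ip, pkt.src_mac):
            self.alerts.append(
                f"uplink blocked on port {pkt.in_port}: src "
                f"{pkt.src_ip}/{pkt.src_mac} is not this port's binding")
            return ("block", None)
        return ("forward", NETWORK_PORT)


def demo_an2() -> Tuple[AccessNodeFilter, List[Tuple[str, Optional[int]]]]:
    """Replay the patent's scenario at access node AN2 (user B on port 5)."""
    an2 = AccessNodeFilter()
    an2.learn_user(5, IP2, MAC_B)
    scenario = [
        # legitimate reply from the router to user B
        Packet(NETWORK_PORT, MAC_C, MAC_B, IP3, IP2),
        # reply meant for user A, diverted towards AN2 after user B's spoofed
        # source MAC A poisoned SW1's table: IP1/MAC A is not in AN2's table
        Packet(NETWORK_PORT, MAC_C, MAC_A, IP3, IP1),
        # user B sending upstream with source MAC A (MAC spoofing)
        Packet(5, MAC_A, MAC_C, IP2, IP3),
        # user B sending upstream with user A's IP address (IP spoofing)
        Packet(5, MAC_B, MAC_C, IP1, IP3),
        # user B's own, legitimate upstream packet
        Packet(5, MAC_B, MAC_C, IP2, IP3),
    ]
    decisions = [an2.handle(pkt) for pkt in scenario]
    return an2, decisions


if __name__ == "__main__":
    node, results = demo_an2()
    for decision, line in zip(results, node.alerts + [""] * len(results)):
        print(decision, line)
```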

Claims (4)

1. An access node for connecting a user to an Ethernet network, the access node comprising:
a database for storing an Internet Protocol (IP) address of the user in association with a Media Access Control (MAC) address; and
a filter mechanism connected to the database, for filtering data packets received through the Ethernet network and addressed to the user, and for filtering data packets received from the user for transmission through the Ethernet network, wherein the filter mechanism is configured to:
for each data packet received through the Ethernet network:
extract an IP destination address and a MAC destination address from the data packet received through the Ethernet network;
determine whether the extracted IP destination address and MAC destination address match the IP address and the MAC address of the user stored in the database; and
allow the data packet received through the Ethernet network to be transmitted to the user only when the extracted IP destination address and MAC destination address match the IP address and the MAC address of the user stored in the database; and
for each data packet received from the user:
extract an IP source address and a MAC source address from the data packet received from the user;
determine whether the extracted IP source address and MAC source address match the IP address and the MAC address of the user stored in the database; and
allow the data packet received from the user to be transmitted through the Ethernet network only when the extracted IP source address and MAC source address match the IP address and the MAC address of the user stored in the database.
2. The access node of claim 1, wherein the filter mechanism is further configured to generate an alert signal when the IP destination address and MAC destination address extracted from one of the data packets received through the Ethernet network do not match the stored IP address and MAC address of the user.
3. A method of filtering packets at an access node which connects a user to an Ethernet access network, the method comprising the steps of:
storing an Internet Protocol (IP) address of the user in association with a Media Access Control (MAC) address in a database;
using a filter mechanism to filter data packets received through the Ethernet access network and addressed to the user, wherein for each data packet received through the Ethernet access network the filter mechanism performs the steps of:
extracting an IP destination address and a MAC destination address from the data packet received through the Ethernet access network;
determining whether the extracted IP destination address and MAC destination address match the IP address and the MAC address of the user stored in the database; and
allowing the data packet received through the Ethernet access network to be transmitted to the user only when the extracted IP destination address and MAC destination address match the IP address and the MAC address of the user stored in the database; and
using the filter mechanism to filter data packets received from the user for transmission through the Ethernet access network, wherein for each data packet received from the user the filter mechanism performs the steps of:
extracting an IP source address and a MAC source address from the data packet received from the user;
determining whether the extracted IP source address and MAC source address match the IP address and the MAC address of the user stored in the database; and
allowing the data packet received from the user to be transmitted through the Ethernet access network only when the extracted IP source address and MAC source address match the IP address and the MAC address of the user stored in the database.
4. The method of claim 3, further comprising the step of:
generating an alert signal when the IP destination address and MAC destination address extracted from one of the data packets received through the Ethernet access network do not match the stored IP address and MAC address of the user.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510190975.XA CN104917751B (en) 2006-12-22 2006-12-22 Electronic deception prevents

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510190975.XA CN104917751B (en) 2006-12-22 2006-12-22 Electronic deception prevents
CN200680056732.6A CN101641933A (en) 2006-12-22 2006-12-22 Preventing of electronic deception

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN200680056732.6A Division CN101641933A (en) 2006-12-22 2006-12-22 Preventing of electronic deception

Publications (2)

Publication Number Publication Date
CN104917751A CN104917751A (en) 2015-09-16
CN104917751B true CN104917751B (en) 2019-06-04

Family

ID=54106056

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510190975.XA Expired - Fee Related CN104917751B (en) 2006-12-22 2006-12-22 Electronic deception prevents

Country Status (1)

Country Link
CN (1) CN104917751B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1178951A (en) * 1997-07-23 1998-04-15 北京天融信技贸有限责任公司 Special grouped filter fire-proof wall

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7624431B2 (en) * 2003-12-04 2009-11-24 Cisco Technology, Inc. 802.1X authentication technique for shared media

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
How Cisco switches guard against typical spoofing and attacks; lynn; 《赛迪网》; 20061020

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190604

Termination date: 20201222