CN106506531A - The defence method and device of ARP attack messages - Google Patents


Info

Publication number: CN106506531A
Application number: CN201611110395.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 杨印州, 张岩, 常伟
Original assignee: Hangzhou DPTech Technologies Co Ltd
Current assignee: Hangzhou DPTech Technologies Co Ltd

Classifications

All classes fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 49/00 Packet switching elements
    • H04L 49/20 Support for services
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]


Abstract

The present invention provides a method and device for defending against ARP attack packets. The method includes: determining whether the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain entries that are not completely identical; if such entries exist, determining a port to be detected from the MAC table collected in the current polling period based on those entries; matching the ARP packets received on the port to be detected against the entries of the ARP table collected in the current polling period; and, if the match succeeds, determining that the ARP packet is an attack packet and discarding it. Because the invention can effectively lock the attacked port, it solves the problem in the related art that ARP spoofing attacks cannot be defended against effectively since the attacked port cannot be located.

Description

The defence method and device of ARP attack messages
Technical field
The present invention relates to the field of communication technology, and in particular to a method and device for defending against ARP (Address Resolution Protocol) attack packets.
Background technology
With the development and spread of network technology, ARP spoofing attacks occur more and more frequently. ARP spoofing can cause most users on the same network segment to be disconnected repeatedly, so that the whole LAN cannot operate normally; in severe cases it can paralyse large parts of the network.
To defend against ARP spoofing attacks, the related art relies on manually configuring static ARP entries and configuring ARP packet rate-limiting policies on the relevant equipment. Although these measures can reduce the impact of ARP spoofing on the current network to some extent, they cannot locate the attacked port, and therefore cannot defend against ARP spoofing attacks effectively.
Content of the invention
In view of this, the present invention provides a method and device for defending against ARP attack packets, which solves the problem in the related art that ARP spoofing attacks cannot be defended against effectively because the attacked port cannot be located.
Specifically, the present invention is achieved through the following technical solutions:
According to a first aspect of the embodiments of the present invention, a method for defending against ARP attack packets is provided. The method is applied to a switching device; the switching device is preset with a polling time and periodically collects its local medium access control (MAC) table and ARP table according to the preset polling period. The method includes:
determining whether the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain entries that are not completely identical;
if such not-completely-identical entries exist, determining a port to be detected from the MAC table collected in the current polling period based on those entries;
matching the ARP packets received on the port to be detected against the entries of the ARP table collected in the current polling period;
if the match succeeds, determining that the ARP packet is an attack packet and discarding it.
Optionally, the not-completely-identical entries include entries with the same source IP address but different source MAC addresses, and entries with different source IP addresses but the same source MAC address.
Optionally, the switching device is preset with a table to be detected, and the method further includes:
if the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain not-completely-identical entries, adding those entries to the preset table to be detected;
and matching the ARP packets received on the port to be detected against the entries of the ARP table collected in the current polling period includes:
matching the ARP packets received on the port to be detected against the entries of the table to be detected.
Optionally, for each polling period the switching device counts the collected packets whose specified information is identical, where the specified information includes the source IP address and the source MAC address; the switching device is preset with a first threshold and a second threshold greater than the first threshold, and the method further includes:
if the count of ARP packets with identical specified information collected in a polling period is greater than the first threshold and less than the second threshold, setting the ARP entry corresponding to those ARP packets as a static ARP entry;
if the count of ARP packets with identical specified information collected in a polling period is greater than the second threshold, determining that those ARP packets are attack packets and discarding them.
According to a second aspect of the embodiments of the present invention, a device for defending against ARP attack packets is provided. The device is applied to a switching device; the switching device is preset with a polling time and periodically collects its local medium access control (MAC) table and ARP table according to the preset polling period. The device includes:
a judging module, configured to determine whether the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain entries that are not completely identical;
a determining module, configured to determine, if such not-completely-identical entries exist, a port to be detected from the MAC table collected in the current polling period based on those entries;
a matching module, configured to match the ARP packets received on the port to be detected against the entries of the ARP table collected in the current polling period;
a discarding module, configured to determine, if the match succeeds, that the ARP packet is an attack packet and to discard it.
Optionally, the not-completely-identical entries include entries with the same source IP address but different source MAC addresses, and entries with different source IP addresses but the same source MAC address.
Optionally, the switching device is preset with a table to be detected, and the device further includes:
an adding module, configured to add the not-completely-identical entries to the preset table to be detected if the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain such entries;
and the matching module is specifically configured to:
match the ARP packets received on the port to be detected against the entries of the table to be detected.
Optionally, for each polling period the switching device counts the collected packets whose specified information is identical, where the specified information includes the source IP address and the source MAC address; the switching device is preset with a first threshold and a second threshold greater than the first threshold, and the device further includes:
a setting module, configured to set the ARP entry corresponding to the ARP packets as a static ARP entry if the count of ARP packets with identical specified information collected in a polling period is greater than the first threshold and less than the second threshold;
and the discarding module is further configured to:
determine that the ARP packets are attack packets and discard them if the count of ARP packets with identical specified information collected in a polling period is greater than the second threshold.
In the present invention, the switching device can determine whether the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain entries that are not completely identical and, if so, determine a port to be detected from the MAC table collected in the current polling period based on those entries. The switching device can then match the ARP packets received on the port to be detected against the entries of the ARP table collected in the current polling period; if the match succeeds, it can determine that the ARP packet is an attack packet and discard it.
In the present invention, the switching device can determine the entries to be detected from the ARP tables collected in two adjacent polling periods, lock the attacked port from the MAC table according to those entries, and further defend against the packets received on the attacked port. Because the invention can effectively lock the attacked port, it solves the problem in the related art that ARP spoofing attacks cannot be defended against effectively since the attacked port cannot be located.
Description of the drawings
Fig. 1 is a flow chart of a method for defending against ARP attack packets according to an embodiment of the present invention;
Fig. 2 is a hardware structure diagram of the equipment hosting the device for defending against ARP attack packets of the present invention;
Fig. 3 is a block diagram of an embodiment of the device for defending against ARP attack packets of the present invention.
Specific embodiments
Exemplary embodiments will be described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of apparatus and methods consistent with some aspects of the invention as detailed in the appended claims.
The terminology used in the present invention is for the purpose of describing particular embodiments only and is not intended to limit the invention. The singular forms "a", "said" and "the" used in the present invention and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in the present invention to describe various pieces of information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the invention, first information may also be referred to as second information, and similarly second information may be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
Referring to Fig. 1, which is a flow chart of a method for defending against ARP attack packets according to an embodiment of the present invention, the embodiment is applied to a switching device and includes the following steps:
Step 101: determine whether the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain entries that are not completely identical.
In the present invention, the switching device may operate at the second layer of the OSI (Open System Interconnection) network reference model, i.e. the data link layer, or at the third layer, i.e. the network layer.
In the present invention, the switching device may be preset with a polling time. The preset polling time may be a default value of the device or may be set by the relevant personnel; for example, it may be 0.2 s. The present invention places no limitation on it.
Once the polling time has been preset, the switching device can collect its local MAC (Media Access Control) table and ARP table every polling period; specifically, it can periodically collect the switch_mac and switch_arp files from its cache.
In the present invention, the switching device can receive ARP packets and generate corresponding entries in the cached ARP table based on the attribute information of the ARP packets, where the attribute information may include the source IP address, source MAC address, destination IP address and destination MAC address.
In one illustrated embodiment, assume the attribute information of a received ARP packet is as shown in Table 1:

Source MAC address | Source IP address | Destination MAC address | Destination IP address
00-23-5A-15-99-42  | 22.22.22.22       | 05-31-13-25-19-36       | 33.33.33.33

Table 1

The ARP table cached by the switching device is then as shown in Table 2:

Source MAC address | Source IP address | Destination MAC address | Destination IP address
00-23-5A-15-99-42  | 22.22.22.22       | 05-31-13-25-19-36       | 33.33.33.33

Table 2
In the present invention, after collecting the ARP table of the current polling period and the ARP table of the previous polling period, the switching device can determine whether the two collected ARP tables contain entries that are not completely identical.
Here, a not-completely-identical entry may be an entry with the same source IP address but a different source MAC address, or an entry with a different source IP address but the same source MAC address.
In one embodiment, assume the ARP table collected in the current polling period is as shown in Table 3:

Source MAC address | Source IP address | Destination MAC address | Destination IP address
00-23-5A-15-99-42  | 33.33.33.33       | 05-31-13-25-19-36       | 33.33.33.33

Table 3

Assume that the ARP table collected in the previous polling period is as shown in Table 2. It can then be determined that the two ARP tables contain an entry with a different source IP address but the same source MAC address, i.e. the two ARP tables contain a not-completely-identical entry.
In one embodiment, if the ARP table collected in the current polling period and the ARP table collected in the previous polling period share neither a source IP address nor a source MAC address, it can be determined that the two ARP tables contain no not-completely-identical entries.
Step 102: if such not-completely-identical entries exist, determine a port to be detected from the MAC table collected in the current polling period based on those entries.
In the present invention, if the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain not-completely-identical entries, the switching device can determine a port to be detected from the MAC table collected in the current polling period based on those entries.
In one embodiment, assume the two ARP tables collected in two adjacent polling periods are as shown in Table 2 and Table 3. It can then be seen that the entry whose source MAC address is 00-23-5A-15-99-42 is the not-completely-identical entry, and the switching device can determine the port to be detected from the MAC table collected in the current polling period based on this source MAC address.
Assume the MAC table collected by the switching device in the current polling period is as shown in Table 4:

Source MAC address | Port
00-23-5A-15-99-42  | 35

Table 4

Then, as Table 4 shows, port 35 can be determined as the port to be detected.
In an embodiment of the present invention, the switching device may be preset with a table to be detected. If the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain not-completely-identical entries, the switching device can add those entries to the preset table to be detected, and then determine the ports to be detected from the collected MAC table for the entries in the table to be detected.
In one illustrated embodiment, assume the entry whose source MAC address is 00-23-5A-15-99-42 is the not-completely-identical entry of the two collected ARP tables. The switching device can then add this entry to the preset table to be detected; assume the table to be detected after the entry has been added is as shown in Table 5:
Table 5
The switching device can then traverse the source MAC addresses in Table 5 and determine the corresponding port to be detected for each source MAC address from the collected MAC table.
The details of determining the corresponding port to be detected from the collected MAC table based on a source MAC address have been described in the embodiment above and are not repeated here.
Step 103: match the ARP packets received on the port to be detected against the entries of the ARP table collected in the current polling period.
Step 104: if the match succeeds, determine that the ARP packet is an attack packet and discard it.
In the present invention, once the port to be detected has been determined, the ARP packets received on that port can be matched against the entries of the ARP table collected in the current polling period.
In one embodiment, assume port 35 has been determined as the port to be detected and that the attribute information of an ARP packet received on port 35 is as shown in Table 6:

Source MAC address | Source IP address | Destination MAC address | Destination IP address
00-23-5A-15-99-42  | 44.44.44.44       | 05-31-13-25-19-36       | 33.33.33.33

Table 6

Assume the ARP table collected in the current polling period is as shown in Table 2. It can then be determined that this ARP packet does not match the ARP table collected in the current polling period.
In another embodiment, again assume port 35 is the port to be detected and that the attribute information of an ARP packet received on port 35 is as shown in Table 7:

Source MAC address | Source IP address | Destination MAC address | Destination IP address
00-23-5A-15-99-42  | 22.22.22.22       | 05-31-13-25-19-36       | 33.33.33.33

Table 7

Again assume the ARP table collected in the current polling period is as shown in Table 2. It can then be determined that this packet matches the ARP table collected in the current polling period.
In the embodiment shown in the present invention, if the switching device is preset with a table to be detected, the packets received on the port to be detected can be matched against the entries of the table to be detected. The matching process is the same as in the embodiment above and is not repeated here.
In the present invention, if an ARP packet received on the port to be detected matches an entry of the ARP table collected in the current polling period, it can be determined that the ARP packet is an attack packet, and the switching device can discard it.
If an ARP packet received on the port to be detected does not match any entry of the ARP table collected in the current polling period, it can be determined that the ARP packet is a normal packet, and the switching device can process it further according to its preset processing policy.
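Steps 101 to 104 above, worked through on the description's own tables as an added example (this is not code from the patent or from Hangzhou DPTech). The type and function names, and the matching rule used (a packet matches an entry when its source MAC and source IP both equal the entry's), are assumptions of this example; passing the table to be detected instead of the current ARP table as `match_table` gives the variant described for that table.

```python
"""Polling-based detection of ARP spoofing, following steps 101 to 104.

Added example. ArpEntry, find_inconsistent_entries, ports_to_detect and
classify_packet are names chosen here; the matching rule on (source MAC,
source IP) is an assumption. Sample tables are built from the values quoted
in the description (Tables 2, 3, 4, 6 and 7).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEntry:
    """One row of an ARP table, or a packet's attribute information."""
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str

    def binding(self):
        """The (source MAC, source IP) pair compared by the matching rule."""
        return (self.src_mac.lower(), self.src_ip)


def find_inconsistent_entries(prev_arp, cur_arp):
    """Step 101: entries of the current ARP table that are 'not completely
    identical' to an entry of the previous table, i.e. same source IP with a
    different source MAC, or same source MAC with a different source IP."""
    inconsistent = set()
    for cur in cur_arp:
        for prev in prev_arp:
            same_ip = cur.src_ip == prev.src_ip
            same_mac = cur.src_mac.lower() == prev.src_mac.lower()
            if same_ip != same_mac:  # exactly one of the two fields changed
                inconsistent.add(cur)
    return inconsistent


def ports_to_detect(inconsistent, mac_table):
    """Step 102: look up each suspicious source MAC in the current MAC table
    (lower-cased MAC -> port) and collect the ports to be detected."""
    return {mac_table[e.src_mac.lower()] for e in inconsistent
            if e.src_mac.lower() in mac_table}


def classify_packet(packet, ingress_port, detect_ports, match_table):
    """Steps 103 and 104: an ARP packet received on a port to be detected that
    matches an entry of match_table is an attack packet and is dropped; any
    other packet is passed on for normal processing."""
    if ingress_port not in detect_ports:
        return "normal"
    bindings = {e.binding() for e in match_table}
    return "attack" if packet.binding() in bindings else "normal"


def run_example():
    """Reproduce the worked example of the description."""
    mac_a, mac_b = "00-23-5A-15-99-42", "05-31-13-25-19-36"
    table2 = [ArpEntry(mac_a, "22.22.22.22", mac_b, "33.33.33.33")]
    table3 = [ArpEntry(mac_a, "33.33.33.33", mac_b, "33.33.33.33")]
    table4 = {mac_a.lower(): 35}  # MAC table: source MAC -> port

    suspicious = find_inconsistent_entries(prev_arp=table2, cur_arp=table3)
    ports = ports_to_detect(suspicious, table4)

    # Packets received on port 35, matched against Table 2 as the text does.
    pkt6 = ArpEntry(mac_a, "44.44.44.44", mac_b, "33.33.33.33")
    pkt7 = ArpEntry(mac_a, "22.22.22.22", mac_b, "33.33.33.33")
    return {
        "ports": ports,
        "table6_packet": classify_packet(pkt6, 35, ports, table2),
        "table7_packet": classify_packet(pkt7, 35, ports, table2),
        "other_port": classify_packet(pkt7, 12, ports, table2),
    }


if __name__ == "__main__":
    print(run_example())
```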
In the embodiment shown in the present invention, the switching device can count, for each polling period, the collected packets whose specified information is identical, where the specified information may include the source IP address and the source MAC address. The switching device may be preset with a first threshold and a second threshold greater than the first threshold; both thresholds may be set by the relevant personnel, for example the first threshold may be 30 and the second threshold 100. The present invention places no limitation on them.
When the count of ARP packets with identical specified information collected in a polling period is greater than the first threshold and less than the second threshold, the switching device can set the ARP entry corresponding to those ARP packets as a static ARP entry; when the count is greater than the second threshold, the switching device can determine that those ARP packets are attack packets and discard them.
In one illustrated embodiment, assume that the count of ARP packets with identical specified information collected by the switching device in the current polling period is 40, which is greater than the first threshold 30 and less than the second threshold 100. The ARP entry corresponding to those ARP packets can then be set as a static ARP entry. Assuming the attribute information of the ARP packets is as shown in Table 1, the entry of Table 2 corresponding to the ARP packets can be set as a static ARP entry, i.e. the entry shown in Table 8 can be set as a static ARP entry:

Source MAC address | Source IP address
00-23-5A-15-99-42  | 22.22.22.22

Table 8

In another illustrated embodiment, assume that the count of ARP packets with identical specified information collected by the switching device in the current polling period is 120, which is greater than the second threshold 100. The switching device can then determine that those ARP packets are attack packets and discard them.
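The two-threshold counting described in the preceding paragraphs, as an added example (not code from the patent or from Hangzhou DPTech). The function names and the treatment of a count exactly equal to a threshold are assumptions of this example; the thresholds 30 and 100 and the counts 40 and 120 are the values quoted above, and the third, low-volume binding is constructed.

```python
"""Per-polling-period counting of ARP packets by (source MAC, source IP).

Added example. classify_period and run_count_example are names chosen here.
The description leaves a count exactly equal to a threshold unspecified; this
example places such a binding in neither set.
"""
from collections import Counter

FIRST_THRESHOLD = 30    # example value quoted in the description
SECOND_THRESHOLD = 100  # example value quoted in the description


def classify_period(packets, first=FIRST_THRESHOLD, second=SECOND_THRESHOLD):
    """Count one polling period's ARP packets by (source MAC, source IP).

    Returns (static, dropped): bindings seen more than `first` and fewer than
    `second` times are set as static ARP entries; bindings seen more than
    `second` times are treated as attack traffic and their packets dropped.
    """
    counts = Counter((mac.lower(), ip) for mac, ip in packets)
    static, dropped = set(), set()
    for binding, n in counts.items():
        if n > second:
            dropped.add(binding)
        elif first < n < second:
            static.add(binding)
    return static, dropped


def run_count_example():
    """Constructed period: 40 packets for the Table 8 binding, 120 for a second
    source MAC claiming the same IP, and 5 for an unrelated quiet host."""
    steady = ("00-23-5A-15-99-42", "22.22.22.22")  # binding of Table 8
    flood = ("0A-0B-0C-0D-0E-0F", "22.22.22.22")   # constructed second MAC
    quiet = ("11-22-33-44-55-66", "10.0.0.7")       # constructed quiet host
    packets = [steady] * 40 + [flood] * 120 + [quiet] * 5
    return classify_period(packets)


if __name__ == "__main__":
    static, dropped = run_count_example()
    print("static ARP entries:", static)
    print("dropped bindings:", dropped)
```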
Corresponding to the embodiments of the method for defending against ARP attack packets described above, the present invention also provides embodiments of a device for defending against ARP attack packets.
The embodiments of the device for defending against ARP attack packets of the present invention can be applied in a switching device. The device embodiments may be implemented in software, in hardware, or in a combination of software and hardware. Taking a software implementation as an example, the device, as a logical unit, is formed by the processor of the equipment in which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware perspective, Fig. 2 shows a hardware structure diagram of the equipment hosting the device for defending against ARP attack packets of the present invention; besides the processor, memory, network interface and non-volatile memory shown in Fig. 2, the equipment in which the device resides may typically also include other hardware, such as a forwarding chip responsible for processing packets.
Referring to Fig. 3, which is a block diagram of an embodiment of the device for defending against ARP attack packets of the present invention:
The device may include a judging module 310, a determining module 320, a matching module 330 and a discarding module 340.
The judging module 310 is configured to determine whether the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain entries that are not completely identical;
the determining module 320 is configured to determine, if such not-completely-identical entries exist, a port to be detected from the MAC table collected in the current polling period based on those entries;
the matching module 330 is configured to match the ARP packets received on the port to be detected against the entries of the ARP table collected in the current polling period;
the discarding module 340 is configured to determine, if the match succeeds, that the ARP packet is an attack packet and to discard it.
In an optional implementation, the not-completely-identical entries may include entries with the same source IP address but different source MAC addresses, and entries with different source IP addresses but the same source MAC address.
In an optional implementation, the switching device may be preset with a table to be detected, and the device may further include (not shown in Fig. 3):
an adding module, configured to add the not-completely-identical entries to the preset table to be detected if the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain such entries;
and the matching module 330 is specifically configured to:
match the ARP packets received on the port to be detected against the entries of the table to be detected.
In an optional implementation, the switching device counts, for each polling period, the collected packets whose specified information is identical, where the specified information includes the source IP address and the source MAC address; the switching device is preset with a first threshold and a second threshold greater than the first threshold, and the device may further include (not shown in Fig. 3):
a setting module, configured to set the ARP entry corresponding to the ARP packets as a static ARP entry if the count of ARP packets with identical specified information collected in a polling period is greater than the first threshold and less than the second threshold;
and the discarding module 340 is further configured to:
determine that the ARP packets are attack packets and discard them if the count of ARP packets with identical specified information collected in a polling period is greater than the second threshold.
In the present invention, the switching device may judge whether the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain entries that are not completely identical and, when such entries exist, determine the port to be detected from the MAC table collected in the current polling period based on those entries. The switching device may then match the ARP packets received from the port to be detected against the entries in the ARP table collected in the current polling period; if the match succeeds, it may determine that the ARP packet is an attack packet and discard it.
In the present invention, the switching device can determine the entries to be detected from the ARP tables collected in two adjacent polling periods, then lock the attacked port from the MAC table according to those entries, and apply further defence to the packets received on that port. Because the present invention can effectively lock the attacked port, it can solve the problem in the related art that ARP spoofing attacks cannot be effectively defended against because the attacked port cannot be located.
In the device described above, the specific process by which each unit realises its function and effect is described in the corresponding steps of the method above and is not repeated here.
Since the device embodiment essentially corresponds to the method embodiment, for the related parts reference may be made to the description of the method embodiment. The device embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the present solution. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely the preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (8)

1. A method for defending against ARP attack packets, applied to a switching device, characterised in that the switching device presets a polling period and collects a local media access control (MAC) table and an ARP table according to the preset polling period, the method comprising:
judging whether the ARP table collected in the current polling period and the ARP table collected in the previous polling period (the period immediately preceding the current one) contain entries that are not completely identical;
if such not completely identical entries exist, determining a port to be detected from the MAC table collected in the current polling period, based on the not completely identical entries;
matching the ARP packets received from the port to be detected against the entries in the ARP table collected in the current polling period;
if the match succeeds, determining that the ARP packet is an attack packet and discarding the ARP packet.
2. The method according to claim 1, characterised in that the not completely identical entries include entries with the same source IP address and different source MAC addresses, and entries with different source IP addresses and the same source MAC address.
3. The method according to claim 1, characterised in that the switching device presets a table to be detected, and the method further comprises:
if the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain entries that are not completely identical, adding the not completely identical entries to the preset table to be detected;
wherein matching the ARP packets received from the port to be detected against the entries in the ARP table collected in the current polling period comprises:
matching the ARP packets received from the port to be detected against the entries in the table to be detected.
4. The method according to claim 1, characterised in that the switching device counts, for each polling period, the packets whose specified information is identical, where the specified information includes the source IP address and the source MAC address, and the switching device presets a first threshold and a second threshold greater than the first threshold, the method further comprising:
if, for a given polling period, the count of ARP packets with identical specified information is greater than the first threshold and less than the second threshold, setting the ARP entry corresponding to the ARP packets as a static ARP entry;
if, for a given polling period, the count of ARP packets with identical specified information is greater than the second threshold, determining that the ARP packets are attack packets and discarding the ARP packets.
5. A device for defending against ARP attack packets, applied to a switching device, characterised in that the switching device presets a polling period and collects a local media access control (MAC) table and an ARP table according to the preset polling period, the device comprising:
a judging module, configured to judge whether the ARP table collected in the current polling period and the ARP table collected in the previous polling period (the period immediately preceding the current one) contain entries that are not completely identical;
a determining module, configured to, if such not completely identical entries exist, determine a port to be detected from the MAC table collected in the current polling period, based on the not completely identical entries;
a matching module, configured to match the ARP packets received from the port to be detected against the entries in the ARP table collected in the current polling period;
a discarding module, configured to, if the match succeeds, determine that the ARP packet is an attack packet and discard the ARP packet.
6. The device according to claim 5, characterised in that the not completely identical entries include entries with the same source IP address and different source MAC addresses, and entries with different source IP addresses and the same source MAC address.
7. The device according to claim 5, characterised in that the switching device presets a table to be detected, and the device further comprises:
an adding module, configured to add the not completely identical entries to the preset table to be detected if the ARP table collected in the current polling period and the ARP table collected in the previous polling period contain entries that are not completely identical;
wherein the matching module is specifically configured to:
match the ARP packets received from the port to be detected against the entries in the table to be detected.
8. The device according to claim 5, characterised in that the switching device counts, for each polling period, the packets whose specified information is identical, where the specified information includes the source IP address and the source MAC address, and the switching device presets a first threshold and a second threshold greater than the first threshold, the device further comprising:
a setting module, configured to set the ARP entry corresponding to the ARP packets as a static ARP entry if, for a given polling period, the count of ARP packets with identical specified information is greater than the first threshold and less than the second threshold;
wherein the discarding module is further configured to:
determine that the ARP packets are attack packets and discard the ARP packets if, for a given polling period, the count of ARP packets with identical specified information is greater than the second threshold.
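The two mechanisms described in the device description above and in claims 1 to 8 (comparison of the ARP tables of two adjacent polling periods to lock a port, and per-period counting of identical ARP packets against two thresholds), as an added Python simulation that is not code from the patent or its assignee. It assumes, beyond what the patent states, that an ARP table is a set of (IP, MAC) pairs and a MAC table maps MAC to port; that the current-period entry which conflicts with the previous period is the one placed in the table to be detected (the claim 3 variant); that packets are matched on their (sender IP, sender MAC) pair; and that a static ARP entry is merely recorded, the switch's refusal to overwrite it being left out. The names `ArpGuard`, `conflicting_entries` and `ports_to_detect` are the example's own:

```python
# Added example, not code from the patent or from Hangzhou DPTech.
# Assumed (not stated in the patent): ARP table = set of (ip, mac) pairs,
# MAC table = {mac: port}, suspect entry = the current-period entry that
# conflicts with the previous period, packets matched on (sender ip, sender mac).
from collections import Counter


def conflicting_entries(prev_arp, cur_arp):
    """Entries of cur_arp that are 'not completely identical' to an entry of
    prev_arp (claim 2): same IP with another MAC, or same MAC with another IP."""
    prev_by_ip, prev_by_mac = {}, {}
    for ip, mac in prev_arp:
        prev_by_ip.setdefault(ip, set()).add(mac)
        prev_by_mac.setdefault(mac, set()).add(ip)
    found = set()
    for ip, mac in cur_arp:
        if ip in prev_by_ip and mac not in prev_by_ip[ip]:
            found.add((ip, mac))          # same IP, different MAC
        elif mac in prev_by_mac and ip not in prev_by_mac[mac]:
            found.add((ip, mac))          # same MAC, different IP
    return found


def ports_to_detect(entries, mac_table):
    """Resolve the MAC of each suspect entry to the switch port it was learned
    on; that port is the one the patent 'locks' for further checking."""
    return {mac_table[mac] for _, mac in entries if mac in mac_table}


class ArpGuard:
    """Per-switch state for both mechanisms: table comparison between adjacent
    polling periods (claims 1-3) and per-period repetition counting with two
    thresholds t1 < t2 (claim 4)."""

    def __init__(self, t1, t2):
        if not t1 < t2:
            raise ValueError("second threshold must exceed the first")
        self.t1, self.t2 = t1, t2
        self.prev_arp = set()      # ARP table of the previous polling period
        self.to_detect = set()     # suspect (ip, mac) entries (table to be detected)
        self.ports = set()         # ports to be detected
        self.static_arp = {}       # ip -> mac pinned after moderate repetition
        self.counts = Counter()    # (ip, mac) -> ARP packets seen this period

    def end_of_period(self, arp_table, mac_table):
        """Called once per polling period with the freshly collected tables.
        Returns the set of ports to be detected during the next period."""
        cur = set(arp_table)
        self.to_detect = conflicting_entries(self.prev_arp, cur)
        self.ports = ports_to_detect(self.to_detect, mac_table)
        self.prev_arp = cur
        self.counts = Counter()    # counting restarts with every period
        return self.ports

    def handle_arp(self, port, src_ip, src_mac):
        """Decide 'drop' or 'forward' for one ARP packet received on `port`."""
        key = (src_ip, src_mac)
        self.counts[key] += 1
        n = self.counts[key]
        # claims 1/3: packet from a locked port that matches a suspect entry
        if port in self.ports and key in self.to_detect:
            return "drop"
        # claim 4: identical packets repeated within one polling period;
        # counts equal to a threshold take no action, as the claims are worded
        if n > self.t2:
            return "drop"                       # above the second threshold
        if self.t1 < n < self.t2:
            self.static_arp[src_ip] = src_mac   # between thresholds: pin binding
        return "forward"


if __name__ == "__main__":
    # Constructed sample data: 10.0.0.1 lives on port 1, 10.0.0.2 on port 2,
    # and a station on port 3 starts claiming 10.0.0.1 in the second period.
    MAC_A, MAC_B, MAC_X = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "bb:bb:bb:bb:bb:ee"
    mac_table = {MAC_A: 1, MAC_B: 2, MAC_X: 3}
    guard = ArpGuard(t1=3, t2=6)
    guard.end_of_period({("10.0.0.1", MAC_A), ("10.0.0.2", MAC_B)}, mac_table)
    print(guard.end_of_period({("10.0.0.1", MAC_X), ("10.0.0.2", MAC_B)}, mac_table))
    print(guard.handle_arp(3, "10.0.0.1", MAC_X))   # spoofed binding on the locked port
    print(guard.handle_arp(1, "10.0.0.1", MAC_A))   # legitimate owner is unaffected
```

The same-MAC-different-IP branch of `conflicting_entries` is what catches a single station answering for several addresses, while the same-IP-different-MAC branch catches a second station claiming an address already bound elsewhere; only the MAC of the suspect entry is consulted in the MAC table, so the legitimate owner's port is not locked.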
CN201611110395.6A 2016-12-06 2016-12-06 The defence method and device of ARP attack messages Pending CN106506531A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611110395.6A CN106506531A (en) 2016-12-06 2016-12-06 The defence method and device of ARP attack messages

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611110395.6A CN106506531A (en) 2016-12-06 2016-12-06 The defence method and device of ARP attack messages

Publications (1)

Publication Number Publication Date
CN106506531A true CN106506531A (en) 2017-03-15

Family

ID=58330565

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611110395.6A Pending CN106506531A (en) 2016-12-06 2016-12-06 The defence method and device of ARP attack messages

Country Status (1)

Country Link
CN (1) CN106506531A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101009689A (en) * 2006-01-26 2007-08-01 西门子(中国)有限公司 A method for preventing the address parsing cheating
CN101370019A (en) * 2008-09-26 2009-02-18 北京星网锐捷网络技术有限公司 Method and switchboard for preventing packet cheating attack of address analysis protocol
CN101635628A (en) * 2009-08-28 2010-01-27 杭州华三通信技术有限公司 Method and device for preventing ARP attacks
CN104883360A (en) * 2015-05-05 2015-09-02 中国科学院信息工程研究所 ARP spoofing fine-grained detecting method and system
CN105978859A (en) * 2016-04-25 2016-09-28 杭州华三通信技术有限公司 Message processing method and message processing device
US20160301655A1 (en) * 2015-04-07 2016-10-13 Nicira, Inc. Address resolution protocol suppression using a flow-based forwarding element

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
QWM54335: "ARP攻击技术白皮书", 《百度文库》 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107086965A (en) * 2017-06-01 2017-08-22 杭州迪普科技股份有限公司 A kind of generation method of ARP, device and interchanger
CN107086965B (en) * 2017-06-01 2020-04-03 杭州迪普科技股份有限公司 ARP (Address resolution protocol) table entry generation method and device and switch
CN107689963A (en) * 2017-09-26 2018-02-13 杭州迪普科技股份有限公司 A kind of detection method and device for arp reply message aggression
CN109962906A (en) * 2017-12-22 2019-07-02 诺防网络科技有限公司 ARP cheats detection system and its method
CN108430063A (en) * 2018-04-13 2018-08-21 上海连尚网络科技有限公司 A kind of method and apparatus for monitoring ARP deceptions in WLAN
CN112165483A (en) * 2020-09-24 2021-01-01 Oppo(重庆)智能科技有限公司 ARP attack defense method, device, equipment and storage medium
CN112165483B (en) * 2020-09-24 2022-09-09 Oppo(重庆)智能科技有限公司 ARP attack defense method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
EP1665011B1 (en) Method and system for displaying network security incidents
CN106506531A (en) The defence method and device of ARP attack messages
CN109347830B (en) Network dynamic defense system and method
CN107426242B (en) Network security protection method, device and storage medium
CN100448203C (en) System and method for identifying and preventing malicious intrusions
CN101018121B (en) Log convergence processing method and convergence processing device
US8763122B2 (en) Active computer system defense technology
US7463593B2 (en) Network host isolation tool
Sung et al. Large-scale IP traceback in high-speed internet: practical techniques and information-theoretic foundation
EP2901612A2 (en) Apparatus, system and method for identifying and mitigating malicious network threats
US20040255162A1 (en) Security gateway system and method for intrusion detection
CN110933111B (en) DDoS attack identification method and device based on DPI
AU2009200102A1 (en) Method and apparatus for inspecting inter-layer address binding protocols
CN108234473A (en) A kind of message anti-attack method and device
Mohammed et al. Honeycyber: Automated signature generation for zero-day polymorphic worms
CN104135474A (en) Network anomaly behavior detection method based on out-degree and in-degree of host
CN101572711A (en) Network-based detection method of rebound ports Trojan horse
CN107733867A (en) It is a kind of to find Botnet and the method and system of protection
US7469418B1 (en) Deterring network incursion
CN105939328A (en) Method and device for updating network attack feature library
CN115208679B (en) Attacker IP defending method and defending system based on honey array cooperation
CN112511559B (en) Method and system for detecting intranet lateral movement attack
CN115987531A (en) Intranet safety protection system and method based on dynamic deception parallel network
Cisco Working with Sensor Signatures
CN108076068B (en) Anti-attack method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170315