CN107018136A - A kind of detection method and device of ARP attacks - Google Patents


Info

Publication number
CN107018136A
Authority
CN
China
Prior art keywords
electronic equipment
network connection
connection state
abnormal
mac address
Prior art date
Legal status
Pending
Application number
CN201710221269.6A
Other languages
Chinese (zh)
Inventor
沈文策
Current Assignee
Fujian Cnfol Information Technology Co Ltd
Original Assignee
Fujian Cnfol Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Fujian Cnfol Information Technology Co Ltd
Priority to CN201710221269.6A
Publication of CN107018136A
Legal status: Pending


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/09: Mapping addresses
    • H04L61/10: Mapping addresses of different types
    • H04L61/103: Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Abstract

The present invention provides a method and device for detecting ARP attacks. It is judged whether the network connection state of an electronic device in a LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN. If at least two identical MAC addresses exist in the ARP table, it is determined that an ARP attack host has changed the MAC address of an attacked host to the MAC address of the attack host; it is then judged whether the electronic devices corresponding to the identical MAC addresses in the ARP table include the electronic device whose network connection state is abnormal. If so, the electronic device whose network connection state is abnormal is under ARP attack. Whether an electronic device is under ARP attack is thus detected by looking up the ARP table, without entering ARP commands on each electronic device one by one, which improves detection efficiency and shortens the detection cycle for detecting whether a device is under ARP attack.

Description

A method and device for detecting ARP attacks
Technical field
The invention relates to the field of ARP attack detection, and in particular to a method and device for detecting ARP attacks.
Background technology
ARP (Address Resolution Protocol) attacks occur in a LAN. By forging IP addresses and MAC addresses, an attacker carries out ARP spoofing, and can generate a large volume of ARP traffic in the network that causes congestion. Specifically, as long as the ARP attack host keeps sending forged ARP response packets, the IP-MAC entry in the ARP cache of the attacked host is altered: the MAC address of the attacked host is changed to the MAC address of the ARP attack host, which interrupts the network connection of the attacked host.
To prevent an electronic device in the LAN from suffering a communication failure because of an ARP attack, electronic devices under ARP attack must be detected promptly and the ARP attack eliminated.
The current method for detecting whether an electronic device is under ARP attack is as follows. For every electronic device in the LAN, it is judged whether its network connection is abnormal. Because a network abnormality has many possible causes, it is then necessary to determine further whether the cause of the device's network abnormality is an ARP attack. On each electronic device with an abnormal network, an ARP command is entered separately to learn the gateway, IP address and MAC address of that device's connection on the switch. Based on the gateway, IP address and MAC address, it is judged whether each electronic device is under ARP attack.
Because every electronic device in the LAN must be checked one by one for a network abnormality, and an ARP command must then be entered separately on every abnormal electronic device before it can be determined whether each abnormal device has been attacked, the detection cycle for judging whether each electronic device in the LAN is under ARP attack is long.
Content of the invention
In view of this, the object of the invention is to provide a method and device for detecting ARP attacks, to solve the problem that, in existing methods for detecting whether an electronic device in a LAN is under ARP attack, the detection cycle is long.
The technical scheme is as follows:
The present invention provides a method for detecting ARP attacks, comprising:
judging whether the network connection state of an electronic device in a LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN;
if the network connection state of the electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, looking up the electronic devices corresponding to the identical MAC addresses in the ARP table;
judging, for each electronic device corresponding to the identical MAC addresses in the ARP table, whether it is the electronic device whose network connection state is abnormal;
if an electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal, the electronic device whose network connection state is abnormal is under ARP attack.
Preferably, judging, for each electronic device corresponding to the identical MAC addresses in the ARP table, whether it is the electronic device whose network connection state is abnormal comprises:
obtaining the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
obtaining the IP addresses corresponding to the identical MAC addresses in the ARP table;
comparing whether each IP address corresponding to the identical MAC addresses in the ARP table is the same as the IP address corresponding to the electronic device whose network connection state is abnormal.
Preferably, judging, for each electronic device corresponding to the identical MAC addresses in the ARP table, whether it is the electronic device whose network connection state is abnormal comprises:
obtaining the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
obtaining, in the ARP table, the MAC address corresponding to the IP address of the electronic device whose network connection state is abnormal;
comparing whether each of the identical MAC addresses in the ARP table is the same as the MAC address corresponding to the electronic device whose network connection state is abnormal.
Preferably, judging whether the network connection state of an electronic device in the LAN is abnormal comprises:
sending a predetermined number of packets to each electronic device in the LAN;
detecting the number of packets returned by the electronic device that are received within a predetermined time;
judging whether the number of packets returned by the electronic device equals the predetermined number;
if the number of packets returned by the electronic device equals the predetermined number, the network connection state of the electronic device is normal;
if the number of packets returned by the electronic device differs from the predetermined number, the network connection state of the electronic device is abnormal.
Preferably, after determining that an electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal and that this device is under ARP attack, the method further comprises:
if an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is normal, disabling the network interface card of that electronic device.
The present invention also provides a device for detecting ARP attacks, comprising:
a first judging unit, for judging whether the network connection state of an electronic device in a LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN;
a lookup unit, for looking up, if the network connection state of the electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, the electronic devices corresponding to the identical MAC addresses in the ARP table;
a second judging unit, for judging, for each electronic device corresponding to the identical MAC addresses in the ARP table, whether it is the electronic device whose network connection state is abnormal;
if an electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal, the electronic device whose network connection state is abnormal is under ARP attack.
Preferably, the second judging unit comprises:
a first acquiring unit, for obtaining the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
a second acquiring unit, for obtaining the IP addresses corresponding to the identical MAC addresses in the ARP table;
a first comparing unit, for comparing whether each IP address corresponding to the identical MAC addresses in the ARP table is the same as the IP address corresponding to the electronic device whose network connection state is abnormal.
Preferably, the second judging unit comprises:
a third acquiring unit, for obtaining the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
a fourth acquiring unit, for obtaining, in the ARP table, the MAC address corresponding to the IP address of the electronic device whose network connection state is abnormal;
a second comparing unit, for comparing whether each of the identical MAC addresses in the ARP table is the same as the MAC address corresponding to the electronic device whose network connection state is abnormal.
Preferably, the first judging unit comprises:
a sending unit, for sending a predetermined number of packets to each electronic device in the LAN;
a receiving unit, for detecting the number of packets returned by the electronic device that are received within a predetermined time;
a third judging unit, for judging whether the number of packets returned by the electronic device equals the predetermined number;
if the number of packets returned by the electronic device equals the predetermined number, the network connection state of the electronic device is normal;
if the number of packets returned by the electronic device differs from the predetermined number, the network connection state of the electronic device is abnormal.
Preferably, the detection device further comprises:
a disabling unit, for disabling the network interface card of an electronic device which corresponds to the identical MAC addresses in the ARP table and whose network connection state is normal.
Compared with the prior art, the present invention judges whether the network connection state of an electronic device in the LAN is abnormal and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN. Because the ARP table stores the IP addresses of all electronic devices in the whole LAN together with the MAC address corresponding to each IP address, the presence of at least two identical MAC addresses in the ARP table shows that an ARP attack host located in the LAN has changed the MAC address of the attacked host to the MAC address of the ARP attack host, i.e. the MAC address corresponding to the attack host is identical to the MAC address corresponding to the attacked host. To locate the electronic device in the LAN that is under ARP attack, it is judged for each electronic device corresponding to the identical MAC addresses in the ARP table whether it is the electronic device whose network connection state is abnormal. If it is, the electronic device has been attacked by ARP and its network connection has been interrupted as a result, i.e. the electronic device whose network connection state is abnormal is under ARP attack. In this application, by looking up the ARP table, it is detected whether the electronic device in the LAN whose network connection state is abnormal is under ARP attack, without entering ARP commands on every electronic device one by one and then judging device by device whether it is under ARP attack. This improves detection efficiency and shortens the detection cycle for detecting whether a device is under ARP attack.
Brief description of the drawings
To describe the technical schemes in the embodiments of the present invention or in the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for detecting ARP attacks provided in an embodiment of the present invention;
Fig. 2 is a flow chart of another method for detecting ARP attacks provided in an embodiment of the present invention;
Fig. 3 is a structural diagram of a device for detecting ARP attacks provided in an embodiment of the present invention;
Fig. 4 is a structural diagram of another device for detecting ARP attacks provided in an embodiment of the present invention.
Embodiments
To make the objects, technical schemes and advantages of the embodiments of the present invention clearer, the technical schemes in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The invention discloses a method for detecting ARP attacks. Referring to Fig. 1, the embodiment comprises the following steps:
S101: judge whether the network connection state of an electronic device in the LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN;
ARP attacks occur in a LAN. By forging IP addresses and MAC addresses, an attacker carries out ARP spoofing, and can generate a large volume of ARP traffic in the network that causes congestion. Specifically, as long as the ARP attack host keeps sending forged ARP response packets, the IP-MAC entry in the ARP cache of the attacked host is altered: the MAC address of the attacked host is changed to the MAC address of the ARP attack host, which interrupts the network connection of the attacked host.
However, an ARP attack is not the only cause of an abnormal network connection state of an electronic device in the LAN; other causes can also make the network connection state of an electronic device in the LAN abnormal. Therefore, whether an electronic device is under ARP attack cannot be judged from the network connection state of the electronic device alone.
Because the principle of an ARP attack is to alter the MAC address of the attacked host, and because the switch corresponding to the LAN stores the IP address of every electronic device in the whole LAN together with the MAC address corresponding to that IP address, once an electronic device in the LAN is under ARP attack, the MAC address of the attacked host is changed to the same MAC address as that of the attack host. Two identical MAC addresses then exist in the ARP table: one corresponds to the attack host and the other to the attacked host. Of course, when several electronic devices in the LAN are under ARP attack, several identical MAC addresses exist in the ARP table: one corresponds to the attack host and each of the others corresponds to a different attacked host.
By judging the two conditions, whether the network connection state of an electronic device in the LAN is abnormal and whether at least two identical MAC addresses exist in the ARP table, it is established that an electronic device in the LAN is under ARP attack when the network connection state of an electronic device is abnormal and at least two identical MAC addresses exist in the ARP table at the same time. It then has to be determined further which electronic device in the LAN is under ARP attack.
This embodiment does not restrict the order in which the judgment of whether the network connection state of an electronic device in the LAN is abnormal and the judgment of whether at least two identical MAC addresses exist in the ARP table are performed.
Optionally, the step of judging whether the network connection state of an electronic device in the LAN is abnormal comprises:
sending a predetermined number of packets to each electronic device in the LAN;
detecting the number of packets returned by the electronic device that are received within a predetermined time;
judging whether the number of packets returned by the electronic device equals the predetermined number;
if the number of packets returned by the electronic device equals the predetermined number, the network connection state of the electronic device is normal;
if the number of packets returned by the electronic device differs from the predetermined number, the network connection state of the electronic device is abnormal.
It is judged whether the number of packets sent to each electronic device equals the number of packets returned by that electronic device and received. When the number of packets sent to the electronic device equals the number of returned packets received, the electronic device can send and receive data over the network normally, so its network connection state is normal. When the number of packets sent to the electronic device differs from the number of returned packets received, the electronic device cannot send and receive data over the network normally, so its network connection state is abnormal.
In practice, sending a predetermined number of packets to an electronic device and detecting the number of returned packets received within a predetermined time can be implemented with a specific command. The specific command can be "Ping". Ping is a command available on Windows, Unix and Linux systems. The "Ping" command can be used to check whether the network is connected, and to analyse and judge network faults. Its usage form is: Ping + space + IP address.
Using the "Ping" command, whether the network connection state of an electronic device in the LAN is abnormal is judged as follows:
At the cmd prompt, enter "Ping IP" and press the Enter key; the display of the electronic device then shows the Ping statistics, including the number of packets sent, the number of packets received, the packet loss rate and the response time.
For example, after entering "Ping 192.168.10.222" and pressing Enter, the display shows: "Ping statistics for 192.168.10.222: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)".
From the displayed content, the number of packets sent to the electronic device differs from the number of packets returned by it, so the network connection state of the electronic device corresponding to IP address 192.168.10.222 is abnormal.
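As an added illustration of the probe step described above (this is example code, not part of the patent text), the following Python parses the statistics line that ping prints and applies the stated rule: the connection state is normal only when the number of packets received equals the predetermined number sent. The sample outputs are constructed, not captured from a real network; the Windows form mirrors the statistics line quoted above, and a Linux-style output is included to show that the same check covers a second ping dialect. The `probe_host` function, which would run the real command with `ping -n 4` on Windows or `ping -c 4` elsewhere, is an assumption about how the probe is invoked and is not exercised offline.

```python
import platform
import re
import subprocess

# Constructed Windows ping output (not captured from a real host); the statistics
# line mirrors the one quoted in the description for 192.168.10.222.
WINDOWS_PING_OUTPUT = """\
Pinging 192.168.10.222 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.222:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""

# Constructed Linux-style ping output for a host that answers every probe.
LINUX_PING_OUTPUT = """\
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
64 bytes from 192.168.10.10: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 192.168.10.10: icmp_seq=2 ttl=64 time=0.388 ms
64 bytes from 192.168.10.10: icmp_seq=3 ttl=64 time=0.401 ms
64 bytes from 192.168.10.10: icmp_seq=4 ttl=64 time=0.395 ms

--- 192.168.10.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
"""

# Windows: "Packets: Sent = 4, Received = 0, ..."
_WIN_STATS = re.compile(r"Sent = (\d+), Received = (\d+)")
# Linux/BSD: "4 packets transmitted, 4 received" or "... 4 packets received"
_NIX_STATS = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")


def parse_ping_counts(output):
    """Return (sent, received) from ping output; raise if no statistics line is present."""
    for pattern in (_WIN_STATS, _NIX_STATS):
        match = pattern.search(output)
        if match:
            return int(match.group(1)), int(match.group(2))
    raise ValueError("no ping statistics line found in output")


def connection_state(output, expected_sent=4):
    """Apply the rule from the description: normal only if every sent packet came back."""
    sent, received = parse_ping_counts(output)
    if sent != expected_sent:
        # ping did not send the predetermined count (interrupted or misconfigured
        # probe); treat the result as not normal rather than guessing
        return "abnormal"
    return "normal" if received == sent else "abnormal"


def probe_host(ip, count=4):
    """Assumed invocation of the real probe (not run offline): ping the host and
    classify its connection state from the command's output."""
    flag = "-n" if platform.system() == "Windows" else "-c"
    result = subprocess.run(["ping", flag, str(count), ip],
                            capture_output=True, text=True)
    return connection_state(result.stdout, expected_sent=count)


if __name__ == "__main__":
    print("192.168.10.222:", connection_state(WINDOWS_PING_OUTPUT))  # abnormal
    print("192.168.10.10:", connection_state(LINUX_PING_OUTPUT))     # normal
```

Parsing the statistics line rather than ping's exit code matters here: on Windows, ping can exit with status 0 when a reply is received from a different host than the one addressed, so the sent and received counts are the reliable signal for the rule in this step.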
S102: if the network connection state of the electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, look up the electronic devices corresponding to the identical MAC addresses in the ARP table;
When the two conditions, that the network connection state of an electronic device in the LAN is abnormal and that at least two identical MAC addresses exist in the ARP table, hold at the same time, an electronic device in the LAN is under ARP attack. The MAC address corresponding to the electronic device under ARP attack is the same as the MAC address corresponding to the attacking electronic device, and both are stored in the ARP table of the switch.
The electronic devices corresponding to the identical MAC addresses are looked up in the ARP table; these electronic devices include the attacking electronic device and all electronic devices under ARP attack.
S103: judge, for each electronic device corresponding to the identical MAC addresses in the ARP table, whether it is the electronic device whose network connection state is abnormal;
Optionally, in one embodiment, this step comprises:
S1031: obtain the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
The step of judging whether the network connection state of an electronic device in the LAN is abnormal reveals which electronic device in the LAN has an abnormal network connection state.
The IP address corresponding to that electronic device in the LAN whose network connection state is known to be abnormal is obtained.
Taking the use of the "Ping" command to judge whether the network connection state of an electronic device in the LAN is abnormal as an example: because the IP address of the electronic device must be entered together with the "Ping" command, when the displayed result of the "Ping" command shows that the network connection state of the electronic device is abnormal, the IP address carried in the entered "Ping" command is taken directly, which yields the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal.
It is understood that the IP address corresponding to the electronic device whose network connection state is abnormal can be obtained in different ways; this embodiment does not limit the specific implementation of obtaining it.
S1032: obtain the IP addresses corresponding to the identical MAC addresses in the ARP table;
Because the ARP table stores the IP address corresponding to each electronic device in the LAN together with the MAC address corresponding to that IP address, once identical MAC addresses have been found in the ARP table, the IP address corresponding to each of them can be obtained directly from the ARP table.
S1033: compare whether each IP address corresponding to the identical MAC addresses in the ARP table is the same as the IP address corresponding to the electronic device whose network connection state is abnormal.
Having obtained the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal, and the IP addresses corresponding to the identical MAC addresses in the ARP table, compare whether each IP address corresponding to the identical MAC addresses is the same as the IP address corresponding to the electronic device whose network connection state is abnormal.
S104: if an electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal, the electronic device whose network connection state is abnormal is under ARP attack;
The electronic devices corresponding to the identical MAC addresses in the ARP table include the electronic device corresponding to the attack host and the electronic devices corresponding to all attacked hosts. The function of the electronic device corresponding to the attack host is not affected in any way, so its network connection state is normal; only the network connection of the electronic device corresponding to an attacked host is interrupted, i.e. its network connection state is abnormal.
For example, two identical MAC addresses exist in the ARP table, with corresponding IP addresses IP1 and IP2 respectively; then the electronic device corresponding to IP1 and the electronic device corresponding to IP2 consist of one attack host and one attacked host. The IP addresses obtained from the ARP table for the identical MAC addresses are IP1 and IP2.
After step S1031 is performed, the IP address obtained for the electronic device in the LAN whose network connection state is abnormal is IP2.
Compare whether IP1 and IP2, corresponding to the identical MAC addresses in the ARP table, are each the same as IP2, the address corresponding to the electronic device whose network connection state is abnormal;
IP2, corresponding to one of the identical MAC addresses in the ARP table, is the same as IP2 corresponding to the electronic device whose network connection state is abnormal, so the electronic device corresponding to IP2 is under ARP attack.
S105: if an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is normal, disable the network interface card of that electronic device.
IP1, corresponding to the other identical MAC address in the ARP table, differs from IP2 corresponding to the electronic device whose network connection state is abnormal, so the network connection state of the electronic device corresponding to IP1 is normal, i.e. the electronic device corresponding to IP1 is the ARP attack host. The network interface card of the electronic device corresponding to IP1 is disabled, which prevents it from continuing to attack other electronic devices in the LAN.
From the above technical scheme, in the method for detecting ARP attacks disclosed in this embodiment, it is judged whether the network connection state of an electronic device in the LAN is abnormal and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN. Because the ARP table stores the IP addresses of all electronic devices in the whole LAN together with the MAC address corresponding to each IP address, the presence of at least two identical MAC addresses in the ARP table shows that an ARP attack host located in the LAN has changed the MAC address of the attacked host to the MAC address of the ARP attack host, i.e. the MAC address corresponding to the attack host is identical to the MAC address corresponding to the attacked host. To locate the electronic device in the LAN that is under ARP attack, it is judged for each electronic device corresponding to the identical MAC addresses in the ARP table whether it is the electronic device whose network connection state is abnormal. If it is, the electronic device has been attacked by ARP and its network connection has been interrupted as a result, i.e. the electronic device whose network connection state is abnormal is under ARP attack. In this application, by looking up the ARP table, it is detected whether the electronic device in the LAN whose network connection state is abnormal is under ARP attack, without entering ARP commands on every electronic device one by one and then judging device by device whether it is under ARP attack. This improves detection efficiency and shortens the detection cycle for detecting whether a device is under ARP attack.
The invention also discloses another ARP attack detection method. Referring to Fig. 2, this embodiment comprises the following steps:
S201: judge whether the network connection state of an electronic device in the LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN;
S202: if the network connection state of the electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, look up the electronic devices corresponding to the identical MAC addresses in the ARP table;
The specific implementation of steps S201-S202 in this embodiment is identical to that of steps S101-S102 in the embodiment shown in Fig. 1 and is not repeated here.
S203: obtain the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
The specific implementation of step S203 in this embodiment is identical to that of step S1031 in the previous embodiment and is not repeated here.
For example, the IP address obtained for the electronic device in the LAN whose network connection state is abnormal is IP2.
S204: obtain, in the ARP table, the MAC address corresponding to the IP address of the electronic device whose network connection state is abnormal;
Because the electronic device corresponding to IP2 is an electronic device in the LAN, its IP address and the MAC address corresponding to that IP address are both stored in the ARP table.
The MAC address corresponding to IP2 is obtained from the ARP table; for example, the MAC address corresponding to IP2 is MAC2.
S205: compare whether each of the identical MAC addresses in the ARP table is the same as the MAC address corresponding to the electronic device whose network connection state is abnormal.
The at least two identical MAC addresses present in the ARP table are already known from step S201; for example, two MAC addresses in the ARP table are both MAC2.
Compare whether MAC2 in the ARP table is the same as MAC2 corresponding to the electronic device whose network connection state is abnormal.
S206: if an electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal, the electronic device whose network connection state is abnormal is under ARP attack.
MAC2 in the ARP table is the same as MAC2 corresponding to the electronic device whose network connection state is abnormal, i.e. an electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal; therefore the electronic device whose network connection state is abnormal, namely the electronic device corresponding to IP2, is under ARP attack.
S207: if an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is normal, disable the network interface card of the electronic device whose network connection state is normal.
Two MAC addresses in the ARP table are both MAC2, and each MAC2 corresponds to a different electronic device: one corresponds to the electronic device with IP address IP2, which is the electronic device under ARP attack; the electronic device corresponding to the other MAC2 is the attacking host. The network interface card of the electronic device corresponding to the attacking host is disabled.
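Steps S201-S207 above, and the probe-count connectivity check of units 3011-3013 below, written out as a runnable example (added here; this is not code from the patent or its applicant). The two-column "IP MAC" dump format and the sample hosts are constructed assumptions, since the patent fixes neither; the S207 step only reports which host's network interface card would be disabled and touches no interface.

```python
"""ARP attack detection along the lines of CN107018136A (added example).

Inputs combined, as the patent describes:
  1. a per-host connectivity check: a predetermined number of probe packets
     is sent to every LAN host and the replies received within the scheduled
     time are counted; a host whose reply count differs is "abnormal";
  2. the switch's ARP table (IP -> MAC): a MAC that appears at least twice
     indicates an ARP attack, the attacker having overwritten the victim's
     entry with its own MAC.
An abnormal host whose IP maps to a duplicated MAC is the attacked host; a
normal host sharing that MAC is the attacking host (S207 target).
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class DetectionResult:
    attacked: list = field(default_factory=list)    # (ip, mac) of hosts under ARP attack
    attackers: list = field(default_factory=list)   # (ip, mac) whose NIC S207 would disable
    duplicate_macs: set = field(default_factory=set)


def connection_state_abnormal(sent: int, received: int) -> bool:
    """Units 3011-3013: the state is normal only when the number of returned
    packets equals the predetermined number of probe packets sent."""
    return received != sent


def parse_arp_table(dump: str) -> list[tuple[str, str]]:
    """Parse a constructed two-column 'IP MAC' text dump into (ip, mac) pairs.
    The patent does not fix a table format; this layout is an assumption."""
    entries = []
    for line in dump.strip().splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() == "ip":   # skip header row
            continue
        entries.append((parts[0], parts[1].lower()))
    return entries


def detect_arp_attack(arp_table, probe_replies, predetermined_quantity) -> DetectionResult:
    """S201-S207 (second embodiment, MAC-comparison variant)."""
    result = DetectionResult()
    # S201, part 1: which hosts have an abnormal network connection state?
    abnormal_ips = {ip for ip, got in probe_replies.items()
                    if connection_state_abnormal(predetermined_quantity, got)}
    # S201, part 2: does any MAC appear at least twice in the ARP table?
    mac_count = Counter(mac for _, mac in arp_table)
    result.duplicate_macs = {mac for mac, n in mac_count.items() if n >= 2}
    if not abnormal_ips or not result.duplicate_macs:
        return result   # S202 precondition not met: no ARP attack is inferred
    # S202: the hosts sharing each duplicated MAC
    by_mac = defaultdict(list)
    for ip, mac in arp_table:
        if mac in result.duplicate_macs:
            by_mac[mac].append(ip)
    ip_to_mac = dict(arp_table)
    # S203-S205: take each abnormal host's IP, look up its MAC in the ARP
    # table and compare it with the duplicated MACs.
    for ip in sorted(abnormal_ips):
        mac = ip_to_mac.get(ip)
        if mac not in result.duplicate_macs:
            continue
        result.attacked.append((ip, mac))            # S206: attacked host
        for other_ip in by_mac[mac]:                 # S207: normal host, same MAC
            if other_ip != ip and other_ip not in abnormal_ips:
                if (other_ip, mac) not in result.attackers:
                    result.attackers.append((other_ip, mac))
    return result


# Constructed sample data: four LAN hosts, four probe packets sent to each.
# 192.0.2.12 returned no replies and shares its MAC with 192.0.2.13.
SAMPLE_ARP_TABLE = """
IP            MAC
192.0.2.10    00:00:5e:00:53:10
192.0.2.11    00:00:5e:00:53:11
192.0.2.12    00:00:5e:00:53:aa
192.0.2.13    00:00:5e:00:53:aa
"""
SAMPLE_REPLIES = {"192.0.2.10": 4, "192.0.2.11": 4, "192.0.2.12": 0, "192.0.2.13": 4}
PREDETERMINED_QUANTITY = 4

if __name__ == "__main__":
    r = detect_arp_attack(parse_arp_table(SAMPLE_ARP_TABLE), SAMPLE_REPLIES, PREDETERMINED_QUANTITY)
    print("under ARP attack:", r.attacked)
    print("NIC to disable (S207):", r.attackers)
```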
It can be seen from the above technical solution that, in the ARP attack detection method disclosed in this embodiment, it is judged whether the network connection state of an electronic device in the LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN; if the network connection state of the electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, the electronic devices corresponding to the identical MAC addresses are looked up in the ARP table; the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal is obtained, and the MAC address corresponding to that IP address is obtained from the ARP table; then it is compared whether each of the identical MAC addresses in the ARP table is the same as the MAC address corresponding to the electronic device whose network connection state is abnormal. If they are the same, an electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal, and that electronic device is under ARP attack. In this application, by comparing whether each of the identical MAC addresses in the ARP table is the same as the MAC address corresponding to the electronic device whose network connection state is abnormal, the function of detecting whether an electronic device with an abnormal network connection state in the LAN is under ARP attack is realized without entering ARP commands on every electronic device one by one to judge whether each is under ARP attack, which improves detection efficiency and shortens the detection cycle for detecting ARP attacks.
Corresponding to the above ARP attack detection method, the present invention also provides an ARP attack detection device, whose structural diagram is shown in Fig. 3. In this embodiment, the ARP attack detection device comprises:
a first judging unit 301, a searching unit 302, a second judging unit 303 and a forbidding unit 304;
the first judging unit 301 is configured to judge whether the network connection state of an electronic device in the LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN;
optionally, the first judging unit 301 comprises a transmitting unit 3011, a receiving unit 3012 and a third judging unit 3013, wherein:
the transmitting unit 3011 is configured to send a predetermined number of packets to each electronic device in the LAN;
the receiving unit 3012 is configured to detect the number of packets returned by the electronic device that are received within a scheduled time;
the third judging unit 3013 is configured to judge whether the number of packets returned by the electronic device is the same as the predetermined number;
if the number of packets returned by the electronic device is the same as the predetermined number, the network connection state of the electronic device is normal;
if the number of packets returned by the electronic device differs from the predetermined number, the network connection state of the electronic device is abnormal.
The searching unit 302 is configured to, if the network connection state of the electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, look up the electronic devices corresponding to the identical MAC addresses in the ARP table;
the second judging unit 303 is configured to judge whether each electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal;
if an electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal, the electronic device whose network connection state is abnormal is under ARP attack.
Optionally, the second judging unit 303 comprises:
a first acquiring unit 3031, configured to obtain the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
a second acquiring unit 3032, configured to obtain the IP addresses corresponding to the identical MAC addresses in the ARP table;
a first comparing unit 3033, configured to compare whether each of the IP addresses corresponding to the identical MAC addresses in the ARP table is the same as the IP address corresponding to the electronic device whose network connection state is abnormal.
The forbidding unit 304 is configured to, if an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is normal, disable the network interface card of the electronic device whose network connection state is normal.
In the technical solution provided by this embodiment of the present invention, the first judging unit judges whether the network connection state of an electronic device in the LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN; if the network connection state of the electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, the searching unit looks up the electronic devices corresponding to the identical MAC addresses in the ARP table; the second judging unit then judges whether each electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal, and if so, the electronic device whose network connection state is abnormal is under ARP attack. In this application, by looking up the ARP table, the function of detecting whether an electronic device with an abnormal network connection state in the LAN is under ARP attack is realized without entering ARP commands on every electronic device one by one to judge whether each is under ARP attack, which improves detection efficiency and shortens the detection cycle for detecting ARP attacks.
Since the device provided in this embodiment corresponds to the method provided in the method embodiment, its description is relatively brief; for related details, refer to the description of the method.
An embodiment of the present invention further provides an ARP attack detection device, whose structural diagram is shown in Fig. 4. The ARP attack detection device comprises:
a first judging unit 401, a searching unit 402, a third acquiring unit 403, a fourth acquiring unit 404, a second comparing unit 405 and a forbidding unit 406; wherein the specific working processes of the first judging unit 401, the searching unit 402 and the forbidding unit 406 are identical to those of the first judging unit 301, the searching unit 302 and the forbidding unit 304 in the embodiment corresponding to Fig. 3 and are not repeated here.
The third acquiring unit 403 is configured to obtain the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
the fourth acquiring unit 404 is configured to obtain, in the ARP table, the MAC address corresponding to the IP address of the electronic device whose network connection state is abnormal;
the second comparing unit 405 is configured to compare whether each of the identical MAC addresses in the ARP table is the same as the MAC address corresponding to the electronic device whose network connection state is abnormal.
In the technical solution provided by this embodiment of the present invention, the first judging unit judges whether the network connection state of an electronic device in the LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN; if the network connection state of the electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, the searching unit looks up the electronic devices corresponding to the identical MAC addresses in the ARP table; the third acquiring unit then obtains the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal; the fourth acquiring unit obtains, in the ARP table, the MAC address corresponding to that IP address; finally, the second comparing unit compares whether each of the identical MAC addresses in the ARP table is the same as the MAC address corresponding to the electronic device whose network connection state is abnormal. If an electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal, that electronic device is under ARP attack. In this application, by a way of looking up the ARP table that differs from the previous embodiment, the function of detecting whether an electronic device with an abnormal network connection state in the LAN is under ARP attack is realized without entering ARP commands on every electronic device one by one to judge whether each is under ARP attack, which improves detection efficiency and shortens the detection cycle for detecting ARP attacks.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other.
Finally, it should also be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The above is only the preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make certain improvements and modifications without departing from the principles of the present invention, and such improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. An ARP attack detection method, characterized in that it comprises:
judging whether the network connection state of an electronic device in a LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN;
if the network connection state of the electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, looking up the electronic devices corresponding to the identical MAC addresses in the ARP table;
judging whether each electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal;
if an electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal, the electronic device whose network connection state is abnormal is under ARP attack.
2. The detection method according to claim 1, characterized in that judging whether each electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal comprises:
obtaining the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
obtaining the IP addresses corresponding to the identical MAC addresses in the ARP table;
comparing whether each of the IP addresses corresponding to the identical MAC addresses in the ARP table is the same as the IP address corresponding to the electronic device whose network connection state is abnormal.
3. The detection method according to claim 1, characterized in that judging whether each electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal comprises:
obtaining the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
obtaining, in the ARP table, the MAC address corresponding to the IP address of the electronic device whose network connection state is abnormal;
comparing whether each of the identical MAC addresses in the ARP table is the same as the MAC address corresponding to the electronic device whose network connection state is abnormal.
4. The detection method according to any one of claims 1-3, characterized in that judging whether the network connection state of the electronic device in the LAN is abnormal comprises:
sending a predetermined number of packets to each electronic device in the LAN;
detecting the number of packets returned by the electronic device that are received within a scheduled time;
judging whether the number of packets returned by the electronic device is the same as the predetermined number;
if the number of packets returned by the electronic device is the same as the predetermined number, the network connection state of the electronic device is normal;
if the number of packets returned by the electronic device differs from the predetermined number, the network connection state of the electronic device is abnormal.
5. The detection method according to any one of claims 1-3, characterized in that, after the electronic device whose network connection state is abnormal is determined to be under ARP attack because an electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal, the method further comprises:
if an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is normal, disabling the network interface card of the electronic device whose network connection state is normal.
6. An ARP attack detection device, characterized in that it comprises:
a first judging unit, configured to judge whether the network connection state of an electronic device in a LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN;
a searching unit, configured to, if the network connection state of the electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, look up the electronic devices corresponding to the identical MAC addresses in the ARP table;
a second judging unit, configured to judge whether each electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal;
wherein, if an electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal, the electronic device whose network connection state is abnormal is under ARP attack.
7. The detection device according to claim 6, characterized in that the second judging unit comprises:
a first acquiring unit, configured to obtain the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
a second acquiring unit, configured to obtain the IP addresses corresponding to the identical MAC addresses in the ARP table;
a first comparing unit, configured to compare whether each of the IP addresses corresponding to the identical MAC addresses in the ARP table is the same as the IP address corresponding to the electronic device whose network connection state is abnormal.
8. The detection device according to claim 6, characterized in that the second judging unit comprises:
a third acquiring unit, configured to obtain the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
a fourth acquiring unit, configured to obtain, in the ARP table, the MAC address corresponding to the IP address of the electronic device whose network connection state is abnormal;
a second comparing unit, configured to compare whether each of the identical MAC addresses in the ARP table is the same as the MAC address corresponding to the electronic device whose network connection state is abnormal.
9. The detection device according to any one of claims 6-8, characterized in that the first judging unit comprises:
a transmitting unit, configured to send a predetermined number of packets to each electronic device in the LAN;
a receiving unit, configured to detect the number of packets returned by the electronic device that are received within a scheduled time;
a third judging unit, configured to judge whether the number of packets returned by the electronic device is the same as the predetermined number;
wherein, if the number of packets returned by the electronic device is the same as the predetermined number, the network connection state of the electronic device is normal;
and if the number of packets returned by the electronic device differs from the predetermined number, the network connection state of the electronic device is abnormal.
10. The detection device according to any one of claims 6-8, characterized in that the detection device further comprises:
a forbidding unit, configured to, if an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is normal, disable the network interface card of the electronic device whose network connection state is normal.
CN201710221269.6A 2017-04-06 2017-04-06 A kind of detection method and device of ARP attacks Pending CN107018136A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710221269.6A CN107018136A (en) 2017-04-06 2017-04-06 A kind of detection method and device of ARP attacks

Publications (1)

Publication Number Publication Date
CN107018136A true CN107018136A (en) 2017-08-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170804