CN107018136A - Method and device for detecting ARP attacks
- Publication number: CN107018136A (CN201710221269.6A)
- Authority: CN (China)
- Prior art keywords: electronic equipment, network connection, connection state, abnormal, MAC address
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
- H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
Abstract
The present invention provides a method and device for detecting ARP attacks. The method judges whether the network connection state of the electronic devices in a LAN is abnormal, and judges whether the ARP table of the switch corresponding to the LAN contains at least two identical MAC addresses. If the ARP table contains at least two identical MAC addresses, it is determined that an ARP attacking host has changed the MAC address of an attacked host to the MAC address of the ARP attacking host. The method then judges whether each electronic device corresponding to the identical MAC addresses in the ARP table is a device whose network connection state is abnormal; if it is, the device whose network connection state is abnormal is under ARP attack. Whether an electronic device is under ARP attack is thus detected by looking up the ARP table, without having to enter ARP commands on the electronic devices one by one, which improves detection efficiency and shortens the detection cycle for detecting ARP attacks.
Description
Technical field
The invention belongs to the technical field of ARP attacks, and in particular relates to a method and device for detecting ARP attacks.
Background art
ARP (Address Resolution Protocol) attacks occur within a LAN. ARP spoofing is carried out by forging IP addresses and MAC addresses, and it can generate a large volume of ARP traffic that congests the network. Specifically, as long as the ARP attacking host keeps sending forged ARP reply packets, it can change the IP-MAC entries in the ARP cache of the attacked host, changing the MAC address of the attacked host to the MAC address of the ARP attacking host and interrupting the attacked host's network connection.
To prevent communication failures in the LAN caused by ARP attacks on its electronic devices, the devices under ARP attack must be detected promptly and the attack eliminated.
At present, whether an electronic device is under ARP attack is detected as follows. Each electronic device in the LAN is checked for an abnormal network connection. Because a network abnormality can have many causes, it must then be determined whether the abnormality is caused by an ARP attack. On each electronic device with an abnormal network, ARP commands are entered to learn the gateway, IP address and MAC address with which the device is connected in the switch. From the gateway, IP address and MAC address, it is judged whether each electronic device is under ARP attack.
Because every electronic device in the LAN has to be checked one by one for a network abnormality, and ARP commands have to be entered on each abnormal device before it can be determined whether each of them is under ARP attack, the detection cycle for judging whether each electronic device in the LAN is under ARP attack is long.
Summary of the invention
In view of this, the object of the invention is to provide a method and device for detecting ARP attacks, in order to solve the problem that prior-art methods for detecting whether electronic devices in a LAN are under ARP attack have a long detection cycle.
The technical solution is as follows:
The present invention provides a method for detecting ARP attacks, comprising:
judging whether the network connection state of the electronic devices in a LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN;
if the network connection state of an electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, looking up the electronic devices corresponding to the identical MAC addresses in the ARP table;
judging whether each electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal;
if an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is abnormal, the electronic device whose network connection state is abnormal is under ARP attack.
Preferably, judging whether each electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal comprises:
obtaining the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
obtaining the IP addresses corresponding to the identical MAC addresses in the ARP table;
comparing whether each IP address corresponding to the identical MAC addresses in the ARP table is the same as the IP address corresponding to the electronic device whose network connection state is abnormal.
Preferably, judging whether each electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal comprises:
obtaining the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
obtaining, in the ARP table, the MAC address corresponding to the IP address of the electronic device whose network connection state is abnormal;
comparing whether each of the identical MAC addresses in the ARP table is the same as the MAC address corresponding to the electronic device whose network connection state is abnormal.
Preferably, judging whether the network connection state of the electronic devices in the LAN is abnormal comprises:
sending a predetermined number of data packets to each electronic device in the LAN;
detecting the number of data packets returned by the electronic device and received within a predetermined time;
judging whether the number of data packets returned by the electronic device is the same as the predetermined number;
if the number of data packets returned by the electronic device is the same as the predetermined number, the network connection state of the electronic device is normal;
if the number of data packets returned by the electronic device differs from the predetermined number, the network connection state of the electronic device is abnormal.
Preferably, after it is determined that an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is abnormal and that this device is under ARP attack, the method further comprises:
if an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is normal, disabling the network card of the electronic device whose network connection state is normal.
The present invention also provides a device for detecting ARP attacks, comprising:
a first judging unit, configured to judge whether the network connection state of the electronic devices in a LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN;
a lookup unit, configured to look up the electronic devices corresponding to the identical MAC addresses in the ARP table if the network connection state of an electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table;
a second judging unit, configured to judge whether each electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal;
if an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is abnormal, the electronic device whose network connection state is abnormal is under ARP attack.
Preferably, the second judging unit comprises:
a first obtaining unit, configured to obtain the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
a second obtaining unit, configured to obtain the IP addresses corresponding to the identical MAC addresses in the ARP table;
a first comparing unit, configured to compare whether each IP address corresponding to the identical MAC addresses in the ARP table is the same as the IP address corresponding to the electronic device whose network connection state is abnormal.
Preferably, the second judging unit comprises:
a third obtaining unit, configured to obtain the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
a fourth obtaining unit, configured to obtain, in the ARP table, the MAC address corresponding to the IP address of the electronic device whose network connection state is abnormal;
a second comparing unit, configured to compare whether each of the identical MAC addresses in the ARP table is the same as the MAC address corresponding to the electronic device whose network connection state is abnormal.
Preferably, the first judging unit comprises:
a sending unit, configured to send a predetermined number of data packets to each electronic device in the LAN;
a receiving unit, configured to detect the number of data packets returned by the electronic device and received within a predetermined time;
a third judging unit, configured to judge whether the number of data packets returned by the electronic device is the same as the predetermined number;
if the number of data packets returned by the electronic device is the same as the predetermined number, the network connection state of the electronic device is normal;
if the number of data packets returned by the electronic device differs from the predetermined number, the network connection state of the electronic device is abnormal.
Preferably, the detection device further comprises:
a disabling unit, configured to disable the network card of the electronic device whose network connection state is normal, if an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is normal.
Compared with the prior art, the present invention judges whether the network connection state of the electronic devices in the LAN is abnormal, and judges whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN. Because the ARP table stores the IP addresses of all electronic devices in the whole LAN and the MAC address corresponding to each IP address, when at least two identical MAC addresses exist in the ARP table it can be determined that an ARP attacking host in the LAN has changed the MAC address of the attacked host to the MAC address of the ARP attacking host, that is, the MAC address corresponding to the attacking host is the same as the MAC address corresponding to the attacked host. To locate the electronic device in the LAN that is under ARP attack, it is judged whether each electronic device corresponding one-to-one to the identical MAC addresses in the ARP table is an electronic device whose network connection state is abnormal. If it is, the ARP attack has interrupted that device's network, that is, the electronic device whose network connection state is abnormal is under ARP attack. By looking up the ARP table, the present application detects whether the electronic devices in the LAN whose network connection state is abnormal are under ARP attack, without ARP commands having to be entered on every electronic device one by one to judge whether each device is under ARP attack. This improves detection efficiency and shortens the detection cycle for detecting ARP attacks.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for detecting ARP attacks provided by an embodiment of the present invention;
Fig. 2 is a flow chart of another method for detecting ARP attacks provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of a device for detecting ARP attacks provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of another device for detecting ARP attacks provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The invention discloses a method for detecting ARP attacks. Referring to Fig. 1, the embodiment comprises the following steps:
S101: judging whether the network connection state of the electronic devices in the LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN;
ARP attacks occur within a LAN. ARP spoofing is carried out by forging IP addresses and MAC addresses, and it can generate a large volume of ARP traffic that congests the network. Specifically, as long as the ARP attacking host keeps sending forged ARP reply packets, it can change the IP-MAC entries in the ARP cache of the attacked host, changing the MAC address of the attacked host to the MAC address of the ARP attacking host and interrupting the attacked host's network connection.
However, an ARP attack is not the only cause of an abnormal network connection state for an electronic device in the LAN; other causes can also make the network connection state abnormal. Therefore, whether an electronic device is under ARP attack cannot be judged from its network connection state alone.
The principle of an ARP attack is to change the MAC address of the attacked host, and the switch corresponding to the LAN stores the IP address of every electronic device in the whole LAN together with the MAC address corresponding to that IP address. Therefore, once an electronic device in the LAN is under ARP attack, the MAC address of the attacked host is changed to the same MAC address as that of the attacking host, and the ARP table then contains two identical MAC addresses, one corresponding to the attacking host and the other to the attacked host. Likewise, when several electronic devices in the LAN are under ARP attack, the ARP table contains several identical MAC addresses, one of which corresponds to the attacking host while the others each correspond to a different attacked host.
Two conditions are judged: whether the network connection state of the electronic devices in the LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table. When both are met, that is, the network connection state of an electronic device is abnormal and at least two identical MAC addresses exist in the ARP table, an electronic device in the LAN is under ARP attack. It then remains to determine which electronic device in the LAN is under ARP attack.
In the present embodiment, restriction judges whether the network connection state of LAN inner electronic equipment is abnormal and judges
It whether there is the sequencing of at least two identical MAC Address in ARP table.
Optionally, the step of judging whether the network connection state of the electronic devices in the LAN is abnormal comprises:
sending a predetermined number of data packets to each electronic device in the LAN;
detecting the number of data packets returned by the electronic device and received within a predetermined time;
judging whether the number of data packets returned by the electronic device is the same as the predetermined number;
if the number of data packets returned by the electronic device is the same as the predetermined number, the network connection state of the electronic device is normal;
if the number of data packets returned by the electronic device differs from the predetermined number, the network connection state of the electronic device is abnormal.
For each electronic device, the number of data packets sent to it is compared with the number of data packets received back from it. When the two numbers are the same, the electronic device can receive and send data over the network normally, so its network connection state is normal. When the two numbers differ, the electronic device cannot receive and send data over the network normally, so its network connection state is abnormal.
In practice, sending a predetermined number of data packets to an electronic device and detecting the number of data packets returned within the predetermined time can be done with a specific command. The command can be "Ping", which is available on Windows, Unix and Linux systems. The "Ping" command checks whether the network is connected and is useful for analysing and diagnosing network faults. Its usage format is: Ping + space + IP address.
The "Ping" command is used as follows to judge whether the network connection state of an electronic device in the LAN is abnormal:
Enter "Ping IP" in the cmd window and press the Enter key. The display of the electronic device then shows the Ping statistics, including the number of packets sent, the number of packets received, the packet loss rate and the response time.
For example, after "Ping 192.168.10.222" is entered and the Enter key is pressed, the display shows "Ping statistics for 192.168.10.222: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)".
From the displayed content, the number of data packets sent to the electronic device differs from the number of data packets it returned, so the network connection state of the electronic device with IP address 192.168.10.222 is abnormal.
S102: if the network connection state of an electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, looking up the electronic devices corresponding to the identical MAC addresses in the ARP table;
When both conditions are met, that is, the network connection state of an electronic device in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, there is an electronic device in the LAN that is under ARP attack. The MAC address corresponding to the attacked electronic device is the same as the MAC address corresponding to the attacking electronic device, and both are stored in the ARP table of the switch.
The electronic devices corresponding to the identical MAC addresses in the ARP table are looked up; they include the attacking electronic device and all electronic devices under ARP attack.
S103: judging whether each electronic device corresponding to the identical MAC addresses in the ARP table is the electronic device whose network connection state is abnormal;
Optionally, in one embodiment, this step comprises:
S1031: obtaining the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal;
The step of judging whether the network connection state of the electronic devices in the LAN is abnormal reveals which electronic devices in the LAN have an abnormal network connection state.
The IP address corresponding to each such electronic device is then obtained.
Take as an example the use of the "Ping" command to judge whether the network connection state of an electronic device in the LAN is abnormal. The IP address of the electronic device has to be entered with the "Ping" command, so when the result displayed after running the command shows that the device's network connection state is abnormal, the IP address carried in the entered "Ping" command is taken directly. This yields the IP address corresponding to the electronic device in the LAN whose network connection state is abnormal.
It will be understood that the IP address corresponding to the electronic device whose network connection state is abnormal can be obtained in different ways. This embodiment does not limit the specific way in which that IP address is obtained.
S1032: obtaining the IP addresses corresponding to the identical MAC addresses in the ARP table;
Because the ARP table stores the IP address of each electronic device in the LAN and the MAC address corresponding to that IP address, once the identical MAC addresses have been found in the ARP table, the IP address corresponding to each of them can be read directly from the ARP table.
S1033: comparing whether each IP address corresponding to the identical MAC addresses in the ARP table is the same as the IP address corresponding to the electronic device whose network connection state is abnormal.
With the IP address of the electronic device in the LAN whose network connection state is abnormal and the IP addresses corresponding to the identical MAC addresses in the ARP table both obtained, each IP address corresponding to the identical MAC addresses is compared with the IP address of the electronic device whose network connection state is abnormal.
S104: if an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is abnormal, the electronic device whose network connection state is abnormal is under ARP attack;
The electronic devices corresponding to the identical MAC addresses in the ARP table include the device corresponding to the attacking host and the devices corresponding to all attacked hosts. The function of the device corresponding to the attacking host is not affected in any way, so its network connection state is normal; only the devices corresponding to the attacked hosts have their network interrupted, that is, their network connection state is abnormal.
For example, two identical MAC addresses exist in the ARP table, and their corresponding IP addresses are IP1 and IP2. One of the electronic devices corresponding to IP1 and IP2 is then the attacking host and the other the attacked host. The IP addresses obtained for the identical MAC addresses in the ARP table are IP1 and IP2.
After step S1031 is performed, the IP address obtained for the electronic device in the LAN whose network connection state is abnormal is IP2.
IP1 and IP2, which correspond to the identical MAC addresses in the ARP table, are each compared with IP2, which corresponds to the electronic device whose network connection state is abnormal;
IP2 corresponding to the identical MAC address in the ARP table is the same as IP2 corresponding to the electronic device whose network connection state is abnormal, so the electronic device corresponding to IP2 is under ARP attack.
S105: if an electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is normal, disabling the network card of the electronic device whose network connection state is normal.
IP1 corresponding to the identical MAC address in the ARP table differs from IP2 corresponding to the electronic device whose network connection state is abnormal, so the network connection state of the electronic device corresponding to IP1 is normal, that is, the electronic device corresponding to IP1 is the ARP attacking host. The network card of the electronic device corresponding to IP1 is disabled, which prevents that device from continuing to attack other electronic devices in the LAN.
As can be seen from the above technical solution, the method for detecting ARP attacks disclosed in this embodiment judges whether the network connection state of the electronic devices in the LAN is abnormal, and judges whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN. Because the ARP table stores the IP addresses of all electronic devices in the whole LAN and the MAC address corresponding to each IP address, when at least two identical MAC addresses exist in the ARP table it can be determined that an ARP attacking host in the LAN has changed the MAC address of the attacked host to the MAC address of the ARP attacking host, that is, the MAC address corresponding to the attacking host is the same as the MAC address corresponding to the attacked host. To locate the electronic device in the LAN that is under ARP attack, it is judged whether each electronic device corresponding to the identical MAC addresses in the ARP table is an electronic device whose network connection state is abnormal. If it is, the ARP attack has interrupted that device's network, that is, the electronic device whose network connection state is abnormal is under ARP attack. By looking up the ARP table, the present application detects whether the electronic devices in the LAN whose network connection state is abnormal are under ARP attack, without ARP commands having to be entered on every electronic device one by one to judge whether each device is under ARP attack. This improves detection efficiency and shortens the detection cycle for detecting ARP attacks.
The invention discloses the detection method of another ARP attacks, referring to Fig. 2, the embodiment comprises the following steps:
S201, judge whether the network connection state of LAN inner electronic equipment is abnormal and corresponding with the LAN
It whether there is at least two identical MAC Address in the ARP table of interchanger;
If the network connection state of S202, the LAN inner electronic equipment is abnormal, and has at least two in the ARP table
Individual identical MAC Address, then search electronic equipment corresponding with identical MAC Address in the ARP table;
Step S101-S102 in embodiment in the present embodiment shown in step S201-S202 specific implementation and Fig. 1
Specific implementation it is identical, here is omitted.
S203, the corresponding IP address of electronic equipment for obtaining the network connection state exception in the LAN;
Step S203 specific implementation and the specific implementation of step S1031 in a upper embodiment in the present embodiment
Identical, here is omitted.
For example, the abnormal corresponding IP address of electronic equipment of the network connection state is IP2 in the LAN got.
S204, the acquisition IP address pair corresponding with the electronic equipment that the network connection state is abnormal in the ARP table
The MAC Address answered;
Because the corresponding electronic equipments of IP2 are an electronic equipments in LAN, therefore electronic equipment corresponding with IP2
IP address and MAC Address corresponding with IP address be all stored in ARP table.
MAC Address corresponding with IP2 is obtained in ARP table, the corresponding MAC Address of such as IP2 is MAC2.
The identical MAC Address whether respectively electronics abnormal with the network connection state in ARP table described in S205, comparison
The corresponding MAC Address of equipment is identical.
At least two identical MAC Address present in the ARP table can be known by performing step S201, for example
There are two MAC Address in ARP table is all MAC2.
Whether identical with the corresponding MAC2 of electronic equipment that the network connection state is abnormal compare MAC2 in ARP table.
S206, if the electronic equipment corresponding to the identical MAC addresses in the ARP table is the electronic equipment whose network connection state is abnormal, the electronic equipment whose network connection state is abnormal is under ARP attack.
The MAC2 in the ARP table is the same as the MAC2 corresponding to the electronic equipment whose network connection state is abnormal, that is, the electronic equipment corresponding to the identical MAC addresses in the ARP table is the electronic equipment whose network connection state is abnormal. The electronic equipment whose network connection state is abnormal, namely the electronic equipment corresponding to IP2, is therefore under ARP attack.
S207, if electronic equipment corresponding to the identical MAC addresses in the ARP table is electronic equipment whose network connection state is normal, disable the network interface card of the electronic equipment whose network connection state is normal.
Two MAC addresses in the ARP table are both MAC2, and each MAC2 corresponds to one piece of electronic equipment. One corresponds to the electronic equipment whose IP address is IP2, which is the electronic equipment under ARP attack. The electronic equipment corresponding to the other MAC2 is the electronic equipment of the attacking host. The network interface card of the electronic equipment corresponding to the attacking host is disabled.
As can be seen from the above technical solution, the ARP attack detection method disclosed in this embodiment judges whether the network connection state of electronic equipment in the LAN is abnormal, and judges whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN. If the network connection state of electronic equipment in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, the electronic equipment corresponding to the identical MAC addresses in the ARP table is looked up. The IP address corresponding to the electronic equipment in the LAN whose network connection state is abnormal is obtained, and the MAC address corresponding to that IP address is obtained from the ARP table. The identical MAC addresses in the ARP table are then compared with the MAC address corresponding to the electronic equipment whose network connection state is abnormal. If they are the same, the electronic equipment corresponding to the identical MAC addresses in the ARP table is the electronic equipment whose network connection state is abnormal, and that electronic equipment is under ARP attack. By comparing whether the identical MAC addresses in the ARP table are respectively the same as the MAC address corresponding to the electronic equipment whose network connection state is abnormal, the present application detects whether electronic equipment in the LAN whose network connection state is abnormal is under ARP attack, without entering ARP commands on each piece of electronic equipment one by one to judge whether it is under ARP attack. This improves detection efficiency and shortens the detection cycle for determining whether equipment is under ARP attack.
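The procedure of steps S201-S207, as an added example in Python that is not part of the patent: it parses a constructed ARP table, applies the reply-count rule to mark equipment as abnormal, and reports the attacked equipment and the equipment whose network interface card would be disabled. The table layout, the addresses and all function names are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a switch ARP table (column layout is an assumption).
# 192.0.2.20 plays the role of IP2; the shared MAC plays the role of MAC2.
SAMPLE_ARP_TABLE = """\
IP address      MAC address        Interface
192.0.2.1       00:11:22:33:44:01  Vlan10
192.0.2.10      00-11-22-33-44-0A  Vlan10
192.0.2.20      0011.2233.44AA     Vlan10
192.0.2.30      00:11:22:33:44:aa  Vlan10
"""

# Constructed probe results: packets sent to each device and replies counted
# within the timeout (the "predetermined quantity" rule of the method).
PACKETS_SENT = 4
SAMPLE_REPLIES = {"192.0.2.1": 4, "192.0.2.10": 4, "192.0.2.20": 1, "192.0.2.30": 4}


def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    digits = re.sub(r"[.:\-]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def parse_arp_table(text):
    """Return (ip, mac) pairs; header and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        mac = normalize_mac(fields[1])
        if mac:
            entries.append((ip, mac))
    return entries


def abnormal_ips(replies, sent):
    """A device is abnormal when its reply count differs from packets sent."""
    return {ip for ip, count in replies.items() if count != sent}


def duplicate_macs(entries):
    """Map each MAC that appears under two or more IPs to those IPs."""
    ips_by_mac = defaultdict(set)
    for ip, mac in entries:
        ips_by_mac[mac].add(ip)
    return {mac: ips for mac, ips in ips_by_mac.items() if len(ips) >= 2}


def detect(entries, replies, sent):
    """Apply S201-S207 and return the attacked IPs and the IPs to disable."""
    result = {"attacked": [], "disable_nic": []}
    abnormal = abnormal_ips(replies, sent)           # S201, first condition
    duplicates = duplicate_macs(entries)             # S201, second condition
    if not abnormal or not duplicates:               # S202 needs both
        return result
    mac_by_ip = dict(entries)
    for ip in sorted(abnormal):                      # S203: IP of abnormal device
        mac = mac_by_ip.get(ip)                      # S204: its MAC in the table
        if mac not in duplicates:                    # S205: compare with duplicates
            continue
        result["attacked"].append(ip)                # S206: abnormal and duplicated
        for other in sorted(duplicates[mac]):        # S207: same MAC, normal state
            if replies.get(other) == sent and other not in result["disable_nic"]:
                result["disable_nic"].append(other)
    return result


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    print(detect(table, SAMPLE_REPLIES, PACKETS_SENT))
```

One interface holding several IP addresses also yields a duplicate MAC address, so treat the output as a lead to confirm before disabling a network interface card.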
Corresponding to the above ARP attack detection method, the present invention also provides an ARP attack detection device, whose structural diagram is shown in Fig. 3. In this embodiment, the ARP attack detection device includes:
a first judging unit 301, a searching unit 302, a second judging unit 303 and a forbidding unit 304.
The first judging unit 301 is configured to judge whether the network connection state of electronic equipment in the LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN.
Optionally, the first judging unit 301 includes a transmitting unit 3011, a receiving unit 3012 and a third judging unit 3013, wherein:
The transmitting unit 3011 is configured to send a predetermined quantity of data packets to each piece of electronic equipment in the LAN.
The receiving unit 3012 is configured to detect the number of data packets returned by the electronic equipment that are received within a predetermined time.
The third judging unit 3013 is configured to judge whether the number of data packets returned by the electronic equipment is the same as the predetermined quantity.
If the number of data packets returned by the electronic equipment is the same as the predetermined quantity, the network connection state of the electronic equipment is normal.
If the number of data packets returned by the electronic equipment differs from the predetermined quantity, the network connection state of the electronic equipment is abnormal.
The searching unit 302 is configured to, if the network connection state of electronic equipment in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, look up the electronic equipment corresponding to the identical MAC addresses in the ARP table.
The second judging unit 303 is configured to judge whether the electronic equipment corresponding to the identical MAC addresses in the ARP table is, respectively, the electronic equipment whose network connection state is abnormal.
If the electronic equipment corresponding to the identical MAC addresses in the ARP table is the electronic equipment whose network connection state is abnormal, the electronic equipment whose network connection state is abnormal is under ARP attack.
Optionally, the second judging unit 303 includes:
a first acquisition unit 3031, configured to obtain the IP address corresponding to the electronic equipment in the LAN whose network connection state is abnormal;
a second acquisition unit 3032, configured to obtain the IP addresses corresponding to the identical MAC addresses in the ARP table;
a first comparing unit 3033, configured to compare whether the IP addresses corresponding to the identical MAC addresses in the ARP table are respectively the same as the IP address corresponding to the electronic equipment whose network connection state is abnormal.
The forbidding unit 304 is configured to, if electronic equipment corresponding to the identical MAC addresses in the ARP table is electronic equipment whose network connection state is normal, disable the network interface card of the electronic equipment whose network connection state is normal.
In the technical solution provided by this embodiment of the present invention, the first judging unit judges whether the network connection state of electronic equipment in the LAN is abnormal, and judges whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN. If the network connection state of electronic equipment in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, the searching unit looks up the electronic equipment corresponding to the identical MAC addresses in the ARP table, and the second judging unit then judges whether the electronic equipment corresponding to the identical MAC addresses in the ARP table is, respectively, the electronic equipment whose network connection state is abnormal. If the electronic equipment corresponding to the identical MAC addresses in the ARP table is the electronic equipment whose network connection state is abnormal, the electronic equipment whose network connection state is abnormal is under ARP attack. By looking up the ARP table, the present application detects whether electronic equipment in the LAN whose network connection state is abnormal is under ARP attack, without entering ARP commands on each piece of electronic equipment one by one to judge whether it is under ARP attack. This improves detection efficiency and shortens the detection cycle for determining whether equipment is under ARP attack.
Because the device provided by this embodiment corresponds to the method provided by the embodiments, its description is relatively brief; for related details, refer to the description of the method.
An embodiment of the present invention further provides an ARP attack detection device, whose structural diagram is shown in Fig. 4. The ARP attack detection device includes:
a first judging unit 401, a searching unit 402, a third acquiring unit 403, a fourth acquiring unit 404, a second comparing unit 405 and a forbidding unit 406. The specific working processes of the first judging unit 401, the searching unit 402 and the forbidding unit 406 are the same as those of the first judging unit 301, the searching unit 302 and the forbidding unit 304 in the embodiment corresponding to Fig. 3, and are not repeated here.
The third acquiring unit 403 is configured to obtain the IP address corresponding to the electronic equipment in the LAN whose network connection state is abnormal.
The fourth acquiring unit 404 is configured to obtain from the ARP table the MAC address corresponding to the IP address of the electronic equipment whose network connection state is abnormal.
The second comparing unit 405 is configured to compare whether the identical MAC addresses in the ARP table are respectively the same as the MAC address corresponding to the electronic equipment whose network connection state is abnormal.
In the technical solution provided by this embodiment of the present invention, the first judging unit judges whether the network connection state of electronic equipment in the LAN is abnormal, and judges whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN. If the network connection state of electronic equipment in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, the searching unit looks up the electronic equipment corresponding to the identical MAC addresses in the ARP table. The third acquiring unit then obtains the IP address corresponding to the electronic equipment in the LAN whose network connection state is abnormal, and the fourth acquiring unit obtains from the ARP table the MAC address corresponding to that IP address. Finally, the second comparing unit compares whether the identical MAC addresses in the ARP table are respectively the same as the MAC address corresponding to the electronic equipment whose network connection state is abnormal. If the electronic equipment corresponding to the identical MAC addresses in the ARP table is the electronic equipment whose network connection state is abnormal, the electronic equipment whose network connection state is abnormal is under ARP attack. By looking up the ARP table in a way different from the previous embodiment, the present application detects whether electronic equipment in the LAN whose network connection state is abnormal is under ARP attack, without entering ARP commands on each piece of electronic equipment one by one to judge whether it is under ARP attack. This improves detection efficiency and shortens the detection cycle for determining whether equipment is under ARP attack.
It should be noted that the embodiments in this specification are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another.
Finally, it should also be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" and any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.
Claims (10)
1. A detection method for ARP attacks, characterized by comprising:
judging whether the network connection state of electronic equipment in a LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN;
if the network connection state of the electronic equipment in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, looking up the electronic equipment corresponding to the identical MAC addresses in the ARP table;
judging whether the electronic equipment corresponding to the identical MAC addresses in the ARP table is, respectively, the electronic equipment whose network connection state is abnormal;
if the electronic equipment corresponding to the identical MAC addresses in the ARP table is the electronic equipment whose network connection state is abnormal, the electronic equipment whose network connection state is abnormal is under ARP attack.
2. The detection method according to claim 1, characterized in that the judging whether the electronic equipment corresponding to the identical MAC addresses in the ARP table is, respectively, the electronic equipment whose network connection state is abnormal comprises:
obtaining the IP address corresponding to the electronic equipment in the LAN whose network connection state is abnormal;
obtaining the IP addresses corresponding to the identical MAC addresses in the ARP table;
comparing whether the IP addresses corresponding to the identical MAC addresses in the ARP table are respectively the same as the IP address corresponding to the electronic equipment whose network connection state is abnormal.
3. The detection method according to claim 1, characterized in that the judging whether the electronic equipment corresponding to the identical MAC addresses in the ARP table is, respectively, the electronic equipment whose network connection state is abnormal comprises:
obtaining the IP address corresponding to the electronic equipment in the LAN whose network connection state is abnormal;
obtaining from the ARP table the MAC address corresponding to the IP address of the electronic equipment whose network connection state is abnormal;
comparing whether the identical MAC addresses in the ARP table are respectively the same as the MAC address corresponding to the electronic equipment whose network connection state is abnormal.
4. The detection method according to any one of claims 1-3, characterized in that the judging whether the network connection state of electronic equipment in the LAN is abnormal comprises:
sending a predetermined quantity of data packets to each piece of electronic equipment in the LAN;
detecting the number of data packets returned by the electronic equipment that are received within a predetermined time;
judging whether the number of data packets returned by the electronic equipment is the same as the predetermined quantity;
if the number of data packets returned by the electronic equipment is the same as the predetermined quantity, the network connection state of the electronic equipment is normal;
if the number of data packets returned by the electronic equipment differs from the predetermined quantity, the network connection state of the electronic equipment is abnormal.
5. The detection method according to any one of claims 1-3, characterized in that, after the step in which, if the electronic equipment corresponding to the identical MAC addresses in the ARP table is the electronic equipment whose network connection state is abnormal, the electronic equipment whose network connection state is abnormal is under ARP attack, the method further comprises:
if electronic equipment corresponding to the identical MAC addresses in the ARP table is electronic equipment whose network connection state is normal, disabling the network interface card of the electronic equipment whose network connection state is normal.
6. A detection device for ARP attacks, characterized by comprising:
a first judging unit, configured to judge whether the network connection state of electronic equipment in a LAN is abnormal, and whether at least two identical MAC addresses exist in the ARP table of the switch corresponding to the LAN;
a searching unit, configured to, if the network connection state of the electronic equipment in the LAN is abnormal and at least two identical MAC addresses exist in the ARP table, look up the electronic equipment corresponding to the identical MAC addresses in the ARP table;
a second judging unit, configured to judge whether the electronic equipment corresponding to the identical MAC addresses in the ARP table is, respectively, the electronic equipment whose network connection state is abnormal;
if the electronic equipment corresponding to the identical MAC addresses in the ARP table is the electronic equipment whose network connection state is abnormal, the electronic equipment whose network connection state is abnormal is under ARP attack.
7. The detection device according to claim 6, characterized in that the second judging unit comprises:
a first acquisition unit, configured to obtain the IP address corresponding to the electronic equipment in the LAN whose network connection state is abnormal;
a second acquisition unit, configured to obtain the IP addresses corresponding to the identical MAC addresses in the ARP table;
a first comparing unit, configured to compare whether the IP addresses corresponding to the identical MAC addresses in the ARP table are respectively the same as the IP address corresponding to the electronic equipment whose network connection state is abnormal.
8. The detection device according to claim 6, characterized in that the second judging unit comprises:
a third acquiring unit, configured to obtain the IP address corresponding to the electronic equipment in the LAN whose network connection state is abnormal;
a fourth acquiring unit, configured to obtain from the ARP table the MAC address corresponding to the IP address of the electronic equipment whose network connection state is abnormal;
a second comparing unit, configured to compare whether the identical MAC addresses in the ARP table are respectively the same as the MAC address corresponding to the electronic equipment whose network connection state is abnormal.
9. The detection device according to any one of claims 6-8, characterized in that the first judging unit comprises:
a transmitting unit, configured to send a predetermined quantity of data packets to each piece of electronic equipment in the LAN;
a receiving unit, configured to detect the number of data packets returned by the electronic equipment that are received within a predetermined time;
a third judging unit, configured to judge whether the number of data packets returned by the electronic equipment is the same as the predetermined quantity;
if the number of data packets returned by the electronic equipment is the same as the predetermined quantity, the network connection state of the electronic equipment is normal;
if the number of data packets returned by the electronic equipment differs from the predetermined quantity, the network connection state of the electronic equipment is abnormal.
10. The detection device according to any one of claims 6-8, characterized in that the detection device further comprises:
a forbidding unit, configured to, if electronic equipment corresponding to the identical MAC addresses in the ARP table is electronic equipment whose network connection state is normal, disable the network interface card of the electronic equipment whose network connection state is normal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710221269.6A CN107018136A (en) | 2017-04-06 | 2017-04-06 | A kind of detection method and device of ARP attacks |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107018136A (en) | 2017-08-04 |
Family
ID=59445344
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710221269.6A Pending CN107018136A (en) | 2017-04-06 | 2017-04-06 | A kind of detection method and device of ARP attacks |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107018136A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170804 |