CN107040507A - Network blocking method and equipment - Google Patents
Publication number: CN107040507A (application CN201611021969.2A)
Authority: CN (China)
Prior art keywords: package, address, equipment, block group, forgery
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L61/103: Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP] (under H04L61/00, Network arrangements, protocols or services for addressing or naming)
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/02, Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
- H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/14, Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)
Abstract
The invention provides a network blocking method and device suitable for network management of networking devices in a network domain. The method comprises the following steps. It is determined whether a networking device belongs to a blocked group. At least one forged address is generated; this forged address is excluded from the physical addresses of the networking devices in the blocked group. Then a forged packet is broadcast for each networking device in the blocked group, the forged packet including one of the forged addresses. Network blocking can thereby be achieved effectively.
Description
Technical field
The present invention relates to network management technology, and in particular to a network blocking method and device.
Background technology
With the rapid development of science and technology, all kinds of electronic devices have become increasingly common. To share resources, the network has become essential equipment for exchanging information, which has driven the rapid growth of commercial and household networking devices (for example smart phones, smart cameras, wireless routers, smart televisions and so on). In response to the deployment of large numbers of networking devices, network administrators also need to manage and control the network functions of these devices.
On the other hand, information security is a major problem facing network management. When confronted with networking devices that violate the information security policy (for example, pirated software installed, virus signatures not updated, excessive broadcasting, and so on), network administrators usually apply network blocking to these devices to prevent them from further affecting other networking devices in the domain. There is therefore a need for a network blocking scheme that is effective and meets practical requirements.
Summary of the invention
The present invention provides a network blocking method and device which block the network access of networking devices to be blocked by broadcasting forged packets carrying a forged address.
The present invention proposes a network blocking method suitable for network management of networking devices in a network domain, comprising the following steps. It is determined whether a networking device belongs to a blocked group. At least one forged address is generated; this forged address is excluded from the physical addresses of the networking devices in the blocked group. Then a forged packet is broadcast for each networking device in the blocked group, the forged packet including one of the forged addresses.
From another viewpoint, the present invention also proposes a network blocking device suitable for network management of networking devices in a network domain, comprising a communication module and a processing unit. The communication module transmits and receives packets. The processing unit is connected to the communication module and is configured to perform the following steps. It is determined whether a networking device belongs to a blocked group. At least one forged address is generated, the forged addresses being excluded from the physical addresses of the networking devices in the blocked group. Then, for each networking device in the blocked group, a forged packet is broadcast through the communication module, the forged packet including one of the forged addresses.
Based on the above, the network blocking method and device proposed by the embodiments of the present invention generate a forged address for the networking devices belonging to the blocked group and broadcast a gratuitous address resolution protocol (GARP) reply packet containing that forged address. Accordingly, if another networking device intends to transmit a packet to a networking device in the blocked group, the packet cannot be delivered, so the network of the blocked group is blocked. Because broadcasting is used, the number of packets transmitted is greatly reduced, and the scheme scales to a large number of networking devices. On the other hand, for a small number of networking devices to be blocked, the embodiments of the present invention also intercept address resolution protocol (ARP) packets and transmit forged ARP packets, so as to block the packets sent by the networking devices to be blocked.
To make the above features and advantages of the present invention more apparent, embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
Fig. 1 is a schematic diagram illustrating a communication system according to an embodiment of the present invention.
Fig. 2 is a component block diagram illustrating a network blocking device according to an embodiment of the present invention.
Fig. 3 is a flow chart illustrating a network blocking method according to an embodiment of the present invention.
Fig. 4 is a flow chart illustrating an example of network blocking.
Description of reference numerals
10:Communication system;
110:Networking gear;
150:Network blocking equipment;
151:Communication module;
155:Processing unit;
S310~S350, S410~S490:Step.
Embodiment
A gratuitous address resolution protocol (GARP) reply packet is a kind of ARP reply packet; to broadcast a GARP reply packet, its target medium access control (MAC) address must be set to FF:FF:FF:FF:FF:FF. The embodiments of the present invention broadcast GARP reply packets so that the networking devices in the domain receive forged GARP reply packets (which include, for example, a forged address), so that those networking devices cannot deliver packets to the networking devices in the blocked group. This suits environments with a limited ARP entry lifetime and a large number of networking devices. In addition, the embodiments of the present invention also intercept the ARP request packets of the networking devices in the blocked group and answer them with forged ARP reply packets (which include, for example, a forged address), so that the subsequent transmissions of the blocked group cannot be completed. Several embodiments consistent with the spirit of the present invention are set out below; those applying these embodiments may adjust them according to their requirements and are not limited to the content described below.
Fig. 1 is a schematic diagram illustrating a communication system according to an embodiment of the present invention. Referring to Fig. 1, the communication system 10 includes one or more networking (IP-connected) devices 110 and a network blocking device 150. In the present embodiment, all devices in the communication system 10 are in the same domain (for example, a local area network (LAN) or an internal network). In other embodiments, some devices in the communication system 10 may be in different networks, in which case the communication system 10 may additionally include an ARP proxy device. The number of networking devices 110 in Fig. 1 is only an example and does not limit the embodiments of the present invention.
A networking device 110 may be an electronic apparatus such as a computer, mobile phone, wireless router, server, smart phone, display device, smart camera, router or network switch, which can transmit data to, or connect to the Internet with, another networking device 110 and the network blocking device 150 based on at least one protocol such as IP, transmission control protocol (TCP) or user datagram protocol (UDP).
The network blocking device 150 may be any type of server, wireless router, router, network switch, computer, workstation or similar equipment. In practice, the network blocking device 150 may be the device used by network administrators as the network control center in the domain. In terms of hardware, Fig. 2 is a component block diagram illustrating the network blocking device 150 according to an embodiment of the present invention. Referring to Fig. 2, the network blocking device 150 includes at least (but is not limited to) a communication module 151 and a processing unit 155.
The communication module 151 may be any type of wireless network interface module supporting the WiFi standard or otherwise capable of wireless transmission, any type of wired network interface module supporting Ethernet, optical fiber or other wired transmission, or a combination of wireless and wired network interface modules. In the embodiments of the present invention, the network blocking device 150 communicates with the networking devices 110 through the communication module 151.
The processing unit 155 is connected to the communication module 151 and may be a central processing unit (CPU), another programmable general-purpose or special-purpose microprocessor, a digital signal processor (DSP), a programmable controller, an application specific integrated circuit (ASIC), another similar component, or a combination of the above components. In the embodiments of the present invention, the processing unit 155 performs all operations of the network blocking device 150.
To facilitate understanding of the operation of the embodiments of the present invention, the network blocking method of the network blocking device 150 is described in detail below with reference to several embodiments. Fig. 3 is a flow chart illustrating a network blocking method according to an embodiment of the present invention. Referring to Fig. 3, the method of the present embodiment is applied to the network blocking device 150 of Fig. 1 and Fig. 2. In the following, the method of the embodiment of the present invention is explained with reference to the components and modules of the network blocking device 150. Each step of the method may be adjusted according to the implementation and is not limited to what is described. In addition, the embodiments of the present invention can be divided into active blocking and passive blocking; active blocking is described first.
In step S310, the processing unit 155 of the network blocking device 150 determines whether a networking device 110 belongs to the blocked group. Specifically, network administrators may set a management policy for the network management of each networking device 110 in the domain. The management policy may concern identity verification, system updates, virus signature updates, prohibited software, network anomalies, newly joined networking devices 110 in the domain, IP conflicts, legal or regulatory requirements, and so on; the embodiments of the present invention are not limited in this respect. Networking devices 110 that violate the management policy are placed in the blocked group so that the communication of the blocked group within the domain can be blocked, preventing each networking device 110 in the blocked group from affecting, via the network, the networking devices 110 of groups that are not blocked (for example, the normal group).
It should be noted that, because the network blocking device 150 serves as the network control center in the network, it stores the online information of each networking device 110 in the domain (for example IP address, physical address (MAC address), port, virtual local area network (VLAN) identifier (ID), and so on) and device information (for example computer name, group name, and so on). It may also use real-time event detection (for example excessive traffic, IP address aging, login operations, installed prohibited software, usage time exceeding a predetermined idle time, and so on) to assist in determining whether a networking device 110 belongs to the blocked group.
In step S330, the processing unit 155 of the network blocking device 150 generates a forged address. This forged address is excluded from the physical addresses of the networking devices 110 in the blocked group. Specifically, in the ARP flow, device A sends an ARP request packet asking for the physical address of device B, and device B replies with its physical address to device A, so that subsequent communication between devices A and B can proceed. To achieve network blocking, in the active blocking embodiment the network blocking device 150 generates a forged address for each networking device 110 in the blocked group, so that when a networking device 110 in the domain intends to transmit data to a networking device 110 in the blocked group, the data is transmitted to the forged address instead. The data intended for each networking device 110 in the blocked group is thus not delivered.
The forged address may be set to the physical address of the network blocking device 150, a special physical address (for example 00:00:00:00:00:01 or FF:FF:FF:00:00:00), or a randomly generated physical address. Any physical address that differs from and is unrelated to those of the networking devices 110 in the blocked group may be used, except 00:00:00:00:00:00 and FF:FF:FF:FF:FF:FF; the present invention is not limited in this respect.
In step S350, for each networking device 110 in the blocked group, the processing unit 155 of the network blocking device 150 broadcasts a forged packet through the communication module 151, and this forged packet includes one of the forged addresses. In the present embodiment the forged packet is a GARP reply packet. The processing unit 155 broadcasts, in sequence (for example one every 0.03 or 0.05 seconds, moving on to the next networking device 110 to be blocked), a GARP reply packet containing one of the forged addresses for each networking device 110 in the blocked group through the communication module 151. In addition, this GARP reply packet also includes the IP address of one of the networking devices 110 in the blocked group.
Specifically, assume a situation in which a certain LAN has n networking devices 110 (including a device C in the blocked group, n being a positive integer). The processing unit 155 could transmit, through the communication module 151, a forged ARP packet (including a forged address) to each of the other n-1 networking devices 110 (excluding the blocked device C), informing these n-1 devices that the MAC address of device C is the forged address (for example 00:00:00:00:00:01). When these n-1 devices intend to transmit data to device C, the data carries the forged MAC address and cannot be delivered to device C correctly.
In another situation, in order to block the communication from device C to the other n-1 networking devices 110, the processing unit 155 of the network blocking device 150 needs to send n-1 forged ARP packets to device C through the communication module 151, telling device C that the MAC addresses of the n-1 networking devices 110 are the forged address. Therefore, when device C intends to transmit data to these n-1 networking devices 110, the data is sent to the forged address, and the data sent by device C cannot be delivered correctly to the n-1 networking devices 110.
In both of the above situations, in order not to disturb the operation of the networking devices 110, the processing unit 155 generally pauses for, for example, 0.03 seconds after sending each forged ARP packet through the communication module 151 before sending the next one. However, the forged ARP information stored in the networking devices 110 has a limited validity period, so every 60 seconds the processing unit 155 has to retransmit the forged ARP information to the networking devices 110 through the communication module 151. Otherwise the forged ARP information expires and the communication between the devices can no longer be effectively blocked. The above situations therefore have the following drawbacks:
A. As the number of networking devices 110 increases, blocking fails
Assume there are 1200 networking devices 110. To block the communication between one device C and the other 1199 online devices 110, the network blocking device 150 needs to send one forged ARP packet to each of the other 1199 online devices 110 (excluding device C), informing each of them that the MAC address of device C is some forged address. The network blocking device 150 also needs to send 1199 forged ARP packets to device C, informing device C that the MAC addresses of the 1199 online devices 110 are some forged address. In total, 1199 + 1199 = 2398 forged ARP packets must be sent to block the communication between device C and the other 1199 online devices 110. However, since a pause of 0.03 seconds is needed after each forged ARP packet before the next one is sent, sending 2398 forged packets takes at least (2398 - 1) * 0.03 = 71.91 seconds. The forged ARP information received by the online devices 110 during roughly the first 11 seconds therefore expires between the 60th and 71st second, at which point device C has an opportunity to communicate with the other 1199 online devices 110.
B. A small increase in the number of devices to be blocked causes blocking to fail
Assume there are 500 online devices 110, of which 5 devices D to H are to be blocked. The processing unit 155 of the network blocking device 150 needs to send one forged ARP packet to each of the other 495 online devices 110 through the communication module 151, and needs to send 495 forged ARP packets to device D (the forged ARP packets for blocking devices E to H are sent in the same or a similar way as for device D and are not repeated here). Blocking the communication between devices D to H and the other 495 online devices 110 therefore requires (495 + 495) * 5 = 4950 forged ARP packets, which takes at least (4950 - 1) * 0.03 = 148.47 seconds. The forged ARP information received by these online devices 110 then expires successively between the 60th and 148th second, so devices D to H have an opportunity to communicate with the other 495 devices during that time.
To overcome the above drawbacks, in the active blocking embodiment of the present invention, relying on the support for broadcast GARP reply packets (whose destination MAC address is, for example, FF:FF:FF:FF:FF:FF, and whose destination IP address is, for example, 0.0.0.0), the processing unit 155 of the network blocking device 150 generates a corresponding GARP reply packet for each networking device 110 in the blocked group and sends it through the communication module 151. The source IP address of each GARP reply packet is set to the IP address of one of the networking devices 110 in the blocked group, and its source MAC address is set to one of the forged addresses, in order to inform the networking devices 110 that the MAC address of that particular IP address (that is, the IP address of one of the networking devices 110 in the blocked group) is the forged address.
For example, if the IP address of device C is 192.168.4.6, the source IP address of the forged GARP reply corresponding to device C is set to 192.168.4.6 and its source MAC address is set to 00:00:00:00:00:01.
Compared with the situation described earlier (one forged ARP packet had to be sent to each of the other n-1 networking devices 110, so n-1 forged ARP packets in total), the embodiment of the present invention only needs to send one forged GARP reply packet for a given networking device 110 in the blocked group (for example device C), and all of the other n-1 networking devices 110 receive the information that the MAC address of device C is the forged address. Therefore, when these n-1 networking devices 110 transmit data to device C, the data is transmitted to the forged address and cannot be delivered to device C correctly.
In addition, before a given GARP reply packet (for example, the one for a given networking device 110 in the blocked group) expires, the processing unit 155 of the network blocking device 150 broadcasts that GARP reply packet again through the communication module 151. Specifically, GARP reply packets have an aging time (for example 60 seconds or 50 seconds, depending on the receiving device). Therefore, every specific period (for example 60 seconds, or the validity period mentioned above) the processing unit 155 of the network blocking device 150 broadcasts again, through the communication module 151, the same or a different GARP reply packet (for example, the forged address may change, but the source IP address in the GARP reply packet is still that of the networking device 110 in the blocked group), until the networking device 110 to be blocked no longer belongs to the blocked group.
On the other hand, in the passive blocking embodiment, in step S310 the processing unit 155 of the network blocking device 150 also captures ARP request packets through the communication module 151 and determines whether the source of an ARP request packet corresponds to a networking device in the blocked group. Specifically, when a networking device 110 in the blocked group intends to communicate with another networking device 110, it broadcasts an ARP request packet in an attempt to obtain the MAC address of the networking device 110 it wants to communicate with. The processing unit 155 monitors the broadcast ARP request packets through the communication module 151 and captures the ARP request packets sent by each networking device 110 in the blocked group.
Then, if the source of the ARP request packet corresponds to a networking device 110 in the blocked group, the processing unit 155 of the network blocking device 150 transmits, through the communication module 151, an ARP reply packet including one of the forged addresses to the networking device 110 (belonging to the blocked group) that sent the ARP request packet. In this ARP reply packet, the source IP address is set to the IP address queried in the ARP request packet, the source MAC address is set to the forged address (for example 00:00:00:00:00:01), and the destination IP address and MAC address are the IP address and MAC address of the networking device 110 that sent the ARP request packet.
For example, device C transmits an ARP request packet (with destination IP address 192.168.9.5), and the network blocking device 150 receives this ARP request packet and accordingly replies to device C with a forged ARP reply packet (with source IP address 192.168.9.5, forged source MAC address 00:00:00:00:00:01, and destination IP address and MAC address equal to the IP address and MAC address of device C).
Conversely, if the source of the ARP request packet does not correspond to a networking device 110 in the blocked group, the processing unit 155 of the network blocking device 150 does not reply with a forged reply packet.
Compared with the situation described earlier (device C had to be told that each of the other n-1 networking devices 110 has the forged address, so n-1 forged ARP packets were sent in total), the embodiment of the present invention can effectively block the communication of the networking devices 110 in the blocked group merely by intercepting the ARP request packets they send. When device C, which belongs to the blocked group, intends to transmit data to the other n-1 networking devices 110, the data is sent to the forged address and cannot be delivered correctly to the networking device 110 it intends to communicate with.
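The active mode (step S350: one broadcast GARP reply per blocked device) and the passive mode (steps S470 to S490: a unicast forged reply to a captured ARP request from a blocked device) both come down to building 42-byte Ethernet/ARP frames with chosen sender fields. The following Python is an added example written for this page, not code from the patent or from any product; it builds and parses those frames using only the standard library, models a host ARP cache that accepts replies, and never puts anything on the wire. The device names, the real MAC addresses and the helper names (`gratuitous_reply`, `passive_reply`, `learn_from_reply`) are assumptions for illustration; the IP addresses 192.168.4.6 and 192.168.9.5 and the forged MAC 00:00:00:00:00:01 are the page's own examples.

```python
"""Added example: builds and parses the forged ARP frames used by the active
(broadcast GARP reply) and passive (forged reply to a captured ARP request)
blocking modes.  Pure standard library; nothing is put on the wire."""
from __future__ import annotations

import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

@dataclass(frozen=True)
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def build_frame(dst_mac: str, src_mac: str, arp: Arp) -> bytes:
    """Ethernet II header (14 bytes) + Ethernet/IPv4 ARP payload (28 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, arp.op)  # htype, ptype, hlen, plen, op
    body = (mac_bytes(arp.sender_mac) + ip_bytes(arp.sender_ip)
            + mac_bytes(arp.target_mac) + ip_bytes(arp.target_ip))
    return eth + hdr + body

def parse_frame(frame: bytes) -> tuple[str, str, Arp]:
    """Return (dst_mac, src_mac, Arp); reject anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    arp = Arp(op, mac_str(frame[22:28]), ip_str(frame[28:32]),
              mac_str(frame[32:38]), ip_str(frame[38:42]))
    return mac_str(frame[:6]), mac_str(frame[6:12]), arp

def is_usable_forged_mac(mac: str, blocked_macs: set[str]) -> bool:
    """Step S330: not all-zero, not broadcast, not the real MAC of a blocked device."""
    mac = mac.lower()
    return mac not in {ZERO_MAC, BROADCAST_MAC} and mac not in {m.lower() for m in blocked_macs}

def gratuitous_reply(forged_mac: str, blocked_ip: str, target_ip: str | None = None) -> bytes:
    """Step S350 (active mode): broadcast GARP reply saying blocked_ip is at forged_mac.
    A conventional gratuitous reply uses target IP = sender IP; the patent text gives
    0.0.0.0 as an example destination IP, which can be passed explicitly."""
    arp = Arp(ARP_REPLY, forged_mac, blocked_ip, BROADCAST_MAC, target_ip or blocked_ip)
    return build_frame(BROADCAST_MAC, forged_mac, arp)

def active_block_frames(blocked: dict[str, str], forged_mac: str) -> list[bytes]:
    """One GARP reply per blocked device (IP -> real MAC): y frames for y devices."""
    if not is_usable_forged_mac(forged_mac, set(blocked.values())):
        raise ValueError("forged MAC collides with a blocked device or a reserved address")
    return [gratuitous_reply(forged_mac, ip) for ip in blocked]

def passive_reply(frame: bytes, blocked_ips: set[str], forged_mac: str) -> bytes | None:
    """Steps S470-S490 (passive mode): answer an ARP request from a blocked device with a
    unicast forged reply; return None for requests from anyone else (step S480 'no')."""
    _dst, _src, req = parse_frame(frame)
    if req.op != ARP_REQUEST or req.sender_ip not in blocked_ips:
        return None
    reply = Arp(ARP_REPLY, forged_mac, req.target_ip, req.sender_mac, req.sender_ip)
    return build_frame(req.sender_mac, forged_mac, reply)

def learn_from_reply(cache: dict[str, str], frame: bytes) -> dict[str, str]:
    """Toy host ARP cache that accepts any reply; the behaviour the scheme depends on."""
    _dst, _src, arp = parse_frame(frame)
    if arp.op == ARP_REPLY:
        cache[arp.sender_ip] = arp.sender_mac
    return cache

if __name__ == "__main__":
    # Constructed sample: blocked device C at 192.168.4.6, normal-group device x1 at 192.168.9.5.
    forged, c_mac = "00:00:00:00:00:01", "aa:bb:cc:dd:ee:01"
    x1_cache = learn_from_reply({"192.168.4.6": c_mac}, gratuitous_reply(forged, "192.168.4.6"))
    print("x1 now resolves C to", x1_cache["192.168.4.6"])
    request = build_frame(BROADCAST_MAC, c_mac,
                          Arp(ARP_REQUEST, c_mac, "192.168.4.6", ZERO_MAC, "192.168.9.5"))
    print("forged reply handed to C:", parse_frame(passive_reply(request, {"192.168.4.6"}, forged))[2])
```

Putting the frames on the wire requires a raw socket (`AF_PACKET` on Linux) or a packet library; the refresh loop from the text (resend every 60 seconds, 0.03 seconds apart) simply wraps `active_block_frames`. Two caveats the page does not discuss: a host that ignores unsolicited ARP replies, or a switch running dynamic ARP inspection that validates ARP against its DHCP snooping bindings, is not affected by the broadcast GARP at all; and choosing the blocking device's own MAC as the forged address, which the page allows, turns the blocking device into the sink for all traffic meant for the blocked group.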
To help those skilled in the art understand the operation of this invention, another example is given below. Fig. 4 is a flow chart illustrating an example of network blocking. Referring to Fig. 1 and Fig. 4, the implementation is explained below with reference to the networking devices 110 and the network blocking device 150 of Fig. 1. Each step may be adjusted according to the implementation and is not limited to what is described.
First, the network blocking device 150 determines, based on the management policy (for example, whether prohibited software is installed, whether the system is updated, whether virus signatures are updated), whether blocking is required (step S410), and if so (a policy-violating event has occurred) divides the networking devices 110 into a normal group and a blocked group (step S420). Assume that the normal group contains x networking devices 110 and the blocked group contains y networking devices 110, where x and y are positive integers.
To block data transmission from the normal group to the blocked group (that is, active network blocking), the network blocking device 150 sends, every 60 seconds and at 0.03-second intervals, the y forged GARP reply packets for the blocked group in sequence (step S430). These y GARP reply packets each indicate that the MAC address of one of the y networking devices 110 is the forged address (for example 00:00:00:00:00:01). The x networking devices 110 receive these y forged GARP reply packets in sequence and will regard the MAC addresses of the y networking devices 110 as the forged address (for example 00:00:00:00:00:01). Therefore, when the x networking devices 110 transmit data to the y networking devices 110, the data is sent to a forged address that belongs to no device, achieving the purpose of communication blocking. On the other hand, if blocking is not required, the network blocking device 150 stops capturing ARP request packets (step S440) and ends the procedure accordingly (step S450).
To block data transmission from the blocked group to the normal group (that is, passive network blocking), the network blocking device 150 determines whether to stop capturing ARP request packets (step S460). If so (for example, y is zero), the procedure ends (step S450). Otherwise (for example, y is 5), the network blocking device 150 captures ARP request packets (step S470). Then the network blocking device 150 determines whether the ARP request packet belongs to the blocked group (step S480). If so (for example, the source of the ARP request packet is one of the y networking devices 110 in the blocked group), the network blocking device 150 replies to that one of the y networking devices 110 that sent the ARP request packet with a forged ARP reply packet (for example, its source IP address is the destination IP address set in the ARP request packet and its source MAC address is set to 00:00:00:00:00:01) (step S490). Therefore, when one of the y networking devices 110 (for example device y1) transmits data to one of the x networking devices 110 (for example device x1), the data is sent to the non-existent forged address. In addition, when these forged ARP reply entries expire after 60 seconds, device y1 may send an ARP request packet again to ask for the MAC address of device x1, and the network blocking device 150 again replies to device y1 with a forged ARP reply packet (for example, with the source MAC address set to 00:00:00:00:00:01), telling device y1 that the MAC address of device x1 is the non-existent MAC address 00:00:00:00:00:01. This repeats continually to achieve the purpose of communication blocking.
In summary, the network blocking method and device proposed by the embodiments of the present invention actively send forged GARP reply packets and passively respond with forged ARP reply packets, thereby blocking data transmission both from the normal group to the blocking group and from the blocking group to the normal group.
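The following Python script is an added illustration and is not part of the patent or of any implementation by the applicant. It takes the defender's view of the two mechanisms described above: it parses ARP frames and flags, first, replies that rebind an IP address to a MAC address other than its trusted one (both the broadcast GARP replies of the active path and the unicast reply of the passive path), and second, a single MAC address, such as the forged 00:00:00:00:00:01, being announced for several IP addresses within one 60-second ARP cache lifetime, which is the signature of the per-device GARP sequence. The trusted IP-to-MAC baseline, the device addresses and the captured frames are constructed sample data.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REPLY = 2
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": frame[0:6], "op": op, "sha": frame[22:28],
            "spa": frame[28:32], "tha": frame[32:38], "tpa": frame[38:42]}


def is_gratuitous_reply(arp):
    """A gratuitous ARP reply announces the sender's own IP address to everyone."""
    return arp["op"] == ARP_REPLY and arp["spa"] == arp["tpa"] and arp["eth_dst"] == BROADCAST


def analyse(frames, baseline, window=60.0, min_ips=3):
    """frames: iterable of (seconds, bytes); baseline: trusted {ip: mac} map.
    Returns alert strings for rebinds and for one MAC claiming min_ips IPs in a window."""
    alerts = []
    claims = defaultdict(list)  # mac -> [(time, ip)] announced in ARP replies
    for ts, frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        sha, spa = mac_str(arp["sha"]), ip_str(arp["spa"])
        # 1. The reply contradicts the trusted binding for that IP (active or passive path)
        if spa in baseline and baseline[spa] != sha:
            kind = "gratuitous" if is_gratuitous_reply(arp) else "unicast"
            alerts.append(f"{ts:.2f}s {kind} reply rebinds {spa} from {baseline[spa]} to {sha}")
        # 2. The same MAC is announced for many IPs inside one cache lifetime (GARP sequence)
        recent = [(t, ip) for t, ip in claims[sha] if ts - t <= window]
        known = {ip for _, ip in recent}
        if spa not in known:
            recent.append((ts, spa))
            known.add(spa)
            if len(known) == min_ips:  # fire once, when the threshold is first crossed
                alerts.append(f"{ts:.2f}s {sha} claimed for {min_ips} IPs within "
                              f"{window:.0f}s: {sorted(known)}")
        claims[sha] = recent
    return alerts


def _frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build one constructed Ethernet/ARP frame for the sample capture below."""
    return (eth_dst + eth_src + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa)


# Constructed addresses: the forged MAC from the description, three blocking-group
# devices y1..y3 and one normal-group device x1 (all hypothetical).
FORGED = bytes.fromhex("000000000001")
Y1_MAC, Y2_MAC, Y3_MAC = (bytes.fromhex(m) for m in ("020000000011", "020000000012", "020000000013"))
Y1_IP, Y2_IP, Y3_IP = (bytes([192, 168, 1, n]) for n in (11, 12, 13))
X1_MAC, X1_IP = bytes.fromhex("020000000101"), bytes([192, 168, 1, 101])

BASELINE = {ip_str(ip): mac_str(mac) for ip, mac in
            ((Y1_IP, Y1_MAC), (Y2_IP, Y2_MAC), (Y3_IP, Y3_MAC), (X1_IP, X1_MAC))}

# Constructed capture: three forged GARP replies 0.03 s apart (active path), then a
# genuine reply from x1 to y1 followed by a forged unicast reply to y1 (passive path).
SAMPLE_CAPTURE = [
    (0.00, _frame(BROADCAST, FORGED, ARP_REPLY, FORGED, Y1_IP, BROADCAST, Y1_IP)),
    (0.03, _frame(BROADCAST, FORGED, ARP_REPLY, FORGED, Y2_IP, BROADCAST, Y2_IP)),
    (0.06, _frame(BROADCAST, FORGED, ARP_REPLY, FORGED, Y3_IP, BROADCAST, Y3_IP)),
    (5.00, _frame(Y1_MAC, X1_MAC, ARP_REPLY, X1_MAC, X1_IP, Y1_MAC, Y1_IP)),
    (5.01, _frame(Y1_MAC, FORGED, ARP_REPLY, FORGED, X1_IP, Y1_MAC, Y1_IP)),
]


def run_sample():
    return analyse(SAMPLE_CAPTURE, BASELINE)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The genuine reply at 5.00 s produces no alert because it matches the baseline, while the three GARP replies trigger three rebind alerts and, on the third, the one-MAC-many-IPs alert; the unicast forged reply at 5.01 s is reported as a rebind of x1's address. In practice the baseline would come from DHCP leases or a switch's MAC table rather than a hard-coded map.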
Accordingly, regarding the aforementioned drawback A (the number of online devices increases): assume there are 1200 online networked devices, and 1199 of them are to be blocked from communicating with device C. The embodiment of the present invention need only send a single forged GARP reply packet to inform these 1199 networked devices that the MAC address of device C is a forged MAC address. The time needed to send this GARP reply packet does not exceed 60 seconds, so there is enough time to resend the forged GARP reply packet before the information from the forged GARP reply expires at the next 60-second boundary. To block device C from communicating with the 1199 networked devices: since device C broadcasts an ARP request packet to obtain the MAC address of the device it wants to communicate with before communicating, it suffices to respond to device C with a forged ARP reply packet built from the information in that ARP request packet (telling device C that the MAC address of the device it wants to communicate with is some forged MAC address); device C is then unable to send data to that device. If device C broadcasts another ARP request packet to ask for the MAC address of the device it wants to communicate with, the embodiment of the present invention likewise responds to device C with a forged ARP reply packet based on the information in that ARP request packet (again telling device C that the MAC address of the device it wants to communicate with is some forged address). This cycle repeats until device C stops trying to communicate with the other normal devices.
Regarding the aforementioned drawback B (the number of devices to be blocked increases slightly): assume there are 500 online networked devices, and 495 normal devices are to be blocked from communicating with devices D to H. It suffices to send 5 forged GARP reply packets to inform these 495 devices that the MAC addresses of devices D to H are forged MAC addresses (these 5 forged GARP reply packets are also sent 0.03 seconds apart). Sending the 5 GARP reply packets, including the transmission intervals, takes about (5-1) * 0.03 = 0.12 seconds, which does not exceed 60 seconds. Therefore, before the information in these 5 forged GARP reply packets expires at the next 60-second boundary, the embodiment of the present invention immediately resends the 5 forged GARP reply packets. As for blocking devices D to H from communicating with the 495 devices: since devices D to H send an ARP request packet to obtain the MAC address of the normal device they want to reach before communicating with it, it suffices to respond to devices D to H with forged ARP reply packets based on the information in that ARP request packet (telling devices D to H that the MAC address of the normal device they want to communicate with is a forged address); devices D to H are then unable to send data to the networked device they want to communicate with.
The embodiments described above express only several embodiments of the present invention. Their description is specific and detailed, but this shall not be construed as limiting the scope of the claims of the present invention. It should be noted that a person of ordinary skill in the art may make various modifications and improvements without departing from the inventive concept, and these fall within the scope of protection of the present invention. Therefore, the scope of protection of this patent shall be determined by the appended claims.
Claims (10)
1. A network blocking method, adapted for network management of a plurality of networked devices in a network domain, characterized by comprising:
determining whether the plurality of networked devices belong to a blocking group;
generating at least one forged address, wherein the at least one forged address is excluded from the physical addresses of the networked devices in the blocking group; and
broadcasting a forged packet for each of the plurality of networked devices in the blocking group, wherein the forged packet includes one of the at least one forged address.
2. The network blocking method according to claim 1, characterized in that the forged packet is a gratuitous address resolution protocol reply packet, and the step of broadcasting the forged packet for each of the plurality of networked devices in the blocking group comprises:
for each of the plurality of networked devices in the blocking group in turn, broadcasting the gratuitous address resolution protocol reply packet including one of the at least one forged address, wherein the gratuitous address resolution protocol reply packet further includes the Internet protocol address of that one of the plurality of networked devices in the blocking group.
3. The network blocking method according to claim 2, characterized in that, after the step of broadcasting the gratuitous address resolution protocol reply packet including one of the at least one forged address, the method further comprises:
before the gratuitous address resolution protocol reply packet expires, broadcasting the gratuitous address resolution protocol reply packet again.
4. The network blocking method according to claim 1, characterized in that the step of determining whether the plurality of networked devices belong to the blocking group comprises:
capturing an address resolution protocol request packet; and
determining whether the source in the address resolution protocol request packet corresponds to the plurality of networked devices in the blocking group.
5. The network blocking method according to claim 3, characterized in that, after the step of determining whether the source in the address resolution protocol request packet corresponds to the plurality of networked devices in the blocking group, the method further comprises:
if the source in the address resolution protocol request packet corresponds to the plurality of networked devices in the blocking group, transmitting an address resolution protocol reply packet including one of the at least one forged address.
6. A network blocking device, adapted for network management of a plurality of networked devices in a network domain, characterized by comprising:
a communication module for transmitting and receiving packets; and
a processing unit connected to the communication module and configured to perform:
determining whether the plurality of networked devices belong to a blocking group;
generating at least one forged address, wherein the at least one forged address is excluded from the physical addresses of the plurality of networked devices in the blocking group; and
broadcasting, through the communication module, a forged packet for each of the plurality of networked devices in the blocking group, wherein the forged packet includes one of the at least one forged address.
7. The network blocking device according to claim 6, characterized in that each forged packet is a gratuitous address resolution protocol reply packet, and the processing unit is further configured to perform:
for each of the plurality of networked devices in the blocking group in turn, broadcasting through the communication module the gratuitous address resolution protocol reply packet including one of the at least one forged address, wherein the gratuitous address resolution protocol reply packet further includes the Internet protocol address of that one of the plurality of networked devices in the blocking group.
8. The network blocking device according to claim 7, characterized in that the processing unit is further configured to perform:
before the gratuitous address resolution protocol reply packet expires, broadcasting the gratuitous address resolution protocol reply packet again through the communication module.
9. The network blocking device according to claim 6, characterized in that the processing unit is further configured to perform:
capturing an address resolution protocol request packet through the communication module; and
determining whether the source in the address resolution protocol request packet corresponds to the plurality of networked devices in the blocking group.
10. The network blocking device according to claim 9, characterized in that the processing unit is further configured to perform:
if the source in the address resolution protocol request packet corresponds to the plurality of networked devices in the blocking group, transmitting an address resolution protocol reply packet including one of the at least one forged address.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW105101821 | 2016-01-21 | | |
TW105101821 | 2016-01-21 | | |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107040507A true CN107040507A (en) | 2017-08-11 |
CN107040507B CN107040507B (en) | 2020-06-23 |
Family
ID=59370285
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611021969.2A Active CN107040507B (en) | 2016-01-21 | 2016-11-21 | Network blocking method and equipment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN107040507B (en) |
TW (2) | TWM541160U (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWM541160U (en) * | 2016-01-21 | 2017-05-01 | 曜祥網技股份有限公司 | Apparatus for blocking network and computer-readable medium |
TWI611377B (en) * | 2017-03-30 | 2018-01-11 | 崑山科技大學 | Anti-lost alarm method and system with grouping multiple warning devices |
TWI709309B (en) * | 2019-09-25 | 2020-11-01 | 飛泓科技股份有限公司 | Network management device and network management method thereof |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101562542A (en) * | 2009-05-21 | 2009-10-21 | 杭州华三通信技术有限公司 | Response method for free ARP request and gateway device thereof |
CN101616191A (en) * | 2008-06-27 | 2009-12-30 | 英业达股份有限公司 | Address simulating device and method thereof |
CN101820396A (en) * | 2010-05-24 | 2010-09-01 | 杭州华三通信技术有限公司 | Method and device for verifying message safety |
CN102195862A (en) * | 2010-03-11 | 2011-09-21 | 正文科技股份有限公司 | Routing device and related packet processing circuit |
WO2012108687A2 (en) * | 2011-02-08 | 2012-08-16 | Ahnlab., Inc. | Method of detecting arp spoofing attacks using arp locking and computer-readable recording medium storing program for executing the method |
CN103856443A (en) * | 2012-11-29 | 2014-06-11 | 台众计算机股份有限公司 | Method of determination and blocking of website |
US8800025B2 (en) * | 2009-11-10 | 2014-08-05 | Hei Tao Fung | Integrated virtual desktop and security management system |
2016
- 2016-10-19 TW TW105215896U patent/TWM541160U/en unknown
- 2016-10-19 TW TW105133640A patent/TWI660284B/en active
- 2016-11-21 CN CN201611021969.2A patent/CN107040507B/en active Active
Non-Patent Citations (4)
Title |
---|
刘素芹, 曹绍华 (eds.): "pp. 49-51, Section 4.5 Defence against ARP attacks and Section 4.6 Gratuitous ARP", TCP/IP Protocol Analysis (《TCP/IP协议分析》) * |
徐春林: "Analysis of LAN faults based on Gratuitous ARP flooding", Journal of Huaihai Institute of Technology (Natural Science Edition) (《淮海工学院学报(自然科学版)》) * |
方睿 (ed.): "Section 6.1.5 Gratuitous ARP and Section 6.1.6 ARP spoofing", Network Testing Technology (《网络测试技术》) * |
萧瑛旗: "Implementation of a simple ARP spoofing attack detection and defence system", Master's thesis, National Chiao Tung University, Taiwan (《台湾国立交通大学硕士论文》) * |
Also Published As
Publication number | Publication date |
---|---|
TWI660284B (en) | 2019-05-21 |
TW201727529A (en) | 2017-08-01 |
CN107040507B (en) | 2020-06-23 |
TWM541160U (en) | 2017-05-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |