CN107690004B - Method and device for processing address resolution protocol message - Google Patents


Info

Publication number
CN107690004B
Authority
CN (China)
Prior art keywords
arp
address
message
priority
white list
Legal status
Active
Application number
CN201610638974.1A
Other languages
Chinese (zh)
Other versions
CN107690004A
Inventor
李洪涛
张丽晖
殷玲
李庆庆
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Events
Application filed by ZTE Corp
Priority to CN201610638974.1A
Publication of CN107690004A
Application granted
Publication of CN107690004B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/32 Flooding
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0245 Filtering by information in the payload
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks


Abstract

The invention provides a method and a device for processing an Address Resolution Protocol (ARP) message. The method comprises the following steps: receiving an ARP message; obtaining priority information for the ARP message according to a preset white list; and sending the ARP message to a Central Processing Unit (CPU) for ARP learning according to the priority information, where ARP messages with different priority information are sent to the CPU over different upload bandwidths. The invention solves the problem in the related art that ARP flooding attacks are prevented inefficiently.

Description

Method and device for processing address resolution protocol message
Technical Field
The present invention relates to the field of communications, and in particular, to a method and an apparatus for processing an address resolution protocol packet.
Background
The Address Resolution Protocol (ARP) in the related art is a TCP/IP protocol that obtains a physical (MAC) address from an IP address. When a host sends data, it broadcasts an ARP request containing the target IP address to all hosts on the network and receives a reply, from which the physical address of the target is determined; on receiving the reply, the host stores the IP address and physical address pair in its local ARP cache and keeps it for a certain time, so that the next request can be answered directly from the cache to save resources. ARP is built on the premise that all hosts on the network trust each other: any host on the network can send an ARP reply on its own initiative, and other hosts cannot verify the authenticity of such a reply and will record it in their ARP cache on receipt. Fig. 1 is a schematic diagram of the ARP packet format in the related art.
The number of ARP entries in any router device is limited, so unlimited learning is impossible and no further learning can take place once the number of entries reaches the upper limit. By the design of the ARP protocol, a host adds the IP address to MAC address mapping from a received ARP reply to its own ARP mapping table even if it never requested it. This reduces excess ARP traffic on the network, but it also makes "ARP spoofing" possible. A flooding attack occurs when a malicious user on the network sends out a large number of ARP messages, causing the ARP table of a router device to overflow; ARP entries for legitimate hosts can then no longer be learned, and forwarding of normal user traffic is disrupted. Fig. 2 is a schematic diagram of an ARP flooding attack in the related art. In addition, existing router devices generally apply control-plane security rate limiting that drops excess packets; under a flooding attack, legitimate ARP packets destined for the control plane may be dropped indiscriminately, which disrupts control-plane protocol interaction.
To deal with the above situation, the related art offers several methods:
1 Enabling Dynamic Host Configuration Protocol (DHCP) snooping
The user table built by DHCP snooping is used to check the validity of received ARP messages; illegal ARP messages are discarded directly without being sent to the CPU, which protects the ARP resources on the CPU.
2 Configuring various ARP-based rate limits
1) ARP Miss rate limiting per source IP address avoids wasting device resources on processing ARP Miss messages and lets the user's other services keep running normally. It prevents an attacker on the user side from mounting an ARP flooding attack by sending a large number of IP packets with unreachable destination IP addresses, and it ensures that the device can still process a large number of ARP Miss messages sent by a server, so that the network does not lose connectivity because those messages are discarded.
2) Per-interface ARP entry limits prevent a user attached to an interface who launches an ARP attack from exhausting the device's ARP table resources.
3) ARP rate limiting by source MAC address and by source IP address respectively prevents ARP flooding attacks formed by a large number of ARP messages from a fixed source MAC address or a fixed source IP address sent by a user, and avoids the CPU becoming too busy to process normal services.
Method 1 requires DHCP snooping to be deployed; its message processing is cumbersome and seriously degrades the packet processing efficiency of the router, and an ordinary router is not an access device and does not deploy DHCP snooping. Method 2 may, under attack, cause some legitimate ARP learning to be lost by mistake and so affect some normal services.
No effective solution to the above problems in the related art has been found so far.
Disclosure of Invention
The embodiment of the invention provides a method and a device for processing an address resolution protocol message, which are used for at least solving the problem of low efficiency of preventing ARP flooding attack in the related technology.
According to an embodiment of the present invention, a method for processing an address resolution protocol message is provided, including: receiving an Address Resolution Protocol (ARP) message; obtaining priority information for the ARP message according to a preset white list; and sending the ARP message to a Central Processing Unit (CPU) for ARP learning according to the priority information, where ARP messages with different priority information are sent to the CPU over different upload bandwidths.
Optionally, the preset white list includes legal IP addresses, and a legal IP address includes at least one of the following: an Internet Protocol (IP) address obtained through active learning; an IP address whose existence is confirmed by passive learning followed by a reverse probe; an IP address the CPU has historically used when forwarding routes; and a preset IP address obtained through static configuration.
Optionally, the preset white list includes the protocol priorities of the protocols to which the various ARP messages belong, and obtaining the priority information of the ARP message according to the preset white list includes: for white list entries that contain both the source IP and the destination IP, determining the priority information of the entry according to the protocol priority of the IP protocol that uses the ARP entry. A white list entry containing both the destination IP and the source IP has the first priority, an entry containing only the destination IP has the second priority, and an entry containing neither the destination IP nor the source IP has the third priority, where the first, second and third priorities decrease in that order.
Optionally, obtaining the priority information of the ARP message according to the preset white list includes: extracting the source IP address and the destination IP address from the ARP message and matching them against the white list entries, where: when the matched ARP white list entry contains neither the source IP address nor the destination IP address, the ARP message is assigned the lowest priority; when the matched entry contains both the source IP address and the destination IP address, and the destination IP address matches a local IP address, the ARP message is assigned the highest priority; and when the matched entry contains only the destination IP address, and the destination IP address matches a local IP address, the ARP message is assigned the middle priority.
Optionally, sending the ARP message to the CPU according to the priority information includes: passing the ARP message through the channel whose bandwidth corresponds to its priority information, and sending it to the CPU for ARP learning.
According to another embodiment of the present invention, an apparatus for processing an address resolution protocol packet is provided, including: the receiving module is used for receiving an Address Resolution Protocol (ARP) message; the acquisition module is used for acquiring the priority information of the ARP message according to a preset white list; and the uploading module is used for uploading the ARP messages to the central processing unit CPU for ARP learning according to the priority information, wherein the uploading bandwidths of the ARP messages corresponding to different priority information are different.
Optionally, the preset white list includes legal IP addresses, and a legal IP address includes at least one of the following: an Internet Protocol (IP) address obtained through active learning; an IP address whose existence is confirmed by passive learning followed by a reverse probe; an IP address the CPU has historically used when forwarding routes; and a preset IP address obtained through static configuration.
Optionally, the preset white list includes the protocol priorities of the protocols to which the various ARP messages belong, and the obtaining module includes a determining unit configured to determine, for white list entries that contain both the source IP and the destination IP, the priority information of the entry according to the protocol priority of the IP protocol that uses the ARP entry; for example, the protocol priority of the Border Gateway Protocol (BGP) is greater than that of PING (Packet Internet Groper). The number of classes can be chosen according to the importance of the protocols.
Optionally, the uploading module includes an uploading unit configured to send the ARP message to the CPU for ARP learning through the channel whose bandwidth corresponds to the priority information.
According to still another embodiment of the present invention, there is also provided a storage medium. The storage medium is configured to store program code for performing the steps of:
receiving an Address Resolution Protocol (ARP) message;
acquiring priority information of the ARP message according to a preset white list;
and uploading the ARP messages to a Central Processing Unit (CPU) according to the priority information for ARP learning, wherein the uploading bandwidths of the ARP messages corresponding to different priority information are different.
According to the invention, an ARP message is received; priority information for the ARP message is obtained according to a preset white list; and the ARP message is sent to a Central Processing Unit (CPU) for ARP learning according to the priority information, where ARP messages with different priority information are sent to the CPU over different upload bandwidths. Because the bandwidth over which a message is sent to the CPU is chosen according to the priority information of the ARP message, legal messages pass smoothly while invalid messages are filtered; this solves the problem in the related art that ARP flooding attacks are prevented inefficiently, achieves accurate identification of ARP messages, saves overall system overhead, and improves processing efficiency and protection.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
Fig. 1 is a schematic diagram of an ARP packet format according to the related art of the present invention;
Fig. 2 is a schematic diagram of an ARP flooding attack according to the related art of the present invention;
Fig. 3 is a flow chart of a method of processing an ARP message according to an embodiment of the present invention;
Fig. 4 is a block diagram of an apparatus for processing an address resolution protocol message according to an embodiment of the present invention;
Fig. 5 is a block diagram of an ARP flooding attack defense apparatus according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the white list filter table format for ARP messages according to the invention;
Fig. 7 is a flowchart of the process of legal user confirmation and generation of the class A white list according to an embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Example 1
In this embodiment, a method for processing an address resolution protocol packet is provided, and fig. 3 is a flowchart of a method for processing an address resolution protocol packet according to an embodiment of the present invention, as shown in fig. 3, the flowchart includes the following steps:
step S302, receiving an address resolution protocol ARP message;
step S304, obtaining the priority information of the ARP message according to a preset white list;
and step S306, the ARP messages are sent to a Central Processing Unit (CPU) for ARP learning according to the priority information, wherein the uploading bandwidths of the ARP messages corresponding to different priority information are different.
Through the above steps, an ARP message is received; priority information for the ARP message is obtained according to a preset white list; and the ARP message is sent to a Central Processing Unit (CPU) for ARP learning according to the priority information, where ARP messages with different priority information are sent to the CPU over different upload bandwidths. Because the bandwidth over which a message is sent to the CPU is chosen according to the priority information of the ARP message, legal messages pass smoothly while invalid messages are filtered; this solves the problem in the related art that ARP flooding attacks are prevented inefficiently, achieves accurate identification of ARP messages, saves overall system overhead, and improves processing efficiency and protection.
Optionally, the executing subject of the above steps may be a router, a switch, a management device of a routing table entry, and the like, but is not limited thereto.
Optionally, the preset white list includes legal IP addresses, and a legal IP address may be, but is not limited to: an Internet Protocol (IP) address obtained through active learning; an IP address whose existence is confirmed by passive learning followed by a reverse probe; an IP address the CPU has historically used when forwarding routes; a preset IP address obtained through static configuration; and the like.
Optionally, the preset white list includes the protocol priorities of the protocols to which the various ARP messages belong, and obtaining the priority information of the ARP message according to the preset white list includes: for white list entries that contain both the source IP and the destination IP, determining the priority information of the entry according to the protocol priority of the IP protocol that uses the ARP entry; for example, the protocol priority of the Border Gateway Protocol (BGP) is greater than that of PING (Packet Internet Groper). The number of classes can be chosen according to the importance of the protocols. ARP entries used for data packet forwarding can likewise be given their own priority among these.
Optionally, obtaining the priority information of the ARP packet according to the preset white list includes:
s11, extracting the source IP address and the destination IP address from the ARP message to match against the white list entries;
s12, determining whether the source IP address and the destination IP address of the ARP message are present in the white list;
s13, when the matched ARP white list entry contains neither the source IP address nor the destination IP address, the ARP message is assigned the lowest priority; when the matched entry contains both the source IP address and the destination IP address, and the destination IP address matches a local IP address, the ARP message is assigned the highest priority; and when the matched entry contains only one of the source IP address and the destination IP address, the priority lies between the lowest and the highest.
Further, when the ARP message contains the destination IP address, the method further includes:
s13, extracting the source IP address from the ARP message and checking whether the set of legal IP addresses in the preset white list contains it;
s14, determining the priority information of the ARP message according to the check result, where the priority assigned when the set of legal IP addresses contains the source IP address is higher than the priority assigned when it does not.
Optionally, sending the ARP message to the CPU for ARP learning according to the priority information includes: passing the ARP message through the channel with the corresponding bandwidth according to its priority information and sending it to the CPU for ARP learning, where channels of different bandwidths have different rate-limit values.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
In this embodiment, a device for processing an address resolution protocol message is further provided, which is used to implement the foregoing embodiment and its preferred embodiments; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 4 is a block diagram of a processing apparatus for an address resolution protocol packet according to an embodiment of the present invention, and as shown in fig. 4, the apparatus includes:
a receiving module 40, configured to receive an address resolution protocol ARP packet;
an obtaining module 42, configured to obtain priority information of the ARP packet according to a preset white list;
and the uploading module 44 is configured to upload the ARP message to the central processing unit CPU according to the priority information to perform ARP learning, where the uploading bandwidths of the ARP messages corresponding to different priority information are different.
Optionally, the preset white list includes legal IP addresses, and a legal IP address may be, but is not limited to: an Internet Protocol (IP) address obtained through active learning; an IP address whose existence is confirmed by passive learning followed by a reverse probe; an IP address the CPU has historically used when forwarding routes; a preset IP address obtained through static configuration; and the like.
Optionally, the preset white list includes the protocol priorities of the protocols to which the various ARP messages belong, and obtaining the priority information of the ARP message according to the preset white list includes: for white list entries that contain both the source IP and the destination IP, determining the priority information of the entry according to the protocol priority of the IP protocol that uses the ARP entry; for example, the protocol priority of the Border Gateway Protocol (BGP) is greater than that of PING (Packet Internet Groper). The number of classes can be chosen according to the importance of the protocols. ARP entries used for data packet forwarding can likewise be given their own priority among these.
Optionally, the uploading module further includes an uploading unit (not shown in the figure) configured to send the ARP message to the CPU for ARP learning through the channel whose bandwidth corresponds to the priority information.
It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules are all positioned in the same processor; alternatively, the modules are respectively located in different processors in any combination.
Example 3
This embodiment provides a method and a device for preventing ARP flooding attacks. The device for preventing ARP flooding attacks in this embodiment comprises the following modules:
Fig. 5 is a block diagram of an ARP flooding attack defense apparatus according to an embodiment of the present invention. It includes an ARP entry management module 50, a control plane security module 52, a forwarding table management module 54 and a microcode processing module 56, related as shown in Fig. 5. The ARP entry management module is responsible for generating a correct ARP message white list filter table and sending it to the forwarding table management module. The control plane security module is responsible for the rate limits at each level for messages sent to the CPU; rate limiting is done mainly by priority, and different priorities have different upload bandwidths. The forwarding table management module is responsible for writing the received ARP message white list filter table into the hardware table. When the microcode processing module receives an ARP message, it looks up the ARP white list filter hardware table to judge whether the message is legal: a legal message is sent to the CPU at high priority and an illegal one at low priority. A message sent at high priority suffers little packet loss on the way from the microcode to the protocol CPU, while one sent at low priority suffers more.
The method for preventing ARP flooding of the embodiment comprises the following steps:
First, the ARP entry management module identifies legal user IP addresses by some method and generates the ARP message white list filter table.
Second, the ARP entry management module issues the generated ARP message white list filter table to the forwarding table management module.
Third, the forwarding table management module writes the received entries into the hardware table.
Fourth, the microcode processing module receives the ARP message, looks up the ARP white list filter hardware table to obtain the upload priority of the message, looks up the rate-limit values of each level from the control plane security entries according to that priority during the upload, and sends the ARP message to the CPU under those rate-limit values.
The key of the invention is how to identify legal user IPs. The invention provides several methods, but is not limited to the schemes given here.
1) When the ARP entry management module learns an ARP entry, if the entry was actively learned by the module itself, the IP can be regarded as legal;
2) if the ARP entry was passively learned, the existence of the IP is confirmed by a reverse probe, after which the entry is regarded as legal;
3) if the ARP entry has been used, the IP can be regarded as legal;
4) the user may also manually configure static legal user IPs.
The IP can further be prioritized according to the importance of the IP protocol sent by the upper layer. An ARP entry used for sending packets of a routing protocol such as BGP (Border Gateway Protocol) may be regarded as having the highest IP priority; an ARP entry used for sending packets of a diagnostic protocol such as PING (Packet Internet Groper) may be given an IP priority lower than that of a routing protocol; and an ARP entry used for forwarding data packets may have a relatively low IP priority. For scheme 1, the IP priority can be determined from the IP packet that triggered ARP learning; for scheme 2, since the entry was learned passively, it defaults to a lower priority, which is updated after a packet is sent using it; for scheme 3, the priority is determined directly from the IP packet that was sent. The priority can be based on the highest-priority IP protocol that uses the ARP entry: for example, if the IP is first used by PING and so has PING's priority, and is then used by BGP, whose priority is higher than PING's, the IP priority is set according to BGP; if it is first used by BGP and then by PING, the IP priority is not adjusted, because PING's priority is lower than BGP's. For scheme 4, a statically configured user IP has the highest priority.
After the ARP table item management module identifies the legality and the priority of the IP, an ARP message white list filtering table can be generated, the table item contents mainly comprise destination IP (user IP), local IP, priority, ARP message marks and the like, different priorities correspond to different CPU uploading speed limit values, and the higher the priority is, the larger the uploading bandwidth is; conversely, the lower the priority, the smaller the upper bandwidth. Fig. 6 is a schematic diagram of a format of an ARP packet white list filtering table according to the present invention, and as shown in fig. 6, the ARP packet white list filtering table can be classified as follows:
1) Class C ARP message filtering white list: contains only the ARP message flag and the priority; the other fields are left empty, and its priority is the lowest of the three. An ARP message whose destination IP is not a local IP is sent to the CPU according to this entry; a normal message of this kind is an ARP proxy message, and an abnormal one is an attack message.
2) Class B ARP message filtering white list: contains the local IP, the ARP message flag and the priority. Entries of this kind are typically used to send ARP messages from unconfirmed users that are addressed to a local IP. A class B white list entry has a higher priority than a class C entry.
3) Class A ARP message filtering white list: has a higher priority than the two preceding classes, and its priority can be further refined according to the priority of the IP protocol using the ARP entry. Statically configured entries also belong to this class, except that their priority is the highest.
The three types of entries are stored from high to low priority, and matching is performed against the high-priority entries first; only when no high-priority entry matches is a lower-priority entry tried. The microcode processing module receives an ARP message, extracts its source and destination IPs, matches them against the user IP and local IP in the ARP message white list filtering table, and on finding an entry extracts its priority information. The message is then sent to the CPU with rate limiting according to that priority; high-priority messages are sent through each level of channel and processed preferentially, so that legitimate ARP messages are guaranteed preferential delivery.
Compared with the prior art, the method and device (system) of this embodiment make clear progress: they identify ARP messages accurately, save overall system overhead, and improve processing efficiency and protection effect.
The invention mainly identifies the various kinds of ARP message accurately by the means described and sends the different kinds to the CPU at different priorities, so that the sending and receiving of messages for the ARP entries used by control-plane services is protected and those services are not interrupted by the loss of ARP messages. It also diagnoses ARP flooding from invalid source IPs: the validity of an ARP entry is confirmed by sending an ARP probe to the IP, and if the probe fails the ARP entry is deleted directly, which prevents the device's ARP table from overflowing.
The processing steps of the flow are as follows:
1 ARP message filtering white list generation
1.1 After the ARP flood defense function is enabled, the ARP table entry management module first generates the class C ARP message filtering white list of Fig. 6 and sends it to the forwarding table management module for use by the microcode when sending messages to the CPU.
1.2 If there are ARP messages on an interface, the class B ARP message filtering white list of Fig. 6 is generated according to the interface IP.
1.3 When messages are being sent and received on an interface, the class A ARP message filtering white list is generated according to the flow of Fig. 7, which is a flow chart of legitimate user confirmation and class A white list generation according to the embodiment of the present invention.
2 ARP message filtering white list issuing
The ARP message filtering white list is sent to the forwarding table management module, which writes the hardware table in a fixed order: class A entries precede class B entries, and class B entries precede class C entries, so that when the microcode searches from front to back the class A ARP message filtering white list is matched first.
3 ARP flood attack defense
When an ARP message is sent to the CPU, the microcode looks up the ARP message filtering white list table for the message to obtain the corresponding upload priority, then sends the message to the control plane security module. During sending, each level of channel obtains from the control plane security module the upload rate limit corresponding to that channel and priority, and limits the rate accordingly. Consequently, ARP messages are not sent to the CPU too fast, the CPU is not flooded and the ARP table does not overflow within a short time. Confirmed messages have a higher priority, so high-priority upload is guaranteed in every part of the channel, the probability of packet loss is lower, and services that use the ARP entry to send packets do not fail because the entry was deleted. For passively learned ARP entries, when the defense is enabled and an entry is learned, a reverse probe is triggered to check whether the IP address exists, and the entry is deleted if it does not. Invalid IP attacks can therefore be identified quickly, the ARP entries they generate can be deleted quickly, and the ARP table does not overflow.
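As an added example, not code from the patent, the following Python model implements the class A/B/C white list table and its high-to-low matching order (Fig. 6 and step 3 above), the "highest protocol that used the IP wins" priority update described earlier for class A entries, and per-priority rate-limited upload to the CPU. The numeric priorities (class A = 2 + protocol rank), the packets-per-second limits and the IP addresses are assumptions constructed for illustration.

```python
# Added example, not code from the patent: a model of the class A/B/C ARP white
# list filtering table and of priority rate-limited upload of ARP messages to the
# CPU. All entries, protocol ranks and rate values below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional
# Protocol ranks in the order the text gives: static > BGP > PING > data forwarding.
PROTO_RANK = {"forward": 1, "ping": 2, "bgp": 3, "static": 4}
PRIO_C, PRIO_B = 1, 2        # class C lowest, class B above it; class A = 2 + rank
# Constructed upload rate limits (packets/s): the higher the priority, the more.
CPU_RATE_PPS = {1: 10, 2: 50, 3: 100, 4: 200, 5: 500, 6: 1000}

@dataclass
class Entry:
    cls: str                  # "A", "B" or "C"
    user_ip: Optional[str]    # confirmed source (user) IP, class A only
    local_ip: Optional[str]   # local destination IP, classes A and B
    priority: int

class ArpWhitelist:
    """Entries kept class A, then B, then C; within a class, highest priority first."""
    def __init__(self) -> None:
        self.entries: List[Entry] = []
    def _resort(self) -> None:
        self.entries.sort(key=lambda e: ("ABC".index(e.cls), -e.priority))
    def add(self, e: Entry) -> None:
        self.entries.append(e)
        self._resort()
    def note_protocol_use(self, user_ip: str, proto: str) -> None:
        """Raise a class A entry to the highest-ranked protocol that used it (never lower)."""
        want = PRIO_B + PROTO_RANK[proto]
        for e in self.entries:
            if e.cls == "A" and e.user_ip == user_ip and e.priority < want:
                e.priority = want
        self._resort()
    def lookup(self, src_ip: str, dst_ip: str) -> int:
        """Match source and destination IP against entries from high to low priority."""
        for e in self.entries:
            if e.cls == "A" and e.user_ip == src_ip and e.local_ip == dst_ip:
                return e.priority
            if e.cls == "B" and e.local_ip == dst_ip:
                return e.priority
            if e.cls == "C":
                return e.priority
        return PRIO_C  # no class C entry installed: treat as lowest priority

class TokenBucket:
    """Per-priority limiter on the channel to the CPU (explicit clock for testing)."""
    def __init__(self, rate_pps: float) -> None:
        self.rate, self.tokens, self.last = rate_pps, float(rate_pps), 0.0
    def allow(self, now: float) -> bool:
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def upload_to_cpu(wl: ArpWhitelist, buckets: Dict[int, TokenBucket],
                  src_ip: str, dst_ip: str, now: float):
    """Return (priority, forwarded) for one ARP message; drop when its bucket is empty."""
    prio = wl.lookup(src_ip, dst_ip)
    bucket = buckets.setdefault(prio, TokenBucket(CPU_RATE_PPS[prio]))
    return prio, bucket.allow(now)

def build_demo_whitelist() -> ArpWhitelist:
    """Constructed table: local interface 10.0.0.1, one confirmed user 10.0.0.5."""
    wl = ArpWhitelist()
    wl.add(Entry("C", None, None, PRIO_C))
    wl.add(Entry("B", None, "10.0.0.1", PRIO_B))
    wl.add(Entry("A", "10.0.0.5", "10.0.0.1", PRIO_B + PROTO_RANK["forward"]))
    return wl
```

A flood from an unconfirmed source to a non-local IP only ever hits the class C entry, so it exhausts that entry's small bucket while the confirmed user's class A channel is unaffected.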
Example 4
An embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for performing the following steps:
S1, receiving an ARP message;
S2, obtaining the priority information of the ARP message according to a preset white list;
and S3, sending the ARP message to the central processing unit (CPU) for ARP learning according to the priority information, wherein the upload bandwidths of ARP messages corresponding to different priority information are different.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a USB flash drive (U-disk), a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
Optionally, in this embodiment, the processor executes, according to the program code stored in the storage medium: receiving an address resolution protocol (ARP) message;
optionally, in this embodiment, the processor executes, according to the program code stored in the storage medium: obtaining the priority information of the ARP message according to a preset white list;
optionally, in this embodiment, the processor executes, according to the program code stored in the storage medium: sending the ARP message to the central processing unit (CPU) for ARP learning according to the priority information, wherein the upload bandwidths of ARP messages corresponding to different priority information are different.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations, which are not repeated here.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed across a network of multiple computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by a computing device; in some cases the steps shown or described may be performed in an order different from that described here; or they may be fabricated separately as individual integrated circuit modules, or several of them may be fabricated as a single integrated circuit module. Thus the present invention is not limited to any specific combination of hardware and software.
The above is only a preferred embodiment of the present invention and is not intended to limit it; various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention should be included in its protection scope.

Claims (10)

1. A method for processing an address resolution protocol message, characterized by comprising the following steps:
receiving an Address Resolution Protocol (ARP) message;
obtaining priority information of the ARP message by filtering it against preset white lists corresponding to different types of ARP message, wherein the bandwidths of the upload channels corresponding to different priority information of the ARP message are different;
sending the ARP message to a Central Processing Unit (CPU) for ARP learning according to its priority information, wherein, during the process of sending the ARP message to the CPU, each level of upload channel obtains the corresponding upload rate limit according to the priority information of the ARP message and limits the rate of the ARP message.
2. The method of claim 1, wherein the preset white list includes legitimate IP addresses, and the legitimate IP addresses include at least one of:
an Internet Protocol (IP) address obtained through active learning;
an IP address confirmed to exist through passive learning and reverse probing;
an IP address historically used by the CPU when forwarding by route;
and a preset IP address obtained through static configuration.
3. The method of claim 1, wherein the white list includes the protocol priority of the protocol to which the ARP message belongs, and obtaining the priority information of the ARP message according to the white list comprises:
for white lists containing both the source IP and the destination IP, determining the priority information of the white list according to the protocol priority corresponding to the IP protocol using the ARP message; wherein a white list containing both the destination IP and the source IP has a first priority, a white list containing only the destination IP has a second priority, a white list containing neither the destination IP nor the source IP has a third priority, and the first, second and third priorities decrease in that order.
4. The method of claim 1, wherein obtaining the priority information of the ARP message according to the preset white list comprises:
extracting the source IP address and the destination IP address from the ARP message in order to match white list entries;
matching a white list entry according to the source IP address and the destination IP address in the ARP message, wherein: when the hit ARP white list entry includes neither the source IP address nor the destination IP address, the ARP message is determined to have the lowest priority; when the hit ARP white list entry includes both the source IP address and the destination IP address and the destination IP address matches the local IP address, the ARP message is determined to have the highest priority; and when the hit ARP white list entry includes only the destination address and the destination IP address matches the local IP address, the message priority is medium.
5. The method of claim 4, wherein, when the ARP message includes a source IP address, the method further comprises:
extracting the source IP address from the ARP message and checking whether the set of legitimate IP addresses included in the preset white list contains the source IP address;
and determining the priority information of the ARP message according to the result of the check, wherein the priority of the ARP message is higher when the set of legitimate IP addresses is found to contain the source IP address than when it is found not to contain it.
6. The method of claim 1, wherein sending the ARP message to the central processing unit (CPU) for ARP learning according to the priority information comprises:
passing the ARP message through a channel of corresponding bandwidth according to the priority information, and sending the ARP message to the central processing unit (CPU) for ARP learning.
7. An apparatus for processing an address resolution protocol message, comprising:
a receiving module, configured to receive an Address Resolution Protocol (ARP) message;
an acquisition module, configured to obtain priority information of the ARP message by filtering it against preset white lists corresponding to different types of ARP message, wherein the bandwidths of the upload channels corresponding to different priority information of the ARP message are different;
an uploading module, configured to send the ARP message to the central processing unit (CPU) for ARP learning according to the priority information of the ARP message;
wherein, during the process of sending the ARP message to the CPU, each level of upload channel obtains the corresponding upload rate limit according to the priority information of the ARP message and limits the rate of the ARP message.
8. The apparatus of claim 7, wherein the preset white list includes legitimate IP addresses, and the legitimate IP addresses include at least one of:
an Internet Protocol (IP) address obtained through active learning;
an IP address confirmed to exist through passive learning and reverse probing;
an IP address historically used by the CPU when forwarding by route;
and a preset IP address obtained through static configuration.
9. The apparatus of claim 7, wherein the white list includes the protocol priority of the protocol to which the ARP message belongs, and the acquisition module comprises:
a determining unit, configured to determine the priority information of the received ARP message according to the protocol priority obtained by checking the white list table.
10. The apparatus of claim 7, wherein the uploading module comprises:
an uploading unit, configured to send the ARP message to the central processing unit (CPU) for ARP learning through a channel of corresponding bandwidth according to the priority information.
CN201610638974.1A 2016-08-04 2016-08-04 Method and device for processing address resolution protocol message Active CN107690004B (en)
Publications (2)

Publication Number Publication Date
CN107690004A CN107690004A (en) 2018-02-13
CN107690004B true CN107690004B (en) 2021-10-08