CN108574674A - A kind of ARP message aggressions detection method and device - Google Patents


Info

Publication number
CN108574674A
Authority
CN
China
Prior art keywords
address
arp
mac
client
attacker
Prior art date
Legal status
Pending
Application number
CN201710143095.6A
Other languages
Chinese (zh)
Inventor
徐浩
马志远
Current Assignee
Wuhan Antian Information Technology Co Ltd
Original Assignee
Wuhan Antian Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Wuhan Antian Information Technology Co Ltd
Priority to CN201710143095.6A
Publication of CN108574674A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an ARP packet attack detection method and device. The client constructs a special ARP request packet and uses a "fishing" (bait) pattern: although the client already knows the IP address and MAC address of a certain safe device, it still asks the other devices on the network for that device's address, so that an attacker exposes itself by answering, and ARP packet attacks are thereby detected. Even if the attacker's target machine is not this client, the client still receives the attacker's forged ARP packet, so ARP packet attacks are detected accurately. The invention is widely applicable: it suits mobile terminals, PCs, lower-level routers and other clients, detects ARP packet attacks quickly, achieves a high accuracy rate at low cost, and protects the privacy and property of users.

Description

A kind of ARP message aggressions detection method and device
Technical field
The present invention relates to the field of information security, and in particular to an ARP packet attack detection method and device.
Background technology
ARP (Address Resolution Protocol) is a network-layer protocol in the IPv4 protocol suite; its basic function is to look up the MAC address of a target device from the target's IP address. For historical reasons, ARP was not carefully thought through when it was specified and lacks any authentication mechanism, which makes it a so-called "gentlemen's agreement". A large number of attack techniques and tools that exploit ARP's weaknesses exist on the network and pose a serious threat to the network environment.
ARP packet attacks are one of the common attack techniques: the attacker exploits the design flaw in ARP and forges ARP packets to attack a target terminal (Table 1 shows the ARP packet structure). Referring to Fig. 1, if machine A wants to communicate with client B, machine A sends an ARP request packet into the network, and client B replies with an ARP reply packet after receiving the request. Because ARP reply processing has no authentication mechanism, a terminal updates the IP-MAC mapping in its own ARP cache table whenever it receives any ARP reply that conforms to the protocol specification. If an attacker C is present in the network, C impersonates client B and sends machine A, at a certain frequency, malicious ARP reply packets whose source IP is that of client B and whose source MAC is that of attacker C, overwriting the true MAC address of the gateway in machine A. Machine A then mistakes attacker C's MAC address for the MAC address of the target client B, every packet machine A sends out reaches attacker C, and traffic is misdirected. If attacker C further combines this with man-in-the-middle techniques and impersonates both communicating parties, it can use the user's private information to steal the user's property, with serious consequences.
Table 1
Currently, researchers have deployed separate ARP packet attack detection methods according to the characteristics of gateways and of mobile terminals; these methods are not very general and cannot meet users' needs.
Summary of the invention
The purpose of the present invention is to provide an ARP detection method and device applied to a client, which is widely applicable, detects ARP packet attacks quickly, achieves a high accuracy rate at low cost, and protects the privacy and property of users.
The invention discloses an ARP packet attack detection method, applied to a client, comprising the following steps:
the client constructs a special ARP request packet whose source IP address and source MAC address are the client's own IP address and MAC address, whose destination IP address is the IP address of a known safe machine, whose destination MAC address is the broadcast address, and whose ARP operation is ARP request;
when the source IP address in a reply packet received by the client is the IP address of the safe machine and the source MAC address is the MAC address of a non-safe machine, it is judged that an ARP packet attack exists in the network.
The invention also discloses an ARP packet attack detection device, applied to a client, which comprises a request packet construction module and a detection module, wherein:
the request packet construction module is used by the client to construct a special ARP request packet whose source IP address and source MAC address are the client's IP address and MAC address, whose destination IP address is the IP address of a known safe machine, whose destination MAC address is the broadcast address, and whose ARP operation is ARP request;
the detection module is used to judge that an ARP packet attack exists in the network when the source IP address in a reply packet received by the client is the IP address of the safe machine and the source MAC address is the MAC address of a non-safe machine.
Advantageous effects of the present invention compared with the prior art: the present invention proposes a new idea for detecting ARP packet attacks. The client constructs a special ARP request packet and uses a "fishing" (bait) pattern: although the client already knows the IP address and MAC address of a certain safe device, it still asks the other devices on the network for that device's address, so that the attacker exposes itself by answering, and ARP packet attacks are thereby detected. Even if the attacker's target machine is not this client, the client still receives the attacker's ARP packet, so ARP packet attacks are detected accurately. The invention is widely applicable: it suits mobile terminals, PCs, lower-level routers and other clients, detects ARP packet attacks quickly, achieves a high accuracy rate at low cost, and protects the privacy and property of users.
Description of the drawings
Fig. 1 is a schematic diagram of the principle of an ARP packet attack.
Fig. 2 is a flow diagram of an ARP detection method applied to a client according to the invention.
Fig. 3 is a structural schematic diagram of an ARP detection device applied to a client according to the invention.
Fig. 4 is a structural schematic diagram of an ARP detection device applied to a client according to the invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings.
Those skilled in the art will appreciate that, as shown in Table 1, an ARP packet comprises several fields: the ARP operation, the source MAC address, the source IP address, the destination IP address and the destination MAC address.
Table 1
In an ARP request packet, the source IP address and source MAC address are the IP address and MAC address of the initiator, the destination IP address is the IP address the requester wants to resolve, and the destination MAC address is filled with 0xFF, indicating unknown.
In an ARP reply packet, the source IP address and source MAC address are the IP address and MAC address of the responder, and the destination IP address and destination MAC address are those of the requester being answered.
Normally an ARP request is sent as a broadcast, because the MAC address of the destination IP is not yet known and the request can only be delivered by broadcast. An ARP reply is generally unicast.
Normally a machine only sends an ARP reply when it has received an ARP request asking for the MAC of its own IP; requests that are not for itself are generally discarded.
After the ARP requester receives the reply, it records the IP address and MAC address from the reply in the system; all subsequent data for that IP address directly uses the ARP record stored in the system and is then sent.
In some embodiments, if the client has stored the IP address and MAC address of a confirmed safe machine, the client can use the address of that safe device as "bait" to detect ARP packet attacks in the network.
It should be understood that the client may generally include a mobile terminal, a PC, a lower-level router and the like. Specifically, as shown in Fig. 2, the ARP packet attack detection method applied to a client comprises the following steps:
S101: the client constructs a special ARP request packet whose source IP address and source MAC address are the client's IP address and MAC address, whose destination IP address is the IP address of a known safe machine, whose destination MAC address is the broadcast address, and whose ARP operation is ARP request.
As shown in Fig. 3, client B has stored the IP address and MAC address of the known safe machine A. Client B sends the special ARP request packet by broadcast to the other devices in the network (including machine A and attacker C), asking for the IP address and MAC address of machine A.
S102: when the source IP address in a reply packet received by the client is the IP address of the safe machine and the source MAC address is the MAC address of a non-safe machine, it is judged that an ARP packet attack exists in the network.
For attacker C, the attack broadly divides into three steps: listening for ARP requests, parsing the ARP request, and forging an ARP reply. When attacker C captures the request packet sent by client B and, by parsing it, finds that the request asks for the address of safe machine A, attacker C forges a reply packet that disguises itself as safe machine A and sends its own MAC address to client B. Therefore, when the source IP address in a reply packet received by client B is the IP address of safe machine A but the source MAC address is not the MAC address of safe machine A, it can be found that a forged reply packet exists in the network, and it is judged that an ARP packet attack exists. In the present embodiment, the source IP in the reply packet received by the client is the IP address of safe machine A, and the source MAC address is the MAC address of attacker C.
In the present invention, the client constructs a special ARP request packet and uses a "fishing" (bait) pattern: although the client already knows the IP address and MAC address of a certain safe device, it still asks the other devices on the network for that device's address, so that the attacker exposes itself by answering, and ARP packet attacks are thereby detected. The invention is widely applicable: it suits mobile terminals, PCs, lower-level routers and other clients, detects ARP packet attacks quickly, achieves a high accuracy rate at low cost, and protects the privacy and property of users.
It should be understood that after an ARP packet attack is judged to exist, the attacker can be determined from the MAC address of the non-safe machine. The information of each device in the network (MAC address, IP address, gateway information, etc.) is also collected and uploaded to a remote server for evidence collection and analysis, in preparation for later forensics or big-data analysis, providing data support for tracking and documenting cybercrime. It can be seen that by deploying ARP attack detection on the client, the relevant handling process can be started immediately after an ARP attack is found, better protecting the privacy and property of users.
Specifically, to obtain the IP address of attacker C, client B sends broadcast messages to the other devices in the network to obtain the IP address and MAC address of each device; if some device's MAC address matches the attacker's address and its IP address is not the stored IP address of the known safe machine, that IP address is determined to be the IP address of attacker C.
Correspondingly, the invention also discloses an ARP packet attack detection device applied to a client. As shown in Fig. 4, the device comprises a request packet construction module 11 and a detection module 12, wherein:
the request packet construction module 11 is used by the gateway to construct a special ARP request packet whose source IP address and source MAC address are the IP address and MAC address of the gateway, whose destination IP address is the IP address of the safe machine, whose destination MAC address is the broadcast address, and whose ARP operation is ARP request;
the detection module 12 is used to judge that an ARP packet attack exists in the network when the source IP address in a reply packet received by the gateway is the IP address of machine A and the source MAC address is not the MAC address of machine A.
In the present invention, the client constructs a special ARP request packet and uses a "fishing" (bait) pattern: although the client already knows the IP address and MAC address of a certain safe device, it still asks the other devices on the network for that device's address, so that the attacker exposes itself by answering, and ARP packet attacks are thereby detected. Even if the attacker's target machine is not this client, the client still receives the attacker's ARP packet, so ARP packet attacks are detected accurately. The invention is widely applicable: it suits mobile terminals, PCs, lower-level routers and other clients, detects ARP packet attacks quickly, achieves a high accuracy rate at low cost, and protects the privacy and property of users.
In some embodiments, the ARP packet attack detection device further comprises a feedback module 13, which, after an ARP packet attack is judged to exist, stores the MAC address of the non-safe machine to determine the attacker, collects the information of each device in the network, and uploads it to a remote server for evidence collection and analysis. It can be seen that by deploying ARP attack detection on the client, the relevant handling process can be started immediately after an ARP attack is found, better protecting the privacy and property of users.
Specifically, to obtain the IP address of attacker C, the feedback module 13 is further used to send broadcast messages to the other devices in the network to obtain the IP address and MAC address of each device; if some device's MAC address matches the attacker's address and its IP address is not the stored IP address of the known safe machine, that IP address is determined to be the IP address of the attacker.
Although the steps in the present invention are numbered, the numbering does not limit the order of the steps; unless a specific order is stated or the execution of one step requires other steps, the relative order of the steps is adjustable.
The above description shows and describes several embodiments of the present invention, but as stated above it should be understood that the present invention is not limited to the forms disclosed herein, should not be regarded as excluding other embodiments, may be used in various other combinations, modifications and environments, and may be changed within the scope of the inventive concept set forth herein through the above teachings or through the skill or knowledge of the related field. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of the present invention shall all fall within the scope of protection of the appended claims.
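The packet layout described above (Table 1 and the request/reply field rules) and the bait procedure (steps S101 and S102 followed by the attacker-IP lookup), carried through as an added worked example in Python; this is not the patent's own code and not the applicant's implementation. It encodes and decodes the 28-byte Ethernet/IPv4 ARP body with the standard library, builds the bait request for a known safe machine A, judges constructed reply packets from A and from an attacker C, and resolves C's own IP from a constructed address sweep. The `ArpPacket` class, the function names and every address are assumptions chosen for the example; nothing is sent on a real network, and the forged reply is only a test input for the detector.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# ARP operation codes (RFC 826)
ARP_REQUEST = 1
ARP_REPLY = 2
# The patent fills the request's destination MAC with 0xFF bytes ("unknown")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Wire layout of the Ethernet/IPv4 ARP body, i.e. the fields Table 1 lists:
# htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4) = 28 bytes
_ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(_ARP_FMT)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass(frozen=True)
class ArpPacket:
    """One ARP packet: operation plus source/destination MAC and IP (assumed name)."""
    oper: int
    sha: str   # source MAC address
    spa: str   # source IP address
    tha: str   # destination MAC address
    tpa: str   # destination IP address

    def pack(self) -> bytes:
        return struct.pack(_ARP_FMT, 1, 0x0800, 6, 4, self.oper,
                           mac_to_bytes(self.sha), ipaddress.IPv4Address(self.spa).packed,
                           mac_to_bytes(self.tha), ipaddress.IPv4Address(self.tpa).packed)

    @classmethod
    def unpack(cls, raw: bytes) -> "ArpPacket":
        htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(_ARP_FMT, raw[:ARP_LEN])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("not an Ethernet/IPv4 ARP packet")
        return cls(oper, bytes_to_mac(sha), str(ipaddress.IPv4Address(spa)),
                   bytes_to_mac(tha), str(ipaddress.IPv4Address(tpa)))


def build_bait_request(client_ip: str, client_mac: str, safe_ip: str) -> ArpPacket:
    """Step S101: ask the whole segment for an address the client already knows."""
    return ArpPacket(ARP_REQUEST, client_mac, client_ip, BROADCAST_MAC, safe_ip)


def detect_forged_reply(reply: ArpPacket, safe_ip: str, safe_mac: str) -> Optional[str]:
    """Step S102: a reply claiming the safe IP with a foreign MAC is forged.
    Returns the foreign (attacker) MAC, or None when the reply is genuine or irrelevant."""
    if reply.oper != ARP_REPLY or reply.spa != safe_ip:
        return None
    return None if reply.sha.lower() == safe_mac.lower() else reply.sha.lower()


def locate_attacker_ip(sweep_replies: Iterable[ArpPacket], attacker_mac: str,
                       safe_ip: str) -> Optional[str]:
    """Follow-up step: among replies to a sweep of the segment, the attacker's own IP is
    the one answered with the attacker's MAC that is not the known safe IP."""
    for r in sweep_replies:
        if r.oper == ARP_REPLY and r.sha.lower() == attacker_mac.lower() and r.spa != safe_ip:
            return r.spa
    return None


def run_demo() -> dict:
    """Walk the whole procedure on constructed packets (no network access)."""
    client_ip, client_mac = "192.168.1.20", "bb:bb:bb:bb:bb:bb"   # client B (constructed)
    safe_ip, safe_mac = "192.168.1.1", "aa:aa:aa:aa:aa:aa"        # safe machine A (constructed)
    attacker_mac = "cc:cc:cc:cc:cc:cc"                             # attacker C (constructed)

    bait = build_bait_request(client_ip, client_mac, safe_ip)
    wire = bait.pack()                       # the bytes that would go on the wire
    assert ArpPacket.unpack(wire) == bait    # round trip through the Table 1 layout

    # Constructed replies: A answers honestly; C answers claiming A's IP with its own MAC
    genuine = ArpPacket(ARP_REPLY, safe_mac, safe_ip, client_mac, client_ip).pack()
    forged = ArpPacket(ARP_REPLY, attacker_mac, safe_ip, client_mac, client_ip).pack()
    verdicts = [detect_forged_reply(ArpPacket.unpack(p), safe_ip, safe_mac)
                for p in (genuine, forged)]

    # Constructed sweep: every host, C included, answers for the IP it really owns
    sweep = [ArpPacket(ARP_REPLY, safe_mac, safe_ip, client_mac, client_ip),
             ArpPacket(ARP_REPLY, "dd:dd:dd:dd:dd:dd", "192.168.1.30", client_mac, client_ip),
             ArpPacket(ARP_REPLY, attacker_mac, "192.168.1.66", client_mac, client_ip)]
    attacker_ip = locate_attacker_ip(sweep, attacker_mac, safe_ip) if verdicts[1] else None
    return {"bait_len": len(wire), "verdicts": verdicts, "attacker_ip": attacker_ip}


if __name__ == "__main__":
    print(run_demo())
```

In a deployment the `pack()` output would be framed in an Ethernet header with the broadcast destination and handed to a raw socket, and `unpack()` would be fed the ARP bodies captured from the interface; the judgement itself needs only the stored (IP, MAC) pair of the safe machine, which is why the client can run it without any gateway cooperation.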

Claims (8)

1. An ARP packet attack detection method, applied to a client, characterized in that it comprises the following steps:
the client constructs a special ARP request packet whose source IP address and source MAC address are the client's IP address and MAC address, whose destination IP address is the IP address of a known safe machine, whose destination MAC address is the broadcast address, and whose ARP operation is ARP request;
when the source IP address in a reply packet received by the client is the IP address of the safe machine and the source MAC address is the MAC address of a non-safe machine, it is judged that an ARP packet attack exists in the network.
2. The detection method according to claim 1, characterized in that after an ARP packet attack is judged to exist, the MAC address of the non-safe machine is stored to determine the attacker, and the information of each device in the network is collected and uploaded to a remote server for evidence collection and analysis.
3. The detection method according to claim 2, characterized in that the information of each device comprises the IP address and MAC address of each device in the network.
4. The detection method according to claim 3, characterized in that when collecting the IP address of the attacker in the network, the client sends broadcast messages to the other devices in the network to obtain the IP address and MAC address of each device, and if some device's MAC address matches the attacker's address and its IP address is not the stored IP address of the known safe machine, that IP address is judged to be the IP address of the attacker.
5. An ARP packet attack detection device, applied to a client, characterized in that the detection device comprises a request packet construction module and a detection module, wherein:
the request packet construction module is used by the client to construct a special ARP request packet whose source IP address and source MAC address are the client's IP address and MAC address, whose destination IP address is the IP address of a known safe machine, whose destination MAC address is the broadcast address, and whose ARP operation is ARP request;
the detection module is used to judge that an ARP packet attack exists in the network when the source IP address in a reply packet received by the client is the IP address of the safe machine and the source MAC address is the MAC address of a non-safe machine.
6. The detection device according to claim 5, characterized in that the detection device further comprises a feedback module which, after an ARP packet attack is judged to exist, stores the MAC address of the non-safe machine to determine the attacker, collects the information of each device in the network, and uploads it to a remote server for evidence collection and analysis.
7. The detection device according to claim 6, characterized in that the information of each device comprises the IP address and MAC address of each device in the network.
8. The detection device according to claim 7, characterized in that when collecting the IP address of the attacker in the network, the feedback module is further used to send broadcast messages to the other devices in the network to obtain the IP address and MAC address of each device, and if some device's MAC address matches the attacker's address and its IP address is not the stored IP address of the known safe machine, that IP address is determined to be the IP address of the attacker.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710143095.6A CN108574674A (en) 2017-03-10 2017-03-10 A kind of ARP message aggressions detection method and device


Publications (1)

Publication Number Publication Date
CN108574674A true CN108574674A (en) 2018-09-25

Family

ID=63577949

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710143095.6A Pending CN108574674A (en) 2017-03-10 2017-03-10 A kind of ARP message aggressions detection method and device

Country Status (1)

Country Link
CN (1) CN108574674A (en)

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101345755A (en) * 2008-08-29 2009-01-14 中兴通讯股份有限公司 Method and system for preventing address analysis protocol message attack
CN101415012A (en) * 2008-11-06 2009-04-22 杭州华三通信技术有限公司 Method and system for defending address analysis protocol message aggression
WO2012108687A2 (en) * 2011-02-08 2012-08-16 Ahnlab., Inc. Method of detecting arp spoofing attacks using arp locking and computer-readable recording medium storing program for executing the method
KR101447469B1 (en) * 2013-12-31 2014-10-06 한국정보보호시스템(주) System and method of wireless intrusion prevention and wireless service
CN104780139A (en) * 2014-01-09 2015-07-15 北京东土科技股份有限公司 Defense system based on MAC (Medium/Media Access Control) address attack and system
CN104363243A (en) * 2014-11-27 2015-02-18 福建星网锐捷网络有限公司 Method and device for preventing gateway deceit
CN104410642A (en) * 2014-12-11 2015-03-11 国家电网公司 Equipment access sensing method based on ARP protocol

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111405548A (en) * 2020-04-08 2020-07-10 国家电网有限公司信息通信分公司 Detection method and device for fishing wifi
CN111405548B (en) * 2020-04-08 2023-07-21 国家电网有限公司信息通信分公司 Fishing wifi detection method and device

Similar Documents

Publication Publication Date Title
CN107404465B (en) Network data analysis method and server
US9325706B2 (en) Methods, systems, and computer program products for determining an originator of a network packet using biometric information
US10642906B2 (en) Detection of coordinated cyber-attacks
WO2009093226A2 (en) A method and apparatus for fingerprinting systems and operating systems in a network
CN101621428A (en) Botnet detection method, botnet detection system and related equipment
CN103428200A (en) Method and system for detecting the presence of rogue domain name service providers through passive monitoring
CN109951419A (en) A kind of APT intrusion detection method based on attack chain attack rule digging
CN108574673A (en) ARP message aggression detection method and device applied to gateway
CN102130920A (en) Botnet discovery method and system thereof
Takeda User identification and tracking with online device fingerprints fusion
CN113691566A (en) Mail server secret stealing detection method based on space mapping and network flow statistics
Evers et al. Security measurement on a cloud-based cyber-physical system used for intelligent transportation
WO2014206152A1 (en) Network safety monitoring method and system
CN106790073B (en) Blocking method and device for malicious attack of Web server and firewall
Shahrestani et al. Architecture for applying data mining and visualization on network flow for botnet traffic detection
CN108574672A (en) The method and device of ARP attack perception applied to mobile terminal
CN111953810B (en) Method, device and storage medium for identifying proxy internet protocol address
CN109274551A (en) A kind of accurate efficient industry control resource location method
CN108574674A (en) A kind of ARP message aggressions detection method and device
Pashamokhtari PhD forum abstract: Dynamic inference on IoT network traffic using programmable telemetry and machine learning
US20090213752A1 (en) Detecting Double Attachment Between a Wired Network and At Least One Wireless Network
CN111756874A (en) Method and device for identifying type of DNS tunnel upper layer protocol
US20180026993A1 (en) Differential malware detection using network and endpoint sensors
CN105827627A (en) Method and apparatus for acquiring information
CN108092943A (en) A kind of method and system for defending APT attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20180925)