CN108768937B - Method and equipment for detecting ARP spoofing in wireless local area network - Google Patents


Info

Publication number
CN108768937B
Authority
CN
China
Prior art keywords
mac address
address information
wireless
area network
local area
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810331644.7A
Other languages
Chinese (zh)
Other versions
CN108768937A (en)
Inventor
高迪
王震
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Shangxiang Network Technology Co.,Ltd.
Original Assignee
Shanghai Shangxiang Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Shangxiang Network Technology Co ltd
Priority to CN201810331644.7A
Publication of CN108768937A
Application granted
Publication of CN108768937B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The application aims to provide a method for detecting ARP spoofing in a wireless local area network, wherein the method comprises the following steps: when no other equipment sharing a MAC address with the gateway equipment exists in the wireless local area network where a wireless terminal is located, taking the current MAC address information of the gateway equipment as reference MAC address information; detecting in a delayed manner whether the current MAC address information of the gateway equipment is the same as the reference MAC address information; and if the current MAC address information of the gateway equipment is different from the reference MAC address information, determining that ARP spoofing exists in the wireless local area network. According to the method and the device, the change of the gateway MAC address is actively detected, so ARP spoofing can be detected in a short time, the user's time is saved, the detection efficiency is improved, and the user is given a better experience.

Description

Method and equipment for detecting ARP spoofing in wireless local area network
Technical Field
The present application relates to the field of communications, and in particular, to a technique for detecting ARP spoofing in a wireless local area network.
Background
Because a wireless network transmits data signals over an open medium, using ordinary electromagnetic waves as the carrier, the two communicating parties are not connected by cables. The risk to data transmission is greatly increased if the transmission link is not protected by appropriate encryption. Even when a security mechanism for authentication and encryption is added to a wireless network, security risks such as ARP spoofing still exist between users in the same wireless local area network.
Existing ARP spoofing detection mainly inspects ARP packets at the bottom layer of the mobile terminal, or checks whether received packets correspond to legitimate requests; however, this approach involves comparatively complex operation and is not suitable for the vast majority of mobile terminal users.
Disclosure of Invention
It is an object of the present application to provide a method and apparatus for detecting ARP spoofing in a wireless local area network.
According to one aspect of the present application, there is provided a method for detecting ARP spoofing in a wireless local area network by a wireless terminal, the method comprising:
when no other equipment sharing a MAC address with the gateway equipment exists in the wireless local area network where the wireless terminal is located, taking the current MAC address information of the gateway equipment as reference MAC address information;
detecting whether the current MAC address information of the gateway equipment is the same as the reference MAC address information or not in a delayed manner;
and if the current MAC address information of the gateway equipment is different from the reference MAC address information, determining that ARP spoofing exists in the wireless local area network.
According to an aspect of the present application, there is provided an apparatus for detecting ARP spoofing in a wireless local area network by a wireless terminal, the apparatus comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform:
when no other equipment sharing a MAC address with the gateway equipment exists in the wireless local area network where the wireless terminal is located, taking the current MAC address information of the gateway equipment as reference MAC address information;
detecting whether the current MAC address information of the gateway equipment is the same as the reference MAC address information or not in a delayed manner;
and if the current MAC address information of the gateway equipment is different from the reference MAC address information, determining that ARP spoofing exists in the wireless local area network.
According to yet another aspect of the application, there is provided a computer-readable medium comprising instructions that, when executed, cause a system to:
when no other equipment sharing a MAC address with the gateway equipment exists in the wireless local area network where the wireless terminal is located, taking the current MAC address information of the gateway equipment as reference MAC address information;
detecting whether the current MAC address information of the gateway equipment is the same as the reference MAC address information or not in a delayed manner;
and if the current MAC address information of the gateway equipment is different from the reference MAC address information, determining that ARP spoofing exists in the wireless local area network.
Compared with the prior art, the method and the device judge whether the wireless local area network suffers ARP spoofing by first judging whether other devices sharing the MAC address with the gateway device exist in the wireless local area network where the wireless terminal is located. When no such device exists, the current MAC address information of the gateway device is used as the reference MAC address information; whether the current MAC address information of the gateway device is the same as the reference MAC address information is then detected in a delayed manner, and if the current MAC address information of the gateway device differs from the reference MAC address information, ARP spoofing exists in the wireless local area network. The method and the device can discover an ARP spoofing attack by detecting a change of the gateway address in the routing table, and are also applicable to mobile terminals that have not acquired the highest authority.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
fig. 1 illustrates a system topology diagram for detecting ARP spoofing in a wireless local area network by a wireless terminal in accordance with an aspect of the subject application;
fig. 2 illustrates a flow chart of a method for detecting ARP spoofing in a wireless local area network by a wireless terminal in accordance with an aspect of the subject application.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
The present application is described in further detail below with reference to the attached figures.
In a typical configuration of the present application, the terminal, the device serving the network, and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
The device referred to in this application includes, but is not limited to, a user device, a network device, or a device formed by integrating a user device and a network device through a network. The user equipment includes, but is not limited to, any mobile electronic product, such as a smart phone, a tablet computer, etc., capable of human-computer interaction with a user (e.g., through a touch panel), and the mobile electronic product may employ any operating system, such as an Android operating system, an iOS operating system, etc. The network device includes an electronic device capable of automatically performing numerical calculation and information processing according to preset or stored instructions, and its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like. The network device includes, but is not limited to, a computer, a network host, a single network server, a set of network servers, or a cloud of multiple servers; here, the cloud is composed of a large number of computers or web servers based on Cloud Computing, a kind of distributed computing in which a collection of loosely coupled computers forms one virtual supercomputer. The network includes, but is not limited to, the internet, a wide area network, a metropolitan area network, a local area network, a VPN network, a wireless Ad Hoc network, etc. Preferably, the device may also be a program running on the user device, the network device, or a device formed by integrating the user device and the network device, the touch terminal, or the network device and the touch terminal through a network.
Of course, those skilled in the art will appreciate that the foregoing is by way of example only, and that other existing or future devices, which may be suitable for use in the present application, are also encompassed within the scope of the present application and are hereby incorporated by reference.
In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
Fig. 1 illustrates an exemplary scenario in which a wireless terminal obtains the gateway MAC address information and detects whether the MAC address changes in order to determine whether it is being spoofed by ARP. For a typical small LAN, the gateway device is the wireless router of the connected AP, while for a large LAN the gateway device may also be a professional device with higher processing capability. The wireless terminal in the present application includes a mobile terminal (e.g., a mobile phone, a PAD, etc.), a PC terminal, etc.; the embodiments are described herein taking the mobile terminal as an example, and those skilled in the art will understand that the embodiments are also applicable to other wireless terminals, such as a PC terminal. The mobile terminal includes a mobile terminal without the highest authority, such as a non-rooted Android mobile terminal or a non-jailbroken iOS mobile terminal.
Fig. 2 illustrates a method for detecting ARP spoofing in a wireless local area network by a wireless terminal according to an aspect of the present application, the method including step S11, step S12, and step S13. In step S11, when there is no other device sharing the MAC address with the gateway device in the wireless LAN where the wireless terminal is located, the current MAC address information of the gateway device is taken as the reference MAC address information; in step S12, it is detected in a delayed manner whether the current MAC address information of the gateway device is the same as the reference MAC address information; in step S13, if the current MAC address information of the gateway device is different from the reference MAC address information, it is determined that ARP spoofing exists in the wireless local area network.
Specifically, in step S11, when there is no other device sharing the MAC address with the gateway device in the wireless local area network where the wireless terminal is located, the current MAC address information of the gateway device is used as the reference MAC address information. For example, in a wireless local area network, the mobile terminal queries its local ARP cache table and determines that there is no other device sharing the MAC address with the gateway device; the mobile terminal has its own MAC address (its MAC address information includes MAC1), and at this time the mobile terminal regards the current MAC address information of the gateway device as the reference MAC address information.
In step S12, the wireless terminal performs a delayed check to determine whether the current MAC address information of the gateway device is the same as the reference MAC address information. For example, the delay is a short period of time; the interval may range from one second to several minutes, and the following embodiments are described taking 1 second as an example, although those skilled in the art will understand that other intervals are also applicable. After 1 second, the mobile terminal detects the current MAC address of the gateway device and compares it with the reference MAC address.
In step S13, if the current MAC address information of the gateway device is different from the reference MAC address information, the wireless terminal determines that ARP spoofing exists in the wireless local area network. For example, the mobile terminal determines the current MAC address information of the gateway device again and compares it with the reference MAC address information; if the current MAC address information of the gateway device is different from the reference MAC address information, the mobile terminal determines that ARP spoofing exists in the current wireless local area network.
For example, in the same wireless local area network, the mobile terminals are mobile phones: the MAC and IP address information of mobile phone A are MAC1 and IP1, those of mobile phone B are MAC2 and IP2, and those of the gateway device are MAC3 and IP3. Mobile phone A sends an ARP request packet in the wireless local area network, where the ARP request packet includes the IP address IP3 of the gateway device; mobile phone A then receives an ARP reply frame returned by another device, where the ARP reply frame includes the MAC address information MAC4 corresponding to IP3. MAC4 is used as the reference MAC address information; one second later the current MAC address information is obtained again as MAC5, and the risk of ARP spoofing is judged by comparing the current MAC address information MAC5 with the reference MAC address information MAC4: if MAC4 differs from MAC5, the mobile terminal confirms that ARP spoofing exists in the wireless local area network.
In some embodiments, in step S13, if the current MAC address information of the gateway device is different from the reference MAC address information, the wireless terminal sends a request for MAC address information of the wireless access point to a corresponding server, and receives the MAC address information of the wireless access point returned by the server based on the request; and if the current MAC address information of the gateway equipment is different from the MAC address information of the wireless access point, determining that ARP spoofing exists in the wireless local area network. For example, when the reference MAC address information of the gateway device changes, the mobile terminal sends a request for the MAC address information of the wireless access point to a corresponding server through the wireless connection of the wireless access point, where the request includes the BSSID of the wireless access point; the server receives the request and sends the MAC address information of the wireless access point to the mobile terminal. And the mobile terminal receives the MAC address information returned by the server, compares the MAC address information with the current MAC address information, and determines that ARP spoofing exists in the current wireless local area network if the MAC address information is different from the current MAC address information. And the server returns the MAC address information of the wireless access point based on the request, and the MAC address information is reserved for communication between the network equipment and the server.
For example, the gateway device includes a router providing wireless connection, the mobile terminal obtains that the reference MAC address of the gateway device is MAC4, the current MAC address of the gateway device detected by the mobile terminal is MAC5, and MAC4 is different from MAC5, and it can be considered that ARP spoofing exists in the current wireless local area network, and in order to prevent false alarm, reconfirmation is performed, the mobile terminal sends a request for obtaining the MAC address corresponding to the wireless access point to the server, where the request includes the BSSID of the wireless access point, and the server receives the request, queries the database for MAC address information MAC3 corresponding to the BSSID of the wireless access point, and returns the MAC address information MAC3 to the mobile terminal. The mobile terminal determines whether ARP spoofing exists in the wireless local area network based on the comparison between the MAC3 and the MAC5, and if the MAC3 and the MAC5 are different, the mobile terminal determines that the ARP spoofing exists in the wireless local area network.
In some embodiments, in step S13, if the current MAC address information of the gateway device is the same as the MAC address information of the wireless access point, the wireless terminal determines that there is no ARP spoofing in the wireless local area network. The ARP spoofing is spoofing of a gateway MAC address, and the spoofing of the gateway MAC address can bring about the change of the gateway MAC address.
For example, the mobile terminal sends a request for acquiring the MAC address corresponding to the wireless access point to the server, where the request includes the BSSID of the wireless access point; the server receives the request, queries the database for the MAC address information MAC3 corresponding to the BSSID of the wireless access point, and returns MAC3 to the mobile terminal. The mobile terminal determines whether ARP spoofing exists in the wireless local area network based on the comparison between MAC3 and MAC5, and determines that ARP spoofing does not exist in the wireless local area network if MAC3 and MAC5 are the same.
In some embodiments, if the current MAC address information of the gateway device is the same as the reference MAC address information and the cumulative number of delayed detections is less than or equal to the predetermined detection-count threshold, the method returns to step S12, where the wireless terminal again performs delayed detection of whether the current MAC address information of the gateway device is the same as the reference MAC address information; otherwise, it is determined that ARP spoofing does not exist in the wireless local area network. When the current MAC address information of the gateway device is detected to be the same as the reference MAC address information for the first time, the detection is repeated up to the preset detection-count threshold, each detection being delayed by one second; when the current MAC address information of the gateway device obtained over multiple detections remains the same as the reference MAC address information, the wireless local area network can be considered free of ARP spoofing.
For example, the gateway device includes a router providing the wireless connection; the current MAC address information of the router is MAC5 and the reference MAC address information is MAC4. MAC4 and MAC5 are detected to be equal the first time; to prevent a false alarm, the current MAC address information MAC5' is reacquired after a 1-second delay and MAC4 and MAC5' are detected to be equal the second time; the current MAC address information MAC5'' is reacquired after another 1-second delay and MAC4 and MAC5'' are detected to be equal the third time; and so on. The predetermined number of detections is 10, and when MAC4 and the current MAC address information are still the same after 10 detections, it is determined that ARP spoofing does not exist in the wireless local area network.
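Steps S11 to S13 as a small state machine, including the repeated-detection threshold and the server re-confirmation by BSSID described above, as an added example that is not part of the patent or its applicant's code; the `read_gateway_mac` and `lookup_ap_mac` callables, the `detect_from_samples` wrapper and the constructed MAC samples are assumptions made here so the logic runs offline.

```python
"""Added example (not the patent's own code): steps S11-S13 as a state machine,
with the repeated-detection threshold and the server re-confirmation by BSSID.
Gateway MAC reads and the server lookup are injected callables so the logic can
be exercised offline on constructed samples."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-11-22-33-44-05' == '00:11:22:33:44:05'."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class ArpSpoofDetector:
    # Returns the MAC the terminal currently resolves for the gateway IP
    # (on a real device: read from the ARP cache). Stubbed below.
    read_gateway_mac: Callable[[], str]
    # Hypothetical server lookup modelled on the patent's "corresponding server":
    # BSSID -> MAC it holds for that access point, or None if unknown.
    lookup_ap_mac: Optional[Callable[[str], Optional[str]]] = None
    bssid: str = ""
    max_checks: int = 10                 # predetermined number of detections (patent example: 10)
    reference_mac: Optional[str] = None
    checks_done: int = 0
    trace: List[str] = field(default_factory=list)

    def set_reference(self) -> str:
        """Step S11: record the gateway's current MAC as the reference MAC."""
        self.reference_mac = norm_mac(self.read_gateway_mac())
        self.checks_done = 0
        return self.reference_mac

    def check_once(self) -> str:
        """One delayed detection (S12/S13). Returns 'spoofed', 'clean' or 'pending'."""
        if self.reference_mac is None:
            self.set_reference()
        current = norm_mac(self.read_gateway_mac())
        self.checks_done += 1
        self.trace.append(current)
        if current != self.reference_mac:
            # Gateway MAC changed. Re-confirm with the server when one is available:
            # it is spoofing only if the server's AP MAC also differs from the current MAC.
            if self.lookup_ap_mac is not None:
                ap_mac = self.lookup_ap_mac(self.bssid)
                if ap_mac is not None and norm_mac(ap_mac) == current:
                    return "clean"
            return "spoofed"
        if self.checks_done >= self.max_checks:
            return "clean"               # unchanged across all detections
        return "pending"                 # back to S12 for another delayed check

    def run(self, delay_s: float = 1.0,
            sleep: Callable[[float], None] = lambda _s: None) -> str:
        """Loop S12/S13 until a verdict. sleep() is injectable so tests need no real delay."""
        self.set_reference()
        while True:
            sleep(delay_s)
            verdict = self.check_once()
            if verdict != "pending":
                return verdict


def sequence_reader(samples: Sequence[str]) -> Callable[[], str]:
    """Constructed stand-in for the ARP-cache read: yields the samples in order and
    keeps returning the last one once the sequence is exhausted."""
    pos = {"i": 0}

    def read() -> str:
        mac = samples[min(pos["i"], len(samples) - 1)]
        pos["i"] += 1
        return mac
    return read


def detect_from_samples(samples: Sequence[str], ap_table: Optional[dict] = None,
                        bssid: str = "", max_checks: int = 10) -> str:
    """Convenience wrapper: ap_table (BSSID -> MAC) simulates the server; None = no server."""
    lookup = None if ap_table is None else (lambda b: ap_table.get(b))
    det = ArpSpoofDetector(read_gateway_mac=sequence_reader(samples),
                           lookup_ap_mac=lookup, bssid=bssid, max_checks=max_checks)
    return det.run()


if __name__ == "__main__":
    # Constructed sample: reference MAC4, then the gateway suddenly resolves to MAC5.
    MAC4, MAC5 = "00:11:22:33:44:04", "00:11:22:33:44:05"
    print(detect_from_samples([MAC4, MAC4, MAC5]))   # spoofed (no server to consult)
```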
In some embodiments, in step S11, when there is no other device sharing the MAC address with the gateway device in the wireless LAN where the wireless terminal is located, and the wireless connection between the wireless terminal and the connected wireless access point is an application connection, the wireless terminal uses the current MAC address information of the gateway device as the reference MAC address information. For example, the mobile terminals in the same wireless LAN have their respective MACs, and the MAC of the gateway device is different from that of any mobile terminal accessing the wireless network through the application connection software; the MAC address at that time is taken as the reference MAC address.
For example, in a wireless local area network, after querying its local ARP cache table, the mobile terminal finds no two different IP addresses corresponding to the same MAC address information; the current mobile terminal is wirelessly connected through networking-related application software, a trusted MAC address can be obtained through the application connection, and the mobile terminal determines that the currently trusted gateway MAC address information is the reference MAC address information MAC4. Alternatively, when the mobile terminal performs wireless access through the system, the networking-related application software still runs in the background and can detect the wireless connection, and the mobile terminal determines the currently trusted gateway MAC address information as the reference MAC address information MAC4. The application software is trusted software of the system, and the application connection is established based on the trust of the system.
In some embodiments, in step S11, when there is no other device sharing the MAC address with the gateway device in the wireless LAN where the wireless terminal is located, and the wireless connection between the wireless terminal and the connected wireless access point is a system connection, the wireless terminal re-establishes the wireless connection between the wireless terminal and the connected wireless access point, and records the current MAC address information of the gateway device as the reference MAC address information. For example, the mobile terminals in the same wireless LAN have their respective MACs, and the MAC of the gateway device is different from that of any mobile terminal that has performed wireless access through its own system; the mobile terminal reconnects to the wireless network after disconnecting the current wireless connection, and the current MAC address information obtained at this time is used as the reference MAC address information.
For example, in a wireless local area network, after querying its local ARP cache table, a mobile terminal finds no two different IP addresses corresponding to the same MAC address information; the mobile terminal corresponds to MAC1 and the gateway device corresponds to MAC3, and MAC1 and MAC3 are different. Mobile terminal A is a mobile phone; for example, the mobile phone actively joins the wireless connection through the wireless settings interface of its built-in system, disconnects the current wireless connection and immediately rejoins the current wireless network. When the mobile phone rejoins the wireless network, the ARP cache table is refreshed, the MAC address MAC4 is obtained at this time, and MAC4 is used as the reference MAC address information. As another example, the mobile phone automatically initiates the wireless connection, and the user disconnects the current wireless connection through the user equipment and immediately rejoins the current wireless network; when the mobile phone rejoins the wireless network, the ARP cache table is refreshed, the MAC address MAC4 is obtained, and MAC4 is used as the reference MAC address information.
In some embodiments, in step S11, when there is no other device sharing the MAC address with the gateway device in the wireless LAN where the wireless terminal is located, the wireless terminal re-establishes the wireless connection between the mobile terminal and the connected wireless access point, and records the current MAC address information of the gateway device as the reference MAC address information. For example, the mobile terminals in the same wireless LAN have their respective MACs, the MAC of the gateway device is different from that of any mobile terminal, the mobile terminal reconnects to the wireless network after disconnecting the current wireless connection, and the current MAC address information obtained at this time is used as the reference MAC address information.
For example, in a wireless local area network, the mobile terminal has its own MAC address, MAC1, and the gateway device has MAC3; MAC1 is different from MAC3. The mobile terminal is a mobile phone that has not acquired the highest authority; the mobile phone disconnects the current wireless connection and immediately rejoins the current wireless network, the MAC address MAC4 is obtained at that moment, and MAC4 is used as the reference MAC address information.
In some embodiments, when there is another device in the wireless local area network where the wireless terminal is located that shares a MAC address with the gateway device, the wireless terminal determines that ARP spoofing exists in the wireless local area network. For example, an attacker returns an incorrect mapping relationship between the IP and the MAC for an ARP request which is sent by the mobile phone A and comprises the IP of the gateway equipment; the mobile terminal detects that different IP addresses correspond to the same MAC address in an ARP cache table based on the received ARP reply frame, and determines that ARP spoofing exists in the wireless local area network.
For example, the mobile terminal is a mobile phone, the MAC address of the mobile phone a is MAC1, the MAC of the mobile phone B is MAC2, the mobile phone B returns an incorrect mapping relationship between the IP and the MAC, such as a mapping relationship between IP3 and MAC2, for an ARP request including the IP of the gateway device sent by the mobile phone a, in a wireless local area network, the mobile terminal has a corresponding APR cache including the mapping relationship between the IP and the MAC address, the mobile phone a queries in the ARP cache that the current gateway address is MAC2, and the current gateway address MAC2 corresponds to two IP addresses IP2 and IP3, and the mobile phone a determines that ARP spoofing exists in the wireless local area network.
In some embodiments, when other devices sharing the MAC address with the gateway device exist in the wireless local area network where the wireless terminal is located, the wireless terminal sends a request for MAC address information of the wireless access point to a corresponding server, and receives the MAC address information of the wireless access point returned by the server based on the request; when the current MAC address information of the gateway equipment is the same as the MAC address information of the wireless access point, determining that ARP spoofing does not exist in the wireless local area network; otherwise, determining that ARP spoofing exists in the wireless local area network. For example, if a mobile terminal in the same wireless lan has a different MAC address based on a different IP address, it may be assumed that ARP spoofing does not exist in the wireless lan, and in order to prevent false alarm, the mobile terminal requests the server for the MAC address information of the wireless access point again, and if the MAC address information of the wireless access point is identical to the current MAC address information, it is determined that ARP spoofing does not exist in the wireless lan.
For example, in a wireless local area network, a mobile terminal queries its local ARP cache table and finds that two different IP addresses correspond to the same MAC address information, and the current MAC address of the gateway device obtained by the mobile terminal is MAC4. It can then be considered that there is a risk of ARP spoofing in the current wireless local area network. In order to prevent a false alarm, the mobile terminal performs a reconfirmation: it sends a request to a server for the MAC address corresponding to the wireless access point, where the request includes the BSSID of the wireless access point; the server receives the request, queries its database for the MAC address information MAC3 corresponding to that BSSID, and returns MAC3 to the mobile terminal. The mobile terminal determines whether ARP spoofing exists in the wireless local area network by comparing MAC3 with MAC4: if MAC3 and MAC4 differ, the mobile terminal determines that ARP spoofing exists in the wireless local area network.
In some embodiments, the wireless terminal acquires a plurality of devices in the wireless local area network in which the mobile network is located, and detects whether other devices sharing a MAC address with the gateway device exist among the plurality of devices. For example, each device generally has its own MAC address information, and the MAC address information of different devices differs from one another.
For example, the current local area network segment is obtained, the mobile terminal sends UDP packets to all IPs of the current local area network segment to scan the devices in the current local area network, and after the scan, the correspondence between the IP addresses and MAC addresses of the multiple devices in the current ARP cache table is obtained, so as to determine whether any other device shares a MAC address with the gateway device.
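As an added illustration of the shared-MAC check and the server reconfirmation described above (example code written for this page, not code from the patent or from the applicant), the following Python parses a Linux /proc/net/arp-style ARP cache, looks for other hosts that resolve to the gateway's MAC, and reconfirms against a BSSID-to-MAC lookup that stands in for the server-side database. The sample ARP caches, the BSSID, all MAC values and the AP_MAC_BY_BSSID table are constructed; the port used by the UDP probe and the verdict when the server has no entry for the BSSID (treated as spoofed, because the local check was already suspicious) are assumptions the patent does not specify.

```python
import ipaddress
import socket

# Constructed sample of a Linux /proc/net/arp table as a mobile terminal would read it.
# Here the gateway 192.168.1.1 resolves to the same MAC as host 192.168.1.20.
SPOOFED_ARP_CACHE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:02     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:02     *        wlan0
192.168.1.37     0x1         0x2         aa:bb:cc:00:00:37     *        wlan0
"""

# Constructed sample with every host on its own MAC.
CLEAN_ARP_CACHE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:02     *        wlan0
"""

# Constructed stand-in for the server database that maps an access point's BSSID
# to the MAC the gateway should present.
AP_MAC_BY_BSSID = {"00:11:22:33:44:55": "aa:bb:cc:00:00:01"}


def probe_segment(cidr, port=9):
    """Scan step from the text: send one empty UDP datagram to every host in the
    segment so the kernel resolves each address and fills the ARP cache.
    Port 9 (discard) is an assumption; the page names no port. Returns hosts probed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        try:
            sock.sendto(b"", (str(host), port))
            sent += 1
        except OSError:
            pass  # unreachable or blocked host: nothing to resolve
    sock.close()
    return sent


def parse_arp_cache(text):
    """Return {ip: mac} from /proc/net/arp-style text; skips the header row and
    incomplete entries (flags 0x0 or an all-zero hardware address)."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if flags == "0x0" or mac == "00:00:00:00:00:00":
            continue
        table[ip] = mac
    return table


def hosts_sharing_mac(table, ip):
    """Other IPs in the cache that resolve to the same MAC as `ip`; None if `ip` is absent."""
    mac = table.get(ip)
    if mac is None:
        return None
    return sorted(other for other, m in table.items() if m == mac and other != ip)


def reconfirm_with_server(current_gateway_mac, bssid, ap_mac_by_bssid):
    """Reconfirmation step: True when the server's MAC for this BSSID differs from the
    gateway MAC currently cached (spoofing), False when they match (false alarm),
    None when the server has no record for the BSSID."""
    ap_mac = ap_mac_by_bssid.get(bssid)
    if ap_mac is None:
        return None
    return ap_mac.lower() != current_gateway_mac.lower()


def detect_arp_spoofing(arp_text, gateway_ip, bssid, ap_mac_by_bssid):
    """Local shared-MAC check followed by server reconfirmation, as in the text."""
    table = parse_arp_cache(arp_text)
    shared = hosts_sharing_mac(table, gateway_ip)
    if shared is None:
        # Gateway not in the cache: nothing to compare yet.
        return {"gateway_mac": None, "shared_ips": [], "spoofed": None}
    result = {"gateway_mac": table[gateway_ip], "shared_ips": shared, "spoofed": False}
    if shared:
        confirmed = reconfirm_with_server(table[gateway_ip], bssid, ap_mac_by_bssid)
        # Assumption: with no server record, keep the suspicious local verdict.
        result["spoofed"] = True if confirmed is None else confirmed
    return result


if __name__ == "__main__":
    print(detect_arp_spoofing(SPOOFED_ARP_CACHE, "192.168.1.1", "00:11:22:33:44:55", AP_MAC_BY_BSSID))
```

On a real device the caller would run `probe_segment` on the current segment first, then read the live `/proc/net/arp` and pass its contents to `detect_arp_spoofing`; the BSSID comes from the Wi-Fi connection info.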
The present application also provides a computer readable storage medium having stored thereon computer code which, when executed, performs a method as in any one of the preceding.
The present application also provides a computer program product, which when executed by a computer device, performs the method of any of the preceding claims.
The present application further provides a computer device, comprising:
one or more processors;
a memory for storing one or more computer programs;
the one or more computer programs, when executed by the one or more processors, cause the one or more processors to implement the method of any preceding claim.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, implemented using Application Specific Integrated Circuits (ASICs), general purpose computers or any other similar hardware devices. In one embodiment, the software programs of the present application may be executed by a processor to implement the steps or functions described above. Likewise, the software programs (including associated data structures) of the present application may be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Additionally, some of the steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
In addition, some of the present application may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present application through the operation of the computer. Those skilled in the art will appreciate that the form in which the computer program instructions reside on a computer-readable medium includes, but is not limited to, source files, executable files, installation package files, and the like, and that the manner in which the computer program instructions are executed by a computer includes, but is not limited to: the computer directly executes the instruction, or the computer compiles the instruction and then executes the corresponding compiled program, or the computer reads and executes the instruction, or the computer reads and installs the instruction and then executes the corresponding installed program. Computer-readable media herein can be any available computer-readable storage media or communication media that can be accessed by a computer.
Communication media includes media by which communication signals, including, for example, computer readable instructions, data structures, program modules, or other data, are transmitted from one system to another. Communication media may include conductive transmission media such as cables and wires (e.g., fiber optics, coaxial, etc.) and wireless (non-conductive transmission) media capable of propagating energy waves such as acoustic, electromagnetic, RF, microwave, and infrared. Computer readable instructions, data structures, program modules, or other data may be embodied in a modulated data signal, for example, in a wireless medium such as a carrier wave or similar mechanism such as is embodied as part of spread spectrum techniques. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. The modulation may be analog, digital or hybrid modulation techniques.
By way of example, and not limitation, computer-readable storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. For example, computer-readable storage media include, but are not limited to, volatile memory such as random access memory (RAM, DRAM, SRAM); and non-volatile memory such as flash memory, various read-only memories (ROM, PROM, EPROM, EEPROM), magnetic and ferromagnetic/ferroelectric memories (MRAM, FeRAM); and magnetic and optical storage devices (hard disk, tape, CD, DVD); or other now known media or later developed that can store computer-readable information/data for use by a computer system.
An embodiment according to the present application comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or a solution according to the aforementioned embodiments of the present application.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims (11)

1. A method for detecting ARP spoofing in a wireless local area network by a wireless terminal, wherein the method comprises:
when no other device sharing a MAC address with the gateway device exists in the wireless local area network where the wireless terminal is located, taking the current MAC address information of the gateway device as reference MAC address information;
detecting, in a delayed manner, whether the current MAC address information of the gateway device is the same as the reference MAC address information, wherein the current MAC address information of the gateway device is obtained from the local ARP cache table after the wireless terminal has delayed for a period of time;
if the current MAC address information of the gateway device is different from the reference MAC address information, determining that ARP spoofing exists in the wireless local area network; wherein, when no other device sharing the MAC address with the gateway device exists in the wireless LAN where the wireless terminal is located, taking the current MAC address information of the gateway device as the reference MAC address information comprises:
when no other device sharing a MAC address with the gateway device exists in the wireless local area network where the wireless terminal is located and the wireless connection between the wireless terminal and the connected wireless access point is an application connection, using the current MAC address information of the gateway device as the reference MAC address information, wherein the application software used for establishing the application connection is software with a trusty system, the reference MAC address information is trusted gateway MAC address information, and the reference MAC address information is obtained by the wireless terminal querying its local ARP cache table.
2. The method of claim 1, wherein the determining that ARP spoofing exists in the wireless local area network if the current MAC address information of the gateway device is different from the reference MAC address information comprises:
if the current MAC address information of the gateway equipment is different from the reference MAC address information, sending a request about the MAC address information of the wireless access point to a corresponding server, and receiving the MAC address information of the wireless access point returned by the server based on the request;
and if the current MAC address information of the gateway equipment is different from the MAC address information of the wireless access point, determining that ARP spoofing exists in the wireless local area network.
3. The method of claim 2, wherein the determining that ARP spoofing exists in the wireless local area network if the current MAC address information of the gateway device is different from the reference MAC address information further comprises:
and if the current MAC address information of the gateway equipment is the same as the MAC address information of the wireless access point, determining that ARP spoofing does not exist in the wireless local area network.
4. The method of any of claims 1-3, wherein the method further comprises:
if the current MAC address information of the gateway device is the same as the reference MAC address information and the accumulated number of delayed detections is less than or equal to a preset detection-count threshold, returning to the delayed detection of whether the current MAC address information of the gateway device is the same as the reference MAC address information; otherwise,
determining that ARP spoofing does not exist in the wireless local area network.
5. The method according to claim 1, wherein when there is no other device sharing a MAC address with the gateway device in the wireless local area network where the wireless terminal is located, the current MAC address information of the gateway device is used as the reference MAC address information, further comprising:
when other equipment sharing the MAC address with the gateway equipment does not exist in the wireless local area network where the wireless terminal is located, and the wireless connection between the wireless terminal and the connected wireless access point is system connection, reestablishing the wireless connection between the wireless terminal and the connected wireless access point, and recording the current MAC address information of the gateway equipment as reference MAC address information.
6. The method of claim 1, wherein when no other device sharing a MAC address with a gateway device exists in a wireless local area network in which the wireless terminal is located, taking current MAC address information of the gateway device as reference MAC address information comprises:
when other equipment sharing the MAC address with the gateway equipment does not exist in the wireless local area network where the wireless terminal is located, reestablishing the wireless connection between the wireless terminal and the connected wireless access point, and recording the current MAC address information of the gateway equipment as reference MAC address information.
7. The method of claim 1, wherein the method further comprises:
when other devices sharing the MAC address with the gateway device exist in the wireless local area network where the wireless terminal is located, determining that ARP spoofing exists in the wireless local area network.
8. The method of claim 7, wherein the determining that ARP spoofing exists in the wireless local area network when other devices sharing a MAC address with a gateway device exist in the wireless local area network where the wireless terminal is located comprises:
when other devices sharing a MAC address with the gateway device exist in the wireless local area network where the wireless terminal is located, sending a request for the MAC address information of the wireless access point to a corresponding server, and receiving the MAC address information of the wireless access point returned by the server in response to the request;
when the current MAC address information of the gateway equipment is the same as the MAC address information of the wireless access point, determining that ARP spoofing does not exist in the wireless local area network; otherwise, determining that ARP spoofing exists in the wireless local area network.
9. The method of claim 1, wherein the method further comprises:
the method comprises the steps of obtaining a plurality of devices in a wireless local area network where a mobile network is located, and detecting whether other devices sharing MAC addresses with a gateway device exist in the devices.
10. An apparatus for detecting ARP spoofing in a wireless local area network by a wireless terminal, wherein the apparatus comprises:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method of any of claims 1 to 9.
11. A computer-readable medium comprising instructions that, when executed, cause a system to perform the operations of any of the methods of claims 1-9.
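Claims 1 and 4 above describe the delayed re-check loop: record a reference gateway MAC while no other host shares it, then re-read the gateway MAC from the local ARP cache after a delay, repeating up to a preset number of detections, and report spoofing the first time the cached value differs from the reference. As an added example (written for this page, not code from the patent or the applicant), the Python below implements that loop with an injectable reader, so the ARP-cache reads can be replayed from a constructed list of snapshots; the default delay, the default check count and all MAC values are constructed, and treating a gateway entry that disappears from the cache as a change is an assumption.

```python
import time


def delayed_spoof_check(read_gateway_mac, max_checks=3, delay_s=5.0, sleep=time.sleep):
    """Reference-then-recheck detection in the style of claims 1 and 4.

    read_gateway_mac: callable returning the gateway's MAC from the local ARP cache,
        or None when the gateway is not cached.
    max_checks: the preset detection-count threshold; the cache is re-read at most
        this many times, each after `delay_s` seconds.
    Returns the verdict together with the evidence behind it.
    """
    reference = read_gateway_mac()
    if reference is None:
        # No reference MAC can be taken; the caller should retry once the gateway is cached.
        return {"spoofed": None, "checks": 0, "reference": None, "observed": None}
    reference = reference.lower()
    for n in range(1, max_checks + 1):
        sleep(delay_s)                      # wait before re-reading the cache
        current = read_gateway_mac()
        current = current.lower() if current else None
        if current != reference:
            # The cached gateway MAC changed after the reference was taken (or vanished,
            # an assumption): report spoofing and how many delayed checks it took.
            return {"spoofed": True, "checks": n, "reference": reference, "observed": current}
    # Every delayed re-read matched the reference within the allowed number of checks.
    return {"spoofed": False, "checks": max_checks, "reference": reference, "observed": reference}


def proc_arp_reader(gateway_ip, path="/proc/net/arp"):
    """Reader for a Linux/Android terminal: re-parses the kernel ARP table on each call
    and returns the gateway's hardware address, skipping incomplete (flags 0x0) entries."""
    def read():
        with open(path) as f:
            for line in f.read().splitlines()[1:]:
                fields = line.split()
                if len(fields) >= 4 and fields[0] == gateway_ip and fields[2] != "0x0":
                    return fields[3]
        return None
    return read


def snapshot_reader(snapshots):
    """Constructed test double: each call returns the next gateway MAC from the list,
    repeating the last value once the list is exhausted."""
    state = {"i": 0}

    def read():
        i = min(state["i"], len(snapshots) - 1)
        state["i"] += 1
        return snapshots[i]
    return read


if __name__ == "__main__":
    # Constructed scenario: the gateway MAC changes on the second delayed re-read.
    reader = snapshot_reader(["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"])
    print(delayed_spoof_check(reader, max_checks=3, sleep=lambda s: None))
```

On a device the call would be `delayed_spoof_check(proc_arp_reader("192.168.1.1"))` with the real sleep; the reference MAC should only be recorded once the shared-MAC check of claim 1 has passed, which is the caller's responsibility here.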
CN201810331644.7A 2018-04-13 2018-04-13 Method and equipment for detecting ARP spoofing in wireless local area network Active CN108768937B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810331644.7A CN108768937B (en) 2018-04-13 2018-04-13 Method and equipment for detecting ARP spoofing in wireless local area network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810331644.7A CN108768937B (en) 2018-04-13 2018-04-13 Method and equipment for detecting ARP spoofing in wireless local area network

Publications (2)

Publication Number Publication Date
CN108768937A CN108768937A (en) 2018-11-06
CN108768937B true CN108768937B (en) 2021-06-25

Family

ID=64010569

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810331644.7A Active CN108768937B (en) 2018-04-13 2018-04-13 Method and equipment for detecting ARP spoofing in wireless local area network

Country Status (1)

Country Link
CN (1) CN108768937B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112333146B (en) * 2020-09-21 2023-04-18 南方电网海南数字电网研究院有限公司 ARP security defense method for intelligent power transformation gateway and intelligent power transformation gateway

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104219339A (en) * 2014-09-17 2014-12-17 北京金山安全软件有限公司 Method and device for detecting address resolution protocol attack in local area network
CN106034302A (en) * 2015-03-09 2016-10-19 腾讯科技(深圳)有限公司 Safety monitoring method for hot spot of wireless local area network, device thereof and communication system
CN106376003A (en) * 2015-07-23 2017-02-01 中移(杭州)信息技术有限公司 Method and device for detecting wireless local area network connection and wireless local area network data transmission
KR20170080957A (en) * 2015-12-31 2017-07-11 (주)노르마 ARP SPOOFING DEFENDING SYSTEM FOR IoT Security in IoT Network

Also Published As

Publication number Publication date
CN108768937A (en) 2018-11-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210419

Address after: 200131 Zone E, 9th floor, No.1 Lane 666, zhangheng Road, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai

Applicant after: Shanghai Shangxiang Network Technology Co.,Ltd.

Address before: 200120 Shanghai city Pudong New Area mud Town Road No. 979 Building 2 Hon

Applicant before: SHANGHAI LIANSHANG NETWORK TECHNOLOGY Co.,Ltd.

GR01 Patent grant