CN109039989B - Address resolution protocol spoofing detection method, host and computer-readable storage medium - Google Patents

Address resolution protocol spoofing detection method, host and computer-readable storage medium Download PDF

Info

Publication number
CN109039989B
CN109039989B CN201710427619.4A CN201710427619A CN109039989B CN 109039989 B CN109039989 B CN 109039989B CN 201710427619 A CN201710427619 A CN 201710427619A CN 109039989 B CN109039989 B CN 109039989B
Authority
CN
China
Prior art keywords
address
arp
mac address
host
memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710427619.4A
Other languages
Chinese (zh)
Other versions
CN109039989A (en
Inventor
江沛合
徐雄威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201710427619.4A priority Critical patent/CN109039989B/en
Publication of CN109039989A publication Critical patent/CN109039989A/en
Application granted granted Critical
Publication of CN109039989B publication Critical patent/CN109039989B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/10Mapping addresses of different types
    • H04L61/103Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Abstract

The invention discloses an ARP spoofing detection method and device, and belongs to the technical field of network security. The method comprises the following steps: monitoring ARP messages received in a network layer of a host; detecting whether the IP address of the network interconnection protocol in the ARP message is the same as the IP address of the target gateway or not; the target gateway is a gateway connected with the host in the local area network; detecting whether a Media Access Control (MAC) address in the ARP message is the same as an MAC address in a memory; the MAC address in the memory is a MAC address corresponding to the IP address of the target gateway which is received and stored historically; and when the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address in the ARP message is different from the MAC address in the memory, determining that ARP spoofing exists in the target gateway. The method solves the problems that in a related scheme, only the ARP cache table needs to be read to detect whether ARP spoofing exists, the detection of the ARP spoofing is not real-time enough, and the network is still unsafe.

Description

Address resolution protocol spoofing detection method, host and computer-readable storage medium
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to an ARP (Address Resolution Protocol) cheating detection method and device.
Background
ARP is a TCP (Transmission Control Protocol)/IP Protocol that acquires a MAC (Media Access Control) address from an IP (Internet Protocol) address.
Because the ARP is established on the basis that each device in the local area network trusts each other, after the host receives the ARP reply, the authenticity of the ARP reply will not be detected, i.e., the source IP address and the source MAC address in the ARP reply are stored in the ARP cache table in the memory in a related manner, so that when an attacker sends a pseudo ARP reply corresponding to the gateway in the local area network to the host (i.e., the gateway has ARP spoofing), i.e., when the ARP reply carries a forged MAC address of the gateway, the subsequent host communicates with other hosts in the local area network through the forged gateway, thereby threatening the communication security. When a source IP address and a source MAC address are stored in an ARP cache table, if the incidence relation stored in the ARP cache table does not include the incidence relation corresponding to the source IP address in the ARP response, the source IP address and the source MAC address are directly stored; and if the incidence relation corresponding to the source IP address in the ARP response is stored in each incidence relation stored in the ARP cache table, if the source MAC address in the ARP response is different from the MAC address in the stored incidence relation, the source MAC address in the ARP response is used for refreshing the MAC address in the stored incidence relation.
In practical implementation, in order to ensure network security, the related art provides an ARP spoofing detection method, which includes: the upper application program reads the content in the ARP cache table and detects whether the MAC address of the non-gateway is the same as the MAC address of the target gateway in the read content; if the MAC address exists, at least one of the MAC address of the non-gateway and the MAC address of the target gateway detected in the ARP cache table is a forged MAC address, namely the MAC address of the target gateway is possibly forged, and at this time, in order to ensure that the network security host can determine that ARP spoofing exists in the target gateway. The target gateway is a gateway connected with a host in a local area network.
Because the upper application program needs to read the ARP cache table from the memory and then perform detection according to the read content, it is known that reading the content of the ARP cache table requires a certain time, and during this time, the content in the ARP cache table may have been refreshed by the correspondence between the IP address and the MAC address in the newly received ARP reply, so that the above scheme may have a problem that the existing ARP spoofing cannot be detected in real time, that is, the detection is not real-time enough, and the network is still unsafe.
Disclosure of Invention
The method aims to solve the problems that in the related art, only after an ARP cache table needs to be read, whether ARP spoofing exists can be detected, the detection of the ARP spoofing is not real-time enough, and the network is still unsafe; the embodiment of the invention provides an ARP spoofing detection method and device. The technical scheme is as follows:
according to a first aspect of embodiments of the present invention, there is provided an ARP spoofing detection method, used in a host, the method including:
monitoring ARP messages received in a network layer of the host;
detecting whether the IP address of the network interconnection protocol in the ARP message is the same as the IP address of the target gateway or not; the target gateway is a gateway connected with the host in a local area network;
detecting whether a Media Access Control (MAC) address in the ARP message is the same as an MAC address in a memory; the MAC address in the memory is a MAC address corresponding to the IP address of the target gateway which is received and stored historically;
and when the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address in the ARP message is different from the MAC address in the memory, determining that ARP spoofing exists in the target gateway.
According to a second aspect of the embodiments of the present invention, there is provided a host, including a processor and a memory, where the memory stores at least one instruction, and the instruction is loaded and executed by the processor to implement the following operations:
monitoring ARP messages received in a network layer of the host;
detecting whether the IP address of the network interconnection protocol in the ARP message is the same as the IP address of the target gateway or not; the target gateway is a gateway connected with the host in a local area network;
detecting whether a Media Access Control (MAC) address in the ARP message is the same as an MAC address in a memory; the MAC address in the memory is a MAC address corresponding to the IP address of the target gateway which is received and stored historically;
and when the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address in the ARP message is different from the MAC address in the memory, determining that ARP spoofing exists in the target gateway.
According to a third aspect of embodiments of the present invention, there is provided a computer-readable storage medium having at least one instruction stored therein, the instruction being loaded and executed by a processor to implement the following operations:
monitoring ARP messages received in a network layer of the host;
detecting whether the IP address of the network interconnection protocol in the ARP message is the same as the IP address of the target gateway or not; the target gateway is a gateway connected with the host in a local area network;
detecting whether a Media Access Control (MAC) address in the ARP message is the same as an MAC address in a memory; the MAC address in the memory is a MAC address corresponding to the IP address of the target gateway which is received and stored historically;
and when the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address in the ARP message is different from the MAC address in the memory, determining that ARP spoofing exists in the target gateway.
The technical scheme provided by the embodiment of the invention has the following beneficial effects:
the method comprises the steps that ARP information received in a network layer is directly monitored, and ARP spoofing is detected when the IP address in the monitored ARP information is the same as the IP address of a target gateway but the MAC address in the ARP information is different from the MAC address corresponding to the IP address stored in a memory; the target gateway is a gateway connected with the host in the local area network, and the MAC address in the memory is a MAC address corresponding to the IP address of the target gateway which is received and stored historically; the method and the device achieve the effects of directly monitoring each ARP message received in a network layer, further directly detecting whether ARP spoofing exists according to the MAC address carried in the ARP message with the IP address as the IP address of the target gateway and the MAC address corresponding to the IP address of the target gateway stored in the memory, and do not need to waste a large amount of time to read the content in the ARP cache table for detection, thereby achieving the effects of detecting the ARP spoofing in real time and ensuring the network safety.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of an implementation environment related to an ARP spoofing detection method provided by various embodiments of the present invention;
FIG. 2 is a flow chart of a method for ARP spoofing detection provided by one embodiment of the present invention;
FIG. 3 is a flowchart illustrating obtaining Root rights for an operating system according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of query information presented by a host according to one embodiment of the present invention;
FIG. 5 is a diagram illustrating a host-presented hint message, according to an embodiment of the present invention;
fig. 6 is a schematic diagram of an ARP spoofing detection apparatus provided by an embodiment of the present invention;
fig. 7 is a schematic diagram of a host according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
Referring to fig. 1, a schematic diagram of an implementation environment related to an ARP spoofing detection method according to various embodiments of the present invention is shown, as shown in fig. 1, where the implementation environment includes n hosts 110 and a target gateway 120, and n is an integer greater than or equal to 2. The target gateway 120 provides a local area network, and the n hosts 110 can communicate via the local area network.
The host 110 refers to a terminal such as a desktop computer, a tablet computer, or an e-reader, and the host 110 may be connected to the target gateway 120 through a wired or wireless network. The figure illustrates that the host 110 includes 4.
The target gateway 120 refers to a device that provides a lan service to each host 110. Alternatively, the target gateway 120 may be a router or the like.
In each embodiment described below, while storing an ARP cache table in a storage manner in a related scheme, a host monitors an ARP message received in a network layer, and detects whether an IP address in the ARP message is the same as an IP address of a target gateway; the target gateway is a gateway connected with the host in the local area network; detecting whether the MAC address corresponding to the IP address in the ARP message is the same as the MAC address corresponding to the IP address already stored in a memory; if the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address in the ARP message is different from the MAC address in the memory, at least one MAC address in the two MAC addresses corresponding to the IP address of the target gateway is forged, and at the moment, the host can determine that ARP spoofing exists in the target gateway; and if the same, the host may determine that the target gateway may be normal. And the MAC address in the memory is the MAC address corresponding to the IP address of the target gateway which is received and stored by the host computer in history. Therefore, the host does not need to consume a large amount of time to read the content from the ARP cache table of the memory and then detect according to the read content, but only needs to detect according to the ARP message in the network layer monitored in real time and the MAC address stored in the memory, so that the effects of detecting ARP spoofing in real time and ensuring network safety are achieved.
Referring to fig. 2, a flowchart of a method for detecting ARP spoofing according to an embodiment of the present invention is shown, where the embodiment uses the ARP detection method in any host shown in fig. 1. As shown in fig. 2, the ARP spoofing detection method may include:
step 201, the ARP message received in the network layer of the host is monitored.
The host runs a management program for managing the host state, and the host can monitor the ARP message received in the network layer through the management program. The ARP message in this embodiment may include an ARP request or an ARP reply.
Optionally, this step may include at least one of the following two implementations:
the first implementation mode is that a first ARP request is sent, wherein the first ARP request carries the IP address of the target equipment; and monitoring an ARP response fed back by the target equipment received in the network layer, wherein the ARP response carries the IP address and the MAC address of the target equipment.
The host may send a first ARP request when the host needs to query the MAC address of the destination device. The first ARP request carries an active IP address, a source MAC address, a destination IP address and a destination MAC address. The source IP address is the IP address of the host, the source MAC address is the MAC address of the host, the destination IP address is the IP address of the destination equipment, and the destination MAC address is the address which can be received and analyzed by each equipment in the local area network. For example, the destination MAC address may be 0 xFFFFFFFF.
Alternatively, the host may directly read and obtain its own IP address and MAC address, and read the IP address of the destination device through an API (Application Programming Interface), and then send a first ARP request carrying the read address. Optionally, the destination device may include a target gateway, where the target gateway is a gateway in the lan that provides lan services for the hosts. In practical implementation, the destination device may also include other hosts in the local area network.
Each device in the local area network can receive the first ARP request and detect whether a target IP address in the first ARP request, namely the IP address of the target device is the same as the IP address of the device per se or not; if the detection result is the same as the IP address of the target device, the target device feeds back an ARP response to the host, wherein the ARP response carries the IP address of the target device and the MAC address of the target device; accordingly, the host may receive the ARP reply; and if the detection result is different from the own IP address, discarding the first ARP request.
For example, when the destination device is a target gateway, after the target gateway receives a first ARP request sent by the host, the target gateway may feed back an ARP reply carrying its own IP address and MAC address to the host. Accordingly, the host may receive the ARP reply fed back by the target gateway.
In a second implementation manner, a second ARP request sent by another device and received in the network layer is monitored, where the second ARP request carries an IP address and an MAC address of the device.
Similar to the first implementation manner, other devices in the local area network may also actively send a second ARP request, and correspondingly, the host may receive the second ARP request, that is, may monitor the second ARP request received in the network layer. The other devices mentioned here may be target gateways in the lan or other hosts in the lan, but there are also cases where the actual implementation is a counterfeit gateway for use by a lawbreaker.
It should be noted that, in order to monitor the message received in the network layer, the hypervisor may first obtain the Root authority of the operating system, and monitor the ARP message received in the network layer after obtaining the Root authority. As shown in fig. 3, the step of obtaining the Root right includes:
step 201a, detecting whether the Root authority of the operating system is provided.
The hypervisor may detect whether there is a Su (Switch user) file, and if there is a Su file, it indicates that the host has already been Root passed, and at this time, the hypervisor may continue to detect whether the host has Root permission of the operating system. Optionally, if there is no Su file in the host, it indicates that the host is not Root-passed, and the process ends at this time.
Optionally, the Root authority of the hypervisor may be set with a certain validity period, for example, the Root authority granted to the hypervisor for one week, the host may detect whether the validity period of the Root authority of the hypervisor is expired, and if the validity period of the Root authority of the hypervisor is not expired, it is determined that the hypervisor has the Root authority, otherwise, the hypervisor does not have the Root authority.
Optionally, after the host is started, whether the management program has Root authority can be detected; or after connecting with a target gateway in the local area network, detecting whether the management program has Root authority; or, after the hypervisor is started, whether the Root authority is provided or not is detected, and the execution timing of this step is not limited in this embodiment. The target gateway is a gateway connected with the host in the local area network.
Step 201b, when the Root right is not provided, the inquiry information is displayed; the inquiry information is used to inquire whether Root rights are granted.
If the detection result is that the hypervisor does not have Root rights, the host may present query information, for example, present a query box shown in fig. 4. As shown in fig. 4, the query box includes query information 41 for querying whether to grant the Root rights of the hypervisor, a confirmation option 42 for confirming the grant of the Root rights of the hypervisor, and a denial option 43 for denying the grant of the Root rights of the hypervisor. Of course, in practical implementation, the validation option 42 may include a plurality of validation options, and the duration of the Root authority corresponding to each validation option is different. For example, the confirmation options 42 may include "a confirmation option for confirming that the Root authority of the manager is granted for one week", "a confirmation option for confirming that the Root authority is granted for 3 hours to the manager", and "a confirmation option for confirming that the Root authority of the manager is always granted", which will not be described herein again. The provided candidate validity period of the Root authority is also referred to as a default time period in the host, or a time period which is given by the user in advance, namely the week, 3 hours or always, and is not limited to this.
It should be noted that fig. 4 only shows the query information in the text format as an example, in practical implementation, the host may also play the query information in the voice format, for example, the query information whose content is "whether Root right is granted" is played.
Step 201c, receiving a confirmation instruction for confirming the grant of Root authority.
After viewing the displayed confirmation information, the user may apply a confirmation instruction for confirming the Root authority granted to the hypervisor, and accordingly, the host may receive the confirmation instruction. For example, in connection with FIG. 4, the host may receive a selection instruction to select the confirmation option 42.
Alternatively, when the host receives a rejection instruction for rejecting the grant of the Root right to the hypervisor, for example, the host receives a selection instruction for selecting the rejection option 42, the process ends. Optionally, when the host receives a rejection instruction for rejecting granting the Root right, the host may further detect whether the target gateway has ARP spoofing through another detection method.
It should be noted that, when the presented inquiry information is voice information, the confirmation instruction may also be a voice instruction. For example, after the host plays the query information, when the host collects the command of "grant" through the microphone, the host recognizes the received command as a confirmation command; similarly, if the host collects a "reject" command via the microphone, the host recognizes the received command as a confirmation command.
By displaying the inquiry information in the voice format and collecting the confirmation instruction in the voice format, convenience is provided for the user, and particularly, convenience is provided for the user with low cultural degree or inconvenient actions.
Step 201d, after receiving the confirmation instruction, acquiring Root authority.
Optionally, before this step, the host may further display prompt information for prompting identity authentication, for example, the host may display "please perform fingerprint verification" or "please input a device password", and the like, receive authentication information input by the user, authenticate the authentication information, and obtain the Root right after the authentication is passed. For example, after receiving the confirmation instruction, the host displays a "please input a fingerprint", receives a fingerprint input by a user, detects whether the received fingerprint is matched with a preset fingerprint, if so, determines that the authentication is successful, and the management program obtains the Root authority of the operating system.
When the Root authority of the operating system is acquired, the management program can directly monitor the ARP message received in the network layer through an interface provided by the system. Alternatively, the hypervisor may listen in real-time for ARP messages received in the network layer.
Step 202, detecting whether the IP address in the ARP message is the same as the IP address of the target gateway.
After listening for the ARP message, the hypervisor may detect whether the IP address in the ARP message is the same as the IP address of the target gateway.
Alternatively, this step may include the following two possible cases:
first, when the ARP message is an ARP request sent by itself, the ARP request is discarded.
And secondly, when the ARP message is an ARP request sent by other equipment, detecting whether a source IP address in the ARP request is the same as the IP address of the target gateway or not.
Thirdly, when the ARP message is an ARP response, whether the source IP address in the ARP response is the same as the IP address of the target gateway or not is detected.
Step 203, when the IP address in the ARP message is the same as the IP address of the target gateway, it is detected whether the MAC address corresponding to the IP address of the target gateway is already stored in the memory.
After monitoring the ARP message, the hypervisor may detect whether the MAC corresponding to the IP address of the target gateway is already stored in the memory.
Optionally, if the IP address in the ARP message is different from the IP address of the target gateway, the process ends at this time.
In step 204, if the MAC address corresponding to the IP address of the target gateway is not stored in the memory, the MAC address in the ARP message that is monitored is stored in the memory as the MAC address corresponding to the IP address.
When the MAC address corresponding to the IP address of the target gateway is not stored in the memory, since it is detected in step 202 that the IP address in the ARP message is the IP address of the target gateway, that is, the MAC address corresponding to the IP address in the ARP message is the MAC address of the target gateway, the host may store the MAC address corresponding to the IP address in the ARP message, which is monitored, as the MAC address corresponding to the IP address of the target gateway in the memory. Optionally, when the ARP message is an ARP request sent by another device, the source MAC address in the ARP request is stored in the memory; and when the ARP message is an ARP response sent by other equipment, storing the source MAC address in the ARP response into the memory.
Alternatively, the host may store the IP address and MAC address association of the target gateway in memory and thereafter continue to listen for ARP messages received in the network layer.
It should be added that, in actual implementation, the steps 203 and 204 are optional steps, and are performed in the first flow, and in the subsequent flow, the step 205 is performed directly. In addition, this embodiment is only illustrated by first executing step 202, during actual implementation, step 202 may also be executed at any step before step 204, and when step 203 and step 204 are not executed, the host may also execute step 205 first and then execute step 202, or execute step 202 and step 205 at the same time, which is not described herein again.
In step 205, if the MAC address corresponding to the IP address of the target gateway is stored in the memory, it is detected whether the MAC address in the ARP message is the same as the MAC address in the memory.
The MAC address in the memory is the MAC address corresponding to the IP address of the target gateway which is received and stored in history. Optionally, it may be detected whether the MAC address corresponding to the IP address of the target gateway in the ARP message is the same as the MAC address in the memory. That is, when the ARP message is an ARP request sent by other equipment, whether the source MAC address is the same as the MAC address in the memory is detected; and when the ARP message is an ARP response sent by other equipment, detecting whether the source MAC address is the same as the MAC address in the memory.
In step 206, when the MAC address in the ARP message is different from the MAC address in the memory, it is detected that ARP spoofing exists in the target gateway.
When the detection result is different, it indicates that at least one of the MAC address in the ARP message currently being monitored and the MAC address stored in the memory is a forged MAC address, so the host can determine that ARP spoofing occurs at this time.
Step 207, when the MAC address in the ARP message is the same as the MAC address in the memory, the duration after the ARP message whose IP address is the IP address of the target gateway is received for the first time is counted.
When the detection results are the same, the host may count a time period since the ARP message whose IP address is the IP address of the target gateway is first received. Optionally, when the host monitors the ARP message whose IP address is the IP address of the target gateway for the first time, a timer may be started, and when it is detected that the MAC address in the ARP message is the same as the MAC address in the memory, the time length obtained by the timer is obtained.
And step 208, when the duration does not reach the preset duration, performing the operation of monitoring the ARP message received in the network layer of the host again.
The preset duration is a default duration in the host, or a user-defined duration, which is not described herein again.
When the counted time length does not reach the preset time length, in order to ensure the accuracy of monitoring the ARP spoofing of the host on the local area network, the host may perform step 201 again, for example, the host may send an ARP request carrying the IP address of the host, the MAC address, the IP address of the target gateway, and the destination address again, and monitor an ARP reply fed back by the target gateway.
And step 209, ending the process when the duration reaches the preset duration.
If the counted time length reaches the preset time length, it indicates that no ARP spoofing occurs in the local area network after the monitoring of the preset time length, that is, the local area network is safe, and at this time, the host may end the process in order to reduce the processing complexity. In actual implementation, in order to further ensure network security, the host may further monitor the ARP message received in the network layer again after a predetermined time interval, that is, cyclically execute the above procedure, which is not described herein again.
It should be noted that step 207 to step 209 are optional steps, and in actual implementation, when the MAC address in the ARP message is the same as the MAC address in the memory, the host may monitor the ARP message received in the network layer in real time, or directly end the process.
The second point to be noted is that, when detecting that there is ARP spoofing, the host may generate and present a prompt message for prompting that there is ARP spoofing, for example, the prompt message may be "may the current local area network be attacked, whether to continue using? Optionally, the host may also expose a disconnect option to trigger disconnection of the lan and a trust option to trust the lan. For example, referring to FIG. 5, the host may display the display interface shown in the figure. After the display interface shown in fig. 5 is displayed, the host can perform the related operations according to the received trigger command. Certainly, in actual implementation, in order to ensure the internet access security, the host may directly disconnect the connection with the target gateway, which is not limited to this.
The third point to be supplemented is that, in the above embodiment, only taking the case that the hypervisor first acquires the Root authority of the operating system and then monitors the ARP message received in the network layer as an example, in actual implementation, if the hypervisor can also achieve the purpose of monitoring the message in the network layer through other manners, the hypervisor may not acquire the Root authority of the operating system.
In summary, in the ARP spoofing detection method provided in this embodiment, by directly monitoring the ARP message received in the network layer, when the IP address in the monitored ARP message is the same as the IP address of the target gateway but the MAC address in the ARP message is different from the MAC address corresponding to the IP address stored in the memory, ARP spoofing is detected; the target gateway is a gateway connected with the host in the local area network, and the MAC address in the memory is a MAC address corresponding to the IP address of the target gateway which is received and stored historically; the method and the device achieve the effects of directly monitoring each ARP message received in a network layer, further directly detecting whether ARP spoofing exists according to the MAC address carried in the ARP message with the IP address as the IP address of the target gateway and the MAC address corresponding to the IP address of the target gateway stored in the memory, and do not need to waste a large amount of time to read the content in the ARP cache table for detection, thereby achieving the effects of detecting the ARP spoofing in real time and ensuring the network safety.
When the same MAC address of the target gateway is received for multiple times, only the ARP message received by the network layer within the preset time length is monitored, so that the processing complexity of the host is reduced.
To summarize, the ARP spoofing detection method may include:
1. and obtaining the Root authority of the operating system.
2. And monitoring the ARP message received in the network layer according to the Root authority.
3. And detecting ARP spoofing when the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address in the ARP message is different from the MAC address stored in the memory.
And the MAC address stored in the memory is the MAC address corresponding to the IP address of the target gateway.
4. And when the condition in 3 is not met, continuing monitoring the ARP message received in the network layer according to the Root authority.
Referring to fig. 6, which shows a schematic structural diagram of an ARP spoofing detecting apparatus according to an embodiment of the present invention, as shown in fig. 6, the ARP spoofing detecting apparatus may include: a listening module 610, a detection module 620, and a result module 630.
A monitoring module 610, configured to monitor an ARP message received in a network layer of the host;
the detecting module 620 is further configured to detect whether an internet protocol IP address in the ARP message is the same as an IP address of a target gateway; the target gateway is a gateway connected with the host in a local area network;
the detecting module 620 is further configured to detect whether a media access control MAC address in the ARP message is the same as a MAC address in the memory; the MAC address in the memory is a MAC address corresponding to the IP address of the target gateway which is received and stored historically;
a result module 630, configured to determine that ARP spoofing exists in the target gateway when the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address in the ARP message is different from the MAC address in the memory.
In summary, the ARP spoofing detection apparatus provided in this embodiment directly monitors the ARP message received in the network layer, and then detects that ARP spoofing exists when the IP address in the monitored ARP message is the same as the IP address of the target gateway but the MAC address in the ARP message is different from the MAC address corresponding to the IP address stored in the memory; the target gateway is a gateway connected with the host in the local area network, and the MAC address in the memory is a MAC address corresponding to the IP address of the target gateway which is received and stored historically; the method and the device achieve the effects of directly monitoring each ARP message received in a network layer, further directly detecting whether ARP spoofing exists according to the MAC address carried in the ARP message with the IP address as the IP address of the target gateway and the MAC address corresponding to the IP address of the target gateway stored in the memory, and do not need to waste a large amount of time to read the content in the ARP cache table for detection, thereby achieving the effects of detecting the ARP spoofing in real time and ensuring the network safety.
Based on the ARP spoofing detection apparatus provided in the foregoing embodiment, optionally, the monitoring module 610 is further configured to:
broadcasting a first ARP request, wherein the first ARP request carries an IP address of a target device; monitoring a received ARP response fed back by the target equipment, wherein the ARP response carries an IP address and an MAC address of the target equipment;
and/or the presence of a gas in the gas,
monitoring a received second ARP request sent by other equipment, wherein the second ARP request carries the IP address and the MAC address of the equipment.
Optionally:
the ARP spoofing detecting apparatus further includes: a storage module;
and the storage module is used for storing the MAC address in the monitored ARP message as the MAC address corresponding to the IP address of the target gateway to the memory when the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address corresponding to the IP address of the target gateway is not stored in the memory, and executing the operation of monitoring the ARP message received in the network layer of the host again.
Optionally: the ARP spoofing detecting apparatus further includes: a counting module and an ending module;
the statistical module is further configured to, when the MAC address in the ARP message is the same as the MAC address in the memory, count a duration after an ARP message whose IP address is the IP address of the target gateway is received for the first time;
the monitoring module is further configured to perform the operation of monitoring the ARP message received in the network layer of the host again when the duration does not reach a preset duration;
and the ending module is also used for ending the flow when the duration reaches the preset duration.
Optionally: the ARP spoofing detecting apparatus further includes: the device comprises a display module, a receiving module and an acquisition module;
the display module is used for displaying the inquiry information when the Root right of the operating system is not available; the inquiry information is used for inquiring whether the Root authority is granted or not;
the receiving module is used for receiving a confirmation instruction for confirming the grant of the Root authority;
and the obtaining module is used for obtaining the Root authority after receiving the confirmation instruction and executing the operation of monitoring the ARP message received in the network layer of the host.
The ARP spoofing detecting apparatus further includes: a generation module;
the generating module is used for generating and displaying prompt information when the target gateway is detected to have ARP spoofing, and the prompt information is used for prompting the target gateway to have the ARP spoofing.
It should be noted that: the ARP spoofing detecting apparatus provided in the foregoing embodiment is only illustrated by dividing the functional modules, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the server is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the ARP spoofing detection apparatus and the ARP spoofing detection method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
Embodiments of the present invention also provide a computer-readable storage medium, which may be a computer-readable storage medium contained in a memory; or it may be a separate computer-readable storage medium not incorporated in the terminal. The computer-readable storage medium stores at least one instruction which is loaded and executed by one or more processors to perform operations comprising:
monitoring ARP messages received in a network layer of the host;
detecting whether the IP address of the network interconnection protocol in the ARP message is the same as the IP address of the target gateway or not; the target gateway is a gateway connected with the host in a local area network;
detecting whether a Media Access Control (MAC) address in the ARP message is the same as an MAC address in a memory; the MAC address in the memory is a MAC address corresponding to the IP address of the target gateway which is received and stored historically;
and when the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address in the ARP message is different from the MAC address in the memory, determining that ARP spoofing exists in the target gateway.
Optionally, the instructions stored in the memory are loaded and executed by the processor to implement the following operations:
broadcasting a first ARP request, wherein the first ARP request carries an IP address of a target device; monitoring a received ARP response fed back by the target equipment, wherein the ARP response carries an IP address and an MAC address of the target equipment;
and/or the presence of a gas in the gas,
monitoring a received second ARP request sent by other equipment, wherein the second ARP request carries the IP address and the MAC address of the equipment.
Optionally, the instructions stored in the memory are loaded and executed by the processor to implement the following operations:
and if the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address corresponding to the IP address of the target gateway is not stored in the memory, storing the monitored MAC address in the ARP message as the MAC address corresponding to the IP address of the target gateway in the memory, and executing the operation of monitoring the ARP message received in the network layer of the host again.
Optionally, the instructions stored in the memory are loaded and executed by the processor to implement the following operations:
when the MAC address in the ARP message is the same as the MAC address in the memory, counting the time length after the ARP message with the IP address as the IP address of the target gateway is received for the first time;
when the duration does not reach the preset duration, the operation of monitoring the ARP message received in the network layer of the host is executed again;
and when the duration reaches the preset duration, ending the process.
Optionally, the instructions stored in the memory are loaded and executed by the processor to implement the following operations:
when the Root authority of the operating system is not available, showing inquiry information; the inquiry information is used for inquiring whether the Root authority is granted or not;
receiving a confirmation instruction for confirming that the Root authority is granted;
and after receiving the confirmation instruction, acquiring the Root authority, and executing the operation of monitoring the ARP message received in the network layer of the host.
Optionally, the instructions stored in the memory are loaded and executed by the processor to implement the following operations:
and when the target gateway is detected to have ARP spoofing, generating and displaying prompt information, wherein the prompt information is used for prompting the target gateway to have the ARP spoofing.
Fig. 7 is a block diagram of a host 700 provided by an embodiment of the invention, which may include Radio Frequency (RF) circuitry 701, a memory 702 including one or more computer-readable storage media, an input unit 703, a display unit 704, a sensor 705, audio circuitry 706, a Wireless Fidelity (WiFi) module 707, a processor 708 including one or more processing cores, and a power supply 709. Those skilled in the art will appreciate that the host architecture shown in FIG. 7 does not constitute a limitation of the host, and may include more or fewer components than shown, or some components in combination, or a different arrangement of components. Wherein:
the RF circuit 701 may be used for receiving and transmitting signals during a message transmission or communication process, and in particular, for receiving downlink information of a base station and then sending the received downlink information to the one or more processors 708 for processing; in addition, data relating to uplink is transmitted to the base station. In general, the RF circuitry 701 includes, but is not limited to, an antenna, at least one Amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. In addition, RF circuit 701 may also communicate with networks and other devices via wireless communications. The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, Short Message Service (SMS), and the like.
The memory 702 may be used to store software programs and modules, and the processor 708 executes various functional applications and data processing by operating the software programs and modules stored in the memory 702. The memory 702 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the host computer, etc. Further, the memory 702 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 702 may also include a memory controller to provide the processor 708 and the input unit 703 access to the memory 702.
The input unit 703 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. In particular, in a particular embodiment, the input unit 703 may include a touch-sensitive surface as well as other input devices. The touch-sensitive surface, also referred to as a touch display screen or a touch pad, may collect touch operations by a user (e.g., operations by a user on or near the touch-sensitive surface using a finger, a stylus, or any other suitable object or attachment) thereon or nearby, and drive the corresponding connection device according to a predetermined program. Alternatively, the touch sensitive surface may comprise two parts, a touch detection means and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts the touch information into touch point coordinates, sends the touch point coordinates to the processor 708, and can receive and execute commands sent by the processor 708. In addition, touch sensitive surfaces may be implemented using various types of resistive, capacitive, infrared, and surface acoustic waves. The input unit 703 may include other input devices in addition to the touch-sensitive surface. In particular, other input devices may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 704 may be used to display information input by or provided to the user and various graphical user interfaces of the host computer, which may be made up of graphics, text, icons, video, and any combination thereof. The Display unit 704 may include a Display panel, and optionally, the Display panel may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like. Further, the touch-sensitive surface may overlay the display panel, and when a touch operation is detected on or near the touch-sensitive surface, the touch operation is communicated to the processor 708 to determine the type of touch event, and the processor 708 provides a corresponding visual output on the display panel according to the type of touch event. Although in FIG. 7 the touch-sensitive surface and the display panel are two separate components to implement input and output functions, in some embodiments the touch-sensitive surface may be integrated with the display panel to implement input and output functions.
The host may also include at least one sensor 705, such as a light sensor, motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor that adjusts the brightness of the display panel according to the brightness of ambient light, and a proximity sensor that turns off the display panel and/or the backlight when the host moves to the ear. As one of the motion sensors, the gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when the mobile phone is stationary, and can be used for applications of recognizing the posture of the mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, an infrared sensor and the like which can be configured by the host, detailed description is omitted here.
Audio circuitry 706, a speaker, and a microphone may provide an audio interface between the user and the host. The audio circuit 706 can transmit the electrical signal converted from the received audio data to a loudspeaker, and the electrical signal is converted into a sound signal by the loudspeaker and output; on the other hand, the microphone converts the collected sound signal into an electric signal, which is received by the audio circuit 706 and converted into audio data, which is then processed by the audio data output processor 708, and then sent to, for example, another host via the RF circuit 701, or output to the memory 702 for further processing. The audio circuitry 706 may also include an earbud jack to provide communication of peripheral headphones with the host.
WiFi belongs to short-range wireless transmission technology, and the host can help the user send and receive e-mail, browse web pages, access streaming media, etc. through the WiFi module 707, which provides wireless broadband internet access for the user. Although fig. 7 shows the WiFi module 707, it is understood that it does not belong to the essential constitution of the host, and may be omitted entirely as needed within the scope not changing the essence of the invention.
The processor 708 is the control center of the host, connects various parts of the entire handset using various interfaces and lines, and performs various functions of the host and processes data by running or executing software programs and/or modules stored in the memory 702 and calling data stored in the memory 702, thereby performing overall monitoring of the handset. Optionally, processor 708 may include one or more processing cores; preferably, the processor 708 may integrate an application processor, which primarily handles operating systems, user interfaces, applications, etc., and a modem processor, which primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into processor 708.
The host also includes a power source 709 (e.g., a battery) for powering the various components, which may preferably be logically coupled to the processor 708 via a power management system, such that the power management system may manage charging, discharging, and power consumption. The power supply 709 may also include any component of one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
Although not shown, the host may further include a camera, a bluetooth module, etc., which will not be described herein. Specifically, in this embodiment, the processor 708 in the host loads and executes at least one instruction stored in the memory 702, thereby implementing the following operations:
monitoring ARP messages received in a network layer of the host;
detecting whether the IP address of the network interconnection protocol in the ARP message is the same as the IP address of the target gateway or not; the target gateway is a gateway connected with the host in a local area network;
detecting whether a Media Access Control (MAC) address in the ARP message is the same as an MAC address in a memory; the MAC address in the memory is a MAC address corresponding to the IP address of the target gateway which is received and stored historically;
and when the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address in the ARP message is different from the MAC address in the memory, determining that ARP spoofing exists in the target gateway.
Optionally, the instructions stored in the memory are loaded and executed by the processor to implement the following operations:
broadcasting a first ARP request, wherein the first ARP request carries an IP address of a target device; monitoring a received ARP response fed back by the target equipment, wherein the ARP response carries an IP address and an MAC address of the target equipment;
and/or the presence of a gas in the gas,
monitoring a received second ARP request sent by other equipment, wherein the second ARP request carries the IP address and the MAC address of the equipment.
Optionally, the instructions stored in the memory are loaded and executed by the processor to implement the following operations:
and if the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address corresponding to the IP address of the target gateway is not stored in the memory, storing the monitored MAC address in the ARP message as the MAC address corresponding to the IP address of the target gateway in the memory, and executing the operation of monitoring the ARP message received in the network layer of the host again.
Optionally, the instructions stored in the memory are loaded and executed by the processor to implement the following operations:
when the MAC address in the ARP message is the same as the MAC address in the memory, counting the time length after the ARP message with the IP address as the IP address of the target gateway is received for the first time;
when the duration does not reach the preset duration, the operation of monitoring the ARP message received in the network layer of the host is executed again;
and when the duration reaches the preset duration, ending the process.
Optionally, the instructions stored in the memory are loaded and executed by the processor to implement the following operations:
when the Root authority of the operating system is not available, showing inquiry information; the inquiry information is used for inquiring whether the Root authority is granted or not;
receiving a confirmation instruction for confirming that the Root authority is granted;
and after receiving the confirmation instruction, acquiring the Root authority, and executing the operation of monitoring the ARP message received in the network layer of the host.
Optionally, the instructions stored in the memory are loaded and executed by the processor to implement the following operations:
and when the target gateway is detected to have ARP spoofing, generating and displaying prompt information, wherein the prompt information is used for prompting the target gateway to have the ARP spoofing.
It should be understood that, as used herein, the singular forms "a," "an," "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (11)

1. An address resolution protocol spoofing detection method, for use in a host, the method comprising:
monitoring ARP messages received in a network layer of the host; detecting whether the IP address of the network interconnection protocol in the ARP message is the same as the IP address of the target gateway or not; the target gateway is a gateway connected with the host in a local area network;
if the IP address in the ARP message is the same as the IP address of the target gateway, if the Media Access Control (MAC) address corresponding to the IP address of the target gateway is not stored in a memory, the MAC address in the ARP message is used as the MAC address corresponding to the IP address of the target gateway and is stored in the memory; if the MAC address corresponding to the IP address of the target gateway is stored in the memory, detecting whether the MAC address in the ARP message is the same as the MAC address in the memory;
when the MAC address in the ARP message is different from the MAC address in the memory, determining that ARP spoofing exists in the target gateway;
when the MAC address in the ARP message is the same as the MAC address in the memory, counting the time length after the ARP message with the IP address as the IP address of the target gateway is received for the first time; when the duration does not reach the preset duration, the operation of monitoring the ARP message received in the network layer of the host is executed again; when the time length reaches the preset time length, ending the process;
the monitoring ARP messages received in the network layer of the host includes: sending a first ARP request, wherein the first ARP request carries an IP address of a target device; and monitoring the received ARP response fed back by the target equipment, wherein the ARP response carries the IP address and the MAC address of the target equipment, and the target equipment comprises other hosts in the local area network or the target gateway.
2. The method of claim 1, wherein the listening for the ARP message received in the network layer of the host comprises:
monitoring a received second ARP request sent by other equipment, wherein the second ARP request carries the IP address and the MAC address of the other equipment.
3. The method according to claim 1, wherein after storing the MAC address in the ARP message as a MAC address corresponding to the IP address of the target gateway in the memory, the method further comprises:
and executing the operation of monitoring the ARP message received in the network layer of the host again.
4. The method of any of claims 1 to 3, further comprising:
when the Root authority of the operating system is not available, showing inquiry information; the inquiry information is used for inquiring whether the Root authority is granted or not;
receiving a confirmation instruction for confirming that the Root authority is granted;
and after receiving the confirmation instruction, acquiring the Root authority, and executing the operation of monitoring the ARP message received in the network layer of the host.
5. The method of any of claims 1 to 3, further comprising:
and when the target gateway is detected to have ARP spoofing, generating and displaying prompt information, wherein the prompt information is used for prompting the target gateway to have the ARP spoofing.
6. A host comprising a processor and a memory, the memory having stored therein at least one instruction that is loaded and executed by the processor to perform operations comprising:
monitoring ARP messages received in a network layer of the host; detecting whether the IP address of the network interconnection protocol in the ARP message is the same as the IP address of the target gateway or not; the target gateway is a gateway connected with the host in a local area network;
if the IP address in the ARP message is the same as the IP address of the target gateway, if the Media Access Control (MAC) address corresponding to the IP address of the target gateway is not stored in a memory, the MAC address in the ARP message is used as the MAC address corresponding to the IP address of the target gateway and is stored in the memory; if the MAC address corresponding to the IP address of the target gateway is stored in the memory, detecting whether the MAC address in the ARP message is the same as the MAC address in the memory;
when the MAC address in the ARP message is different from the MAC address in the memory, determining that ARP spoofing exists in the target gateway;
when the MAC address in the ARP message is the same as the MAC address in the memory, counting the time length after the ARP message with the IP address as the IP address of the target gateway is received for the first time; when the duration does not reach the preset duration, the operation of monitoring the ARP message received in the network layer of the host is executed again; when the time length reaches the preset time length, ending the process;
the instructions are loaded and executed by the processor to perform operations comprising: broadcasting a first ARP request, wherein the first ARP request carries an IP address of a target device; monitoring a received ARP response fed back by the target equipment, wherein the ARP response carries an IP address and an MAC address of the target equipment; the destination device comprises other hosts in the local area network or the target gateway.
7. The host of claim 6, wherein the instructions stored in the memory are loaded and executed by the processor to:
monitoring a received second ARP request sent by other equipment, wherein the second ARP request carries the IP address and the MAC address of the other equipment.
8. The host of claim 6, wherein the instructions stored in the memory are loaded and executed by the processor to:
and after the MAC address in the monitored ARP message is used as the MAC address corresponding to the IP address of the target gateway and is stored in the memory, the operation of monitoring the ARP message received in the network layer of the host is executed again.
9. The host of any one of claims 6 to 8, wherein the instructions stored in the memory are loaded and executed by the processor to perform operations comprising:
when the Root authority of the operating system is not available, showing inquiry information; the inquiry information is used for inquiring whether the Root authority is granted or not;
receiving a confirmation instruction for confirming that the Root authority is granted;
and after receiving the confirmation instruction, acquiring the Root authority, and executing the operation of monitoring the ARP message received in the network layer of the host.
10. The host of any one of claims 6 to 8, wherein the instructions stored in the memory are loaded and executed by the processor to perform operations comprising:
and when the target gateway is detected to have ARP spoofing, generating and displaying prompt information, wherein the prompt information is used for prompting the target gateway to have the ARP spoofing.
11. A computer-readable storage medium having stored therein at least one instruction, which is loaded and executed by a processor to perform operations comprising:
monitoring ARP messages received in a network layer of the host; detecting whether the IP address of the network interconnection protocol in the ARP message is the same as the IP address of the target gateway or not; the target gateway is a gateway connected with the host in a local area network;
if the IP address in the ARP message is the same as the IP address of the target gateway, if the Media Access Control (MAC) address corresponding to the IP address of the target gateway is not stored in a memory, the MAC address in the ARP message is used as the MAC address corresponding to the IP address of the target gateway and is stored in the memory; if the MAC address corresponding to the IP address of the target gateway is stored in the memory, detecting whether the MAC address in the ARP message is the same as the MAC address in the memory;
when the IP address in the ARP message is the same as the IP address of the target gateway and the MAC address in the ARP message is different from the MAC address in the memory, determining that ARP spoofing exists in the target gateway;
when the MAC address in the ARP message is the same as the MAC address in the memory, counting the time length after the ARP message with the IP address as the IP address of the target gateway is received for the first time; when the duration does not reach the preset duration, the operation of monitoring the ARP message received in the network layer of the host is executed again; when the time length reaches the preset time length, ending the process;
the instructions are loaded and executed by a processor to perform the following operations: sending a first ARP request, wherein the first ARP request carries an IP address of a target device; and monitoring the received ARP response fed back by the target equipment, wherein the ARP response carries the IP address and the MAC address of the target equipment, and the target equipment comprises other hosts in the local area network or the target gateway.
CN201710427619.4A 2017-06-08 2017-06-08 Address resolution protocol spoofing detection method, host and computer-readable storage medium Active CN109039989B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710427619.4A CN109039989B (en) 2017-06-08 2017-06-08 Address resolution protocol spoofing detection method, host and computer-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710427619.4A CN109039989B (en) 2017-06-08 2017-06-08 Address resolution protocol spoofing detection method, host and computer-readable storage medium

Publications (2)

Publication Number Publication Date
CN109039989A CN109039989A (en) 2018-12-18
CN109039989B true CN109039989B (en) 2021-02-26

Family

ID=64629555

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710427619.4A Active CN109039989B (en) 2017-06-08 2017-06-08 Address resolution protocol spoofing detection method, host and computer-readable storage medium

Country Status (1)

Country Link
CN (1) CN109039989B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111327592B (en) * 2020-01-19 2022-11-18 陈建慧 Network monitoring method and related device
CN111726429B (en) * 2020-06-12 2023-04-25 海信视像科技股份有限公司 Communication method, device, equipment and medium
CN116880319B (en) * 2023-08-04 2024-04-09 浙江齐安信息科技有限公司 Method, system, terminal and medium for identifying upper computer in industrial control system
CN116846687B (en) * 2023-08-30 2023-11-21 北京格尔国信科技有限公司 Network security monitoring method, system, device and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546658A (en) * 2012-02-20 2012-07-04 神州数码网络(北京)有限公司 Method and system for preventing address resolution protocol (ARP) gateway spoofing
CN104363243A (en) * 2014-11-27 2015-02-18 福建星网锐捷网络有限公司 Method and device for preventing gateway deceit

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1233135C (en) * 2002-06-22 2005-12-21 华为技术有限公司 Method for preventing IP address deceit in dynamic address distribution

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546658A (en) * 2012-02-20 2012-07-04 神州数码网络(北京)有限公司 Method and system for preventing address resolution protocol (ARP) gateway spoofing
CN104363243A (en) * 2014-11-27 2015-02-18 福建星网锐捷网络有限公司 Method and device for preventing gateway deceit

Also Published As

Publication number Publication date
CN109039989A (en) 2018-12-18

Similar Documents

Publication Publication Date Title
CN107094294B (en) Network connection method and device
CN105933904B (en) Network connection method and device
US10326861B2 (en) Method for controlling cooperation of multiple intelligent devices and apparatus thereof
WO2015090248A1 (en) Server overload protection method and device
US10304461B2 (en) Remote electronic service requesting and processing method, server, and terminal
CN106658489B (en) Terminal application processing method and device and mobile terminal
CN108040091B (en) Data processing method, device and storage medium
WO2016150270A1 (en) Method and apparatus for processing group session message
US20160105418A1 (en) Method, system, device, and terminal for network initialization of multimedia playback device
WO2017008569A1 (en) Message updating method, apparatus, and terminal
CN106973330B (en) Screen live broadcasting method, device and system
CN106371964B (en) Method and device for prompting message
CN106936676B (en) Household equipment control method and device
CN109039989B (en) Address resolution protocol spoofing detection method, host and computer-readable storage medium
WO2015043338A1 (en) Identify verifying method, account acquiring method, mobile terminal, and storage medium
TWI568222B (en) Method and device for managing a router
CN113986167A (en) Screen projection control method and device, storage medium and display equipment
CN111431882B (en) Data processing method, device and storage medium
CN108270764B (en) Application login method, server and mobile terminal
CN106470234B (en) Equipment discovery method and device
CN115174418A (en) Communication environment safety early warning method and device, electronic equipment and storage medium
CN109067751B (en) ARP spoofing detection method and device under non-Root environment and terminal
CN109600340B (en) Operation authorization method, device, terminal and server
CN107872791B (en) Access point connection method and device
WO2015062241A1 (en) Method, device and terminal for protecting application program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant