CN109561111A - A kind of determination method and device of attack source - Google Patents


Info

Publication number: CN109561111A
Authority: CN (China)
Prior art keywords: message, request message, arp request, counter, target
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201910069170.8A
Other languages: Chinese (zh)
Other versions: CN109561111B (en)
Inventors: 韩冰, 聂树伟
Current assignee: New H3C Information Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: New H3C Technologies Co Ltd
Priority date: not given on this page (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)

Events:
Application filed by New H3C Technologies Co Ltd
Priority to CN201910069170.8A
Publication of CN109561111A
Application granted
Publication of CN109561111B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and device for determining an attack source. The method may include: counting the number of Address Resolution Protocol (ARP) request messages that have the same message digest; if it is determined that the number of target ARP request messages with the same message digest received within a first preset duration is greater than or equal to a first preset threshold, generating a corresponding target ARP reply message for the target ARP request message and returning the target ARP reply message to the first sender that sent the target ARP request message, where the source MAC address of the target ARP reply message is a default MAC address; and, after the target ARP reply message has been returned to the first sender, if it is determined that the number of the target ARP request messages received within a second preset duration is greater than or equal to a second preset threshold, determining the first sender to be an attack source. With the method provided by the application, the attack source can be determined more accurately.

Description

Method and device for determining an attack source
Technical field
The application relates to the field of network communication technology, and in particular to a method and device for determining an attack source.
Background art
ARP (Address Resolution Protocol) is a basic protocol of data link layers such as Ethernet; it is responsible for mapping IP (Internet Protocol) addresses to MAC (Media Access Control) addresses. ARP works as follows:
When a first network device needs to resolve the MAC address corresponding to an IP address, it broadcasts an ARP request message. After a second network device receives the ARP request message, if the destination IP address of the ARP request message is the same as its own IP address, it returns to the sender an ARP reply message carrying its own IP address and MAC address, and at the same time creates an ARP entry from the correspondence between the IP address and the MAC address of the first network device carried in the ARP request message. After the first network device receives the ARP reply message, it likewise records the mapping between the IP address and the MAC address of the second network device carried in the ARP reply message and generates an ARP entry.
However, because ARP is simple to implement and widely deployed, attackers frequently use it to attack networks, and ARP attacks come in many varieties. How to determine the attack source accurately and efficiently when defending against ARP attacks has therefore been an ongoing question in the industry.
Summary of the invention
In view of this, the application provides a method and device for determining an attack source, so as to realise the determination of the attack source.
Specifically, the application is realised through the following technical solutions:
According to a first aspect of the application, a method for determining an attack source is provided. The method is applied to a forwarding device and includes:
counting the number of Address Resolution Protocol (ARP) request messages that have the same message digest;
if it is determined that the number of target ARP request messages with the same message digest received within a first preset duration is greater than or equal to a first preset threshold, generating a corresponding target ARP reply message for the target ARP request message and returning the target ARP reply message to the first sender that sent the target ARP request message, where the source MAC address of the target ARP reply message is a default MAC address;
after the target ARP reply message has been returned to the first sender, if it is determined that the number of the target ARP request messages received within a second preset duration is greater than or equal to a second preset threshold, determining the first sender to be an attack source.
Optionally, the method further includes:
after the target ARP reply message has been returned to the first sender, if it is determined that the number of the target ARP request messages received within the second preset duration is less than the second preset threshold, determining that the first sender is not an attack source.
Optionally, the step of counting the number of ARP request messages with the same message digest includes:
after receiving an ARP request message, extracting the message digest of that ARP request message;
determining whether a counter corresponding to the message digest of that ARP request message is maintained locally;
if so, adding 1 to the value of the counter;
if not, creating a counter corresponding to the message digest of that ARP request message, adding 1 to the initial value of the counter, and maintaining the correspondence between the message digest of that ARP request message and the counter.
Optionally, the step of determining that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold includes:
looking up, in the maintained correspondences between message digests and counters, the first counter corresponding to the message digest of the target ARP request message;
if the value of the first counter is greater than or equal to the first preset threshold, determining that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold; the counters in the correspondences can be reset periodically;
after the target ARP reply message has been returned to the first sender that sent the target ARP request message, the method further includes:
resetting the first counter.
Optionally, the method further includes:
blocking, for a third preset duration after the first sender has been determined to be an attack source, the port on which the target ARP request message was received.
According to a second aspect of the application, a device for determining an attack source is provided. The device is applied to a forwarding device and includes:
a statistics unit, configured to count the number of Address Resolution Protocol (ARP) request messages that have the same message digest;
a return unit, configured to, if it is determined that the number of target ARP request messages with the same message digest received within a first preset duration is greater than or equal to a first preset threshold, generate a corresponding target ARP reply message for the target ARP request message and return the target ARP reply message to the first sender that sent the target ARP request message, where the source MAC address of the target ARP reply message is a default MAC address;
a determination unit, configured to, after the target ARP reply message has been returned to the first sender, determine the first sender to be an attack source if it is determined that the number of the target ARP request messages received within a second preset duration is greater than or equal to a second preset threshold.
Optionally, the determination unit is further configured to, after the target ARP reply message has been returned to the first sender, determine that the first sender is not an attack source if it is determined that the number of the target ARP request messages received within the second preset duration is less than the second preset threshold.
Optionally, the statistics unit is specifically configured to: after receiving an ARP request message, extract the message digest of that ARP request message; determine whether a counter corresponding to the message digest of that ARP request message is maintained locally; if so, add 1 to the value of the counter; if not, create a counter corresponding to the message digest of that ARP request message, add 1 to the initial value of the counter, and maintain the correspondence between the message digest of that ARP request message and the counter.
Optionally, when determining that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold, the return unit is specifically configured to look up, in the maintained correspondences between message digests and counters, the first counter corresponding to the message digest of the target ARP request message, and, if the value of the first counter is greater than or equal to the first preset threshold, determine that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold; the counters in the correspondences can be reset periodically;
the return unit is further configured to reset the first counter after the target ARP reply message has been returned to the first sender that sent the target ARP request message.
Optionally, the device further includes:
a blocking unit, configured to block, for a third preset duration after the first sender has been determined to be an attack source, the port on which the target ARP request message was received.
As can be seen from the above description, when it is detected that the number of target ARP request messages received within the first preset duration is greater than or equal to the first preset threshold, the forwarding device returns to the first sender a target ARP reply message whose source MAC address is the default MAC address, and then distinguishes the attack source from the attacked party by detecting whether the number of target ARP request messages received within the second preset duration after the target ARP reply message was sent is greater than or equal to the second preset threshold.
Specifically, after this device has sent the target ARP reply message, if it is determined that the number of target ARP request messages received within the second preset duration is greater than or equal to the second preset threshold, the first sender is determined to be the attacker. If it is determined that the number of target ARP request messages received within the second preset duration is less than the second preset threshold, it can be determined that the first sender is not the attack source but the attacked party. This prevents an attacked party from being misjudged as the attack source, so the attack source determined with the method provided by the application is more accurate.
Brief description of the drawings
Fig. 1a is a schematic diagram of a scenario of an ARP flood attack shown in an embodiment of the application;
Fig. 1b is a schematic diagram of a scenario of another ARP flood attack shown in an embodiment of the application;
Fig. 2 is a flow chart of a method for determining an attack source shown in an embodiment of the application;
Fig. 3 is a block diagram of a device for determining an attack source shown in an embodiment of the application;
Fig. 4 is a hardware structure diagram of a forwarding device shown in an embodiment of the application.
Detailed description
Exemplary embodiments are described in detail here, and examples thereof are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; rather, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in the application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
ARP attacks come in several types, such as gateway spoofing attacks, user spoofing attacks and ARP flood attacks. In an ARP flood attack there are usually two situations.
First, the sender of the ARP request messages is the attack source.
Specifically, the sender of the ARP request messages broadcasts a large number of ARP request messages to the other network devices. After the other network devices receive the large number of ARP request messages sent by the attack source, they continually learn from them, so that the ARP table resources and CPU resources of the other network devices are heavily occupied, which severely interferes with their learning of normal ARP entries.
For example, Fig. 1a is a schematic diagram of a scenario of an ARP flood attack shown in an embodiment of the application.
Assume that network device 101 is the attack source and continually sends ARP request messages to the switch. The switch continually broadcasts the ARP request messages to network device 102 and network device 103. Network device 102 and network device 103 continually learn from the ARP request messages sent by the attack source, so that the CPU resources and ARP table resources of network device 102 and network device 103 are heavily occupied, severely interfering with their learning of normal ARP entries.
Second, the sender of the ARP request messages is the attacked party.
Specifically, the attack source sends the attacked party a large number of IP packets whose destination IP addresses cannot be resolved. After receiving these IP packets, the attacked party broadcasts a large number of ARP request messages, one for each IP packet, in order to resolve the destination IP address of each packet (that is, to obtain the MAC address corresponding to that destination IP address). As a result, the ARP table resources and CPU resources of the other network devices in the network are occupied by the large number of ARP request messages sent by the attacked party, which seriously affects the learning of normal ARP entries.
For example, Fig. 1b is a schematic diagram of a scenario of another ARP flood attack shown in an embodiment of the application.
Assume that network device 111 is the attack source, network device 112 is the attacked party with IP address 1.0.0.1, the IP address of network device 113 is 1.0.0.2, and the IP address of network device 114 is 1.0.0.3.
A destination IP address that cannot be resolved means that no device with that destination IP address exists in the broadcast domain of network device 112, or that the device with that destination IP address in the broadcast domain of network device 112 is not yet online. In this example, the unresolvable destination IP address may be 1.0.0.4.
When network device 111 first sends network device 112 an IP packet whose destination IP address is 1.0.0.4, network device 112 does not find the MAC address corresponding to 1.0.0.4 in its local ARP table, so it sends an ARP request message for the destination IP address 1.0.0.4 to the switch; after receiving the ARP request message, the switch broadcasts it to network device 113 and network device 114.
Because no device with IP address 1.0.0.4 exists in the broadcast domain of network device 112, no network device returns the MAC address corresponding to that destination IP address to network device 112. Network device 112 therefore cannot learn the MAC address corresponding to 1.0.0.4, and its ARP table never contains a MAC address for 1.0.0.4.
Then, as network device 111 keeps sending network device 112 IP packets whose destination IP address is 1.0.0.4, and the ARP table of network device 112 never contains the MAC address corresponding to 1.0.0.4, network device 112 keeps broadcasting ARP request messages to the other network devices, so that network device 113 and network device 114 receive a large number of ARP request messages sent by network device 112.
The existing way of determining an attack source is: the switch counts the total number of ARP request messages with the same source MAC address received within a preset duration, and if the total number is greater than a preset threshold, the device corresponding to that source MAC address is determined to be the attack source.
However, as can be seen from the two ARP flood attack modes above, a network device broadcasts a large number of ARP request messages both when it is the attack source and when it is the attacked party, so the existing way of determining an attack source will mistakenly determine the attacked party to be the attack source, causing a misjudgement of the attack source.
In view of this, the application provides a method for determining an attack source that can prevent this misjudgement problem, in which the attacked party is mistakenly determined to be the attack source.
The method for determining an attack source provided by the application is described in detail below.
Referring to Fig. 2, Fig. 2 is a flow chart of a method for determining an attack source shown in an embodiment of the application. The method can be applied to a forwarding device (such as a switch) and may include the following steps.
Step 201: count the number of Address Resolution Protocol (ARP) request messages that have the same message digest.
Here, the message digest refers to the characteristic information of an ARP request message. The message digest may include the source IP address, destination IP address and source MAC address of the ARP request message; of course, the message digest may also include other information from the ARP request message. The message digest is only described here by way of example and is not specifically limited.
In one embodiment, after the forwarding device receives an ARP request message, it can extract the message digest of that ARP request message. Then the forwarding device can determine whether a counter corresponding to the message digest of that ARP request message is maintained locally.
If a counter corresponding to the message digest of that ARP request message is maintained locally, 1 is added to the value of the counter. If no counter corresponding to the message digest of that ARP request message is maintained locally, a counter corresponding to the message digest of that ARP request message is created, 1 is added to the initial value of the created counter, and the correspondence between the message digest of that ARP request message and the counter is maintained.
In addition, the forwarding device can also periodically reset the counters in each of the above correspondences; in other words, the counters in each of the above correspondences are reset at the end of the current period, and counting starts again when the next period begins.
In addition, an aging mechanism is set for each of the above correspondences: when the aging duration of a correspondence is reached, the correspondence is deleted.
Step 202: if it is determined that the number of target ARP request messages with the same message digest received within a first preset duration is greater than or equal to a first preset threshold, generate a corresponding target ARP reply message for the target ARP request message and return the target ARP reply message to the first sender that sent the target ARP request message; the source MAC address of the target ARP reply message is a default MAC address.
In an embodiment of the application, the forwarding device can look up, in the recorded correspondences between message digests of ARP request messages and counters, the first counter corresponding to the message digest of the target ARP request message. If the value of the first counter is greater than or equal to the first preset threshold, the forwarding device can determine that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold.
In one embodiment, the forwarding device makes this determination as follows: each time it receives an ARP request message, it extracts the message digest of that ARP request message, updates the value of the locally maintained counter corresponding to that message digest (that is, adds 1 to the value), and then judges whether the value of the counter is greater than or equal to the first preset threshold, thereby judging whether the number of ARP request messages received within the first preset duration is greater than or equal to the first preset threshold.
In another embodiment, the forwarding device makes the determination as follows: each time it receives an ARP request message, it extracts the message digest of that ARP request message and updates the value of the locally maintained counter corresponding to that message digest (that is, adds 1 to the value). Before the current counting period ends and each counter is reset, the forwarding device judges whether the value of each counter is greater than or equal to the first preset threshold, thereby judging whether the number of ARP request messages corresponding to each counter received within the first preset duration is greater than or equal to the first preset threshold.
In an embodiment of the application, when the forwarding device determines that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold, it can generate a corresponding target ARP reply message for the target ARP request message. The source MAC address of the generated target ARP reply message is the default MAC address; the destination MAC address of the target ARP reply message is the source MAC address of the target ARP request message; the destination IP address of the target ARP reply message is the source IP address of the target ARP request message; and the source IP address of the target ARP reply message is the destination IP address of the target ARP request message.
The forwarding device can send the generated target ARP reply message to the first sender that sent the target ARP request message.
In addition, after returning the target ARP reply message to the first sender, the forwarding device can reset the first counter.
Step 203: after the target ARP reply message has been returned to the first sender, if it is determined that the number of the target ARP request messages received within a second preset duration is greater than or equal to a second preset threshold, determine the first sender to be an attack source.
Step 204: after the target ARP reply message has been returned to the first sender, if it is determined that the number of the target ARP request messages received within the second preset duration is less than the second preset threshold, determine that the first sender is not an attack source.
In an embodiment of the application, after returning the target ARP reply message to the first sender, the forwarding device can detect whether the value of the first counter is greater than or equal to the second preset threshold. If the value of the first counter is greater than or equal to the second preset threshold, the forwarding device determines that the number of target ARP request messages it has received within the second preset duration is greater than or equal to the second preset threshold, and marks the first sender as an attack source.
After returning the target ARP reply message to the first sender, if the value of the first counter is less than the second preset threshold, the forwarding device determines that the number of target ARP request messages received within the second preset duration is less than the second preset threshold, and determines that the first sender is not an attack source.
It should be noted that the first preset duration and the second preset duration may be the same or different, and the first preset threshold and the second preset threshold may be the same or different.
It should also be noted that, as can be seen from the description of ARP flood attacks above, when the sender of the ARP request messages is the attack source, it will still send a large number of ARP request messages after receiving the ARP reply message for its ARP request message, because the sender is the attacker.
When the sender of the ARP request messages is the attacked party, after receiving the ARP reply message for its ARP request message, the sender learns from the ARP reply message the MAC address corresponding to the destination IP address of the ARP request message. When the sender again receives IP packets for that destination IP address sent by the attacker, it can forward them directly based on the locally learned MAC address corresponding to that destination IP address, and no longer sends a large number of ARP request messages to resolve that destination IP address.
Therefore, when it is detected that the number of target ARP request messages received within the first preset duration is greater than or equal to the first preset threshold, the forwarding device returns to the first sender a target ARP reply message whose source MAC address is the default MAC address, and then distinguishes the attack source from the attacked party by detecting whether the number of target ARP request messages received within the second preset duration after the target ARP reply message was sent is greater than or equal to the second preset threshold.
Specifically, after this device has sent the target ARP reply message, if it is determined that the number of target ARP request messages received within the second preset duration is greater than or equal to the second preset threshold, the first sender is determined to be the attacker. If it is determined that the number of target ARP request messages received within the second preset duration is less than the second preset threshold, it can be determined that the first sender is not the attack source but the attacked party, which prevents an attacked party from being misjudged as the attack source.
In addition, in an embodiment of the application, for a third preset duration after determining the first sender to be an attack source, the forwarding device blocks the port on which the target ARP request messages were received; that is, for the third preset duration after the first sender has been determined to be an attack source, all ARP request messages from the first sender (the sender of the target ARP request messages) are discarded.
In addition it is also necessary to explanation, above-mentioned default MAC Address is the MAC Address of administrator configurations, the default MAC Location is not the real corresponding MAC Address of purpose IP address of target ARP request message.
When possess the equipment of purpose IP address of the target ARP request message it is online when, gratuitous ARP packet can be sent, made The target ARP request message source is obtained by the corresponding relationship of the purpose IP address recorded and the default MAC Address, modification For the MAC Address of the purpose IP address and the online equipment.
So after the purpose IP address equipment for possessing the target ARP request message is online, the hair of target ARP request message Purpose IP address will not be the equipment that the IP packet of the IP address of the new online equipment is sent to default MAC Address by sending end, and The online equipment, thus using it is provided by the present application " interchanger to the transmitting terminal of target ARP request message return source MAC Address is the target arp reply message of default MAC Address " this mode, in the destination IP with the target ARP request message After equipment is online, the forwarding of the IP packet of the online equipment will not be influenced.
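As an added illustration of the default-MAC reply described above (example code written for this page, not taken from the patent or from H3C), the following Python builds an ARP request frame from the three fields that form the message digest and constructs the reply a switch would return: the requested IP address appears as the sender protocol address, but the sender MAC is the administrator-configured default MAC rather than the real one. Standard Ethernet II framing and IPv4 ARP are assumed; the addresses 1.0.0.1, 0000-0000-0001, 1.0.0.2 and 0000-0000-0002 are the values from the patent's worked example.

```python
"""Build and parse the Ethernet/ARP frames used by the scheme described above.

Added example, not code from the patent. Assumes Ethernet II framing with
ARP (EtherType 0x0806) over IPv4; the address values are the constructed
ones from the patent's worked example.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)


def mac_bytes(text: str) -> bytes:
    """'0000-0000-0002' or '00:00:00:00:00:02' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def mac_text(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def ip_bytes(text: str) -> bytes:
    return bytes(int(p) for p in text.split("."))


def ip_text(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op, src_mac, src_ip, dst_mac, dst_ip, eth_dst=None) -> bytes:
    """Ethernet II header + 28-byte ARP body. eth_dst defaults to the ARP target MAC;
    a request passes the broadcast address explicitly."""
    eth_dst = dst_mac if eth_dst is None else eth_dst
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(src_mac), ip_bytes(src_ip),
                      mac_bytes(dst_mac), ip_bytes(dst_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Return the ARP fields; raise ValueError for anything but IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!6s6sH", frame[:14])[2]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"op": op, "src_mac": mac_text(sha), "src_ip": ip_text(spa),
            "dst_mac": mac_text(tha), "dst_ip": ip_text(tpa)}


def message_digest(req: dict) -> tuple:
    """The three fields the switch keys its ARP monitoring table on."""
    return (req["src_ip"], req["src_mac"], req["dst_ip"])


def build_default_mac_reply(request_frame: bytes, default_mac: str) -> bytes:
    """The patent's 'target ARP reply': answer the request with the administrator-
    configured default MAC instead of the real MAC of the requested IP address."""
    req = parse_arp(request_frame)
    if req["op"] != ARP_REQUEST:
        raise ValueError("only ARP requests get a default-MAC reply")
    return build_arp(ARP_REPLY,
                     src_mac=default_mac, src_ip=req["dst_ip"],     # sender: requested IP, fake MAC
                     dst_mac=req["src_mac"], dst_ip=req["src_ip"])  # target: the requester


if __name__ == "__main__":
    request = build_arp(ARP_REQUEST, "0000-0000-0001", "1.0.0.1",
                        "0000-0000-0000", "1.0.0.2", eth_dst="ffff-ffff-ffff")
    print("digest:", message_digest(parse_arp(request)))
    print("reply:", parse_arp(build_default_mac_reply(request, "0000-0000-0002")))
```

A host that receives such a reply caches 1.0.0.2 against 0000-0000-0002 and stops requesting; a gratuitous ARP from the real owner of 1.0.0.2 later overwrites that cache entry, which is why the scheme does not disturb forwarding once the real device is online.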
The method for determining an attack source provided by this application is described in detail below by way of a specific example.
An ARP monitoring table is configured on the switch. Each ARP monitoring entry in the ARP monitoring table records the correspondence between the message digest of a received ARP request message and its counter. The ARP monitoring table is shown in Table 1.
Source IP address   Source MAC address   Destination IP address   Counter
Table 1
Here, the source IP address, source MAC address and destination IP address are the source IP address, source MAC address and destination IP address of each ARP request message. These three addresses together form the message digest of the ARP request message.
In addition, the switch periodically resets every counter in the above correspondences to zero.
In addition, for each correspondence (that is, each entry in Table 1), the switch deletes the correspondence when it detects that the correspondence has reached its aging duration.
Assume that the source IP address of ARP request message 1 is 1.0.0.1, its source MAC address is 0000-0000-0001 and its destination IP address is 1.0.0.2. Assume that the first preset threshold is 10 and the second preset threshold is 5, and that the first preset duration and the second preset duration are equal, say 10 seconds. The switch resets the counters in Table 2 periodically with a period of 10 seconds. Assume that the default MAC address is 0000-0000-0002.
The current ARP monitoring table is shown in Table 2:
Source IP address   Source MAC address   Destination IP address   Counter
1.0.0.1             0000-0000-0001       1.0.0.2                  9
Table 2
When the switch receives ARP request message 1 (assume that the sender of ARP request message 1 is device 1), the switch obtains the source MAC address (0000-0000-0001), source IP address (1.0.0.1) and destination IP address (1.0.0.2) of ARP request message 1 as message digest 1, and then looks up in Table 2 whether a counter 1 corresponding to message digest 1 exists.
1) If the counter 1 (and preset field 1) corresponding to message digest 1 does not exist in Table 2, the switch creates counter 1 corresponding to message digest 1 of ARP request message 1, sets counter 1 to 1 (assuming that the initial value of counter 1 is 0), and then adds the correspondence between message digest 1 and counter 1 to Table 1.
2) In this example, counter 1 corresponding to message digest 1 does exist in Table 2 and its current value is 9, so the switch updates the value of counter 1 to 10. The ARP monitoring table after the value of counter 1 has been updated is shown in Table 3.
Source IP address   Source MAC address   Destination IP address   Counter
1.0.0.1             0000-0000-0001       1.0.0.2                  10
Table 3
The switch then checks whether the value of counter 1 corresponding to ARP request message 1 is greater than or equal to the first preset threshold.
In this example, the value of counter 1 (10) equals the first preset threshold (10), so the switch generates a corresponding ARP reply message 1 for ARP request message 1.
The source MAC address of ARP reply message 1 is the default MAC address (0000-0000-0002); the destination MAC address of ARP reply message 1 is the source MAC address of ARP request message 1 (0000-0000-0001); the destination IP address of ARP reply message 1 is the source IP address of ARP request message 1 (1.0.0.1); and the source IP address of ARP reply message 1 is the destination IP address of ARP request message 1 (1.0.0.2).
The switch then sends ARP reply message 1 to device 1, the sender of ARP request message 1.
At the same time, the switch resets counter 1 to zero. The ARP monitoring table after the reset is shown in Table 4.
Source IP address   Source MAC address   Destination IP address   Counter
1.0.0.1             0000-0000-0001       1.0.0.2                  0
Table 4
After ARP reply message 1 has been returned to device 1, if the switch receives ARP request message 1 again, it counts it in the same way as described above (counter 1 is incremented by 1 for each ARP request message 1 received), which is not repeated here.
Assume that, some time after ARP reply message 1 was returned to device 1, the ARP monitoring table is as shown in Table 5.
Table 5
After ARP reply message 1 has been returned to device 1, if the switch detects that the current value of counter 1 (5) equals the second preset threshold (5), it determines that device 1 is the attack source. If the switch detects that the value of counter 1 stays below the second preset threshold, it determines that device 1 is not the attack source.
Within the third preset duration after device 1 has been determined to be the attack source, the switch blocks the port on which ARP request message 1 was received (that is, the port to which device 1 is connected); in other words, within the third preset duration after device 1 is determined to be the attack source, all ARP request messages received from device 1 are discarded.
This concludes the description of the method for determining an attack source.
Optionally, in the embodiment of this application, in addition to maintaining a counter for each message digest, the switch may also maintain a corresponding preset field. The preset field characterizes the state of the sender of the ARP request messages carrying that message digest (which can be understood as the sender corresponding to the message digest). For example, a preset field value of 0 for a message digest indicates that the value of the counter the switch has accumulated for that message digest within the first preset duration is less than the first preset threshold. A value of 1 indicates that the value of the counter accumulated for that message digest within the first preset duration is greater than or equal to the first preset threshold, that the switch has constructed the corresponding ARP reply message for that message digest and returned it to the sender corresponding to the message digest, and that the switch has then reset the counter of that message digest to zero and continues counting the ARP request messages corresponding to each message digest. When the switch confirms that the value of the counter for that message digest accumulated within the second preset duration is greater than or equal to the second preset threshold, it can determine that the sender corresponding to the message digest is the attack source, at which point the preset field corresponding to that message digest is changed to 2. That is, the sender corresponding to each message digest whose preset field is 2 is an attack source.
An attack source list may of course also be configured on the switch; when the switch determines that a sender is an attack source, it adds the identifier of that sender to the attack source list.
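To tie the worked example above, the 0/1/2 preset field and the attack source list together, here is a simulation of the switch-side logic in Python (an added example written for this page, not code from the patent or from H3C). It uses the example's values: first threshold 10, second threshold 5, first and second preset durations of 10 seconds, default MAC 0000-0000-0002. The third preset duration (30 s) and the aging time (60 s) are assumed values the patent does not specify, window boundaries are tracked per table entry instead of by one global timer, and the two senders (one that keeps flooding after the reply, one that stops once it has learned a MAC) are constructed inputs that reproduce the attack-source versus attacked-host distinction explained earlier.

```python
"""Switch-side ARP flood detection as described above (added example, not the
patent's code): counters keyed by message digest (src IP, src MAC, dst IP),
periodic reset, a default-MAC ARP reply at the first threshold, a decision at
the second threshold, the 0/1/2 preset field, an attack source list and port
blocking. Thresholds and windows are the worked example's; block_duration and
aging are assumed values."""
from dataclasses import dataclass, field

STATE_COUNTING, STATE_REPLIED, STATE_ATTACKER = 0, 1, 2   # the preset field values


@dataclass
class Entry:
    counter: int = 0
    state: int = STATE_COUNTING
    window_start: float = 0.0   # start of the current (first or second) preset duration
    last_seen: float = 0.0


@dataclass
class ArpMonitor:
    first_threshold: int = 10
    second_threshold: int = 5
    window: float = 10.0           # first and second preset duration, equal as in the example
    block_duration: float = 30.0   # third preset duration (assumed; the patent gives no value)
    aging: float = 60.0            # entry aging time (assumed)
    default_mac: str = "0000-0000-0002"
    table: dict = field(default_factory=dict)          # message digest -> Entry
    blocked_until: dict = field(default_factory=dict)  # port -> time at which the block ends
    replies: list = field(default_factory=list)        # (time, digest) of default-MAC replies
    attackers: list = field(default_factory=list)      # the attack source list

    def port_blocked(self, port, now) -> bool:
        return self.blocked_until.get(port, -1.0) > now

    def _expire_window(self, e: Entry, now: float) -> None:
        """Periodic reset: a new preset duration starts with the counter at zero. If the
        second duration ended below the second threshold, the sender is not an attacker."""
        if now - e.window_start >= self.window:
            e.counter, e.window_start = 0, now
            if e.state == STATE_REPLIED:
                e.state = STATE_COUNTING

    def on_arp_request(self, now, port, src_ip, src_mac, dst_ip) -> str:
        """Handle one ARP request; returns 'dropped', 'forwarded', 'replied' or 'attacker'."""
        if self.port_blocked(port, now):
            return "dropped"           # third preset duration: discard everything from the port
        digest = (src_ip, src_mac, dst_ip)
        e = self.table.get(digest)
        if e is None:
            e = self.table[digest] = Entry(window_start=now)
        else:
            self._expire_window(e, now)
        e.counter += 1
        e.last_seen = now
        if e.state == STATE_COUNTING and e.counter >= self.first_threshold:
            self.replies.append((now, digest))   # reply whose source MAC is default_mac
            e.counter, e.window_start, e.state = 0, now, STATE_REPLIED
            return "replied"
        if e.state == STATE_REPLIED and e.counter >= self.second_threshold:
            e.state = STATE_ATTACKER     # kept flooding after the reply: attack source
            self.attackers.append(digest)
            self.blocked_until[port] = now + self.block_duration
            return "attacker"
        return "forwarded"

    def tick(self, now) -> None:
        """Housekeeping: age out idle entries, reset the windows of the rest."""
        for digest in list(self.table):
            e = self.table[digest]
            if now - e.last_seen >= self.aging:
                del self.table[digest]
            else:
                self._expire_window(e, now)


def simulate(sender_keeps_flooding: bool, rate: int = 3, seconds: int = 20):
    """Constructed traffic: one host on port 1 asks for 1.0.0.2 `rate` times a second.
    An attack source ignores the reply; an attacked host learns the MAC from the
    reply and sends no further requests."""
    mon = ArpMonitor()
    results, learned = [], False
    for t in range(seconds):
        for k in range(rate):
            if learned and not sender_keeps_flooding:
                break
            r = mon.on_arp_request(t + k / rate, port=1, src_ip="1.0.0.1",
                                   src_mac="0000-0000-0001", dst_ip="1.0.0.2")
            results.append(r)
            learned = learned or r == "replied"
    return mon, results


if __name__ == "__main__":
    for flood in (True, False):
        mon, res = simulate(flood)
        print("keeps flooding" if flood else "stops after reply",
              {x: res.count(x) for x in set(res)}, "attackers:", mon.attackers)
```

Running the module shows the two outcomes: the flooding sender gets one reply, is marked an attack source after five more requests and then has every request on its port dropped, while the sender that stops after the reply never reaches the second threshold and its entry falls back to state 0 on the next periodic reset.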
The embodiment of this application also provides an attack source determining device corresponding to the attack source determining method described above.
Referring to Fig. 3, Fig. 3 is a block diagram of an attack source determining device according to an embodiment of this application. The device can be applied to a forwarding device and may include the following units.
Statistics unit 301, configured to count the number of Address Resolution Protocol (ARP) request messages having the same message digest;
Return unit 302, configured to, if it is determined that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold, generate a corresponding target ARP reply message for the target ARP request message and return the target ARP reply message to the first sender that sent the target ARP request message, the source MAC address of the target ARP reply message being the default MAC address;
Determination unit 303, configured to, after the target ARP reply message has been returned to the first sender, determine that the first sender is the attack source if it is determined that the number of target ARP request messages received within the second preset duration is greater than or equal to the second preset threshold.
Optionally, the determination unit 303 is further configured to determine, after the target ARP reply message has been returned to the first sender, that the first sender is not the attack source if it is determined that the number of target ARP request messages received within the second preset duration is less than the second preset threshold.
Optionally, the statistics unit 301 is specifically configured to: after receiving an ARP request message, extract the message digest of that ARP request message; determine whether a counter corresponding to the message digest of that ARP request message is maintained locally; if so, add 1 to the value of the counter; if not, create a counter corresponding to the message digest of that ARP request message, add 1 to the initial value of the counter, and maintain the correspondence between the message digest of that ARP request message and the counter.
Optionally, when determining that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold, the return unit 302 is specifically configured to look up, in the maintained correspondences between message digests and counters, the first counter corresponding to the message digest of the target ARP request message; if the value of the first counter is greater than or equal to the first preset threshold, it is determined that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold. The counters in the correspondences may be reset periodically;
The return unit 302 is further configured to reset the first counter after the target ARP reply message has been returned to the first sender that sent the target ARP request message.
Optionally, the device further includes:
Blocking unit 304, configured to block, within the third preset duration after the first sender has been determined to be the attack source, the port on which the target ARP request message was received.
In addition, this application also provides a hardware structure diagram of a forwarding device.
Referring to Fig. 4, Fig. 4 is a hardware structure diagram of a forwarding device according to an embodiment of this application.
The forwarding device includes a communication interface 401, a processor 402, a machine-readable storage medium 403 and a bus 404; the communication interface 401, the processor 402 and the machine-readable storage medium 403 communicate with one another via the bus 404. By reading and executing the machine-executable instructions in the machine-readable storage medium 403 that correspond to the attack source determination control logic, the processor 402 can perform the attack source determining method described above.
The machine-readable storage medium 403 referred to here can be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be volatile memory, non-volatile memory or a similar storage medium. Specifically, the machine-readable storage medium 403 may be RAM (Random Access Memory), flash memory, a storage drive (such as a hard disk drive), a solid-state disk, any type of storage disc (such as a CD or DVD) or a similar storage medium, or a combination thereof.
The implementation process of the functions and effects of each unit in the above device is detailed in the implementation process of the corresponding steps in the above method and is not repeated here.
Since the device embodiment substantially corresponds to the method embodiment, reference may be made to the relevant description of the method embodiment. The device embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely a preferred embodiment of this application and is not intended to limit this application; any modification, equivalent replacement, improvement and the like made within the spirit and principles of this application shall be included within the scope of protection of this application.

Claims (10)

1. A method for determining an attack source, characterized in that the method is applied to a forwarding device and comprises:
counting the number of Address Resolution Protocol (ARP) request messages having the same message digest;
if it is determined that the number of target ARP request messages with the same message digest received within a first preset duration is greater than or equal to a first preset threshold, generating a corresponding target ARP reply message for the target ARP request message and returning the target ARP reply message to a first sender that sent the target ARP request message, the source MAC address of the target ARP reply message being a default MAC address;
after returning the target ARP reply message to the first sender, if it is determined that the number of the target ARP request messages received within a second preset duration is greater than or equal to a second preset threshold, determining the first sender to be the attack source.
2. The method according to claim 1, characterized in that the method further comprises:
after returning the target ARP reply message to the first sender, if it is determined that the number of the target ARP request messages received within the second preset duration is less than the second preset threshold, determining that the first sender is not the attack source.
3. The method according to claim 1, characterized in that the step of counting the number of ARP request messages having the same message digest comprises:
after receiving an ARP request message, extracting the message digest of the ARP request message;
determining whether a counter corresponding to the message digest of the ARP request message is maintained locally;
if so, adding 1 to the value of the counter;
if not, creating a counter corresponding to the message digest of the ARP request message, adding 1 to the initial value of the counter, and maintaining the correspondence between the message digest of the ARP request message and the counter.
4. The method according to claim 3, characterized in that the step of determining that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold comprises:
looking up, in the maintained correspondences between message digests and counters, a first counter corresponding to the message digest of the target ARP request message;
if the value of the first counter is greater than or equal to the first preset threshold, determining that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold; the counters in the correspondences being reset periodically;
after returning the target ARP reply message to the first sender that sent the target ARP request message, the method further comprises:
resetting the first counter.
5. The method according to claim 1, characterized in that the method further comprises:
within a third preset duration after the first sender has been determined to be the attack source, blocking the port on which the target ARP request message was received.
6. A device for determining an attack source, characterized in that the device is applied to a forwarding device and comprises:
a statistics unit, configured to count the number of Address Resolution Protocol (ARP) request messages having the same message digest;
a return unit, configured to, if it is determined that the number of target ARP request messages with the same message digest received within a first preset duration is greater than or equal to a first preset threshold, generate a corresponding target ARP reply message for the target ARP request message and return the target ARP reply message to a first sender that sent the target ARP request message, the source MAC address of the target ARP reply message being a default MAC address;
a determination unit, configured to, after the target ARP reply message has been returned to the first sender, determine the first sender to be the attack source if it is determined that the number of the target ARP request messages received within a second preset duration is greater than or equal to a second preset threshold.
7. The device according to claim 6, characterized in that the determination unit is further configured to determine, after the target ARP reply message has been returned to the first sender, that the first sender is not the attack source if it is determined that the number of the target ARP request messages received within the second preset duration is less than the second preset threshold.
8. The device according to claim 6, characterized in that the statistics unit is specifically configured to: after receiving an ARP request message, extract the message digest of the ARP request message; determine whether a counter corresponding to the message digest of the ARP request message is maintained locally; if so, add 1 to the value of the counter; if not, create a counter corresponding to the message digest of the ARP request message, add 1 to the initial value of the counter, and maintain the correspondence between the message digest of the ARP request message and the counter.
9. The device according to claim 8, characterized in that, when determining that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold, the return unit is specifically configured to look up, in the maintained correspondences between message digests and counters, a first counter corresponding to the message digest of the target ARP request message; if the value of the first counter is greater than or equal to the first preset threshold, determine that the number of target ARP request messages with the same message digest received within the first preset duration is greater than or equal to the first preset threshold; the counters in the correspondences being reset periodically;
the return unit is further configured to reset the first counter after the target ARP reply message has been returned to the first sender that sent the target ARP request message.
10. The device according to claim 6, characterized in that the device further comprises:
a blocking unit, configured to block, within a third preset duration after the first sender has been determined to be the attack source, the port on which the target ARP request message was received.
CN201910069170.8A 2019-01-24 2019-01-24 Method and device for determining attack source Active CN109561111B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910069170.8A CN109561111B (en) 2019-01-24 2019-01-24 Method and device for determining attack source

Publications (2)

Publication Number Publication Date
CN109561111A true CN109561111A (en) 2019-04-02
CN109561111B CN109561111B (en) 2021-07-23

Family

ID=65873618

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910069170.8A Active CN109561111B (en) 2019-01-24 2019-01-24 Method and device for determining attack source

Country Status (1)

Country Link
CN (1) CN109561111B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110474931A (en) * 2019-09-29 2019-11-19 国家计算机网络与信息安全管理中心 A kind of the networking alarm method and system of attack source
CN111147524A (en) * 2020-02-19 2020-05-12 深圳市腾讯计算机系统有限公司 Message sending end identification method and device and computer readable storage medium
CN112019520A (en) * 2020-08-07 2020-12-01 广州华多网络科技有限公司 Request interception method, device, equipment and storage medium
CN113542012A (en) * 2021-06-23 2021-10-22 江苏云洲智能科技有限公司 Fault detection method, fault detection device and electronic equipment
CN113992363A (en) * 2021-10-11 2022-01-28 杭州迪普科技股份有限公司 IEC104 protocol communication method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060015635A1 (en) * 2004-06-17 2006-01-19 International Business Machines Corporation Method and apparatus for handling address resolution protocol requests for a device having multiple interfaces
CN101247217A (en) * 2008-03-17 2008-08-20 北京星网锐捷网络技术有限公司 Method, unit and system for preventing address resolution protocol flux attack
CN101895543A (en) * 2010-07-12 2010-11-24 江苏华丽网络工程有限公司 Method for effectively defending flood attack based on network switching equipment
US20130332109A1 (en) * 2012-06-07 2013-12-12 Verisign, Inc. Methods and systems for statistical aberrant behavior detection of time-series data
US8683063B1 (en) * 2010-01-21 2014-03-25 Sprint Communications Company L.P. Regulating internet traffic that is communicated through anonymizing gateways
CN106027551A (en) * 2016-06-30 2016-10-12 大连楼兰科技股份有限公司 Network flooding attack detection, storage and display system and method
CN107086965A (en) * 2017-06-01 2017-08-22 杭州迪普科技股份有限公司 A kind of generation method of ARP, device and interchanger
CN107770113A (en) * 2016-08-15 2018-03-06 台山市金讯互联网络科技有限公司 A kind of accurate flood attack detection method for determining attack signature

Also Published As

Publication number Publication date
CN109561111B (en) 2021-07-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230612

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.