CN110213761A - Multi-model puppet AP detection method and detection device based on two-way SYN reflection

Info

Publication number: CN110213761A
Authority: CN (China)
Prior art keywords: syn, fishing, detection, interface card, network interface
Legal status: Granted
Application number: CN201910446169.2A
Other languages: Chinese (zh)
Other versions: CN110213761B (en)
Inventors: 卢倩, 曲海鹏, 蒋若冰, 欧阳宇展, 王晓东
Current assignee: Ocean University of China
Original assignee: Ocean University of China
Application filed by Ocean University of China; priority to CN201910446169.2A; publication of CN110213761A; application granted and published as CN110213761B; legal status active.

Classifications

    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W12/12 Detection or prevention of fraud
    • H04W12/60 Context-dependent security; H04W12/69 Identity-dependent
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/06 Testing, supervising or monitoring using simulated traffic
Abstract

The invention discloses a multi-model fake AP ("puppet AP") detection method and detection device based on bidirectional (two-way) SYN reflection. The detection method includes: judging whether the AP detection set specified by the user contains two or more APs with the same SSID and, if so, designating those APs as target APs; connecting to the target AP separately with two wireless network cards, obtaining the assigned IP addresses, and executing bidirectional SYN reflection detection; and, after the bidirectional SYN reflection detection, judging from the SYN-ACK packets received whether a phishing AP attack exists among the target APs. The method can also distinguish the multi-model fake AP attacks found in a WLAN, namely the series phishing AP attack model and the parallel phishing AP attack model, so as to maintain network security and protect user privacy.

Description

Multi-model puppet AP detection method and detection device based on two-way SYN reflection
Technical field
The invention belongs to the technical field of communication security, and in particular relates to a multi-model fake AP detection method and detection device based on bidirectional SYN reflection.
Background technique
With the wide use of wireless local area networks (WLAN), security problems have become especially prominent and important. Before accessing a wireless network, one must first judge whether the AP corresponding to that network is a suspicious AP. A suspicious AP may be a fake AP that an attacker disguises as a legitimate AP to trick wireless users into connecting, such as the common phishing AP; fake AP phishing attacks are one of the serious security threats in wireless networks.
A phishing AP is built by copying a normal AP, after which the wireless client is forced to connect to the phishing AP, either by launching a denial-of-service attack against the legitimate AP or by providing a stronger signal than the legitimate AP. In general there are two wireless phishing AP attack models: the series phishing AP model and the parallel phishing AP model. The series phishing AP attack is currently the mainstream attack pattern. To build a series phishing AP, the attacker's phishing AP has two wireless network cards. One card disguises the phishing AP as the legitimate AP, broadcasts its signal, tricks wireless users into connecting and then steals the users' sensitive information; in general the attacker configures the SSID, channel, encryption mode and other relevant information of the phishing AP identically to those of the legitimate AP. The other card disguises itself as a legitimate user, connects to the corresponding legitimate AP, and forwards the user's data to the legitimate AP. With a phishing AP built this way, neither the wireless user nor the legitimate AP perceives the presence of the phishing AP. For the second model, the attacker needs a mobile AP (such as a 4G router): the phishing AP no longer relies on the legitimate AP but on a mobile cellular network that gives the victim Internet access, while the phishing AP also broadcasts a wireless signal (such as a Wi-Fi signal) to lure the victim into connecting. Under both attack models, once the victim connects, all transmitted information can be eavesdropped by the phishing AP.
Several schemes have been proposed for detecting phishing APs. Patent CN201210548689.2 discloses a method for identifying and handling phishing APs in a wireless network that judges whether an AP is legitimate from the BSSID, SSID, channel, beacon interval, vendor and neighbouring-AP location information uploaded by each wireless AP. Patent CN201610173358 discloses a fake AP detection and blocking method, wireless device and router: it broadcasts Beacon messages, receives the Beacon messages broadcast by surrounding access points, judges whether the SSID carried in a received Beacon message is identical to the SSID of its own access point, and judges whether the Beacon message carries an encryption field; when a Beacon message carries no encryption field, the access point that sent it is detected as a fake access point. Although the above methods can identify phishing APs, neither offers a solution for judging the type of phishing AP, so the prior art faces a technical obstacle in identifying the phishing AP attack type.
SYN is the handshake used when TCP/IP establishes a connection. When a normal TCP network connection is established between a client and a server, the client first sends a SYN message, the server replies with SYN+ACK to indicate that it received the message, and finally the client responds with an ACK message. Only then is a reliable TCP connection set up between client and server, and only then can data be transmitted between them. The present invention uses this SYN response mechanism to propose a mechanism based on bidirectional SYN reflection detection that identifies a fake AP and at the same time judges the attack model, providing reliable support for blocking network security vulnerabilities.
Summary of the invention
In view of the deficiencies of the prior art, the present invention provides a multi-model fake AP detection method and detection device based on bidirectional SYN reflection, which identify a phishing AP and judge its attack type.
To solve the above technical problem, the technical solution adopted by the present invention is as follows:
Multi-model fake AP detection method based on bidirectional SYN reflection, comprising:
Judging whether the AP detection set specified by the user contains two or more APs with the same SSID and, if so, designating those APs as target APs;
Connecting to the target AP separately with two wireless network cards, obtaining the assigned IP addresses, and executing bidirectional SYN reflection detection: forward SYN reflection detection is executed with network card one, and reverse SYN reflection detection is executed with network card two;
After executing bidirectional SYN reflection detection, judging from the SYN-ACK packets received whether a phishing AP attack exists among the target APs, and under which attack model.
Further, the step of executing bidirectional SYN reflection detection includes: using network card one to construct a SYN packet whose IP address is that of network card two, sending it to a server, and meanwhile monitoring with network card two whether the corresponding SYN-ACK packet is received, which completes forward SYN reflection detection;
and using network card two to construct a SYN packet whose IP address is that of network card one, sending it to the server, and meanwhile monitoring with network card one whether the corresponding SYN-ACK packet is received, which completes reverse SYN reflection detection.
Further, the forward SYN reflection detection step includes:
Constructing with network card one a SYN packet for detection and sending it to a network server, where the layer-2 source physical address of this SYN packet is the MAC address of network card one, the layer-3 source IP address is the address obtained by network card two, the destination address is a server on the network, the source port number of the SYN packet is chosen at random, and the SYN bit is set to 1;
Enabling the sniffing function of network card two and continuously monitoring whether the desired SYN-ACK packet is received, the desired SYN-ACK packet being a response packet received within the deadline that contains the correct IP address and the correct port number.
Further, the reverse SYN reflection detection step includes:
Constructing with network card two a SYN packet for detection and sending it to a network server, where the layer-2 source physical address of this SYN packet is the MAC address of network card two, the layer-3 source IP address is the address obtained by network card one, the destination address is a server on the network, the source port number of the SYN packet is chosen at random, and the SYN bit is set to 1;
Enabling the sniffing function of network card one and continuously monitoring whether the desired SYN-ACK packet is received, the desired SYN-ACK packet being a response packet received within the deadline that contains the correct IP address and the correct port number.
Further, after executing bidirectional SYN reflection detection, whether a phishing AP attack exists among the target APs, and under which attack model, is judged from the number of SYN-ACK packets received:
If both network cards receive the desired SYN-ACK packet, so that the number of SYN-ACK packets is two, the target AP is judged to be a legitimate AP; if only one network card receives the desired SYN-ACK packet, so that the number of SYN-ACK packets is one, a series phishing AP is judged to exist among the target APs, and the AP connected to the network card that did not receive the SYN-ACK packet is the phishing AP; if neither network card receives the desired SYN-ACK, so that the number of SYN-ACK packets is zero, a parallel phishing AP is judged to exist among the target APs.
Further, the Wi-Fi corresponding to the APs specified by the user is the detection range that the user specifies according to need: either all Wi-Fi of the entire wireless network, or one or several specified Wi-Fi networks.
Further, the method also includes: after a phishing AP attack is judged to exist, sending an alarm to the client and the network administrator, prompting that the Wi-Fi is dangerous and/or forbidding the user from connecting, and/or sending the SSID and MAC address of the phishing AP to the network administrator.
Further, when a series phishing AP attack is judged to exist, a series AP attack alarm is sent to the client and the network administrator; when a parallel phishing AP attack exists, a parallel phishing AP attack alarm is sent to the client and the network administrator; the alarm information includes the SSID, MAC address and physical location of the phishing AP.
Further, the multi-model fake AP detection method based on bidirectional SYN reflection also includes: after a phishing AP is judged to exist, sending the SSID and MAC address of the phishing AP to the network administrator and locating the AP with the help of the phishing AP's signal strength.
The present invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the above detection method are realised.
The present invention also provides a computer program product including a program executable by a processor; when the computer program is executed by a processor, the steps of the above detection method are realised.
The present invention also provides a multi-model fake AP detection device based on bidirectional SYN reflection, comprising:
A selection module, for screening whether the AP detection set specified by the user contains two or more APs with the same SSID and, if so, designating those APs as target APs;
A reflection module, for executing bidirectional SYN reflection detection, including constructing a SYN handshake packet to execute forward SYN reflection detection and constructing a SYN handshake packet to execute reverse SYN reflection detection;
A judgment module, for judging from the SYN-ACK packets received whether a phishing AP attack exists in the target network and under which attack model: if two desired SYN-ACK packets are received, the target AP is judged to be a legitimate AP; if only one desired SYN-ACK packet is received, a series phishing AP attack is judged to exist among the target APs, and the network card that failed to receive the SYN-ACK packet is connected to the phishing AP; if no desired SYN-ACK packet is received, a parallel phishing AP attack is judged to exist among the target APs.
Compared with the prior art, the invention has the following advantages:
The present invention provides a multi-model fake AP detection method that accurately detects fake APs using bidirectional SYN reflection detection and can distinguish the multi-model fake AP attacks found in a WLAN (including the series phishing AP attack model and the parallel phishing AP attack model), thereby maintaining network security and protecting user privacy. The invention can measure in real time in different wireless network environments (such as encrypted or open wireless networks), so that a network administrator can monitor the security state of the network and prevent wireless users from accessing fake APs.
In addition, the present invention also provides a detection device, a computer-readable storage medium and a computer program product for identifying fake APs, to guarantee the implementation and application of the above method.
Detailed description of the invention
To illustrate the technical solution of the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without any creative labour.
Fig. 1 is the flow diagram of the multi-model fake AP detection method based on bidirectional SYN reflection of embodiment 1 of the present invention.
Fig. 2 is the structural diagram of the multi-model fake AP detection device based on bidirectional SYN reflection of embodiment 2 of the present invention.
Fig. 3 is the flow diagram of the execution of the computer program described in embodiment 3 of the present invention.
Specific embodiment
To facilitate understanding of the present invention, it is further explained below with reference to the drawings and specific embodiments; the embodiments do not limit the present invention.
Embodiment 1
As shown in Figure 1, the multi-model fake AP detection method based on bidirectional SYN reflection comprises:
Step S110: judge whether the AP detection set specified by the user contains two or more APs with the same SSID and, if so, designate those APs as target APs.
Specifically, judge whether the wireless network environment to be detected contains two or more APs with the same SSID. If not, there is no phishing risk in the environment to be detected and the user can securely access any AP. If so, suspicious APs exist in the environment to be detected, the user may face a phishing risk after accessing a suspicious AP, and further judgment is needed to confirm whether the user may access it.
As an embodiment of the present invention, the Wi-Fi corresponding to the APs specified by the user is the detection range that the user specifies according to need: either all Wi-Fi of the entire wireless network, or one or several specified Wi-Fi networks. If the user is an administrator, the demand may be to detect whether the Wi-Fi of the whole network is safe; if the user is an ordinary wireless user, the demand may focus only on whether one or several Wi-Fi networks are safe (for the purpose of connecting and using them, or purely for detection).
Before a client (i.e. the user) accesses a Wi-Fi network, it first judges by the above method whether the corresponding AP is a suspicious AP (i.e. a target AP). If it is, the client is not yet allowed to access, and the further judgment of the subsequent steps determines whether the client may access; if it is not, the client is allowed to access that Wi-Fi directly. The client is the mobile wireless terminal about to access the WLAN, which may be a mobile terminal equipped with a wireless network card such as a smartphone, tablet computer or portable notebook. Alternatively, the client may screen the APs corresponding to all Wi-Fi in the entire WLAN for fake APs.
As an improvement of this embodiment, the hotspots in the WLAN may first be scanned before step S110, the scan results recorded, and a Wi-Fi list generated from which the user selects the APs to detect. The device scanning the WLAN is the mobile wireless terminal about to access the WLAN, which may be a smartphone, tablet computer, portable notebook or other mobile terminal equipped with a wireless network card; those skilled in the art may, according to the actual situation, scan the wireless LAN currently to be detected with any device able to collect Wi-Fi information. Since the same area may be covered by several hotspots, the Wi-Fi list may contain hotspots on multiple channels, and one Wi-Fi hotspot may include multiple MAC addresses, such as the CMCC hotspot provided by the operator China Mobile, the Starbucks hotspot of a large chain store, or personal hotspots.
The Wi-Fi signals in the current wireless LAN are scanned with the device about to access the wireless network, the relevant information is extracted, and the scan results are recorded; the scan results include the service set identifier SSID, the basic service set identifier BSSID, the channel, etc.
Step S102 is separately connected the target AP using two cards of throwing the net, and obtains the IP address of distribution, executes two-way SYN reflection detection: positive SYN reflection detection is executed using network interface card one, and executes reversed SYN reflection detection using network interface card two.
Specifically, being the network interface card two using the network interface card one construction IP address to execute positive SYN reflection detection SYN packet, and it is sent to server, while whether receiving corresponding SYN-ACK packet using the network interface card two monitoring, it completes positive SYN reflection detection.
When constructing the progress forward direction SYN reflection detection of SYN packet, network interface card one is used to construct a SYN packet for detecting, hair It send to network server, wherein the two of this SYN packet layer source physical address is the MAC Address of network interface card one, and three layers of source IP address are net The address that card two obtains, destination-address are the server in network, and (synchronizing sequence number) position SYN is 1, port source port Number for random client end slogan in 10000-65535, purpose IP address and destination slogan are at random in SYN packet. The purpose for the arrangement is that attacker hides detection in order to prevent.Two sniff function of network interface card is opened, sends the SYN packet in network interface card one Before, network interface card two persistently monitors whether receive desired SYN-ACK packet.Desired SYN-ACK packet is to connect before the deadline Receive response bag (i.e. purpose IP address and port port numbers and above-mentioned structure comprising correct IP address and correct port numbers The SYN packet details made is corresponding).In SYN reflection detection process, SYN packet is to be sent to internet clothes by gateway by network interface card one SYN-ACK is sent to the gateway after server is made accordingly by business device, because gateway uses NAT technology, gateway It can attempt the network interface card two for SYN-ACK packet being transmitted to record, with obtaining the corresponding MAC of IP of network interface card two by inquiry forwarding entry Location.
It is the SYN packet of the network interface card one using the network interface card two construction IP address to execute reversed SYN reflection detection, And it is sent to server, while whether receiving corresponding SYN-ACK packet using the network interface card one monitoring, it is anti-to complete reversed SYN Penetrate detection.
When building SYN packet carries out reversed SYN reflection detection, network interface card two is used to construct the SYN packet for being used for detection, hair It send to network server, wherein the two of this SYN packet layer source physical address is the MAC Address of network interface card two, and three layers of source IP address are net The address that card one obtains, destination-address are the server in network, and (synchronizing sequence number) position SYN is 1, port source port Number for random client end slogan in 10000-65535, purpose IP address and destination slogan are at random in SYN packet. The purpose done so hides detection also for preventing attacker.One sniff function of network interface card is opened, continues to monitor and whether receives To desired SYN-ACK packet, desired SYN-ACK packet is to be received before the deadline comprising correct IP address and correct Port numbers response bag.
Step S103 judges target AP according to the quantity of the SYN-ACK packet received after executing two-way SYN reflection detection In with the presence or absence of fishing AP attack and challenge model.
Specifically, in proper network structure, execute two-way SYN reflection detection, two throw the net card be all subjected to it is correct SYN-ACK packet.Since in positive SYN reflection, the network interface card one is using information structurings SYN packets such as two IP of network interface card to network service Device sends SYN handshake packet, when the SYN packet is by gateway, NAT router can extract in SYN packet source IP address (that is, The address of network interface card two), the idle public IP of distribution and port numbers, and corresponding informance is recorded in mapping table.Internet service After device receives the SYN packet that the gateway is sent, understand the SYN-ACK packet of response according to the IP address of the gateway and port numbers Return to the gateway.The gateway inquires NAT mapping table after receiving SYN-ACK packet, by public ip address and port numbers Translate into private IP address and port numbers.Because what is recorded in NAT mapping table is the IP of network interface card two, SYN-ACK packet meeting It is transmitted to network interface card two.That is, network interface card one executes positive SYN reflection, network interface card two can receive SYN-ACK packet.Similarly, when two benefit of network interface card Reversed SYN reflection detection is executed with information such as one IP of network interface card, network interface card one also can receive the SYN-ACK packet of expectation.To sum up institute It states, when two target AP are legal AP, two cards of throwing the net execute two-way SYN and reflect the SYN-ACK packet that can all receive expectation, i.e., The SYN-ACK packet of 2 correct IP and port numbers.
Usually, in public network and private network, can there are a gateway, such as family in each tissue network Front yard network, corporate networks, airport network, on public ip address of the host by sharing one or a set of gateway in local area network Net, i.e. NAT technology.Therefore, the AP in proper network is connected on same gateway, and two-way SYN detection can be such that two clampings of throwing the net receive To SYN-ACK frame.
In addition, in series connection fishing AP challenge model, two-way SYN reflection detection is executed, two, which throw the net in card, only has one to throw the net Card can receive SYN-ACK frame.Series connection fishing AP challenge model refers to that attacker utilizes a wireless network card release signal, Victim's connection is lured, another wireless network card pretends to be normal user and connect legal AP.That is, attacker utilizes one Opening wireless network card connects victim, is provided the data forwarding of victim for victim to legal AP using another card of throwing the net Internet service.In series connection fishing AP challenge model, fishing AP is arranged between legal AP and victim by attacker Go-between, going fishing between AP and legal AP is concatenated structure.
Series connection fishing AP model in, the two of test side throw the net card be separately connected the fishing AP and fishing AP, execute pair It reflects and detects to SYN, the network interface card of connection fishing AP cannot receive desired SYN-ACK packet.The fishing built due to attacker For AP such as gateway, it distributes to the flow of the user of the IP forwarding internal network of fishing AP network interface card using legal AP to legal AP. Assuming that the connection fishing AP of network interface card one, network interface card two connect legal AP.When executing forward direction SYN reflection detection, network interface card one utilizes network interface card Two IP information structuring SYN packet is sent to fishing AP, the IP of fishing AP record network interface card two, and the source address of IP packet is substituted for conjunction Method AP distributes to the IP address of fishing AP, and the SYN packet is then transmitted to legal AP, by the gateway forwards of legal AP to because In spy's net.Internet server sends the SYN-ACK packet of response to the gateway of legal AP after receiving SYN packet, gateway according to Map entry is transmitted to legal AP, is finally sent to fishing AP and pretends to be in the network interface card of normal users.Because in the NAT mapping of fishing AP SYN-ACK packet needs to be sent to two IP address of network interface card in table, and fishing AP is the same with gateway, by the destination IP of SYN-ACK packet Address translation and attempts to be sent to network interface card two at the IP of network interface card two.Again because fishing AP and network interface card two are in the same network, The SYN-ACK packet can be sent to legal AP by fishing AP and be transmitted to network interface card two.Therefore, in series connection fishing AP challenge model In, network interface card one (connection fishing AP) executes forward direction SYN reflection detection, and 
network interface card two can receive desired SYN-ACK packet.
In series connection fishing AP challenge model, when executing reversed SYN reflection detection, the network interface card (network interface card two) of connection fishing AP Desired SYN-ACK packet cannot be received.Because being taken when network interface card two sends SYN packet using information such as the IP of network interface card one to internet When business device, gateway can check whether the source IP address of the SYN packet is in this network segment, if belonging to this network segment, gateway can be by SYN packet It translates and is sent to internet;If SYN packet source IP address is not belonging to this network segment, gateway due to safety concerns can be by the SYN packet It abandons.Since in series connection fishing AP challenge model, the network segment of fishing AP release is different with legal AP release network segment.This shows net After sending SYN packet using the IP address of network interface card one, the gateway of legal AP can abandon the SYN packet card two.Therefore, network interface card one Desired SYN-ACK packet is not will receive.That is, when executing reversed SYN detection, network interface card one is not in series connection fishing AP challenge model SYN-ACK packet can be received.In conclusion executing two-way SYN reflection detection in series connection fishing AP challenge model, only connecting The network interface card of bonding method AP can receive desired SYN-ACK packet, and the network interface card connection for failing to receive SYN-ACK packet is fishing AP。
In addition, when bidirectional SYN reflection detection is executed in the parallel fishing AP attack model, neither detection NIC receives a SYN-ACK packet. First, the parallel fishing AP attack model means that the attacker connects the victim attached to the fishing AP to the Internet through a gateway different from that of the legal AP. The attacker usually uses a mobile cellular network (such as 3G/4G) as the access network of the fishing AP, while the access network of the legal AP is usually Ethernet; that is, the legal gateway and the gateway used by the attacker have different public IP addresses. When the two detection NICs are connected to the legal AP and the fishing AP respectively (NIC one to the legal AP, NIC two to the fishing AP) and bidirectional SYN detection is executed, neither detection NIC receives the SYN-ACK response. During forward SYN reflection detection, NIC one constructs a SYN packet using the IP address of NIC two; the legal gateway translates the private address in the IP packet into its public IP address and sends the packet to the Internet server. The server's SYN-ACK is therefore sent back to the legal gateway, but NIC two is connected to the fishing AP, so the legal gateway cannot deliver the SYN-ACK response to NIC two. Similarly, during reverse SYN reflection detection, NIC two constructs a SYN packet using the IP address of NIC one; the fishing AP translates the private address in the IP packet into its own public IP address and sends the packet to the Internet server. The server's SYN-ACK is therefore sent back to the fishing AP, but NIC one is connected to the legal AP, so the fishing AP cannot deliver the SYN-ACK response to NIC one. Consequently, in the parallel fishing AP attack model, neither detection NIC receives the desired SYN-ACK packet when bidirectional SYN reflection detection is executed.
In conclusion can two-way SYN reflection detection can use receive desired SYN-ACK packet and received number Amount judges in network to be detected with the presence or absence of fishing AP attack and challenge model.After executing two-way SYN reflection detection, if two Card of throwing the net can receive desired SYN-ACK packet, and SYN-ACK packet quantity is two, then determine that target AP is that true AP (is closed Method AP), user can normally connect;If only one card of throwing the net can receive desired SYN-ACK packet, SYN-ACK packet quantity is One, then determine there is puppet AP in target AP, and go fishing AP for series connection, not receiving the AP that the network interface card of SYN-ACK packet is connected is Go fishing AP;If two cards of throwing the net all fail to receive desired SYN-ACK, SYN-ACK packet quantity is zero, then determines in target AP In the presence of parallel connection fishing AP.
As an embodiment of the present invention, after a fishing AP attack is judged to exist, a warning is issued to the client and the network administrator, prompting that the Wi-Fi is unsafe and/or forbidding the user to connect, and/or reporting the SSID and MAC address of the fishing AP to the network administrator.
As an embodiment of the present invention, when a series fishing AP attack is judged to exist, a series AP attack alarm is issued to the client and the network administrator; when a parallel fishing AP attack exists, a parallel fishing AP attack alarm is issued to the client and the network administrator. The alarm information includes the SSID, MAC address and physical location of the fishing AP.
As an embodiment of the present invention, after the fishing AP is identified, its SSID and MAC address are reported to the network administrator, who locates the AP in combination with the signal strength of the fishing AP. Locating an AP by signal strength is not a technical or design point of the present invention and can be realized according to the prior art, so it is not described here.
Embodiment 2
As shown in Figure 2, the present invention provides a detection device for multi-model fake APs based on bidirectional SYN reflection, comprising:
a selection module, for screening whether the AP detection set specified by the user contains two or more APs with the same SSID, and if so, determining those APs to be target APs;
a reflection module, for executing bidirectional SYN reflection detection, including constructing a SYN handshake packet to execute forward SYN reflection detection and constructing a SYN handshake packet to execute reverse SYN reflection detection;
a judgment module, for judging according to the SYN-ACK packets received whether a fishing AP attack exists in the target network and which attack model it follows: if two desired SYN-ACK packets are received, the target APs are judged to be legal APs; if only one desired SYN-ACK packet is received, a series fishing AP attack is judged to exist among the target APs, and the NIC that failed to receive a SYN-ACK packet is connected to the fishing AP; if no desired SYN-ACK packet is received, a parallel fishing AP attack is judged to exist among the target APs.
For the implementation of the device, refer to Embodiment 1; details are not repeated here.
Embodiment 3
As shown in Figure 3, the present invention also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the following steps:
First, through the selection module, the client selects the Wi-Fi network or networks it needs to access or detect, and generates a valid set of APs to be detected. The valid APs to be detected are the different APs that share the same SSID, i.e. the target APs (suspicious APs).
Then, through the reflection module, bidirectional SYN reflection detection is executed. This step consists of three operations.
First, the two NICs are connected to the two suspicious APs respectively and obtain IP addresses.
Second, NIC one executes forward SYN reflection detection. At the same time, NIC two sniffs whether a correct SYN-ACK packet arrives at NIC two.
Third, NIC two executes reverse SYN reflection detection. At the same time, NIC one sniffs whether a correct SYN-ACK packet arrives at NIC one.
Finally, the judgment module judges, according to the SYN-ACK packets received by the two NICs, whether a fishing AP attack exists in the network and which type of attack it is. There are three scenes. Scene one: both NICs receive the desired SYN-ACK packet; the target APs are genuine (legal) APs, there is no fishing AP attack, the network is safe and the user can connect normally. Scene two: neither NIC receives the desired SYN-ACK; a parallel fishing AP exists among the target APs and the network is unsafe. Scene three: only one NIC receives the desired SYN-ACK packet; the network is unsafe, a series fishing AP attack exists, and the AP connected to the NIC that received no SYN-ACK packet is the fishing AP.
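The "desired SYN-ACK" matching of the forward and reverse reflection steps (claims 3 and 4) and the three-scene decision rule just described (also stated at the end of the series/parallel discussion in Embodiment 1), worked as an added Python example; this is not the patent's code. The server address, NIC addresses, ports, timestamps and captured segments are constructed, and the `ack == seq + 1` check is an assumption added here, not a requirement the patent states.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

SERVER = ("203.0.113.10", 80)   # constructed: any reachable TCP server used as target

@dataclass(frozen=True)
class Probe:
    """One detection SYN: `sender` transmits it with the other NIC's IP as the
    layer-3 source (own MAC at layer 2); `sniffer` waits for the SYN-ACK."""
    sender: str
    sniffer: str
    src_ip: str     # spoofed source = sniffer's address
    src_port: int   # randomly chosen source port of the SYN
    seq: int        # initial sequence number of the SYN
    sent_at: float  # seconds on a monotonic clock

@dataclass(frozen=True)
class Packet:
    """A TCP segment observed on `nic` (constructed sample, not a real capture)."""
    nic: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str      # "SA" = SYN+ACK
    ack: int
    seen_at: float

def is_desired_syn_ack(probe: Probe, pkt: Packet, timeout: float) -> bool:
    """Claims 3/4: the response with the correct IP address and port, seen on the
    sniffing NIC within the defined time. ack == seq + 1 is an added assumption
    that ties the reply to this particular probe rather than unrelated traffic."""
    return (pkt.nic == probe.sniffer
            and pkt.flags == "SA"
            and (pkt.src_ip, pkt.src_port) == SERVER
            and (pkt.dst_ip, pkt.dst_port) == (probe.src_ip, probe.src_port)
            and pkt.ack == probe.seq + 1
            and probe.sent_at <= pkt.seen_at <= probe.sent_at + timeout)

def classify(forward: Probe, reverse: Probe, captured: Iterable[Packet],
             timeout: float = 3.0) -> Dict[str, object]:
    """Decision rule of the method: count desired SYN-ACKs over both probes.
    2 -> legal AP; 1 -> series fishing AP (the NIC without a reply is on it);
    0 -> parallel fishing AP."""
    captured = list(captured)
    hits = {p.sniffer: any(is_desired_syn_ack(p, x, timeout) for x in captured)
            for p in (forward, reverse)}
    count = sum(hits.values())
    fishing_nic: Optional[str] = None
    if count == 2:
        verdict = "legal"
    elif count == 1:
        verdict = "series"
        fishing_nic = next(nic for nic, ok in hits.items() if not ok)
    else:
        verdict = "parallel"
    return {"syn_ack_count": count, "verdict": verdict, "fishing_nic": fishing_nic}

# Constructed run: nic1 on AP A obtained 192.168.1.10, nic2 on AP B obtained 10.0.0.5.
FORWARD = Probe("nic1", "nic2", "10.0.0.5", 40001, 1000, 0.0)      # nic1 sends, nic2 sniffs
REVERSE = Probe("nic2", "nic1", "192.168.1.10", 40002, 2000, 0.5)  # nic2 sends, nic1 sniffs

def reply(nic: str, dst_ip: str, dst_port: int, ack: int, t: float) -> Packet:
    """A SYN-ACK from SERVER as the sniffer on `nic` would see it (constructed)."""
    return Packet(nic, SERVER[0], SERVER[1], dst_ip, dst_port, "SA", ack, t)

SCENE_LEGAL = [reply("nic2", "10.0.0.5", 40001, 1001, 0.1),
               reply("nic1", "192.168.1.10", 40002, 2001, 0.6)]
SCENE_SERIES = [reply("nic1", "192.168.1.10", 40002, 2001, 0.6),
                reply("nic2", "10.0.0.5", 40555, 1001, 0.2)]   # wrong port: not a desired reply
SCENE_PARALLEL = [reply("nic2", "10.0.0.5", 40001, 1001, 9.0)]  # late: outside the defined time

if __name__ == "__main__":
    for name, pkts in (("legal", SCENE_LEGAL), ("series", SCENE_SERIES), ("parallel", SCENE_PARALLEL)):
        print(name, classify(FORWARD, REVERSE, pkts))
```

The series scene shows why the port and time checks matter: a SYN-ACK to the wrong port, or one arriving after the defined time, is not counted, so the NIC it appeared on is still reported as the one connected to the fishing AP.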
Of course, the computer program of this embodiment can also carry out each process step of Embodiment 1; details are not repeated here.
As an embodiment of the present invention, the present invention also provides a computer program product comprising a program executable by a processor; when executed by a processor, the computer program can implement every step of Embodiment 1 and Embodiment 2, which are not repeated here.
The embodiments in this description may refer to each other for their same or similar parts; each embodiment focuses on its differences from the other embodiments. Moreover, the structure of the device embodiment is only schematic: the program modules described as separate parts may or may not be physically separate, and in practical application some or all of the modules may be selected as needed to achieve the purpose of the solution of this embodiment.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be realized by software plus the necessary hardware platform, or of course entirely by hardware, but in many cases the former is the preferred embodiment. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the background art, can be embodied in the form of a software product, which can be stored in a storage medium such as ROM/RAM, a magnetic disk or a CD and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment, or in certain parts of each embodiment, of the present invention.
Of course, the above description is not a limitation of the present invention, and the present invention is not limited to the examples above; variations, modifications, additions or substitutions made by those of ordinary skill in the art within the essential scope of the present invention all fall within the protection scope of the present invention.

Claims (12)

1. A multi-model fake AP detection method based on bidirectional SYN reflection, characterized by comprising:
judging whether the AP detection set specified by the user contains two or more APs with the same SSID, and if so, determining those APs to be target APs;
connecting two NICs to the target APs respectively and obtaining the assigned IP addresses, then executing bidirectional SYN reflection detection: executing forward SYN reflection detection with NIC one and executing reverse SYN reflection detection with NIC two;
after executing bidirectional SYN reflection detection, judging according to the SYN-ACK packets received whether a fishing AP attack exists among the target APs and which attack model it follows.
2. The multi-model fake AP detection method based on bidirectional SYN reflection according to claim 1, characterized in that executing bidirectional SYN reflection detection comprises: constructing with NIC one a SYN packet whose IP address is that of NIC two and sending it to a server, while monitoring with NIC two whether the corresponding SYN-ACK packet is received, to complete forward SYN reflection detection;
and constructing with NIC two a SYN packet whose IP address is that of NIC one and sending it to the server, while monitoring with NIC one whether the corresponding SYN-ACK packet is received, to complete reverse SYN reflection detection.
3. The multi-model fake AP detection method based on bidirectional SYN reflection according to claim 1, characterized in that the step of forward SYN reflection detection comprises:
constructing with NIC one a SYN packet for detection and sending it to a network server, wherein the layer-2 source physical address of this SYN packet is the MAC address of NIC one, the layer-3 source IP address is the address obtained by NIC two, the destination address is the server in the network, the source port number of the SYN packet is chosen at random, and the SYN flag is set to 1;
enabling the sniffing function of NIC two and continuously monitoring whether the desired SYN-ACK packet is received, the desired SYN-ACK packet being a response packet containing the correct IP address and the correct port number that is received within the defined time.
4. The multi-model fake AP detection method based on bidirectional SYN reflection according to claim 3, characterized in that the step of reverse SYN reflection detection comprises:
constructing with NIC two a SYN packet for detection and sending it to a network server, wherein the layer-2 source physical address of this SYN packet is the MAC address of NIC two, the layer-3 source IP address is the address obtained by NIC one, the destination address is the server in the network, the source port number of the SYN packet is chosen at random, and the SYN flag is set to 1;
enabling the sniffing function of NIC one and continuously monitoring whether the desired SYN-ACK packet is received, the desired SYN-ACK packet being a response packet containing the correct IP address and the correct port number that is received within the defined time.
5. The multi-model fake AP detection method based on bidirectional SYN reflection according to claim 4, characterized in that: after executing bidirectional SYN reflection detection, judging according to the number of SYN-ACK packets received whether a fishing AP attack exists among the target APs and which attack model it follows;
if both NICs receive the desired SYN-ACK packet, the number of SYN-ACK packets being two, the target APs are all judged to be legal APs; if only one NIC receives the desired SYN-ACK packet, the number of SYN-ACK packets being one, a series fishing AP is judged to exist among the target APs, and the AP connected to the NIC that received no SYN-ACK packet is the fishing AP; if neither NIC receives the desired SYN-ACK, the number of SYN-ACK packets being zero, a parallel fishing AP is judged to exist among the target APs.
6. The multi-model fake AP detection method based on bidirectional SYN reflection according to claim 1, characterized in that: the Wi-Fi corresponding to the APs specified by the user is the detection range specified by the user as needed, being either all Wi-Fi of the entire wireless network or one or several specified Wi-Fi networks.
7. The multi-model fake AP detection method based on bidirectional SYN reflection according to claim 1, characterized in that the method further comprises: after a fishing AP attack is judged to exist, issuing a warning to the client and the network administrator, prompting that the Wi-Fi is unsafe and/or forbidding the user to connect, and/or reporting the SSID and MAC address of the fishing AP to the network administrator.
8. The multi-model fake AP detection method based on bidirectional SYN reflection according to claim 5, characterized in that: when a series fishing AP attack is judged to exist, a series AP attack alarm is issued to the client and the network administrator; when a parallel fishing AP attack exists, a parallel fishing AP attack alarm is issued to the client and the network administrator; the alarm information includes the SSID, MAC address and physical location of the fishing AP.
9. The multi-model fake AP detection method based on bidirectional SYN reflection according to claim 1, characterized in that the method further comprises: after the fishing AP is identified, reporting the SSID and MAC address of the fishing AP to the network administrator and locating the AP in combination with the signal strength of the fishing AP.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 9.
11. A computer program product comprising a program executable by a processor, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 9.
12. A detection device for multi-model fake APs based on bidirectional SYN reflection, characterized by comprising:
a selection module, for screening whether the AP detection set specified by the user contains two or more APs with the same SSID, and if so, determining those APs to be target APs;
a reflection module, for executing bidirectional SYN reflection detection, including constructing a SYN handshake packet to execute forward SYN reflection detection and constructing a SYN handshake packet to execute reverse SYN reflection detection;
a judgment module, for judging according to the SYN-ACK packets received whether a fishing AP attack exists in the target network and which attack model it follows: if two desired SYN-ACK packets are received, the target APs are judged to be legal APs; if only one desired SYN-ACK packet is received, a series fishing AP attack is judged to exist among the target APs, and the NIC that failed to receive a SYN-ACK packet is connected to the fishing AP; if no desired SYN-ACK packet is received, a parallel fishing AP attack is judged to exist among the target APs.
CN201910446169.2A 2019-05-27 2019-05-27 Multi-model pseudo AP detection method and detection device based on bidirectional SYN reflection Active CN110213761B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910446169.2A CN110213761B (en) 2019-05-27 2019-05-27 Multi-model pseudo AP detection method and detection device based on bidirectional SYN reflection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910446169.2A CN110213761B (en) 2019-05-27 2019-05-27 Multi-model pseudo AP detection method and detection device based on bidirectional SYN reflection

Publications (2)

Publication Number Publication Date
CN110213761A true CN110213761A (en) 2019-09-06
CN110213761B CN110213761B (en) 2020-06-02

Family

ID=67788774

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910446169.2A Active CN110213761B (en) 2019-05-27 2019-05-27 Multi-model pseudo AP detection method and detection device based on bidirectional SYN reflection

Country Status (1)

Country Link
CN (1) CN110213761B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112073968A (en) * 2020-08-19 2020-12-11 青岛大学 Full-model pseudo AP detection method and detection device based on phase error drift range
CN112565005A (en) * 2020-11-26 2021-03-26 北京北信源软件股份有限公司 Network serial line detection method and device, equipment and medium
CN113411809A (en) * 2021-07-30 2021-09-17 浙江大华技术股份有限公司 Method and device for preventing access pseudo AP and AP hijacking
CN115086207A (en) * 2022-06-14 2022-09-20 深信服科技股份有限公司 Network card detection method and device, electronic equipment and storage medium
CN116709338A (en) * 2023-08-09 2023-09-05 深圳市南方硅谷半导体股份有限公司 Wi-Fi access point capable of defending middleman MitM attack

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060098585A1 (en) * 2004-11-09 2006-05-11 Cisco Technology, Inc. Detecting malicious attacks using network behavior and header analysis
US7984164B2 (en) * 2008-01-08 2011-07-19 Nec Corporation Server, and packet transferring method and program therefor
CN103313429A (en) * 2013-07-10 2013-09-18 江苏君立华域信息安全技术有限公司 Processing method for recognizing fabricated WIFI (Wireless Fidelity) hotspot
CN105611534A (en) * 2014-11-25 2016-05-25 阿里巴巴集团控股有限公司 Method and device for recognizing pseudo WiFi network by wireless terminal
CN107197456A (en) * 2017-06-16 2017-09-22 中国海洋大学 A kind of client-based identification puppet AP detection method and detection means

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Jin Shuangqi et al.: "Research on detection techniques for wireless phishing AP attacks", 《计算机应用与软件》 (Computer Applications and Software) *
Chen Wei et al.: "A survey of wireless phishing access point attacks and detection techniques", 《武汉大学学报(理学版)》 (Journal of Wuhan University, Natural Science Edition) *

Also Published As

Publication number Publication date
CN110213761B (en) 2020-06-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Qu Haipeng

Inventor after: Lu Qian

Inventor after: Jiang Ruobing

Inventor after: Ouyang Yuzhan

Inventor after: Wang Xiaodong

Inventor before: Lu Qian

Inventor before: Qu Haipeng

Inventor before: Jiang Ruobing

Inventor before: Ouyang Yuzhan

Inventor before: Wang Xiaodong

GR01 Patent grant