CN111866005A - ARP spoofing attack defense method, system and device based on block chain - Google Patents

Publication number
CN111866005A
Authority
CN
China
Prior art keywords
mac address
arp
host
address
block chain
Legal status
Pending
Application number
CN202010735869.6A
Other languages
Chinese (zh)
Inventor
雷雨
申远远
张�诚
张婧
Current Assignee
Bank of China Ltd
Original Assignee
Bank of China Ltd
Application filed by Bank of China Ltd
Priority to CN202010735869.6A
Publication of CN111866005A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information

Abstract

The invention discloses a block chain-based ARP spoofing attack defense method, a system and a device, wherein the method comprises the following steps: acquiring an ARP request sent by a source host to a target host in a local area network, wherein the ARP request comprises: the IP address of the target host; acquiring an ARP response result returned by the target host to the source host, wherein the ARP response result comprises: a first MAC address of the target host; inquiring a second MAC address of the target host stored on the block chain network according to the IP address of the target host; judging whether the first MAC address is consistent with the second MAC address; and under the condition that the first MAC address is inconsistent with the second MAC address, sending the second MAC address to the source host, so that the source host communicates with the target host according to the second MAC address. The invention can discover and prevent ARP spoofing attack of the local area network in time.

Description

ARP spoofing attack defense method, system and device based on block chain
Technical Field
The invention relates to the field of network security, in particular to a block chain-based ARP spoofing attack defense method, system and device.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
With the spread of Wi-Fi technology, attacks based on Wi-Fi local area networks have become increasingly common; ARP spoofing on the local area network in particular is stealthy and difficult to guard against.
ARP spoofing is an attack technique targeting the Ethernet Address Resolution Protocol (ARP): by spoofing the gateway MAC address seen by a visiting PC in the local area network, the attacker makes that PC mistake a MAC address substituted by the attacker for the MAC address of the gateway, so that network connectivity is lost. ARP spoofing attacks enable attackers to obtain and even tamper with data packets on the LAN, and can leave certain computers or all computers within the LAN unable to connect properly.
Therefore, how to discover ARP spoofing in the local area network in time is a technical problem that urgently needs to be solved to ensure the security of the local area network.
Disclosure of Invention
An embodiment of the invention provides a block chain-based ARP spoofing attack defense method, which addresses the technical problem that ARP spoofing in existing local area networks causes loss of network connectivity. The method comprises the following steps: acquiring an ARP request sent by a source host to a target host in a local area network, wherein the ARP request comprises the IP address of the target host; acquiring an ARP response result returned by the target host to the source host, wherein the ARP response result comprises a first MAC address of the target host; querying, according to the IP address of the target host, a second MAC address of the target host stored on the block chain network; judging whether the first MAC address is consistent with the second MAC address; and, when the first MAC address is inconsistent with the second MAC address, sending the second MAC address to the source host, so that the source host communicates with the target host according to the second MAC address.
An embodiment of the invention also provides a block chain-based ARP spoofing attack defense system, which addresses the same technical problem. The system comprises: a block chain network, used for storing the IP address and the MAC address of each host in the local area network; and an ARP defense server, used for acquiring an ARP request sent by a source host to a target host in the local area network and a first MAC address returned by the target host to the source host, querying, according to the IP address of the target host contained in the ARP request, a second MAC address of the target host stored on the block chain network, judging whether the first MAC address is consistent with the second MAC address, and, when the first MAC address is inconsistent with the second MAC address, sending the second MAC address to the source host, so that the source host communicates with the target host according to the second MAC address.
An embodiment of the invention also provides a block chain-based ARP spoofing attack defense device, which addresses the same technical problem. The device comprises: an ARP request obtaining module, configured to obtain an ARP request sent by a source host to a target host in a local area network, where the ARP request includes the IP address of the target host; an ARP response result obtaining module, configured to obtain an ARP response result returned by the target host to the source host, where the ARP response result includes a first MAC address of the target host; a block chain query module, configured to query, according to the IP address of the target host, a second MAC address of the target host stored on the block chain network; an ARP spoofing attack judging module, configured to judge whether the first MAC address is consistent with the second MAC address; and an ARP spoofing attack intercepting module, configured to send the second MAC address to the source host when the first MAC address is inconsistent with the second MAC address, so that the source host communicates with the target host according to the second MAC address.
An embodiment of the invention also provides computer equipment, which addresses the technical problem that ARP spoofing in existing local area networks causes loss of network connectivity. The computer equipment comprises a memory, a processor, and a computer program that is stored on the memory and can run on the processor; the block chain-based ARP spoofing attack defense method is realized when the processor executes the computer program.
An embodiment of the invention also provides a computer-readable storage medium, which addresses the technical problem that ARP spoofing in existing local area networks causes loss of network connectivity.
Compared with the prior-art approach of communicating directly on the basis of the ARP cache table information cached locally by each device in the local area network, the embodiments of the invention write the ARP cache table information (comprising the correspondence between IP addresses and MAC addresses) of all devices in the local area network into the block chain, and use the ARP cache table information stored on the block chain to check whether the ARP cache table information cached locally by each device in the local area network has been tampered with, so that ARP spoofing attacks in the local area network can be discovered and prevented in time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. In the drawings:
Fig. 1 is a flowchart of an ARP spoofing attack defense method based on a block chain according to an embodiment of the present invention;
Fig. 2 is a flowchart of an optional block chain-based ARP spoofing attack defense method according to an embodiment of the present invention;
Fig. 3 is a flowchart of an optional block chain-based ARP spoofing attack defense method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an ARP spoofing attack defense system based on a block chain according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of an ARP spoofing attack defense apparatus based on a block chain according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of an optional block chain-based ARP spoofing attack defense apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
An embodiment of the present invention provides a block chain-based ARP spoofing attack defense method, and fig. 1 is a flowchart of the block chain-based ARP spoofing attack defense method provided in the embodiment of the present invention, and as shown in fig. 1, the method may include the following steps:
S101: acquire an ARP request sent by a source host to a target host in a local area network, wherein the ARP request comprises the IP address of the target host;
S102: acquire an ARP response result returned by the target host to the source host, wherein the ARP response result comprises a first MAC address of the target host;
S103: query, according to the IP address of the target host, a second MAC address of the target host stored on the block chain network;
S104: judge whether the first MAC address is consistent with the second MAC address;
S105: when the first MAC address is inconsistent with the second MAC address, send the second MAC address to the source host, so that the source host communicates with the target host according to the second MAC address.
It should be noted that the host in the embodiment of the present invention may be any network device in the lan, including but not limited to a mobile phone, a notebook computer, a computer, and the like. The source host in S101 is a host that sends a data packet; the target host is a host that receives the data packet, wherein the target host may be a host that legally receives the data packet, or a host that illegally obtains the data packet, that is, a host of an attacker.
The MAC address is the unique address identifier used for communication between devices. In LAN communication, when a host A needs to communicate with a host B that is not in its ARP table, it knows only the IP address of the target host B and not its MAC address, so it usually initiates an ARP request and broadcasts it in the LAN. When host B receives the ARP request and finds that host A is looking for it, host B responds to host A with its own MAC address; host A then updates its local ARP cache table (which stores the correspondence between IP addresses and MAC addresses) according to the received MAC address and communicates with host B according to the updated ARP cache table.
Because the ARP request in the LAN is sent as a broadcast, the attacker's host C also receives the ARP request sent by host A; host C then spoofs host A by impersonating host B in its response. After receiving the response from the attacker's host C, host A mistakes host C for host B and stores host C's MAC address in its local ARP cache table, so that the local ARP cache table of host A is tampered with.
In the embodiment of the invention, the IP address and the MAC address of each host in the local area network are stored in the block chain network in advance. After host A receives the MAC address returned by the target host in response to its ARP request, the ARP cache table information stored on the block chain is used to check whether the ARP cache table information currently cached locally by each device in the local area network has been tampered with, so that ARP spoofing attacks in the local area network are discovered and prevented in time. Because data on the block chain network cannot be tampered with, the IP addresses and MAC addresses statically stored on the block chain network allow the embodiment of the invention to defend effectively against ARP spoofing attacks in the local area network.
Optionally, when the first MAC address is inconsistent with the second MAC address, as shown in Fig. 2, the block chain-based ARP spoofing attack defense method according to the embodiment of the present invention may further include the following step:
S106: output ARP spoofing early warning information.
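The check in S101 to S106 can be sketched as follows. This is an added example, not code from the patent: the block chain query is replaced by an in-memory mapping, the ARP bodies and addresses are constructed sample values, and the names `check_reply`, `Verdict` and `LEDGER` are hypothetical.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ARP_REQUEST, ARP_REPLY = 1, 2

# Stand-in for the block chain query in S103 (assumption: a read-only
# IP -> MAC mapping). All addresses here are constructed sample values.
LEDGER = {
    "192.168.1.10": "02:00:00:00:00:0a",  # host A
    "192.168.1.20": "02:00:00:00:00:0b",  # host B
}


@dataclass
class ArpPacket:
    oper: int
    sender_mac: str
    sender_ip: str
    target_ip: str


@dataclass
class Verdict:
    status: str                 # "ok", "spoofed" or "unknown"
    mac_to_use: Optional[str]   # what the source host should put in its cache
    warning: Optional[str]      # S106 early-warning text, if any


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(payload: bytes) -> ArpPacket:
    """Parse a 28-byte Ethernet/IPv4 ARP body (the part after the Ethernet header)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return ArpPacket(oper, _mac(sha), _ip(spa), _ip(tpa))


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build sample ARP bodies for the demonstration below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(p) for p in a.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


def check_reply(request: bytes, reply: bytes, ledger=LEDGER) -> Verdict:
    req, rep = parse_arp(request), parse_arp(reply)
    if req.oper != ARP_REQUEST or rep.oper != ARP_REPLY:
        raise ValueError("expected an ARP request and the reply to it")
    target_ip = req.target_ip                       # S101
    if rep.sender_ip != target_ip:
        raise ValueError("reply does not answer this request")
    first_mac = rep.sender_mac                      # S102
    second_mac = ledger.get(target_ip)              # S103
    if second_mac is None:
        # Not covered by the page: with no stored binding nothing can be
        # confirmed, so report it instead of trusting the reply.
        return Verdict("unknown", None, f"no stored binding for {target_ip}")
    if first_mac == second_mac.lower():             # S104
        return Verdict("ok", first_mac, None)
    warning = (f"ARP spoofing suspected: {target_ip} answered as {first_mac}, "
               f"stored binding is {second_mac}")
    return Verdict("spoofed", second_mac, warning)  # S105 + S106


# Constructed traffic: host A asks for host B; B and attacker host C both answer.
REQUEST = build_arp(ARP_REQUEST, "02:00:00:00:00:0a", "192.168.1.10",
                    "00:00:00:00:00:00", "192.168.1.20")
GENUINE = build_arp(ARP_REPLY, "02:00:00:00:00:0b", "192.168.1.20",
                    "02:00:00:00:00:0a", "192.168.1.10")
FORGED = build_arp(ARP_REPLY, "02:00:00:00:00:0c", "192.168.1.20",
                   "02:00:00:00:00:0a", "192.168.1.10")

if __name__ == "__main__":
    for name, reply in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, check_reply(REQUEST, reply))
```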
It should be noted that, before executing the above S101, the method for defending against ARP spoofing attack based on a blockchain provided in the embodiment of the present invention needs to store the IP address and the MAC address of each host in the local area network to the blockchain network through the following steps: acquiring IP addresses and MAC addresses of one or more hosts in a local area network; and storing the IP address and the MAC address of each host in the local area network into the block chain network.
In the implementation, the IP address and the MAC address of each host in the local area network can be stored in the blockchain network by the following steps: verifying the IP address and the MAC address to be stored by each node in the block chain network; and when more than 51% of nodes on the block chain network pass the verification of the IP address and the MAC address of the host to be stored, storing the IP address and the MAC address of the host to be stored on the block chain of each node in the block chain network.
In the embodiment of the invention, the ARP information of each host in the local area network is stored by using the block chain network, which is static storage. When a device is added to the local area network or an existing device changes, the IP address and the MAC address of the new or changed device can be verified by each node based on the consensus mechanism of the block chain network; and when more than 51% of nodes on the block chain network pass the verification of the IP address and the MAC address of the host to be stored, the IP address and the MAC address of the newly added or changed device are stored to the block chain of each node in the block chain network. Therefore, the embodiment of the invention can update the ARP information of the local area network in time and achieve a self-learning effect.
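The following added example (not the patent's implementation) sketches the "more than 51% of nodes" admission rule together with a hash-linked store on each node. The page does not say what a node checks during verification, so the rule that a node approves only a binding it has observed itself, the SHA-256 block format, and all names and addresses are assumptions.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass, field

GENESIS = "0" * 64


def block_hash(index: int, prev: str, ip: str, mac: str) -> str:
    body = json.dumps({"index": index, "prev": prev, "ip": ip, "mac": mac},
                      sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


@dataclass
class Node:
    name: str
    observed: dict                      # assumed: bindings this node saw itself
    chain: list = field(default_factory=list)

    def verify(self, ip: str, mac: str) -> bool:
        # Assumed validation rule; the page does not define what nodes check.
        return self.observed.get(ip) == mac

    def append(self, ip: str, mac: str) -> None:
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        index = len(self.chain)
        self.chain.append({"index": index, "prev": prev, "ip": ip, "mac": mac,
                           "hash": block_hash(index, prev, ip, mac)})

    def chain_is_intact(self) -> bool:
        prev = GENESIS
        for i, blk in enumerate(self.chain):
            expected = block_hash(i, prev, blk["ip"], blk["mac"])
            if blk["index"] != i or blk["prev"] != prev or blk["hash"] != expected:
                return False
            prev = blk["hash"]
        return True

    def lookup(self, ip: str):
        for blk in reversed(self.chain):    # the latest binding for an IP wins
            if blk["ip"] == ip:
                return blk["mac"]
        return None


def register_binding(nodes, ip, mac):
    """Store the binding on every node only if more than 51% of nodes approve."""
    approvals = sum(1 for n in nodes if n.verify(ip, mac))
    accepted = approvals * 100 > 51 * len(nodes)   # integer form of "> 51%"
    if accepted:
        for n in nodes:
            n.append(ip, mac)
    return accepted, approvals


def query_binding(nodes, ip):
    """Majority answer among nodes whose local chain still verifies."""
    answers = Counter(n.lookup(ip) for n in nodes if n.chain_is_intact())
    answers.pop(None, None)
    return answers.most_common(1)[0][0] if answers else None


def demo():
    # Constructed scenario: four nodes saw host B's real MAC, one saw a forged one.
    good = {"192.168.1.20": "02:00:00:00:00:0b"}
    poisoned = {"192.168.1.20": "02:00:00:00:00:0c"}
    nodes = [Node(f"node{i}", dict(good)) for i in range(4)]
    nodes.append(Node("node4", dict(poisoned)))
    legit = register_binding(nodes, "192.168.1.20", "02:00:00:00:00:0b")
    forged = register_binding(nodes, "192.168.1.20", "02:00:00:00:00:0c")
    nodes[0].chain[0]["mac"] = "02:00:00:00:00:0c"   # edit one stored copy
    return {"legit": legit, "forged": forged,
            "node0_intact": nodes[0].chain_is_intact(),
            "answer": query_binding(nodes, "192.168.1.20")}


if __name__ == "__main__":
    print(demo())
```

With exactly 51 approvals out of 100 nodes the binding is rejected, because the rule as stated requires more than 51%.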
In an embodiment, as shown in fig. 3, the block chain-based ARP spoofing attack defense method provided in the embodiment of the present invention may further include the following steps:
S301: periodically acquire a first ARP cache table of each host in the local area network, wherein the first ARP cache table comprises a first MAC address corresponding to each IP address;
S302: query a second ARP cache table stored in the block chain network, wherein the second ARP cache table comprises a second MAC address corresponding to each IP address;
S303: judge, according to the first ARP cache table and the second ARP cache table, whether the first MAC address and the second MAC address corresponding to each IP address are consistent;
S304: when the first MAC address corresponding to any IP address is inconsistent with the second MAC address, update the second MAC address corresponding to that IP address into the first ARP cache table.
Through this embodiment, the current ARP cache table information of each device in the network is periodically extracted from the routing device, the legal ARP cache table information is requested from the block chain source data storage module, and the obtained information is sent to the judgment module for judgment. If the ARP cache tables are inconsistent, the legal ARP cache table is sent to the affected device for updating, so that the ARP cache table information of the local area network is updated in time and ARP spoofing attacks in the local area network are actively defended against.
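The periodic audit of S301 to S304 is sketched below as an added example, not code from the patent. It assumes the first ARP cache table arrives as the text of a Linux `/proc/net/arp` dump and that corrections are pushed with `ip neigh replace`; the page specifies neither, and the dump, addresses and function names are constructed for illustration.

```python
ATF_COM = 0x02   # Linux neighbour flag: entry is complete (has a resolved MAC)

# Stand-in for the second ARP cache table queried from the block chain (S302).
LEDGER_TABLE = {
    "192.168.1.1": "02:00:00:00:00:01",    # gateway
    "192.168.1.20": "02:00:00:00:00:0b",
}

# Constructed /proc/net/arp dump from one host (the first ARP cache table, S301).
HOST_A_DUMP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:00:00:0c     *        eth0
192.168.1.20     0x1         0x2         02:00:00:00:00:0B     *        eth0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.40     0x1         0x2         02:00:00:00:00:0d     *        eth0
"""


def parse_proc_net_arp(text):
    """Return {ip: (mac, device)} for complete entries only."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) != 6:
            continue                            # ignore malformed rows
        ip, _hw_type, flags, mac, _mask, device = fields
        if int(flags, 16) & ATF_COM:            # skip unresolved (incomplete) entries
            table[ip] = (mac.lower(), device)
    return table


def audit_cache(dump, ledger=LEDGER_TABLE):
    """S303: compare each cached binding with the stored one.

    Returns (corrections, unknown): entries whose MAC differs from the stored
    binding, and cached IPs that have no stored binding at all.
    """
    corrections, unknown = [], []
    for ip, (first_mac, device) in sorted(parse_proc_net_arp(dump).items()):
        second_mac = ledger.get(ip)
        if second_mac is None:
            unknown.append(ip)                  # not covered by the page; reported only
        elif first_mac != second_mac.lower():
            corrections.append({"ip": ip, "found": first_mac,
                                "restore": second_mac, "device": device})
    return corrections, unknown


def corrected_table(dump, ledger=LEDGER_TABLE):
    """S304: the first table with every mismatching entry replaced."""
    table = {ip: mac for ip, (mac, _dev) in parse_proc_net_arp(dump).items()}
    for fix in audit_cache(dump, ledger)[0]:
        table[fix["ip"]] = fix["restore"]
    return table


def fix_commands(corrections):
    """Assumed delivery mechanism: pin the stored binding as a static entry."""
    return [f"ip neigh replace {c['ip']} lladdr {c['restore']} "
            f"dev {c['device']} nud permanent" for c in corrections]


if __name__ == "__main__":
    fixes, unknown = audit_cache(HOST_A_DUMP)
    print(fixes, unknown)
    print("\n".join(fix_commands(fixes)))
```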
Based on the same inventive concept, the embodiment of the invention also provides an ARP spoofing attack defense system based on the block chain, as described in the following embodiments. Because the principle by which the system solves the problem is similar to that of the block chain-based ARP spoofing attack defense method, the implementation of the system can refer to the implementation of the block chain-based ARP spoofing attack defense method, and repeated parts are not described again.
Fig. 4 is a schematic diagram of an ARP spoofing attack defense system based on a block chain according to an embodiment of the present invention, as shown in fig. 4, the system includes: an ARP defense server 41 and a blockchain network 42;
the block chain network 42 is configured to store IP addresses and MAC addresses of each host in the local area network;
the ARP defense server 41 is configured to obtain an ARP request sent by a source host to a target host in a local area network and a first MAC address returned by the target host to the source host, further query, according to an IP address of the target host included in the ARP request, a second MAC address of the target host stored on the block chain network 42, determine whether the first MAC address is consistent with the second MAC address, and send the second MAC address to the source host when the first MAC address is inconsistent with the second MAC address, so that the source host communicates with the target host according to the second MAC address.
It should be noted that the ARP defense server 41 in the embodiment of the present invention may be arranged in an isolation area (DMZ) between two firewalls.
In one embodiment, the ARP defense server 41 is further configured to output ARP spoofing warning information in a case where the first MAC address is not consistent with the second MAC address.
In an embodiment, the ARP defense server 41 is further configured to periodically obtain a first ARP cache table of each host in the local area network, where the first ARP cache table includes: a first MAC address corresponding to each IP address; inquiring a second ARP cache table stored on the blockchain network, wherein the second ARP cache table comprises: a second MAC address corresponding to each IP address; judging whether a first MAC address and a second MAC address corresponding to each IP address are consistent or not according to the first ARP cache table and the second ARP cache table; and under the condition that the first MAC address corresponding to any one IP address is inconsistent with the second MAC address, updating the second MAC address corresponding to the IP address into the first ARP cache table.
In one embodiment, the ARP defense server 41 is further configured to obtain an IP address and a MAC address of one or more hosts in the local area network; and storing the IP address and the MAC address of each host in the local area network into the block chain network.
In one embodiment, the blockchain network 42 is further configured to verify the IP address and the MAC address to be stored; and under the condition that more than 51% of nodes on the block chain network pass the verification of the IP address and the MAC address of the host to be stored, storing the IP address and the MAC address of the host to be stored to the block chain of each node in the block chain network 42.
Taking fig. 4 as an example, a detailed description is given below of a specific process of the embodiment of the present invention, and as shown in fig. 4, the block chain-based ARP spoofing attack defense method provided in the embodiment of the present invention specifically includes the following steps:
(1) The ARP defense server sends the ARP cache information (namely the correspondence between IP and MAC) of all devices in the local area network to the block chain network to realize distributed storage.
(2) When host A needs to communicate with host B, it broadcasts an ARP request to the local area network, and both the legal host B and the attacker's host C receive the ARP request.
(3) After receiving the ARP request, host C pretends to be host B and sends its own MAC address to host A.
(4) After receiving the response from host C, host A writes host C's MAC address into its own ARP cache table and sends its ARP cache table to the attack judgment module in the ARP defense server.
(5) After receiving the ARP cache table, the attack judgment module in the ARP defense server requests from the block chain network the MAC address corresponding to each IP address in the cache table, and compares it for consistency with the MAC address corresponding to that IP address in the ARP cache table sent by host A.
(6) The comparison result and the legal ARP cache table are sent to the data recovery module.
(7) If the data has been tampered with, the data recovery module raises an alarm and returns the result and the legal ARP cache table to host A.
(8) After receiving the legal ARP cache table, host A updates its own ARP cache table and carries out subsequent communication according to that table.
(9) The monitoring and polling module periodically extracts the current ARP cache table information of each device in the network from the routing device, requests the legal ARP cache table information from the block chain source data storage module, and sends the obtained information to the attack judgment module for judgment; if the two are inconsistent, the legal ARP cache table is sent to the affected device for updating.
It should be noted that when a host is added or changed in the local area network, its ARP information needs to be added to the block chain network. When a request to add a device's ARP binding is received, the request is sent to the other machines in the block chain network for verification, and whether the ARP binding relationship is updated to the block chain network is decided according to the statistical result, that is, whether more than 51% agree with the binding relationship.
Based on the same inventive concept, the embodiment of the present invention further provides a block chain-based ARP spoofing attack defense apparatus, as described in the following embodiments. Because the principle of the device for solving the problems is similar to the block chain-based ARP spoofing attack defense method, the implementation of the device can refer to the implementation of the block chain-based ARP spoofing attack defense method, and repeated parts are not described again.
Fig. 5 is a schematic diagram of an ARP spoofing attack defense apparatus based on a block chain according to an embodiment of the present invention, and as shown in fig. 5, the apparatus may include: an ARP request acquisition module 51, an ARP response result acquisition module 52, a block chain query module 53, an ARP spoofing attack judgment module 54, and an ARP spoofing attack interception module 55.
The ARP request obtaining module 51 is configured to obtain an ARP request sent by a source host to a target host in a local area network, where the ARP request includes: the IP address of the target host; an ARP response result obtaining module 52, configured to obtain an ARP response result returned by the target host to the source host, where the ARP response result includes: a first MAC address of the target host; a block chain query module 53, configured to query, according to the IP address of the target host, a second MAC address of the target host stored on the block chain network; an ARP spoofing attack determining module 54 configured to determine whether the first MAC address is consistent with the second MAC address; and the ARP spoofing attack intercepting module 55 is configured to send the second MAC address to the source host when the first MAC address is inconsistent with the second MAC address, so that the source host communicates with the target host according to the second MAC address.
Optionally, the ARP spoofing attack intercepting module 55 may be further configured to output ARP spoofing early warning information when the first MAC address is inconsistent with the second MAC address.
In an embodiment, as shown in fig. 6, the apparatus for defending against ARP spoofing attack based on a block chain provided in an embodiment of the present invention may further include: an ARP spoofing attack monitoring and polling module 56, configured to periodically obtain a first ARP cache table of each host in the lan, where the first ARP cache table includes: a first MAC address corresponding to each IP address; the block chain querying module 53 is further configured to query a second ARP cache table stored in the block chain network, where the second ARP cache table includes: a second MAC address corresponding to each IP address; the ARP spoofing attack determining module 54 is further configured to determine whether a first MAC address and a second MAC address corresponding to each IP address included in the first ARP cache table are consistent according to the first ARP cache table and the second ARP cache table; the ARP spoofing attack intercepting module 55 is further configured to update the second MAC address corresponding to any one IP address into the first ARP cache table when the first MAC address and the second MAC address corresponding to the IP address are inconsistent.
In an embodiment, as shown in fig. 6, the apparatus for defending against ARP spoofing attack based on a block chain provided in an embodiment of the present invention may further include: the block chain storage module 57 is configured to obtain IP addresses and MAC addresses of one or more hosts in the local area network, and store the IP addresses and MAC addresses of the hosts in the local area network in the block chain network.
Optionally, in the above embodiment, the blockchain storage module 57 may be further configured to verify the IP address and the MAC address to be stored by each node in the blockchain network, and store the IP address and the MAC address of the host to be stored on the blockchain of each node in the blockchain network when more than 51% of the nodes on the blockchain network pass the verification of the IP address and the MAC address of the host to be stored.
Based on the same inventive concept, the embodiment of the invention also provides a computer device, which addresses the technical problem that ARP spoofing in existing local area networks causes loss of network connectivity.
Based on the same inventive concept, the embodiment of the invention also provides a computer-readable storage medium, which addresses the technical problem that ARP spoofing in existing local area networks causes loss of network connectivity.
In summary, embodiments of the present invention provide a method, a system, an apparatus, a computer device, and a computer-readable storage medium for defending against ARP spoofing attacks based on a block chain, where, compared with the technical solution in the prior art that the communication is performed directly by using the ARP cache table information locally cached by each device in a local area network, embodiments of the present invention write the ARP cache table information (including the correspondence between IP addresses and MAC addresses) of all devices in the local area network into the block chain, and verify whether the ARP cache table information locally cached by each device in the local area network is tampered with by using the ARP cache table information stored in the block chain, so as to discover and prevent ARP spoofing attacks of the local area network in time.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (13)

1. A block chain-based ARP spoofing attack defense method is characterized by comprising the following steps:
acquiring an ARP request sent by a source host to a target host in a local area network, wherein the ARP request comprises: the IP address of the target host;
acquiring an ARP response result returned by a target host to a source host, wherein the ARP response result comprises: a first MAC address of the target host;
inquiring a second MAC address of the target host stored on the block chain network according to the IP address of the target host;
judging whether the first MAC address is consistent with the second MAC address;
and under the condition that the first MAC address is inconsistent with the second MAC address, sending the second MAC address to the source host, so that the source host communicates with the target host according to the second MAC address.
2. The method of claim 1, wherein the method further comprises:
and outputting ARP spoofing early warning information under the condition that the first MAC address is inconsistent with the second MAC address.
3. The method of claim 1, wherein the method further comprises:
periodically acquiring a first ARP cache table of each host in the local area network, wherein the first ARP cache table comprises: a first MAC address corresponding to each IP address;
querying a second ARP cache table stored in the blockchain network, wherein the second ARP cache table comprises: a second MAC address corresponding to each IP address;
judging whether a first MAC address and a second MAC address corresponding to each IP address are consistent or not according to a first ARP cache table and a second ARP cache table;
and under the condition that the first MAC address corresponding to any one IP address is inconsistent with the second MAC address, updating the second MAC address corresponding to the IP address into the first ARP cache table.
4. The method of any of claims 1 to 3, further comprising:
acquiring IP addresses and MAC addresses of one or more hosts in the local area network;
and storing the IP address and the MAC address of each host in the local area network into the block chain network.
5. The method of claim 4, wherein storing the IP address and MAC address of each host in the local area network to the blockchain network comprises:
verifying, by each node in the block chain network, the IP address and the MAC address to be stored;
and when more than 51% of nodes on the block chain network pass the verification of the IP address and the MAC address of the host to be stored, storing the IP address and the MAC address of the host to be stored on the block chain of each node in the block chain network.
6. A blockchain-based ARP spoofing attack defense system, comprising:
the block chain network is used for storing the IP address and the MAC address of each host in the local area network;
the ARP defense server is used for acquiring an ARP request sent by a source host to a target host in a local area network and a first MAC address returned by the target host to the source host, further inquiring a second MAC address of the target host stored on the block chain network according to the IP address of the target host contained in the ARP request, judging whether the first MAC address is consistent with the second MAC address, and sending the second MAC address to the source host under the condition that the first MAC address is inconsistent with the second MAC address, so that the source host communicates with the target host according to the second MAC address.
7. An ARP spoofing attack defense device based on a block chain, comprising:
an ARP request obtaining module, configured to obtain an ARP request sent by a source host to a target host in a local area network, where the ARP request includes: the IP address of the target host;
an ARP response result obtaining module, configured to obtain an ARP response result returned by the target host to the source host, where the ARP response result includes: a first MAC address of the target host;
the block chain query module is used for querying a second MAC address of the target host stored on the block chain network according to the IP address of the target host;
the ARP spoofing attack judging module is used for judging whether the first MAC address is consistent with the second MAC address or not;
and the ARP spoofing attack intercepting module is used for sending the second MAC address to the source host under the condition that the first MAC address is inconsistent with the second MAC address, so that the source host communicates with the target host according to the second MAC address.
8. The apparatus of claim 7, wherein the ARP spoofing attack intercepting module is further configured to output ARP spoofing warning information in case the first MAC address is not consistent with the second MAC address.
9. The apparatus of claim 7, wherein the apparatus further comprises: an ARP spoofing attack monitoring and polling module, configured to periodically obtain a first ARP cache table of each host in a local area network, where the first ARP cache table includes: a first MAC address corresponding to each IP address;
the block chain query module is further configured to query a second ARP cache table stored in the block chain network, where the second ARP cache table includes: a second MAC address corresponding to each IP address;
the ARP spoofing attack judging module is further used for judging whether a first MAC address corresponding to each IP address contained in the first ARP cache table is consistent with a second MAC address according to the first ARP cache table and the second ARP cache table;
the ARP spoofing attack intercepting module is further used for updating the second MAC address corresponding to any one IP address into the first ARP cache table under the condition that the first MAC address is inconsistent with the second MAC address.
10. The apparatus of any of claims 7 to 9, further comprising:
and the block chain storage module is used for acquiring the IP addresses and the MAC addresses of one or more hosts in the local area network and storing the IP addresses and the MAC addresses of all the hosts in the local area network into the block chain network.
11. The apparatus of claim 10, wherein the blockchain storage module is further configured to have each node in the blockchain network verify the IP address and the MAC address to be stored, and to store the IP address and the MAC address of the host to be stored on the blockchain of each node in the blockchain network when more than 51% of the nodes on the blockchain network verify the IP address and the MAC address of the host to be stored.
12. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the block chain-based ARP spoofing attack defense method of any of claims 1 to 5 when executing the computer program.
13. A computer-readable storage medium storing a computer program for executing the block chain based ARP spoofing attack defense method according to any one of claims 1 to 5.
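The check described in claims 1 to 5, sketched in Python as an added example (not code from the patent or its applicant). A hash-chained in-memory list stands in for the block chain network; `BindingLedger`, `check_reply`, `audit_cache`, the per-node validator callables, the `unknown` verdict for unrecorded IPs and the sample addresses are all assumptions made for illustration.

```python
import hashlib, json

def norm_mac(mac):
    """Canonical lower-case colon form, so differently written MACs compare equal."""
    h = "".join(c for c in mac.lower() if c not in ":-.")
    if len(h) != 12 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

class BindingLedger:  # toy hash-chained stand-in for the block chain network (assumption)
    def __init__(self, validators):
        self.validators, self.blocks, self.bindings = validators, [], {}

    def store(self, ip, mac):
        """Claim 5: append the binding only if more than 51% of nodes verify it."""
        mac = norm_mac(mac)
        votes = sum(bool(v(ip, mac)) for v in self.validators)
        if votes * 100 <= 51 * len(self.validators):
            return False
        block = {"ip": ip, "mac": mac, "prev": self.blocks[-1]["hash"] if self.blocks else "0" * 64}
        block["hash"] = hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()
        self.blocks.append(block)
        self.bindings[ip] = mac
        return True

def check_reply(ledger, target_ip, reply_mac):
    """Claims 1-2: first MAC (from the ARP reply) vs second MAC (from the ledger)."""
    second = ledger.bindings.get(target_ip)
    if second is None:  # no record on the ledger: the page does not cover this case
        return {"verdict": "unknown", "use_mac": None, "alert": None}
    first = norm_mac(reply_mac)
    if first == second:
        return {"verdict": "ok", "use_mac": first, "alert": None}
    return {"verdict": "spoofed", "use_mac": second, "alert":
            f"ARP spoofing warning: {target_ip} answered {first}, ledger has {second}"}

def audit_cache(ledger, cache):
    """Claim 3: overwrite cache entries that disagree with the ledger; return fixed IPs."""
    fixed = []
    for ip, mac in cache.items():
        second = ledger.bindings.get(ip)
        if second is not None and norm_mac(mac) != second:
            cache[ip] = second
            fixed.append(ip)
    return fixed

# Constructed sample data; how a node verifies a binding is an assumption:
# two nodes check a shared inventory, one node rejects everything.
INVENTORY = {"192.0.2.1": "02:00:00:00:00:01", "192.0.2.20": "02:00:00:00:00:20"}
NODES = [lambda ip, mac: INVENTORY.get(ip) == mac] * 2 + [lambda ip, mac: False]

if __name__ == "__main__":
    ledger = BindingLedger(NODES)
    ledger.store("192.0.2.1", INVENTORY["192.0.2.1"])
    print(check_reply(ledger, "192.0.2.1", "02-00-00-00-00-66"))
```

The defense is only as trustworthy as the step that first writes a binding: a wrong IP-to-MAC pair that passes the majority vote would be served to every host as the correct answer.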

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010735869.6A CN111866005A (en) 2020-07-28 2020-07-28 ARP spoofing attack defense method, system and device based on block chain

Publications (1)

Publication Number Publication Date
CN111866005A true CN111866005A (en) 2020-10-30

Family

ID=72948856

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010735869.6A Pending CN111866005A (en) 2020-07-28 2020-07-28 ARP spoofing attack defense method, system and device based on block chain

Country Status (1)

Country Link
CN (1) CN111866005A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201030