CN112714133A - ND attack prevention method and device suitable for DHCPv6 server - Google Patents

Info

Publication number: CN112714133A
Authority: CN (China)
Prior art keywords: dhcpv6, security policy, message, table entry, dhcpv6 server
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202110004986.XA
Other languages: Chinese (zh)
Other versions: CN112714133B (en)
Inventor: 张铭诺
Current Assignee: Fiberhome Telecommunication Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Fiberhome Telecommunication Technologies Co Ltd
Application filed by Fiberhome Telecommunication Technologies Co Ltd
Priority to CN202110004986.XA
Publication of CN112714133A
Application granted
Publication of CN112714133B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses an ND attack prevention method suitable for a DHCPv6 server, which comprises the following steps: the DHCPv6 server receives an unsolicited NA message sent by a DHCPv6 client, where the DHCPv6 client performs DAD detection after acquiring an IPv6 address and sends the unsolicited NA message to the DHCPv6 server after the detection succeeds; the DHCPv6 server generates a security policy table entry for the first time according to the information carried by the unsolicited NA and the ingress interface information; the DHCPv6 server performs NUD detection after the DHCPv6 client is online, and updates the security policy table entry according to the detection result; when receiving an ND message, the DHCPv6 server selects a security policy mode according to the current network scenario to filter out illegal attack messages. The invention solves the practical problem that, in the scenario where an OLT device serves as the DHCPv6 server, a client under ND message attack cannot come online or cannot come back online after going offline, and provides a feasible scheme for preventing ND message spoofing attacks. The invention also provides a corresponding ND attack prevention device suitable for the DHCPv6 server.

Description

ND attack prevention method and device suitable for DHCPv6 server
Technical Field
The invention belongs to the technical field of communication, and particularly relates to an ND attack prevention method and device suitable for a DHCPv6 server.
Background
In a communication network, the IPv6 (Internet Protocol Version 6) network is of major importance. IPv6 offers a huge address space, but addresses as long as 128 bits also require an efficient and reasonable automatic address allocation and management strategy. Stateful automatic address configuration using DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is currently a popular IPv6 automatic configuration mode. Compared with other IPv6 address allocation modes (manual configuration, stateless automatic configuration from the network prefix carried in router advertisement messages, etc.), DHCPv6 has the following advantages:
the allocation of IPv6 addresses is better controlled: DHCPv6 not only records the addresses allocated to IPv6 hosts, but can also allocate specific addresses to specific IPv6 hosts, which facilitates network management; DHCPv6 supports allocating IPv6 prefixes to network equipment, which facilitates automatic configuration and network-level management of the whole network; and besides allocating IPv6 addresses/prefixes to IPv6 hosts, it can allocate network configuration parameters such as the IPv6 address of the DNS server.
With the continuous enrichment of network applications and services, in current networks an OLT (Optical Line Terminal) device often serves as the DHCPv6 server, and the number of hosts attached below the device, especially the number of DHCPv6 clients, is also increasing rapidly.
When a DHCPv6 client acquires a legal IPv6 address through the automatic configuration mode of the DHCPv6 protocol, it comes online through ND (Neighbor Discovery) address resolution, and at this time a user ND table entry corresponding to the address is generated on the OLT device. If at this time there is a flooding attack on the DHCPv6 server in the network, in which an attacker sends a large number of NS (Neighbor Solicitation) or RS (Router Solicitation) messages to make the ND table overflow, the DHCPv6 client may not be able to come online normally, or may not be able to come online again after going offline.
Disclosure of Invention
In view of the defects or improvement needs of the prior art, the invention provides an ND attack prevention scheme suitable for a DHCPv6 server: a security policy table entry is generated accurately by combining an unsolicited NA (Neighbor Advertisement) message with NUD (Neighbor Unreachability Detection), and the validity of ND messages can be checked flexibly and intelligently by adjusting the security policy mode.
To achieve the above object, according to an aspect of the present invention, there is provided an ND attack prevention method for a DHCPv6 server, including:
the DHCPv6 server receives an unsolicited NA message sent by a DHCPv6 client, wherein the unsolicited NA message is subjected to DAD detection by the DHCPv6 client after acquiring an IPv6 address and is sent to the DHCPv6 server after the detection is successful;
the DHCPv6 server generates a security policy table entry for the first time according to the information carried by the unsolicited NA and the interface access information;
the DHCPv6 server performs NUD detection after the DHCPv6 client is on line, and updates the security policy table entry according to the detection result;
when receiving the ND message, the DHCPv6 server selects a security policy mode according to the current network scene to filter out illegal attack messages.
In an embodiment of the present invention, the information carried by the unsolicited NA at least includes a source IPv6 address of the DHCPv6 client, and the ingress interface information at least includes a VPN index of the DHCPv6 server.
In one embodiment of the invention, the security policy table entry at least comprises a VPN index and a source IPv6 address.
In an embodiment of the present invention, the valid flag bit of the security policy table entry is 0 when the security policy table entry is first generated.
In an embodiment of the present invention, the NUD detection performed by the DHCPv6 server after the DHCPv6 client is online includes:
after NUD detection is triggered, the ND table entry of the user moves from the STALE state to the DELAY state; when the DELAY state has lasted for a preset time, the entry moves to the PROBE state, in which the DHCPv6 server sends NS messages to the DHCPv6 client three times. If the DHCPv6 client responds with an NA message, the detection is considered successful, and the DHCPv6 server refreshes the ND table entry of the user to the REACH state after receiving the NA message; if the DHCPv6 client does not respond, the detection is regarded as failed, and the DHCPv6 server deletes the ND table entry of the user.
In an embodiment of the present invention, the ND entry of the user is specifically:
when the client sends a data message, the DHCPv6 client performs address resolution for the destination address and sends an NS message to the DHCPv6 server; the DHCPv6 server generates the ND entry of the user after receiving the NS message sent by the DHCPv6 client, and at this time the entry state is STALE.
In an embodiment of the present invention, updating the security policy table entry according to the detection result includes:
after NUD detection is finished, if the ND table entry of the user is refreshed to the REACH state, the valid flag bit of the corresponding security policy table entry is set to 1; if the ND table entry of the user is deleted, the corresponding security policy table entry is deleted; and when the aging timer of the security policy table expires, all security policy table entries whose valid flag bit is not 1 are aged out and deleted.
In an embodiment of the present invention, the security policy entry aging timer is specifically:
when the first security policy table entry is generated, a security policy table entry aging timer is created; the timer is a cyclic timer, and the aging time is set to the upper bound of the time needed for the maximum number of DHCPv6 clients allowed to access the DHCPv6 server to all come online.
In an embodiment of the present invention, when receiving an ND packet, the DHCPv6 server flexibly selects a security policy mode according to the current network scenario to filter out illegal attack packets, where the security policy modes include a weak correlation mode and a strong correlation mode:
in the weak correlation mode, when the security policy is applied, only the VPN index and the source IPv6 address are checked, and all addresses not in the security policy table are considered illegal addresses;
the strong correlation mode includes the following three types:
the VPN index, the source IPv6 address, the source MAC address and the interface index are all checked, and the message is considered legal only if all four match;
the VPN index, the source IPv6 address and the source MAC address are checked, and a refresh of the interface index and the VLAN TAG is considered legal;
the VPN index, the source IPv6 address, the interface index and the VLAN TAG are checked, and a refresh of the MAC address is considered legal.
According to another aspect of the present invention, there is also provided an ND attack prevention apparatus suitable for a DHCPv6 server, including an unsolicited NA message receiving module, a security policy table entry generating module, a security policy table entry updating module, and an illegal attack message filtering module, wherein:
the unsolicited NA message receiving module is used for receiving an unsolicited NA message sent by the DHCPv6 client, where the DHCPv6 client performs DAD detection after acquiring an IPv6 address and sends the unsolicited NA message to the DHCPv6 server after the detection succeeds;
the security policy table entry generating module is used for generating a security policy table entry for the first time according to the information carried by the unsolicited NA and the ingress interface information;
the security policy table entry updating module is used for carrying out NUD detection after the DHCPv6 client is online, and updating the security policy table entry according to the detection result;
and the illegal attack message filtering module is used for selecting a security policy mode according to the current network scenario when an ND message is received, and filtering out illegal attack messages accordingly.
Generally, compared with the prior art, the technical scheme of the invention has the following beneficial effects:
the method provided by the invention solves the practical problem that, in the scenario where the OLT equipment serves as the DHCPv6 server, a client under ND message attack cannot come online or cannot come back online after going offline, and provides a feasible scheme for preventing ND message spoofing attacks. The scheme does not increase the CPU load, does not need to be deployed at the peer end, and is a lightweight solution. Several verification schemes are designed for applying the security policy table, so that various service scenarios can be handled flexibly.
Drawings
FIG. 1 is a schematic diagram of the functional structure and interface of the security policy management module of the present invention with external modules;
FIG. 2 is a schematic flow chart of the ND attack prevention method applied to the DHCPv6 server side according to the present invention;
FIG. 3 is a flow chart of security policy table entry generation and refresh in an embodiment of the present invention;
FIG. 4 is a diagram illustrating state transition of a user ND entry during NUD detection according to an embodiment of the present invention;
FIG. 5 is a flow chart of security policy application in an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an ND attack prevention device suitable for the DHCPv6 server in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The root cause of ND attacks is that ND messages cannot be verified, so the correct binding between the client IP address, MAC address and port is not known, and abnormal ND messages therefore cannot be filtered. The prior art generally alleviates this problem in three directions:
firstly, limiting the size of the ND table: this cannot solve the problem in the scenario addressed by the invention, and only relieves the high CPU utilization caused by flooding attacks;
secondly, deploying SEND: according to RFC 3971, the SEND (Secure Neighbor Discovery) protocol is an enhanced mechanism for NDP (Neighbor Discovery Protocol) that uses CGAs (Cryptographically Generated Addresses), digital signatures, timestamps, etc. to protect NDP messages. However, this method of checking ND message validity has the following disadvantages: SEND has to run cryptographic computations on each message multiple times, which consumes a great deal of CPU and makes it unsuitable for scenarios with large ND tables; and SEND must be deployed and configured at both ends, whereas in current networks one end is often equipment from another vendor that cannot be flexibly deployed;
and thirdly, generating IP/MAC/PORT binding table entries for DHCPv6 clients through ND SNOOPING, DHCP SNOOPING or manual configuration. The SNOOPING mode has the problems that the generated table entries are not accurate and that the SNOOPING table can itself be attacked with forged protocol messages; the manual mode is complicated to configure and not suitable for large-scale tables.
As shown in FIG. 1, the technical solution to this problem is as follows: a software module capable of flexibly and intelligently checking ND message legality, the security policy management module, is designed at the DHCPv6 server side; it consists of a security policy table and a security policy application module. FIG. 1 is a schematic diagram of the functional structure of the security policy management module of the present invention and its interfaces with external modules, described as follows:
Attacker: an attacker forges NS or RS messages to carry out a flooding attack on the DHCPv6 server so that the ND table overflows and legal DHCPv6 clients cannot come online. Such attacks can be prevented by filtering through the security policy application.
DHCPv6 client: acquires a legal IPv6 address from the server; after the IPv6 address passes DAD, the IPv6 protocol state of the interface negotiates OK and goes UP. When the IPv6 protocol state of the interface is UP, the DHCPv6 client sends an unsolicited NA (Neighbor Advertisement) message.
DHCPv6 server: the OLT device serves as the DHCPv6 server, allocates legal IPv6 addresses and other network parameters to DHCPv6 clients, and adds the security policy management module, which filters illegal ND messages so that legal DHCPv6 clients can come online safely.
Security policy management module: the security policy management module includes a security policy table and a security policy application module.
Security policy table: the security policy table consists of security policy table entries; each entry comprises a VPN index, a source IPv6 address, a source MAC address, an interface index, a VLAN TAG and a valid flag bit, and the entries are used to determine which DHCPv6 clients are legal. A security policy table entry is generated for the first time from the information carried by the unsolicited NA message sent by the DHCPv6 client (at least the source IPv6 address of the client, and also its source MAC address) and the information obtained from the local message ingress interface (at least the VPN index of the DHCPv6 server, and also its interface index and VLAN TAG). In the scenario of the present invention, the security policy is refreshed after NUD detection is performed on the user ND entry generated by the DHCPv6 server. Refreshing the security policy table entry again according to the NUD result improves the accuracy of the security policy table.
Security policy application module: the ND message processing flow applies the security policy directly through an interface call. The security policy application module provides two application modes comprising four types of checks, which can be selected flexibly according to the actual service scenario.
ND module: after the DHCPv6 client comes online, a user ND table entry is generated at the server and Neighbor Unreachability Detection (NUD) is carried out on it; after detection, the state of a truly legal user's ND entry is refreshed to REACH, and the security policy table is refreshed accordingly, which further narrows the set of legal DHCPv6 clients and makes the security filtering more accurate.
Security policy table entry aging timer: deletes invalid security policy table entries at regular intervals, so that security policy application is more accurate.
As shown in fig. 2, the present invention provides an ND attack prevention method suitable for a DHCPv6 server, including:
S1, after acquiring an IPv6 address, the DHCPv6 client performs DAD (Duplicate Address Detection) and sends an unsolicited NA message to the DHCPv6 server after the detection succeeds;
S2, the DHCPv6 server generates a security policy table entry for the first time according to the information carried by the unsolicited NA and the ingress interface information;
S3, the DHCPv6 server carries out NUD detection after the DHCPv6 client is online, and updates the security policy table entry according to the detection result;
S4, when the DHCPv6 server receives an ND message, it selects a security policy mode according to the current network scenario to filter out illegal attack messages.
It should be noted that, according to RFC4861, only NS, NA, and RS may generate or refresh the ND table entry, and the step S4 refers to these three ND messages.
Fig. 3 is a flowchart of generating and refreshing a security policy table entry in an embodiment of the present invention, which specifically includes the following steps:
S11, the DHCPv6 server (OLT device) allocates an IPv6 address to the DHCPv6 client, and the DHCPv6 client obtains a legal IPv6 address.
S12, the DHCPv6 client carries out DAD detection on the acquired IPv6 address; after the detection succeeds it sets the IPv6 address to the available state, declares that the IPv6 protocol is available, and sends an unsolicited NA message to the DHCPv6 server.
S13, the DHCPv6 server receives the unsolicited NA packet sent by the DHCPv6 client and generates a security policy entry locally for the first time, according to the information carried in the unsolicited NA packet (at least the source IPv6 address of the DHCPv6 client, and also its source MAC address) and the ingress interface information (at least the VPN (Virtual Private Network) index, and also the interface index and VLAN TAG); the entry specifically includes the fields shown in the following table:
| VPN index | Interface index | Source IPv6 address | Source MAC address | VLAN TAG | Valid flag bit |
At this time, the valid flag bit of the security policy table entry is 0. It should be noted that the ND table entry takes the VPN index and the source IPv6 address as its KEY, and the MAC address of a neighbor can change, so the source MAC address is not a key field.
S14, when the first security policy table entry is generated, a security policy table entry aging timer is created; the timer is a cyclic timer, and the aging time is set to the upper bound of the time needed for the maximum number of DHCPv6 clients allowed to access the DHCPv6 server to all come online.
S15, in general, when the DHCPv6 client sends a data packet, it performs address resolution on the destination address and sends an NS packet to the DHCPv6 server. The DHCPv6 server generates the ND table entry of the user after receiving the NS message sent by the DHCPv6 client, and the state of the entry is STALE.
S16, according to RFC 4861, NUD detection is carried out when a user ND table entry in the STALE state reaches its aging time or is triggered by data traffic. After NUD detection is triggered, the ND table entry of the user moves from the STALE state to the DELAY state; according to RFC 4861, the entry moves to the PROBE state when the DELAY state has lasted for a preset time (5 s), and in the PROBE state the DHCPv6 server sends three NS messages to the DHCPv6 client (generally at an interval of 1 s). If the DHCPv6 client responds with an NA message, the detection is considered successful, and the DHCPv6 server refreshes the ND table entry of the user to the REACH state after receiving the NA message; if the DHCPv6 client does not respond, the detection is regarded as failed, and the DHCPv6 server deletes the ND table entry of the user. The state transitions of the user ND table entry in the scenario of the present invention are shown in FIG. 4.
S17, after NUD detection is finished, if the ND table entry of the user is refreshed to the REACH state, the valid flag bit of the corresponding security policy table entry is set to 1; if the ND table entry of the user is deleted, the corresponding security policy table entry is deleted; and when the aging timer of the security policy table expires, all security policy table entries whose valid flag bit is not 1 are aged out and deleted.
S18, if the deleted security policy table entry was the last entry, the security policy table entry aging timer is stopped, then deleted, and its resources are released.
S19, when the DHCPv6 server receives an ND message, the security policy is applied to filter out attacks by illegal messages.
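The following is an added simulation of steps S11 to S19, written for this page and not taken from the patent or from any OLT implementation. It models the security policy table keyed by (VPN index, source IPv6 address), the first-time generation of an entry from an unsolicited NA, the STALE/DELAY/PROBE/REACH walk of the user ND entry during NUD (S16), the valid-flag update or deletion after NUD (S17), the cyclic aging sweep, and the release of the aging timer when the last entry disappears (S18). All class and function names, the timer constants, and the sample addresses are assumptions made for the illustration.

```python
# Added example (not code from the patent): simulation of the security policy
# table lifecycle in steps S11-S19 and the NUD state walk of S16.
# Names, timer values and sample addresses are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[int, str]  # (VPN index, source IPv6 address) is the table KEY


@dataclass
class PolicyEntry:
    vpn_index: int
    interface_index: int
    source_ipv6: str
    source_mac: str
    vlan_tag: int
    valid: int = 0  # 0 when first generated (S13), 1 after NUD succeeds (S17)


@dataclass
class UserNdEntry:
    state: str = "STALE"  # generated in STALE on the client's first NS (S15)
    probes_sent: int = 0
    history: List[str] = field(default_factory=lambda: ["STALE"])


DELAY_TIME_S = 5      # DELAY lasts 5 s before PROBE (S16)
MAX_PROBES = 3        # three NS probes are sent in PROBE (S16)
PROBE_INTERVAL_S = 1  # one second between probes (S16)


def nud_detect(nd: UserNdEntry, client_answers_on_probe: Optional[int]) -> Optional[UserNdEntry]:
    """Walk STALE -> DELAY -> PROBE -> REACH (or deletion) as in S16.
    client_answers_on_probe is the probe number (1..3) after which the client
    returns an NA, or None if it never answers. Returns the refreshed entry on
    success, or None when the server deletes it."""
    if nd.state != "STALE":
        return nd  # NUD is only triggered from STALE
    for st in ("DELAY", "PROBE"):  # PROBE is entered after DELAY_TIME_S
        nd.state = st
        nd.history.append(st)
    for probe in range(1, MAX_PROBES + 1):  # one NS per PROBE_INTERVAL_S
        nd.probes_sent = probe
        if client_answers_on_probe == probe:
            nd.state = "REACH"  # NA received: detection succeeded
            nd.history.append("REACH")
            return nd
    return None  # no NA after MAX_PROBES: the entry is deleted


class SecurityPolicyTable:
    def __init__(self) -> None:
        self.entries: Dict[Key, PolicyEntry] = {}
        self.aging_timer_running = False

    def on_unsolicited_na(self, vpn_index: int, source_ipv6: str, source_mac: str,
                          interface_index: int, vlan_tag: int) -> PolicyEntry:
        """S13/S14: first-time generation from the NA plus ingress interface info;
        the cyclic aging timer is created together with the first entry."""
        key = (vpn_index, source_ipv6)
        if key not in self.entries:
            self.entries[key] = PolicyEntry(vpn_index, interface_index, source_ipv6,
                                            source_mac, vlan_tag)
        self.aging_timer_running = True
        return self.entries[key]

    def on_nud_result(self, vpn_index: int, source_ipv6: str, nd: Optional[UserNdEntry]) -> None:
        """S17: REACH sets the valid flag to 1; a deleted ND entry deletes the policy entry."""
        key = (vpn_index, source_ipv6)
        if key not in self.entries:
            return
        if nd is not None and nd.state == "REACH":
            self.entries[key].valid = 1
        else:
            self._delete(key)

    def on_aging_timer(self) -> int:
        """S17 (timer expiry): age out every entry whose valid flag is not 1."""
        aged = [k for k, e in self.entries.items() if e.valid != 1]
        for key in aged:
            self._delete(key)
        return len(aged)

    def _delete(self, key: Key) -> None:
        del self.entries[key]
        if not self.entries:  # S18: last entry gone, stop and release the timer
            self.aging_timer_running = False


def scenario() -> SecurityPolicyTable:
    """Constructed scenario: three NAs are learned; ::10 answers NUD on the second
    probe, ::11 never answers, ::12 never sends an NS so NUD never runs for it."""
    table = SecurityPolicyTable()
    for host in ("10", "11", "12"):
        table.on_unsolicited_na(1, f"2001:db8::{host}", f"00:11:22:33:44:{host}", 5, 100)
    table.on_nud_result(1, "2001:db8::10", nud_detect(UserNdEntry(), client_answers_on_probe=2))
    table.on_nud_result(1, "2001:db8::11", nud_detect(UserNdEntry(), client_answers_on_probe=None))
    return table
```

After `scenario()` the table holds ::10 with valid flag 1 and ::12 with valid flag 0; the next `on_aging_timer()` call removes only ::12, which is why S14 sizes the aging period to the time the full client population needs to come online: an aging period shorter than that would drop legitimate clients whose NUD has not completed yet.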
Fig. 5 is a flowchart of a security policy application in an embodiment of the present invention, which specifically includes the following steps:
in a typical application scenario of DHCPv6, after acquiring a legal IPv6 address, a DHCPv6 client triggers a DHCPv6 server to learn an ND entry of a user through address resolution, which is generally referred to as "user online".
When the DHCPv6 client comes online, it sends an NS request message to the DHCPv6 server; an attacker's flooding attack on the DHCPv6 server is also carried out by sending forged ND messages such as NS, NA and RS to the DHCPv6 server. When the DHCPv6 server receives an ND message, it applies the local security policy to check whether the received message is a legal DHCPv6 client message.
The security policy application provides two modes, comprising four types of checks, so that a suitable check can be selected flexibly according to the scenario.
Weak correlation mode: when the security policy is applied, only the source IPv6 address is checked, and all addresses not in the security policy table are considered illegal addresses.
The strong correlation mode has three types of checks:
a. the VPN index, the source IPv6 address, the source MAC address and the interface index are all checked, and the message is considered legal only if all four match;
b. the VPN index, the source IPv6 address and the source MAC address are checked, and a refresh of the interface index and the VLAN TAG is considered legal;
c. the VPN index, the source IPv6 address, the interface index and the VLAN TAG are checked, and a refresh of the source MAC address is considered legal.
After the security policy is applied and the validity check passes, a user ND table entry is generated, and an entry in the REACH state refreshes the security policy table in turn; if the generated entry is not in REACH, NUD detection is carried out and the security policy table is refreshed according to the detection result;
after the security policy is applied, the ND message is discarded if the security policy check finds it illegal.
It should be noted that weak correlation means the matching condition is loose, but matching an ND entry requires at least matching its KEY, so at least the VPN index and the source IPv6 address are matched; the other, optional fields are only used together with the valid flag and do not participate in matching. Strong correlation means the matching condition is stricter, so fields other than the KEY fields must also match.
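The four checks above, implemented as an added example for this page (not the patent's or any vendor's code). The entry layout follows the S13 table, the KEY is (VPN index, source IPv6 address) as the note above states, and the three strong types differ only in which non-key fields must match and which may be refreshed in place. The mode names, the `NdMessage` structure and the sample addresses are assumptions. The valid flag is deliberately not part of the match: between the unsolicited NA and the end of NUD the entry still has valid flag 0, and the client's first NS has to pass the check so that its user ND entry can be generated at all (S15, S19).

```python
# Added example (not code from the patent): the weak correlation check and the
# three strong correlation checks applied to an incoming ND message (NS/NA/RS).
# Mode names, the message structure and sample values are assumptions.
from dataclasses import dataclass
from typing import Dict, Tuple

Key = Tuple[int, str]  # (VPN index, source IPv6 address) is the KEY


@dataclass
class PolicyEntry:
    vpn_index: int
    interface_index: int
    source_ipv6: str
    source_mac: str
    vlan_tag: int
    valid: int = 0


@dataclass
class NdMessage:
    """Fields of a received ND message plus its ingress interface information."""
    vpn_index: int
    interface_index: int
    source_ipv6: str
    source_mac: str
    vlan_tag: int


WEAK = "weak"          # KEY only: VPN index + source IPv6 address
STRONG_A = "strong-a"  # KEY + source MAC + interface index must all match
STRONG_B = "strong-b"  # KEY + source MAC; interface index and VLAN TAG may be refreshed
STRONG_C = "strong-c"  # KEY + interface index + VLAN TAG; source MAC may be refreshed


def apply_security_policy(table: Dict[Key, PolicyEntry], msg: NdMessage, mode: str) -> bool:
    """Return True if msg is a legal DHCPv6 client message under mode; an
    illegal message is to be discarded by the caller. Types B and C refresh
    the matched entry as a side effect, as the text describes."""
    entry = table.get((msg.vpn_index, msg.source_ipv6))
    if entry is None:
        return False  # not in the security policy table: illegal in every mode
    if mode == WEAK:
        return True
    if mode == STRONG_A:
        return (entry.source_mac == msg.source_mac
                and entry.interface_index == msg.interface_index)
    if mode == STRONG_B:
        if entry.source_mac != msg.source_mac:
            return False
        entry.interface_index = msg.interface_index  # legal refresh
        entry.vlan_tag = msg.vlan_tag
        return True
    if mode == STRONG_C:
        if entry.interface_index != msg.interface_index or entry.vlan_tag != msg.vlan_tag:
            return False
        entry.source_mac = msg.source_mac  # legal refresh
        return True
    raise ValueError(f"unknown security policy mode: {mode}")


def sample_table() -> Dict[Key, PolicyEntry]:
    """Constructed table with one legitimate client that has passed NUD."""
    e = PolicyEntry(1, 5, "2001:db8::10", "00:11:22:33:44:10", 100, valid=1)
    return {(e.vpn_index, e.source_ipv6): e}


def evaluate(msg: NdMessage) -> Dict[str, bool]:
    """Run msg through all four checks, each against a fresh copy of the table,
    so the refresh side effects of B and C do not leak between modes."""
    return {mode: apply_security_policy(sample_table(), msg, mode)
            for mode in (WEAK, STRONG_A, STRONG_B, STRONG_C)}
```

`evaluate` makes the trade-off between the types visible: a message from the known address on a different port and VLAN passes WEAK and B only, a message with a changed MAC passes WEAK and C only, and a source address (or VPN index) that was never learned from an unsolicited NA fails in every mode, which is what stops forged NS/RS floods from creating ND entries.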
Further, as shown in fig. 6, the present invention also provides an ND attack prevention device suitable for the DHCPv6 server, which includes an unsolicited NA message receiving module, a security policy table entry generating module, a security policy table entry updating module, and an illegal attack message filtering module, wherein:
the unsolicited NA message receiving module is used for receiving an unsolicited NA message sent by a DHCPv6 client, where the DHCPv6 client performs DAD detection after acquiring an IPv6 address and sends the unsolicited NA message to the DHCPv6 server after the detection succeeds;
the security policy table entry generating module is used for generating a security policy table entry for the first time according to the information carried by the unsolicited NA and the ingress interface information;
the security policy table entry updating module is used for carrying out NUD detection after the DHCPv6 client is online, and updating the security policy table entry according to the detection result;
and the illegal attack message filtering module is used for selecting a security policy mode according to the current network scenario when an ND message is received, and filtering out illegal attack messages accordingly.
Further, the information carried by the unsolicited NA at least includes a source IPv6 address of the DHCPv6 client, and the ingress interface information at least includes a VPN index of the DHCPv6 server.
Further, the security policy table entry contains at least a VPN index and a source IPv6 address.
Further, the valid flag bit of the security policy table entry is 0 when the security policy table entry is generated for the first time.
Further, the performing, by the DHCPv6 server, the NUD detection after the DHCPv6 client is online includes:
after the NUD detection is triggered, the ND table entry of the user is transferred to a DELAY state from a STALE state, the state of the table entry is transferred to a PROBE state when the DELAY state lasts for a preset time, and the DHCPv6 server side sends NS messages to the DHCPv6 client side three times in the PROBE state; if the DHCPv6 client responds to the NA message, the detection is considered to be successful, and the DHCPv6 server refreshes the ND table entry of the user to be in a REACH state after receiving the NA message responded by the DHCPv6 client; if the DHCPv6 client does not respond, the detection is regarded as failed, and the DHCPv6 server deletes the ND table entry of the user.
Further, the ND entry of the user is specifically:
when the client sends the data message, the DHCPv6 performs address resolution online on the destination address, at this time, the DHCPv6 client sends the NS message to the DHCPv6 server, and the DHCPv6 server generates the ND entry of the user after receiving the NS message sent by the DHCPv6 client, and at this time, the entry state is stable.
Further, updating the security policy table entry according to the detection result includes:
after the NUD detection is finished, if the ND table entry of the user is refreshed to be in a REACH state, the effective mark position 1 of the corresponding safety strategy table entry is marked; if the ND table entry of the user is deleted, deleting the corresponding security policy table entry; and when the aging timer of the security policy table entry is overtime, aging and deleting all the security policy table entries of which the valid mark positions are not set to be 1.
Further, the security policy table entry aging timer is specifically:
when the first security policy table entry is generated for the first time, a security policy table entry aging timer is created, the timer is set to be a cycle timer, and the aging time is set to be the highest threshold of the time required by the maximum DHCPv6 client number allowed to be accessed by the DHCPv6 to be online all.
Further, when receiving an ND message, the DHCPv6 server flexibly selects a security policy mode according to the current network scenario to filter out illegal attack messages; the modes include a weak correlation mode and a strong correlation mode, wherein:
in the weak correlation mode, when the security policy is applied only the VPN index and the source IPv6 address are checked, and every address that is not in the security policy table is considered an illegal address;
the strong correlation modes include:
the VPN index, the source IPv6 address, the source MAC address and the interface index are all checked, and a message is considered legal only when all four match;
the VPN index, the source IPv6 address and the source MAC address are checked, and a refresh of the interface index and the VLAN TAG is considered legal;
the VPN index, the source IPv6 address, the interface index and the VLAN TAG are checked, and a refresh of the MAC address is considered legal.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. An ND attack prevention method applicable to a DHCPv6 server, characterized by comprising the following steps:
the DHCPv6 server receives an unsolicited NA message sent by a DHCPv6 client, wherein the unsolicited NA message is sent to the DHCPv6 server by the DHCPv6 client after it has acquired an IPv6 address and the DAD detection on that address has succeeded;
the DHCPv6 server generates a security policy table entry for the first time according to the information carried by the unsolicited NA and the access interface information;
the DHCPv6 server performs NUD detection after the DHCPv6 client comes online, and updates the security policy table entry according to the detection result;
when receiving an ND message, the DHCPv6 server selects a security policy mode according to the current network scenario to filter out illegal attack messages.
2. The ND attack prevention method applicable to the DHCPv6 server of claim 1, wherein the information carried by the unsolicited NA at least includes the source IPv6 address of the DHCPv6 client, and the access interface information at least includes the VPN index of the DHCPv6 server.
3. The ND attack prevention method applicable to the DHCPv6 server of claim 2, wherein the security policy table entry comprises at least the VPN index and the source IPv6 address.
4. The ND attack prevention method applicable to the DHCPv6 server of claim 3, wherein the valid flag bit of the security policy table entry is 0 when the entry is first generated.
5. The ND attack prevention method applicable to the DHCPv6 server of claim 1 or 2, wherein the DHCPv6 server performing NUD detection after the DHCPv6 client comes online comprises:
after the NUD detection is triggered, the ND table entry of the user is transferred from the STALE state to the DELAY state; when the DELAY state has lasted for a preset time the entry is transferred to the PROBE state, and in the PROBE state the DHCPv6 server sends NS messages to the DHCPv6 client three times. If the DHCPv6 client responds with an NA message, the detection is considered successful, and on receiving that NA message the DHCPv6 server refreshes the ND table entry of the user to the REACH state; if the DHCPv6 client does not respond, the detection is considered failed, and the DHCPv6 server deletes the ND table entry of the user.
6. The ND attack prevention method applicable to the DHCPv6 server of claim 5, wherein the ND entry of the user is specifically:
when the DHCPv6 client comes online and sends a data message, it performs address resolution on the destination address; at this time the DHCPv6 client sends an NS message to the DHCPv6 server, and the DHCPv6 server generates the ND entry of the user after receiving that NS message, the entry being in the STALE state at this point.
7. The ND attack prevention method applicable to the DHCPv6 server of claim 5, wherein updating the security policy table entry according to the detection result comprises:
after the NUD detection is finished, if the ND table entry of the user has been refreshed to the REACH state, the valid flag bit of the corresponding security policy table entry is set to 1; if the ND table entry of the user has been deleted, the corresponding security policy table entry is deleted; and when the aging timer of the security policy table entries expires, all security policy table entries whose valid flag bit is not set to 1 are aged out and deleted.
8. The ND attack prevention method applicable to the DHCPv6 server of claim 7, wherein the security policy table entry aging timer is specifically:
when the first security policy table entry is generated, a security policy table entry aging timer is created; the timer is a cyclic timer, and the aging time is set to the upper bound of the time needed for the maximum number of DHCPv6 clients that the DHCPv6 server allows to access to all come online.
9. The ND attack prevention method applicable to the DHCPv6 server of claim 1 or 2, wherein when receiving an ND message the DHCPv6 server flexibly selects a security policy mode according to the current network scenario to filter out illegal attack messages, the security policy modes including a weak correlation mode and a strong correlation mode, wherein:
in the weak correlation mode, when the security policy is applied only the VPN index and the source IPv6 address are checked, and every address that is not in the security policy table is considered an illegal address;
the strong correlation modes include:
the VPN index, the source IPv6 address, the source MAC address and the interface index are all checked, and a message is considered legal only when all four match;
the VPN index, the source IPv6 address and the source MAC address are checked, and a refresh of the interface index and the VLAN TAG is considered legal;
the VPN index, the source IPv6 address, the interface index and the VLAN TAG are checked, and a refresh of the MAC address is considered legal.
10. An ND attack prevention device applicable to a DHCPv6 server, characterized by comprising an unsolicited NA message receiving module, a security policy table entry generating module, a security policy table entry updating module and an illegal attack message filtering module, wherein:
the unsolicited NA message receiving module is used for receiving an unsolicited NA message sent by the DHCPv6 client, wherein the unsolicited NA message is sent to the DHCPv6 server by the DHCPv6 client after it has acquired an IPv6 address and the DAD detection on that address has succeeded;
the security policy table entry generating module is used for generating a security policy table entry for the first time according to the information carried by the unsolicited NA and the access interface information;
the security policy table entry updating module is used for performing NUD detection after the DHCPv6 client comes online, and updating the security policy table entry according to the detection result;
and the illegal attack message filtering module is used for filtering out illegal attack messages by selecting a security policy mode according to the current network scenario when an ND message is received.
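The security policy table lifecycle described in the embodiment above and in claims 1, 4, 7 and 9 (entry created with valid flag 0 from the DAD-verified unsolicited NA, set to 1 or deleted by the NUD result, aged out while still 0, and then used to filter ND messages in weak or strong correlation mode), as an added Python example that is not part of the patent; the class, method and field names, the mode names and the in-memory dictionary are assumptions.

```python
from dataclasses import dataclass

@dataclass
class PolicyEntry:
    vpn: int          # VPN index of the DHCPv6 server access interface
    ip: str           # source IPv6 address of the DHCPv6 client
    mac: str          # source MAC address
    ifindex: int      # access interface index
    vlan: int         # VLAN tag
    valid: int = 0    # valid flag bit: 0 when first generated, 1 after NUD succeeds

class PolicyTable:
    """Security policy table keyed by (VPN index, source IPv6 address) (assumed layout)."""
    def __init__(self):
        self.entries = {}
    def on_unsolicited_na(self, vpn, ip, mac, ifindex, vlan):
        # First generation from the unsolicited NA: the valid flag stays 0 until NUD succeeds.
        self.entries.setdefault((vpn, ip), PolicyEntry(vpn, ip, mac, ifindex, vlan))
    def on_nud_result(self, vpn, ip, reachable):
        # ND entry refreshed to REACH -> valid flag 1; ND entry deleted -> policy entry deleted.
        entry = self.entries.get((vpn, ip))
        if entry is None:
            return
        if reachable:
            entry.valid = 1
        else:
            del self.entries[(vpn, ip)]
    def on_aging_timer(self):
        # Cyclic aging timer expiry: age out every entry whose valid flag is still not 1.
        self.entries = {k: e for k, e in self.entries.items() if e.valid == 1}
    def check(self, mode, vpn, ip, mac, ifindex, vlan):
        # True if an ND message carrying these fields passes the selected policy mode.
        entry = self.entries.get((vpn, ip))
        if entry is None:               # every mode: address not in the table is illegal
            return False
        if mode == "weak":              # only VPN index and source IPv6 address are checked
            return True
        if mode == "strong_all":        # MAC and interface index must match as well
            return entry.mac == mac and entry.ifindex == ifindex
        if mode == "strong_mac":        # MAC bound; interface index / VLAN tag may be refreshed
            if entry.mac != mac:
                return False
            entry.ifindex, entry.vlan = ifindex, vlan
            return True
        if mode == "strong_port":       # interface index / VLAN tag bound; MAC may be refreshed
            if entry.ifindex != ifindex or entry.vlan != vlan:
                return False
            entry.mac = mac
            return True
        raise ValueError(f"unknown security policy mode: {mode}")
```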

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110004986.XA CN112714133B (en) 2021-01-04 2021-01-04 ND attack prevention method and device suitable for DHCPv6 server

Publications (2)

Publication Number Publication Date
CN112714133A true CN112714133A (en) 2021-04-27
CN112714133B CN112714133B (en) 2022-04-19

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101651696A (en) * 2009-09-17 2010-02-17 杭州华三通信技术有限公司 Method and device for preventing neighbor discovery (ND) attack
CN101753458A (en) * 2009-12-30 2010-06-23 杭州华三通信技术有限公司 Method and device for processing ND neighbor table entry
CN102546428A (en) * 2012-02-03 2012-07-04 神州数码网络(北京)有限公司 System and method for internet protocol version 6 (IPv6) message switching based on dynamic host configuration protocol for IPv6 (DHCPv6) interception
US20130291117A1 (en) * 2012-04-30 2013-10-31 Cisco Technology, Inc. Protecting address resolution protocol neighbor discovery cache against denial of service attacks
CN106878326A (en) * 2017-03-21 2017-06-20 中国人民解放军信息工程大学 IPv6 neighbor cache protection method and device based on reverse detection
CN107547496A (en) * 2017-05-08 2018-01-05 新华三技术有限公司 Neighbor entry processing method and device
CN107612937A (en) * 2017-10-26 2018-01-19 武汉理工大学 DHCP flooding attack detection and defense method under SDN

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孙雅娟 et al.: "Research on ND protocol security in university IPv6 campus networks", Journal of North China Electric Power University (Social Sciences Edition) *
魏延辉: "Design and implementation of a security defense system based on the IPv6 campus access layer", China Master's Theses Full-text Database *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant