CN112822148A - Internet of things sensing layer terminal ARP man-in-the-middle attack protection design - Google Patents


Info

Publication number
CN112822148A
Authority
CN
China
Prior art keywords
network
arp
internet
data
same
Legal status
Granted
Application number
CN202010828742.9A
Other languages
Chinese (zh)
Other versions
CN112822148B (en)
Inventor
顾铠羟
Current Assignee
Beijing Credit Information Technology Co ltd
Original Assignee
Beijing Credit Information Technology Co ltd
Priority date
2020-08-17
Filing date
2020-08-17
Publication date
2021-05-18
Application filed by Beijing Credit Information Technology Co ltd
Priority to CN202010828742.9A
Publication of CN112822148A
Application granted
Publication of CN112822148B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention relates to the field of computer terminal access security, and in particular to an ARP (Address Resolution Protocol) man-in-the-middle attack protection design for Internet of Things sensing layer terminals. It comprises two parts: 1. network data and ARP messages within the same network segment sent by the Internet of Things terminal are routed through the Netfilter module of the Linux kernel network subsystem, and the ARP messages of the same IP network segment are captured; 2. using an MTK SoC of MIPS architecture and a modified kernel module of the Linux network subsystem, the invention detects and safely isolates same-segment ARP data at the kernel layer, thereby protecting against ARP man-in-the-middle attacks; at the same time, the SoC chips of the MTK7621, MTK7628 and MTK7620 series are cheap and can be deployed in large numbers at the edge layer of the Internet of Things.

Description

Internet of things sensing layer terminal ARP man-in-the-middle attack protection design
Technical Field
The invention relates to the field of computer terminal access security, and in particular to a design for protecting Internet of Things sensing layer terminals against ARP man-in-the-middle attacks.
Background
With the development of computer networks and the growth of the industrial internet and the Internet of Things, the security of the network environment places higher security requirements on the equipment in the network. The Internet of Things sensing layer refers, in an Internet of Things network environment, to the terminal equipment at the outermost layer of the network that performs information acquisition and instruction execution. It is the very end of the whole network environment, has no downstream network equipment connected to it, and is often deployed in unattended environments; examples are smart cameras, road monitoring devices, smart street lamps and community electronic notice screens.
Current implementations on the market:
1. Implementation with a layer-3 switch: devices of different network types, and networks of the same type, are divided into different IP network segments. In the example of an IP address attack, if the IP address of A is 192.168.40.a and the IP address of B is 192.168.1.b, traffic between them is forwarded by routing or NAT, so network discovery between A and B does not take place through the routing protocol, and ARP man-in-the-middle attacks between them are prevented. The problem with this implementation: because sensing terminals are large in number and their deployment and planning take a long time (it is a long-term process), giving each terminal its own IP segment increases the complexity of the network topology and the implementation cost and is not sustainable (every newly added terminal requires new IP network segments to be divided and designed, the engineering effort is huge, and the method is basically infeasible). It is therefore mainly used at the aggregation layer and is basically infeasible at the Internet of Things sensing layer.
2. Implementation with a gateway that has a lateral isolation function: most such devices are implemented on Intel X86 architecture chips, and very few on self-developed chips (such as hua shi), so the devices are expensive (more than 4000 yuan) and difficult to deploy on a large scale upstream of every Internet of Things sensing layer terminal; they too are intended for the aggregation layer. Some Internet of Things sensing layer terminals are deployed in remote areas and are powered by a solar panel and a storage battery, which cannot supply the power that a high-power gateway needs.
The ordinary gateways deployed at the edge layer of the Internet of Things are numerous but have no security defence against ARP man-in-the-middle attacks, so a method is needed for detecting ARP man-in-the-middle attacks against sensing layer terminals and carrying out the corresponding protection and control.
Disclosure of Invention
The invention aims to remedy the defects of the prior art by providing an ARP (Address Resolution Protocol) man-in-the-middle attack protection design for Internet of Things sensing layer terminals.
To achieve the above purposes, the technical scheme adopted by the invention is as follows: the design for protecting Internet of Things sensing layer terminals against ARP man-in-the-middle attacks comprises the following two parts:
(1) network data and ARP messages within the same network segment sent by the Internet of Things terminal are routed to the Netfilter module of the Linux kernel network subsystem, and the ARP messages of the same IP network segment are captured, by the following steps:
(i) take an SoC chip supporting multiple network ports, specifically one of the MTK7621, MTK7628 and MTK7620 series, and assign each network port of the SoC chip to its own virtual local area network (VLAN);
(ii) attach each VLAN to the same network bridge;
(iii) send the network data and ARP messages of the same network segment to the Netfilter module of the Linux kernel;
(iv) Netfilter returns the processed network data and ARP messages of the same network segment to the bridge, which forwards the processed traffic to every network port other than the one it arrived on;
(2) an ARP man-in-the-middle attack judgement function is executed in Netfilter to detect ARP man-in-the-middle attack behaviour; the specific implementation steps are:
(i) after the traffic has passed through the Netfilter module of the Linux kernel network subsystem, a hook function is mounted at the NF_ARP_FORWARD node of Netfilter; it captures frames of the ARP protocol type and thereby captures and separates out the ARP messages;
(ii) the Netfilter module performs protocol analysis on the captured ARP message and determines whether the IP address bound to the MAC address carried in the ARP message, in broadcasts and in communication, is the real IP;
(iii) if the IP analysed by the Netfilter module is not the real IP, the Netfilter module immediately blocks the communication.
Furthermore, the IP of the Internet of Things terminal is kept unchanged and the IPs within the same LAN are in the same network segment; the Internet of Things terminals are deployed in the same network segment without re-dividing the IP network segment.
Compared with the prior art, the invention has the following beneficial effects:
1. the cost is reduced, so the system can be deployed in large numbers at the edge layer of the Internet of Things;
2. the power consumption is reduced: the power consumption of the MTK SoC is far lower than that of schemes such as X86;
3. ARP attack detection and blocking control are realised within the same IP network segment, defending against ARP man-in-the-middle attacks. The edge layer of the Internet of Things is deployed in the same IP network segment, which meets the deployment requirement and allows long-term, sustainable deployment.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention may be realized and attained by the means of the instrumentalities and combinations particularly pointed out hereinafter.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below, and it is obvious that the described embodiments are a part of the embodiments of the present invention, but not all of the embodiments.
In the above description of the invention, it is noted that the orientation or positional relationship conventionally used in the manufacture of the invention is for convenience in describing and simplifying the invention, and is not intended to indicate or imply that the device or element so referred to must have a particular orientation, be constructed and operated in a particular orientation, and is therefore not to be construed as limiting the invention. Furthermore, the terms "first," "second," and the like are used merely to distinguish one description from another, and are not to be construed as indicating or implying relative importance.
Further, the term "identical" and the like do not mean that the components are absolutely required to be identical, but may have slight differences. The term "perpendicular" merely means that the positional relationship between the components is more perpendicular than "parallel", and does not mean that the structure must be perfectly perpendicular, but may be slightly inclined.
The following description is presented to disclose the invention so as to enable any person skilled in the art to practice the invention. The preferred embodiments in the following description are given by way of example only, and other obvious variations will occur to those skilled in the art.
The design for protecting Internet of Things sensing layer terminals against ARP man-in-the-middle attacks comprises the following two parts:
(1) network data and ARP messages within the same network segment sent by the Internet of Things terminal are routed to the Netfilter module of the Linux kernel network subsystem, and the ARP messages of the same IP network segment are captured, by the following steps:
(i) take an SoC chip supporting multiple network ports, specifically one of the MTK7621, MTK7628 and MTK7620 series, and assign each network port of the SoC chip to its own virtual local area network (VLAN);
(ii) attach each VLAN to the same network bridge;
(iii) send the network data and ARP messages of the same network segment to the Netfilter module of the Linux kernel;
(iv) Netfilter returns the processed network data and ARP messages of the same network segment to the bridge, which forwards the processed traffic to every network port other than the one it arrived on;
(2) an ARP man-in-the-middle attack judgement function is executed in Netfilter to detect ARP man-in-the-middle attack behaviour; the specific implementation steps are:
(i) after the traffic has passed through the Netfilter module of the Linux kernel network subsystem, a hook function is mounted at the NF_ARP_FORWARD node of Netfilter; it captures frames of the ARP protocol type and thereby captures and separates out the ARP messages;
(ii) the Netfilter module performs protocol analysis on the captured ARP message and determines whether the IP address bound to the MAC address carried in the ARP message, in broadcasts and in communication, is the real IP;
(iii) if the IP analysed by the Netfilter module is not the real IP, the Netfilter module immediately blocks the communication.
The IP of the Internet of Things terminal is kept unchanged and the IPs within the same LAN are in the same network segment; the Internet of Things terminals are deployed in the same network segment without re-dividing the IP network segment.
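Part (2) above, like the identical step list in the Disclosure of Invention, describes a Netfilter hook at NF_ARP_FORWARD that parses each ARP message crossing the bridge and blocks it when the MAC-to-IP binding it announces is not the real one. The following is an added example, not code from the patent or its assignee: a user-space C model of that hook's decision logic. It assumes the operator provisions a table of the real MAC-to-IP bindings on the segment (the patent does not say how the real IP is established), it accepts 802.1Q-tagged frames because the design bridges per-port VLANs, and it goes beyond the patent in two places: it also drops ARP whose sender MAC differs from the frame's Ethernet source, and it passes RFC 5227 ARP probes (sender IP 0.0.0.0) because they claim no binding. The kernel registration of the hook (nf_register_net_hook with NFPROTO_ARP) and the bridge and VLAN setup of part (1) are not reproduced; build_arp_frame only constructs sample frames so that the verdicts can be exercised offline.

```c
/* Added example (not the patent's code): user-space model of the ARP check the
 * patent places in a Netfilter NF_ARP_FORWARD hook on the bridge. Kernel
 * plumbing (bridge, VLANs, nf_register_net_hook) is assumed and not shown. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_ARP  0x0806
#define ETHERTYPE_VLAN 0x8100
#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };   /* same values as NF_DROP / NF_ACCEPT */
struct binding { uint8_t mac[6]; uint32_t ip; };         /* operator-provisioned real MAC->IP pair (assumed) */
struct arp_pkt { uint16_t op; uint8_t sha[6]; uint32_t spa; uint8_t tha[6]; uint32_t tpa; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return IP4(p[0], p[1], p[2], p[3]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Parse an Ethernet frame (optionally 802.1Q-tagged, since the design bridges
 * per-port VLANs). Returns 1 for well-formed IPv4-over-Ethernet ARP, 0 for a
 * non-ARP frame, -1 for ARP that is truncated or has unexpected field sizes. */
static int parse_arp(const uint8_t *f, size_t len, uint8_t eth_src[6], struct arp_pkt *a)
{
    size_t off = 12;
    if (len < 14) return -1;
    memcpy(eth_src, f + 6, 6);
    uint16_t type = rd16(f + off);
    if (type == ETHERTYPE_VLAN) {               /* step over the 4-byte VLAN tag */
        if (len < 18) return -1;
        off += 4;
        type = rd16(f + off);
    }
    if (type != ETHERTYPE_ARP) return 0;
    off += 2;
    if (len < off + 28) return -1;              /* the 28-byte ARP header must be complete */
    const uint8_t *p = f + off;
    if (rd16(p) != 1 || rd16(p + 2) != 0x0800 || p[4] != 6 || p[5] != 4) return -1;
    a->op = rd16(p + 6);
    memcpy(a->sha, p + 8, 6);  a->spa = rd32(p + 14);
    memcpy(a->tha, p + 18, 6); a->tpa = rd32(p + 24);
    return 1;
}

/* The hook's verdict for one frame the bridge is about to forward. */
enum verdict inspect_arp(const uint8_t *f, size_t len, const struct binding *tbl, size_t n)
{
    uint8_t eth_src[6];
    struct arp_pkt a;
    int r = parse_arp(f, len, eth_src, &a);
    if (r == 0) return VERDICT_ACCEPT;                  /* not ARP: outside this hook */
    if (r < 0 || (a.op != 1 && a.op != 2)) return VERDICT_DROP;
    /* Added beyond the patent: the ARP sender MAC must equal the frame's
     * Ethernet source MAC, otherwise the layer-2 source itself is forged. */
    if (memcmp(eth_src, a.sha, 6) != 0) return VERDICT_DROP;
    if (a.op == 1 && a.spa == 0) return VERDICT_ACCEPT; /* RFC 5227 probe: claims no binding */
    for (size_t i = 0; i < n; i++) {
        int mac_known = memcmp(tbl[i].mac, a.sha, 6) == 0;
        int ip_known  = tbl[i].ip == a.spa;
        /* A known MAC announcing a different IP, or a known IP announced by a
         * MAC that does not own it: the sender IP is "non-real" in the patent's
         * terms, so the frame is blocked instead of being bridged onward. */
        if (mac_known != ip_known) return VERDICT_DROP;
    }
    return VERDICT_ACCEPT;                              /* consistent, or not in the table */
}

/* Build a constructed ARP frame to exercise the hook; returns its length.
 * eth_src may be NULL to use sha as the Ethernet source, as real hosts do. */
size_t build_arp_frame(uint8_t *buf, const uint8_t *eth_src, int tagged, uint16_t op,
                       const uint8_t *sha, uint32_t spa, const uint8_t *tha, uint32_t tpa)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    size_t off = 0;
    memcpy(buf + off, op == 2 ? tha : bcast, 6); off += 6;
    memcpy(buf + off, eth_src ? eth_src : sha, 6); off += 6;
    if (tagged) { wr16(buf + off, ETHERTYPE_VLAN); wr16(buf + off + 2, 10); off += 4; }
    wr16(buf + off, ETHERTYPE_ARP); off += 2;
    wr16(buf + off, 1); wr16(buf + off + 2, 0x0800); buf[off + 4] = 6; buf[off + 5] = 4;
    wr16(buf + off + 6, op); off += 8;
    memcpy(buf + off, sha, 6); wr32(buf + off + 6, spa); off += 10;
    memcpy(buf + off, tha, 6); wr32(buf + off + 6, tpa); off += 10;
    return off;
}

/* Constructed sample segment: a gateway, one IoT terminal, and a MAC not in the table. */
static const uint8_t GW_MAC[6] = {2, 0, 0, 0, 0, 1}, TERM_MAC[6] = {2, 0, 0, 0, 0, 20}, ROGUE_MAC[6] = {2, 0, 0, 0, 0, 99};
static const struct binding SEGMENT[] = { { {2, 0, 0, 0, 0, 1},  IP4(192, 168, 1, 1)  },   /* gateway  */
                                          { {2, 0, 0, 0, 0, 20}, IP4(192, 168, 1, 20) } }; /* terminal */
#define SEGMENT_LEN (sizeof SEGMENT / sizeof SEGMENT[0])

int main(void)
{
    uint8_t buf[64];
    size_t n = build_arp_frame(buf, NULL, 0, 2, GW_MAC, IP4(192, 168, 1, 1), TERM_MAC, IP4(192, 168, 1, 20));
    printf("genuine gateway reply: %s\n", inspect_arp(buf, n, SEGMENT, SEGMENT_LEN) ? "accept" : "drop");
    n = build_arp_frame(buf, NULL, 0, 2, ROGUE_MAC, IP4(192, 168, 1, 1), TERM_MAC, IP4(192, 168, 1, 20));
    printf("unknown MAC claiming gateway IP: %s\n", inspect_arp(buf, n, SEGMENT, SEGMENT_LEN) ? "accept" : "drop");
    return 0;
}
```

In the kernel, inspect_arp would be the body of the hook registered at NF_ARP_FORWARD and would be handed the skb's data; its VERDICT_DROP is the point at which the patent's "immediately blocks the communication" happens, since a dropped frame is never bridged to the other ports. The static binding table is the weak spot of such a design in practice: it has to be updated whenever a terminal is replaced, and a deployment would normally also log every dropped frame with its sender MAC and port so that an attempted poisoning is visible to operators and not merely suppressed.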
The foregoing shows and describes the general principles, essential features, and advantages of the invention.
It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are merely illustrative of the principles of the invention, but that various changes and modifications may be made without departing from the spirit and scope of the invention, which fall within the scope of the invention as claimed.
The scope of the invention is indicated by the appended claims and their equivalents.

Claims (2)

1. The design for protecting Internet of Things sensing layer terminals against ARP man-in-the-middle attacks, characterized by comprising the following two parts:
(1) network data and ARP messages within the same network segment sent by the Internet of Things terminal are routed to the Netfilter module of the Linux kernel network subsystem, and the ARP messages of the same IP network segment are captured, by the following steps:
(i) taking an SoC chip supporting multiple network ports, the SoC chip being specifically one of the MTK7621, MTK7628 and MTK7620 series, and assigning each network port of the SoC chip to its own virtual local area network;
(ii) attaching each virtual local area network to the same network bridge;
(iii) sending the network data and ARP messages of the same network segment to the Netfilter module of the Linux kernel;
(iv) Netfilter sending the processed network data and ARP messages of the same network segment to the bridge, which forwards the processed traffic to every network port other than the sending port;
(2) executing an ARP man-in-the-middle attack judgement function in Netfilter to detect ARP man-in-the-middle attack behaviour, the specific implementation steps being:
(i) after the traffic has passed through the Netfilter module of the Linux kernel network subsystem, mounting a hook function at the NF_ARP_FORWARD node of Netfilter, capturing frames of the ARP protocol type and thereby capturing and separating out the ARP messages;
(ii) the Netfilter module performing protocol analysis on the captured ARP message and determining whether the IP address bound to the MAC address carried in the ARP message, in broadcasts and in communication, is the real IP;
(iii) if the IP analysed by the Netfilter module is not the real IP, the Netfilter module immediately blocking the communication.
2. The design is characterized in that the IP of the Internet of Things terminal is kept unchanged and the IPs within the same LAN are in the same network segment, wherein the Internet of Things terminals are deployed in the same network segment without re-dividing the IP network segment.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010828742.9A CN112822148B (en) 2020-08-17 2020-08-17 Internet of things sensing layer terminal ARP man-in-the-middle attack protection design


Publications (2)

Publication Number Publication Date
CN112822148A (en) 2021-05-18
CN112822148B (en) 2023-02-21

Family

ID=75853212


Country Status (1)

Country Link
CN (1) CN112822148B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140181972A1 (en) * 2012-04-18 2014-06-26 Zimperium, Inc. Preventive intrusion device and method for mobile devices
CN105262738A (en) * 2015-09-24 2016-01-20 上海斐讯数据通信技术有限公司 Router and method for preventing ARP attacks thereof
CN106982234A (en) * 2017-05-26 2017-07-25 杭州迪普科技股份有限公司 A kind of ARP attack defense methods and device


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Chen Jun et al.: "Linux-based ARP detection and defense system" (基于Linux的ARP检测与防御系统), Cyberspace Security (网络空间安全) *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant