CN112822148A - Internet of things sensing layer terminal ARP man-in-the-middle attack protection design - Google Patents
- Publication number: CN112822148A
- Application number: CN202010828742.9A
- Authority: CN (China)
- Prior art keywords: network, arp, internet, data, same
- Legal status: Granted
Classifications (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
  - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
      - H04L63/1416—Event detection, e.g. attack signature detection
- H04L61/00—Network arrangements, protocols or services for addressing or naming
  - H04L61/09—Mapping addresses
    - H04L61/10—Mapping addresses of different types
      - H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
- H04L67/00—Network arrangements or protocols for supporting network services or applications
  - H04L67/01—Protocols
    - H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Abstract
The invention relates to the field of computer terminal access security, and in particular to an ARP (Address Resolution Protocol) man-in-the-middle attack protection design for Internet of Things sensing layer terminals. It comprises two parts: 1. network data and ARP messages in the same network segment sent by the Internet of Things terminal are led through the Netfilter module of the Linux kernel network subsystem, and ARP communication messages within the same IP network segment are captured; 2. using an MTK SoC based on the MIPS architecture and a modified kernel module of the Linux network subsystem, ARP data in the same network segment is inspected and securely isolated at the kernel layer, which provides protection against ARP man-in-the-middle attacks. Because the MTK7621, MTK7628 and MKT7620 series SoCs are inexpensive, the design can be deployed in large numbers at the edge layer of the Internet of Things.
Description
Technical Field
The invention relates to the field of computer terminal access security, and in particular to a design for protecting Internet of Things sensing layer terminals against ARP man-in-the-middle attacks.
Background
With the development of computer networks and the growth of the industrial Internet and the Internet of Things, network security places higher requirements on the equipment in the network. The Internet of Things sensing layer refers, within an Internet of Things network environment, to the terminal equipment located at the outermost layer of the network that performs information acquisition and command execution. It is the very end of the whole network environment, has no downstream network equipment attached, and is often deployed in unattended environments; examples are smart cameras, road monitoring devices, smart street lamps and community electronic display screens.
Current implementations on the market:
1. Implementation with a layer-3 switch: devices of different network types and networks are divided into different IP network segments. For example, if the IP address of A is 192.168.40.a and that of B is 192.168.1.B, traffic between them is forwarded through routing or NAT, so network discovery between A and B does not take place by ARP broadcast but through the routing protocol, and an ARP man-in-the-middle attack between them is not possible. The problem with this implementation: the sensing terminals are numerous and their deployment and planning stretch over a long period, so giving each terminal an independent IP segment increases the complexity of the network topology and the implementation cost and is not sustainable (every time a terminal is added, IP network segments have to be re-divided and redesigned; the amount of engineering is huge and the approach is basically infeasible). The method is therefore mainly used at the convergence layer and is basically infeasible at the Internet of Things sensing layer.
2. Implementation with a gateway that provides lateral isolation: most such devices are built on Intel X86 architecture chips, and very few on self-developed chips (such as hua shi), so they are expensive (more than 4000 yuan) and difficult to deploy in large numbers upstream of every Internet of Things sensing layer terminal; they, too, are intended for the convergence layer. In addition, some sensing layer terminals are deployed in remote areas and powered by a solar panel and a storage battery, which cannot supply a high-power gateway.
A large number of ordinary gateways are deployed at the edge layer of the Internet of Things, but they have no defense against ARP man-in-the-middle attacks. A method is therefore needed for detecting ARP man-in-the-middle attacks on sensing layer terminals and applying the corresponding protection and control.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a design for protecting Internet of Things sensing layer terminals against ARP (Address Resolution Protocol) man-in-the-middle attacks.
To achieve this, the technical scheme adopted by the invention is as follows. The design for protecting Internet of Things sensing layer terminals against ARP man-in-the-middle attacks comprises two parts:
(1) Network data and ARP messages in the same network segment sent by the Internet of Things terminal are led through the Netfilter module of the Linux kernel network subsystem, and ARP communication messages within the same IP network segment are captured. The steps are:
(i) an SoC chip supporting several network ports is used, specifically one of the MTK7621, MTK7628 and MKT7620 series SoCs, and each network port of the SoC is placed in its own virtual LAN (VLAN);
(ii) every VLAN is attached to the same network bridge;
(iii) the network data and ARP messages in the same network segment are sent to the Netfilter module of the Linux kernel;
(iv) Netfilter passes the processed network data and ARP messages in the same network segment back to the bridge, which forwards the processed traffic to all network ports other than the one it was received on.
(2) An ARP man-in-the-middle attack judgment function is executed in Netfilter to detect ARP man-in-the-middle attack behaviour. The specific steps are:
(i) after the traffic enters the Netfilter module of the Linux kernel network subsystem, a hook function is attached at the NF_ARP_FORWARD node of Netfilter; it matches the ARP frame type and so captures and separates out the ARP messages;
(ii) the Netfilter module parses the captured ARP message and checks whether the IP bound to the MAC address carried in the ARP message (in broadcasts and in communication) is a real IP;
(iii) if the IP determined by the Netfilter module is not a real IP, the Netfilter module blocks the communication immediately.
Furthermore, the IP of the Internet of Things terminal is kept unchanged, and the IPs under the same LAN are in the same network segment: the Internet of Things terminals are deployed within one network segment without re-dividing it into sub-segments.
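Added example (not the patent's code): a user-space C model of the decision taken in step (2), the check that a captured ARP message's sender MAC/IP pair belongs to a "real IP". It assumes, as the patent states, that terminal IPs never change, so a static IP-to-MAC table of deployed terminals is the reference; the table entries, addresses and the locally defined NF_ACCEPT/NF_DROP constants are constructed here, and the kernel-side hook registration at NF_ARP_FORWARD is left out.

```c
#include <stdint.h>
#include <string.h>

/* Verdict values as in <linux/netfilter.h>, defined here so this user-space
 * model of the hook's decision logic builds without kernel headers. */
#define NF_DROP     0
#define NF_ACCEPT   1
#define ETH_ALEN    6
#define ARP_PKT_LEN 28   /* Ethernet/IPv4 ARP body: 8-byte header + 2 x (6 + 4) */

/* A deployed terminal. The patent states terminal IPs never change, so a static
 * IP<->MAC table is what "real IP" is checked against. Constructed sample
 * entries; the addresses are hypothetical. */
struct binding { uint32_t ip; uint8_t mac[ETH_ALEN]; };
static const struct binding real_bindings[] = {
    { 0xC0A80114u, {0x02, 0x00, 0x00, 0x00, 0x00, 0x14} },  /* 192.168.1.20 */
    { 0xC0A80115u, {0x02, 0x00, 0x00, 0x00, 0x00, 0x15} },  /* 192.168.1.21 */
};

/* Decision logic of the NF_ARP_FORWARD hook. `arp` points at the ARP body that
 * follows the Ethernet header (arp_hdr(skb) in the kernel); the return value
 * is the verdict the hook would hand back to Netfilter. */
int arp_mitm_verdict(const uint8_t *arp, size_t len)
{
    if (len < ARP_PKT_LEN) return NF_DROP;   /* truncated body: never forward it */
    uint16_t htype = (uint16_t)((arp[0] << 8) | arp[1]);
    uint16_t ptype = (uint16_t)((arp[2] << 8) | arp[3]);
    if (htype != 1 || ptype != 0x0800 || arp[4] != ETH_ALEN || arp[5] != 4)
        return NF_DROP;                      /* only Ethernet/IPv4 ARP is expected here */
    const uint8_t *sha = arp + 8;            /* sender hardware address */
    uint32_t spa = ((uint32_t)arp[14] << 24) | ((uint32_t)arp[15] << 16) |
                   ((uint32_t)arp[16] << 8)  |  (uint32_t)arp[17];
    for (size_t i = 0; i < sizeof real_bindings / sizeof real_bindings[0]; i++) {
        if (real_bindings[i].ip != spa) continue;
        /* Known terminal IP: the MAC announcing it must be the bound one. A reply
         * that claims a terminal's IP from another MAC is the poisoning case. */
        return memcmp(real_bindings[i].mac, sha, ETH_ALEN) == 0 ? NF_ACCEPT : NF_DROP;
    }
    return NF_DROP;                          /* IP is not a deployed terminal: non-real */
}

/* Build a constructed ARP body (op 1 = request, 2 = reply) with the given
 * sender fields; target fields are left zero. Used only for testing. */
size_t build_arp(uint8_t *out, uint16_t op, const uint8_t *sha, uint32_t spa)
{
    static const uint8_t hdr[6] = {0, 1, 8, 0, ETH_ALEN, 4};
    memset(out, 0, ARP_PKT_LEN);
    memcpy(out, hdr, 6);
    out[6] = (uint8_t)(op >> 8); out[7] = (uint8_t)op;
    memcpy(out + 8, sha, ETH_ALEN);
    for (int i = 0; i < 4; i++) out[14 + i] = (uint8_t)(spa >> (24 - 8 * i));
    return ARP_PKT_LEN;
}

/* Runs three constructed frames through the hook logic; returns how many
 * received the expected verdict (3 when everything works). */
int self_check(void)
{
    static const uint8_t mac20[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x14};
    static const uint8_t rogue[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x99};
    uint8_t buf[ARP_PKT_LEN]; int ok = 0;
    size_t n = build_arp(buf, 2, mac20, 0xC0A80114u);
    ok += arp_mitm_verdict(buf, n) == NF_ACCEPT;    /* genuine reply from .20 */
    n = build_arp(buf, 2, rogue, 0xC0A80114u);
    ok += arp_mitm_verdict(buf, n) == NF_DROP;      /* other MAC claiming .20 */
    ok += arp_mitm_verdict(buf, 10) == NF_DROP;     /* truncated body */
    return ok;
}

int main(void) { return self_check() == 3 ? 0 : 1; }
```

In the kernel the same verdict function would be called from a hook registered with nf_register_net_hook for NFPROTO_ARP at NF_ARP_FORWARD, the bridge path the patent describes.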
Compared with the prior art, the invention has the following beneficial effects:
1. The cost is reduced, so the system can be deployed in large numbers at the edge layer of the Internet of Things.
2. The power consumption is reduced: the power consumption of the MTK SoC is far lower than that of an X86-based scheme.
3. ARP attack detection and blocking within the same IP network segment is achieved, defending against ARP man-in-the-middle attacks. The edge layer of the Internet of Things is deployed in one IP network segment, which meets the deployment requirement and allows long-term, sustainable deployment.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention may be realized and attained by the means of the instrumentalities and combinations particularly pointed out hereinafter.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below, and it is obvious that the described embodiments are a part of the embodiments of the present invention, but not all of the embodiments.
In the above description of the invention, it is noted that the orientation or positional relationship conventionally used in the manufacture of the invention is for convenience in describing and simplifying the invention, and is not intended to indicate or imply that the device or element so referred to must have a particular orientation, be constructed and operated in a particular orientation, and is therefore not to be construed as limiting the invention. Furthermore, the terms "first," "second," and the like are used merely to distinguish one description from another, and are not to be construed as indicating or implying relative importance.
Further, the term "identical" and the like do not mean that the components are absolutely required to be identical, but may have slight differences. The term "perpendicular" merely means that the positional relationship between the components is more perpendicular than "parallel", and does not mean that the structure must be perfectly perpendicular, but may be slightly inclined.
The following description is presented to disclose the invention so as to enable any person skilled in the art to practice the invention. The preferred embodiments in the following description are given by way of example only, and other obvious variations will occur to those skilled in the art.
The design for protecting Internet of Things sensing layer terminals against ARP man-in-the-middle attacks comprises two parts:
(1) Network data and ARP messages in the same network segment sent by the Internet of Things terminal are led through the Netfilter module of the Linux kernel network subsystem, and ARP communication messages within the same IP network segment are captured. The steps are:
(i) an SoC chip supporting several network ports is used, specifically one of the MTK7621, MTK7628 and MKT7620 series SoCs, and each network port of the SoC is placed in its own virtual LAN (VLAN);
(ii) every VLAN is attached to the same network bridge;
(iii) the network data and ARP messages in the same network segment are sent to the Netfilter module of the Linux kernel;
(iv) Netfilter passes the processed network data and ARP messages in the same network segment back to the bridge, which forwards the processed traffic to all network ports other than the one it was received on.
(2) An ARP man-in-the-middle attack judgment function is executed in Netfilter to detect ARP man-in-the-middle attack behaviour. The specific steps are:
(i) after the traffic enters the Netfilter module of the Linux kernel network subsystem, a hook function is attached at the NF_ARP_FORWARD node of Netfilter; it matches the ARP frame type and so captures and separates out the ARP messages;
(ii) the Netfilter module parses the captured ARP message and checks whether the IP bound to the MAC address carried in the ARP message (in broadcasts and in communication) is a real IP;
(iii) if the IP determined by the Netfilter module is not a real IP, the Netfilter module blocks the communication immediately.
The IP of the Internet of Things terminal is kept unchanged, and the IPs under the same LAN are in the same network segment: the Internet of Things terminals are deployed within one network segment without re-dividing it into sub-segments.
The foregoing shows and describes the general principles, essential features, and advantages of the invention.
It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are merely illustrative of the principles of the invention, but that various changes and modifications may be made without departing from the spirit and scope of the invention, which fall within the scope of the invention as claimed.
The scope of the invention is indicated by the appended claims and their equivalents.
Claims (2)
1. A design for protecting Internet of Things sensing layer terminals against ARP man-in-the-middle attacks, characterized in that it comprises the following two parts:
(1) Network data and ARP messages in the same network segment sent by the Internet of Things terminal are led through the Netfilter module of the Linux kernel network subsystem, and ARP communication messages within the same IP network segment are captured. The steps are:
(i) an SoC chip supporting several network ports is used, specifically one of the MTK7621, MTK7628 and MKT7620 series SoCs, and each network port of the SoC is placed in its own virtual LAN (VLAN);
(ii) every VLAN is attached to the same network bridge;
(iii) the network data and ARP messages in the same network segment are sent to the Netfilter module of the Linux kernel;
(iv) Netfilter passes the processed network data and ARP messages in the same network segment back to the bridge, which forwards the processed traffic to all network ports other than the one it was received on.
(2) An ARP man-in-the-middle attack judgment function is executed in Netfilter to detect ARP man-in-the-middle attack behaviour. The specific steps are:
(i) after the traffic enters the Netfilter module of the Linux kernel network subsystem, a hook function is attached at the NF_ARP_FORWARD node of Netfilter; it matches the ARP frame type and so captures and separates out the ARP messages;
(ii) the Netfilter module parses the captured ARP message and checks whether the IP bound to the MAC address carried in the ARP message (in broadcasts and in communication) is a real IP;
(iii) if the IP determined by the Netfilter module is not a real IP, the Netfilter module blocks the communication immediately.
2. The design is characterized in that the IP of the Internet of Things terminal is kept unchanged, and the IPs under the same LAN are in the same network segment: the Internet of Things terminals are deployed within one network segment without re-dividing it into sub-segments.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202010828742.9A (granted as CN112822148B) | 2020-08-17 | 2020-08-17 | Internet of things sensing layer terminal ARP man-in-the-middle attack protection design
Publications (2)
Publication Number | Publication Date
---|---
CN112822148A (application publication) | 2021-05-18
CN112822148B (granted patent) | 2023-02-21
Family ID: 75853212
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN202010828742.9A (Active, CN112822148B) | Internet of things sensing layer terminal ARP man-in-the-middle attack protection design | 2020-08-17 | 2020-08-17
Country Status (1)
Country | Link
---|---
CN | CN112822148B (en)
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US20140181972A1 (en) | 2012-04-18 | 2014-06-26 | Zimperium, Inc. | Preventive intrusion device and method for mobile devices
CN105262738A (en) | 2015-09-24 | 2016-01-20 | 上海斐讯数据通信技术有限公司 | Router and method for preventing ARP attacks thereof
CN106982234A (en) | 2017-05-26 | 2017-07-25 | 杭州迪普科技股份有限公司 | ARP attack defense method and device
Non-Patent Citations (1)
Title
---
Chen Jun et al., "Linux-based ARP detection and defense system", Cyberspace Security (网络空间安全)
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |