CN115604031B - Anti-attack method, device, equipment and medium for router - Google Patents


Info

Publication number: CN115604031B
Authority: CN (China)
Prior art keywords: frame, interval, physical layer, layer data, data frame
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202211518241.6A
Other languages: Chinese (zh)
Other versions: CN115604031A (en)
Inventors: 李牧, 邱鹏
Current assignee: Chengdu Zhongke Hexun Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Chengdu Zhongke Hexun Technology Co ltd
Events: application filed by Chengdu Zhongke Hexun Technology Co ltd; priority to CN202211518241.6A; publication of CN115604031A; application granted; publication of CN115604031B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers


Abstract

The application discloses a router attack prevention method, device, equipment and medium, and relates to the technical field of secure transmission of digital information. The method comprises the steps of: obtaining an air interface data packet of a target router; demodulating and decoding the air interface data packet to obtain physical layer data frames; counting the frame timing intervals of the physical layer data frames to obtain a first abnormal data frame set, which comprises the data frames whose frame timing interval is smaller than the standard frame timing interval; performing frame identification on the physical layer data frames to obtain a second abnormal data frame set, which comprises disassociation data frames and deauthentication frames; and blocking the data frames included in the intersection of the first abnormal data frame set and the second abnormal data frame set so as to prevent the target router from being attacked. The method and the device can identify illegal attack frames more conveniently and more promptly, so that the illegal attack frames can be handled more effectively.

Description

Anti-attack method, device, equipment and medium for router
Technical Field
The present application relates to the field of secure transmission technology of digital information, and in particular, to a method, an apparatus, a device, and a medium for preventing a router from being attacked.
Background
A router is a hardware device that connects two or more networks, acts as a gateway between them, and is a dedicated intelligent network device that reads the address in each packet and then decides how to forward it. With the popularization of wireless networks, the security threats faced by wireless networks are becoming more and more serious; a router is used over Wi-Fi, and a Wi-Fi router can be attacked illegally, so methods for preventing the router from being attacked are needed in order to make its use safer.
However, the prior-art methods for protecting a router from attack cannot effectively handle illegal attack frames, which leaves the router easily exposed to many potential risks.
Disclosure of Invention
The main purpose of the application is to provide an anti-attack method, apparatus, device and medium for a router, aimed at solving the technical problem in the prior art that illegal attack frames cannot be effectively handled, so that the router is easily exposed to a number of potential risks.
In order to achieve the above object, a first aspect of the present application provides a method for preventing a router from being attacked, where the method includes:
acquiring an air interface data packet of a target router;
demodulating and decoding the air interface data packet of the target router to obtain a physical layer data frame of the target router;
counting the frame timing intervals of the physical layer data frames to obtain a first abnormal data frame set; wherein the first abnormal data frame set comprises the data frames whose frame timing interval, among the physical layer data frames of the target router, is smaller than a standard frame timing interval;
performing frame identification on the physical layer data frames to obtain a second abnormal data frame set; wherein the second abnormal data frame set comprises disassociation data frames and deauthentication frames;
and blocking the data frames included in the intersection of the first abnormal data frame set and the second abnormal data frame set so as to prevent the target router from being attacked.
Optionally, counting the frame timing intervals of the physical layer data frames to obtain a first abnormal data frame set includes:
if the frame timing interval of a physical layer data frame meets the shortest frame interval condition, transmitting the frame timing interval of the physical layer data frame to a temporary storage module;
where the frame timing interval of the physical layer data frame does not meet the shortest frame interval condition, if it meets the priority frame interval condition, transmitting the frame timing interval of the physical layer data frame to the temporary storage module;
where the frame timing interval of the physical layer data frame meets neither the shortest frame interval condition nor the priority frame interval condition, if it meets the distributed frame interval condition, transmitting the frame timing interval of the physical layer data frame to the temporary storage module;
and comparing the frame timing intervals of the physical layer data frames accumulated in the temporary storage module with the shortest frame interval, the priority frame interval or the distributed frame interval to obtain the first abnormal data frame set.
Optionally, transmitting the frame timing interval of the physical layer data frame to the temporary storage module if it meets the shortest frame interval condition includes:
if the frame timing interval of the physical layer data frame is smaller than the shortest frame interval, transmitting the frame timing interval of the physical layer data frame to the temporary storage module;
transmitting the frame timing interval of the physical layer data frame to the temporary storage module if, not meeting the shortest frame interval condition, it meets the priority frame interval condition includes:
if the frame timing interval of the physical layer data frame is greater than or equal to the shortest frame interval and smaller than the priority frame interval, transmitting the frame timing interval of the physical layer data frame to the temporary storage module;
transmitting the frame timing interval of the physical layer data frame to the temporary storage module if, meeting neither the shortest frame interval condition nor the priority frame interval condition, it meets the distributed frame interval condition includes:
if the frame timing interval of the physical layer data frame is greater than or equal to the shortest frame interval, greater than or equal to the priority frame interval and smaller than the distributed frame interval, transmitting the frame timing interval of the physical layer data frame to the temporary storage module.
Optionally, comparing the frame timing intervals of the physical layer data frames accumulated in the temporary storage module with the shortest frame interval, the priority frame interval or the distributed frame interval to obtain the first abnormal data frame set includes:
if the frame timing interval of a physical layer data frame accumulated in the temporary storage module is smaller than the shortest frame interval, the priority frame interval or the distributed frame interval, obtaining the first abnormal data frame set.
Optionally, after the step of obtaining the first abnormal data frame set if the frame timing interval of a physical layer data frame accumulated in the temporary storage module is smaller than the shortest frame interval, the priority frame interval or the distributed frame interval, the method further includes:
sending an alarm signal based on the first abnormal data frame set.
Optionally, performing frame identification on the physical layer data frames to obtain a second abnormal data frame set includes:
performing field parsing on the physical layer data frames to start a frame interval count and a frame count; when the frame interval count is greater than a preset threshold, the frame count is increased by an identification value;
and when the accumulated identification value of the frame count is greater than a preset number of times, obtaining the second abnormal data frame set.
Optionally, performing field parsing on the physical layer data frames to start the frame interval count and the frame count includes:
performing field parsing on the physical layer data frames to obtain identification frame data;
when the identification frame data includes disassociation frame data and deauthentication frame data, starting the frame interval count and the frame count.
In a second aspect, the present application provides an anti-attack apparatus for a router, the apparatus comprising:
the acquisition module is used for acquiring an air interface data packet of the target router;
a first obtaining module, configured to demodulate and decode an air interface data packet of the target router to obtain a physical layer data frame of the target router;
a second obtaining module, configured to count a frame timing interval for the physical layer data frame to obtain a first abnormal data frame set; wherein the first set of abnormal data frames comprises data frames having a frame timing interval of physical layer data frames of the target router that is less than a standard frame timing interval;
a third obtaining module, configured to perform frame identification on the physical layer data frame to obtain a second abnormal data frame set; wherein the second set of outlier data frames comprises a disassociation data frame and a deauthentication frame;
and the blocking module is used for blocking the data frames included by the intersection of the first abnormal data frame set and the second abnormal data frame set so as to prevent the target router from being attacked.
In a third aspect, the present application provides a computer device, which includes a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the method described in the embodiment.
In a fourth aspect, the present application provides a computer-readable storage medium having a computer program stored thereon, wherein a processor executes the computer program to implement the method described in the embodiments.
Through the above technical solution, the application has at least the following beneficial effects:
the method, apparatus, device and medium for preventing a router from being attacked provided by the embodiments of the application comprise the steps of: obtaining an air interface data packet of a target router; demodulating and decoding the air interface data packet of the target router to obtain physical layer data frames of the target router; counting the frame timing intervals of the physical layer data frames to obtain a first abnormal data frame set, which comprises the data frames whose frame timing interval, among the physical layer data frames of the target router, is smaller than a standard frame timing interval; performing frame identification on the physical layer data frames to obtain a second abnormal data frame set, which comprises disassociation data frames and deauthentication frames; and blocking the data frames included in the intersection of the first abnormal data frame set and the second abnormal data frame set so as to prevent the target router from being attacked.
That is, in the process of preventing the target router from being attacked, the air interface data packet of the target router is obtained first; the air interface data packet is then demodulated and decoded to obtain the data frames of the physical layer, that is, the physical layer data frames; the frame timing intervals of the physical layer data frames are then counted, and the data frames whose frame timing interval is smaller than the standard frame timing interval are found and used as the first abnormal data frame set; meanwhile, frame identification is performed on the physical layer data frames of the target router, and the disassociation data frames and deauthentication frames are found and used as the second abnormal data frame set. The data frames that fall into both the first abnormal data frame set and the second abnormal data frame set are the ones attacking the target router, so the data frames in the intersection of the two sets are blocked, and the target router can thereby be prevented from being attacked.
That is, in the prior art the illegal attack frame is identified only at the data link layer, the transport layer and the application layer of the router; by then the illegal attack frame has essentially entered the protocol layers of the target router, so the prior-art router is easily exposed to many potential risks and gives an illegal attacker an opening. Because the method identifies the first abnormal data frame set and the second abnormal data frame set at the physical layer of the target router, an illegal attack frame at the physical layer does not reach the protocol layers of the router; and because the first abnormal data frame set comprises the data frames whose frame timing interval is smaller than the standard frame timing interval, while the second abnormal data frame set comprises disassociation data frames and deauthentication frames, illegal attack frames can be identified from more aspects. Therefore, illegal attack frames can be identified more accurately and more promptly, so that they can be handled more effectively, the router is less likely to be exposed to potential risks, and an illegal attacker is less likely to be given an opening.
Drawings
FIG. 1 is a schematic diagram of a computer device in a hardware operating environment according to an embodiment of the present application;
fig. 2 is a flowchart of a method for preventing a router from being attacked according to an embodiment of the present application;
fig. 3 is a flowchart illustrating a specific implementation method of step S12 provided in this embodiment;
fig. 4 is a schematic flowchart of a specific implementation method of step S13 provided in this embodiment;
fig. 5 is a schematic diagram of an anti-attack apparatus for a router according to an embodiment of the present application.
The implementation, functional features and advantages of the objectives of the present application will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
With the popularization of wireless networks, the security threats faced by wireless networks are becoming more and more serious. At present, most network security mechanisms work on the wireless network link layer; for example, the application layer uses user names and digital certificates, the network layer uses IP addresses and routing decisions, and the data link layer uses MAC addresses, access authentication and similar means, but these security mechanisms are easy to forge and attack. Wi-Fi connections face many security threats; for example, authentication mechanisms such as WEP, WPA and WPA2 have proven to be insecure and to some extent compromised. If illegal attack frames can be identified and discarded at the physical layer, the access authentication and the security mechanisms of the data link layer are not affected. Existing Wi-Fi routers do take security measures, but illegal attack frames are mainly handled at the data link layer, the transport layer and the application layer. With that approach the illegal attack frame essentially enters the protocol layers of the router, so the router is easily exposed to many potential risks and gives an illegal attacker an opening. In summary, the current methods for protecting routers from attack cannot effectively handle illegal attack frames, so that routers are easily exposed to many potential risks.
In order to solve the above technical problems, the present application provides a method, an apparatus, a device, and a medium for preventing a router from being attacked, and before introducing a specific technical solution of the present application, a hardware operating environment related to the solution of the embodiment of the present application is introduced first.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a computer device in a hardware operating environment according to an embodiment of the present application.
As shown in FIG. 1, the computer apparatus may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable connection and communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and optionally may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless-Fidelity (Wi-Fi) interface). The memory 1005 may be a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in FIG. 1 does not constitute a limitation of a computer device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a storage medium, may include therein an operating system, a data storage module, a network communication module, a user interface module, and an electronic program.
In the computer device shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 in the computer device of the present application may be disposed in the computer device, and the computer device invokes the router attack prevention apparatus stored in the memory 1005 through the processor 1001 and executes the router attack prevention method provided in the embodiment of the present application.
Referring to fig. 2, based on the hardware environment of the foregoing embodiment, an embodiment of the present application provides a method for preventing a router from being attacked, where the method includes:
S10: acquiring an air interface data packet of the target router.
In a specific implementation, an air interface data packet refers to a data set of high-frequency data resources used for transmission between a router and a base station; the target router is the router that needs to be protected from attack, and the air interface data packet of the target router can be obtained in a conventional manner.
S11: demodulating and decoding the air interface data packet of the target router to obtain the physical layer data frames of the target router.
In a specific implementation, demodulating and decoding the air interface data packet requires processing of the Preamble field, the Signal field and the Data field. Preamble field processing uses the known preamble sequence to perform signal synchronization, DC estimation and compensation, IQ estimation and compensation, coarse frequency offset estimation and correction, fine frequency offset estimation and correction, channel estimation and the like. Signal field processing uses the pilots inserted in the OFDM symbols for frequency offset correction and completes OFDM symbol demodulation, deinterleaving, decoding, parameter extraction and so on, with the aim of preparing to process the Data field. Data field processing uses the pilots inserted in the OFDM symbols for frequency offset correction and uses the parameters extracted from the Signal field to demodulate, deinterleave and decode the OFDM symbols, so as to extract the PSDU, that is, the physical layer data frame. DC estimation and compensation exploits the fact that each short preamble (in the time domain) has a statistical mean of zero: the DC offset is pre-estimated from the mean of the short preambles, and, considering that the AGC delay is greater than 4.8 µs, at most 4 short preambles (4 × 0.8 µs) can be used for the estimate; this system uses 4 short preambles, and the output of this function is used for subsequent Kalman filtering to obtain a more accurate DC estimate. The basic principle of synchronization is to cross-correlate the received signal with the local training sequence, exploiting the strong autocorrelation property of the training sequence; where the correlation is maximal, the starting position of the target data is determined.
Meanwhile, the position of the LTF can be obtained from the order of appearance and relative size of the correlation peaks of the three correlation sequences. Demodulating the air interface signal yields the physical layer frame data; the physical frame format of an IEEE 802.11a signal consists of a preamble signal, a Signal field and a Data field, and other standards such as the IEEE 802.11n/ac physical layer frame formats extend the IEEE 802.11a physical layer frame format but share the same preamble signal.
S12: counting frame time sequence intervals of the physical layer data frames to obtain a first abnormal data frame set; wherein the first set of abnormal data frames includes data frames having a frame timing interval of physical layer data frames of the target router that is less than a standard frame timing interval.
In a specific implementation, the IEEE 802.11 standard MAC layer protocol supports DCF (distributed coordination function), PCF (point coordination function) and HCF (hybrid coordination function). In practice, the routers in common use adopt the DCF mode, and the DCF mode is the basis of the standard CSMA/CD access mechanism. As with Ethernet, before transmitting data a station checks whether the radio link is clear, and to avoid collisions the station randomly selects a backoff time for each frame whenever a transmitter occupies the channel. In some cases, the DCF may use the RTS/CTS clearing technique to further reduce the likelihood of collisions. This checking is usually done by carrier sense; the DCF mode supports both physical carrier sense and virtual carrier sense, and the MAC reports the medium as busy to the higher layer protocols as long as either of the sensing functions indicates that the medium is busy. The frame timing interval refers to the timing interval between two frames, and the standard frame timing interval refers to the interval between normal frames; that is, a data frame that conforms to the standard frame timing interval is generally regarded as a safe data frame. Conversely, if the frame timing interval of a physical layer data frame of the target router is smaller than the standard frame timing interval, the data frame is abnormal and easily exploited by an attacker, and such abnormal data frames form the first abnormal data frame set.
S13: carrying out frame identification on the data frame of the physical layer to obtain a second abnormal data frame set; wherein the second set of outlier data frames includes a disassociation data frame and a deauthentication frame.
In a specific implementation, the frame identification step mainly identifies whether disassociation packets and deauthentication packets, that is, disassociation data frames and deauthentication frames, are being sent periodically. A disassociation data frame (English name: Disassociation frame) terminates the association relationship established for a Wi-Fi connection; a deauthentication frame (English name: deAuth frame) terminates the authentication established for the Wi-Fi connection. Since many hackers attack using both disassociation data frames and deauthentication frames, both kinds of frame need to be identified.
S14: and blocking data frames included by the intersection of the first abnormal data frame set and the second abnormal data frame set so as to prevent the target router from being attacked.
In a specific implementation, because the frame timing interval of the data frames included in the intersection of the first abnormal data frame set and the second abnormal data frame set is smaller than the standard frame timing interval, the data frames in that intersection carry a higher risk: they are illegal attack frames and are easily exploited by hackers. Therefore the data frames included in the intersection of the first abnormal data frame set and the second abnormal data frame set need to be blocked, which greatly reduces the risk of the target router being attacked.
In this embodiment, in the process of preventing the target router from being attacked, the air interface data packet of the target router is obtained first; the air interface data packet is then demodulated and decoded to obtain the data frames of the physical layer, that is, the physical layer data frames; the frame timing intervals of the physical layer data frames are then counted, and the data frames whose frame timing interval is smaller than the standard frame timing interval are found and used as the first abnormal data frame set; meanwhile, frame identification is performed on the physical layer data frames of the target router, and the disassociation data frames and deauthentication frames are found and used as the second abnormal data frame set. The data frames that fall into both the first abnormal data frame set and the second abnormal data frame set are the ones attacking the target router, so the data frames in the intersection of the two sets are blocked, and the target router can thereby be prevented from being attacked. That is, in the prior art the illegal attack frame is identified only at the data link layer, the transport layer and the application layer of the router; by then the illegal attack frame has essentially entered the protocol layers of the target router, so the prior-art router is easily exposed to many potential risks and gives an illegal attacker an opening.
Because the method identifies the first abnormal data frame set and the second abnormal data frame set at the physical layer of the target router, an illegal attack frame at the physical layer does not reach the protocol layers of the router; and because the first abnormal data frame set comprises the data frames whose frame timing interval is smaller than the standard frame timing interval, while the second abnormal data frame set comprises disassociation data frames and deauthentication frames, illegal attack frames can be identified from more aspects. Therefore illegal attack frames can be identified more conveniently and more promptly and handled more effectively, the router is less likely to be exposed to potential risks, and an illegal attacker is less likely to be given an opening.
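The pipeline of steps S10 to S14 (and the claim-style steps in the Disclosure above), as an added example that is not code from the patent: a Python model that bins frame timing intervals against the shortest, priority and distributed frame intervals, parses the IEEE 802.11 frame-control field for disassociation and deauthentication frames, and blocks only the intersection of the two abnormal sets. The SIFS/PIFS/DIFS values, the stand-ins for the preset threshold and preset number of times, and the sample capture are assumptions constructed for the example.

```python
"""Simplified model of the patent's two-set detection pipeline (S12-S14).
Interframe-space values, counting parameters and the sample capture are
constructed assumptions, not values taken from the patent."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed IEEE 802.11a interframe spaces in microseconds.
SIFS_US = 16  # shortest frame interval
PIFS_US = 25  # priority frame interval
DIFS_US = 34  # distributed frame interval
# Assumed stand-ins for the patent's "preset threshold" and "preset times".
INTERVAL_COUNT_THRESHOLD = 3
PRESET_TIMES = 2

# 802.11 frame-control byte 0: bits 2-3 = type (0 = management),
# bits 4-7 = subtype (0xA = disassociation, 0xC = deauthentication).
MGMT_TYPE = 0
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C


@dataclass(frozen=True)
class PhyFrame:
    seq: int     # position in the decoded PSDU stream
    t_us: float  # arrival time in microseconds
    psdu: bytes  # decoded MAC frame; only the frame-control byte is modelled


def frame_kind(psdu: bytes) -> str:
    """Field parsing (S13): classify a frame from its frame-control byte."""
    fc0 = psdu[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype == MGMT_TYPE and subtype == SUBTYPE_DISASSOC:
        return "disassoc"
    if ftype == MGMT_TYPE and subtype == SUBTYPE_DEAUTH:
        return "deauth"
    return "other"


def classify_interval(gap_us: float) -> Optional[str]:
    """S121-S123: the bin that sends a gap to the temporary storage module,
    tested in order (shortest, priority, distributed); None means the gap
    is at least one DIFS and therefore a standard frame timing interval."""
    if gap_us < SIFS_US:
        return "shortest"
    if gap_us < PIFS_US:
        return "priority"
    if gap_us < DIFS_US:
        return "distributed"
    return None


def first_abnormal_set(frames: List[PhyFrame]) -> Set[int]:
    """S12: frames whose interval to the preceding frame is below standard."""
    abnormal: Set[int] = set()
    prev_t: Optional[float] = None
    for f in frames:
        if prev_t is not None and classify_interval(f.t_us - prev_t):
            abnormal.add(f.seq)
        prev_t = f.t_us
    return abnormal


def second_abnormal_set(frames: List[PhyFrame]) -> Set[int]:
    """S13: once disassociation/deauthentication frames appear, run the frame
    interval count; past the preset threshold the frame count grows by one
    identification value per frame; past the preset number of times, every
    identified frame is returned as the second abnormal set."""
    identified: List[int] = []
    interval_count = frame_count = 0
    for f in frames:
        if frame_kind(f.psdu) == "other":
            continue
        identified.append(f.seq)
        interval_count += 1
        if interval_count > INTERVAL_COUNT_THRESHOLD:
            frame_count += 1
    return set(identified) if frame_count > PRESET_TIMES else set()


def frames_to_block(frames: List[PhyFrame]) -> List[int]:
    """S14: block only frames that are in both abnormal sets."""
    return sorted(first_abnormal_set(frames) & second_abnormal_set(frames))


def _f(seq: int, t_us: float, fc0: int) -> PhyFrame:
    return PhyFrame(seq, t_us, bytes([fc0, 0x00]))


# Constructed capture: beacon, data frame and its ACK one SIFS later (a
# legitimate sub-DIFS gap), a burst of deauth/disassoc frames 10 us apart,
# and one isolated deauth frame much later.
SAMPLE_CAPTURE = [
    _f(0, 0.0, 0x80), _f(1, 200.0, 0x08), _f(2, 216.0, 0xD4),
    _f(3, 1000.0, 0xC0), _f(4, 1010.0, 0xC0), _f(5, 1020.0, 0xA0),
    _f(6, 1030.0, 0xC0), _f(7, 1040.0, 0xC0), _f(8, 1050.0, 0xC0),
    _f(9, 5000.0, 0xC0),
]

if __name__ == "__main__":
    # The ACK (seq 2) is only in set 1 and the isolated deauth (seq 9) is
    # only in set 2; neither is blocked, while the burst (seq 4-8) is.
    print("blocked:", frames_to_block(SAMPLE_CAPTURE))
```

The ACK and the isolated deauthentication frame show why the patent blocks the intersection rather than either set alone: a legitimate SIFS-spaced frame and a single management frame at a normal interval each trip one test but not both.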
In some embodiments, as shown in fig. 3, said step of statistically frame timing spacing said physical layer data frames to obtain a first abnormal set of data frames comprises:
s121: and if the frame time sequence interval of the physical layer data frame meets the shortest frame interval condition, transmitting the frame time sequence interval of the physical layer data frame to a temporary storage module.
In the specific implementation, the shortest frame interval condition is the condition of complying with the shortest frame interval. The shortest frame interval (SIFS) is the smallest gap allowed between two frames; it is used for high-priority transmissions such as RTS/CTS and ACK frames, which may be sent once a SIFS period has elapsed, and once such a high-priority transmission starts the medium is in the busy state. The temporary storage module may be regarded as a timing module that accumulates the frame timing intervals of the physical layer data frames. "Meeting the shortest frame interval condition" means that the frame timing interval of the physical layer data frame is smaller than the shortest frame interval; that is, if the frame timing interval of the physical layer data frame is smaller than the shortest frame interval, it is transmitted to the temporary storage module.
S122: when the frame timing interval of the physical layer data frame does not meet the shortest frame interval condition, if it meets the priority frame interval condition, transmitting the frame timing interval of the physical layer data frame to the temporary storage module.
In the specific implementation, the priority frame interval condition is the condition of complying with the priority frame interval, and the priority frame interval (PIFS) is the gap between two priority frames; it is used in contention-free operation, where a station with data waiting for transmission may transmit after waiting PIFS, taking priority over any contention-based transmission. "Not meeting the shortest frame interval condition" here means that the frame timing interval of the physical layer data frame is greater than or equal to the shortest frame interval, and "meeting the priority frame interval condition" means that it is smaller than the priority frame interval. That is, if the frame timing interval of the physical layer data frame is greater than or equal to the shortest frame interval and smaller than the priority frame interval, it is transmitted to the temporary storage module.
S123: when the frame timing interval of the physical layer data frame meets neither the shortest frame interval condition nor the priority frame interval condition, if it meets the distributed frame interval condition, transmitting the frame timing interval of the physical layer data frame to the temporary storage module.
In the specific implementation, the distributed frame interval condition is the condition of complying with the distributed frame interval, and the distributed frame interval (DIFS) is the gap between two distributed frames; it is the shortest medium idle time in the contention service, and if the medium has been idle for longer than DIFS a station may access the medium immediately. Here, "not meeting the shortest frame interval condition" means that the frame timing interval of the physical layer data frame is greater than or equal to the shortest frame interval, "not meeting the priority frame interval condition" means that it is greater than or equal to the priority frame interval, and "meeting the distributed frame interval condition" means that it is smaller than the distributed frame interval. That is, if the frame timing interval of the physical layer data frame is greater than or equal to the shortest frame interval, greater than or equal to the priority frame interval, and smaller than the distributed frame interval, it is transmitted to the temporary storage module.
S124: comparing the frame timing intervals of the physical layer data frames accumulated in the temporary storage module with the shortest frame interval, the priority frame interval or the distributed frame interval to obtain a first abnormal data frame set.
In the specific implementation, when the accumulated frame timing interval of a physical layer data frame stored in the temporary storage module is smaller than the shortest frame interval, the priority frame interval or the distributed frame interval, that physical layer data frame is abnormal and is therefore placed in the first abnormal data frame set. That is, the first abnormal data frame set consists of the physical layer data frames of the target router whose frame timing interval in the temporary storage module is smaller than the shortest frame interval, the priority frame interval or the distributed frame interval.
It can be seen from this embodiment that the "standard frame timing interval" of the foregoing embodiment comprises the shortest frame interval, the priority frame interval and the distributed frame interval. The frame timing interval of each physical layer data frame is compared with the shortest frame interval, the priority frame interval and the distributed frame interval in turn to find the physical layer data frames that "meet" these intervals; such frames are easily exploited by an illegal party, so they are very likely to be illegal data frames. All WiFi routers and WiFi terminals in a secure environment should follow the timing rule of the standard frame timing interval; an illegally injected frame often needs to obtain a higher priority and must therefore break this timing rule, and the frames that break it form the first abnormal data frame set. Comparing against the shortest frame interval, the priority frame interval and the distributed frame interval thus locates risky physical layer data frames more accurately.
In some embodiments, after the step of obtaining the first abnormal data frame set when the accumulated frame timing interval of the physical layer data frames in the temporary storage module is smaller than the shortest frame interval, the priority frame interval or the distributed frame interval, the method further comprises: sending an alarm signal based on the first abnormal data frame set.
In this embodiment, the main task of the step of counting the frame timing interval is to check whether each frame sent over the air interface complies with this rule, and to raise an alarm for any frame that does not comply with the standard frame timing interval rule. Once demodulation and decoding are finished, the frame timing statistics determine in turn, according to the protocol, whether the frame must meet the shortest frame interval, the priority frame interval or the distributed frame interval; if it must, the interval enters the temporary storage module. Finally, it is judged whether the accumulated frame interval value in the temporary storage module is smaller than the shortest frame interval, the priority frame interval or the distributed frame interval, and if it is, an alarm signal is raised and sent to the message blocking module. The alarm signal prompts the relevant personnel to take corresponding action, which further improves the security of the target router.
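The following is an added worked example of steps S121 to S124 and the alarm, written for this page and not taken from the patent or the applicant's code. It treats the frame timing interval as the idle air time between consecutive decoded frames, tests it against SIFS, PIFS and DIFS in the order the steps give, keeps the sub-DIFS intervals in a staging list standing in for the temporary storage module, and then flags a frame as abnormal when its interval is below the interframe space that a frame of its kind must respect "according to the protocol". The interframe-space values, the frame records and the mapping from frame kind to required space are constructed assumptions.

```python
"""Frame timing interval check (S121-S124) over decoded physical layer frames.

Added example, not the patent's own code. The frame records, the interframe
space values and the mapping from frame kind to the space it must respect
are constructed assumptions used to illustrate the method.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interframe space values in microseconds. These are illustrative
# (802.11b-style) numbers; a real implementation takes them from the PHY.
SIFS_US = 10.0   # shortest frame interval
PIFS_US = 30.0   # priority frame interval
DIFS_US = 50.0   # distributed frame interval

# Assumed rule "according to the protocol": which interframe space a frame of
# a given kind must let elapse before it is transmitted.
REQUIRED_IFS_US = {
    "ack": SIFS_US,      # ACK and CTS answer after SIFS
    "cts": SIFS_US,
    "cf_poll": PIFS_US,  # contention-free (point coordination) traffic after PIFS
    "data": DIFS_US,     # contention-based data and management frames after DIFS
    "mgmt": DIFS_US,
}


@dataclass(frozen=True)
class PhyFrame:
    index: int         # position in the decoded frame stream
    kind: str          # key of REQUIRED_IFS_US
    t_start_us: float  # air time at which the frame started
    t_end_us: float    # air time at which the frame ended


def frame_gap_us(prev: PhyFrame, cur: PhyFrame) -> float:
    """Frame timing interval: idle air time between two consecutive frames."""
    return cur.t_start_us - prev.t_end_us


def classify_gap(gap_us: float) -> Optional[str]:
    """S121-S123: test the interval against SIFS, then PIFS, then DIFS.

    Returns the name of the first interval the gap falls below, or None when
    the gap is at least DIFS and therefore needs no further attention.
    """
    if gap_us < SIFS_US:
        return "sifs"
    if gap_us < PIFS_US:
        return "pifs"
    if gap_us < DIFS_US:
        return "difs"
    return None


def stage_intervals(frames: List[PhyFrame]) -> List[Tuple[PhyFrame, float, str]]:
    """Temporary storage module: keep (frame, gap, bucket) for every gap below DIFS."""
    staged = []
    for prev, cur in zip(frames, frames[1:]):
        gap = frame_gap_us(prev, cur)
        bucket = classify_gap(gap)
        if bucket is not None:
            staged.append((cur, gap, bucket))
    return staged


def first_abnormal_set(frames: List[PhyFrame]) -> List[int]:
    """S124: indices of staged frames whose gap is below the space their kind must respect."""
    return [
        frame.index
        for frame, gap, _bucket in stage_intervals(frames)
        if gap < REQUIRED_IFS_US[frame.kind]
    ]


def alarm_message(abnormal: List[int]) -> Optional[str]:
    """Alarm signal handed to the message blocking module (None when the stream is clean)."""
    if not abnormal:
        return None
    return f"ALARM: {len(abnormal)} frame(s) violate the frame timing rule: {abnormal}"


# Constructed sample stream (times in microseconds). Frames 2, 3 and 5 arrive
# before the interframe space their kind must respect has elapsed.
SAMPLE_FRAMES = [
    PhyFrame(0, "data", 0.0, 100.0),
    PhyFrame(1, "ack", 110.0, 120.0),      # gap 10: exactly SIFS, allowed for an ACK
    PhyFrame(2, "mgmt", 160.0, 200.0),     # gap 40: management frame inside DIFS
    PhyFrame(3, "ack", 205.0, 215.0),      # gap 5: ACK inside SIFS
    PhyFrame(4, "data", 280.0, 380.0),     # gap 65: at least DIFS, not staged
    PhyFrame(5, "cf_poll", 400.0, 420.0),  # gap 20: contention-free frame inside PIFS
    PhyFrame(6, "data", 480.0, 580.0),     # gap 60: not staged
]

if __name__ == "__main__":
    flagged = first_abnormal_set(SAMPLE_FRAMES)
    print(alarm_message(flagged))
```

Note that frame 1 is not flagged even though its interval is staged in the PIFS bucket: an ACK is entitled to transmit after SIFS, so the comparison in S124 has to be against the interval that frame kind must respect, not merely against the smallest of the three. Without the per-kind rule every ACK on the network would be reported, which is the false-positive mode a practitioner would hit first.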
In some embodiments, as shown in fig. 4, the step of performing frame identification on the physical layer data frames to obtain a second abnormal data frame set comprises:
S131: performing field analysis on the physical layer data frame to start a frame interval count and a frame count; when the frame interval count is greater than a preset threshold, the frame count is increased by one identification value.
In the specific implementation, the association process defined by the IEEE 802.11 MAC layer protocol is as follows. The communication is initiated by the AP: after receiving a Beacon frame sent by the AP, the STA sends a probe (inquiry) request frame to the AP; the AP answers with a probe response frame; on receiving the probe response frame the STA starts a link authentication request; and after receiving the association request frame the AP sends an association response frame to the STA, completing the association process. In many attacks on a WiFi network, the frames used in the association process are all management frames, and the process is interrupted through those management frames: for example, a deauthentication frame is sent to force the AP and the STA to disconnect and reconnect, during which the attacker captures a complete handshake packet, from which the WiFi password may be cracked and the system entered. Therefore the physical layer data frame is parsed field by field at the same time; when the parsed identification frame data includes 001010 (disassociation frame data) and 001100 (deauthentication frame data), the frame interval count and the frame count are started, and when the frame interval count exceeds the preset threshold the frame count is increased by one identification value. The preset threshold is a preset frame interval count threshold; the identification value is the unit by which the frame count is incremented, so the value shown by the frame count increases by 1 each time an identification value is added.
S132: when the accumulated identification value of the frame count exceeds a preset number of times, obtaining a second abnormal data frame set.
In the specific implementation, the preset number of times is a preset count of identification values. When the frame interval count exceeds the preset threshold, the next frame is awaited; when the frame count exceeds the preset number of times, for example 5, the corresponding physical layer data frames are taken as the second abnormal data frame set. That is, the second abnormal data frame set consists of the physical layer data frames of the target router that contain disassociation frame data and deauthentication frame data and whose accumulated frame-count identification value exceeds the preset number of times. In addition, when the second abnormal data frame set is identified, an alarm is raised and sent to the message blocking module, which also helps remind the relevant personnel.
In summary, the illegal management messages sent by an attacker are usually broadcast packets in plain text; to obtain a higher priority and guarantee the attack effect they often break the frame interval timing limits and are sent periodically. If the physical layer detects this situation, the messages are blocked (discarded) before they enter the upper-layer protocol. According to the scheme, the power spectral density, the cross-power spectral density and the second-order statistics of multiple groups of WiFi preamble signals from the same transmitter are obtained as the fingerprint features of the WiFi transmitter; these represent the radio-frequency characteristics of the transmitter well and help the recognition rate of the radio-frequency fingerprint classifier.
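The following is an added worked example of steps S131 and S132 together with the blocking step that takes the intersection of the two abnormal sets; it is written for this page and is not the patent's or the applicant's code. The 802.11 Frame Control layout used to recover the six-bit identification code (two type bits followed by four subtype bits, so 001010 is a disassociation frame and 001100 a deauthentication frame) is the standard one; either code is treated as a trigger here. The constructed frames, the preset threshold value, and the particular way the frame interval count is accumulated (time elapsed between successive disassociation/deauthentication frames) are assumptions, since the text leaves that detail open.

```python
"""Frame identification (S131-S132) and blocking of the set intersection.

Added example, not the patent's own code. The 802.11 Frame Control layout is
standard; the constructed frames, the preset threshold and the way the frame
interval count is accumulated are assumptions used to illustrate the method.
"""
from dataclasses import dataclass
from typing import List
import struct

# Identification codes: 2-bit frame type followed by 4-bit subtype, as written in the text.
DISASSOC_CODE = "001010"  # management frame (00), subtype 1010
DEAUTH_CODE = "001100"    # management frame (00), subtype 1100

PRESET_THRESHOLD_US = 250.0  # frame interval count threshold (assumed value)
PRESET_TIMES = 5             # frame count limit (the example value given in the text)


@dataclass(frozen=True)
class DecodedFrame:
    index: int   # position in the decoded stream
    t_us: float  # air time at which the frame was received
    raw: bytes   # MAC frame as handed up by demodulation and decoding


def frame_identification_code(raw: bytes) -> str:
    """Field analysis: read type and subtype from the first Frame Control byte.

    Frame Control byte 0 holds protocol version (bits 0-1), type (bits 2-3)
    and subtype (bits 4-7), least significant bit first.
    """
    if len(raw) < 2:
        raise ValueError("frame too short for a Frame Control field")
    fc0 = raw[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    return f"{ftype:02b}{subtype:04b}"


def is_disconnect_frame(raw: bytes) -> bool:
    """True for the two management frames the second abnormal set is built from."""
    return frame_identification_code(raw) in (DISASSOC_CODE, DEAUTH_CODE)


def second_abnormal_set(frames: List[DecodedFrame],
                        threshold_us: float = PRESET_THRESHOLD_US,
                        times: int = PRESET_TIMES) -> List[int]:
    """S131-S132 as read here: accumulate the time between successive
    disassociation/deauthentication frames (frame interval count); each time
    it passes the threshold the frame count gains one identification value;
    once the frame count exceeds the preset number of times, all the
    disconnect frames seen form the second abnormal data frame set."""
    disconnect: List[int] = []
    interval_count = 0.0
    frame_count = 0
    last_t = None
    for frame in frames:
        if not is_disconnect_frame(frame.raw):
            continue
        disconnect.append(frame.index)
        if last_t is not None:
            interval_count += frame.t_us - last_t
        last_t = frame.t_us
        if interval_count > threshold_us:
            frame_count += 1        # one identification value
            interval_count = 0.0
    return disconnect if frame_count > times else []


def frames_to_block(first_set: List[int], second_set: List[int]) -> List[int]:
    """Blocking module: only frames present in both abnormal sets are dropped."""
    return sorted(set(first_set) & set(second_set))


# --- constructed test data (locally administered, made-up addresses) -------
_BSSID = bytes.fromhex("020000000001")
_CLIENT = bytes.fromhex("020000000002")


def build_mgmt_frame(subtype: int, reason: int = 7) -> bytes:
    """Constructed management frame: FC, duration, addr1-3, seq ctrl, reason code."""
    fc = bytes([(subtype << 4) & 0xF0, 0x00])  # type 00 in bits 2-3
    return fc + b"\x00\x00" + _CLIENT + _BSSID + _BSSID + b"\x10\x00" + struct.pack("<H", reason)


def build_data_frame() -> bytes:
    """Constructed data frame: type 10, subtype 0000, empty body."""
    return bytes([0x08, 0x00]) + b"\x00\x00" + _CLIENT + _BSSID + _BSSID + b"\x20\x00"


def constructed_stream(n_disconnect: int, period_us: float) -> List[DecodedFrame]:
    """n_disconnect disassociation/deauthentication frames, one every period_us,
    interleaved with ordinary data frames."""
    frames: List[DecodedFrame] = []
    t = 0.0
    for i in range(n_disconnect):
        subtype = 0xC if i % 2 else 0xA
        frames.append(DecodedFrame(len(frames), t, build_mgmt_frame(subtype)))
        frames.append(DecodedFrame(len(frames), t + period_us / 2, build_data_frame()))
        t += period_us
    return frames


if __name__ == "__main__":
    stream = constructed_stream(8, 300.0)
    second = second_abnormal_set(stream)
    print("second abnormal set:", second)
    print("to block:", frames_to_block([0, 2, 5, 6], second))
```

A single legitimate deauthentication (a client leaving) never accumulates enough identification values to be flagged, which is the point of combining the count with the timing check: only frames that are both disconnect frames sent repeatedly and timing-rule violators reach the blocking module.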
In another embodiment, as shown in fig. 5, based on the same inventive concept as the foregoing embodiments, an embodiment of the present application further provides an anti-attack apparatus for a router, where the apparatus includes:
an acquisition module, configured to acquire an air interface data packet of the target router;
a first obtaining module, configured to demodulate and decode an air interface data packet of the target router to obtain a physical layer data frame of the target router;
a second obtaining module, configured to count a frame timing interval for the physical layer data frame to obtain a first abnormal data frame set; wherein the first set of abnormal data frames comprises data frames having a frame timing interval of physical layer data frames of the target router that is less than a standard frame timing interval;
a third obtaining module, configured to perform frame identification on the physical layer data frame to obtain a second abnormal data frame set; wherein the second set of outlier data frames comprises a disassociation data frame and a deauthentication frame;
a blocking module, configured to block the data frames included in the intersection of the first abnormal data frame set and the second abnormal data frame set, so as to prevent the target router from being attacked.
It should be noted that, in this embodiment, each module in the router attack prevention apparatus corresponds to each step in the router attack prevention method in the foregoing embodiment one to one, and therefore, the specific implementation manner and the achieved technical effect of this embodiment may refer to the implementation manner of the router attack prevention method, which is not described herein again.
Furthermore, in an embodiment, the present application also provides a computer device comprising a processor, a memory and a computer program stored in the memory, which when executed by the processor implements the method in the preceding embodiment.
Furthermore, in an embodiment, the present application further provides a computer storage medium having a computer program stored thereon, where the computer program is executed by a processor to implement the method in the foregoing embodiment.
In some embodiments, the computer-readable storage medium may be memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash, magnetic surface memory, optical disk, or CD-ROM; or may be various devices including one or any combination of the above memories. The computer may be a variety of computing devices including intelligent terminals and servers.
In some embodiments, executable instructions may be written in any form of programming language (including compiled or interpreted languages), in the form of programs, software modules, scripts or code, and may be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
By way of example, executable instructions may correspond, but do not necessarily have to correspond, to files in a file system, and may be stored in a portion of a file that holds other programs or data, such as in one or more scripts in a hypertext Markup Language (HTML) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).
By way of example, executable instructions may be deployed to be executed on one computing device or on multiple computing devices at one site or distributed across multiple sites and interconnected by a communication network.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description, and do not represent the advantages and disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., a rom/ram, a magnetic disk, an optical disk) and includes instructions for enabling a multimedia terminal (e.g., a mobile phone, a computer, a television receiver, or a network device) to execute the method according to the embodiments of the present application.
The above description is only a preferred embodiment of the present application, and not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings of the present application, or which are directly or indirectly applied to other related technical fields, are included in the scope of the present application.

Claims (9)

1. A method for preventing a router from being attacked, which is characterized by comprising the following steps:
acquiring an air interface data packet of a target router;
demodulating and decoding the air interface data packet of the target router to obtain a physical layer data frame of the target router;
counting frame time sequence intervals of the physical layer data frames to obtain a first abnormal data frame set; wherein the first set of abnormal data frames comprises data frames having a frame timing interval of physical layer data frames of the target router that is less than a standard frame timing interval;
carrying out frame identification on the data frame of the physical layer to obtain a second abnormal data frame set; wherein the second set of anomalous data frames includes a disassociation data frame and a deauthentication frame;
blocking data frames included by the intersection of the first abnormal data frame set and the second abnormal data frame set to prevent the target router from being attacked;
the counting frame timing intervals for the physical layer data frames to obtain a first abnormal data frame set includes:
if the frame time sequence interval of the physical layer data frame meets the shortest frame interval condition, transmitting the frame time sequence interval of the physical layer data frame to a temporary storage module;
under the condition that the frame time sequence interval of the physical layer data frame does not meet the shortest frame interval condition, if the frame time sequence interval of the physical layer data frame meets the priority frame interval condition, transmitting the frame time sequence interval of the physical layer data frame to the temporary storage module;
under the condition that the frame time sequence interval of the physical layer data frame does not meet the shortest frame interval condition and the priority frame interval condition, if the frame time sequence interval of the physical layer data frame meets the distributed frame interval condition, transmitting the frame time sequence interval of the physical layer data frame to the temporary storage module;
and comparing the frame timing interval of the physical layer data frames accumulated in the temporary storage module with the shortest frame interval or the priority frame interval or the distributed frame interval to obtain a first abnormal data frame set.
2. The method according to claim 1, wherein if the frame timing interval of the physical layer data frame satisfies the shortest frame interval condition, transmitting the frame timing interval of the physical layer data frame to a buffer module comprises:
if the frame time sequence interval of the physical layer data frame is smaller than the shortest frame interval, transmitting the frame time sequence interval of the physical layer data frame to a temporary storage module;
under the condition that the frame timing interval of the physical layer data frame does not meet the shortest frame interval condition, if the frame timing interval of the physical layer data frame meets the priority frame interval condition, transmitting the frame timing interval of the physical layer data frame to the temporary storage module, including:
if the frame time sequence interval of the physical layer data frame is greater than or equal to the shortest frame interval and less than the priority frame interval, transmitting the frame time sequence interval of the physical layer data frame to the temporary storage module;
under the condition that the frame timing interval of the physical layer data frame does not meet the shortest frame interval condition and the priority frame interval condition, if the frame timing interval of the physical layer data frame meets the distributed frame interval condition, transmitting the frame timing interval of the physical layer data frame to the temporary storage module, including:
and if the frame time sequence interval of the physical layer data frame is greater than or equal to the shortest frame interval, greater than or equal to the priority frame interval and smaller than the distributed frame interval, transmitting the frame time sequence interval of the physical layer data frame to the temporary storage module.
3. The router attack prevention method according to claim 1, wherein the comparing the frame timing interval of the physical layer data frames accumulated in the temporary storage module with the shortest frame interval or the priority frame interval or the distributed frame interval to obtain a first abnormal data frame set comprises:
and if the frame time sequence interval of the physical layer data frames accumulated in the temporary storage module is smaller than the shortest frame interval or the priority frame interval or the distributed frame interval, acquiring a first abnormal data frame set.
4. The method according to claim 3, wherein after the step of obtaining the first abnormal data frame set if the frame timing interval of the physical layer data frames accumulated in the temporary storage module is smaller than the shortest frame interval or the priority frame interval or the distributed frame interval, the method further comprises:
and sending an alarm signal based on the first abnormal data frame set.
5. The router attack prevention method according to claim 1, wherein the performing frame recognition on the physical layer data frames to obtain a second abnormal data frame set comprises:
performing field analysis on the physical layer data frame to start frame interval counting and frame counting; when the frame interval count is greater than a preset threshold value, the frame count is increased by an identification value;
and when the accumulated identification value of the frame count is more than the preset times, obtaining a second abnormal data frame set.
6. The router attack prevention method of claim 5 wherein the field parsing the physical layer data frame to initiate frame interval counting and frame counting comprises:
performing field analysis on the physical layer data frame to obtain identification frame data;
when the identification frame data includes disassociation frame data and deauthentication frame data, a frame interval count and a frame count are initiated.
7. An anti-attack apparatus for a router, the apparatus comprising:
the acquisition module is used for acquiring an air interface data packet of the target router;
a first obtaining module, configured to demodulate and decode an air interface data packet of the target router to obtain a physical layer data frame of the target router;
a second obtaining module, configured to count a frame timing interval for the physical layer data frame to obtain a first abnormal data frame set; wherein the first set of abnormal data frames comprises data frames having a frame timing interval of physical layer data frames of the target router that is less than a standard frame timing interval;
a third obtaining module, configured to perform frame identification on the physical layer data frame to obtain a second abnormal data frame set; wherein the second set of outlier data frames comprises a disassociation data frame and a deauthentication frame;
a blocking module, configured to block data frames included in an intersection of the first abnormal data frame set and the second abnormal data frame set, so as to prevent the target router from being attacked;
the second obtaining module is further configured to transmit the frame timing interval of the physical layer data frame to the temporary storage module if the frame timing interval of the physical layer data frame meets the shortest frame interval condition; under the condition that the frame time sequence interval of the physical layer data frame does not meet the shortest frame interval condition, if the frame time sequence interval of the physical layer data frame meets the priority frame interval condition, transmitting the frame time sequence interval of the physical layer data frame to the temporary storage module; under the condition that the frame time sequence interval of the physical layer data frame does not meet the shortest frame interval condition and the priority frame interval condition, if the frame time sequence interval of the physical layer data frame meets the distributed frame interval condition, transmitting the frame time sequence interval of the physical layer data frame to the temporary storage module; and comparing the frame timing interval of the physical layer data frames accumulated in the temporary storage module with the shortest frame interval or the priority frame interval or the distributed frame interval to obtain a first abnormal data frame set.
8. A computer arrangement, characterized in that the computer arrangement comprises a memory in which a computer program is stored and a processor which executes the computer program for implementing the method as claimed in any one of claims 1-6.
9. A computer-readable storage medium, having a computer program stored thereon, which, when executed by a processor, performs the method of any one of claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211518241.6A CN115604031B (en) 2022-11-30 2022-11-30 Anti-attack method, device, equipment and medium for router

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211518241.6A CN115604031B (en) 2022-11-30 2022-11-30 Anti-attack method, device, equipment and medium for router

Publications (2)

Publication Number Publication Date
CN115604031A CN115604031A (en) 2023-01-13
CN115604031B true CN115604031B (en) 2023-03-17

Family

ID=84852385

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211518241.6A Active CN115604031B (en) 2022-11-30 2022-11-30 Anti-attack method, device, equipment and medium for router

Country Status (1)

Country Link
CN (1) CN115604031B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113938239A (en) * 2021-10-13 2022-01-14 苏州浩曦微电子科技有限公司 Method for improving anti-interference capability of wireless communication, communication equipment and storage medium

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7086089B2 (en) * 2002-05-20 2006-08-01 Airdefense, Inc. Systems and methods for network security
JP2006013737A (en) * 2004-06-24 2006-01-12 Fujitsu Ltd Device for eliminating abnormal traffic
CN105282144B (en) * 2015-09-11 2018-11-30 三明学院 Novel anti-802.11 wireless releases authentication frame flood Denial of Service attack methods
CN105471879B (en) * 2015-12-04 2018-11-27 三明学院 Novel based on rough set prevents wireless disassociation frame DoS attack method
CN106790212A (en) * 2017-01-07 2017-05-31 北京坤腾畅联科技有限公司 The method and terminal device of the analysis detection man-in-the-middle attack based on temporal characteristics
US10979906B2 (en) * 2017-04-11 2021-04-13 Qualcomm Incorporated Detecting media access control (MAC) address spoofing in a wi-fi network using channel correlation
JP2021005821A (en) * 2019-06-27 2021-01-14 矢崎総業株式会社 Abnormality detection device
CN110365667B (en) * 2019-07-03 2021-11-23 杭州迪普科技股份有限公司 Attack message protection method and device and electronic equipment
US11418956B2 (en) * 2019-11-15 2022-08-16 Panasonic Avionics Corporation Passenger vehicle wireless access point security system

Also Published As

Publication number Publication date
CN115604031A (en) 2023-01-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant