CN1604586A - A method for preventing counterfeit host in IP Ethernet - Google Patents

A method for preventing counterfeit host in IP Ethernet

Info

Publication number: CN1604586A
Authority: CN (China)
Prior art keywords: address, ARP, host, message, Ethernet
Legal status: Granted (later terminated for non-payment of annual fee)
Application number: CN03154461.4A
Other languages: Chinese (zh)
Other versions: CN100484132C (granted publication)
Inventor: 杨磊
Assignee (original and current): Huawei Technologies Co Ltd
Priority date / filing date: 2003-09-29
Publication date: 2005-04-06 (CN1604586A); grant published 2009-04-29 (CN100484132C)
Current status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method for preventing a host from being impersonated by means of ARP messages in an IP Ethernet. A host in the IP Ethernet receives an ARP message; from the IP address carried in that message it obtains the genuine hardware address of the host that owns the IP address; it then checks whether the genuine hardware address agrees with the hardware address carried in the ARP message, and only if it does updates its ARP table with the address pair from the message. If the addresses disagree, the ARP table is left unchanged.

Description

A method for preventing host impersonation in an Internet Protocol Ethernet
Technical field
The present invention relates to the field of network security, and in particular to a method for preventing a malicious user from impersonating a host by means of ARP messages in an Internet Protocol (IP) Ethernet.
Background
Network viruses are becoming ever more varied in their destructive effects, and many new means of attack have appeared. Attacks on network reliability are one such category: their purpose is not to steal information but to exploit weaknesses in the network and attack network devices so that normal communication is disrupted and the network is paralysed. Attacks on Ethernet are a common form of this kind of attack, for the following reasons:
1. Historically, Ethernet was deployed mostly inside intranets, and network administration treated the intranet as trusted, so security controls were placed only at the intranet egress and no precautions were taken inside the intranet.
2. Because the clients inside an intranet are heterogeneous, the administration department cannot monitor how each user uses the network. At the same time, computer viruses keep acquiring new means of attack, and the low- and mid-range networking products in widespread use are easy to attack, so attacks on Ethernet are easy to carry out.
3. With the spread of broadband and new services, Ethernet is increasingly used in networks outside the control of the administration department; broadband residential access over Ethernet is one example, and in such deployments Ethernet is even more exposed to attack.
For users whose communication depends on such an Ethernet, an attack that paralyses the network causes a loss proportional to the outage time even if no valuable data is lost, and for a company that runs its business over Ethernet this loss is often more serious than losing data.
The attack method against an Ethernet carrying the Internet Protocol (IP) is described below.
In an IP Ethernet, nodes are identified by IP addresses, but frames are delivered according to the hardware addresses of the nodes, so every data transfer involves resolving an IP address to a hardware address. Each node in the Ethernet uses the Media Access Control (MAC) address of the IEEE 802 protocol family as its hardware address. When one host communicates with another, the two parties first need each other's IP address; they then use the Address Resolution Protocol (ARP) to obtain the MAC address corresponding to that IP address, and exchange data frames on the Ethernet using the MAC addresses so obtained. ARP uses two message types, the ARP request and the ARP reply, and resolves an IP address to a MAC address as follows:
When a host in the Ethernet needs to send a message to an IP address, it broadcasts an ARP request, which every host in the Ethernet, including the gateway, receives. The ARP request carries the sender's IP address, the sender's MAC address, the requested (target) IP address and the requested (target) MAC address; since the target MAC address is not yet known, that field is empty. A host that receives the request can store the sender IP address and sender MAC address from the request as an entry in its own ARP table.
A host that receives the ARP request compares the target IP address in the request with its own IP address. If they match, it returns its MAC address to the requesting host in an ARP reply: it places its own MAC address in the "target MAC address" field of the request and returns that message to the requester as the ARP reply, and the requester stores the "target IP address" and "target MAC address" from the reply as an entry in its ARP table, thereby obtaining the MAC address corresponding to the requested IP address. (In RFC 826 the responder's own addresses are carried in the sender fields of the reply; the description and claims below follow the framing used here, in which a reply teaches the target address pair.)
Once an IP address has been resolved to a MAC address in this way, a host keeps the IP address and MAC address in its own ARP table. When it later sends data to that IP address, it looks up the corresponding MAC address in its ARP table and places it in the frame header, and the frame is delivered on the Ethernet according to that MAC address. Because a host's IP address may change, whether through manual reconfiguration or dynamic assignment, the IP-to-MAC mapping in an IP Ethernet changes over time, so ARP table entries are made updatable to follow such changes.
A malicious user in the Ethernet typically attacks the Ethernet during this IP-to-MAC resolution process, exploiting the ARP behaviour described above. A concrete example follows.
Referring to Fig. 1, take an IP Ethernet connected to the Internet. A personal computer (PC) normally accesses the network through this Ethernet as follows:
Taking PC1 as the example, when PC1 needs to reach an external network it first needs the IP address of gateway 1, which is usually statically configured but may also be obtained through another protocol. PC1 then broadcasts an ARP request to all hosts in the Ethernet, including gateway 1. Each host that receives the request stores the IP address and the corresponding hardware address from the request in its own ARP table. By the resolution process described above, the gateway in the IP Ethernet receives the ARP requests sent by every host in the Ethernet, so its ARP table holds the IP address and corresponding hardware address (MAC) of every host, and the gateway communicates with each host according to these entries.
Referring to Fig. 2, suppose a malicious user PC2 in the same Ethernet wants to attack the network. PC2 can impersonate a host in the Ethernet, and thereby attack the IP Ethernet, as follows:
PC2 forges and sends an ARP message that associates PC1's IP address IP1 with PC2's own hardware address MAC2. The message may be an ARP request, in which case the "sender IP address" and "sender MAC address" fields are forged as IP1 and MAC2; or it may be an ARP reply, in which case the "target IP address" and "target MAC address" fields are forged as IP1 and MAC2. By the operating principle of ARP described above, the gateway updates its ARP entry on receipt of this message, overwriting the hardware address originally associated with IP1 with MAC2. From then on, the destination hardware address of data the gateway intended for PC1 is the malicious user's MAC2, so data meant for PC1 is misdelivered to PC2: PC1 no longer receives the data the gateway sends it, PC2 steals PC1's data, and communication between PC1 and the gateway is interrupted. In the same way, the malicious user can impersonate any other host in the IP Ethernet, and such attacks can paralyse the whole Ethernet.
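The resolution steps and the Fig. 2 attack above, worked as an added example that is not code from the patent or from Huawei: it serialises and parses the 28-byte ARP payload of RFC 826 with Python's `struct`, models the unprotected update rule described here (a request teaches the sender pair, a reply teaches the target pair, as this document frames the reply), and shows the gateway's entry for PC1 being overwritten first by a forged request and then by a forged reply. The addresses used for PC1, PC2 and the gateway are constructed for illustration.

```python
"""ARP payload encode/decode plus the unprotected cache update that makes
ARP poisoning work. Added example, not the patent's code; all addresses
are constructed."""
import struct
from ipaddress import IPv4Address

ARP_REQUEST = 1
ARP_REPLY = 2
# htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op, sha, spa, tha, tpa (RFC 826)
_HDR = struct.Struct("!HHBBH6s4s6s4s")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Serialise the 28-byte ARP body that follows the Ethernet header."""
    return _HDR.pack(1, 0x0800, 6, 4, op,
                     mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                     mac_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP body; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < _HDR.size:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = _HDR.unpack(payload[:_HDR.size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa))}


class NaiveArpTable:
    """Update rule of an unprotected host as the page describes it: a request
    teaches (sender_ip, sender_mac), a reply teaches (target_ip, target_mac),
    and either one overwrites an existing entry without any check."""

    def __init__(self) -> None:
        self.entries: dict[str, str] = {}

    def learn(self, payload: bytes) -> None:
        m = parse_arp(payload)
        if m["op"] == ARP_REQUEST:
            self.entries[m["sender_ip"]] = m["sender_mac"]
        elif m["op"] == ARP_REPLY:
            self.entries[m["target_ip"]] = m["target_mac"]


def demo_poisoning() -> dict:
    """Constructed Fig. 2 scenario: PC1 and the gateway are honest, PC2 forges
    a request and then a reply so the gateway maps PC1's IP to MAC2."""
    GW_IP, GW_MAC = "192.168.1.1", "00:00:5e:00:01:01"
    PC1_IP, PC1_MAC = "192.168.1.10", "02:00:00:00:00:01"
    PC2_MAC = "02:00:00:00:00:02"
    zero = "00:00:00:00:00:00"
    gateway = NaiveArpTable()
    # Normal resolution: PC1 asks for the gateway, so the gateway learns PC1's pair.
    gateway.learn(build_arp(ARP_REQUEST, PC1_MAC, PC1_IP, zero, GW_IP))
    before = gateway.entries[PC1_IP]
    # Attack 1: forged request whose sender fields claim PC1's IP comes from MAC2.
    gateway.learn(build_arp(ARP_REQUEST, PC2_MAC, PC1_IP, zero, GW_IP))
    after_request = gateway.entries[PC1_IP]
    # Restore the entry, then attack 2: unsolicited forged reply with target = (PC1_IP, MAC2).
    gateway.entries[PC1_IP] = PC1_MAC
    gateway.learn(build_arp(ARP_REPLY, GW_MAC, GW_IP, PC2_MAC, PC1_IP))
    after_reply = gateway.entries[PC1_IP]
    return {"before": before, "after_forged_request": after_request, "after_forged_reply": after_reply}
```

Both forged messages succeed against `NaiveArpTable` because nothing in ARP authenticates the address pair; the gateway's entry for PC1 ends up pointing at MAC2 either way, which is the precondition the method below is designed to remove.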
As described above, no effective countermeasure currently exists for this kind of host-impersonation attack in an IP Ethernet. As networks become more widespread, defending against attacks directed at the network itself is becoming an important problem in the field of network security.
Summary of the invention
In view of this, the main object of the present invention is to provide a method for preventing host impersonation in an IP Ethernet, so that attacks carried out by a malicious user impersonating a host are prevented and the reliability and security of the network are assured.
The invention discloses a method for preventing impersonation of a host by means of ARP messages in an Internet Protocol (IP) Ethernet, characterised in that the method comprises:
A. A host in the IP Ethernet receives an ARP message;
B. From the IP address in the ARP message received in step A, the host obtains the genuine hardware address of the host in the Ethernet that owns that IP address;
C. The host checks whether the genuine hardware address so obtained agrees with the hardware address in the ARP message received in step A. If so, it updates its ARP table with the IP address and hardware address from the ARP message received in step A; otherwise it leaves its ARP table unchanged.
In step C, if the genuine hardware address and the hardware address in the ARP message received in step A disagree, the method further comprises sending the network administrator a notification that a host-impersonation attack has occurred.
Step A further comprises:
the host storing the IP address and hardware address from the received ARP message;
and step B consists of the host taking the stored IP address and using it to obtain the genuine hardware address of the host in the Ethernet that owns that IP address.
Step B comprises:
the host broadcasting an ARP request to all hosts in the Ethernet, in which the "target IP address" field is the IP address from the ARP message received in step A; the host that owns that IP address, on receiving the request, returns an ARP reply to the host, and this reply carries the genuine hardware address to the host.
In step C, if the genuine hardware address agrees with the hardware address in the ARP message received in step A, the method further comprises:
the host checking whether, within a predefined time, it has received any other ARP reply to the ARP request sent in step B; if not, it carries out the step of updating its ARP table with the IP address and hardware address from the ARP message received in step A; otherwise it leaves its ARP table unchanged.
If the host receives another reply to its ARP request within the predefined time, the method further comprises sending the network administrator a notification that a host-impersonation attack has occurred.
Thus, in the present invention, a host in the IP Ethernet that receives an ARP message does not update its ARP table directly according to the ARP principle. Instead it obtains the genuine hardware address corresponding to the IP address in the ARP message and checks whether the hardware address in the received message agrees with it. If not, it concludes that it is under a host-impersonation attack, does not update its ARP table from the received message, and notifies the network administrator so that the attack can be handled. The invention therefore effectively prevents a malicious user from attacking the IP Ethernet by impersonating a host. With this method an attacker can no longer interrupt the normal traffic of other users in the network, and the administrator is informed of the specifics of the attack promptly so that timely action can be taken. The availability of the network equipment, and hence the reliability of network communication, is preserved as far as possible. The method also guards against attacks in which the malicious user employs the more sophisticated means described in the detailed description.
Brief description of the drawings
Fig. 1 is a schematic diagram of normal access in an IP Ethernet.
Fig. 2 is a schematic diagram of the attack process in an IP Ethernet.
Fig. 3 is a flow chart of the method of the present invention for preventing host impersonation in an IP Ethernet.
Detailed description
The present invention is a method for preventing impersonation of a host by means of ARP messages in an IP Ethernet. In this method, when a host in the Ethernet receives an ARP message, it obtains the genuine hardware address corresponding to the IP address in that message and checks whether this genuine hardware address agrees with the hardware address in the received message. If they disagree, the host is being attacked by a malicious user impersonating a host; it does not update its ARP table with the IP address and hardware address from the received message, and it notifies the network administrator for further handling.
The invention is described below with reference to the drawings.
Taking a gateway as the example, suppose there is a malicious user in the Ethernet who wants to impersonate a host by attacking the gateway. Referring to Fig. 3, the method of the present invention for preventing host impersonation, as carried out by the gateway, comprises the following steps:
Steps 301 to 302: The gateway receives an ARP request or ARP reply sent by a host in the Ethernet. It stores the IP address and the corresponding hardware address (MAC) from the message in memory, and does not immediately update its ARP table with the addresses in the received message. If the received ARP message is an ARP request, it stores the "sender IP address" and "sender MAC address"; if it is an ARP reply, it stores the "target IP address" and "target MAC address".
Step 303: Using the IP address stored in step 302, the gateway broadcasts an ARP request to all hosts in the IP Ethernet, with the "target IP address" field set to the IP address stored in step 302. The host that owns that IP address, on receiving this request, returns its hardware address (MAC) to the gateway in an ARP reply. Through this step the gateway obtains the genuine hardware address corresponding to the stored IP address.
Step 304: The gateway checks whether the hardware address received in step 303 agrees with the hardware address stored in step 302, both of which belong to the same IP address. If they agree, step 306 and the following steps are carried out. If they disagree, the ARP message received in step 301 was forged: a malicious user intends to use it to impersonate a host in the IP Ethernet and thereby attack the Ethernet, and step 305 is carried out.
Step 305: The gateway sends the network administrator a signal, for example an electrical or optical signal, reporting that the Ethernet is under attack, so that the administrator can take appropriate action. The gateway departs from the normal ARP handling and does not update its ARP table with the IP address and hardware address from the ARP message received in step 301. This ends the protection procedure; the gateway continues to send and receive packets according to the IP-to-MAC mapping already in its ARP table. The action taken by the administrator includes obtaining the genuine hardware address for the IP address by a method known to those skilled in the art, such as packet capture, and configuring that genuine hardware address in the ARP table.
Steps 306 to 307: The gateway checks whether, within a predefined time, it has received any other ARP reply to the ARP request sent in step 303. If so, step 305 is carried out. Otherwise the ARP message received in step 301 is a normal message: the gateway updates its ARP table with the IP address and hardware address (MAC) from that message according to the operating principle of ARP, and then processes the message through its normal handling flow.
The purpose of step 306 is as follows. A malicious user in the Ethernet may attack in a more sophisticated way: after receiving the ARP request that the gateway sends in order to obtain the genuine MAC address for the IP address, the malicious user sends the gateway a further ARP reply carrying the forged IP-to-MAC mapping, so that the impersonated hardware address reaches the gateway again and the impersonation continues. In the embodiment of the invention, however, the host being impersonated is certain to send its own ARP reply to the gateway, so under this kind of attack the gateway receives at least two replies to its request. Step 306 therefore checks whether any other reply to the request arrived within the predefined time, to decide whether the gateway is under such an attack: if two or more replies arrive within the predefined time, the gateway is under attack; if not, it is not.
The specific steps above describe the invention as applied to a gateway. The invention can equally be applied to any other host in the IP Ethernet, using the same procedure as on the gateway.
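Steps 301 to 307 above, which are also the method of the Summary and of claims 1 to 6, as an added example that is not the patent's own implementation: a verify-before-update ARP table that holds each claimed address pair in a pending check, queues the verification request the host would broadcast, collects every reply that arrives for that IP inside the waiting window, and then applies the step 304 comparison and the step 306 reply count. No packets are sent; timestamps are plain floats supplied by the caller, the 1-second window and all addresses are constructed assumptions, and what to do when nobody answers the verification request (not specified by the page) is assumed to be "leave the table alone".

```python
"""Verify-before-update ARP cache modelling steps 301-307 of the page.
Added example, not the patent's code. Verification requests are queued
in `outbox` instead of being sent; time is a float the caller supplies."""
from dataclasses import dataclass, field


@dataclass
class PendingCheck:
    claimed_mac: str                 # MAC carried by the ARP message that opened the check (step 302)
    deadline: float                  # end of the predefined waiting window (step 306)
    replies: list[str] = field(default_factory=list)


class VerifyingArpTable:
    def __init__(self, window: float = 1.0) -> None:
        self.entries: dict[str, str] = {}            # the ARP table proper
        self.pending: dict[str, PendingCheck] = {}   # ip -> open check
        self.outbox: list[tuple[str, str]] = []      # ("ARP_REQUEST", target_ip) to broadcast (step 303)
        self.alerts: list[str] = []                  # notifications for the administrator (step 305)
        self.window = window                         # assumed predefined time

    def on_arp(self, ip: str, mac: str, now: float) -> None:
        """Any ARP message claiming (ip, mac). While a check for ip is open the
        message is treated as an answer to our verification request, because the
        host cannot tell a forged reply from the genuine one (steps 303/306);
        otherwise it opens a new check. The table is never updated here."""
        check = self.pending.get(ip)
        if check is not None:
            if now <= check.deadline:
                check.replies.append(mac)
            return
        self.pending[ip] = PendingCheck(mac, now + self.window)
        self.outbox.append(("ARP_REQUEST", ip))

    def tick(self, now: float) -> dict[str, str]:
        """Close every check whose window has elapsed and apply steps 304-307.
        Returns {ip: decision} for the checks closed on this call."""
        decisions: dict[str, str] = {}
        for ip, check in list(self.pending.items()):
            if now < check.deadline:
                continue
            del self.pending[ip]
            if not check.replies:
                # Assumption, not from the page: nobody answered for ip, leave the table alone.
                decisions[ip] = "no_reply"
            elif check.replies[0] != check.claimed_mac:
                # Step 304 -> 305: the owner's reply carries a different MAC.
                self.alerts.append(f"spoofed ARP for {ip}: claimed {check.claimed_mac}, real {check.replies[0]}")
                decisions[ip] = "rejected_mismatch"
            elif len(check.replies) > 1:
                # Step 306 -> 305: more than one reply inside the window.
                self.alerts.append(f"multiple ARP replies for {ip}: {check.replies}")
                decisions[ip] = "rejected_extra_reply"
            else:
                # Step 307: verified, update as ordinary ARP would.
                self.entries[ip] = check.claimed_mac
                decisions[ip] = "accepted"
        return decisions


def run_scenarios() -> dict:
    """Constructed Fig. 2 scenarios: PC1 owns PC1_IP, PC2 is the attacker,
    the table is the gateway's."""
    PC1_IP, PC1_MAC, PC2_MAC = "192.168.1.10", "02:00:00:00:00:01", "02:00:00:00:00:02"
    gw = VerifyingArpTable(window=1.0)
    # 1. Honest: PC1 announces itself and is the only one to answer the verification request.
    gw.on_arp(PC1_IP, PC1_MAC, now=0.0)
    gw.on_arp(PC1_IP, PC1_MAC, now=0.2)
    honest = gw.tick(now=1.0)[PC1_IP]
    # 2. Plain spoof: PC2 claims PC1_IP; only PC1 answers the verification request.
    gw.on_arp(PC1_IP, PC2_MAC, now=2.0)
    gw.on_arp(PC1_IP, PC1_MAC, now=2.2)
    plain = gw.tick(now=3.0)[PC1_IP]
    # 3. The page's "intelligent" attacker: PC2 answers the verification first, then PC1 does.
    gw.on_arp(PC1_IP, PC2_MAC, now=4.0)
    gw.on_arp(PC1_IP, PC2_MAC, now=4.1)
    gw.on_arp(PC1_IP, PC1_MAC, now=4.2)
    smart = gw.tick(now=5.0)[PC1_IP]
    # 4. Limit of the check: PC1 is off the wire, so PC2 is the only one to answer.
    gw.on_arp(PC1_IP, PC2_MAC, now=6.0)
    gw.on_arp(PC1_IP, PC2_MAC, now=6.1)
    absent_owner = gw.tick(now=7.0)[PC1_IP]
    return {"honest": honest, "plain_spoof": plain, "smart_spoof": smart,
            "absent_owner": absent_owner, "table": dict(gw.entries), "alerts": len(gw.alerts)}
```

Scenarios 2 and 3 are rejected through the two branches the page describes (step 304 mismatch, step 306 extra reply). Scenario 4 shows what the page's argument for step 306 takes for granted: the check only distinguishes a forged pair from a genuine one because the genuine owner is on the wire to answer the verification request, so an IP whose owner is absent is accepted on the strength of the attacker's reply alone.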
The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (6)

1. A method for preventing impersonation of a host by means of ARP messages in an Internet Protocol (IP) Ethernet, characterised in that the method comprises:
A. a host in the IP Ethernet receiving an ARP message;
B. the host obtaining, from the IP address in the ARP message received in step A, the genuine hardware address of the host in the Ethernet that owns that IP address;
C. the host checking whether the genuine hardware address so obtained agrees with the hardware address in the ARP message received in step A, and if so updating its ARP table with the IP address and hardware address from the ARP message received in step A, otherwise leaving its ARP table unchanged.
2. The method of claim 1, characterised in that in step C, if the genuine hardware address and the hardware address in the ARP message received in step A disagree, the method further comprises: sending the network administrator a notification that a host-impersonation attack has occurred.
3. The method of claim 1, characterised in that step A further comprises:
the host storing the IP address and hardware address from the received ARP message;
and step B consists of the host taking the stored IP address and obtaining from it the genuine hardware address of the host in the Ethernet that owns that IP address.
4. The method of claim 1, characterised in that step B comprises:
the host broadcasting an ARP request to all hosts in the Ethernet, in which the "target IP address" field is the IP address from the ARP message received in step A; the host that owns that IP address, on receiving the request, returning an ARP reply to the host, the reply carrying the genuine hardware address to the host.
5. The method of claim 4, characterised in that in step C, if the genuine hardware address agrees with the hardware address in the ARP message received in step A, the method further comprises:
the host checking whether, within a predefined time, it has received any other ARP reply to the ARP request sent in step B; if not, carrying out the step of updating its ARP table with the IP address and hardware address from the ARP message received in step A; otherwise leaving its ARP table unchanged.
6. The method of claim 5, characterised in that if the host receives another reply to its ARP request within the predefined time, the method further comprises: sending the network administrator a notification that a host-impersonation attack has occurred.
Application data

Application number: CNB031544614A (CN03154461.4A), filed 2003-09-29, priority date 2003-09-29, Huawei Technologies Co Ltd
Publications: CN1604586A (application, published 2005-04-06); CN100484132C (grant, published 2009-04-29)
Family ID: 34659994
Country: CN
Status: Expired - Fee Related

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1878056B (en) * 2006-07-13 2011-07-20 杭州华三通信技术有限公司 Method for identifying whether there is false network apparatus in local area network or not
CN101094235B (en) * 2007-07-04 2010-11-24 中兴通讯股份有限公司 Method for preventing attack of address resolution protocol
CN101741855B (en) * 2009-12-16 2012-11-28 中兴通讯股份有限公司 Maintenance method of address resolution protocol cache list and network equipment
CN102196054A (en) * 2010-03-11 2011-09-21 正文科技股份有限公司 Routing device and related control circuit
CN102595250A (en) * 2012-03-05 2012-07-18 山东泰信电子有限公司 Method for digital television front end equipment to resist ARP attack
CN102595250B (en) * 2012-03-05 2013-11-06 山东泰信电子股份有限公司 Method for digital television front end equipment to resist ARP attack
CN104219339A (en) * 2014-09-17 2014-12-17 北京金山安全软件有限公司 Method and device for detecting address resolution protocol attack in local area network
CN104883410A (en) * 2015-05-21 2015-09-02 深圳颐和网络科技有限公司 Network transmission method and network transmission device
CN104883410B (en) * 2015-05-21 2018-03-02 上海沪景信息科技有限公司 A kind of network transfer method and network transmission device


Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20090429; termination date: 20180929)