CN1992713A - Method and apparatus for preventing deception of media access control layer - Google Patents

Info

Publication number
CN1992713A
Authority
CN
China
Prior art keywords
access control
control layer
switch
media access
response data
Legal status
Pending
Application number
CNA2005101355238A
Other languages
Chinese (zh)
Inventor
周雷
Current Assignee
Siemens Ltd China
Original Assignee
Siemens Ltd China
Priority date
2005-12-30
Filing date
2005-12-30
Publication date
2007-07-04

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The invention relates to a method, and a corresponding device, for preventing spoofing at the media access control (MAC) layer. The method comprises: a start-up step, in which a switch in a local area network records the MAC address of an original host and the switch port on which that host is located, stores them in a link layer forwarding table, and generates a detection start signal when it receives, on another port, a packet whose source MAC address is the same as that of the original host; a detection step, in which a request packet that a remote host will answer automatically is generated and sent, through at least one port of the switch, to the remote host(s) carrying the MAC address of the original host; and a processing step, in which the switch acts according to the response packets returned by the remote host(s). The invention improves network security and accuracy.

Description

A method and device for preventing spoofing at the media access control layer
Technical field
The present invention relates to the field of network communication, in particular to network communication security, and specifically to a method and device for preventing spoofing at the media access control layer.
Background technology
With the continued deepening of national informatization, in particular the national industrial policy of "using informatization to drive industrialization", the expansion of domestic demand, increased infrastructure construction, the strategy to develop the western regions and the related policies that have emerged, the domestic computer and network service market has achieved sustained, healthy and rapid development.
The rapid development of networks is driving the informatization of society, and information projects in telecommunications, electric power, e-government and e-commerce are being carried out at full speed. Yet as networks have matured, the viruses and hacker threats they face have grown by the day, and a complete network security solution has become a pressing requirement for the healthy development of networks in every industry.
Investigations show that most networks today suffer from attacks both from inside and from outside, comprising harm to the data in the network and harm to the network equipment. Specifically, the main sources of harm to network security are: unauthorized access, that is, improper or unauthorized use of network equipment and information resources; impersonation of legitimate users, that is, using various forms of forgery or deception to illegally obtain the access rights of a legitimate user in order to occupy that user's resources; destruction of data integrity, that is, using illegal means to delete, modify or retransmit important information in order to interfere with normal use by users and normal operation of the system; viruses and malicious attacks, that is, viruses or malicious Java, ActiveX and similar content spread over the network; and eavesdropping, that is, obtaining information illegally by exploiting electromagnetic leakage of the communication medium or by wiretapping.
In a TCP/IP network a computer usually has to be assigned an IP address before it can communicate, yet the actual communication between computers does not take place by IP address but by means of the media access control layer address (MAC address) of the network interface card. The IP address is only used to look up the MAC address of the destination computer with which communication is desired.
The Address Resolution Protocol (ARP) is used to inform the peer computer or network device of the MAC address corresponding to one's own IP address. A computer's ARP cache contains one or more tables that store resolved IP addresses and their Ethernet MAC addresses. After a computer has communicated with another IP address, the corresponding MAC address is kept in the ARP cache, so the next time it communicates with the same IP address it no longer queries for the MAC address but uses the one in the cache directly.
In a switched network the switch likewise maintains a MAC address table (the link layer forwarding table) and delivers data to the destination computer according to MAC address. In a local area network (LAN) a switch is a network device that identifies hosts by MAC address and can encapsulate and forward packets. A switch "learns" MAC addresses and their corresponding switch port numbers and stores them in an internal MAC address table; by setting up a temporary switching path between the sender of a data frame and the target receiver it lets the frame reach the destination address directly from the source address. This address table is not only refreshed automatically at intervals; some switches also accept updates without any authorization. This poses a serious hidden danger to network security: an attacker can forge or imitate the MAC address of another host and send frames with that address to the switch, causing the switch to learn it and automatically update its MAC address table, which changes the switch port associated with that MAC address. The attacker's computer thereby deceives the switch into believing that the original host has changed switch ports, so the switch changes the port on which it transmits, and the data destined for the original host is delivered, in a seemingly legitimate way, to the attacker's computer, until the original host sends a packet to the switch and the switch, through its automatic learning process, changes the corresponding entry in the current address table back to the correct value.
Three schemes are available in the prior art. Scheme 1 and scheme 2 realize the same function, namely binding the MAC address of a specific host to a specific switch port; scheme 3 binds both the MAC address and the IP address of a specific host to a specific switch port.
1. Scheme 1: MAC address binding based on port
A specific MAC address is bound to a given port on the switch, so that only that host can use the network. If the network interface card of that host is replaced, or another PC wants to use the network through that port, the network is unavailable unless the MAC address bound to that port is deleted or modified.
2. Scheme 2: extended access list based on MAC address
This is a MAC-address-based access control list (ACL) restriction applied to a port; it can restrict the range of particular source MAC addresses and destination addresses.
3. Scheme 3: MAC address binding to IP address
The IP-MAC binding function can only be achieved by combining scheme 1 or 2 with an IP-based access control list.
Of the applications mentioned above, scheme 1 is based on binding the host MAC address to the switch port, and scheme 2 is based on a MAC address access control list; the functions the first two schemes realize are essentially the same. Binding IP and MAC addresses can only be achieved by scheme 3, in which scheme 1 or scheme 2 is combined, as required, with an IP access list to obtain the desired effect.
The above methods can prevent others inside the local area network (LAN) from forging or imitating the MAC address of the original host in order to communicate, but they require a great deal of manual operation and are unsatisfactory in terms of cost and flexibility.
At present data can also be encrypted with the network security protocol IPsec (Internet Protocol security); then, even if the attacker's computer has deceived the switch and obtained the packets sent to the original host, it still cannot decrypt them and so cannot obtain their contents. However, IPsec is usually applied to virtual private networks (VPN), its use also has an adverse effect on the operation of LAN switches, and it is usually difficult to configure.
Summary of the invention
The object of the present invention is to provide a method for preventing spoofing at the media access control layer which sends a detection packet to verify whether it is really the original host that has changed port.
Another object of the present invention is to provide a device for preventing spoofing at the media access control layer which checks whether the port of the original host has changed and takes corresponding action to prevent attacks in the network.
A method for preventing spoofing at the media access control layer comprises the following steps:
a start-up step, in which, in a LAN environment, the switch records the media access control layer address of the original host and the information on the port of the switch on which the original host is located and stores them in a link layer forwarding table, and generates a detection start signal when the switch receives, on at least one other port, a packet sent by a host whose media access control layer address is identical to that of an original host already present in the network;
a detection step, following the start-up step, in which a request packet that a remote host will answer automatically is generated and sent, through at least one port of the switch, to at least one remote host in the LAN that carries the media access control layer address of the original host;
a processing step, in which corresponding processing is carried out according to the response packet(s) automatically returned by at least one remote host.
The processing step further comprises the following steps:
step 1: if the switch receives only one response packet, on the port where the original host is located, and the source media access control layer address of that response packet is identical to the media access control layer address of the original host, the original link layer forwarding table of the switch is kept;
step 2: if the switch receives only one response packet, on the other port, and the source media access control layer address of that response packet is identical to the media access control layer address of the original host, the link layer forwarding table of the switch is updated;
step 3: if the switch receives at least two response packets, the original link layer forwarding table of the switch is kept.
After step 1 and step 3 there is a further step of generating a warning message and sending it to the network user.
The request packet and the response packet are packets of the echo request type and the echo reply type respectively.
The code in the protocol field of the request packet and the response packet may be any link layer protocol code.
A device for preventing spoofing at the media access control layer in a LAN environment comprises:
a start-up module, which generates a detection start signal when the switch receives, on at least one other port, a packet sent by a host whose media access control layer address is identical to that of an original host already present in the network;
a detection module, connected to the start-up module, for generating a request packet that a remote host will answer automatically and sending it, through at least one port of the switch, to at least one remote host in the LAN that carries the media access control layer address of the original host;
a processing module, connected to the detection module, for carrying out corresponding processing on the link layer forwarding table of the switch according to the response packet(s) automatically returned by at least one remote host.
The device further comprises an update module, connected to the processing module, for updating the link layer forwarding table of the switch.
The device further comprises an alarm module, connected to the processing module, for generating a warning message and sending it to the network user.
The beneficial effect of the present invention is that spoofing at the media access control layer is resolved with a simple structure and without a great deal of manual operation, making the LAN more secure.
Description of drawings
Fig. 1A to Fig. 1C are schematic diagrams of one embodiment of the invention;
Fig. 2 is a flow chart of the invention;
Fig. 3 is a structural diagram of the device of the invention.
Embodiment
The present invention is described in detail below with reference to the accompanying drawings.
Fig. 1A to Fig. 1C are schematic diagrams of one embodiment of the invention. As shown in the figures, the LAN environment is configured as follows:
the MAC address of the original host is 00:04:9A:AD:1C:0A, denoted MAC1, and its corresponding port on the switch (SWITCH) is port 1;
the MAC address of the attacker's host is 00:E0:3C:43:0D:24, denoted MAC2, and its corresponding port on the switch is port 2.
Fig. 1A shows the attacker's host sending a spoofed packet to the switch with the forged MAC address MAC1 of the original host. The source MAC address of this packet is MAC1. The aim is to have the link layer forwarding table on the switch updated so that the switch moves the port used for data exchange between other hosts and the original host from the original port 1 to another port, port 2, where the attacker's host is located, so that the attacker's host can receive, in a seemingly legitimate way, the data that should have been sent to the original host.
Fig. 1B shows the switch starting the detection flow: through two ports of the switch, port 1 and port 2, it sends a detection packet of the echo request type to the host(s) carrying the MAC1 address (which includes the original host and the attacker's host). The destination address of this detection packet is MAC1 and the source MAC address is the MAC address of the corresponding switch port.
Fig. 1C shows the original host returning a response packet of the echo reply type to the switch. The port on which the switch receives this response packet is still port 1, unchanged, and the source MAC address of the response packet is MAC1, while the attacker's host returns no corresponding response packet. The switch can therefore conclude that the packet it received in Fig. 1A was a spoofed packet, and it does not change its MAC address table. Optionally, a warning message can also be sent to the network administrator.
Fig. 2 is a flow chart of the invention. In step S21 the switch operates normally, forwarding data and so on. In step S22 it is determined whether the switch has received, on another port (possibly several ports), a packet whose source MAC address is identical to the MAC address of some original host in the network, which would require the switch MAC address table to be updated; if an update is required the flow proceeds to step S23, otherwise it returns to step S21. In step S23 detection is started. In step S24 a request packet requiring an automatic response is sent to the port(s) on which that packet was received and to the port where the original host is located; the source MAC address of the request packet is the MAC address of the corresponding switch port and the destination MAC address is the conflicting original host MAC address. In step S25 the received response packets are evaluated. In step S26, if the switch receives only one response packet, its source MAC address is the MAC address of the original host, and it comes from the port where the original host is located, the flow proceeds to step S29. In step S27, if the switch receives response packets on two or more ports, the flow proceeds to step S29. In step S28, if the switch receives only one response packet, its source MAC address is the MAC address of the original host, and it comes from a new switch port, this proves that the switch has not been deceived but that the port of the original host on the switch has really changed and the operation is reliable, so the flow proceeds to step S30. In step S29 the switch MAC address table is not updated and a warning message is generated and sent to the administrator or to a configured host. In step S30 the switch MAC address table is updated. In step S31 the detection process ends.
The detection method of the invention can be added to an existing network link layer protocol. The code defined in the protocol field of the request packet and the response packet may use an existing network link layer protocol code, for example a modified and extended ARP protocol, or a new link layer protocol may be defined, that is, a new protocol code may be defined in the protocol field of the Ethernet header; the data field need not contain any data, or it may contain just one field indicating whether the packet is of the "request" or the "response" type.
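The following is an added simulation of the switch-side check described by the flow chart and the packet format above; it is not code from the patent. It models a switch forwarding table, the echo request/response exchange on the original and the conflicting port, and the three decisions of claim 2; the frame layout (an Ethernet header with a placeholder protocol code ETHERTYPE_CHECK and a one-byte request/response field), the per-port switch MAC addresses and the treatment of the zero-reply case are assumptions made here.

```python
"""Constructed simulation of the MAC-spoofing check in CN1992713A (not the
patent's own code). The switch keeps a forwarding table (MAC -> port). When a
frame with an already-learned source MAC arrives on a different port, it does
not relearn at once: it sends an echo request for that MAC out of the original
port and the conflicting port and decides from the replies (steps S24-S30).
"""
import struct

ETHERTYPE_CHECK = 0x88B5     # placeholder protocol code (IEEE 802 local experimental EtherType)
REQUEST, RESPONSE = 0x01, 0x02   # the single type field allowed in the data part

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)

def build_frame(dst, src, kind):
    """Ethernet header (dst, src, protocol code) followed by one type byte."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!HB", ETHERTYPE_CHECK, kind)

def parse_frame(frame):
    dst, src = frame[:6], frame[6:12]
    etype, kind = struct.unpack("!HB", frame[12:15])
    return mac_str(dst), mac_str(src), etype, kind

class Host:
    """A NIC answers an echo request only if the destination is the address it
    really holds; a host spoofing MAC1 from a NIC holding MAC2 stays silent (Fig. 1C)."""
    def __init__(self, nic_mac):
        self.nic_mac = nic_mac

    def receive(self, frame):
        dst, src, etype, kind = parse_frame(frame)
        if etype == ETHERTYPE_CHECK and kind == REQUEST and dst == self.nic_mac:
            return build_frame(src, self.nic_mac, RESPONSE)
        return None

class Switch:
    def __init__(self):
        self.fdb = {}       # MAC -> port (link layer forwarding table)
        self.hosts = {}     # port -> Host attached to that port
        self.alarms = []    # warning messages (alarm module)

    def attach(self, port, host):
        self.hosts[port] = host

    def detach(self, port):
        self.hosts.pop(port, None)

    def port_mac(self, port):
        return f"02:00:00:00:00:{port:02X}"   # constructed per-port switch MAC

    def echo_check(self, mac, ports):
        """Steps S24/S25: request out of each port, collect (port, source MAC) replies."""
        replies = []
        for p in ports:
            host = self.hosts.get(p)
            reply = host.receive(build_frame(mac, self.port_mac(p), REQUEST)) if host else None
            if reply is not None:
                _, src, etype, kind = parse_frame(reply)
                if etype == ETHERTYPE_CHECK and kind == RESPONSE and src == mac:
                    replies.append((p, src))
        return replies

    def decide(self, orig_port, replies):
        """Claim 2: update only when exactly one reply arrives on the new port
        (step 2 / S28); one reply on the original port (step 1 / S26) or two or
        more replies (step 3 / S27) keep the table. Zero replies are treated as
        keep here; the patent does not specify that case (assumption)."""
        if len(replies) == 1 and replies[0][0] != orig_port:
            return "update"
        return "keep"

    def receive_frame(self, src_mac, in_port):
        """Source-MAC learning with the spoof check in front of the table update."""
        learned = self.fdb.get(src_mac)
        if learned is None or learned == in_port:
            self.fdb[src_mac] = in_port
            return "forward"
        decision = self.decide(learned, self.echo_check(src_mac, [learned, in_port]))
        if decision == "update":
            self.fdb[src_mac] = in_port
        else:   # steps 1 and 3 also raise a warning (S29)
            self.alarms.append(f"possible MAC spoofing of {src_mac}: frame on port "
                               f"{in_port}, table says port {learned}")
        return decision
```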
Fig. 3 is a structural diagram of the device of the invention. The start-up module generates a detection start signal when it determines that the switch has received, from a host on another port, a packet whose media access control layer address is identical to that of an original host already present in the network. The detection module, connected to the start-up module, receives the start signal sent by the start-up module, generates a request packet that a remote host will answer automatically, and sends it to at least one host in the LAN that carries the media access control layer address of the original host. The processing module, connected to the detection module, receives the response packet(s) and determines, according to the response packet(s) automatically returned by the remote host(s), whether the MAC address table of the switch should be updated. The update module, connected to the processing module, updates the MAC address table of the switch under the control of the processing module. The alarm module, connected to the processing module, generates a warning message and sends it to the network user under the control of the processing module.
The beneficial effect of the present invention is that it solves the problem of MAC address spoofing: simple steps are used to supervise updates of the switch MAC address table in the local area network (LAN), the security of the whole network is improved, a large amount of manual operation is avoided, and accuracy is higher.
The above embodiment serves only to illustrate the present invention and not to limit it.

Claims (8)

1. A method for preventing spoofing at the media access control layer, characterized in that it comprises the following steps:
a start-up step, in which, in a LAN environment, the switch records the media access control layer address of the original host and the information on the port of the switch on which the original host is located and stores them in a link layer forwarding table, and generates a detection start signal when the switch receives, on at least one other port, a packet sent by a host whose media access control layer address is identical to that of an original host already present in the network;
a detection step, following the start-up step, in which a request packet that a remote host will answer automatically is generated and sent, through at least one port of the switch, to at least one remote host in the LAN that carries the media access control layer address of the original host;
a processing step, in which corresponding processing is carried out according to the response packet(s) automatically returned by at least one remote host.
2. The method for preventing spoofing at the media access control layer according to claim 1, characterized in that the processing step further comprises the following steps:
step 1: if the switch receives only one response packet, on the port where the original host is located, and the source media access control layer address of that response packet is identical to the media access control layer address of the original host, the original link layer forwarding table of the switch is kept;
step 2: if the switch receives only one response packet, on the other port, and the source media access control layer address of that response packet is identical to the media access control layer address of the original host, the link layer forwarding table of the switch is updated;
step 3: if the switch receives at least two response packets, the original link layer forwarding table of the switch is kept.
3. The method for preventing spoofing at the media access control layer according to claim 2, characterized in that it further comprises, after step 1 and step 3, a step of generating a warning message and sending it to the network user.
4. The method for preventing spoofing at the media access control layer according to claim 1, characterized in that the request packet and the response packet are packets of the echo request type and the echo reply type respectively.
5. The method for preventing spoofing at the media access control layer according to claim 4, characterized in that the code in the protocol field of the request packet and the response packet is any link layer protocol code.
6. A device for preventing spoofing at the media access control layer in a LAN environment, characterized in that it comprises:
a start-up module, which generates a detection start signal when the switch receives, on at least one other port, a packet sent by a host whose media access control layer address is identical to that of an original host already present in the network;
a detection module, connected to the start-up module, for generating a request packet that a remote host will answer automatically and sending it, through at least one port of the switch, to at least one remote host in the LAN that carries the media access control layer address of the original host;
a processing module, connected to the detection module, for carrying out corresponding processing on the link layer forwarding table of the switch according to the response packet(s) automatically returned by at least one remote host.
7. The device for preventing spoofing at the media access control layer according to claim 6, characterized in that it further comprises an update module, connected to the processing module, for updating the link layer forwarding table of the switch.
8. The device for preventing spoofing at the media access control layer according to claim 6, characterized in that it further comprises an alarm module, connected to the processing module, for generating a warning message and sending it to the network user.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2005101355238A CN1992713A (en) 2005-12-30 2005-12-30 Method and apparatus for preventing deception of media access control layer

Publications (1)

Publication Number Publication Date
CN1992713A true CN1992713A (en) 2007-07-04

Family

ID=38214660

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101626343B (en) * 2009-08-05 2012-04-04 Huawei Technologies Co., Ltd. Method and apparatus for exchanging data packet, and communication device
CN102546526A (en) * 2010-12-11 2012-07-04 Shanghai Baud Data Communication Co., Ltd. ACL (access control list) capable of simultaneously controlling access of IP (internet protocol) and MAC (media access control) and filtering method
CN102546526B (en) * 2010-12-11 2016-12-14 Shanghai Baud Data Communication Co., Ltd. A filtering method that controls access by IP and MAC simultaneously
CN107071085A (en) * 2017-04-19 2017-08-18 New H3C Technologies Co., Ltd. Network equipment MAC address configuration method and device
CN111030971A (en) * 2019-03-21 2020-04-17 Harbin Antiy Technology Group Co., Ltd. Distributed access control method and device and storage equipment
CN111030971B (en) * 2019-03-21 2023-07-11 Antiy Technology Group Co., Ltd. Distributed access control method, device and storage equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20070704