WO2011140795A1 - 一种防止介质访问控制地址欺骗攻击的方法和交换设备 - Google Patents
一种防止介质访问控制地址欺骗攻击的方法和交换设备 Download PDFInfo
- Publication number
- WO2011140795A1 WO2011140795A1 PCT/CN2010/078957 CN2010078957W WO2011140795A1 WO 2011140795 A1 WO2011140795 A1 WO 2011140795A1 CN 2010078957 W CN2010078957 W CN 2010078957W WO 2011140795 A1 WO2011140795 A1 WO 2011140795A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- dhcp
- mac address
- message
- packet
- user
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
Definitions
- the present invention relates to the field of communications technologies, and in particular, to a method and a switching device for preventing a MAC access control (MAC, Media Access Control) address spoofing attack.
- MAC MAC access control
- Background technique MAC, Media Access Control
- DHCP Dynamic Host Configuration Protocol
- a DHCP server (Server) is usually used to complete IP address allocation.
- the DHCP protocol itself is not secure. There is a risk of being attacked in the network environment where the DHCP protocol is applied.
- the attacker can use the analog sending software to send a large number of packets falsified by the source MAC.
- the content addressable memory (CAM) of the switch is quickly congested by the attacker and overflows.
- the new MAC address cannot be learned.
- the message will be in the virtual local area network (VLAN). All ports generate broadcasts. The attacker can use the broadcast of all the ports on the VLAN to perform traffic monitoring, scan the useful information, and spread the broadcast storm from the attacker through the MAC address attack, so that the switch works as a hub (HUB), thereby achieving the purpose of DoS. Security risks.
- VLAN virtual local area network
- the attacker can also pretend to be a legitimate user's MAC address to send data packets.
- the switching device will learn the MAC address of the malicious user. This will cause the legal user MAC address to learn and migrate, and the device will be forwarded. Users cannot access the network normally. Summary of the invention
- the present invention provides a method and a switching device for preventing a MAC address spoofing attack, which solves the problem that a security risk exists in a DHCP in the prior art, so that a normal user is at risk of being attacked.
- the present invention provides a method for preventing a MAC address spoofing attack.
- the method includes: when receiving a non-DHCP message sent by a user port, the switching device detects the non-DHCP based on a pre-configured static MAC address table. The legality of the packet is discarded when the non-DHCP text is invalid.
- the static MAC address table includes: a MAC address corresponding to the user who has completed the IP address application through DHCP, and a user port number bound to the MAC address.
- the non-DHCP packet is invalid:
- the source MAC address of the non-DHCP packet is not in the pre-configured static MAC address table; or the source MAC address of the non-DHCP packet is in the static MAC address table, but the receiving port number of the non-DHCP packet It does not correspond to the user port number in the static MAC address entry.
- the method further includes: when the switching device receives the non-DHCP message sent by the DHCP server or the aggregation switch, determining whether the source MAC address of the non-DHCP message is a dynamic MAC maintained by the switching device In the address table, if yes, forwarding the non-DHCP message; otherwise, learning the source MAC address of the non-DHCP message to the port receiving the message, and forwarding the non-DHCP message.
- the method further includes: when the DHCP device receives the DHCP message, the DHCP user information binding table is created, updated, or deleted based on the type of the DHCP message, and the DHCP message is completed. Forwarding.
- the configuration of the static MAC address table includes:
- the switching device updates the created ACK message based on the ACK message when receiving the DHCP message and the type of the DHCP message is an ACK (ACK) character
- the DHCP user information binding table is configured, and the user MAC address and the user port number in the updated DHCP user information binding table are configured into the static MAC address table.
- the configuration of the static MAC address table includes:
- the type of the DHCP message received by the switching device is a release message (Release) or a reject message (Decline), or when the lease term expires in the DHCP user information binding table, And deleting the MAC address information of the corresponding user in the static MAC address table.
- the present invention further provides a switching device, including: a message receiving module, and a non-DHCP message forwarding/filtering module;
- a packet receiving module configured to trigger a non-DHCP packet forwarding/filtering module when receiving a non-DHCP message sent by the user port side;
- the non-DHCP message forwarding/filtering module is configured to detect the validity of the non-DHCP message based on the pre-configured static MAC address table, and discard the non-DHCP message when the non-DHCP message is invalid. .
- the switching device further includes a MAC address table module for storing a static MAC address table.
- the non-DHCP packet in the non-DHCP packet forwarding/filtering module is invalid:
- the source MAC address of the non-DHCP packet is not in the pre-configured static MAC address table; or the source MAC address of the non-DHCP packet is in the static MAC address table, but the receiving port number of the non-DHCP packet It does not correspond to the user port number in the static MAC address entry.
- the switching device further includes: a DHCP packet listening module;
- the packet receiving module is further configured to trigger the DHCP packet listening module when receiving a DHCP message.
- the DHCP packet listening module is configured to perform DHCP based on the type of the DHCP packet. Create, update, or delete the user information binding table, and complete the forwarding of the DHCP message.
- the DHCP message listening module updates the created DHCP user information binding table based on the ACK message when the DHCP message type is an ACK message, and updates the updated DHCP user information.
- the user MAC address and user port number in the binding table are configured into the static MAC address table.
- the method provided by the present invention performs source MAC address filtering on the packet from the user port side according to the static MAC address table, and discards the packet whose source MAC address is not in the static MAC address table, thereby preventing the access device.
- MAC address spoofing and effectively avoids the migration of the MAC address protocol on the switching device, causing data forwarding disorder and causing users to suffer DoS attacks.
- FIG. 1 is a schematic diagram of a basic structure of an access network
- FIG. 3 is a schematic structural diagram of a switching device provided by the present invention
- FIG. 4 is a schematic flowchart of processing a DHCP packet by a DHCP snooping module according to the present invention
- FIG. 5 is a flow of processing a non-DHCP packet by a non-DHCP packet forwarding/filtering module according to the present invention
- Schematic diagram Schematic diagram. detailed description
- the present invention provides a method and switching device for preventing MAC address spoofing attacks.
- the access network to which the method is applied is first described briefly, as shown in FIG. 1, which is a basic structure diagram of the access network.
- the access network includes a user terminal, a switching device, and a DHCP server.
- the user terminal generally a PC, obtains an IP address and other configuration information through a DHCP protocol as a DHCP client.
- the switching device forwards the packet according to the MAC address.
- the DHCP server processes the DHCP request of the user terminal and assigns it to the DHCP client to include configuration information such as IP, gateway, and DNS.
- the method of the present invention is to set the port of the switching device to the user terminal as an untrusted port; and set the port connected to the legal DHCP server or the uplink port connected to the aggregation switch as a trusted port.
- the untrusted port the MAC address learning is disabled, and the source MAC address is checked for packets other than DHCP.
- the trusted port dynamic MAC address learning is performed, and the source MAC address is not checked.
- Step S201 The switching device receives the non-DHCP sent by the user port side (ie, the untrusted port). Message
- the method further includes: when the DHCP device receives the DHCP message, the DHCP user information binding table is created, updated, or deleted according to the type of the DHCP message, and the DHCP message is forwarded; for example: When the type of the DHCP message is an ACK message, the created DHCP user information binding table is updated based on the ACK message, and the user MAC address and the user port number in the updated DHCP user information binding table are configured. In the static MAC address table, when the type of the DHCP message is Release or Decline, or when the lease of an entry in the DHCP user information binding table expires, delete the corresponding in the static MAC address table. User's MAC address information.
- the step further includes: when the switching device receives the non-DHCP message sent by the DHCP server or the aggregation switch, determining whether the source MAC address of the non-DHCP message is in the dynamic MAC address table maintained by the switching device, if And forwarding the non-DHCP message; otherwise, the source MAC address of the non-DHCP message is learned to the port that receives the message, and the non-DHCP message is forwarded.
- Step S202 Detect the validity of the non-DHCP message based on the pre-configured static MAC address table. If yes, go to step S203; otherwise, go to step S204.
- the static MAC address table includes: a MAC address corresponding to the user who has completed the IP address application through DHCP, and a user port number bound to the MAC address;
- the source MAC address of the non-DHCP message is not in the pre-configured static MAC address table; or the source MAC address of the non-DHCP message is in the static MAC address table.
- the receiving port number of the non-DHCP packet does not correspond to the user port number in the static MAC address entry.
- step S203 the destination MAC address of the non-DHCP message is searched, and if it is found, the forwarding is performed according to the destination MAC address; if not found, the forwarding is completed by using the broadcast mode.
- Step S204 Discard the non-DHCP message.
- the method provided by the present invention effectively prevents MAC address spoofing of the access device, and effectively avoids the migration of the MAC address protocol on the switching device, causing data forwarding disorder and causing the user to suffer a Dos attack.
- the method of the present invention will be described below in conjunction with the specific structure of the switching device, so that it can better illustrate the specific implementation process of the method provided by the present invention.
- the switching device includes: a packet receiving module 310, a non-DHCP packet forwarding/filtering module 320, a MAC address table module 330, and a DHCP packet.
- Listening module 340 wherein:
- the packet receiving module 310 Receives the packet sent by the trusted port and the untrusted port, and extracts the DHCP packet from the received packet according to the characteristics of the DHCP protocol packet, and the DHCP packet and its corresponding user port are received. The information is transmitted to the DHCP snooping module 340. The non-DHCP message and its corresponding user port information are transmitted to the non-DHCP packet forwarding/filtering module 320.
- the non-DHCP packet forwarding/filtering module 320 detects the user port information of the packet when receiving the non-DHCP packet, and if the user port information is an untrusted port, based on the static MAC address entry in the MAC address table module 330, The source MAC address of the non-DHCP packet is checked for validity. If the non-DHCP packet is invalid, the non-DHCP packet is discarded. Otherwise, the destination MAC address of the non-DHCP packet is obtained.
- the destination MAC address looks up the MAC forwarding table stored in the switching device, and forwards the received packet according to the port corresponding to the MAC address stored in the MAC forwarding table; however, if the destination MAC address is not found in the MAC forwarding table, The message is forwarded by broadcast to all ports except the receiving port.
- the non-DHCP packet is invalid.
- the source MAC address of the non-DHCP packet does not exist in the static MAC address entry in the MAC address table module 330, or the source MAC address of the non-DHCP packet is in the static state.
- the receiving port of the non-DHCP packet does not correspond to the user port number recorded in the static MAC address entry.
- the user port information is a trusted port, it is determined whether the source MAC address of the non-DHCP message is in the dynamic MAC address table in the MAC address table module 330, and if so, according to the destination MAC address and the switching device.
- the stored MAC forwarding table forwards the packet; otherwise, the source MAC address of the non-DHCP packet is learned to the port receiving the packet, and the MAC address table stored in the switching device is based on the destination MAC address of the packet. Forward the message.
- the message is forwarded to all ports except the receiving port by broadcasting.
- the MAC address table module 330 The module is a non-DHCP message forwarding/filtering module 320 packet forwarding and filtering basis; a static MAC address table and a dynamic MAC address table are saved, and the dynamic MAC address is a non-DHCP packet forwarding/filtering module 320.
- the trusted MAC address table is configured by the DHCP snooping module according to the DHCP user information binding table.
- the DHCP packet listening module 340 After the DHCP message is received, the DHCP user information binding table is created, updated, or deleted based on the type of the DHCP message, and the DHCP message is forwarded. Preferably, the DHCP packet listening module further configures the static MAC address table in the MAC address table module 330 based on the created DHCP user information binding table.
- the DHCP packet listening module 340 includes: a DHCP packet parsing module 341, a DHCP user information binding table module 342, and a DHCP packet forwarding module 343.
- the DHCP packet parsing module 341 is configured to parse the received DHCP packet and obtain user configuration information, which is used to create and maintain a DHCP user information binding table.
- the configuration information includes an IP address, a MAC address, user port information, and a lease duration.
- the DHCP user information binding table module 342 generates, maintains, or updates a binding table according to the user configuration information obtained by the DHCP packet parsing module 341, where the binding table includes: an IP address, a lease period, User port, MAC address. Each entry in the binding table has a timer that ages according to the lease period.
- the following describes the process of creating, maintaining, and updating a DHCP user information binding table in combination with the type of the DHCP message.
- the DHCP user information binding table is used to describe the configuration process of the static MAC address table. The details include:
- the DHCP user information binding table is created based on the configuration information of the packet, and the user MAC address is entered.
- the user port is set to 60 seconds. There is no user IP at this time, and the IP is set to 0.
- the received DHCP message is a request message (Request)
- If the received DHCP message is a request message (Request), check whether there is a corresponding DHCP user information binding table. If it does not exist, create a DHCP user information binding table. Otherwise, maintain the current DHCP user. Information binding table.
- the binding table is updated, and the IP address assigned to the user is set to the corresponding DHCP user information binding table.
- set the lease period to the lease period in the packet set the user MAC and user port in the binding table to the static MAC address table, and bind the MAC address to the user port.
- the received DHCP message is Release or Decline, delete the DHCP user information binding entry of the user and delete the user MAC address information in the static MAC address table to remove the binding relationship between the user MAC address and the user port.
- the corresponding user binding table is deleted, and the user MAC address information in the static MAC address table is deleted, and the association between the user MAC address and the user port is released.
- DHCP packet forwarding module 343 To increase the security of the DHCP protocol application, and reduce the transmission of the broadcast packets of the Layer 2 network, and save the network bandwidth resources.
- the DHCP packet forwarding is forwarded according to the created DHCP user information binding table. Specifically, for the DHCP request message, the root According to the attribute of the interface, only the trusted port is forwarded.
- the DHCP user information binding table is queried according to the MAC address of the user host obtained from the packet, and the DHCP is forwarded to the user port in the DHCP user information binding table. Message.
- Step S401 The DHCP snooping module receives the DHCP message transmitted from the packet receiving module.
- Step S402 Parse the DHCP packet to obtain user configuration information.
- Step S403 Determine whether the type of the DHCP message is a request message or a response message. If the request message is a request message, step S404 is performed; if the response message is a response message, step S408 is performed.
- Step S404 Determine whether it is a Discover or Request message, if yes, go to step S405; if not, request the message to be a Release or Decline message, and go to step S406.
- Step S405 For the Discover or Request message, check whether the corresponding DHCP user information binding table exists. If the DHCP user information binding table does not exist, the DHCP user information binding table is created, and the packet is forwarded to the trusted port, and the process ends.
- Step S406 For the Release or Decline message, delete the DHCP user information binding entry of the corresponding user, delete the user MAC address in the static MAC address table, and release the binding relationship with the user port.
- Step S407 Forwarding the packet to the trusted port, and the process ends.
- Step S408 Determine, according to the response packet, whether the packet receiving port is a trusted port, if it is a non-trusted port, go to step S409; if it is a trusted port, go to step S410.
- Step S409 discarding the text.
- Step S410 Perform an update or delete operation on the DHCP user information binding table according to the type of the response packet, and complete the packet forwarding according to the MAC address in the packet.
- the response packet is an ACK packet
- the related information is obtained from the packet, and the update is performed.
- the DHCP user information binding table (that is, the IP address and lease information in the update entry) sets the user MAC address and user port in the updated DHCP user information binding table to the static MAC address table to make the MAC address. Binding to the user port; and forwarding the ACK packet according to the user MAC address and the user port in the updated DHCP user information binding table;
- the Offer packet is forwarded according to the user MAC and the user access port in the DHCP user information binding table.
- the NAK packet is forwarded according to the user MAC address and the user access port in the DHCP user information binding table, and the DHCP user information binding entry corresponding to the user is deleted, and the static MAC address is deleted.
- User MAC address in the table, and the binding relationship with the user port is released.
- the process of processing the packet by the non-DHCP packet forwarding/filtering module includes the following steps:
- Step S501 Receive a non-DHCP message.
- Step S502 Determine whether the received non-DHCP message port is a trusted port or an untrusted port. If the port is a trusted port, go to step S506. If the port is a non-trusted port, go to step S503.
- Step S503 If the packet from the untrusted port is based on the static MAC address table, check whether the non-DHCP message is legal. If yes, go to step S505; otherwise, go to step S504.
- Step S504 Discard the non-DHCP message, and the process ends.
- Step S505 Perform packet forwarding, and the process ends.
- Step S506 Check whether the source MAC address of the packet is in the MAC forwarding table of the switching device for the packet from the trusted port. If yes, go to step S508; otherwise, go to step S507.
- Step S507 Perform dynamic MAC address learning on the source MAC address of the packet, and then perform step S508.
- Step S508 performing " ⁇ text forwarding.
- the method and apparatus provided by the present invention are based on a configured static MAC address table for users from users
- the non-DHCP text on the port is filtered.
- By checking the validity of the source MAC address of the packet only users who apply for an IP address through DHCP can access the network. This prevents the MAC address spoofing of the access device and effectively avoids it.
- the MAC address protocol on the switching device is migrated, causing data forwarding disorder and causing users to suffer DoS attacks.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Small-Scale Networks (AREA)
Abstract
本发明公开了一种防止MAC地址欺骗攻击的方法和装置,所述方法包括:交换设备在接收到用户端口侧发送的非动态主机配置协议DHCP报文时,基于预先配置的静态MAC地址表,检测所述非DHCP报文的合法性,当所述非DHCP报文不合法时,丢弃该报文。所述装置包括:报文接收模块和非DHCP报文转发/过滤模块。本发明提供的方法防止了接入设备的MAC地址欺骗,并且有效的避免了交换设备上的MAC地址协议发生迁移,造成数据转发紊乱,使用户遭受Dos攻击的情况。
Description
一种防止介质访问控制地址欺骗攻击的方法和交换设备 技术领域
本发明涉及通信技术领域, 尤其涉及一种防止介质访问控制 (MAC, Media Access Control )地址欺骗攻击的方法和交换设备。 背景技术
随着网络规模的扩大和网络复杂度的提高, 网络配置越来越复杂, 经 常出现计算机位置变化(如便携机或无线网络)和计算机数量超过可分配 的 IP ( Internet Protocol )地址的情况。 动态主机配置协议 ( DHCP, Dynamic Host Configuration Protocol )就是为满足这些需求而发展起来的, 在网络规 模较大的情况下, 通常釆用 DHCP服务器(Server ) 来完成 IP地址分配。
DHCP协议本身不具有安全性, 应用 DHCP协议的网络环境中存在被 攻击的风险。 攻击者可以利用模拟发包软件,发送大量伪造源 MAC变化的 报文。 交换机的内容可寻址存储器( CAM, Content Addressable Memory ) 表很快被攻击者发出的海量 MAC拥塞并溢出, 无法学习新的 MAC地址, 报文将在虚拟局域网 (VLAN, Virtual Local Area Network ) 内所有端口产 生广播。 攻击者利用 VLAN上所有端口的广播可以进行流量监听, 扫描其 中有用信息,从攻击者通过 MAC地址攻击实现广播风暴的蔓延,使交换机 以集线器 (HUB ) 的方式工作, 从而达到 DoS的目的而产生安全隐患。 攻 击者还可以冒充另一个合法用户的 MAC地址发送数据报文,交换设备就会 把 MAC地址学习到恶意用户的端口上, 从而造成合法用户 MAC地址学习 迁移, 扰乱设备的报文转发, 使合法用户无法正常访问网络。
发明内容
本发明提供一种防止 MAC地址欺骗攻击的方法和交换设备,用以解决 现有技术中 DHCP存在安全隐患, 使得正常用户存在被攻击风险的问题。
具体的,本发明提供一种防止 MAC地址欺骗攻击的方法,该方法包括: 交换设备在接收到用户端口侧发送的非 DHCP报文时, 基于预先配置 的静态 MAC地址表, 检测所述非 DHCP报文的合法性, 当所述非 DHCP 文不合法时, 丟弃该 文。
所述方法中 , 静态 MAC地址表中包括: 已通过 DHCP完成 IP地址申 请的用户所对应的 MAC地址及与该 MAC地址绑定的用户端口号。
所述方法中, 非 DHCP报文不合法为:
所述非 DHCP报文的源 MAC地址不在预先配置的静态 MAC地址表 中; 或者, 所述非 DHCP报文的源 MAC地址在所述静态 MAC地址表中, 但非 DHCP报文的接收端口号与所述静态 MAC地址表项中用户端口号不 对应。
所述方法中, 该方法进一步包括: 所述交换设备接收到 DHCP服务器 或者汇聚交换机发送的非 DHCP报文时,判断所述非 DHCP报文的源 MAC 地址是否在所述交换设备维护的动态 MAC 地址表中, 若是, 转发所述非 DHCP报文; 否则,将所述非 DHCP报文的源 MAC地址学习到接收该报文 的端口上, 并转发所述非 DHCP 文。
所述方法中, 该方法进一步包括: 交换设备在接收到 DHCP报文时, 基于所述 DHCP报文的类型进行 DHCP用户信息绑定表的创建、 更新或删 除, 并完成对所述 DHCP报文的转发。
所述方法中, 静态 MAC地址表的配置方式包括:
所述交换设备在接收到 DHCP报文且所述 DHCP报文的类型为确认字 符( ACK, ACKnowledge Character )报文时, 基于所述 ACK消息更新已创
建的 DHCP用户信息绑定表, 并将更新后的 DHCP用户信息绑定表中的用 户 MAC地址和用户端口号配置到所述静态 MAC地址表中。
所述方法中, 静态 MAC地址表的配置方式包括:
所述交换设备在接收到的所述 DHCP报文的类型为释放报文( Release ) 或拒绝报文(Decline ) 时, 或者在所述 DHCP用户信息绑定表中有表项租 期到期时, 删除所述静态 MAC地址表中对应用户的 MAC地址信息。
本发明还提供一种交换设备, 包括: 报文接收模块、 非 DHCP报文转 发 /过滤模块; 其中,
报文接收模块, 用于在接收到用户端口侧发送的非 DHCP报文时, 触 发非 DHCP报文转发 /过滤模块;
非 DHCP报文转发 /过滤模块,用于基于预先配置的静态 MAC地址表, 检测所述非 DHCP报文的合法性, 当所述非 DHCP报文不合法时, 丟弃所 述非 DHCP报文。
上述方案中,该交换设备还包括 MAC地址表模块,用于保存静态 MAC 地址表。
上述方案中, 所述非 DHCP报文转发 /过滤模块中非 DHCP报文不合法 为:
所述非 DHCP报文的源 MAC地址不在预先配置的静态 MAC地址表 中; 或者, 所述非 DHCP报文的源 MAC地址在所述静态 MAC地址表中, 但非 DHCP报文的接收端口号与所述静态 MAC地址表项中用户端口号不 对应。
上述方案中, 所述交换设备还包括: DHCP报文侦听模块;
所述报文接收模块, 还用于在接收到 DHCP报文时, 触发所述 DHCP 报文侦听模块
DHCP报文侦听模块, 用于基于所述 DHCP报文的类型进行 DHCP用
户信息绑定表的创建、 更新或删除, 并完成对所述 DHCP报文的转发。 上述方案中, 所述 DHCP报文侦听模块在所述 DHCP报文的类型为 ACK报文时, 基于所述 ACK消息更新已创建的 DHCP用户信息绑定表, 并将更新后的 DHCP用户信息绑定表中的用户 MAC地址和用户端口号配 置到所述静态 MAC地址表中。
上述方案中, 所述 DHCP报文侦听模块在接收到的所述 DHCP报文的 类型为 Release或 Decline 文时, 或者在所述 DHCP用户信息绑定表中有 表项租期到期时,删除所述静态 MAC地址表中对应用户的 MAC地址信息。
与现有技术相比, 本发明有益效果如下:
本发明提供的方法,根据静态 MAC地址表,对来自用户端口侧的报文 进行源 MAC地址过滤, 丟弃掉报文源 MAC地址不在静态 MAC地址表中 的报文,从而防止了接入设备的 MAC地址欺骗, 并且有效的避免了交换设 备上的 MAC地址协议发生迁移,造成数据转发紊乱,使用户遭受 Dos攻击 的情况。 附图说明
为了更清楚地说明本发明实施例或现有技术中的技术方案, 下面将对 实施例或现有技术描述中所需要使用的附图作一简单地介绍, 显而易见地, 下面描述中的附图仅仅是本发明的一些实施例, 对于本领域普通技术人员 来讲, 在不付出创造性劳动性的前提下, 还可以根据这些附图获得其他的 附图。
图 1为接入网络基本结构示意图; 图 3为本发明提供的交换设备的结构示意图;
图 4为本发明中 DHCP侦听模块进行 DHCP报文的处理流程示意图; 图 5为本发明中非 DHCP报文转发 /过滤模块对非 DHCP报文的处理流
程示意图。 具体实施方式
下面将结合本发明实施例中的附图, 对本发明实施例中的技术方案进 行清楚、 完整地描述, 显然, 所描述的实施例仅仅是本发明一部分实施例, 而不是全部的实施例。 基于本发明中的实施例, 本领域普通技术人员在没 有做出创造性劳动前提下所获得的所有其他实施例, 都属于本发明保护的 范围。
为了解决现有技术中存在的问题,本发明提供了一种防止 MAC地址欺 骗攻击的方法和交换设备。
在进行方法阐述前, 首先对所述方法应用的接入网络进行简单说明, 如图 1 所示, 为接入网络的基本结构图。 具体的, 该接入网络包括用户终 端、 交换设备和 DHCP服务器。
其中, 用户终端 , 一般是 PC , 作为 DHCP Client通过 DHCP协议获取 IP地址及其他配置信息;
交换设备, 根据 MAC地址进行报文转发;
DHCP服务器, 处理用户终端的 DHCP请求, 分配给 DHCP Client包 括 IP, 网关, DNS等配置信息。
本发明所述方法为了解决现有技术中存在的问题, 将上述交换设备接 用户终端的端口设置为非信任端口; 将连接合法 DHCP服务器的端口或者 连接汇聚交换机的上行端口设置为信任端口。 对于不信任端口, 关闭 MAC 地址学习 , 并对除 DHCP外的报文进行源 MAC地址检查; 对于信任端口 , 进行动态 MAC地址学习 , 不进行源 MAC地址检查。
基于上述的原理性表述,下面给出本发明提供的防止 MAC地址欺骗攻 击方法的具体实现过程, 如图 2所示, 包括以下步骤:
步骤 S201、交换设备接收用户端口侧 (即非信任端口)发送的非 DHCP
报文;
本步骤还包括: 交换设备在接收到 DHCP报文时, 基于所述 DHCP报 文的类型进行 DHCP用户信息绑定表的创建、 更新或删除, 并完成对所述 DHCP报文的转发; 如: 所述 DHCP报文的类型为 ACK报文时, 基于所述 ACK消息更新已创建的 DHCP用户信息绑定表,并将更新后的 DHCP用户 信息绑定表中的用户 MAC地址和用户端口号配置到静态 MAC地址表中; 所述 DHCP报文的类型为 Release或 Decline报文时, 或者在所述 DHCP用 户信息绑定表中某一表项租期到期时,删除静态 MAC地址表中对应用户的 MAC地址信息。
本步骤进一步包括: 所述交换设备接收到 DHCP服务器或者汇聚交换 机发送的非 DHCP报文时, 判断所述非 DHCP报文的源 MAC地址是否在 所述交换设备维护的动态 MAC地址表中, 若是, 转发所述非 DHCP报文; 否则, 将所述非 DHCP报文的源 MAC地址学习到接收该报文的端口上, 并转发所述非 DHCP报文。
步骤 S202、 基于预先配置的静态 MAC地址表检测所述非 DHCP报文 的合法性, 若合法, 执行步骤 S203; 否则, 执行步骤 S204。
其中, 静态 MAC地址表中包括: 已通过 DHCP完成 IP地址申请的用 户所对应的 MAC地址及与该 MAC地址绑定的用户端口号;
所述非 DHCP ^艮文不合法是指: 所述非 DHCP 文的源 MAC地址不 在预先配置的静态 MAC地址表中; 或者, 所述非 DHCP报文的源 MAC地 址在所述静态 MAC地址表中, 但非 DHCP报文的接收端口号与所述静态 MAC地址表项中用户端口号不对应。
步骤 S203、 查找所述非 DHCP报文的目的 MAC地址, 若查找到, 根 据目的 MAC地址, 完成 ^艮文转发; 若未查找到, 通过广播的方式完成 转发。
步骤 S204、 丟弃所述非 DHCP报文。
本发明提供的方法,有效的防止了接入设备的 MAC地址欺骗, 并且有 效的避免了交换设备上的 MAC地址协议发生迁移,造成数据转发紊乱,使 用户遭受 Dos攻击的情况。 为了更清楚的表述本发明, 下面结合交换设备的具体结构, 对本发明 所述方法进行描述, 使其能够更好地说明本发明提供方法的具体实现过程。
如图 3 所示, 为本发明提供的交换设备的结构示意图, 具体的, 该交 换设备包括: 报文接收模块 310、 非 DHCP报文转发 /过滤模块 320、 MAC 地址表模块 330、 DHCP报文侦听模块 340; 其中:
报文接收模块 310: 接收信任端口和非信任端口发送的报文, 根据 DHCP协议报文的特征,从接收到的报文中,提取出 DHCP报文,将 DHCP 报文及其对应的用户端口信息传递给 DHCP侦听模块 340; 将非 DHCP报 文及其对应的用户端口信息传递给非 DHCP报文转发 /过滤模块 320。
非 DHCP报文转发 /过滤模块 320: 接收到非 DHCP报文时, 检测报文 的用户端口信息, 如果用户端口信息是非信任端口,基于 MAC地址表模块 330中的静态 MAC地址表项 , 对所述非 DHCP报文的源 MAC地址进行合 法性检查, 当非 DHCP报文不合法时, 丟弃该非 DHCP报文; 否则, 获取 所述非 DHCP报文的目的 MAC地址,并根据获取到的目的 MAC地址查找 交换设备中存储的 MAC转发表, 根据该 MAC转发表中存储的与 MAC地 址相应的端口转发接收的报文; 然而, 若在 MAC 转发表中查找不到目的 MAC地址, 则将该 ^艮文通过广播的方式向除接收端口外的所有端口转发。
其中, 非 DHCP报文不合法是指: 非 DHCP报文的源 MAC地址, 在 MAC地址表模块 330中的静态 MAC地址表项中不存在, 或者非 DHCP报 文的源 MAC地址在所述静态 MAC地址表中 ,但该非 DHCP报文的接收端 口与静态 MAC地址表项中记录的用户端口号不对应。
另一种情况, 如果用户端口信息为信任端口, 判断非 DHCP报文的源 MAC地址是否在 MAC地址表模块 330中的动态 MAC地址表中 , 若是, 根据该报文目的 MAC地址及交换设备中存储的 MAC转发表转发该报文; 否则, 将所述非 DHCP报文的源 MAC地址学习到接收该报文的端口上, 并根据该报文目的 MAC地址及交换设备中存储的 MAC转发表转发该报 文。
需要说明的是, 上述报文转发过程中, 若在交换设备的 MAC转发表中 查找不到目的 MAC地址,则将该 文通过广播的方式向除接收端口外的所 有端口转发。
MAC地址表模块 330:该模块是非 DHCP报文转发 /过滤模块 320报文 转发和过滤的依据; 保存有静态 MAC地址表和动态 MAC地址表, 动态 MAC地址是非 DHCP报文转发 /过滤模块 320从信任端口学习到的; 静态 MAC地址表是 DHCP侦听模块根据 DHCP用户信息绑定表配置的。
DHCP报文侦听模块 340: 在接收到 DHCP报文时, 基于所述 DHCP 报文的类型进行 DHCP用户信息绑定表的创建、 更新或删除, 并完成对所 述 DHCP报文的转发。 优选的, 该 DHCP报文侦听模块还会基于创建的 DHCP用户信息绑定表对 MAC地址表模块 330中的静态 MAC地址表进行 配置。
具体的, 该 DHCP报文侦听模块 340包括: DHCP报文解析模块 341、 DHCP用户信息绑定表模块 342和 DHCP报文转发模块 343。
DHCP报文解析模块 341 : 用于对接收到的 DHCP报文进行解析,获取 用户配置信息, 用来进行 DHCP用户信息绑定表的创建和维护。 其中, 配 置信息包括 IP地址、 MAC地址、 用户端口信息和租期。
DHCP用户信息绑定表模块 342:根据 DHCP报文解析模块 341获取的 用户配置信息, 生成、 维护或更新绑定表, 绑定表包括: IP地址, 租期,
用户端口, MAC地址。 绑定表中的每个表项都有一个根据租期进行老化的 定时器, 超过这个周期时进行表项老化删除。
下面结合 DHCP报文的类型对 DHCP用户信息绑定表的创建、 维护和 更新过程进行说明, 并结合获取的 DHCP用户信息绑定表对静态 MAC地 址表的配置过程进行说明, 具体包括:
如果接收到的 DHCP报文为请求报文一发现报文(Discover ), 则基于 报文的配置信息建立 DHCP用户信息绑定表, 填入用户 MAC地址, 用户 端口, 租期设置为 60秒, 这时没有用户 IP, IP设置为 0。
如果接收到的 DHCP报文为请求报文一要求报文( Request ) ,查看是否 存在相应的 DHCP用户信息绑定表,不存在则创建 DHCP用户信息绑定表, 否则, 维护当前存在的 DHCP用户信息绑定表。
如果接收到的 DHCP报文为响应报文 ACK, 从报文中获取分配的 IP 地址和租期等信息, 更新绑定表, 将分配给用户的 IP 地址设置到对应的 DHCP 用户信息绑定表项中, 把租期设置为报文中的租期; 并将绑定表中 的用户 MAC和用户端口设置到静态 MAC地址表中, 使 MAC地址和用户 端口绑定。
如果接收到的 DHCP报文为 Release或 Decline, 删除该用户的 DHCP 用户信息绑定表项,同时删除静态 MAC地址表中的该用户 MAC地址信息, 解除用户 MAC地址和用户端口的绑定关系。
如果 DHCP用户信息绑定表中某表项的租期到了, 则删除对应用户绑 定表, 同时删除静态 MAC地址表中的该用户 MAC地址信息, 解除用户 MAC地址和用户端口的关联。
DHCP报文转发模块 343 : 为增加 DHCP协议应用的安全性, 同时减少 二层网络的广播报文发送, 节省网络带宽资源, DHCP 报文转发是根据已 创建的 DHCP用户信息绑定表转发的; 具体的, 对于 DHCP请求报文, 根
据接口属性, 只向信任端口转发; 对于 DHCP响应报文, 根据从报文中获 取到的用户主机 MAC地址 , 查询 DHCP用户信息绑定表, 向 DHCP用户 信息绑定表中的用户端口转发 DHCP报文。 下面通过图 4对 DHCP侦听模块进行 DHCP 4艮文的处理流程进行进一 步说明, 如图 4所示, 该过程包括以下步骤:
步骤 S401、 DHCP侦听模块接收到从报文接收模块传递过来的 DHCP 报文。
步骤 S402、 解析 DHCP报文, 获取用户配置信息。
步骤 S403、 判断 DHCP报文的类型是请求报文还是响应报文, 若为请 求报文, 执行步骤 S404; 若为响应报文, 执行步骤 S408。
步骤 S404、判断是否是 Discover或 Request报文,若是,执行步骤 S405; 若不是, 则请求报文为 Release或 Decline报文, 执行步骤 S406。
步骤 S405、对于 Discover或 Request报文,查看是否存在相应的 DHCP 用户信息绑定表, 不存在则创建 DHCP用户信息绑定表, 并向信任端口转 发报文, 流程结束。
步骤 S406、对于 Release或 Decline报文, 删除对应用户的 DHCP用户 信息绑定表项、 删除静态 MAC地址表中的用户 MAC地址, 解除和用户端 口的绑定关系。
步骤 S407、 向信任端口转发报文, 流程结束。
步骤 S408、 对于响应报文, 判断报文接收端口是否是信任端口, 若是 非信任端口, 执行步骤 S409; 若是信任端口, 执行步骤 S410。
步骤 S409、 丟弃 4艮文。
步骤 S410、 根据响应报文的类型, 进行 DHCP用户信息绑定表的更新 或删除操作, 并根据报文中的 MAC地址完成报文的转发;
具体的, 在响应报文是 ACK报文时, 从报文中获取相关信息, 更新
DHCP用户信息绑定表(即更新表项中的 IP地址和租期信息),将更新后的 DHCP用户信息绑定表中的用户 MAC地址和用户端口设置到静态 MAC地 址表中, 使 MAC地址和用户端口绑定; 同时, 根据更新后的 DHCP用户 信息绑定表中的用户 MAC地址和用户端口转发该 ACK报文;
在响应报文是 Offer报文时,根据 DHCP用户信息绑定表中的用户 MAC 和用户接入端口转发该 Offer报文;
在响应报文是 Nak报文时,根据 DHCP用户信息绑定表中的用户 MAC 和用户接入端口转发该 Nak报文, 并删除该用户对应的 DHCP用户信息绑 定表项、 删除静态 MAC地址表中的用户 MAC地址, 解除和用户端口的绑 定关系。 如图 5所示, 为非 DHCP报文转发 /过滤模块对报文的处理流程, 包括 以下步骤:
步骤 S501、 接收非 DHCP报文。
步骤 S502、 判断接收到的非 DHCP报文端口是信任端口还是非信任端 口, 若是信任端口, 执行步骤 S506; 若是非信任端口, 执行步骤 S503。
步骤 S503、 对于来自非信任端口的报文, 基于静态 MAC地址表, 检 测非 DHCP报文是否合法, 若是, 执行步骤 S505; 否则, 执行步骤 S504。
步骤 S504、 丟弃该非 DHCP报文, 流程结束。
步骤 S505、 进行报文转发, 流程结束。
步骤 S506、 对于来自信任端口的报文, 检测报文的源 MAC是否在交 换设备的 MAC转发表中, 若在, 执行步骤 S508; 否则, 执行步骤 S507。
步骤 S507、对报文的源 MAC地址进行动态 MAC地址学习,然后执行 步骤 S508。
步骤 S508、 进行 "^文转发。
本发明提供的方法和装置,基于配置的静态 MAC地址表,对来自用户
端口侧的非 DHCP 文进行过滤, 通过对 文的源 MAC地址这一合法性 检查, 使得只有通过 DHCP申请 IP地址的用户才能访问网络, 从而防止了 接入设备的 MAC地址欺骗, 并且有效的避免了交换设备上的 MAC地址协 议发生迁移, 造成数据转发紊乱, 使用户遭受 Dos攻击的情况。 本发明的精神和范围。 这样, 倘若本发明的这些修改和变型属于本发明权 利要求及其等同技术的范围之内, 则本发明也意图包含这些改动和变型在 内。
Claims
1、一种防止介质访问控制( MAC )地址欺骗攻击的方法,其特征在于 , 该方法包括:
交换设备在接收到用户端口侧发送的非动态主机配置协议( DHCP )报 文时, 基于预先配置的静态 MAC地址表, 检测所述非 DHCP报文的合法 性, 当所述非 DHCP报文不合法时, 丟弃该报文。
2、 如权利要求 1所述的方法, 其特征在于, 所述静态 MAC地址表中 包括: 已通过 DHCP完成 IP地址申请的用户所对应的 MAC地址及与该 MAC地址绑定的用户端口号。
3、 如权利要求 2所述的方法, 其特征在于, 所述非 DHCP报文不合法 为:
所述非 DHCP报文的源 MAC地址不在预先配置的静态 MAC地址表 中; 或者, 所述非 DHCP报文的源 MAC地址在所述静态 MAC地址表中, 但非 DHCP报文的接收端口号与所述静态 MAC地址表项中用户端口号不 对应。
4、 如权利要求 1、 2或 3所述的方法, 其特征在于, 该方法进一步包 括: 所述交换设备接收到 DHCP服务器或者汇聚交换机发送的非 DHCP报 文时, 判断所述非 DHCP报文的源 MAC地址是否在所述交换设备维护的 动态 MAC地址表中,若是,转发所述非 DHCP报文;否则,将所述非 DHCP 报文的源 MAC地址学习到接收该报文的端口上, 并转发所述非 DHCP报 文。
5、 如权利要求 1所述的方法, 其特征在于, 该方法进一步包括: 所述 交换设备在接收到 DHCP报文时, 基于所述 DHCP报文的类型进行 DHCP 用户信息绑定表的创建、 更新或删除, 并完成对所述 DHCP报文的转发。
6、 如权利要求 5所述的方法, 其特征在于, 所述静态 MAC地址表的 配置方式包括:
所述交换设备在接收到 DHCP报文且所述 DHCP报文的类型为确认字 符( ACK )报文时,基于所述 ACK消息更新已创建的 DHCP用户信息绑定 表, 并将更新后的 DHCP用户信息绑定表中的用户 MAC地址和用户端口 号配置到所述静态 MAC地址表中。
7、 如权利要求 5所述的方法, 其特征在于, 所述静态 MAC地址表的 配置方式包括:
所述交换设备在接收到的所述 DHCP报文的类型为释放报文( Release ) 或拒绝报文(Decline ) 时, 或者在所述 DHCP用户信息绑定表中有表项租 期到期时, 删除所述静态 MAC地址表中对应用户的 MAC地址信息。
8、 一种交换设备, 其特征在于, 包括: 报文接收模块、 非 DHCP报文 转发 /过滤模块; 其中,
报文接收模块, 用于在接收到用户端口侧发送的非 DHCP报文时, 触 发非 DHCP报文转发 /过滤模块;
非 DHCP报文转发 /过滤模块,用于基于预先配置的静态 MAC地址表, 检测所述非 DHCP报文的合法性, 当所述非 DHCP报文不合法时, 丟弃所 述非 DHCP报文。
9、 如权利要求 8 所述的交换设备, 其特征在于, 该交换设备还包括 MAC地址表模块, 用于保存静态 MAC地址表。
10、 如权利要求 9所述的交换设备, 其特征在于, 所述非 DHCP报文 转发 /过滤模块中非 DHCP报文不合法为:
所述非 DHCP报文的源 MAC地址不在预先配置的静态 MAC地址表 中; 或者, 所述非 DHCP报文的源 MAC地址在所述静态 MAC地址表中, 但非 DHCP报文的接收端口与所述静态 MAC地址表项中用户端口号不对 应。
11、 如权利要求 8所述的交换设备, 其特征在于, 该交换设备还包括: DHCP报文侦听模块;
所述报文接收模块, 还用于在接收到 DHCP报文时, 触发所述 DHCP 报文侦听模块;
DHCP报文侦听模块, 基于所述 DHCP报文的类型进行 DHCP用户信 息绑定表的创建、 更新或删除, 并完成对所述 DHCP报文的转发。
12、 如权利要求 11所述的交换设备, 其特征在于,
所述 DHCP报文侦听模块在所述 DHCP报文的类型为 ACK报文时, 基于所述 ACK消息更新已创建的 DHCP用户信息绑定表, 并将更新后的 DHCP用户信息绑定表中的用户 MAC 地址和用户端口号配置到所述静态 MAC地址表中。
13、 如权利要求 11所述的交换设备, 其特征在于, 所述 DHCP报文侦 听模块在接收到的所述 DHCP报文的类型为 Release或 Decline报文时, 或 者在所述 DHCP用户信息绑定表中有表项租期到期时,删除所述静态 MAC 地址表中对应用户的 MAC地址信息。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010171167.6 | 2010-05-13 | ||
CN201010171167A CN101834870A (zh) | 2010-05-13 | 2010-05-13 | 一种防止mac地址欺骗攻击的方法和装置 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011140795A1 true WO2011140795A1 (zh) | 2011-11-17 |
Family
ID=42718799
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2010/078957 WO2011140795A1 (zh) | 2010-05-13 | 2010-11-22 | 一种防止介质访问控制地址欺骗攻击的方法和交换设备 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101834870A (zh) |
WO (1) | WO2011140795A1 (zh) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103171277A (zh) * | 2011-12-21 | 2013-06-26 | 北大方正集团有限公司 | 印刷设备的授权方法和装置 |
CN105471615A (zh) * | 2014-09-12 | 2016-04-06 | 中兴通讯股份有限公司 | 一种动态主机配置协议dhcp信息异常的处理方法及装置 |
CN110557397A (zh) * | 2019-09-12 | 2019-12-10 | 贵州电网有限责任公司 | 一种基于混沌理论分析的DDoS攻击检测方法 |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101834870A (zh) * | 2010-05-13 | 2010-09-15 | 中兴通讯股份有限公司 | 一种防止mac地址欺骗攻击的方法和装置 |
CN101984693A (zh) * | 2010-11-16 | 2011-03-09 | 中兴通讯股份有限公司 | 终端接入局域网的监控方法和监控装置 |
CN102137109B (zh) * | 2011-03-18 | 2013-08-28 | 华为技术有限公司 | 一种访问控制方法、接入设备及系统 |
CN102710811B (zh) * | 2012-06-14 | 2016-02-03 | 杭州华三通信技术有限公司 | 实现dhcp地址安全分配的方法和交换机 |
CN104009967A (zh) * | 2013-02-27 | 2014-08-27 | 上海斐讯数据通信技术有限公司 | 防止非信任服务器攻击的方法 |
CN103491081B (zh) * | 2013-09-16 | 2017-01-04 | 北京星网锐捷网络技术有限公司 | 检测dhcp攻击源的方法和装置 |
CN103685257B (zh) * | 2013-12-06 | 2018-04-06 | 上海斐讯数据通信技术有限公司 | 一种dhcp网络防护系统及方法 |
CN104837138B (zh) * | 2015-03-27 | 2019-03-01 | Oppo广东移动通信有限公司 | 一种终端硬件标识的检测方法及装置 |
CN107547667A (zh) * | 2016-06-24 | 2018-01-05 | 中兴通讯股份有限公司 | 一种报文处理方法及装置 |
CN107786679A (zh) * | 2016-08-25 | 2018-03-09 | 大连楼兰科技股份有限公司 | 保证arp报文安全性的方法及装置 |
CN108429823B (zh) * | 2018-02-28 | 2021-06-29 | 迈普通信技术股份有限公司 | Dhcp网络中防止mac地址漂移的方法及交换设备 |
CN112688940A (zh) * | 2020-12-23 | 2021-04-20 | 新华三技术有限公司 | 报文处理方法及装置 |
CN115766434A (zh) * | 2021-09-03 | 2023-03-07 | 中国移动通信集团山东有限公司 | Vxlan的配置方法和设备 |
CN114520800B (zh) * | 2022-01-07 | 2024-04-16 | 锐捷网络股份有限公司 | Mac地址表的更新方法及装置 |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1466341A (zh) * | 2002-06-22 | 2004-01-07 | ��Ϊ��������˾ | 一种动态地址分配中防止ip地址欺骗的方法 |
US20060114863A1 (en) * | 2004-12-01 | 2006-06-01 | Cisco Technology, Inc. | Method to secure 802.11 traffic against MAC address spoofing |
KR100807933B1 (ko) * | 2006-11-28 | 2008-03-03 | 엘지노텔 주식회사 | 에이알피 스푸핑 감지 시스템 및 감지 방법과 그 방법이저장된 컴퓨터 판독가능 저장매체 |
CN101415012A (zh) * | 2008-11-06 | 2009-04-22 | 杭州华三通信技术有限公司 | 一种防御地址解析协议报文攻击的方法和系统 |
CN101635731A (zh) * | 2009-08-31 | 2010-01-27 | 杭州华三通信技术有限公司 | 一种抵御mac地址欺骗攻击的方法及设备 |
CN101834870A (zh) * | 2010-05-13 | 2010-09-15 | 中兴通讯股份有限公司 | 一种防止mac地址欺骗攻击的方法和装置 |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1310467C (zh) * | 2003-06-24 | 2007-04-11 | 华为技术有限公司 | 基于端口的网络访问控制方法 |
CN100586106C (zh) * | 2007-05-22 | 2010-01-27 | 华为技术有限公司 | 报文处理方法、系统和设备 |
CN101115063B (zh) * | 2007-08-30 | 2011-11-30 | 中兴通讯股份有限公司 | 宽带接入设备中防止mac地址/ip地址欺骗的方法 |
CN101179583B (zh) * | 2007-12-17 | 2010-12-08 | 杭州华三通信技术有限公司 | 一种防止用户假冒上网的方法及设备 |
-
2010
- 2010-05-13 CN CN201010171167A patent/CN101834870A/zh active Pending
- 2010-11-22 WO PCT/CN2010/078957 patent/WO2011140795A1/zh active Application Filing
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1466341A (zh) * | 2002-06-22 | 2004-01-07 | ��Ϊ��������˾ | 一种动态地址分配中防止ip地址欺骗的方法 |
US20060114863A1 (en) * | 2004-12-01 | 2006-06-01 | Cisco Technology, Inc. | Method to secure 802.11 traffic against MAC address spoofing |
KR100807933B1 (ko) * | 2006-11-28 | 2008-03-03 | 엘지노텔 주식회사 | 에이알피 스푸핑 감지 시스템 및 감지 방법과 그 방법이저장된 컴퓨터 판독가능 저장매체 |
CN101415012A (zh) * | 2008-11-06 | 2009-04-22 | 杭州华三通信技术有限公司 | 一种防御地址解析协议报文攻击的方法和系统 |
CN101635731A (zh) * | 2009-08-31 | 2010-01-27 | 杭州华三通信技术有限公司 | 一种抵御mac地址欺骗攻击的方法及设备 |
CN101834870A (zh) * | 2010-05-13 | 2010-09-15 | 中兴通讯股份有限公司 | 一种防止mac地址欺骗攻击的方法和装置 |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103171277A (zh) * | 2011-12-21 | 2013-06-26 | 北大方正集团有限公司 | 印刷设备的授权方法和装置 |
CN105471615A (zh) * | 2014-09-12 | 2016-04-06 | 中兴通讯股份有限公司 | 一种动态主机配置协议dhcp信息异常的处理方法及装置 |
CN110557397A (zh) * | 2019-09-12 | 2019-12-10 | 贵州电网有限责任公司 | 一种基于混沌理论分析的DDoS攻击检测方法 |
Also Published As
Publication number | Publication date |
---|---|
CN101834870A (zh) | 2010-09-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2011140795A1 (zh) | 一种防止介质访问控制地址欺骗攻击的方法和交换设备 | |
US8966075B1 (en) | Accessing a policy server from multiple layer two networks | |
US8832820B2 (en) | Isolation and security hardening among workloads in a multi-tenant networked environment | |
US9060019B2 (en) | Out-of band IP traceback using IP packets | |
US9413727B2 (en) | Method and apparatus for content filtering on SPDY connections | |
EP2175603A1 (en) | Dynamic access control policy with port restrictions for a network security appliance | |
US9882904B2 (en) | System and method for filtering network traffic | |
EP2724508B1 (en) | Preventing neighbor-discovery based denial of service attacks | |
WO2009033402A1 (fr) | Procédé et dispositif pour éviter l'usurpation et l'attaque d'une adresse arp | |
JP2006191537A (ja) | 統合ホストプロトコルスタック管理を使用するセキュアなインターネットプロトコル(ispec)オフロードのための方法および装置 | |
US20070192593A1 (en) | Method and system for transparent bridging and bi-directional management of network data | |
WO2010022574A1 (zh) | 单一地址反向传输路径转发的实现方法及装置 | |
WO2011020254A1 (zh) | 防范网络攻击的方法和装置 | |
WO2012075850A1 (zh) | 一种防止mac地址欺骗的方法、系统及交换机 | |
WO2011147371A1 (zh) | 一种实现虚拟机间数据传输的方法和系统 | |
WO2008131658A1 (fr) | Procédé et dispositif pour fureter le dhcp | |
WO2014173365A1 (zh) | Ftp的应用层报文过滤方法及装置、计算机存储介质 | |
WO2013056628A1 (zh) | 实现心跳机制的方法、应用服务器、网络数据库及系统 | |
WO2014101661A1 (zh) | 业务流镜像方法及镜像设备 | |
WO2014056200A1 (zh) | 网络数据流检测状态的同步方法和设备 | |
US7343485B1 (en) | System and method for maintaining protocol status information in a network device | |
WO2014075485A1 (zh) | 网络地址转换技术的处理方法、nat设备及bng设备 | |
US7551559B1 (en) | System and method for performing security actions for inter-layer binding protocol traffic | |
WO2012088934A1 (zh) | 一种报文过滤方法和交换设备 | |
WO2010130181A1 (zh) | 防止IPv6地址被欺骗性攻击的装置与方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 10851299 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 10851299 Country of ref document: EP Kind code of ref document: A1 |