WO2014173343A1 - Router advertisement attack prevention method, device, equipment and computer storage medium - Google Patents


Info

Publication number
WO2014173343A1
Authority
WO
WIPO (PCT)
Prior art keywords
host
message
attacking
attack
prefix
Application number
PCT/CN2014/077811
Other languages
French (fr)
Chinese (zh)
Inventor
范亮
朱承旭
袁博
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1101 Session protocols

Definitions

  • The present invention relates to communications technologies, and in particular to a router advertisement (RA, Router Advertisement) attack defense method, apparatus, equipment, and computer storage medium.
  • RA Router Advertisement
  • IP Internet Protocol
  • IPv4 Internet Protocol version 4
  • NAT Network Address Translation
  • IPv6 Internet Protocol version 6
  • The current difficulties limiting the popularity of IPv6 technology mainly concern policy support, technical upgrade difficulties, and limited application support.
  • The government is actively supporting the promotion of IPv6, and major Internet content providers (ICPs) and application developers are also upgrading their existing IPv4-based applications to support IPv6 on a large scale.
  • ICPs Internet Content Providers
  • The current cost pressure of IPv6 technology upgrades is one of the most important factors hindering the popularity of IPv6 technology. Which devices need to be upgraded to support IPv6 has become an important research topic for operators.
  • The access network is the largest and most expensive part of the carrier network. Which devices in the access network need to support IPv6 first is one of the topics of most concern in an operator's IPv6 upgrade plan.
  • The general network topology consists of an IPv6 Broadband Network Gateway (BNG), a Layer 2 access device, and an IPv6 host.
  • BNG IPv6 Broadband Network Gateway
  • MTU Maximum Transmission Unit
  • The BNG sends a Router Advertisement (RA) message to the access network, including the IPv6 prefix and the Maximum Transmission Unit (MTU).
  • After receiving the RA, the IPv6 host generates an IPv6 address, and its default route points to the device that sent the RA message, the BNG, so that IPv6 network communication can be performed.
  • An RA attack includes a malicious IPv6 host multicasting RA messages, and a malicious IPv6 host receiving the Router Solicitation (RS) messages of other hosts in the broadcast domain and actively responding to them with unicast RA messages.
  • Such RA messages make the IPv6 hosts point their default route to the malicious IPv6 host, so that the user information of those hosts can be intercepted, which affects network security. Moreover, a host may obtain an invalid address for connecting to the network. In addition, a malicious host sending a large number of RA messages to attack the network is prone to cause network paralysis.
  • The current common technical solution is to upgrade the Layer 2 access device to support the so-called secure RA technology, that is, the user-side port of the Layer 2 access device is configured by command to refuse to receive malicious RA messages.
  • Manually configuring the secure RA function of the Layer 2 device also requires a large amount of operation and maintenance cost, which increases the implementation cost of the operator's IPv6 technology upgrade.
  • The embodiments of the present invention provide a method, an apparatus, equipment, and a computer storage medium for defending against RA attacks, which can solve the problem that the related technologies cannot effectively prevent RA attacks by malicious hosts.
  • An embodiment of the invention provides a method for preventing an RA attack, and the method includes: determining the RA attacking host according to the received RA message; and performing at least one of the following operations: advertising the information of the RA attacking host to a network management system (NMS);
  • NMS network management system
  • prohibiting packets whose source IP address contains a specific prefix, and packets sent by the determined RA attacking host, from being forwarded to the network side, and redirecting those packets to a Portal server, where the specific prefix is the prefix carried by the RA message sent by the RA attacking host;
  • instructing the access device of the RA attacking host to prohibit the RA attacking host from accessing the network; and simulating the RA attacking host sending a new RA message, where the lifetime of the prefix carried by the new RA message is smaller than the lifetime of the prefix carried by the RA message sent by the RA attacking host.
  • Determining the RA attacking host according to the received RA message includes: sending an RS message through a user-side port to the hosts of the virtual local area network (VLAN) corresponding to that user-side port, and determining the host that returns an RA message to the user-side port in response to the RS message to be the host performing the RA attack; or,
  • VLAN virtual local area network
  • determining the host that actively sends a multicast RA message to the user-side port to be the host performing the RA attack.
  • The sent RS message carries the same source MAC address and/or source MAC address prefix as the last sent RS message, or carries a different source MAC address and/or source MAC address prefix.
  • The information of the RA attacking host includes at least one of the following: the MAC address of the RA attacking host; the location information of the RA attacking host; and the prefix carried by the RA message sent by the RA attacking host.
  • The location information of the RA attacking host includes at least one of the following: the user-side port information of the RA attacking host; the user-side VLAN information of the RA attacking host; and the access device of the RA attacking host and the user-side port information of the access device.
  • The method further includes: determining the access device of the RA attacking host and the user-side port information of the access device according to DHCPv4 Option 82 or DHCPv6 (Dynamic Host Configuration Protocol version 6) Option 18 when the RA attacking host obtained its IP address through DHCP before sending the RA message; or, determining the access device of the RA attacking host and the user-side port information of the access device according to the PPPoE Circuit ID when the RA attacking host obtained its IP address through the Point-to-Point Protocol (PPP) before sending the RA message.
  • After redirecting the packets to the Portal server, the method further includes: notifying the hosts that send packets whose source IP address contains the specific prefix of the information that they are under RA attack and of the corresponding processing policy; and notifying the RA attacking host of its RA attack behavior and the corresponding processing policy.
  • The corresponding processing policy advertised to the hosts whose source IP address contains the specific prefix includes at least one of the following: prompting to set a masking function; releasing the configured IP address; restarting the host; and dialing a service hotline.
  • The corresponding processing policy advertised to the RA attacking host includes at least one of the following: prompting to close the attack process; killing a Trojan or a virus; and dialing a service hotline.
  • Instructing the access device of the RA attacking host to prohibit the RA attacking host from accessing the network includes:
  • instructing the access device of the RA attacking host, by Access Node Control Protocol (ANCP) signaling or General Switch Management Protocol (GSMP) signaling, to prohibit the RA attacking host from accessing the network.
  • An embodiment of the present invention further provides an RA attack defense apparatus, where the apparatus includes: a determining unit, a first processing unit, a second processing unit, a third processing unit, and a fourth processing unit; wherein the determining unit is configured to determine an RA attacking host according to the received RA message, and to trigger at least one of the first processing unit, the second processing unit, the third processing unit, and the fourth processing unit;
  • the first processing unit is configured to notify the NMS of the information of the RA attacking host;
  • the second processing unit is configured to prohibit packets whose source IP address contains a specific prefix, and packets sent by the determined RA attacking host, from being forwarded to the network side, and to redirect the packets containing the specific prefix and the packets sent by the RA attacking host to the Portal server, where the specific prefix is the prefix carried by the RA message sent by the RA attacking host;
  • the third processing unit is configured to instruct the access device of the RA attacking host to prohibit the RA attacking host from accessing the network;
  • the fourth processing unit is configured to simulate the RA attacking host sending a new RA message, where the lifetime of the prefix carried by the new RA message is less than the lifetime of the prefix carried by the RA message sent by the RA attacking host.
  • The determining unit is further configured to send an RS message through the user-side port to the hosts of the VLAN corresponding to the user-side port, and to determine the host that returns an RA message to the user-side port in response to the RS message to be the host performing the RA attack; or,
  • to determine the host that actively sends a multicast RA message to the user-side port to be the host performing the RA attack.
  • The RS message sent by the determining unit to the hosts of the VLAN corresponding to the user-side port carries the same source MAC address and/or source MAC address prefix as the last sent RS message, or carries a different source MAC address and/or source MAC address prefix.
  • The first processing unit is further configured to notify the NMS of at least one of the following information: the MAC address of the RA attacking host; the location information of the RA attacking host; and the prefix carried by the RA message sent by the RA attacking host.
  • The first processing unit is further configured to notify the NMS of at least one of the following information: the user-side port information of the RA attacking host; the user-side VLAN information of the RA attacking host; and the access device of the RA attacking host and the user-side port information of the access device.
  • The first processing unit is further configured to determine the access device and the user-side port information of the access device according to DHCPv4 Option 82 or DHCPv6 Option 18 when the RA attacking host obtained its IP address through DHCP before sending the RA message; or, to determine the access device and the user-side port information of the access device according to the PPPoE Circuit ID when the RA attacking host obtained its IP address through PPP before sending the RA message.
  • The second processing unit is further configured to: after redirecting the packets to the Portal server, notify the hosts that send packets whose source IP address contains the specific prefix of the information that they are under RA attack and of the corresponding processing policy, and notify the RA attacking host of its RA attack behavior and the corresponding processing policy.
  • The corresponding processing policy that the second processing unit advertises to the hosts that send packets whose source IP address contains the specific prefix includes at least one of the following: prompting to set a masking function; releasing the configured IP address; restarting the host; and dialing the service hotline. The corresponding processing policy that the second processing unit advertises to the RA attacking host includes at least one of the following: prompting to close the attack process; killing a Trojan or virus; and dialing the service hotline.
  • The third processing unit is further configured to instruct the access device of the RA attacking host to prohibit the RA attacking host from accessing the network by using ANCP signaling or GSMP signaling.
  • An embodiment of the present invention further provides a BNG, where the BNG includes the RA attack defense apparatus described above.
  • An embodiment of the present invention further provides a computer storage medium, where the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the RA attack prevention method described above.
  • In the embodiments of the present invention, when the host that sends an RA message is determined to be an RA attacking host, the information of the RA attacking host, including the access device information and the user-side port information of the access device, is notified to the NMS, which makes it convenient for the NMS to quickly and accurately locate the RA attacking host;
  • packets whose source IP address contains the specific prefix and the packets of the determined RA attacking host are prohibited from being forwarded to the network side and are redirected to the Portal server, where the specific prefix is the prefix carried by the RA message sent by the RA attacking host, so that the RA attacking host and the hosts attacked by the RA can handle the RA attack in a timely manner;
  • the RA attacking host is simulated to send a new RA message whose prefix lifetime is smaller than the lifetime of the prefix carried by the RA message sent by the RA attacking host, so that the hosts attacked by the RA are prevented from configuring the prefix carried by the RA message sent by the RA attacking host, and the leakage of the information of the hosts attacked by the RA is avoided.
  • FIG. 1a is a first schematic flowchart of an implementation process of an RA attack defense method according to an embodiment of the present invention;
  • FIG. 1b is a second schematic flowchart of an implementation process of an RA attack defense method according to an embodiment of the present invention;
  • FIG. 1c is a third schematic flowchart of an implementation process of an RA attack defense method according to an embodiment of the present invention;
  • FIG. 1d is a fourth schematic flowchart of an implementation process of an RA attack defense method according to an embodiment of the present invention;
  • FIG. 2 is a schematic structural diagram of an RA attack defense apparatus according to an embodiment of the present invention;
  • FIG. 3 is a schematic diagram of the composition of a BNG according to an embodiment of the present invention;
  • FIG. 4a is a first schematic diagram of a networking topology for RA attack defense according to an embodiment of the present invention;
  • FIG. 4b is a fifth schematic flowchart of an implementation process of RA attack defense according to an embodiment of the present invention;
  • FIG. 5a is a second schematic diagram of a networking topology for RA attack defense according to an embodiment of the present invention;
  • FIG. 5b is a sixth schematic flowchart of an implementation process of RA attack defense according to an embodiment of the present invention;
  • FIG. 6a is a third schematic diagram of a networking topology for RA attack defense according to an embodiment of the present invention;
  • FIG. 6b is a seventh schematic flowchart of an implementation process of RA attack defense according to an embodiment of the present invention;
  • FIG. 7a is a fourth schematic diagram of a networking topology for RA attack defense according to an embodiment of the present invention;
  • FIG. 7b is an eighth schematic flowchart of an implementation process of RA attack defense according to an embodiment of the present invention.

Detailed description

  • FIG. 1a is a first schematic flowchart of an implementation process of the RA attack defense method according to an embodiment of the present invention. As shown in FIG. 1a, the method includes:
  • Step 101a: Determine the RA attacking host according to the received RA message.
  • When the RA attacking host is determined according to the received RA message, an RS message is sent through the user-side port to the hosts of the VLAN corresponding to that user-side port, and the host that returns an RA message to the user-side port in response to the RS message is determined to be the host performing the RA attack; or, the host that actively sends a multicast RA message to the user-side port is determined to be the host performing the RA attack.
  • The RS message sent through the user-side port to the hosts of the VLAN corresponding to that port may carry a source MAC address and/or source MAC address prefix different from those of the last sent RS message, so as to be disguised as a different host and lure a potential RA attacking host; it may also carry the same source MAC address and/or source MAC address prefix as the last sent RS message.
  • Step 102a: Advertise the information of the RA attacking host to the NMS.
  • The information of the RA attacking host advertised to the NMS includes at least one of the following: the MAC address of the RA attacking host; the location information of the RA attacking host; and the prefix carried by the RA message sent by the RA attacking host.
  • The location information of the RA attacking host includes at least one of the following: the user-side port and VLAN information of the RA attacking host; and the access device of the RA attacking host and the user-side port information of the access device.
  • The access device of the RA attacking host and the user-side port information of the access device may be determined according to DHCPv4 Option 82 or DHCPv6 Option 18 when the RA attacking host obtained its IP address through DHCP before sending the RA message, or according to the PPPoE Circuit ID when the RA attacking host obtained its IP address through PPP before sending the RA message.
  • FIG. 1b is a second schematic flowchart of another implementation of the RA attack defense method according to an embodiment of the present invention. As shown in FIG. 1b, the method includes the following steps:
  • Step 101b: Determine the RA attacking host according to the received RA message.
  • The processing of step 101b is the same as that of step 101a, and will not be described again.
  • Step 102b: Prohibit packets whose source IP address contains a specific prefix, and packets sent by the RA attacking host, from being forwarded to the network side, and redirect those packets to the Portal server, where the specific prefix is the prefix carried by the RA message sent by the RA attacking host.
  • After receiving the RA message sent by the RA attacking host, the hosts in the same VLAN as the RA attacking host generate IP addresses based on the prefix carried by the RA message. Therefore, the source IP addresses of the packets sent by the hosts attacked by the RA contain the prefix carried by the RA message sent by the attacking host. Packets whose source IP address contains the prefix carried by the RA message sent by the RA attacking host (that is, the packets sent by the hosts attacked by the RA) are intercepted, the intercepted packets are prohibited from being forwarded to the network side, and the intercepted packets are redirected to the Portal server page.
  • Through the Portal server page, the hosts attacked by the RA are notified of the information that they are under RA attack and of the corresponding processing policy.
  • The policy includes at least one of the following: setting a masking function (for example, masking the packets from the attacking host); releasing the configured IP address; restarting the host; and dialing the service hotline.
  • The packets sent by the attacking host are intercepted according to the source MAC address of the RA message sent by the attacking host, the intercepted packets are prohibited from being forwarded to the network side, and the intercepted packets are redirected to the Portal server page.
  • Through the Portal server page, the RA attacking host is notified of its RA attack behavior and of the corresponding processing policy.
  • The policy includes at least one of the following: prompting to close the attack process; killing the Trojan or virus; and dialing the service hotline.
  • FIG. 1c is a third schematic flowchart of an implementation process of another RA attack defense method according to an embodiment of the present invention. As shown in FIG. 1c, the method includes the following steps:
  • Step 101c: Determine the RA attacking host according to the received RA message.
  • The processing of step 101c is the same as that of step 101a, and will not be described again.
  • Step 102c: Instruct the access device of the RA attacking host to prohibit the RA attacking host from accessing the network.
  • The access device of the RA attacking host refers to the device through which the RA attacking host accesses the network.
  • Preventing the RA attacking host from accessing the network keeps it from sending a large number of RA messages into the network.
  • ANCP signaling or GSMP signaling is used to instruct the access device of the RA attacking host to close the port facing the RA attacking host, or to blacklist the MAC address of the attacking host on the port facing the RA attacking host, that is, the port of the access device facing the RA attacking host discards the messages sent to or from the RA attacking host.
  • FIG. 1d is a fourth schematic flowchart of an implementation process of another RA attack defense method according to an embodiment of the present invention. As shown in FIG. 1d, the method includes the following steps:
  • Step 101d: Determine the RA attacking host according to the received RA message.
  • The processing of step 101d is the same as that of step 101a, and will not be described again.
  • Step 102d: Simulate the RA attacking host sending a new RA message, where the lifetime of the prefix carried by the new RA message is less than the lifetime of the prefix carried by the RA message sent by the RA attacking host.
  • The RA message sent by the RA attacking host includes a lifetime parameter, which specifies the effective time of the prefix carried by the RA message, and whose value ranges from 0 to 9000 seconds. In step 102d, the simulated RA attacking host sends a new RA message, that is, an RA message whose source MAC address is the same as the MAC address of the RA attacking host and whose lifetime parameter is smaller than the lifetime parameter of the RA message sent by the RA attacking host. In this way, the prefix that the RA attacking host expects the other hosts in the VLAN to configure their IP addresses from (that is, the prefix carried by the RA message sent by the RA attacking host) can be quickly invalidated, thereby achieving the purpose of preventing the RA attack.
  • Step 102d may be arbitrarily combined with one or more of step 102a, step 102b, and step 102c, and the order in which one or more of steps 102a, 102b, 102c, and 102d are performed can be arbitrarily swapped. For example, the following steps may be performed in turn: first, advertising the information of the RA attacking host to the NMS; next, prohibiting packets whose source IP address contains the specific prefix and the packets sent by the RA attacking host from being forwarded to the network side, and redirecting those packets to the Portal server, where the specific prefix is the prefix carried by the RA message sent by the RA attacking host; then, instructing the access device of the RA attacking host to prohibit the RA attacking host from accessing the network; and again, simulating the RA attacking host sending a new RA message whose prefix lifetime is smaller than the lifetime of the prefix carried by the RA message sent by the RA attacking host. The processing of one or more of steps 102a, 102b, 102c, and 102d can effectively defend against an RA attack.
  • An embodiment of the invention further describes a computer storage medium, where the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the RA attack defense method shown in at least one of FIG. 1a, FIG. 1b, FIG. 1c and FIG. 1d.
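Added example, not part of the patent or of the assignee's implementation: a defender-side Python model of steps 101a, 102b and 102d (probe-RS detection of the RA attacking host, the Portal redirection decision, and the parameters of the counter-RA with the shorter lifetime). The frame dictionaries, the MAC addresses, the prefix and the sample capture are constructed here; the ICMPv6 RA and Prefix Information layouts follow RFC 4861, and the two-hour floor on the valid lifetime comes from RFC 4862, section 5.5.3.

```python
import ipaddress
import struct
from dataclasses import dataclass

ICMPV6_RA = 134       # ICMPv6 Router Advertisement type (RFC 4861)
OPT_PREFIX_INFO = 3   # Prefix Information option type (RFC 4861)
TWO_HOURS = 7200      # floor for valid-lifetime cuts by unauthenticated RAs (RFC 4862, 5.5.3)


@dataclass
class RaAttacker:
    mac: str             # source MAC of the RA attacking host (what the NMS is told)
    port: str            # BNG user-side port the RA arrived on
    vlan: int            # user-side VLAN
    reason: str          # "answered-rs" or "multicast-ra" (the two forms of step 101a)
    prefix: str          # prefix carried by the attacker's RA
    valid_lifetime: int  # valid lifetime in seconds announced for that prefix
    router_lifetime: int # seconds for which the attacker claims to be a default router


def parse_ra(payload):
    """Decode the router lifetime and the Prefix Information options of an ICMPv6 RA.
    Returns (router_lifetime, [(prefix, valid_lifetime), ...]) or None if malformed."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        return None
    router_lifetime = struct.unpack("!H", payload[6:8])[0]
    prefixes, off = [], 16                    # fixed RA header is 16 bytes
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        end = off + olen * 8                  # option length is in units of 8 octets
        if olen == 0 or end > len(payload):   # zero-length or truncated option
            return None
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen = payload[off + 2]
            valid = struct.unpack("!I", payload[off + 4:off + 8])[0]
            addr = int.from_bytes(payload[off + 16:off + 32], "big")
            prefixes.append((str(ipaddress.IPv6Network((addr, plen), strict=False)), valid))
        off = end
    return router_lifetime, prefixes


def find_ra_attackers(frames, probe_mac):
    """Step 101a: a host that answers the BNG's probing RS (sent from probe_mac) with
    an RA on the user-side port, or that multicasts an RA to it, is an RA attacking
    host. Each frame is a dict with keys port, vlan, src_mac, dst_mac and icmpv6."""
    found = {}
    for f in frames:
        parsed = parse_ra(f["icmpv6"])
        if parsed is None:
            continue
        dst = f["dst_mac"].lower()
        if dst.startswith("33:33:"):          # IPv6 multicast MAC: unsolicited RA
            reason = "multicast-ra"
        elif dst == probe_mac.lower():        # unicast answer to the BNG's own RS
            reason = "answered-rs"
        else:
            continue
        router_lt, prefixes = parsed
        for prefix, valid in prefixes:
            found[(f["src_mac"], prefix)] = RaAttacker(
                f["src_mac"], f["port"], f["vlan"], reason, prefix, valid, router_lt)
    return list(found.values())


def must_redirect(src_mac, src_ip, attackers):
    """Step 102b: packets sent by the attacking host, or whose source address was
    configured from the attacker's prefix, are kept off the network side and
    redirected to the Portal server."""
    ip = ipaddress.IPv6Address(src_ip)
    return any(src_mac.lower() == a.mac.lower() or ip in ipaddress.IPv6Network(a.prefix)
               for a in attackers)


def counter_ra(a):
    """Step 102d: parameters of the RA the BNG sends in the attacker's name. Router
    lifetime 0 makes hosts drop the attacker as default router at once and preferred
    lifetime 0 deprecates the addresses; an unauthenticated RA can only cut the valid
    lifetime down to two hours (RFC 4862, 5.5.3), so that is the floor used here."""
    return {"src_mac": a.mac, "prefix": a.prefix, "router_lifetime": 0,
            "preferred_lifetime": 0, "valid_lifetime": min(a.valid_lifetime, TWO_HOURS)}


def _ra_bytes(router_lifetime, prefix, valid, preferred):
    """Constructed test payload: RA header plus one Prefix Information option
    (checksum left zero; sample data only, never put on the wire)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, valid, preferred, 0)
    return hdr + opt + net.network_address.packed


# Constructed capture on user-side port A, VLAN 1, after the BNG sent its probing RS.
PROBE_MAC = "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    {"port": "A", "vlan": 1, "src_mac": "02:00:00:00:00:02", "dst_mac": PROBE_MAC,
     "icmpv6": _ra_bytes(1800, "2001:db8:bad::/64", 86400, 14400)},  # answers the RS
    {"port": "A", "vlan": 1, "src_mac": "02:00:00:00:00:03", "dst_mac": PROBE_MAC,
     "icmpv6": bytes([129]) + bytes(7)},                              # Echo Reply: ignored
]
```

`find_ra_attackers(SAMPLE_FRAMES, PROBE_MAC)` yields the single attacker record that step 102a would report to the NMS, and `counter_ra` on it gives the lifetimes for the step 102d message.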
  • FIG. 2 is a schematic structural diagram of an RA attack defense apparatus according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes:
  • a determining unit 21, configured to determine an RA attacking host according to the received RA message, and to trigger at least one of a first processing unit 22, a second processing unit 23, a third processing unit 24, and a fourth processing unit 25;
  • the first processing unit 22, configured to notify the NMS of the information of the RA attacking host;
  • the second processing unit 23, configured to prohibit packets whose source IP address contains a specific prefix, and packets sent by the RA attacking host, from being forwarded to the network side, and to redirect the packets containing the specific prefix and the packets sent by the RA attacking host to the Portal server, where the specific prefix is the prefix carried by the RA message sent by the RA attacking host;
  • the third processing unit 24, configured to instruct the access device of the RA attacking host to prohibit the RA attacking host from accessing the network; and
  • the fourth processing unit 25, configured to simulate the RA attacking host sending a new RA message, where the lifetime of the prefix carried by the new RA message is less than the lifetime of the prefix carried by the RA message sent by the RA attacking host.
  • The determining unit 21 is further configured to send an RS message through the user-side port to the hosts of the VLAN corresponding to the user-side port, and to determine the host that returns an RA message to the user-side port in response to the RS message to be the host performing the RA attack; or to determine the host that actively sends a multicast RA message to the user-side port to be the host performing the RA attack.
  • The RS message sent by the determining unit 21 through the user-side port to the hosts of the VLAN corresponding to the user-side port carries the same source MAC address and/or source MAC address prefix as the last sent RS message, or carries a different source MAC address and/or source MAC address prefix.
  • The first processing unit 22 is further configured to notify the NMS of at least one of the following information: the media access control (MAC) address of the RA attacking host; the location information of the RA attacking host; and the prefix carried by the RA message sent by the RA attacking host.
  • The first processing unit 22 is further configured to notify the NMS of at least one of the following information: the user-side port information of the RA attacking host; the user-side VLAN information of the RA attacking host; and the access device of the RA attacking host and the user-side port information of the access device.
  • The first processing unit 22 is further configured to determine the access device and the user-side port information of the access device according to DHCPv4 Option 82 or DHCPv6 Option 18 when the RA attacking host obtained its IP address through DHCP before sending the RA message; or, to determine the access device and the user-side port information of the access device according to the PPPoE Circuit ID when the RA attacking host obtained its IP address through PPP before sending the RA message.
  • The second processing unit 23 is further configured to: after redirecting the packets to the Portal server, notify the hosts that send packets whose source IP address contains the specific prefix of the information that they are under RA attack and of the corresponding processing policy, and notify the RA attacking host of its RA attack behavior and the corresponding processing policy. The corresponding processing policy that the second processing unit 23 advertises to the hosts that send packets whose source IP address contains the specific prefix includes at least one of the following: prompting to set a masking function; releasing the configured IP address; restarting the host; and dialing the service hotline. The corresponding processing policy that the second processing unit 23 advertises to the RA attacking host includes at least one of the following: prompting to close the attack process; killing a Trojan or virus; and dialing the service hotline.
  • The third processing unit 24 is further configured to instruct the access device of the RA attacking host to prohibit the RA attacking host from accessing the network by using ANCP signaling or GSMP signaling.
  • The determining unit 21, the first processing unit 22, the second processing unit 23, the third processing unit 24, and the fourth processing unit 25 may be implemented by a central processing unit (CPU), a digital signal processor (DSP), or a field programmable gate array (FPGA) in the RA attack defense apparatus.
  • FIG. 3 is a schematic structural diagram of a BNG according to an embodiment of the present invention.
  • the BNG includes an RA attack defense device, where the RA attack defense device includes a determining unit 21; the RA attack defense device further includes a first processing unit 22, a second processing unit 23, a third processing unit 24 and a fourth processing unit 25, whose functions are the same as described above.
  • FIG. 4a is a schematic diagram of a network topology of the RA attack defense according to the embodiment of the present invention.
  • As shown in FIG. 4a, the user terminals (UE, User Equipment) UE 1, UE 2 and UE 3 access BNG 1 through access node (AN, Access Node) 1; BNG 1 provides port A on its user side for AN 1 to access, and BNG 1 maintains a link connection with the NMS.
  • FIG. 4b is a schematic flowchart of the implementation of the RA attack defense according to the embodiment of the present invention. Based on the network topology shown in FIG. 4a, the processing steps of the RA attack defense are as shown in FIG. 4b and include the following steps:
  • Step 401: BNG 1 actively sends an RS message with source MAC address MAC 1 to VLAN 1 through port A.
  • Step 402: AN 1 forwards the received RS message to UE 1, UE 2 and UE 3 in VLAN 1.
  • UE 1 returns an RA message in response to the RS message; the UE 1 that sends the RA message is a malicious UE performing an RA attack.
  • AN 1 forwards the RA message to BNG 1 based on the mapping it maintains between MAC addresses and ports.
  • Step 405: BNG 1 sends the MAC address MAC 2 of UE 1 and the prefix Prefix 1 carried by the RA message to the network management system NMS.
  • That is, BNG 1 notifies the NMS that UE 1, whose MAC address is MAC 2, is performing an RA attack and that the prefix carried by its RA message is Prefix 1.
  • Step 406: BNG 1 acquires the access device information of UE 1 and the user-side port information of the access device, and sends them to the NMS.
  • The NMS can accurately and quickly locate UE 1 according to the received access device information and access device user-side port information.
  • Using the MAC address of UE 1, BNG 1 determines the DHCPv4 Option 82 or DHCPv6 Option 18 information recorded when UE 1 obtained its IP address through DHCP before sending the RA message;
  • or, using the MAC address of UE 1, BNG 1 determines the PPPoE Circuit ID information recorded when UE 1 obtained its IP address through PPP;
  • the access device information of UE 1 and the user-side port information of the access device are extracted from the DHCPv4 Option 82, DHCPv6 Option 18 or PPPoE Circuit ID information.
  • Steps 401 to 406 are performed repeatedly, where the RS message BNG 1 sends to VLAN 1 in step 401 uses a different source MAC address from the previous RS message, so that BNG 1 masquerades as a different UE each time it sends an RS message to the potentially malicious UEs in VLAN 1, and the UE that returns a corresponding RA message is determined to be the malicious UE performing the RA attack.
  • In this way, BNG 1 can determine from the received RA message the MAC address of the malicious UE and the prefix Prefix 2 carried by the RA message the malicious UE sent, and notify the NMS in time;
  • the access device information of the malicious UE and the user-side port information of that access device can also be obtained in time and notified to the NMS, so that the NMS can quickly and accurately locate the malicious UE.
  • FIG. 5a is a schematic diagram of a network topology of the RA attack defense according to the embodiment of the present invention. As shown in FIG. 5a, UE 4, UE 5 and UE 6 access BNG 2 through AN 2, and BNG 2 maintains link connections with the NMS and the Portal server.
  • FIG. 5b is a schematic flowchart of the implementation of the RA attack defense according to the embodiment of the present invention. Based on the network topology shown in FIG. 5a, the processing procedure of the RA attack defense is as shown in FIG. 5b and includes the following steps:
  • Step 501: UE 5 actively sends a multicast RA message.
  • The source MAC address of the multicast RA message is MAC 5, the network card address of UE 5, and the prefix carried by the message is Prefix 2; the UE 5 that actively sends the multicast RA message is a malicious UE performing an RA attack.
  • Step 502: AN 2 broadcasts the RA message from UE 5 in VLAN 2.
  • UE 4, UE 6 and BNG 2 in VLAN 2 receive the RA message.
  • Step 503: After receiving the RA message, BNG 2 generates a mandatory redirection policy.
  • BNG 2 records the prefix Prefix 2 of the RA message and the source MAC address MAC 5 in the RA message, and generates a redirection policy from the recorded Prefix 2 and MAC 5. The redirection policy is: redirect packets from any UE whose IPv6 address is configured from Prefix 2 to the Portal server prompt page, and redirect packets from the UE with source MAC address MAC 5 to the Portal server prompt page.
  • Step 504: UE 4 and UE 6 configure a local IPv6 address according to Prefix 2 in the RA message.
  • Step 505: UE 5 sends a Hypertext Transfer Protocol (HTTP) packet to BNG 2 through AN 2.
  • Step 507: The source MAC address of the packet is MAC 5, and the packet is forwarded by AN 2 to BNG 2.
  • After receiving the packet from UE 5, BNG 2 redirects it to the Portal server prompt page according to the redirection policy generated in step 503, and the Portal server notifies UE 5 that it is performing an RA attack, together with the corresponding processing policy; the notification of UE 5's ongoing attack behaviour is forwarded to UE 5 through BNG 2 and AN 2.
  • The processing policy includes at least one of the following: prompting to close the attack process; scanning for and removing the Trojan or virus; calling the service hotline.
  • UE 6 sends a packet whose source IP address contains the prefix Prefix 2, and the packet is forwarded by AN 2 to BNG 2.
  • After receiving the packet from UE 6, BNG 2 redirects it to the Portal server prompt page according to the redirection policy generated in step 503, and the Portal server notifies UE 6 that UE 5 is performing gateway spoofing; the notification of UE 5's ongoing attack behaviour is forwarded to UE 6 through BNG 2 and AN 2.
  • The processing policy includes at least one of the following: prompting to set a masking function (for example, masking RA messages from UE 5); releasing the IPv6 address configured by UE 6; restarting UE 6; dialing the service hotline. The processing for UE 4 is the same and is not described again.
  • In this way, packets from the malicious UE in VLAN 2 can be redirected to the Portal server page, which prompts the RA attack information and the corresponding processing policy; and for UEs in VLAN 2 that configured an invalid IPv6 address according to the RA message sent by the malicious UE, BNG 2 can likewise redirect their packets to the Portal server page, prompting the corresponding RA attack information and processing policy.
  • FIG. 6a is a schematic diagram of the network topology of the RA attack defense according to the embodiment of the present invention.
  • As shown in FIG. 6a, UE 7 accesses BNG 3 through AN 3, and BNG 3 provides access to AN 3 through port B.
  • FIG. 6b is a schematic flowchart of the implementation of the RA attack defense according to the embodiment of the present invention. Based on the network topology shown in FIG. 6a, the processing steps of the RA attack defense are as shown in FIG. 6b and include the following steps:
  • Steps 601 to 602: UE 7 sends an RA message to BNG 3 through AN 3.
  • The RA message may be a unicast RA message or a multicast RA message, and the source MAC address it carries is MAC 7, the MAC address of UE 7; the UE 8 that sends the RA message is determined to be a malicious UE.
  • The multicast RA message is actively sent by UE 7.
  • The unicast RA message is the unicast RA message received from UE 7 after BNG 3 sends an RS message to the UEs in the VLAN.
  • Step 603: BNG 3 determines, according to the received RA message, that the access device connecting UE 7 to the network is AN 3 and that the access port AN 3 provides to UE 7 is port B.
  • Using the MAC address of UE 7, BNG 3 determines the DHCPv4 Option 82 or DHCPv6 Option 18 information recorded when UE 8 obtained its IP address through DHCP before sending the RA message; or, using the MAC address of UE 7, BNG 3 determines the PPPoE Circuit ID information recorded when UE 7 obtained its IP address through PPP before sending the RA message.
  • The access device AN 3 corresponding to UE 7 and the port (port B) that the BNG provides on the user side to AN 3 are extracted from the information obtained above.
  • Step 604: BNG 3 sends an instruction to AN 3 indicating that AN 3 should close port B or blacklist MAC 7 on port B.
  • Blacklisting MAC 8 on port B means discarding packets sent to or from MAC 8 through port B.
  • The control instructions between BNG 3 and AN 3 can be encapsulated in either ANCP or GSMP.
  • In this way, according to the RA message sent by the malicious UE, BNG 3 determines the AN that provides access to the malicious UE and the access port on that AN, and instructs the AN to close the access port it provides or to blacklist the MAC address of the malicious UE on that port, which prevents the malicious UE from continuing the RA attack and crashing the network.
  • FIG. 7a is a schematic diagram of a network topology of RA attack defense according to an embodiment of the present invention. As shown in FIG. 7a, UE 8, UE 9 and UE 10 access BNG 4 through AN 4.
  • FIG. 7b is a schematic flowchart of the implementation of the RA attack defense according to the embodiment of the present invention. The processing procedure of the RA attack defense is as shown in FIG. 7b.
  • Steps 701 to 702: UE 9 sends an RA message to BNG 4 through AN 4.
  • The RA message may be a unicast RA message or a multicast RA message, and its source MAC address is MAC 9, the MAC address of UE 9;
  • the multicast RA message is actively sent by UE 9, and the unicast RA message is the unicast RA message received from UE 9 after BNG 4 sends an RS message to the UEs in the VLAN.
  • Step 703: BNG 4 encapsulates a new multicast RA message according to the received RA message; its priority is higher than that of the received RA message, the lifetime parameter it carries is less than the lifetime in the received RA message, and the prefix information it carries is the same as the prefix information carried by the received RA message.
  • Steps 704 to 705: BNG 4 sends the encapsulated new multicast RA message through AN 4 to VLAN 4, where UE 9 is located.
  • Step 706: UE 8, UE 9 and UE 10 in VLAN 4 configure an IPv6 address according to the RA message received from step 703.
  • The UEs in VLAN 4 configure their IPv6 address according to the RA message with the higher priority; and because the lifetime of the higher-priority RA message (set to 100 seconds) is lower than the lifetime in the RA message received in step 701 (set to 9000 seconds), the IPv6 prefix lifetime maintained by UE 10 and UE 11 is small, and they will configure a new IPv6 address once that lifetime expires.
  • In this way, BNG 4 masquerades as the malicious UE to send a new multicast RA message, so that the IPv6 prefix the malicious UE expects the other UEs to use has a shorter lifetime; for example, if the lifetime of the prefix information in the new multicast RA message is 100 s, the prefix information is invalidated quickly. This prevents the malicious UE from intercepting the information of other UEs and ensures network security.
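The RA parsing the BNG needs for steps 401 to 404 and 501 to 502, and the counter-RA of step 703, as an added Python example that is not part of the patent; it assumes the patent's "priority" means the RFC 4191 router preference (Prf) bits, and the rogue RA bytes are constructed from the values in step 701 and a documentation prefix.

```python
"""Added example, not the patent's code: parse an ICMPv6 Router Advertisement
(RFC 4861) and build the step 703 counter-RA (same prefix, higher preference,
shorter lifetimes). Assumes the patent's "priority" is the RFC 4191 Prf field."""
import struct
from dataclasses import dataclass, field
from typing import List

ICMPV6_RA = 134       # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO = 3   # NDP option type: Prefix Information
PRF_MASK = 0x18       # Prf occupies bits 4..3 of the RA flags byte
PRF_HIGH = 0x08       # 01 = High, the highest preference RFC 4191 defines


@dataclass
class PrefixInfo:
    prefix: bytes             # 16 raw bytes of the advertised prefix
    prefix_len: int
    flags: int                # L (on-link) / A (autonomous) bits
    valid_lifetime: int       # seconds
    preferred_lifetime: int   # seconds


@dataclass
class RouterAdvertisement:
    cur_hop_limit: int
    flags: int                # M / O / H / Prf / Proxy bits
    router_lifetime: int      # seconds; 0 = not a default router
    reachable_time: int
    retrans_timer: int
    prefixes: List[PrefixInfo] = field(default_factory=list)


def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Parse the ICMPv6 payload of an RA and its Prefix Information options.
    Malformed input raises ValueError so it cannot confuse the defense logic."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA or payload[1] != 0:
        raise ValueError("not a Router Advertisement")
    hop, flags, rlife, reach, retrans = struct.unpack("!BBHII", payload[4:16])
    ra = RouterAdvertisement(hop, flags, rlife, reach, retrans)
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:  # RFC 4861 6.1.2: a zero-length option invalidates the packet
            raise ValueError("zero-length NDP option")
        opt = payload[off:off + olen * 8]
        if len(opt) < olen * 8:
            raise ValueError("truncated NDP option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, pref = struct.unpack("!BBII", opt[2:12])
            ra.prefixes.append(PrefixInfo(opt[16:32], plen, pflags, valid, pref))
        off += olen * 8
    return ra


def build_ra(ra: RouterAdvertisement) -> bytes:
    """Serialize an RA. The checksum stays 0: it covers the IPv6 pseudo-header
    and is filled in by the sending stack (e.g. a raw IPPROTO_ICMPV6 socket)."""
    out = bytearray(struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, ra.cur_hop_limit,
                                ra.flags, ra.router_lifetime,
                                ra.reachable_time, ra.retrans_timer))
    for p in ra.prefixes:
        out += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, p.prefix_len,
                           p.flags, p.valid_lifetime, p.preferred_lifetime, 0)
        out += p.prefix
    return bytes(out)


def is_rogue_ra(from_user_side: bool, payload: bytes) -> bool:
    """Steps 401-404 and 501-502: a well-formed RA arriving on a user-side port,
    whether solicited by the BNG's RS or an unsolicited multicast, marks its
    sender as an RA attacking host; RAs from the network side are legitimate."""
    if not from_user_side:
        return False
    try:
        parse_ra(payload)
    except ValueError:
        return False
    return True


def build_counter_ra(rogue: bytes, lifetime: int = 100) -> bytes:
    """Step 703: derive from the rogue RA a new RA with the same prefix(es),
    Prf=High and router/prefix lifetimes capped at `lifetime` seconds, so
    hosts that accepted the rogue prefix age it out quickly."""
    ra = parse_ra(rogue)
    ra.flags = (ra.flags & ~PRF_MASK) | PRF_HIGH
    ra.router_lifetime = min(ra.router_lifetime, lifetime)
    for p in ra.prefixes:
        p.valid_lifetime = min(p.valid_lifetime, lifetime)
        p.preferred_lifetime = min(p.preferred_lifetime, lifetime)
    return build_ra(ra)


# Constructed sample mirroring step 701: rogue RA with Prf=Medium, router
# lifetime 9000 s, documentation prefix 2001:db8:2::/64 (L and A flags set),
# valid and preferred lifetime 9000 s.
ROGUE_RA = build_ra(RouterAdvertisement(
    cur_hop_limit=64, flags=0x00, router_lifetime=9000,
    reachable_time=0, retrans_timer=0,
    prefixes=[PrefixInfo(bytes.fromhex("20010db8000200000000000000000000"),
                         64, 0xC0, 9000, 9000)]))
```

One caveat on the 100 s figure: RFC 4862 section 5.5.3 does not let an unauthenticated RA cut a prefix's remaining valid lifetime below two hours, so it is the shortened preferred lifetime that deprecates the rogue-prefix addresses quickly.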
  • These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means;
  • the instruction means implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing;
  • the instructions executed on the computer or other programmable device thus provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Abstract

Disclosed are a router advertisement (RA) attack prevention method, device, equipment and computer storage medium. The method comprises: determining an RA attacking host according to a received RA message; and performing at least one of the following operations: notifying a network management system of information about the RA attacking host; prohibiting packets whose source Internet Protocol (IP) address contains a specific prefix, and packets sent by the determined RA attacking host, from being forwarded to the network side, and redirecting those packets to a Portal server prompt page, where the specific prefix is the prefix carried by the RA message sent by the RA attacking host; instructing the access equipment of the RA attacking host to prohibit the RA attacking host from gaining network access; and masquerading as the RA attacking host to send a new RA message, where the prefix carried by the new RA message has a shorter lifetime than the prefix carried in the RA message sent by the RA attacking host.

Description

Router Advertisement Attack Prevention Method, Device, Equipment and Computer Storage Medium

Technical Field

The present invention relates to communications technology, and in particular to a router advertisement (RA, Router Advertisement) attack prevention method, device, equipment and computer storage medium.

Background

With the rapid spread of the Internet and the rapid development of data communication technology, the number of Internet Protocol (IP) terminals has surged. Public Internet Protocol version 4 (IPv4) addresses are now exhausted, and Network Address Translation (NAT) has many limitations in performance and application-layer support, so the adoption of Internet Protocol version 6 (IPv6), with its longer address encoding and much larger address space, is an imperative and major task for operators and users worldwide.

The difficulties currently limiting IPv6 adoption lie mainly in policy support, the difficulty of technology upgrades and limited application support. As the IPv4 address space is fully allocated and the terminal market develops on a large scale, demand for IPv6 keeps growing; governments are actively supporting IPv6 rollout, and major Internet Content Providers (ICP) and application developers are upgrading existing IPv4-based applications to support IPv6 on a large scale. The cost pressure operators face in upgrading to IPv6 is one of the most important factors hindering IPv6 adoption, and which devices should be upgraded first to support IPv6 has become an important research topic for operators.

The access network is the largest and most capital-intensive part of an operator's network; which access-network devices should support IPv6 first is one of the focal issues of operators' IPv6 upgrade plans.

In an IPv6-capable access network, the typical network topology consists of an IPv6 Broadband Network Gateway (BNG), Layer 2 access devices and IPv6 hosts. Normally the BNG sends Router Advertisement (RA) messages to the access network carrying information such as the IPv6 prefix and the link Maximum Transmission Unit (MTU); after receiving an RA, an IPv6 host generates an IPv6 address and points its default route at the device that sent the RA, i.e. the BNG, so that IPv6 communication can proceed. If a malicious IPv6 host actively sends RA messages, including multicast RA messages and unicast RA messages sent in reply to Router Solicitation (RS) messages from other hosts in the same broadcast domain, the IPv6 hosts point their default route at the malicious host, which can then intercept the hosts' user information and compromise network security; hosts may also obtain invalid addresses and be unable to connect to the network; in addition, a malicious host sending large numbers of RA messages to attack the network can easily cause a network outage.

The common solution to this problem is to upgrade the Layer 2 access device to support so-called secure RA, that is, to configure the user-side ports of the Layer 2 access device by command to refuse malicious RA messages. This prevents the forwarding of malicious RAs to some extent and keeps the network working, but it requires upgrading the Layer 2 access device to a Layer 3 device that can process IPv6 packets, which means a software upgrade or even hardware replacement; large-scale upgrade and replacement of access devices inevitably increases operators' upgrade costs and hinders IPv6 adoption. Moreover, manually configuring the secure RA function on Layer 2 devices requires substantial operation and maintenance effort, further increasing the cost of operators' IPv6 upgrades.

In summary, the related art offers no solution for preventing RA attacks by malicious hosts effectively and at low cost.

Summary of the Invention
Embodiments of the present invention provide an RA attack prevention method, device, equipment and computer storage medium that solve the problem that the related art cannot effectively prevent RA attacks by malicious hosts.

The technical solution of the embodiments of the present invention is implemented as follows:

An embodiment of the present invention provides an RA attack prevention method, the method comprising: determining an RA attacking host according to a received RA message; and performing at least one of the following operations: notifying a Network Management System (NMS) of information about the RA attacking host;

prohibiting packets whose source IP address contains a specific prefix, and packets sent by the RA attacking host, from being forwarded to the network side, and redirecting the packets containing the specific prefix and the packets sent by the RA attacking host to a Portal server, where the specific prefix is the prefix carried by the RA message sent by the RA attacking host;

instructing the access device of the RA attacking host to prohibit the RA attacking host from accessing the network; masquerading as the RA attacking host to send a new RA message, where the lifetime of the prefix carried by the new RA message is shorter than the lifetime of the prefix carried by the RA message sent by the RA attacking host.
Preferably, determining the RA attacking host according to the received RA message comprises:

sending an RS message through a user-side port to the hosts of the Virtual Local Area Network (VLAN) corresponding to that user-side port, and determining the host that returns an RA message to the user-side port in response to the RS message to be the host performing the RA attack; or,

determining the host that actively sends a multicast RA message to the user-side port to be the host performing the RA attack.

Preferably, the sent RS message carries the same source MAC address and/or source MAC address prefix as the previously sent RS message, or carries a different source MAC address and/or source MAC address prefix.

Preferably, the information about the RA attacking host includes at least one of the following: the MAC address of the RA attacking host; the location information of the RA attacking host; the prefix carried by the RA message sent by the RA attacking host.

Preferably, the information about the RA attacking host includes at least one of the following: the user-side port information of the RA attacking host; the user-side VLAN information of the RA attacking host; the access device of the RA attacking host and the user-side port information of the access device. Preferably, before notifying the NMS of the access device of the RA attacking host and the user-side port information of the access device, the method further comprises:

determining the access device of the RA attacking host and the user-side port information of the access device according to the Dynamic Host Configuration Protocol version 4 (DHCPv4) Option 82 or Dynamic Host Configuration Protocol version 6 (DHCPv6) Option 18 used when the RA attacking host obtained its IP address through DHCPv4 before sending the RA message; or, determining the access device of the RA attacking host and the user-side port information of the access device according to the Point-to-Point Protocol over Ethernet Circuit IDentity (PPPoE Circuit ID) used when the RA attacking host obtained its IP address through the Point-to-Point Protocol (PPP) before sending the RA message.

Preferably, after redirecting the packets to the Portal server, the method further comprises: notifying the hosts whose source IP address contains the specific prefix that they are under RA attack, together with the corresponding processing policy, and notifying the RA attacking host of its attack behaviour and the corresponding processing policy.

Preferably, the processing policy notified to the hosts whose source IP address contains the specific prefix includes at least one of the following: prompting to set a masking function; releasing the configured IP address; restarting the host; dialing the service hotline;

the processing policy notified to the RA attacking host includes at least one of the following: prompting to close the attack process; scanning for and removing the Trojan or virus; dialing the service hotline.

Preferably, instructing the access device of the RA attacking host to prohibit the RA attacking host from accessing the network comprises:

instructing, through Access Node Control Protocol (ANCP) signaling or General Switch Management Protocol (GSMP) signaling, the access device of the RA attacking host to prohibit the RA attacking host from accessing the network. An embodiment of the present invention further provides an RA attack prevention device, the device comprising: a determining unit, a first processing unit, a second processing unit, a third processing unit and a fourth processing unit; where the determining unit is configured to determine the RA attacking host according to the received RA message and to trigger at least one of the first processing unit, the second processing unit, the third processing unit and the fourth processing unit;
所述第一处理单元, 配置为向 NMS通告所述 RA攻击主机的信息; 所述第二处理单元, 配置为禁止源 IP地址包含特定前缀的 文、 以及 所述确定的 RA攻击主机发送的报文向网络侧转发,并重定向所述包含特定 前缀的报文、 以及所述 RA攻击主机发送的报文至 Portal服务器, 所述特定 前缀为所述 RA攻击主机发送的 RA消息携带的前缀;  The first processing unit is configured to notify the NMS of the information of the RA attacking host; the second processing unit is configured to block the source IP address from containing the specific prefix, and the determined RA attacking host sending the message. Forwarding to the network side, and redirecting the packet containing the specific prefix and the packet sent by the RA attacking host to the Portal server, where the specific prefix is a prefix carried by the RA message sent by the RA attacking host;
所述第三处理单元,配置为指示所述 RA攻击主机的接入设备禁止所述 RA攻击主机访问网络;  The third processing unit is configured to instruct the access device of the RA attacking host to prohibit the RA attacking host from accessing the network;
所述第四处理单元, 配置为模拟所述 RA攻击主机发送新的 RA消息, 所述新的 RA消息携带前缀的生存期小于所述 RA攻击主机发送的 RA消息 携带的前缀的生存期。  The fourth processing unit is configured to simulate that the RA attacking host sends a new RA message, where the lifetime of the new RA message carrying the prefix is less than the lifetime of the prefix carried by the RA message sent by the RA attacking host.
优选地, 所述确定单元, 还配置为通过用户侧端口向所述用户侧端口 对应的 VLAN的主机发送 RS消息,将针对所述 RS消息向所述用户侧端口 返回 RA消息的主机确定为进行 RA攻击的主机; 或,  Preferably, the determining unit is further configured to send an RS message to the host of the VLAN corresponding to the user-side port by using the user-side port, and determine, by the host that returns the RA message to the user-side port, The host of the RA attack; or,
将向用户侧端口主动发送组播 RA消息的主机确定为进行 A攻击的主 机。  The host that actively sends the multicast RA message to the user-side port is determined to be the host that performs the A attack.
优选地,所述确定单元向所述用户侧端口对应的 VLAN的主机发送 RS 消息携带有与上次发送的 RS消息相同的源 MAC地址和 /或源 MAC地址前 缀, 或携带有不同的源 MAC地址和 /或源 MAC地址前缀。  Preferably, the determining unit sends an RS message to the host of the VLAN corresponding to the user-side port, carrying the same source MAC address and/or source MAC address prefix as the last sent RS message, or carrying a different source MAC address. Address and / or source MAC address prefix.
Preferably, the first processing unit is further configured to notify the NMS of at least one of the following: the MAC address of the RA attacking host; the location information of the RA attacking host; the prefix carried by the RA message sent by the RA attacking host.
Preferably, the first processing unit is further configured to notify the NMS of at least one of the following: the user-side port of the RA attacking host; the user-side VLAN information of the RA attacking host; the access device of the RA attacking host and the user-side port information of that access device.
Preferably, the first processing unit is further configured to determine the access device and the user-side port information of the access device from the DHCPv4 Option 82 or DHCPv6 Option 18 recorded when the RA attacking host obtained an IP address through DHCPv4 before sending the RA message; or to determine the access device and the user-side port information of the access device from the PPPoE Circuit ID recorded when the RA attacking host obtained an IP address through PPP before sending the RA message.
Preferably, the second processing unit is further configured to, after redirecting the packets to the Portal server, notify the hosts whose sent packets carry a source IP address containing the specific prefix that they have been subjected to an RA attack, together with the corresponding handling policy, and to notify the RA attacking host of its attack behaviour together with the corresponding handling policy.
Preferably, the handling policy that the second processing unit notifies to the hosts whose source IP address contains the specific prefix includes at least one of the following:
prompting the user to set up a blocking function; releasing the configured IP address; restarting the host; calling the service hotline. The handling policy that the second processing unit notifies to the RA attacking host includes at least one of the following:
prompting the user to close the attacking process; scanning for and removing a Trojan or virus; calling the service hotline.
Preferably, the third processing unit is further configured to instruct the access device of the RA attacking host, via ANCP signalling or GSMP signalling, to prohibit the RA attacking host from accessing the network.
An embodiment of the present invention further provides a BNG, the BNG including the RA attack prevention device described above.
An embodiment of the present invention further provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the RA attack prevention method described above.
In the technical solution of the embodiments of the present invention, when the host sending the RA message is determined to be an RA attacking host, notifying the NMS of the information about the RA attacking host, including the access device information and the user-side port information of the access device, allows the NMS to locate the RA attacking host quickly and accurately;
prohibiting the forwarding to the network side of packets whose source IP address contains the specific prefix and of packets sent by the determined RA attacking host, and redirecting those packets to the Portal server, where the specific prefix is the prefix carried by the RA message sent by the RA attacking host, allows both the RA attacking host and the hosts subjected to the RA attack to take the corresponding action in time: the host launching the RA attack can stop the attack promptly, and the hosts subjected to the RA attack can avoid being attacked again;
instructing the access device of the RA attacking host to prohibit the RA attacking host from accessing the network avoids the network paralysis caused by the RA attacking host frequently sending RA messages, as well as the threat to the security of other hosts;
simulating the RA attacking host by sending a new RA message, where the lifetime of the prefix carried by the new RA message is shorter than the lifetime of the prefix carried by the RA message sent by the RA attacking host, avoids the information leakage that would result from the attacked hosts configuring addresses from the prefix carried by the attacking host's RA message.
Brief Description of the Drawings
FIG. 1a is a first schematic flowchart of the implementation of the RA attack prevention method according to an embodiment of the present invention;
FIG. 1b is a second schematic flowchart of the implementation of the RA attack prevention method according to an embodiment of the present invention;
FIG. 1c is a third schematic flowchart of the implementation of the RA attack prevention method according to an embodiment of the present invention;
FIG. 1d is a fourth schematic flowchart of the implementation of the RA attack prevention method according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of the RA attack prevention device according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of the BNG according to an embodiment of the present invention;
FIG. 4a is a first schematic diagram of a network topology for RA attack prevention according to an embodiment of the present invention;
FIG. 4b is a fifth schematic flowchart of the implementation of RA attack prevention according to an embodiment of the present invention;
FIG. 5a is a second schematic diagram of a network topology for RA attack prevention according to an embodiment of the present invention;
FIG. 5b is a sixth schematic flowchart of the implementation of RA attack prevention according to an embodiment of the present invention;
FIG. 6a is a third schematic diagram of a network topology for RA attack prevention according to an embodiment of the present invention;
FIG. 6b is a seventh schematic flowchart of the implementation of RA attack prevention according to an embodiment of the present invention;
FIG. 7a is a fourth schematic diagram of a network topology for RA attack prevention according to an embodiment of the present invention;
FIG. 7b is an eighth schematic flowchart of the implementation of RA attack prevention according to an embodiment of the present invention.
Detailed Description of the Embodiments
The present invention is further described in detail below with reference to the accompanying drawings and specific embodiments. It should be noted that
An embodiment of the present invention describes an RA attack prevention method. FIG. 1a is a first schematic flowchart of the implementation of the RA attack prevention method according to an embodiment of the present invention; as shown in FIG. 1a, the method includes:
Step 101a: determine the RA attacking host according to the received RA message.
When determining the RA attacking host according to the received RA message, an RS message is sent through a user-side port to the hosts of the VLAN corresponding to that user-side port, and a host that returns an RA message to the user-side port in response to the RS message is determined to be a host carrying out an RA attack; or a host that actively sends a multicast RA message towards the user-side port is determined to be a host carrying out an RA attack.
As one implementation of step 101a, the RS message sent through the user-side port to the hosts of the VLAN corresponding to that port may carry a source MAC address and/or source MAC address prefix different from those of the previously sent RS message, so as to pose as a different host and thereby induce a potential RA attacking host to respond. Of course, it may also carry the same source MAC address and/or source MAC address prefix as the previously sent RS message.
Step 102a: notify the NMS of the information about the RA attacking host.
The information about the RA attacking host notified to the NMS includes at least one of the following: the MAC address of the RA attacking host; the location information of the RA attacking host; the prefix carried by the RA message sent by the RA attacking host. The information about the RA attacking host further includes at least one of the following: the user-side port and VLAN information of the RA attacking host; the access device of the RA attacking host and the user-side port information of that access device. The access device and its user-side port information may be determined from the DHCPv4 Option 82 or DHCPv6 Option 18 recorded when the RA attacking host obtained an IP address through DHCPv4 before sending the RA message, or from the PPPoE Circuit ID recorded when the RA attacking host obtained an IP address through PPP before sending the RA message.
An embodiment of the present invention further describes an RA attack prevention method. FIG. 1b is a second schematic flowchart of the implementation of another RA attack prevention method according to an embodiment of the present invention; as shown in FIG. 1b, the method includes the following steps:
Step 101b: determine the RA attacking host according to the received RA message.
The processing of step 101b is the same as that of step 101a and is not repeated here.
Step 102b: prohibit the forwarding to the network side of packets whose source IP address contains a specific prefix and of packets sent by the determined RA attacking host, and redirect those packets to the Portal server, the specific prefix being the prefix carried by the RA message sent by the RA attacking host.
After a host in the same VLAN as the RA attacking host receives the RA message sent by the RA attacking host, it generates an IP address from the prefix carried by that RA message; thus the source IP address of packets sent by a host subjected to the RA attack contains the prefix carried by the attacking host's RA message. As one implementation of step 102b, packets whose source IP address contains the prefix carried by the RA attacking host's RA message (that is, packets sent by hosts subjected to the RA attack) are intercepted, the intercepted packets are prohibited from being forwarded to the network side and are redirected to the Portal server page, and through the Portal server page the hosts subjected to the RA attack are notified that they have been attacked, together with the corresponding handling policy, which includes at least one of the following: prompting the user to set up a blocking function (for example, blocking packets from the attacking host); releasing the configured IP address; restarting the host; calling the service hotline;
according to the source MAC address of the RA message sent by the attacking host, the packets sent by the attacking host are intercepted, the intercepted packets are prohibited from being forwarded to the network side and are redirected to the Portal server page, and through the Portal server page the RA attacking host is notified of the RA attack it is carrying out, together with the corresponding handling policy, which includes at least one of the following: prompting the user to close the attacking process; scanning for and removing a Trojan or virus; calling the service hotline.
An embodiment of the present invention further describes an RA attack prevention method. FIG. 1c is a third schematic flowchart of the implementation of another RA attack prevention method according to an embodiment of the present invention; as shown in FIG. 1c, the method includes the following steps:
Step 101c: determine the RA attacking host according to the received RA message.
The processing of step 101c is the same as that of step 101a and is not repeated here.
Step 102c: instruct the access device of the RA attacking host to prohibit the RA attacking host from accessing the network.
The access device of the RA attacking host is the device that connects the RA attacking host to the network. Prohibiting the RA attacking host from accessing the network prevents it from paralysing the network by sending large numbers of RA messages. As one implementation of step 102c, the access device of the RA attacking host is instructed, via ANCP signalling or GSMP signalling, to shut down the port facing the RA attacking host, or to blacklist the attacking host's MAC address on the port facing the RA attacking host, that is, the access device discards packets to or from the RA attacking host on the port facing it.
An embodiment of the present invention further describes an RA attack prevention method. FIG. 1d is a fourth schematic flowchart of the implementation of another RA attack prevention method according to an embodiment of the present invention; as shown in FIG. 1d, the method includes the following steps:
Step 101d: determine the RA attacking host according to the received RA message.
The processing of step 101d is the same as that of step 101a and is not repeated here.
Step 102d: simulate the RA attacking host by sending a new RA message, the lifetime of the prefix carried by the new RA message being shorter than the lifetime of the prefix carried by the RA message sent by the RA attacking host.
The RA message sent by the RA attacking host includes a lifetime parameter specifying the validity period of the prefix carried by the RA message, with a value in the range 0 to 9000 seconds. As one implementation of step 102d, the RA attacking host is simulated by sending a new RA message, that is, an RA message whose source MAC address matches the MAC address of the RA attacking host, with a lifetime parameter smaller than that of the RA message sent by the RA attacking host. In this way the prefix that the RA attacking host intends the other hosts in the VLAN to configure their IP addresses from (that is, the prefix carried by the RA attacking host's RA message) expires quickly, achieving the purpose of defending against the RA attack.
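How a receiving host processes the second, shorter-lifetime RA of step 102d, as an added example written for this page (not the patent's code). It implements the Prefix Information processing rules of RFC 4862 section 5.5.3 that a standards-conforming host applies when an already-configured prefix is re-advertised: the preferred lifetime is taken as advertised, so a preferred lifetime of 0 deprecates the address at once, while an RA that is not authenticated (for example by SEND) can only lower the remaining valid lifetime to two hours, and once the remaining valid lifetime is two hours or less only an authenticated RA can lower it further. That floor is the caveat a practitioner should keep in mind about how quickly the prefix can be made to expire on the attacked hosts. All lifetimes below are constructed sample values.

```python
"""Added example: a host's RFC 4862 section 5.5.3 handling of re-advertised
prefix lifetimes, used to reason about the shorter-lifetime RA of step 102d.
Illustrative code for this page, not the patent's implementation."""

TWO_HOURS = 2 * 60 * 60  # RFC 4862 floor for unauthenticated lifetime reductions


def learn_prefix(valid_lifetime: int, preferred_lifetime: int) -> dict:
    """State a host keeps for an address it autoconfigured from a prefix
    advertised for the first time (lifetimes in seconds)."""
    return {"remaining_valid": valid_lifetime, "preferred": preferred_lifetime}


def update_prefix_lifetimes(state: dict, valid: int, preferred: int,
                            authenticated: bool = False) -> dict:
    """Apply a later RA carrying the same prefix and return the new state.

    Mirrors RFC 4862 section 5.5.3 (c) to (e):
      c) a preferred lifetime greater than the valid lifetime is ignored;
      e) the preferred lifetime is always reset to the advertised value;
      e1) a valid lifetime above two hours, or above the remaining valid
          lifetime, is taken as advertised;
      e2) if the remaining valid lifetime is already two hours or less, the
          advertised valid lifetime is ignored unless the RA is authenticated;
      e3) otherwise the remaining valid lifetime is clamped to two hours.
    """
    if preferred > valid:
        return dict(state)  # (c): malformed option, leave the address alone
    new = dict(state)
    new["preferred"] = preferred  # (e): preferred lifetime always follows the RA
    remaining = state["remaining_valid"]
    if valid > TWO_HOURS or valid > remaining:
        new["remaining_valid"] = valid  # (e1)
    elif remaining <= TWO_HOURS:
        if authenticated:
            new["remaining_valid"] = valid  # (e2), authenticated case
        # (e2), unauthenticated: ignore the advertised valid lifetime
    else:
        new["remaining_valid"] = TWO_HOURS  # (e3)
    return new


def tick(state: dict, seconds: int) -> dict:
    """Advance time: the address is deprecated once preferred reaches 0 and
    invalid once remaining_valid reaches 0."""
    return {
        "remaining_valid": max(0, state["remaining_valid"] - seconds),
        "preferred": max(0, state["preferred"] - seconds),
    }


def is_deprecated(state: dict) -> bool:
    return state["preferred"] == 0 and state["remaining_valid"] > 0


def is_invalid(state: dict) -> bool:
    return state["remaining_valid"] == 0


def counter_ra_effect(attacker_valid: int, attacker_preferred: int,
                      counter_valid: int, counter_preferred: int,
                      authenticated: bool = False) -> dict:
    """Outcome on an attacked host of the attacker's RA followed at once by
    the shorter-lifetime RA of step 102d: whether the address stops being
    used for new connections immediately, and how many seconds remain
    until it is removed entirely."""
    state = learn_prefix(attacker_valid, attacker_preferred)
    state = update_prefix_lifetimes(state, counter_valid, counter_preferred, authenticated)
    return {
        "deprecated_immediately": is_deprecated(state) or is_invalid(state),
        "seconds_until_invalid": state["remaining_valid"],
    }


if __name__ == "__main__":
    # Constructed sample: attacker advertises 86400/14400 s, defender answers 0/0.
    print(counter_ra_effect(86400, 14400, 0, 0))
```

Running the sample shows the address deprecated immediately but kept valid for another 7200 seconds, which is the bound an unauthenticated shorter-lifetime RA can achieve on a host following RFC 4862.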
It should be noted that, in the above embodiments, step 102d may be combined arbitrarily with one or more of steps 102a, 102b and 102c, and the order in which one or more of steps 102a, 102b, 102c and 102d are executed may be swapped arbitrarily. Taking as an example the case in which, after step 101 is executed, steps 102a, 102b, 102c and 102d are executed in sequence: when the RA attacking host is determined, first, the NMS is notified of the information about the RA attacking host; second, packets whose source IP address contains the specific prefix and packets sent by the RA attacking host are prohibited from being forwarded to the network side and are redirected to the Portal server, the specific prefix being the prefix carried by the RA message sent by the RA attacking host; third, the access device of the RA attacking host is instructed to prohibit the RA attacking host from accessing the network; fourth, the RA attacking host is simulated by sending a new RA message whose prefix lifetime is shorter than the lifetime of the prefix carried by the RA message sent by the RA attacking host. In this way, the processing of one or more of steps 102a, 102b, 102c and 102d effectively defends against the RA attacking host.
An embodiment of the present invention further describes a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the RA attack prevention method shown in at least one of FIG. 1a, FIG. 1b, FIG. 1c and FIG. 1d.
An embodiment of the present invention further describes an RA attack prevention device. FIG. 2 is a schematic structural diagram of the RA attack prevention device according to an embodiment of the present invention; as shown in FIG. 2, the device includes:
a determining unit 21, a first processing unit 22, a second processing unit 23, a third processing unit 24 and a fourth processing unit 25;
where the determining unit 21 is configured to determine the RA attacking host according to the received RA message and to trigger at least one of the first processing unit 22, the second processing unit 23, the third processing unit 24 and the fourth processing unit 25;
the first processing unit 22 is configured to notify the NMS of the information about the RA attacking host; the second processing unit 23 is configured to prohibit the forwarding to the network side of packets whose source IP address contains a specific prefix and of packets sent by the RA attacking host, and to redirect the packets containing the specific prefix and the packets sent by the RA attacking host to the Portal server, the specific prefix being the prefix carried by the RA message sent by the RA attacking host;
the third processing unit 24 is configured to instruct the access device of the RA attacking host to prohibit the RA attacking host from accessing the network;
the fourth processing unit 25 is configured to simulate the RA attacking host by sending a new RA message, the lifetime of the prefix carried by the new RA message being shorter than the lifetime of the prefix carried by the RA message sent by the RA attacking host.
The determining unit 21 is further configured to send an RS message through a user-side port to the hosts of the VLAN corresponding to that user-side port and to determine a host that returns an RA message to the user-side port in response to the RS message as a host carrying out an RA attack; or to determine a host that actively sends a multicast RA message towards the user-side port as a host carrying out an RA attack.
The RS message sent by the determining unit 21 through the user-side port to the hosts of the VLAN corresponding to that port carries the same source MAC address and/or source MAC address prefix as the previously sent RS message, or carries a different source MAC address and/or source MAC address prefix.
The first processing unit 22 is further configured to notify the NMS of at least one of the following: the media access control (MAC) address of the RA attacking host; the location information of the RA attacking host; the prefix carried by the RA message sent by the RA attacking host.
The first processing unit 22 is further configured to notify the NMS of at least one of the following: the user-side port of the RA attacking host; the user-side VLAN information of the RA attacking host; the access device of the RA attacking host and the user-side port information of that access device. The first processing unit 22 is further configured to determine the access device and its user-side port information from the DHCPv4 Option 82 or DHCPv6 Option 18 recorded when the RA attacking host obtained an IP address through DHCPv4 before sending the RA message, or from the PPPoE Circuit ID recorded when the RA attacking host obtained an IP address through PPP before sending the RA message.
The second processing unit 23 is further configured to, after redirecting the packets to the Portal server, notify the hosts whose source IP address contains the specific prefix that they have been subjected to an RA attack, together with the corresponding handling policy, and to notify the RA attacking host of its attack behaviour together with the corresponding handling policy. The handling policy notified by the second processing unit to the hosts whose source IP address contains the specific prefix includes at least one of the following: prompting the user to set up a blocking function; releasing the configured IP address; restarting the host; calling the service hotline. The handling policy notified by the second processing unit to the RA attacking host includes at least one of the following: prompting the user to close the attacking process; scanning for and removing a Trojan or virus; calling the service hotline.
The third processing unit 24 is further configured to instruct the access device of the RA attacking host, via ANCP signalling or General Switch Management Protocol (GSMP) signalling, to prohibit the RA attacking host from accessing the network.
In practical applications, the determining unit 21, the first processing unit 22, the second processing unit 23, the third processing unit 24 and the fourth processing unit 25 may be implemented by a central processing unit (CPU), a digital signal processor (DSP) or a field programmable gate array (FPGA) in the RA attack prevention device.
An embodiment of the present invention further describes a BNG. FIG. 3 is a schematic structural diagram of the BNG according to an embodiment of the present invention; as shown in FIG. 3, the BNG includes an RA attack prevention device, which includes a determining unit 21 and further includes a first processing unit 22, a second processing unit 23, a third processing unit 24 and a fourth processing unit 25; the function of each unit is as described above.
The embodiments of the present invention are described below taking as an example a BNG that actively probes and sends an alarm to the network management system. FIG. 4a is a first schematic diagram of a network topology for RA attack prevention according to an embodiment of the present invention. As shown in FIG. 4a, user equipment (UE) 1, UE 2 and UE 3 access BNG 1 through an access node (AN) 1; BNG 1 provides user-side port A to AN 1 for its access, and BNG 1 maintains a link to the NMS.
FIG. 4b is a fifth schematic flowchart of the implementation of RA attack prevention according to an embodiment of the present invention. Based on the network topology shown in FIG. 4a, the processing steps of RA attack prevention are as shown in FIG. 4b and include the following steps:
Step 401: BNG 1 actively sends an RS message with source MAC address MAC 1 through port A to VLAN 1.
Step 402: AN 1 forwards the received RS message to UE 1, UE 2 and UE 3 in VLAN 1.
Steps 403 to 404: UE 1 sends an RA message with destination MAC address MAC 1 to BNG 1 through AN 1.
UE 1, which sends the RA message, is a malicious UE carrying out an RA attack.
The AN forwards the RA message to the BNG according to the MAC address to port mapping it maintains.
Step 405: BNG 1 sends the MAC address of UE 1, MAC 2, carried in the received RA message, and the prefix Prefix 1 carried by the RA message, to the network management system NMS.
Through the processing of step 405, the BNG notifies the NMS that UE 1, whose MAC address is MAC 2, is carrying out an RA attack and that the prefix of the RA message it sent is Prefix 1.
Step 406: BNG 1 obtains the access device information of UE 1 and the user-side port information of the access device and sends them to the NMS.
From the received access device information and user-side port information of the access device, the NMS can locate UE 1 precisely and quickly. If UE 1 obtained its IP address through DHCP before sending the RA message, BNG 1 uses the MAC address of UE 1 to determine the DHCPv4 Option 82 or DHCPv6 Option 18 recorded when UE 1 obtained the IP address through DHCPv4 before sending the RA message; if UE 1 obtained its IP address through PPP before sending the RA message, BNG 1 uses the MAC address of UE 1 to determine the PPPoE Circuit ID information recorded when UE 1 obtained the IP address through PPP;
the access device information of UE 1 and the user-side port information of the access device are extracted from the above DHCPv4 Option 82, DHCPv6 Option 18 or PPPoE Circuit ID information.
After step 406, steps 401 to 406 are repeated, where the RS message that BNG 1 sends to VLAN 1 in step 401 uses a MAC address different from the one used when the RS message was sent the previous time, so as to pose as a different UE when sending the RS message to potential malicious UEs in VLAN 1, and the UE that sends a corresponding RA message is determined to be a malicious UE carrying out an RA attack.
By carrying out the above steps, when a UE carrying out an RA attack is present in VLAN 1, BNG 1 can determine from the received RA message the MAC address of the malicious UE and the prefix Prefix 1 of the RA message sent by the malicious UE, and notify the NMS in time; furthermore, it can also obtain in time the access device information of the malicious UE and the user-side port information of the access device and notify the NMS, so that the NMS can locate the malicious UE quickly and accurately.
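The detection and reporting of steps 101a to 102a and of the FIG. 4a/4b walk-through above, as an added example written for this page (not the patent holder's or any BNG vendor's code). It parses an ICMPv6 Router Advertisement received on a user-side port, classifies it as an answer to the BNG's own RS probe or as an unsolicited multicast RA, and assembles the report for the NMS from the RA fields plus a subscriber table standing in for what the BNG learned from DHCPv6 Option 18 at address assignment. The frame layout follows RFC 4861; the MAC addresses, the prefix, the access device name and the subscriber table are constructed sample values, and the RA checksum in the fixture is left at zero because the frame is only parsed, never transmitted.

```python
"""Added example: parse a Router Advertisement seen on a BNG user-side port
and build the NMS report of steps 101a/102a. Illustrative code written for
this page, not the patent holder's implementation; all addresses, names and
the subscriber table are constructed sample values."""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
ALL_NODES_MAC = "33:33:00:00:00:01"  # link-layer mapping of ff02::1


def parse_ra_frame(frame: bytes):
    """Return the RA fields of interest from an Ethernet frame (RFC 4861
    layout), or None when the frame is not an ICMPv6 Router Advertisement."""
    if len(frame) < 14 + 40 + 16:  # Ethernet + IPv6 + fixed RA header
        return None
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:54]
    if ip6[6] != NEXT_HEADER_ICMPV6:  # Next Header field
        return None
    icmp = frame[54:]
    if icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes = []
    off = 16  # options start after the fixed RA header
    while off + 8 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:
            break  # malformed: a zero-length option would loop forever
        opt = icmp[off:off + opt_len * 8]
        if opt_type == OPT_PREFIX_INFORMATION and len(opt) == 32:
            prefix_len = opt[2]
            valid, preferred = struct.unpack("!II", opt[4:12])
            addr = ipaddress.IPv6Address(opt[16:32])
            prefixes.append({
                "prefix": ipaddress.IPv6Network(f"{addr}/{prefix_len}", strict=False),
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        off += opt_len * 8
    return {"dst_mac": dst_mac, "src_mac": src_mac,
            "src_ip": ipaddress.IPv6Address(ip6[8:24]),
            "router_lifetime": router_lifetime, "prefixes": prefixes}


# Constructed subscriber table: what the BNG learned while the host obtained
# its address (here a DHCPv6 Option 18 interface-id naming AN and port).
SUBSCRIBERS = {
    "02:00:00:00:00:02": {"access_device": "AN 1", "access_port": "eth 0/1/3",
                          "learned_from": "DHCPv6 Option 18"},
}


def detect_ra_attack(frame: bytes, user_port: str, vlan: int, probe_mac=None):
    """Treat an RA arriving on a user-side port as an RA attack and return the
    report for the NMS, or None when the frame is not an RA. The RA is tagged
    as an answer to the BNG's own RS probe (sent from probe_mac) or as an
    unsolicited multicast RA."""
    ra = parse_ra_frame(frame)
    if ra is None:
        return None
    if probe_mac is not None and ra["dst_mac"] == probe_mac.lower():
        trigger = "answered BNG router solicitation"
    elif ra["dst_mac"] == ALL_NODES_MAC:
        trigger = "unsolicited multicast RA"
    else:
        trigger = "RA unicast to another host"
    unknown = {"access_device": None, "access_port": None, "learned_from": None}
    location = SUBSCRIBERS.get(ra["src_mac"], unknown)
    return {"trigger": trigger, "attacker_mac": ra["src_mac"], "user_port": user_port,
            "vlan": vlan, "prefixes": [str(p["prefix"]) for p in ra["prefixes"]],
            **location}


def build_ra_fixture(src_mac, dst_mac, src_ip, prefix, valid, preferred, router_lifetime=1800):
    """Construct a test frame for the parser. The ICMPv6 checksum is left at
    zero: the fixture is only parsed here, never put on a wire."""
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                      valid, preferred, 0) + net.network_address.packed
    ra = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                     router_lifetime, 0, 0) + pio
    ip6 = (struct.pack("!IHBB", 0x60000000, len(ra), NEXT_HEADER_ICMPV6, 255)
           + ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed)
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV6))
    return eth + ip6 + ra


if __name__ == "__main__":
    # Scenario in the style of FIG. 4b: BNG probed from MAC 1, UE 1 (MAC 2) answers.
    frame = build_ra_fixture("02:00:00:00:00:02", "02:00:00:00:00:01", "fe80::2",
                             "2001:db8:bad::/64", 86400, 14400)
    print(detect_ra_attack(frame, user_port="A", vlan=1, probe_mac="02:00:00:00:00:01"))
```

The option walk stops on a zero-length option rather than looping, and a source MAC missing from the subscriber table yields an NMS report with the location fields empty rather than no report at all, since the MAC, port, VLAN and prefix are still worth alerting on.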
下面以 BNG执行被动监听以及强制重定向为例进行说明, 图 5a为本 发明实施例的 RA攻击防范的网络拓朴示意图二, 如图 5a所示, UE 4、 UE 5、 UE 6通过 AN 2接入 BNG 2, BNG 2与 NMS以及 Portal服务器保持链 路连接。  The following is an example of performing passive monitoring and forced redirection of the BNG. FIG. 5a is a schematic diagram of a network topology of the RA attack defense according to the embodiment of the present invention. As shown in FIG. 5a, the UE 4, the UE 5, and the UE 6 pass the AN 2 Access BNG 2, BNG 2 maintains a link connection with the NMS and the Portal server.
图 5b为本发明实施例的 RA攻击防范的实现流程示意图六,基于图 5a 所示的网络拓朴结构, RA攻击防范的处理步骤如图 5b所示, 包括以下步 骤:  Figure 5b is a schematic flowchart of the implementation of the RA attack defense according to the embodiment of the present invention. Based on the network topology shown in Figure 5a, the processing procedure of the RA attack defense is as shown in Figure 5b, and includes the following steps:
步骤 501: UE 5主动发送组播 RA消息。  Step 501: The UE 5 actively sends a multicast RA message.
其中, 组播 RA消息的源 MAC地址为 UE 5的网卡地址 MAC 5, A 消息携带的前缀为 Prefix 2,主动发送组播 RA消息的 UE 5为进行 RA攻击 的恶意 UE。 The source MAC address of the multicast RA message is the network card address MAC 5, A of the UE 5. The prefix carried by the message is Prefix 2, and the UE 5 that actively sends the multicast RA message is a malicious UE that performs an RA attack.
步骤 502: AN 2将 UE 5广播的 RA消息在 VLAN 2内进行广播。  Step 502: The AN 2 broadcasts the RA message broadcast by the UE 5 in the VLAN 2.
VLAN 2中的 UE 4、 UE 6及 BNG 2都收到该 RA消息。  UE 4, UE 6, and BNG 2 in VLAN 2 receive the RA message.
步骤 503: BNG 2收到该 RA消息后, 生成强制重定向策略。  Step 503: After receiving the RA message, the BNG 2 generates a mandatory redirection policy.
步骤 503中, BNG 2记录 RA消息携带的前缀 Prefix 2、 RA消息中的 源 MAC地址 MAC 5, 并根据记录的 Prefix 2、 MAC 5生成重定向策略, 该 重定向策略配置为: 将根据该 Prefix 2配置 IPv6地址的 UE的报文重定向 至 Portal服务器提示页面,将源地址为 MAC 5的 UE的报文重定向至 Portal 服务器提示页面。  In step 503, the BNG 2 records the prefix prefix 2 of the RA message, the source MAC address MAC 5 in the RA message, and generates a redirection policy according to the recorded Prefix 2, MAC 5, and the redirection policy is configured as follows: 2 Redirect the packets of the UE with the IPv6 address to the Portal server prompt page, and redirect the packets from the UE with the source MAC address to the Portal server prompt page.
Step 504: UE 4 and UE 6 configure local IPv6 addresses according to Prefix 2 in the RA message.
Steps 505 to 506: UE 5 sends a Hypertext Transfer Protocol (HTTP) packet to BNG 2 through the AN.
The source MAC address of the packet is MAC 5, and the packet is forwarded by the AN to BNG 2.
Steps 507 to 508: BNG 2 redirects the packet of UE 5 to the Portal server prompt page, and the Portal server informs UE 5 of the attack it is carrying out.
In step 508, the information with which the Portal server informs UE 5 of its ongoing attack is forwarded to UE 5 through BNG 2 and AN 2 in turn.
After BNG 2 receives the packet from UE 5, it redirects the packet to the Portal server prompt page according to the redirection policy generated in step 503, informing UE 5 that it is carrying out an RA attack and of the corresponding handling policy. The handling policy includes at least one of the following: prompting the user to terminate the attacking process; scanning for and removing Trojans or viruses; calling the service hotline.
Steps 509 to 510: UE 6 sends an HTTP packet to BNG 2 through the AN.
The source IP address of the packet contains the prefix Prefix 2, and the packet is forwarded by AN 2 to BNG 2.
Steps 511 to 512: BNG 2 redirects the packet of UE 6 to the Portal server prompt page, and the Portal server informs UE 6 that UE 5 is carrying out an RA attack.
In step 512, the information with which the Portal server describes the attack being carried out by UE 5 is forwarded to UE 6 through BNG 2 and AN 2 in turn.
After BNG 2 receives the packet from UE 6, it redirects the packet to the Portal server prompt page according to the redirection policy generated in step 503, informing UE 6 that it has been subjected to gateway spoofing by UE 5; it may also announce the corresponding handling policy, which includes at least one of the following: prompting the user to configure a filtering function (for example, filtering RA messages from UE 5); releasing the IPv6 address configured by UE 6; restarting UE 6; calling the service hotline; and so on. The handling of UE 4 is the same and is not described again.
By carrying out the above steps, packets from a malicious UE in VLAN 2 can be redirected to the Portal server page, which reports the ongoing RA attack and the corresponding handling policy; moreover, when VLAN 2 contains UEs that have configured invalid IPv6 addresses from the RA message sent by the malicious UE, BNG 2 can redirect the packets sent by those UEs to the Portal server page, which reports the RA attack and the corresponding handling policy.
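As an added example, not part of the patent text, the following Python code performs the passive-monitoring and policy-generation part of steps 501 to 512 on a captured Ethernet frame: it parses an ICMPv6 Router Advertisement far enough to recover the sender's MAC address and the advertised prefix(es), derives the two redirect rules of step 503 from them, and classifies later packets as coming from the attacker, from a host that auto-configured an address out of the rogue prefix, or from unaffected traffic. All MAC addresses, the prefix 2001:db8:2::/64 standing in for Prefix 2, the upstream address and the sample frames are constructed for the example. The ICMPv6 checksum of the received RA is not verified here; a deployed listener should verify it before acting on the message.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_RA = 134           # Router Advertisement (RFC 4861 §4.2)
ND_OPT_PREFIX_INFO = 3    # Prefix Information option (RFC 4861 §4.6.2)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


@dataclass
class RouterAdvert:
    src_mac: str
    src_ip: ipaddress.IPv6Address
    router_lifetime: int
    prefixes: List[ipaddress.IPv6Network] = field(default_factory=list)


def parse_ra(frame: bytes) -> Optional[RouterAdvert]:
    """Return the RA carried by an Ethernet frame, or None if the frame is not a usable RA.
    The ICMPv6 checksum is not verified here; a production listener should verify it."""
    if len(frame) < 70 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    ip = frame[14:54]
    # Hosts discard ND messages whose hop limit is not 255 (RFC 4861 §6.1.2); only those can do harm.
    if ip[0] >> 4 != 6 or ip[6] != IPPROTO_ICMPV6 or ip[7] != 255:
        return None
    icmp = frame[54:54 + struct.unpack("!H", ip[4:6])[0]]
    if len(icmp) < 16 or icmp[0] != ICMPV6_RA:
        return None
    ra = RouterAdvert(_mac(frame[6:12]), ipaddress.IPv6Address(ip[8:24]),
                      struct.unpack("!H", icmp[6:8])[0])
    off = 16
    while off + 2 <= len(icmp):              # TLV options, length in 8-octet units
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:                        # zero length is invalid (RFC 4861 §4.6): stop parsing
            break
        opt = icmp[off:off + olen * 8]
        if otype == ND_OPT_PREFIX_INFO and len(opt) == 32:
            ra.prefixes.append(ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False))
        off += olen * 8
    return ra


@dataclass
class RedirectPolicy:
    """Step 503: the RA sender's MAC and the advertised prefix(es) become the redirect rules."""
    attacker_mac: str
    rogue_prefixes: List[ipaddress.IPv6Network]

    @classmethod
    def from_ra(cls, ra: RouterAdvert) -> "RedirectPolicy":
        return cls(ra.src_mac, list(ra.prefixes))

    def decide(self, frame: bytes) -> str:
        """'attacker': redirect as the RA sender; 'victim': redirect as a host that configured an
        address from the rogue prefix; 'forward': unaffected traffic."""
        if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
            return "forward"
        if _mac(frame[6:12]) == self.attacker_mac:
            return "attacker"
        src = ipaddress.IPv6Address(frame[22:38])
        return "victim" if any(src in p for p in self.rogue_prefixes) else "forward"


def build_ipv6_frame(src_mac: bytes, dst_mac: bytes, src_ip, dst_ip, next_hdr: int, payload: bytes) -> bytes:
    ip_hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 255) + src_ip.packed + dst_ip.packed
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IPV6) + ip_hdr + payload


# Constructed sample traffic for VLAN 2; MACs, addresses and "Prefix 2" are made up for the example.
MAC4, MAC5, MAC6, BNG_MAC = (bytes.fromhex(f"0200000000{i:02x}") for i in (4, 5, 6, 0xBB))
ALL_NODES_MAC, ALL_NODES = bytes.fromhex("333300000001"), ipaddress.IPv6Address("ff02::1")
PREFIX_2 = ipaddress.IPv6Network("2001:db8:2::/64")
UPSTREAM = ipaddress.IPv6Address("2001:db8:ffff::80")
ROGUE_RA_FRAME = build_ipv6_frame(
    MAC5, ALL_NODES_MAC, ipaddress.IPv6Address("fe80::5"), ALL_NODES, IPPROTO_ICMPV6,
    # RA header (checksum left 0 in this sample) + one PIO: /64, L|A flags, valid 9000 s, preferred 9000 s
    struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    + struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, 64, 0xC0, 9000, 9000, 0) + PREFIX_2.network_address.packed)


def demo() -> Dict[str, str]:
    """Steps 503 to 512 on the sample frames: build the policy from the rogue RA, then classify traffic."""
    policy = RedirectPolicy.from_ra(parse_ra(ROGUE_RA_FRAME))
    l4 = b"GET / HTTP/1.1\r\n"   # placeholder payload; decide() does not look above layer 3
    ip6 = ipaddress.IPv6Address
    samples = {
        "attacker": build_ipv6_frame(MAC5, BNG_MAC, ip6("2001:db8:2::5"), UPSTREAM, 6, l4),  # UE 5
        "victim": build_ipv6_frame(MAC6, BNG_MAC, ip6("2001:db8:2::6"), UPSTREAM, 6, l4),    # UE 6, Prefix 2
        "clean": build_ipv6_frame(MAC4, BNG_MAC, ip6("2001:db8:1::4"), UPSTREAM, 6, l4),     # legitimate prefix
    }
    return {name: policy.decide(f) for name, f in samples.items()}
```

The prefix rule matters even after the attacker goes quiet: hosts that already auto-configured from Prefix 2 keep using those addresses until the prefix expires, and only the prefix match brings them to the Portal page.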
The following takes linkage between the BNG and the AN device as an example. FIG. 6a is the third schematic diagram of a network topology for RA attack prevention according to an embodiment of the present invention. As shown in FIG. 6a, UE 7 accesses BNG 3 through AN 3, and AN 3 provides access to UE 7 through port B.
FIG. 6b is the seventh schematic flowchart of an implementation of RA attack prevention according to an embodiment of the present invention. Based on the network topology shown in FIG. 6a, the processing steps of RA attack prevention are as shown in FIG. 6b and include the following steps:
Steps 601 to 602: UE 7 sends RA messages to BNG 3 through AN 3.
The RA messages include unicast RA messages and multicast RA messages, and the source MAC address they carry is MAC 7, the MAC address of UE 7; UE 7, which sends the RA messages, is determined to be a malicious UE. The multicast RA messages are sent by UE 7 of its own accord; the unicast RA message is the one received from UE 7 after BNG 3 has sent an RS message to the UEs in the VLAN.
Step 603: BNG 3 determines from the received RA messages that the access device through which UE 7 accesses the network is AN 3, and that the access port AN 3 provides to UE 7 is port B.
Using the MAC address of UE 7, BNG 3 determines the DHCPv4 Option 82 or DHCPv6 Option 18 information recorded when UE 7 obtained an IP address through DHCP before sending the RA messages; or, using the MAC address of UE 7, BNG 3 determines the PPPoE Circuit ID information recorded when UE 7 obtained an IP address through PPP before sending the RA messages;
From the information obtained above, BNG 3 extracts the access device AN 3 corresponding to UE 7 and the user-side port of AN 3 that serves UE 7 (port B).
Step 604: BNG 3 sends AN 3 an instruction directing AN 3 to shut down port B or to blacklist MAC 7 on port B.
Blacklisting MAC 7 on port B means that packets to or from MAC 7 passing through port B are discarded.
The control instructions between BNG 3 and AN 3 may be encapsulated in ANCP or GSMP.
Steps 605 to 606: AN 3 shuts down port B or blacklists MAC 7 on port B, and reports to BNG 3 that the control instruction has been executed.
By carrying out the above steps, when an RA message is determined to have been received from a UE (that is, the UE is determined to be a malicious UE), the AN that provides access to the malicious UE and the access port of that AN are determined from the RA message sent by the malicious UE, and the AN is instructed to shut down the access port it provides or to blacklist the MAC address of the malicious UE on that port. This prevents the malicious UE from continuing the RA attack and paralysing the network.
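Added example, not from the patent: the lookup behind step 603 in Python. The BNG's binding table is keyed by the subscriber MAC and stores the relay-agent option captured when the host obtained its lease: a complete DHCPv4 option 82 (RFC 3046, with the Agent Circuit ID and Agent Remote ID sub-options) or a complete DHCPv6 option 18 Interface-Id (RFC 8415). The circuit-id text syntax "<Access-Node-Identifier> eth <slot>/<port>[:<vlan>]" follows the TR-101 convention and is an assumption here, as are the MAC addresses and the entry values; "AN3 eth 1/2:200" stands in for AN 3's port B. One caveat the page does not spell out: the lookup is only as trustworthy as the AN's insertion of the option. The AN must strip or overwrite any option 82 or Interface-Id the subscriber supplies itself, otherwise the attacker chooses which port the BNG shuts down.

```python
import re
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DHCP4_OPT_RELAY_AGENT_INFO = 82   # RFC 3046
DHCP4_SUBOPT_CIRCUIT_ID = 1
DHCP4_SUBOPT_REMOTE_ID = 2
DHCP6_OPT_INTERFACE_ID = 18       # RFC 8415 §21.18


@dataclass(frozen=True)
class AccessLocation:
    access_node: str            # AN identifier
    port: str                   # "slot/port" on that AN
    vlan: Optional[int]         # customer VLAN, if the AN encodes one


# Assumed circuit-id syntax, as in TR-101: "<Access-Node-Identifier> eth <slot>/<port>[:<vlan>]".
_CIRCUIT_ID_RE = re.compile(r"^(?P<an>\S+) eth (?P<port>\d+/\d+)(?::(?P<vlan>\d+))?$")


def parse_circuit_id(text: str) -> Optional[AccessLocation]:
    m = _CIRCUIT_ID_RE.match(text.strip())
    if not m:
        return None
    return AccessLocation(m["an"], m["port"], int(m["vlan"]) if m["vlan"] else None)


def parse_dhcp4_option82(opt: bytes) -> Dict[int, bytes]:
    """Split a complete DHCPv4 option 82 (code, len, sub-options) into {sub-option code: value}."""
    if len(opt) < 2 or opt[0] != DHCP4_OPT_RELAY_AGENT_INFO:
        raise ValueError("not a DHCPv4 option 82")
    body = opt[2:2 + opt[1]]
    if len(body) != opt[1]:
        raise ValueError("truncated option 82")
    subs, off = {}, 0
    while off < len(body):
        if off + 2 > len(body) or off + 2 + body[off + 1] > len(body):
            raise ValueError("truncated sub-option")
        subs[body[off]] = body[off + 2:off + 2 + body[off + 1]]
        off += 2 + body[off + 1]
    return subs


def parse_dhcp6_interface_id(opt: bytes) -> bytes:
    """Return the interface-id of a complete DHCPv6 option 18 (2-byte code, 2-byte len, data)."""
    if len(opt) < 4:
        raise ValueError("short DHCPv6 option")
    code, length = struct.unpack("!HH", opt[:4])
    if code != DHCP6_OPT_INTERFACE_ID or len(opt) < 4 + length:
        raise ValueError("not a complete DHCPv6 option 18")
    return opt[4:4 + length]


Binding = Tuple[str, bytes]     # ("dhcpv4" | "dhcpv6", raw relay-agent option captured at lease time)


def locate_host(mac: str, bindings: Dict[str, Binding]) -> Optional[AccessLocation]:
    """Step 603: from the attacker's MAC, recover the AN and AN port recorded when it got its lease."""
    entry = bindings.get(mac.lower())
    if entry is None:
        return None
    family, raw = entry
    if family == "dhcpv4":
        circuit = parse_dhcp4_option82(raw).get(DHCP4_SUBOPT_CIRCUIT_ID)
    elif family == "dhcpv6":
        circuit = parse_dhcp6_interface_id(raw)
    else:
        return None
    return parse_circuit_id(circuit.decode("ascii", "replace")) if circuit else None


# Constructed binding table for FIG. 6a. "AN3 eth 1/2:200" stands in for AN 3's port B in the text.
def _opt82(circuit_id: bytes, remote_id: bytes) -> bytes:
    body = bytes([DHCP4_SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id \
        + bytes([DHCP4_SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return bytes([DHCP4_OPT_RELAY_AGENT_INFO, len(body)]) + body


def _opt18(interface_id: bytes) -> bytes:
    return struct.pack("!HH", DHCP6_OPT_INTERFACE_ID, len(interface_id)) + interface_id


BINDINGS: Dict[str, Binding] = {
    "02:00:00:00:00:07": ("dhcpv6", _opt18(b"AN3 eth 1/2:200")),                  # UE 7, the RA sender
    "02:00:00:00:00:0a": ("dhcpv4", _opt82(b"AN3 eth 1/3:201", b"cust-0010")),   # another subscriber
    "02:00:00:00:00:0b": ("dhcpv4", _opt82(b"garbage", b"")),                     # unparseable circuit-id
}
```

A binding whose circuit-id does not parse yields None rather than a guessed port, so the BNG falls back to the other actions (redirect, NMS alarm) instead of shutting down the wrong port.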
The following takes a BNG performing a counter operation as an example. FIG. 7a is the fourth schematic diagram of a network topology for RA attack prevention according to an embodiment of the present invention. As shown in FIG. 7a, UE 8, UE 9 and UE 10 access BNG 4 through AN 4.
FIG. 7b is the eighth schematic flowchart of an implementation of RA attack prevention according to an embodiment of the present invention. Based on the network topology shown in FIG. 7a, the processing steps of RA attack prevention are as shown in FIG. 7b and include:
Steps 701 to 702: UE 9 sends RA messages to BNG 4 through AN 4.
The RA messages include unicast RA messages and multicast RA messages, and the source MAC address of the RA messages is MAC 9, the MAC address of UE 9;
The multicast RA messages are sent by UE 9 of its own accord; the unicast RA message is the one received from UE 9 after BNG 4 has sent an RS message to the UEs in the VLAN.
Step 703: BNG 4 assembles a new multicast RA message from the received RA message. Its priority is higher than that of the received RA message, the lifetime parameter it carries is shorter than the lifetime in the received RA message, and the prefix information it carries is the same as the prefix information carried by the received RA message.
Steps 704 to 705: BNG 4 sends the newly assembled multicast RA message through AN 4 into VLAN 4, where UE 9 is located.
Step 706: UE 8, UE 9 and UE 10 in VLAN 4 configure IPv6 addresses according to the RA message assembled in step 703.
Because the RA message assembled by BNG 4 in step 703 has the higher priority, the UEs in VLAN 4 configure their IPv6 addresses according to that higher-priority RA message; and because the lifetime in the higher-priority RA message (set to 100 seconds) is shorter than the lifetime in the RA message received in step 701 (set to 9000 seconds), the IPv6 prefix lifetime maintained locally by the other UEs in VLAN 4 (UE 8 and UE 10) is small, and they will configure new IPv6 addresses once that lifetime expires.
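Added example, not from the patent: the counter RA of step 703 built in Python, together with the rule a standards-compliant host applies when it receives it. The counter RA copies the rogue prefix, sets the Default Router Preference (RFC 4191) to high, which is how "priority" is read here (an assumption; the patent only says priority), shortens the Router Lifetime and the prefix Valid and Preferred Lifetimes to 100 s, and carries a correct ICMPv6 checksum over the IPv6 pseudo-header. The source address fe80::9 for UE 9, the prefix 2001:db8:4::/64 and the 9000 s rogue lifetimes are made up for the example. Two caveats the page does not state, both from the RFCs: an unauthenticated RA cannot lower a host's stored Valid Lifetime below two hours while more than two hours remain (RFC 4862 §5.5.3(e)), so the 100 s value takes effect on the Preferred Lifetime only, deprecating the address rather than invalidating it; and if the rogue RA already carries Prf=high there is no higher preference to advertise, which the code reports instead of sending an equal-preference RA.

```python
import ipaddress
import struct
from dataclasses import dataclass

ICMPV6_RA = 134
ND_OPT_PREFIX_INFO = 3
IPPROTO_ICMPV6 = 58
PRF_HIGH, PRF_MEDIUM, PRF_LOW = 0b01, 0b00, 0b11   # Default Router Preference (RFC 4191 §2.2)
TWO_HOURS = 7200


@dataclass
class RaParams:
    prefix: ipaddress.IPv6Network
    router_lifetime: int        # seconds; 0 means "not a default router"
    valid_lifetime: int         # PIO Valid Lifetime, seconds
    preferred_lifetime: int     # PIO Preferred Lifetime, seconds
    prf: int = PRF_MEDIUM


def icmpv6_checksum(src, dst, icmp: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header and the ICMPv6 message (RFC 8200 §8.1)."""
    data = src.packed + dst.packed + struct.pack("!IxxxB", len(icmp), IPPROTO_ICMPV6) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ra(src, dst, p: RaParams) -> bytes:
    """Serialise an RA with one Prefix Information option, checksum filled in."""
    flags = (p.prf & 0b11) << 3                       # Prf occupies bits 4-3 of the RA flags octet
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, p.router_lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, p.prefix.prefixlen, 0xC0,   # L=1, A=1
                      p.valid_lifetime, p.preferred_lifetime, 0) + p.prefix.network_address.packed
    msg = hdr + pio
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def counter_ra(rogue: RaParams, lifetime: int = 100) -> RaParams:
    """Step 703: same prefix as the rogue RA, higher preference, shorter lifetimes.
    Router Lifetime 0 would remove the rogue default router outright (RFC 4861 §6.3.4)."""
    if rogue.prf == PRF_HIGH:
        raise ValueError("rogue RA already uses Prf=high; no higher preference exists")
    return RaParams(rogue.prefix, min(lifetime, rogue.router_lifetime),
                    min(lifetime, rogue.valid_lifetime), min(lifetime, rogue.preferred_lifetime), PRF_HIGH)


def host_lifetimes_after(remaining_valid: int, advertised_valid: int, advertised_preferred: int):
    """What a host stores for an existing SLAAC address after an *unauthenticated* RA
    (RFC 4862 §5.5.3(e)): the preferred lifetime is always taken; the valid lifetime has a 2-hour floor."""
    if advertised_valid > TWO_HOURS or advertised_valid > remaining_valid:
        valid = advertised_valid
    elif remaining_valid <= TWO_HOURS:
        valid = remaining_valid          # PIO ignored with regard to the valid lifetime
    else:
        valid = TWO_HOURS
    return valid, advertised_preferred


# Constructed scenario for FIG. 7a: UE 9 (made-up link-local fe80::9) advertises 2001:db8:4::/64.
ATTACKER_LL = ipaddress.IPv6Address("fe80::9")
ALL_NODES = ipaddress.IPv6Address("ff02::1")
ROGUE_RA = RaParams(ipaddress.IPv6Network("2001:db8:4::/64"), 9000, 9000, 9000, PRF_MEDIUM)


def demo() -> dict:
    counter = counter_ra(ROGUE_RA)
    # Sourced as UE 9 so that hosts update the default-router and prefix entries they hold for UE 9.
    frame = build_ra(ATTACKER_LL, ALL_NODES, counter)
    return {
        "counter_prf": (frame[5] >> 3) & 0b11,
        "counter_router_lifetime": int.from_bytes(frame[6:8], "big"),
        "checksum_ok": icmpv6_checksum(ATTACKER_LL, ALL_NODES, frame) == 0,
        # UE 8 / UE 10 had 9000 s remaining: preferred drops to 100 s, valid only to the 2-hour floor.
        "host_lifetimes": host_lifetimes_after(9000, counter.valid_lifetime, counter.preferred_lifetime),
    }
```

The 2-hour floor exists precisely to blunt spoofed RAs, so a BNG counter-RA gets the same treatment as the attack it answers; deprecating the prefix (Preferred Lifetime 0) and withdrawing the default router (Router Lifetime 0) are the parts of the counter that take effect immediately.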
By carrying out the above steps, when a UE carrying out an RA attack is detected, a new multicast RA message is sent in the guise of the malicious UE, so that the lifetime of the IPv6 prefix the malicious UE wants the other UEs to configure becomes short. For example, if the lifetime of the prefix information in the new multicast RA message is 100 s, that prefix information expires quickly; the UEs are thereby kept from holding the IPv6 address prefix the malicious UE wants them to configure, the malicious UE cannot intercept the other UEs' traffic, and network security is ensured.
Those skilled in the art will appreciate that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are merely preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art can make various improvements and refinements without departing from the principles of the present invention, and such improvements and refinements should also be regarded as falling within the scope of protection of the present invention.

Claims

1. A router advertisement (RA) attack prevention method, the method comprising:
determining an RA attacking host according to a received RA message;
performing at least one of the following operations:
notifying a network management system (NMS) of information about the RA attacking host;
prohibiting packets whose source Internet Protocol (IP) address contains a specific prefix, and packets sent by the RA attacking host, from being forwarded to the network side, and redirecting the packets containing the specific prefix and the packets sent by the RA attacking host to a Portal server, wherein the specific prefix is the prefix carried in the RA message sent by the RA attacking host;
instructing the access device of the RA attacking host to prohibit the RA attacking host from accessing the network;
sending a new RA message in the guise of the RA attacking host, wherein the lifetime of the prefix carried by the new RA message is shorter than the lifetime of the prefix carried by the RA message sent by the RA attacking host.
2. The method according to claim 1, wherein determining the RA attacking host according to the received RA message comprises:
sending a router solicitation (RS) message through a user-side port to the hosts of the virtual local area network (VLAN) corresponding to the user-side port, and determining a host that returns an RA message to the user-side port in response to the RS message as a host carrying out an RA attack; or,
determining a host that actively sends a multicast RA message to the user-side port as a host carrying out an RA attack.
3. The method according to claim 2, wherein the RS message sent carries the same source media access control (MAC) address and/or source MAC address prefix as the previously sent RS message, or carries a different source MAC address and/or source MAC address prefix.
4. The method according to claim 1, wherein
the information about the RA attacking host comprises at least one of the following: the MAC address of the RA attacking host; the location information of the RA attacking host; the prefix carried in the RA message sent by the RA attacking host.
5. The method according to claim 1, wherein the information about the RA attacking host comprises at least one of the following: the user-side port information of the RA attacking host; the user-side VLAN information of the RA attacking host; the access device of the RA attacking host and the user-side port information of the access device.
6. The method according to claim 5, wherein before notifying the NMS of the access device of the RA attacking host and the user-side port information of the access device, the method further comprises:
determining the access device of the RA attacking host and the user-side port information of the access device according to the Dynamic Host Configuration Protocol version 4 (DHCPv4) Option 82 or the Dynamic Host Configuration Protocol version 6 (DHCPv6) Option 18 recorded when the RA attacking host obtained an IP address through DHCP before sending the RA message; or,
determining the access device of the RA attacking host and the user-side port information of the access device according to the Point-to-Point Protocol over Ethernet (PPPoE) Circuit ID recorded when the RA attacking host obtained an IP address through the Point-to-Point Protocol (PPP) before sending the RA message.
7. The method according to claim 1, wherein after redirecting the packets to the Portal server, the method further comprises: notifying the hosts that send packets whose source IP address contains the specific prefix that they are under RA attack, together with the corresponding handling policy, and notifying the RA attacking host of its attacking behaviour, together with the corresponding handling policy.
8. The method according to claim 1, wherein
the corresponding handling policy notified to the hosts that send packets whose source IP address contains the specific prefix comprises at least one of the following: prompting the user to configure a filtering function; releasing the configured IP address; restarting the host; calling the service hotline;
the corresponding handling policy notified to the RA attacking host comprises at least one of the following: prompting the user to terminate the attacking process; scanning for and removing Trojans or viruses; calling the service hotline.
9. The method according to any one of claims 1 to 8, wherein instructing the access device of the RA attacking host to prohibit the RA attacking host from accessing the network comprises:
instructing the access device of the RA attacking host, through Access Node Control Protocol (ANCP) signalling or General Switch Management Protocol (GSMP) signalling, to prohibit the RA attacking host from accessing the network.
10. A router advertisement (RA) attack prevention device, the device comprising: a determining unit, a first processing unit, a second processing unit, a third processing unit and a fourth processing unit; wherein
the determining unit is configured to determine an RA attacking host according to a received RA message and to trigger at least one of the first processing unit, the second processing unit, the third processing unit and the fourth processing unit;
the first processing unit is configured to notify a network management system (NMS) of information about the RA attacking host;
the second processing unit is configured to prohibit packets whose source Internet Protocol (IP) address contains a specific prefix, and packets sent by the determined RA attacking host, from being forwarded to the network side, and to redirect the packets containing the specific prefix and the packets sent by the determined RA attacking host to a Portal server, wherein the specific prefix is the prefix carried in the RA message sent by the RA attacking host;
the third processing unit is configured to instruct the access device of the RA attacking host to prohibit the RA attacking host from accessing the network;
the fourth processing unit is configured to send a new RA message in the guise of the RA attacking host, wherein the lifetime of the prefix carried by the new RA message is shorter than the lifetime of the prefix carried by the RA message sent by the RA attacking host.
11. The device according to claim 10, wherein
the determining unit is further configured to send an RS message through a user-side port to the hosts of the virtual local area network (VLAN) corresponding to the user-side port, and to determine a host that returns an RA message to the user-side port in response to the RS message as a host carrying out an RA attack; or,
to determine a host that actively sends a multicast RA message to the user-side port as a host carrying out an RA attack.
12. The device according to claim 11, wherein the RS message sent carries the same source media access control (MAC) address and/or source MAC address prefix as the previously sent RS message, or carries a different source MAC address and/or source MAC address prefix.
13. The device according to claim 10, wherein
the first processing unit is further configured to notify the NMS of at least one of the following: the media access control (MAC) address of the RA attacking host; the location information of the RA attacking host; the prefix carried in the RA message sent by the RA attacking host.
14. The device according to claim 10, wherein
the first processing unit is further configured to notify the NMS of at least one of the following: the user-side port information of the RA attacking host; the user-side VLAN information of the RA attacking host; the access device of the RA attacking host and the user-side port information of the access device.
15. The device according to claim 14, wherein
the first processing unit is further configured to determine the access device and the user-side port information of the access device according to the Dynamic Host Configuration Protocol version 4 (DHCPv4) Option 82 or the Dynamic Host Configuration Protocol version 6 (DHCPv6) Option 18 recorded when the RA attacking host obtained an IP address through DHCP before sending the RA message; or,
to determine the access device and the user-side port information of the access device according to the Point-to-Point Protocol over Ethernet (PPPoE) Circuit ID recorded when the RA attacking host obtained an IP address through the Point-to-Point Protocol (PPP) before sending the RA message.
16. The device according to claim 10, wherein
the second processing unit is further configured, after redirecting the packets to the Portal server, to notify the hosts that send packets whose source IP address contains the specific prefix that they are under RA attack, together with the corresponding handling policy, and to notify the RA attacking host of its attacking behaviour, together with the corresponding handling policy.
17. The device according to claim 10, wherein
the corresponding handling policy that the second processing unit notifies to the hosts that send packets whose source IP address contains the specific prefix comprises at least one of the following:
prompting the user to configure a filtering function; releasing the configured IP address; restarting the host; calling the service hotline;
the corresponding handling policy that the second processing unit notifies to the RA attacking host comprises at least one of the following:
prompting the user to terminate the attacking process; scanning for and removing Trojans or viruses; calling the service hotline.
18. The device according to any one of claims 10 to 17, wherein
the third processing unit is further configured to instruct the access device of the RA attacking host, through Access Node Control Protocol (ANCP) signalling or General Switch Management Protocol (GSMP) signalling, to prohibit the RA attacking host from accessing the network.
19. A broadband network gateway (BNG), the BNG comprising the RA attack prevention device according to any one of claims 10 to 18.
20. A computer storage medium storing computer-executable instructions, the computer-executable instructions being used to perform the router advertisement (RA) attack prevention method according to any one of claims 1 to 9.
PCT/CN2014/077811 2013-08-20 2014-05-19 Router advertisement attack prevention method, device, equipment and computer storage medium WO2014173343A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310364782.2A CN104426839A (en) 2013-08-20 2013-08-20 Router advertisement attack prevention method, apparatus and device
CN201310364782.2 2013-08-20

Publications (1)

Publication Number Publication Date
WO2014173343A1 true WO2014173343A1 (en) 2014-10-30

Family

ID=51791073

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/077811 WO2014173343A1 (en) 2013-08-20 2014-05-19 Router advertisement attack prevention method, device, equipment and computer storage medium

Country Status (2)

Country Link
CN (1) CN104426839A (en)
WO (1) WO2014173343A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107370680A (en) * 2016-05-12 2017-11-21 中兴通讯股份有限公司 A kind of multicast routing entry control method, device and communication system
CN109472139B (en) * 2017-12-25 2022-04-19 北京安天网络安全技术有限公司 Method and system for preventing Lesox virus from secondarily encrypting host document
CN111431913B (en) * 2020-03-30 2022-06-21 中国人民解放军战略支援部队信息工程大学 Router advertisement protection mechanism existence detection method and device
CN112367257B (en) * 2020-10-30 2022-10-21 新华三技术有限公司 Route notification method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1499396A * 2002-10-24 2004-05-26 Method and device for maintaining internet field names data
CN101651696A (en) * 2009-09-17 2010-02-17 杭州华三通信技术有限公司 Method and device for preventing neighbor discovery (ND) attack
CN101690082A (en) * 2007-06-06 2010-03-31 思科技术公司 Secure neighbor discovery router for defending host nodes from rogue routers
CN102244651A (en) * 2010-05-14 2011-11-16 杭州华三通信技术有限公司 Method for preventing attack of illegal neighbor discovery protocol message and access equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5517733B2 (en) * 2010-05-12 2014-06-11 株式会社日立ソリューションズ Content distribution system, gateway device, and program


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZHANG, HONG ET AL.: "Detection of RA Spoofing Attack Based on IPv6", COMPUTER ENGINEERING, vol. 37, no. S1, 31 December 2011 (2011-12-31), pages 156 - 159 *

Also Published As

Publication number Publication date
CN104426839A (en) 2015-03-18


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14787773

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14787773

Country of ref document: EP

Kind code of ref document: A1