WO2022141243A1 - Method and apparatus for preventing ARP attack, and system - Google Patents

Info

Publication number
WO2022141243A1
Authority
WO
WIPO (PCT)
Prior art keywords
arp
mapping relationship
vehicle
terminal
relationship table
Prior art date
Application number
PCT/CN2020/141602
Other languages
French (fr)
Chinese (zh)
Inventor
黄俊瑞
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority application: PCT/CN2020/141602
Related application: CN202080004589.6A (published as CN112789840A)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/255 Maintenance or indexing of mapping tables
    • H04L 61/50 Address allocation
    • H04L 61/5007 Internet protocol [IP] addresses
    • H04L 61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Definitions

  • the present application relates to the field of communications, and in particular, to a method, device and system for preventing ARP attacks.
  • ARP Address Resolution Protocol
  • in the in-vehicle environment, the attacker generally uses a cracked vehicle WIFI (Wireless Fidelity) password to enter the vehicle network and perform ARP spoofing against a terminal device. After the attack succeeds, the gateway entry in the victim's ARP mapping table has been changed to the attacker's MAC address, so the victim's data stream is sent to the attacker, who can then hijack the traffic to obtain sensitive information.
  • WIFI: Wireless Fidelity
  • the embodiments of the present application provide a method, device, and system for preventing ARP attacks.
  • the in-vehicle controller of the in-vehicle network acquires the MAC addresses and IP addresses of all access terminals in the in-vehicle network and generates an ARP mapping relationship table from them. The ARP mapping relationship table includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the in-vehicle network, and the in-vehicle controller sends it to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the ARP mapping relationship table issued by the in-vehicle controller, thereby effectively preventing ARP attacks in the in-vehicle network and ensuring the reliability of data communication.
  • an embodiment of the present application provides a method for preventing ARP attacks, used in an in-vehicle controller of an in-vehicle network, including: acquiring the MAC addresses and IP addresses of all access terminals in the in-vehicle network; generating an ARP mapping relationship table that includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the in-vehicle network; and sending the ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal performs data communication according to the ARP mapping relationship table.
  • because the access terminal accepts only the ARP mapping relationship table issued by the in-vehicle controller and uses that table for data communication, the ARP mapping relationship tables of all access terminals in the in-vehicle network are maintained by the in-vehicle controller, which ensures the reliability of data communication between the access terminal and other access terminals.
  • the sending the ARP mapping relationship table to all access terminals in the vehicle network includes:
  • the ARP mapping relationship table is sent to the receiving systems of all access terminals in the in-vehicle network through the issuing system of the in-vehicle controller.
  • the in-vehicle controller sends the ARP mapping relationship table through its delivery system and the access terminal receives it through its receiving system, which effectively prevents ARP attacks on the path over which the ARP mapping relationship table is transmitted in the in-vehicle network.
  • the sending system is a first application (APP)
  • the receiving system is a second APP
  • the first APP and the second APP are the same.
  • both the in-vehicle controller and the access terminal use the same APP (for example, a third-party smartphone application) to process the ARP mapping relationship table, which provides a further way of implementing ARP attack prevention.
  • the acquiring the MAC addresses and IP addresses of all access terminals in the in-vehicle network includes:
  • the MAC address and IP address of the first terminal are obtained by using the dynamic host configuration protocol DHCP, where the first terminal is used to represent any access terminal in the vehicle network.
  • the in-vehicle controller can obtain the MAC addresses and IP addresses of all access terminals in the in-vehicle network via DHCP, which makes it easy for the in-vehicle controller both to manage the IP addresses of the access terminals and to maintain the ARP mapping relationship table of all access terminals in the in-vehicle network.
  • the obtaining the MAC address and IP address of the first terminal by using DHCP includes:
  • a DHCP address request message sent by the first terminal is received, where the address request message includes the MAC address of the first terminal; and a DHCP address reply message is sent to the first terminal, where the address reply message includes the IP address of the first terminal.
  • the vehicle-mounted controller may provide the DHCP server function.
  • the vehicle-mounted controller includes a gateway, and the gateway may specifically implement the DHCP server function.
  • the DHCP server function refers to the assignment and management of IP addresses of all access terminals in the vehicle network.
  • it also includes:
  • it is detected that a specified update condition for the ARP mapping relationship table is met, and the ARP mapping relationship table is updated to obtain the updated ARP mapping relationship table
  • the updated ARP mapping relationship table is sent to all access terminals in the vehicle-mounted network, so that any access terminal in the vehicle-mounted network performs data communication according to the updated ARP mapping relationship table.
  • when a specified update condition is met (for example, the ARP mapping relationship table changes), the vehicle controller actively updates the table and issues the updated ARP mapping relationship table. In this way, any access terminal in the in-vehicle network stops using the ARP mapping relationship table from before the update and uses the updated table for data communication, which ensures the accuracy of data communication.
  • when the updated ARP mapping relationship table is sent to all access terminals in the vehicle network, it may be sent through the delivery system of the vehicle controller.
  • the specified update condition includes: a second terminal accesses the in-vehicle network, where the second terminal represents any terminal that was not previously connected to the in-vehicle network;
  • the updating of the ARP mapping relationship table to obtain the updated ARP mapping relationship table includes:
  • the mapping relationship between the MAC address and the IP address of the second terminal is added to the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
  • when a terminal newly accesses the in-vehicle network, the in-vehicle controller updates the ARP mapping relationship table and issues the updated table, so that the access terminals already in the in-vehicle network can perform data communication with the newly connected terminal, which improves communication efficiency.
  • the specified update condition includes: a third terminal disconnects from the in-vehicle network, where the third terminal represents any terminal that has accessed the in-vehicle network;
  • the updating of the ARP mapping relationship table to obtain the updated ARP mapping relationship table includes:
  • the mapping relationship between the MAC address and the IP address of the third terminal is deleted from the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
  • when a terminal disconnects from the in-vehicle network, the in-vehicle controller updates the ARP mapping relationship table and issues the updated table, so that the access terminals in the in-vehicle network no longer perform data communication with the disconnected terminal, which avoids data loss.
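The controller-side procedure above (learn each terminal's MAC and IP from the DHCP exchange, generate the table, issue it, re-issue it when a terminal joins or leaves) and the terminal-side counterpart (accept only the controller's table and resolve addresses from it) as one worked example in Python. This is an added example, not the patent's code or Huawei's implementation. The patent does not say how the receiving system distinguishes a table issued by the in-vehicle controller from one pushed by another station on the same WIFI, which is the same weakness the background section describes for an ARP server; the example therefore assumes a pre-shared key known to both sides, an HMAC-SHA256 tag over the serialized table, and a monotonically increasing version number so that an older table cannot be replayed. The `VehicleController`, `AccessTerminal` and `SHARED_KEY` names, the JSON message format, the `ip neigh` command generation and all addresses are this example's own.

```python
"""Added example (not the patent's code): the in-vehicle controller learns
MAC/IP pairs from the DHCP exchange, maintains a versioned ARP mapping
relationship table, and issues it signed; the access terminal accepts only
a table that verifies under the controller's key and is newer than the one
it holds. The key, message format and addresses are this example's own."""
import hashlib
import hmac
import json

# Assumption of this example: a key provisioned to the receiving system when
# it is installed. The patent does not specify how delivery is authenticated.
SHARED_KEY = b"example-key-provisioned-at-install"


class VehicleController:
    """Gateway role: DHCP server events drive the ARP mapping relationship table."""

    def __init__(self, gateway_ip, gateway_mac, key=SHARED_KEY):
        self.key = key
        self.version = 0
        # The gateway's own mapping is in the table, so terminals never need to
        # ARP for the gateway and a forged gateway reply has nothing to overwrite.
        self.table = {gateway_ip: gateway_mac.lower()}

    def on_dhcp_ack(self, client_mac, assigned_ip):
        """Second terminal joins: the DHCP request carried its MAC (chaddr) and
        the DHCP reply carried the IP the server chose (yiaddr)."""
        self.table[assigned_ip] = client_mac.lower()
        self.version += 1
        return self.issue()

    def on_disconnect(self, client_ip):
        """Third terminal leaves: its mapping is deleted and the table re-issued."""
        if client_ip in self.table:
            del self.table[client_ip]
            self.version += 1
        return self.issue()

    def issue(self):
        """What the delivery system sends: serialized table plus HMAC-SHA256 tag."""
        body = json.dumps({"version": self.version, "table": self.table},
                          sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class AccessTerminal:
    """Receiving system role: installs only authentic, newer tables and never
    sends an ARP request of its own for data communication."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.version = -1
        self.table = {}

    def receive(self, msg):
        """Return True if the table was accepted and installed."""
        expected = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False            # forged or tampered on the path: ignore
        payload = json.loads(msg["body"])
        if payload["version"] <= self.version:
            return False            # replay of an older table: ignore
        self.version = payload["version"]
        self.table = dict(payload["table"])
        return True

    def neigh_commands(self, iface="wlan0"):
        """Linux commands that pin the installed table as permanent neighbour
        entries, so a spoofed ARP reply cannot overwrite the gateway mapping."""
        return [f"ip neigh replace {ip} lladdr {mac} dev {iface} nud permanent"
                for ip, mac in sorted(self.table.items())]

    def resolve(self, ip):
        """Lookup used for data communication; None means 'do not talk to it'."""
        return self.table.get(ip)
```

The version check matters as much as the tag: without it, an attacker who captured the table issued before a terminal left could replay it and keep that terminal's stale mapping alive on every receiver. Pinning the entries as permanent neighbours is what makes the terminal actually ignore gratuitous or spoofed ARP replies; merely holding the table in the application does not.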
  • it also includes:
  • whether there is an ARP attack in the in-vehicle network is detected through the virtual terminal of the in-vehicle controller; if it is determined that there is an ARP attack in the in-vehicle network, the ARP attack device is marked, and data whose target address is the MAC address of the ARP attack device is filtered out.
  • the vehicle controller can actively lure attackers into carrying out ARP attacks through the virtual terminal, determine the attacker's MAC address, and restrict the attacker's network access, which enriches the defense methods for preventing ARP attacks.
  • the detecting whether there is an ARP attack in the in-vehicle network through the virtual terminal of the in-vehicle controller includes:
  • an ARP request message including a target IP address is broadcast through the virtual terminal, where the target IP address is a known non-existent IP address or the IP address of a known gateway;
  • if an ARP reply message including the target MAC address is received, it is determined that an ARP attack exists in the in-vehicle network, and the ARP attack device is the device that sent the ARP reply message.
  • the ARP request message is broadcast through the virtual terminal; if an ARP reply message is received, the attacker's MAC address can be determined from the ARP reply message, and network restrictions are imposed on the attacker (for example, discarding all data addressed to the attacker's MAC address).
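The virtual-terminal check above, as an added worked example in Python over constructed Ethernet/ARP frames (not the patent's code). The frame layout is the standard one for ARP over Ethernet II; every MAC and IP address is made up. One point the patent leaves implicit is handled explicitly here: the real gateway will legitimately answer a request for its own IP, so for the gateway-IP bait the example treats a reply as spoofed only when the replying MAC differs from the gateway MAC the controller already knows, while any reply at all to the non-existent bait IP is spoofed. The `VirtualTerminal`, `build_arp` and `parse_arp` names are this example's own.

```python
"""Added example (not the patent's code): the virtual terminal's bait ARP
requests, the reply check, and the gateway-side filter, over constructed
frames. Addresses are made up; frame layout is ARP over Ethernet II."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sha, spa, tha, tpa, dst_mac=BROADCAST):
    """Construct an Ethernet II frame carrying one IPv4 ARP packet."""
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(sha), ETH_P_ARP) + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None for anything
    that is not a well-formed IPv4-over-Ethernet ARP packet."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)


class VirtualTerminal:
    """Bait station inside the controller. It asks for an IP that nobody owns
    and for the gateway's IP; an answer to the former, or an answer for the
    gateway carrying a MAC other than the gateway's, unmasks a spoofer."""

    def __init__(self, vt_mac, vt_ip, gateway_ip, gateway_mac, bait_ip):
        self.vt_mac, self.vt_ip = vt_mac, vt_ip
        self.gateway_ip, self.gateway_mac = gateway_ip, gateway_mac.lower()
        self.bait_ip = bait_ip          # known non-existent address
        self.blocked = set()            # MACs marked as ARP attack devices

    def probes(self):
        """The two broadcast ARP requests the virtual terminal sends."""
        return [build_arp(ARP_REQUEST, self.vt_mac, self.vt_ip,
                          "00:00:00:00:00:00", ip)
                for ip in (self.bait_ip, self.gateway_ip)]

    def inspect_reply(self, frame):
        """Return the attacker's MAC if this reply is spoofed, else None.
        A spoofer is also marked so the gateway filter drops its traffic."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, sender_mac, sender_ip, _ = parsed
        if sender_ip == self.bait_ip:
            spoofed = True                              # nobody owns this IP
        elif sender_ip == self.gateway_ip:
            spoofed = sender_mac != self.gateway_mac    # real gateway may answer
        else:
            return None                                 # not one of our probes
        if not spoofed:
            return None
        self.blocked.add(sender_mac)
        return sender_mac

    def allow_frame(self, frame):
        """Gateway filter: drop any frame addressed to a marked attacker."""
        return mac_str(frame[:6]) not in self.blocked
```

A tool that answers every ARP request on the segment in order to hijack all traffic will answer the bait address and be caught on the first probe; a more careful spoofer that only forges the gateway is caught on the second probe because its reply carries a MAC the controller knows is not the gateway's. The filter keys on the destination MAC, matching the patent's "data whose target address is the MAC address of the ARP attack device".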
  • an embodiment of the present application provides a method for preventing ARP attacks, used in any access terminal in an in-vehicle network, including:
  • the access terminal receives the ARP mapping relationship table sent by the vehicle-mounted controller of the vehicle-mounted network, where the ARP mapping relationship table includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the vehicle-mounted network;
  • data communication is performed according to the ARP mapping relationship table.
  • the in-vehicle controller generates the ARP mapping relationship table by acquiring the MAC addresses and IP addresses of all access terminals in the in-vehicle network and sends it to all access terminals, and the access terminal accepts only the ARP mapping relationship table issued by the in-vehicle controller and uses that table for data communication, so that the ARP mapping relationship tables of all access terminals in the in-vehicle network are maintained by the in-vehicle controller, which ensures the reliability of data communication between the access terminal and other access terminals.
  • the receiving ARP mapping relationship table sent by the on-board controller of the on-board network includes:
  • the ARP mapping relationship table sent by the delivery system of the vehicle-mounted controller is received by the receiving system of the access terminal.
  • the in-vehicle controller sends the ARP mapping relationship table through its delivery system and the access terminal receives it through its receiving system, which effectively prevents ARP attacks on the transmission path in the in-vehicle network.
  • the sending system is a first application (APP)
  • the receiving system is a second APP
  • the first APP and the second APP are the same.
  • both the in-vehicle controller and the access terminal use the same APP (for example, a third-party smartphone application) to process the ARP mapping relationship table, which provides a further way of implementing ARP attack prevention.
  • it also includes:
  • the updated ARP mapping relationship table sent by the on-board controller is received, and data communication is performed according to the updated ARP mapping relationship table.
  • when a specified update condition is met (for example, the ARP mapping relationship table changes), the vehicle controller actively updates the table and issues the updated ARP mapping relationship table, so that any access terminal in the in-vehicle network stops using the table from before the update and uses the updated table for data communication, which ensures the accuracy of data communication.
  • when the updated ARP mapping relationship table sent by the on-board controller is received, it may be received by the receiving system of the access terminal from the delivery system of the on-board controller.
  • the access terminal is a device that accesses the in-vehicle network for the first time and does not yet include the receiving system; the method further includes:
  • the receiving system is downloaded and installed from a download page provided by the vehicle-mounted controller.
  • the on-board controller can provide a download channel for the access terminal, which ensures that the access terminal receives the ARP mapping relationship table with the receiving system downloaded from the on-board controller, further preventing ARP attacks on the transmission path in the in-vehicle network.
  • an embodiment of the present application provides a device for preventing ARP attacks, and the device is used in an in-vehicle controller of an in-vehicle network, including:
  • an acquisition module configured to acquire the media access control (MAC) addresses and Internet Protocol (IP) addresses of all access terminals in the in-vehicle network;
  • a generating module is used to generate an ARP mapping relationship table, and the ARP mapping relationship table includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the vehicle network;
  • a first sending module configured to send the ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the ARP mapping relationship table.
  • the first sending module includes:
  • the sending submodule is configured to send the ARP mapping relationship table to the receiving systems of all access terminals in the on-board network through the delivery system of the on-board controller.
  • the sending system is a first application APP
  • the receiving system is a second APP
  • the first APP and the second APP are the same.
  • the obtaining module includes:
  • the obtaining submodule is used for obtaining the MAC address and IP address of the first terminal by using the dynamic host configuration protocol DHCP, where the first terminal is used to represent any access terminal in the vehicle network.
  • the obtaining submodule includes:
  • a receiving unit configured to receive a DHCP address request message sent by the first terminal, where the address request message includes the MAC address of the first terminal;
  • a sending unit configured to send a DHCP address reply message to the first terminal, where the address reply message includes the IP address of the first terminal.
  • it also includes:
  • a first detection module configured to detect that a specified update condition for the ARP mapping relationship table is met
  • an update module for updating the ARP mapping relationship table to obtain the updated ARP mapping relationship table
  • the second sending module is configured to send the updated ARP mapping relationship table to all access terminals in the vehicle network, so that any access terminal in the vehicle network performs data communication according to the updated ARP mapping relationship table.
  • the specified update condition includes: a second terminal accesses the vehicle network, where the second terminal represents any terminal that was not previously connected to the vehicle network;
  • the update module includes:
  • an adding submodule configured to add the mapping relationship between the MAC address and the IP address of the second terminal to the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
  • the specified update condition includes: a third terminal disconnects from the in-vehicle network, where the third terminal represents any terminal that has accessed the in-vehicle network;
  • the update module includes:
  • a deletion submodule configured to delete the mapping relationship between the MAC address and the IP address of the third terminal from the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
  • it also includes:
  • a second detection module configured to detect whether there is an ARP attack in the vehicle network through the virtual terminal of the vehicle controller
  • the marking module is configured to mark the ARP attacking device if it is determined that there is an ARP attack in the vehicle network, and filter out the data whose target address is the MAC address of the ARP attacking device.
  • the second detection module includes:
  • a broadcast submodule configured to broadcast an ARP request message including a target IP address through the virtual terminal, where the target IP address is a known IP address that does not exist or the IP address of a known gateway;
  • the determining submodule is configured to determine that an ARP attack exists in the in-vehicle network if an ARP reply message including the target MAC address is received, and the ARP attack device is the device that sends the ARP reply message.
  • an embodiment of the present application provides a device for preventing ARP attacks, where the device is used for any access terminal in a vehicle network, including:
  • the first receiving module is configured to receive the ARP mapping relationship table sent by the vehicle-mounted controller of the vehicle-mounted network, where the ARP mapping relationship table includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the vehicle-mounted network;
  • the first communication module is configured to perform data communication according to the ARP mapping relationship table.
  • the first receiving module includes:
  • the receiving sub-module is configured to receive, through the receiving system of the access terminal, the ARP mapping relationship table sent by the delivery system of the vehicle-mounted controller.
  • the sending system is a first application APP
  • the receiving system is a second APP
  • the first APP and the second APP are the same.
  • it also includes:
  • the second receiving module is used for receiving the updated ARP mapping relationship table sent by the on-board controller
  • the second communication module is configured to perform data communication according to the updated ARP mapping relationship table.
  • the access terminal is a device that accesses the in-vehicle network for the first time and does not include the receiving system; the apparatus further includes:
  • a download and installation module is used to download and install the receiving system from a download page provided by the vehicle-mounted controller.
  • an embodiment of the present application provides an apparatus for preventing ARP attacks, the apparatus is used in an in-vehicle controller of an in-vehicle network, and the apparatus includes: a processor, a memory, and a transceiver;
  • the memory for storing computer instructions
  • the processor executes the computer instructions to cause the apparatus to perform the method of the first aspect.
  • an embodiment of the present application provides an apparatus for preventing ARP attacks, the apparatus is used for any access terminal in an in-vehicle network, and the apparatus includes: a processor, a memory, and a transceiver;
  • the memory for storing computer instructions
  • the processor executes the computer instructions to cause the apparatus to perform the method of the second aspect.
  • an embodiment of the present application provides a communication system, including a vehicle-mounted controller and one or more access terminals;
  • the in-vehicle controller includes the device described in the third aspect; the access terminal includes the device described in the fourth aspect.
  • an embodiment of the present application provides a computer storage medium, where the computer storage medium includes computer instructions, and when the computer instructions are run on an in-vehicle controller of an in-vehicle network, the in-vehicle controller is made to execute the method described in the first aspect.
  • an embodiment of the present application provides a computer storage medium, where the computer storage medium includes computer instructions, and when the computer instructions are run on a terminal device in an in-vehicle network, the terminal device is made to execute the method described in the second aspect.
  • the present application discloses a method, device and system for preventing ARP attacks.
  • the in-vehicle controller of the in-vehicle network acquires the MAC addresses and IP addresses of all access terminals in the in-vehicle network and generates an ARP mapping relationship table that includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the in-vehicle network. The ARP mapping relationship table is sent through the delivery system of the in-vehicle controller to the receiving systems of all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network can perform data communication according to the ARP mapping relationship table, thereby effectively preventing ARP attacks in the in-vehicle network and ensuring the reliability of data communication.
  • FIG. 1 is a schematic diagram of an ARP attack scenario
  • FIG. 2 is a schematic diagram of an in-vehicle network
  • FIG. 3 is a schematic diagram of an implementation manner of preventing ARP attacks
  • FIG. 4 is a schematic diagram of an implementation manner of preventing ARP attacks
  • FIG. 5 is a schematic flowchart of a method for preventing an ARP attack provided by an embodiment of the present application
  • FIG. 6 is a schematic flowchart of a method for preventing an ARP attack provided by an embodiment of the present application
  • FIG. 7 is a schematic structural diagram of an apparatus for preventing ARP attacks provided by an embodiment of the present application
  • FIG. 8 is a schematic structural diagram of an apparatus for preventing ARP attacks provided by an embodiment of the present application
  • FIG. 9 is a schematic structural diagram of a terminal provided by an embodiment of the present application
  • the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implying the number of indicated technical features. Thus, a feature defined as "first" or "second" may expressly or implicitly include one or more of that feature.
  • the terms "comprising", "including", "having" and their variants mean "including but not limited to" unless specifically emphasized otherwise.
  • the basic function of ARP is to look up the MAC address of a target device from its IP address, so that communication can proceed.
  • ARP spoofing means that an attacker disrupts network communication by sending false ARP information.
  • in the in-vehicle environment, the attacker usually uses a cracked vehicle WIFI password to enter the vehicle network and conduct ARP spoofing against a terminal device. After the attack succeeds, the gateway entry in the victim's ARP mapping table has been changed to the attacker's MAC address; the victim's data stream is then sent to the attacker, who can hijack the traffic to obtain sensitive information.
  • IVI: In-Vehicle Infotainment (in-vehicle entertainment system)
  • attacker B performs ARP spoofing against the car owner's mobile phone A.
  • before the attack, the gateway entry in the ARP mapping table of car owner mobile phone A is: IP-A, MAC-A, and the Internet access path of mobile phone A is: mobile phone A - gateway - Internet;
  • after the attack, the gateway entry in the ARP mapping table of mobile phone A is changed to: IP-A, MAC-B, and the Internet access path of mobile phone A becomes: mobile phone A - attacker B - gateway - Internet,
  • so mobile phone A sends data that should go directly to the gateway to attacker B instead; attacker B thereby hijacks the traffic of mobile phone A and can carry out phishing, tampering, sniffing and other attacks.
  • the implementation methods that can be used include: 1. the gateway is bound to the device IP and MAC address, and the terminal is bound to the gateway IP and MAC address; 2. an ARP firewall is installed to monitor the ARP mapping table, and if an abnormal change request occurs, the change is blocked; 3. an ARP server is used to maintain the ARP mapping table, and the terminal is addressed through the IP and MAC mapping table maintained by the ARP server.
  • the shortcomings of the above-mentioned implementation methods include: 1. two-way binding requires manual operation; if the ARP mapping table changes frequently, a lot of work is generated, and it is difficult to configure the connected devices in the in-vehicle environment; 2. when an ARP firewall is installed in a mobile terminal environment and the mobile terminal's network changes, such as changing the WIFI environment or changing the gateway, the ARP firewall may fail to refresh the gateway IP and MAC mapping relationship correctly, resulting in denial of service; 3. additional equipment is required in the car to carry the service, and if the ARP server is attacked and the device IP and MAC mapping table is tampered with, all terminals are exposed to ARP attacks.
  • the present application provides a method, device and system for preventing ARP attacks.
  • the in-vehicle controller of the in-vehicle network acquires the MAC addresses and IP addresses of all access terminals in the in-vehicle network and generates an ARP mapping relationship table from them. The ARP mapping relationship table includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the vehicle network, and it is sent through the delivery system of the vehicle controller to the receiving systems of all access terminals in the vehicle network, so that any access terminal in the vehicle network can perform data communication according to the ARP mapping relationship table, thereby effectively preventing ARP attacks in the vehicle network and ensuring the reliability of data communication.
  • the in-vehicle network involved in this application may be an in-vehicle local area network, which belongs to the category of local area networks.
  • the in-vehicle network may be provided by a wireless AP (Access Point) function of the in-vehicle controller, such as a wireless hotspot or WIFI.
  • AP: Access Point
  • the access terminal involved in this application may also be referred to as UE (User Equipment) and the like.
  • access terminals include but are not limited to handheld devices and vehicle-mounted devices.
  • for example, an access terminal may be a mobile phone, a tablet computer, a notebook computer, a UMPC (Ultra-Mobile Personal Computer), a netbook, or a PDA (Personal Digital Assistant).
  • FIG. 2 is a schematic diagram of an in-vehicle network; as shown in FIG. 2, an in-vehicle controller of the in-vehicle network, such as a CDC (Cockpit Domain Controller), includes a gateway, a delivery system, and a virtual terminal.
  • CDC: Cockpit Domain Controller (intelligent cockpit domain controller)
  • the on-board controller may refer to an operating system that combines software and hardware, and the gateway, the delivery system, and the virtual terminal are all functional modules in the operating system.
  • the function implemented by the gateway is: using DHCP (Dynamic Host Configuration Protocol, dynamic host configuration protocol) to obtain the MAC (Medium Access Control, medium access control) addresses and IP (Internet Protocol, between the network) of all access terminals in the vehicle network interconnection protocol) address, and generate an ARP mapping relationship table according to the MAC addresses and IP addresses of all access terminals in the vehicle network, the ARP mapping relationship table includes the mapping between the MAC addresses and IP addresses of all access terminals in the vehicle network relation.
  • DHCP is a network protocol applied to a local area network, which allows servers to dynamically assign IP addresses and configuration information to clients.
  • the gateway may dynamically allocate IP addresses and configuration information to each terminal in the vehicle network.
  • the function implemented by the delivery system is: sending the ARP mapping relationship table to the receiving systems of all access terminals in the vehicle network.
  • the delivery system may be delivery software; correspondingly, the receiving system may be receiving software that matches that delivery software.
  • the function implemented by the virtual terminal is to send an ARP broadcast request to detect whether there is an ARP attack in the vehicle network. If there is an ARP attack, the gateway will mark the ARP attack device and discard all data pointing to the MAC address of the ARP attack device.
  • the vehicle controller can send the ARP mapping table to the receiving systems of all access terminals in the vehicle network through the delivery system, and detect ARP attacks through the virtual terminal; the combination of the two prevents ARP attacks.
  • the in-vehicle controller can make the terminal device open a download page through the captive portal, from which it downloads and installs the receiving system that receives the ARP mapping table.
  • when the terminal device connects to the in-vehicle network, it is directed to the download page to download the software; the downloaded software receives the ARP mapping relationship table and updates the table stored locally on the terminal device according to the received one.
  • Figure 3 is a schematic diagram of an implementation manner of preventing ARP attacks; as shown in Figure 3, the implementation manner of preventing ARP attacks is to actively update the ARP mapping relationship table, and its specific implementation process includes:
  • the in-vehicle controller (eg, CDC) obtains the IP and MAC address of the access terminal according to DHCP, and generates an ARP mapping relationship table according to the IP and MAC address of the access terminal.
  • the terminal device sends its MAC address to the gateway of the vehicle controller to apply for an IP address, and the gateway of the vehicle controller issues the allocated IP address to the terminal device.
  • after receiving the IP address assigned by the gateway, the terminal device can connect to the Internet, but may be subject to ARP attacks.
  • the software is mainly used to receive the ARP mapping relationship table issued by the vehicle controller, and to update the ARP mapping table saved locally by the terminal device according to the received table.
  • the on-board controller issues the ARP mapping relationship table through the issuing system, and the receiving system in the terminal updates its table according to the issued one, which facilitates prevention of ARP attacks in the local area network.
  • the terminal only performs data communication with the gateway or other terminals of the vehicle controller according to the ARP mapping relationship table issued by the vehicle controller, which not only prevents ARP attacks in the vehicle network but also ensures the reliability of data communication.
  • the in-vehicle controller will update the ARP mapping relationship table and issue the updated ARP mapping relationship table.
  • this avoids the bidirectional IP and MAC address binding steps between the terminal device and the vehicle-mounted controller that would otherwise require manual configuration; and, by flexibly updating the ARP mapping relationship table between the vehicle-mounted controller and the access terminal, it solves the terminal denial-of-service problem caused by an ARP firewall blocking a legitimate ARP mapping relationship table update after a change in the network environment.
  • the gateway binds the device IP and MAC address
  • the terminal binds the gateway IP and MAC address
  • when a terminal device accesses the network, the IP address and MAC address would normally have to be bound manually on both the terminal device and the gateway; the present application instead binds them automatically through the issuing system and the receiving system (for example, issuing software and receiving software), removing the inconvenience of manual configuration.
  • an ARP firewall is installed to monitor the ARP mapping table, and blocks any change request it judges abnormal. However, when an ARP firewall is installed on a mobile terminal and the terminal's network changes, for example when it changes WIFI environment or gateway, the ARP firewall may prevent the gateway IP and MAC mapping from being refreshed correctly, resulting in denial of service; this application instead manages the ARP mapping relationship table between the gateway and the other terminal devices flexibly through the distribution system and the receiving system (for example, the distribution software and the receiving software).
  • after the terminal device leaves the in-vehicle network, if the receiving software no longer receives data updating the ARP mapping table, it stops maintaining the ARP table, so that the terminal device can still access the Internet normally after leaving the in-vehicle network; this solves the terminal denial-of-service problem caused by an ARP firewall blocking a normal ARP mapping table update after a change in the network environment.
  • Figure 4 is a schematic diagram of an implementation of preventing ARP attacks; as shown in Figure 4, the implementation of preventing ARP attacks is to detect ARP attacks through virtual terminals, and the specific implementation process includes:
  • the in-vehicle controller (eg, CDC) obtains the IP and MAC address of the access terminal according to DHCP, and generates an ARP mapping relationship table according to the IP and MAC address of the access terminal.
  • the terminal device sends its MAC address to the gateway of the vehicle controller to apply for an IP address, and the gateway of the vehicle controller issues the allocated IP address to the terminal device.
  • after receiving the IP address assigned by the gateway, the terminal device can connect to the Internet, but may be subject to ARP attacks.
  • the vehicle-mounted controller performs an ARP broadcast through the virtual terminal, that is, the virtual terminal broadcasts a request for the MAC address of an unused IP address.
  • the ARP broadcast message sent by the virtual terminal is: who has x.x.x.x (addressed IP) tell x.x.x.x (virtual terminal IP).
  • the addressed IP is an IP address that has not been allocated by the DHCP service, or the gateway IP.
  • the attacking device will respond with an ARP reply.
  • the ARP reply sent by the attacking device is: x.x.x.x (addressed IP) is at x:x:x:x:x:x (attacker MAC).
  • the on-board controller determines whether there is an ARP attack by detecting whether the virtual terminal receives an ARP response.
  • the vehicle-mounted controller records and filters the data whose target address is the attacker's MAC.
  • an attacker can be drawn into an ARP attack through the virtual terminal, so that the attacker's IP and MAC address can be determined; with this attacker information, the gateway can restrict the attacker's network access.
  • FIG. 5 is a schematic flowchart of a method for preventing ARP attacks provided by an embodiment of the present application, and the method can be used in an on-board controller (eg, CDC) of an on-board network; as shown in FIG. 5 , the method may include the following steps:
  • the in-vehicle controller may obtain the MAC address and IP address of the first terminal by using DHCP, and the first terminal is used to represent any access terminal in the in-vehicle network.
  • the vehicle-mounted controller receives a DHCP address request message sent by the first terminal, where the address request message includes the MAC address of the first terminal; and sends a DHCP address reply message to the first terminal, where the address reply message includes the IP address of the first terminal. The implementation process is shown in FIG. 3 or FIG. 4.
  • the ARP mapping relationship table includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the vehicle network.
  • S503 Send the ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the ARP mapping relationship table.
  • the in-vehicle controller may send the ARP mapping relationship table to the receiving systems of all access terminals in the in-vehicle network through the delivery system.
  • the delivery system may be the first application APP
  • the receiving system may be the second APP
  • the first APP and the second APP are the same. That is to say, the issuing system and the receiving system can be the same application APP.
  • the in-vehicle controller is responsible for maintaining the ARP mapping relationship table, which includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the in-vehicle network; it sends the table through the delivery system and the access terminal receives it through the receiving system, which effectively prevents ARP attacks in the in-vehicle network along the transmission path. Only after receiving the ARP mapping relationship table issued by the vehicle controller does the access terminal perform data processing according to it.
  • the on-board controller maintains the ARP mapping relationship table of all access terminals in the on-board network, thereby ensuring the reliability of data communication between the access terminal and other access terminals.
  • when the on-board controller detects that a specified update condition of the ARP mapping relationship table is satisfied, it updates the ARP mapping relationship table to obtain the updated table, and sends the updated table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the updated ARP mapping relationship table.
  • the specified update conditions include: a second terminal connects to the in-vehicle network, where the second terminal represents any terminal not yet connected to the in-vehicle network; the in-vehicle controller adds the mapping between the MAC address and IP address of the second terminal to the ARP mapping relationship table, obtains the updated table, and sends the updated table to all access terminals in the vehicle network.
  • the specified update conditions include: a third terminal disconnects from the in-vehicle network, where the third terminal represents any terminal that has been connected to the in-vehicle network; the in-vehicle controller deletes the mapping between the MAC address and IP address of the third terminal from the ARP mapping relationship table, obtains the updated table, and sends the updated table to all access terminals in the vehicle network.
  • the on-board controller is responsible for updating the ARP mapping relationship table and sending the updated table to all access terminals in the on-board network, so that any access terminal in the on-board network can perform data communication according to the updated table, which further ensures the reliability of data communication between the access terminal and other access terminals.
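  • The following added example (not code from the patent; class and method names, the grace period and all addresses are constructed) puts the Figure 3 flow and steps S501 to S503 together: the controller derives the ARP mapping relationship table from DHCP lease events, republishes a new version whenever a terminal joins (the second-terminal condition) or leaves (the third-terminal condition), and the terminal-side receiving software pins the delivered table in front of its ARP cache, then stands down once no update has arrived for a while, which is the behaviour described for a terminal that has left the in-vehicle network.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; reject anything that is not a 48-bit MAC."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac


@dataclass
class ArpMappingTable:
    """IP -> MAC bindings plus a version so a receiver can ignore a stale copy."""
    version: int
    entries: Dict[str, str]


class VehicleController:
    """Gateway role of the in-vehicle controller (assumed name): hands out DHCP
    leases and republishes the ARP mapping table after every change."""

    def __init__(self, gateway_ip: str, gateway_mac: str, pool: List[str]):
        self.gateway_ip = gateway_ip
        self.gateway_mac = normalize_mac(gateway_mac)
        self.pool = list(pool)                      # addresses DHCP may allocate
        self.version = 0
        # The gateway's own binding is in the table so terminals pin it as well.
        self.entries: Dict[str, str] = {gateway_ip: self.gateway_mac}
        self.delivered: List[ArpMappingTable] = []  # stands in for the delivery system
        self._publish()

    def _publish(self) -> ArpMappingTable:
        self.version += 1
        snapshot = ArpMappingTable(self.version, dict(self.entries))
        self.delivered.append(snapshot)
        return snapshot

    def dhcp_request(self, terminal_mac: str) -> str:
        """Terminal joins (second-terminal condition): allocate the first free
        lease, add its binding and push the updated table."""
        mac = normalize_mac(terminal_mac)
        for ip in self.pool:
            if ip not in self.entries:
                self.entries[ip] = mac
                self._publish()
                return ip
        raise RuntimeError("DHCP pool exhausted")

    def dhcp_release(self, ip: str) -> None:
        """Terminal leaves (third-terminal condition): delete its binding and
        push the updated table. The gateway binding is never removed."""
        if ip in self.entries and ip != self.gateway_ip:
            del self.entries[ip]
            self._publish()


class ReceivingSystem:
    """Terminal-side receiving software (assumed name). While fresh tables keep
    arriving it is an allow-list for the ARP cache; when they stop, the terminal
    has left the vehicle network and it stands down so ordinary ARP works again."""

    def __init__(self, hold_seconds: float = 30.0):
        self.hold_seconds = hold_seconds            # assumed grace period
        self.table: Optional[ArpMappingTable] = None
        self.last_update = 0.0

    def receive(self, table: ArpMappingTable, now: float) -> bool:
        """Apply a delivered table; an older version is ignored."""
        if self.table is not None and table.version <= self.table.version:
            return False
        self.table, self.last_update = table, now
        return True

    def enforcing(self, now: float) -> bool:
        return self.table is not None and now - self.last_update <= self.hold_seconds

    def accept_arp_reply(self, ip: str, mac: str, now: float) -> bool:
        """Gate in front of the OS ARP cache: while enforcing, only a reply that
        matches the controller's table may update the cache, so a forged gateway
        reply is dropped and peers absent from the table are refused."""
        if not self.enforcing(now):
            return True
        return self.table.entries.get(ip) == normalize_mac(mac)


def demo() -> dict:
    """Constructed scenario: phone joins, a forged gateway reply is rejected,
    tablet joins, phone leaves and its receiver lets the table lapse."""
    ctl = VehicleController("192.168.8.1", "02:00:00:00:00:01",
                            ["192.168.8.10", "192.168.8.11"])
    phone_ip = ctl.dhcp_request("02:00:00:00:00:aa")
    phone_rx = ReceivingSystem(hold_seconds=30)
    phone_rx.receive(ctl.delivered[-1], now=100.0)
    forged = phone_rx.accept_arp_reply("192.168.8.1", "02:00:00:00:00:ee", now=105.0)
    genuine = phone_rx.accept_arp_reply("192.168.8.1", "02:00:00:00:00:01", now=105.0)
    tablet_ip = ctl.dhcp_request("02-00-00-00-00-BB")   # dashed form is normalised
    ctl.dhcp_release(phone_ip)
    stood_down = phone_rx.accept_arp_reply("10.0.0.1", "02:00:00:00:00:ee", now=200.0)
    return {"phone_ip": phone_ip, "tablet_ip": tablet_ip,
            "tables_delivered": len(ctl.delivered), "final_entries": ctl.entries,
            "forged_accepted": forged, "genuine_accepted": genuine,
            "stood_down": stood_down}
```

  • In the scenario the controller publishes four table versions (initial, phone joined, tablet joined, phone left), the phone's receiver rejects a reply claiming the gateway IP with a foreign MAC while it still holds a fresh table, and accepts ordinary ARP again once it has been away from the vehicle network longer than the grace period.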
  • the vehicle controller can also detect whether there is an ARP attack in the vehicle network through the virtual terminal; if it determines that there is an ARP attack in the vehicle network, it marks the ARP attack device and filters out data whose destination address is the MAC address of the ARP attack device.
  • an ARP request message including a target IP address is broadcast through the virtual terminal, where the target IP address is a known non-existent IP address or the IP address of a known gateway; if an ARP reply message including the target MAC address is received, it is determined that there is an ARP attack in the in-vehicle network, and the ARP attack device is the device that sent the ARP reply message.
  • the vehicle controller can actively attract attackers to carry out ARP attacks through virtual terminals, determine the attacker's MAC address, and restrict the attacker's network, which enriches the defense methods to prevent ARP attacks.
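  • The following added example (not code from the patent; the VirtualTerminal class, its method names and all addresses are constructed) works through the Figure 4 flow and the detection step above at the frame level: it builds and parses raw Ethernet/IPv4 ARP frames, has the virtual terminal broadcast "who has" probes for an address that DHCP has not allocated and for the gateway address, treats any reply for the unallocated address, or a reply for the gateway address from a MAC other than the real gateway's, as proof of spoofing, records the answering MAC, and applies the gateway-side filter that discards frames destined for a marked MAC.

```python
import ipaddress
import struct
from typing import Dict, Optional, Set

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + 28-byte RFC 826 body for Ethernet/IPv4.
    Requests go to the broadcast MAC; replies are unicast to the target."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)
    return eth + body


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Decode an Ethernet/IPv4 ARP frame; None for short or non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": bytes_to_mac(frame[22:28]),
            "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
            "target_mac": bytes_to_mac(frame[32:38]),
            "target_ip": str(ipaddress.IPv4Address(frame[38:42]))}


class VirtualTerminal:
    """Bait host inside the controller (assumed name): asks for addresses that
    nobody legitimate should answer for, and marks whoever answers."""

    def __init__(self, vt_ip, vt_mac, gateway_ip, gateway_mac, leased_ips):
        self.vt_ip, self.vt_mac = vt_ip, vt_mac
        self.gateway_ip, self.gateway_mac = gateway_ip, gateway_mac
        self.leased_ips = set(leased_ips)     # from the controller's DHCP leases
        self.outstanding: Set[str] = set()    # IPs currently being probed
        self.attackers: Set[str] = set()      # marked attacker MACs

    def pick_unused_ip(self, subnet: str) -> str:
        """First host address in the subnet that DHCP has not handed out."""
        taken = self.leased_ips | {self.gateway_ip, self.vt_ip}
        for host in ipaddress.ip_network(subnet).hosts():
            if str(host) not in taken:
                return str(host)
        raise RuntimeError("no free address left to probe with")

    def probe_frame(self, target_ip: str) -> bytes:
        """'who has target_ip? tell vt_ip', as the controller broadcasts it."""
        self.outstanding.add(target_ip)
        return build_arp(ARP_REQUEST, self.vt_mac, self.vt_ip, ZERO_MAC, target_ip)

    def inspect_reply(self, frame: bytes) -> Optional[str]:
        """Return the attacker MAC if this reply proves spoofing, else None."""
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY or arp["target_ip"] != self.vt_ip:
            return None
        if arp["sender_ip"] not in self.outstanding:
            return None  # not an answer to one of our probes
        if arp["sender_ip"] == self.gateway_ip and arp["sender_mac"] == self.gateway_mac:
            return None  # the genuine gateway replied
        self.attackers.add(arp["sender_mac"])
        return arp["sender_mac"]

    def should_forward(self, frame: bytes) -> bool:
        """Gateway-side filter: drop frames whose destination MAC is marked."""
        return bytes_to_mac(frame[0:6]) not in self.attackers


def demo() -> dict:
    """Constructed exchange: probe a free address and the gateway address, then
    feed the virtual terminal forged, genuine, unrelated and non-ARP frames."""
    vt = VirtualTerminal("192.168.8.2", "02:00:00:00:00:02",
                         "192.168.8.1", "02:00:00:00:00:01",
                         leased_ips={"192.168.8.10", "192.168.8.11"})
    bait_ip = vt.pick_unused_ip("192.168.8.0/24")
    vt.probe_frame(bait_ip)
    vt.probe_frame(vt.gateway_ip)
    attacker = "02:00:00:00:00:ee"

    def reply(mac: str, ip: str) -> bytes:      # "ip is at mac", addressed to the virtual terminal
        return build_arp(ARP_REPLY, mac, ip, vt.vt_mac, vt.vt_ip)

    results = {"bait_ip": bait_ip,
               "forged_bait": vt.inspect_reply(reply(attacker, bait_ip)),
               "forged_gateway": vt.inspect_reply(reply(attacker, vt.gateway_ip)),
               "genuine_gateway": vt.inspect_reply(reply(vt.gateway_mac, vt.gateway_ip)),
               "unsolicited": vt.inspect_reply(reply("02:00:00:00:00:cc", "192.168.8.50")),
               "not_arp": vt.inspect_reply(b"\x00" * 60)}
    results["marked"] = sorted(vt.attackers)
    results["to_attacker_forwarded"] = vt.should_forward(mac_to_bytes(attacker) + b"\x00" * 54)
    results["to_gateway_forwarded"] = vt.should_forward(mac_to_bytes(vt.gateway_mac) + b"\x00" * 54)
    return results
```

  • Only replies to outstanding probes are judged, so unrelated ARP traffic and non-ARP frames never produce a false mark; the genuine gateway answering for its own address is the one legitimate reply the probe can receive.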
  • FIG. 6 is a schematic flowchart of a method for preventing ARP attacks provided by an embodiment of the present application, and the method can be used for any access terminal in a vehicle-mounted network; as shown in FIG. 6 , the method may include the following steps:
  • the access terminal may receive, through the receiving system, the ARP mapping relationship table sent by the delivery system of the vehicle-mounted controller of the vehicle-mounted network.
  • the delivery system may be the first application APP
  • the receiving system may be the second APP
  • the first APP and the second APP are the same. That is to say, the issuing system and the receiving system can be the same application APP.
  • S602. Perform data communication according to the ARP mapping relationship table.
  • the in-vehicle controller is responsible for maintaining the ARP mapping relationship table, which includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the in-vehicle network; it sends the table through the delivery system and the access terminal receives it through the receiving system, which effectively prevents ARP attacks in the in-vehicle network along the transmission path. Only after receiving the ARP mapping relationship table issued by the vehicle controller does the access terminal perform data processing according to it.
  • the on-board controller maintains the ARP mapping relationship table of all access terminals in the on-board network, thereby ensuring the reliability of data communication between the access terminal and other access terminals.
  • the access terminal may also receive, through the receiving system, the updated ARP mapping relationship table sent by the delivery system of the vehicle-mounted controller.
  • the on-board controller is responsible for updating the ARP mapping relationship table and sending the updated table to all access terminals in the on-board network, so that any access terminal in the on-board network can perform data communication according to the updated table, which further ensures the reliability of data communication between the access terminal and other access terminals.
  • the access terminal is a device that accesses the in-vehicle network for the first time and does not include the receiving system; the access terminal can download and install the receiving system from a download page provided by the in-vehicle controller.
  • the on-board controller can provide a download method for the access terminal, thereby ensuring that the access terminal can use the receiving system downloaded from the on-board controller to receive the ARP mapping table, which further effectively prevents ARP attacks within the in-vehicle network along the transmission path.
  • Fig. 7 is a structural schematic diagram of a device for preventing ARP attacks provided by an embodiment of the present application, and the device can be used for a vehicle-mounted controller (for example, CDC) of a vehicle-mounted network; as shown in Fig. 7, the device can include:
  • An acquisition module 71 configured to acquire the medium access control (MAC) addresses and Internet Protocol (IP) addresses of all access terminals in the vehicle network;
  • a generating module 72 configured to generate an ARP mapping relationship table, where the ARP mapping relationship table includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the vehicle network;
  • the first sending module 73 is configured to send the ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the ARP mapping relationship table.
  • the first sending module 73 may include:
  • the sending submodule is configured to send the ARP mapping relationship table to the receiving systems of all access terminals in the on-board network through the delivery system of the on-board controller.
  • the sending system is a first application APP
  • the receiving system is a second APP
  • the first APP and the second APP are the same.
  • the obtaining module 71 may include:
  • the obtaining submodule is used for obtaining the MAC address and IP address of the first terminal by using the dynamic host configuration protocol DHCP, where the first terminal is used to represent any access terminal in the vehicle network.
  • the obtaining submodule may include:
  • a receiving unit configured to receive a DHCP address request message sent by the first terminal, where the address request message includes the MAC address of the first terminal;
  • a sending unit configured to send a DHCP address reply message to the first terminal, where the address reply message includes the IP address of the first terminal.
  • the device for preventing ARP attacks may further include:
  • a first detection module configured to detect that a specified update condition for the ARP mapping relationship table is met
  • an update module for updating the ARP mapping relationship table to obtain the updated ARP mapping relationship table
  • the second sending module is configured to send the updated ARP mapping relationship table to all access terminals in the vehicle network, so that any access terminal in the vehicle network can perform data communication according to the updated ARP mapping relationship table.
  • the specified update condition includes: a second terminal accesses the in-vehicle network, and the second terminal is used to represent any terminal that is not connected to the in-vehicle network; the update module includes:
  • the adding submodule is configured to add the mapping relationship between the MAC address and the IP address of the second terminal to the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
  • the specified update condition includes: a third terminal disconnects from the in-vehicle network, and the third terminal is used to represent any terminal that has accessed the in-vehicle network; the update module includes:
  • a deletion sub-module is configured to delete the mapping relationship between the MAC address and the IP address of the third terminal from the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
  • the device for preventing ARP attacks may further include:
  • a second detection module configured to detect whether there is an ARP attack in the vehicle network through the virtual terminal of the vehicle controller
  • the marking module is configured to mark the ARP attack device if it is determined that there is an ARP attack in the vehicle network, and filter out the data whose target address is the MAC address of the ARP attack device.
  • the second detection module includes:
  • a broadcast submodule configured to broadcast an ARP request message including a target IP address through the virtual terminal, where the target IP address is a known IP address that does not exist or the IP address of a known gateway;
  • the determining submodule is configured to determine that an ARP attack exists in the in-vehicle network if an ARP reply message including the target MAC address is received, and the ARP attack device is the device that sends the ARP reply message.
  • the above-mentioned apparatus is used to execute the method for preventing ARP attacks in the above-mentioned FIG. 5, and the corresponding program modules in the apparatus have similar implementation principles and technical effects as described in the above-mentioned method for preventing ARP attacks in FIG. 5.
  • the working process of the apparatus may refer to the corresponding process in the method for preventing ARP attack in the above-mentioned FIG. 5 , which will not be repeated here.
  • FIG. 8 is a schematic structural diagram of an apparatus for preventing ARP attacks provided by an embodiment of the present application, and the apparatus can be used for any access terminal in a vehicle-mounted network; as shown in FIG. 8 , the apparatus may include:
  • the first receiving module 81 is configured to receive the ARP mapping relationship table sent by the delivery system of the vehicle-mounted controller (for example, CDC) of the vehicle-mounted network, where the ARP mapping relationship table includes the information of all access terminals in the vehicle-mounted network.
  • the first communication module 82 is configured to perform data communication according to the ARP mapping relationship table.
  • the first receiving module 81 includes:
  • the receiving sub-module is configured to receive, through the receiving system of the access terminal, the ARP mapping relationship table sent by the delivery system of the vehicle-mounted controller.
  • the sending system is a first application APP
  • the receiving system is a second APP
  • the first APP and the second APP are the same.
  • the device for preventing ARP attacks may further include:
  • the second receiving module is used for receiving the updated ARP mapping relationship table sent by the on-board controller
  • the second communication module is configured to perform data communication according to the updated ARP mapping relationship table.
  • the access terminal is a device that accesses the in-vehicle network for the first time and does not include the receiving system; the device for preventing ARP attacks may further include:
  • a download and installation module is used to download and install the receiving system from a download page provided by the vehicle-mounted controller.
  • the above-mentioned apparatus is used to execute the method for preventing ARP attack in the above-mentioned FIG. 6, and the corresponding program modules in the apparatus have similar implementation principles and technical effects as described in the above-mentioned method for preventing ARP attack in FIG. 6.
  • the working process of the apparatus may refer to the corresponding process in the method for preventing ARP attacks in FIG. 6 , which will not be repeated here.
  • FIG. 9 is a schematic structural diagram of a terminal provided by an embodiment of the present application, where the terminal can implement the functions of the terminal in the foregoing method embodiment.
  • Figure 9 illustrates the main components of the terminal, as shown in Figure 9:
  • the terminal includes at least one processor 611 , at least one transceiver 612 and at least one memory 613 .
  • the processor 611 , the memory 613 and the transceiver 612 are connected.
  • the terminal may further include an output device 614 , an input device 615 and one or more antennas 616 .
  • the antenna 616 is connected to the transceiver 612 , and the output device 614 and the input device 615 are connected to the processor 611 .
  • the processor 611 is mainly used to process communication protocols and communication data, control the entire terminal, execute software programs, and process data of the software programs.
  • the terminal device may include a baseband processor and a central processing unit.
  • the baseband processor is mainly used to process communication protocols and communication data.
  • the central processing unit is mainly used to control the entire terminal equipment, execute software programs, and process data of software programs.
  • the processor in FIG. 9 may integrate the functions of the baseband processor and the central processing unit.
  • the baseband processor and the central processing unit may also be independent processors, interconnected by technologies such as a bus.
  • a terminal device may include multiple baseband processors to adapt to different network standards, a terminal device may include multiple central processors to enhance its processing capability, and various components of the terminal device may be connected through various buses.
  • the baseband processor may also be expressed as a baseband processing circuit or a baseband processing chip.
  • the central processing unit can also be expressed as a central processing circuit or a central processing chip.
  • the function of processing the communication protocol and communication data may be built in the processor, or may be stored in the memory in the form of a software program, and the processor executes the software program to realize the baseband processing function.
  • the memory 613 is mainly used to store software programs and data.
  • the memory 613 may exist independently and be connected to the processor 611 .
  • the memory 613 may be integrated with the processor 611, for example, integrated within a chip, that is, an on-chip memory, or the memory 613 is an independent storage element, which is not limited in this embodiment of the present application.
  • the memory 613 can store program codes for implementing the technical solutions of the embodiments of the present application, and is controlled and executed by the processor 611 .
  • the transceiver 612 can be used for converting the baseband signal to the radio frequency signal and processing the radio frequency signal, and the transceiver 612 can be connected to the antenna 616 .
  • the transceiver 612 includes a transmitter (Tx) and a receiver (Rx).
  • one or more antennas 616 may receive radio frequency signals
  • the receiver Rx of the transceiver 612 is configured to receive the radio frequency signals from the antennas, convert the radio frequency signals into digital baseband signals or digital intermediate frequency signals, and provide the digital baseband signal or digital intermediate frequency signal to the processor 611, so that the processor 611 performs further processing on it, such as demodulation processing and decoding processing.
  • the transmitter Tx in the transceiver 612 is used for receiving the modulated digital baseband signal or digital intermediate frequency signal from the processor 611, converting it into a radio frequency signal, and transmitting the radio frequency signal through one or more antennas 616.
  • the receiver Rx can selectively perform one or more stages of down-mixing processing and analog-to-digital conversion processing on the radio frequency signal to obtain a digital baseband signal or a digital intermediate frequency signal. The order of precedence is adjustable.
  • the transmitter Tx can selectively perform one or more stages of up-mixing processing and digital-to-analog conversion processing on the modulated digital baseband signal or digital intermediate frequency signal to obtain a radio frequency signal; the order of the up-mixing processing and the digital-to-analog conversion processing is adjustable.
  • Digital baseband signals and digital intermediate frequency signals can be collectively referred to as digital signals.
  • the transmitter Tx and the receiver Rx may be implemented by different physical structures/circuits, or by the same physical structure/circuit, that is, the transmitter Tx and the receiver Rx may be integrated together.
  • a transceiver may also be referred to as a transceiver unit, a transceiver device, or the like.
  • the device used to implement the receiving function in the transceiver unit may be regarded as a receiving unit, and the device used to implement the transmitting function in the transceiver unit may be regarded as a transmitting unit; that is, the transceiver unit includes a receiving unit and a transmitting unit. The receiving unit may also be called a receiver, an input port, a receiving circuit, etc.
  • the sending unit may be called a transmitter, a transmitting circuit, etc.
  • a combination of Tx, Rx and antenna can be used as a transceiver.
  • Output device 614 displays information in a variety of ways.
  • the output device 614 may be a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display device, a Cathode Ray Tube (CRT) display device, a projector, or the like.
  • Input device 615 may accept user input in a variety of ways.
  • the input device 615 may be a mouse, a keyboard, a touch screen device, a sensor device, or the like.
  • Embodiments of the present application also provide a communication system, including an on-board controller and one or more access terminals; the on-board controller can execute the method for preventing ARP attacks on the on-board controller side, and the access terminal can execute the method for preventing ARP attacks on the terminal side.
  • Embodiments of the present application further provide a computer storage medium, where the computer storage medium includes computer instructions; when the computer instructions are executed on the vehicle-mounted controller, the vehicle-mounted controller can execute the method for preventing ARP attacks on the vehicle-mounted controller side.
  • Embodiments of the present application also provide a computer storage medium, where the computer storage medium includes computer instructions; when the computer instructions are executed on the access terminal, the access terminal can execute the method for preventing ARP attacks on the terminal side.
  • processor in the embodiments of the present application may be a central processing unit (central processing unit, CPU), and may also be other general-purpose processors, digital signal processors (digital signal processors, DSP), application-specific integrated circuits (application specific integrated circuit, ASIC), field programmable gate array (field programmable gate array, FPGA) or other programmable logic devices, transistor logic devices, hardware components or any combination thereof.
  • a general-purpose processor may be a microprocessor or any conventional processor.
  • the method steps in the embodiments of the present application may be implemented in a hardware manner, or may be implemented in a manner in which a processor executes software instructions.
  • Software instructions can be composed of corresponding software modules, and the software modules can be stored in random access memory (RAM), flash memory, read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), registers, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor, such that the processor can read information from, and write information to, the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and storage medium may reside in an ASIC.
  • The above-mentioned embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of the present application are generated.
  • the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
  • the computer instructions may be stored in or transmitted over a computer-readable storage medium.
  • The computer instructions can be sent from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g., infrared, radio, microwave).
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that includes an integration of one or more available media.
  • the usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVDs), or semiconductor media (eg, solid state disks (SSDs)), and the like.

Abstract

The present application relates to the field of communications, and in particular to a method and apparatus for preventing an ARP attack, and a system. The method is applied to a vehicle-mounted controller of a vehicle-mounted network, and comprises: obtaining MAC addresses and IP addresses of all access terminals in the vehicle-mounted network; generating an ARP mapping relationship table, the ARP mapping relationship table comprising mapping relationships between the MAC addresses and the IP addresses of all the access terminals in the vehicle-mounted network; and sending the ARP mapping relationship table to all the access terminals in the vehicle-mounted network. Therefore, in the present application, any access terminal in the vehicle-mounted network can perform data communication according to the ARP mapping relationship table issued by the vehicle-mounted controller, so that the ARP attack in the vehicle-mounted network is effectively prevented, and the reliability of data communication is also ensured.

Description

Method, apparatus and system for preventing ARP attacks
Technical Field
The present application relates to the field of communications, and in particular to a method, apparatus and system for preventing ARP attacks.
Background Art
The basic function of ARP (Address Resolution Protocol) is to look up the MAC address of a target device from its IP address so that communication can proceed normally. ARP spoofing refers to an attacker sending false ARP information so that network communication behaves abnormally.
In the in-vehicle environment, an attacker generally cracks the in-vehicle WIFI (Wireless Fidelity) password, enters the in-vehicle network and performs ARP spoofing against terminal devices. After a successful attack, the gateway's MAC address in the victim's ARP mapping relationship table has been changed to the attacker's MAC address, so the victim's data flow is sent to the attacker, who can then hijack the traffic to obtain sensitive information and the like.
Summary of the Invention
Embodiments of the present application provide a method, apparatus and system for preventing ARP attacks. The in-vehicle controller of an in-vehicle network obtains the MAC addresses and IP addresses of all access terminals in the in-vehicle network, generates an ARP mapping relationship table that includes the mapping relationships between the MAC addresses and IP addresses of all access terminals in the in-vehicle network, and sends the ARP mapping relationship table to all access terminals in the in-vehicle network. Any access terminal in the in-vehicle network can then perform data communication according to the ARP mapping relationship table issued by the in-vehicle controller, which effectively prevents ARP attacks within the in-vehicle network and also ensures the reliability of data communication.
In a first aspect, an embodiment of the present application provides a method for preventing ARP attacks. The method is used in an in-vehicle controller of an in-vehicle network and includes:
obtaining the medium access control (MAC) addresses and Internet Protocol (IP) addresses of all access terminals in the in-vehicle network;
generating an ARP mapping relationship table, where the ARP mapping relationship table includes the mapping relationships between the MAC addresses and IP addresses of all access terminals in the in-vehicle network; and
sending the ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the ARP mapping relationship table.
That is to say, in the embodiment of the present application, the in-vehicle controller obtains the MAC addresses and IP addresses of all access terminals in the in-vehicle network, generates an ARP mapping relationship table that includes the mapping relationships between the MAC addresses and IP addresses of all access terminals in the in-vehicle network, and sends the ARP mapping relationship table to all access terminals in the in-vehicle network. Moreover, an access terminal performs data communication according to the ARP mapping relationship table only after it has received the table issued by the in-vehicle controller. In this way the in-vehicle controller maintains the ARP mapping relationship table for all access terminals in the in-vehicle network, which ensures the reliability of data communication between an access terminal and the other access terminals.
In a possible implementation manner, sending the ARP mapping relationship table to all access terminals in the in-vehicle network includes:
sending the ARP mapping relationship table to the receiving systems of all access terminals in the in-vehicle network through the delivery system of the in-vehicle controller.
That is to say, in this implementation manner, the in-vehicle controller sends the ARP mapping relationship table through a delivery system and the access terminal receives it through a receiving system, which effectively prevents ARP attacks in the in-vehicle network along the transmission path.
In a possible implementation manner, the delivery system is a first application (APP), the receiving system is a second APP, and the first APP and the second APP are the same.
That is to say, in this implementation manner, the in-vehicle controller and the access terminal both use the same APP (for example, a third-party application on a smartphone) to handle the ARP mapping relationship table, which enriches the ways of preventing ARP attacks.
In a possible implementation manner, obtaining the MAC addresses and IP addresses of all access terminals in the in-vehicle network includes:
obtaining the MAC address and IP address of a first terminal by using the Dynamic Host Configuration Protocol (DHCP), where the first terminal represents any access terminal in the in-vehicle network.
That is to say, in this implementation manner, the in-vehicle controller can obtain the MAC addresses and IP addresses of all access terminals in the in-vehicle network through DHCP, which makes it easier for the in-vehicle controller to manage the IP addresses of the access terminals and to maintain the ARP mapping relationship table for all access terminals in the in-vehicle network.
In a possible implementation manner, obtaining the MAC address and IP address of the first terminal by using DHCP includes:
receiving a DHCP address request message sent by the first terminal, where the address request message includes the MAC address of the first terminal; and
sending a DHCP address reply message to the first terminal, where the address reply message includes the IP address of the first terminal.
That is to say, in this implementation manner, the in-vehicle controller can carry the DHCP server function; for example, the in-vehicle controller includes a gateway, and the gateway specifically implements the DHCP server function. The DHCP server function refers to being responsible for allocating and managing the IP addresses of all access terminals in the in-vehicle network.
In a possible implementation manner, the method further includes:
detecting that a specified update condition for the ARP mapping relationship table is met;
updating the ARP mapping relationship table to obtain an updated ARP mapping relationship table; and
sending the updated ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the updated ARP mapping relationship table.
That is to say, in this implementation manner, when a certain update condition for the ARP mapping relationship table is met (for example, the ARP mapping relationship table changes), the in-vehicle controller actively updates the table and issues the updated ARP mapping relationship table. Any access terminal in the in-vehicle network thus avoids using the pre-update ARP mapping relationship table for data communication and instead uses the updated one, which ensures the accuracy of data communication.
Here, when the updated ARP mapping relationship table is sent to all access terminals in the in-vehicle network, it may be sent through the delivery system of the in-vehicle controller to the receiving systems of all access terminals in the in-vehicle network.
In a possible implementation manner, the specified update condition includes: a second terminal accessing the in-vehicle network, where the second terminal represents any terminal that has not yet accessed the in-vehicle network; and
updating the ARP mapping relationship table to obtain the updated ARP mapping relationship table includes:
adding the mapping relationship between the MAC address and IP address of the second terminal to the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
That is to say, in this implementation manner, if a new terminal accesses the in-vehicle network, the in-vehicle controller needs to update the ARP mapping relationship table and issue the updated table, so that the access terminals in the in-vehicle network can perform data communication with the newly connected terminal, which improves communication efficiency.
In a possible implementation manner, the specified update condition includes: a third terminal disconnecting from the in-vehicle network, where the third terminal represents any terminal that has accessed the in-vehicle network; and
updating the ARP mapping relationship table to obtain the updated ARP mapping relationship table includes:
deleting the mapping relationship between the MAC address and IP address of the third terminal from the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
That is to say, in this implementation manner, if a terminal disconnects from the in-vehicle network, the in-vehicle controller needs to update the ARP mapping relationship table and issue the updated table, so that the access terminals in the in-vehicle network no longer attempt data communication with the disconnected terminal, which avoids data loss.
In a possible implementation manner, the method further includes:
detecting, through a virtual terminal of the in-vehicle controller, whether an ARP attack exists in the in-vehicle network; and
if it is determined that an ARP attack exists in the in-vehicle network, marking the ARP attack device and filtering out data whose destination address is the MAC address of the ARP attack device.
That is to say, in this implementation manner, the in-vehicle controller can actively use a virtual terminal to draw an attacker into performing an ARP attack, determine the attacker's MAC address, and impose network restrictions on the attacker, which enriches the defence methods for preventing ARP attacks.
In a possible implementation manner, detecting, through the virtual terminal of the in-vehicle controller, whether an ARP attack exists in the in-vehicle network includes:
broadcasting, through the virtual terminal, an ARP request message that includes a target IP address, where the target IP address is an IP address known not to exist or the IP address of a known gateway; and
if an ARP reply message including a target MAC address is received, determining that an ARP attack exists in the in-vehicle network, where the ARP attack device is the device that sent the ARP reply message.
That is to say, in this implementation manner, the ARP request message is broadcast through the virtual terminal; if an ARP reply message is received, the attacker's MAC address can be determined from the ARP reply message and network restrictions imposed on the attacker (for example, discarding all data addressed to the attacker's MAC address).
In a second aspect, an embodiment of the present application provides a method for preventing ARP attacks. The method is used in any access terminal in an in-vehicle network and includes:
receiving an ARP mapping relationship table sent by the in-vehicle controller of the in-vehicle network, where the ARP mapping relationship table includes the mapping relationships between the MAC addresses and IP addresses of all access terminals in the in-vehicle network; and
performing data communication according to the ARP mapping relationship table.
That is to say, in the embodiment of the present application, the in-vehicle controller obtains the MAC addresses and IP addresses of all access terminals in the in-vehicle network, generates an ARP mapping relationship table that includes the mapping relationships between the MAC addresses and IP addresses of all access terminals in the in-vehicle network, and sends the ARP mapping relationship table to all access terminals in the in-vehicle network. Moreover, an access terminal performs data communication according to the ARP mapping relationship table only after it has received the table issued by the in-vehicle controller. In this way the in-vehicle controller maintains the ARP mapping relationship table for all access terminals in the in-vehicle network, which ensures the reliability of data communication between an access terminal and the other access terminals.
In a possible implementation manner, receiving the ARP mapping relationship table sent by the in-vehicle controller of the in-vehicle network includes:
receiving, through the receiving system of the access terminal, the ARP mapping relationship table sent by the delivery system of the in-vehicle controller.
That is to say, in this implementation manner, the in-vehicle controller sends the ARP mapping relationship table through a delivery system and the access terminal receives it through a receiving system, which effectively prevents ARP attacks in the in-vehicle network along the transmission path.
In a possible implementation manner, the delivery system is a first application (APP), the receiving system is a second APP, and the first APP and the second APP are the same.
That is to say, in this implementation manner, the in-vehicle controller and the access terminal both use the same APP (for example, a third-party application on a smartphone) to handle the ARP mapping relationship table, which enriches the ways of preventing ARP attacks.
In a possible implementation manner, the method further includes:
receiving an updated ARP mapping relationship table sent by the in-vehicle controller; and
performing data communication according to the updated ARP mapping relationship table.
That is to say, in this implementation manner, when a certain update condition for the ARP mapping relationship table is met (for example, the ARP mapping relationship table changes), the in-vehicle controller actively updates the table and issues the updated ARP mapping relationship table. Any access terminal in the in-vehicle network thus avoids using the pre-update ARP mapping relationship table for data communication and instead uses the updated one, which ensures the accuracy of data communication.
Here, when the updated ARP mapping relationship table sent by the in-vehicle controller is received, it may be received through the receiving system of the access terminal from the delivery system of the in-vehicle controller.
In a possible implementation manner, the access terminal is a device that is accessing the in-vehicle network for the first time and does not include the receiving system; the method further includes:
downloading and installing the receiving system from a download page provided by the in-vehicle controller.
That is to say, in this implementation manner, the in-vehicle controller can provide a download channel for the access terminal, which ensures that the access terminal can use the receiving system downloaded from the in-vehicle controller to receive the ARP mapping relationship table, further preventing ARP attacks in the in-vehicle network along the transmission path.
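As an added illustration of the first and second aspects (this code is not from the patent or from Huawei), the following Python model walks through both sides of the scheme: the controller builds a versioned ARP mapping relationship table from DHCP leases, pushes it on join and leave, probes through a virtual terminal for a known non-existent IP or the gateway IP and filters traffic to a marked MAC; the terminal resolves only from the issued table and rejects ARP replies that contradict it. All addresses, class names and method names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as seen on the in-vehicle network (constructed record)."""
    sender_ip: str    # IP the replier claims to own
    sender_mac: str   # MAC the replier advertises for that IP


class VehicleController:
    """Controller side: DHCP-derived table, push on change, decoy probing, filtering."""

    def __init__(self, gateway_ip: str, gateway_mac: str, decoy_ip: str) -> None:
        self.gateway_ip, self.gateway_mac = gateway_ip, gateway_mac
        self.decoy_ip = decoy_ip                   # known non-existent IP, never leased
        self.table: Dict[str, str] = {gateway_ip: gateway_mac}   # ip -> mac
        self.version = 0                           # bumped on every update
        self.blocked: Set[str] = set()             # MACs marked as ARP attack devices
        self.outstanding: Set[str] = set()         # IPs the virtual terminal asked about

    def snapshot(self) -> Tuple[int, Dict[str, str]]:
        """The (version, table) pair that the delivery system pushes to terminals."""
        return self.version, dict(self.table)

    def dhcp_lease(self, mac: str, ip: str) -> Tuple[int, Dict[str, str]]:
        """DHCP request carried the MAC, the reply carries the IP: record and push."""
        if ip == self.decoy_ip:
            raise ValueError("decoy address must never be leased")
        self.table[ip] = mac
        self.version += 1
        return self.snapshot()

    def dhcp_release(self, ip: str) -> Tuple[int, Dict[str, str]]:
        """A terminal left the network: drop its mapping and push the new table."""
        self.table.pop(ip, None)
        self.version += 1
        return self.snapshot()

    def probe(self, target_ip: Optional[str] = None) -> str:
        """Virtual terminal broadcasts 'who-has target_ip'; the default is the decoy IP."""
        ip = target_ip or self.decoy_ip
        self.outstanding.add(ip)
        return ip

    def inspect_reply(self, reply: ArpReply) -> bool:
        """Classify a reply to a probe; True means the sender was marked as an attacker."""
        if reply.sender_ip not in self.outstanding:
            return False                           # not an answer to our probe
        # Nobody legitimately owns the decoy IP, and only the real gateway may
        # answer for the gateway IP with the gateway MAC.
        spoofed = reply.sender_ip == self.decoy_ip or (
            reply.sender_ip == self.gateway_ip and reply.sender_mac != self.gateway_mac)
        if spoofed:
            self.blocked.add(reply.sender_mac)
        return spoofed

    def forward_allowed(self, dst_mac: str) -> bool:
        """Filter rule: frames addressed to a marked attacker MAC are dropped."""
        return dst_mac not in self.blocked


class AccessTerminal:
    """Terminal side: resolve only from the issued table and ignore stray ARP replies."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.version = -1

    def receive_table(self, version: int, table: Dict[str, str]) -> bool:
        """Adopt a pushed table only if it is newer than the one held."""
        if version <= self.version:
            return False
        self.version, self.table = version, dict(table)
        return True

    def resolve(self, ip: str) -> Optional[str]:
        """Communication uses the issued table only; unknown IPs do not resolve."""
        return self.table.get(ip)

    def reply_consistent(self, reply: ArpReply) -> bool:
        """A received ARP reply is honoured only if it matches the issued table."""
        return self.table.get(reply.sender_ip) == reply.sender_mac


if __name__ == "__main__":
    ctl = VehicleController("10.0.0.1", "02:00:00:00:00:01", "10.0.0.254")
    term = AccessTerminal()
    term.receive_table(*ctl.dhcp_lease("02:00:00:00:00:10", "10.0.0.10"))
    ctl.probe()                                    # decoy who-has from the virtual terminal
    hit = ctl.inspect_reply(ArpReply("10.0.0.254", "02:00:00:00:00:99"))
    print("attack detected:", hit, "blocked:", sorted(ctl.blocked))
```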
In a third aspect, an embodiment of the present application provides an apparatus for preventing ARP attacks. The apparatus is used in an in-vehicle controller of an in-vehicle network and includes:
an obtaining module, configured to obtain the medium access control (MAC) addresses and Internet Protocol (IP) addresses of all access terminals in the in-vehicle network;
a generating module, configured to generate an ARP mapping relationship table, where the ARP mapping relationship table includes the mapping relationships between the MAC addresses and IP addresses of all access terminals in the in-vehicle network; and
a first sending module, configured to send the ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the ARP mapping relationship table.
In a possible implementation manner, the first sending module includes:
a sending submodule, configured to send the ARP mapping relationship table to the receiving systems of all access terminals in the in-vehicle network through the delivery system of the in-vehicle controller.
In a possible implementation manner, the delivery system is a first application (APP), the receiving system is a second APP, and the first APP and the second APP are the same.
In a possible implementation manner, the obtaining module includes:
an obtaining submodule, configured to obtain the MAC address and IP address of a first terminal by using the Dynamic Host Configuration Protocol (DHCP), where the first terminal represents any access terminal in the in-vehicle network.
In a possible implementation manner, the obtaining submodule includes:
a receiving unit, configured to receive a DHCP address request message sent by the first terminal, where the address request message includes the MAC address of the first terminal; and
a sending unit, configured to send a DHCP address reply message to the first terminal, where the address reply message includes the IP address of the first terminal.
In a possible implementation manner, the apparatus further includes:
a first detection module, configured to detect that a specified update condition for the ARP mapping relationship table is met;
an update module, configured to update the ARP mapping relationship table to obtain an updated ARP mapping relationship table; and
a second sending module, configured to send the updated ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the updated ARP mapping relationship table.
In a possible implementation manner, the specified update condition includes: a second terminal accessing the in-vehicle network, where the second terminal represents any terminal that has not yet accessed the in-vehicle network; and the update module includes:
an adding submodule, configured to add the mapping relationship between the MAC address and IP address of the second terminal to the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
In a possible implementation manner, the specified update condition includes: a third terminal disconnecting from the in-vehicle network, where the third terminal represents any terminal that has accessed the in-vehicle network; and the update module includes:
a deleting submodule, configured to delete the mapping relationship between the MAC address and IP address of the third terminal from the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
In a possible implementation manner, the apparatus further includes:
a second detection module, configured to detect, through a virtual terminal of the in-vehicle controller, whether an ARP attack exists in the in-vehicle network; and
a marking module, configured to, if it is determined that an ARP attack exists in the in-vehicle network, mark the ARP attack device and filter out data whose destination address is the MAC address of the ARP attack device.
In a possible implementation manner, the second detection module includes:
a broadcasting submodule, configured to broadcast, through the virtual terminal, an ARP request message that includes a target IP address, where the target IP address is an IP address known not to exist or the IP address of a known gateway; and
a determining submodule, configured to, if an ARP reply message including a target MAC address is received, determine that an ARP attack exists in the in-vehicle network, where the ARP attack device is the device that sent the ARP reply message.
In a fourth aspect, an embodiment of the present application provides an apparatus for preventing ARP attacks. The apparatus is used in any access terminal in an in-vehicle network and includes:
a first receiving module, configured to receive an ARP mapping relationship table sent by the in-vehicle controller of the in-vehicle network, where the ARP mapping relationship table includes the mapping relationships between the MAC addresses and IP addresses of all access terminals in the in-vehicle network; and
a first communication module, configured to perform data communication according to the ARP mapping relationship table.
In a possible implementation manner, the first receiving module includes:
a receiving submodule, configured to receive, through the receiving system of the access terminal, the ARP mapping relationship table sent by the delivery system of the in-vehicle controller.
In a possible implementation manner, the delivery system is a first application (APP), the receiving system is a second APP, and the first APP and the second APP are the same.
In a possible implementation manner, the apparatus further includes:
a second receiving module, configured to receive an updated ARP mapping relationship table sent by the in-vehicle controller; and
a second communication module, configured to perform data communication according to the updated ARP mapping relationship table.
In a possible implementation manner, the access terminal is a device that is accessing the in-vehicle network for the first time and does not include the receiving system; the apparatus further includes:
a download and installation module, configured to download and install the receiving system from a download page provided by the in-vehicle controller.
In a fifth aspect, an embodiment of the present application provides an apparatus for preventing ARP attacks. The apparatus is used in an in-vehicle controller of an in-vehicle network and includes a processor, a memory and a transceiver;
the memory is configured to store computer instructions; and
when the apparatus runs, the processor executes the computer instructions so that the apparatus performs the method of the first aspect.
In a sixth aspect, an embodiment of the present application provides an apparatus for preventing ARP attacks. The apparatus is used in any access terminal in an in-vehicle network and includes a processor, a memory and a transceiver;
the memory is configured to store computer instructions; and
when the apparatus runs, the processor executes the computer instructions so that the apparatus performs the method of the second aspect.
第七方面,本申请实施例提供了一种通信系统,包括车载控制器、以及一个或多个接入终端;In a seventh aspect, an embodiment of the present application provides a communication system, including a vehicle-mounted controller and one or more access terminals;
其中,所述车载控制器包含第三方面所述的装置;所述接入终端包含第四方面所述的装置。Wherein, the in-vehicle controller includes the device described in the third aspect; the access terminal includes the device described in the fourth aspect.
第八方面,本申请实施例提供了一种计算机存储介质,所述计算机存储介质包括计算机指令,当所述计算机指令在车载网络的车载控制器上运行时,使得所述车载控制器执行执行第一方面所述的方法。In an eighth aspect, an embodiment of the present application provides a computer storage medium, where the computer storage medium includes computer instructions, when the computer instructions are run on an in-vehicle controller of an in-vehicle network, the in-vehicle controller is made to execute the The method described in one aspect.
第九方面,本申请实施例提供了一种计算机存储介质,所述计算机存储介质包括计算机指令,当所述计算机指令在车载网络内的终端设备上运行时,使得所述终端设备执行第二方面所述的方法。In a ninth aspect, an embodiment of the present application provides a computer storage medium, where the computer storage medium includes computer instructions, and when the computer instructions are run on a terminal device in a vehicle network, the terminal device is made to execute the second aspect the method described.
本申请公开了一种防止ARP攻击的方法、装置及系统,车载网络的车载控制器通过获取车载网络内所有接入终端的MAC地址和IP地址,生成ARP映射关系表,该ARP映射关系表包括车载网络内所有接入终端的MAC地址和IP地址之间的映射关系,以及通过车载控制器的下发系统将ARP映射关系表发送至车载网络内所有接入终端的接收系统,这样车载网络内任一接入终端可以根据所述ARP映射关系表进行数据通信,从而有效地防止了车载网络内的ARP攻击,还保证了数据通信的可靠性。The present application discloses a method, device and system for preventing ARP attacks. The on-board controller of the on-board network generates an ARP mapping relationship table by acquiring the MAC addresses and IP addresses of all access terminals in the on-board network, and the ARP mapping relationship table includes: The mapping relationship between the MAC addresses and IP addresses of all access terminals in the in-vehicle network, and the ARP mapping table is sent to the receiving system of all access terminals in the in-vehicle network through the issuing system of the in-vehicle controller, so that in the in-vehicle network Any access terminal can perform data communication according to the ARP mapping relationship table, thereby effectively preventing ARP attacks in the in-vehicle network and ensuring the reliability of data communication.
Description of the drawings
FIG. 1 is a schematic diagram of an ARP attack scenario;
FIG. 2 is a schematic diagram of an in-vehicle network;
FIG. 3 is a schematic diagram of an implementation manner of preventing ARP attacks;
FIG. 4 is a schematic diagram of an implementation manner of preventing ARP attacks;
FIG. 5 is a schematic flowchart of a method for preventing ARP attacks provided by an embodiment of the present application;
FIG. 6 is a schematic flowchart of a method for preventing ARP attacks provided by an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an apparatus for preventing ARP attacks provided by an embodiment of the present application;
FIG. 8 is a schematic structural diagram of an apparatus for preventing ARP attacks provided by an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a terminal provided by an embodiment of the present application.
Detailed description of embodiments
The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them.
In the description of this specification, "one embodiment", "some embodiments" and the like mean that a particular feature, structure or characteristic described in connection with that embodiment is included in one or more embodiments of the present application. Thus, the phrases "in one embodiment", "in some embodiments", "in some other embodiments", "in still other embodiments" and the like appearing in various places in this specification do not necessarily all refer to the same embodiment, but mean "one or more, but not all, embodiments" unless specifically emphasized otherwise.
In the description of this specification, unless otherwise stated, "/" means "or"; for example, A/B may mean A or B. "And/or" in this document merely describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist at the same time, or B exists alone. In addition, in the description of the embodiments of the present application, "a plurality of" means two or more than two.
In the description of this specification, the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may expressly or implicitly include one or more of that feature. The terms "include", "comprise", "have" and their variants mean "including but not limited to" unless specifically emphasized otherwise.
The basic function of ARP is to look up the MAC address of a target device from its IP address so that communication can proceed normally. ARP spoofing means that an attacker sends false ARP information so that network communication becomes abnormal.
In the in-vehicle environment, an attacker typically cracks the in-vehicle WIFI password, enters the in-vehicle network and launches ARP spoofing against terminal devices. After a successful attack, the MAC address of the gateway in the victim's ARP mapping relationship table has been changed to the attacker's MAC address, so the victim's data stream is sent to the attacker, who can then hijack the traffic and obtain sensitive information. As shown in FIG. 1, the in-vehicle infotainment system (IVI, In-Vehicle Infotainment) includes the owner's mobile phone A and attacker B (IP-B, MAC-B). Before attacker B launches an ARP attack on mobile phone A, the gateway entry in mobile phone A's ARP mapping relationship table is IP-A, MAC-A, and mobile phone A's Internet access path is: mobile phone A -> gateway -> Internet. After attacker B launches the ARP attack on mobile phone A, the gateway entry in mobile phone A's ARP mapping relationship table is changed to IP-A, MAC-B, and the Internet access path becomes: mobile phone A -> attacker B -> gateway -> Internet. Mobile phone A therefore sends the data that should go directly to the gateway to attacker B, who has thereby hijacked mobile phone A's traffic and can carry out phishing, tampering, sniffing and other attacks.
Implementation approaches that can be used to prevent ARP attacks include: (1) the gateway binds the IP and MAC address of each device, and each terminal binds the IP and MAC address of the gateway; (2) an ARP firewall is installed to monitor the ARP mapping relationship table and block any abnormal change request; (3) an ARP server maintains the ARP mapping relationship table, and terminals resolve addresses through the IP-to-MAC mapping table maintained by the ARP server. These approaches have the following shortcomings: (1) two-way binding requires manual operation; if the ARP mapping table changes frequently this creates a large workload, and in the in-vehicle environment it is difficult to configure every connected device; (2) when an ARP firewall is installed on a mobile terminal and the terminal's network changes, for example when it switches to another WIFI environment or another gateway, the ARP firewall may prevent the gateway IP-to-MAC mapping from being refreshed correctly, resulting in denial of service; (3) an additional device is required in the vehicle to host the service, and if the ARP server is attacked and its device IP-to-MAC mapping table tampered with, all terminals are exposed to ARP attacks.
Therefore, to prevent ARP attacks more effectively, the present application provides a method, apparatus and system for preventing ARP attacks. The vehicle-mounted controller of the in-vehicle network acquires the MAC addresses and IP addresses of all access terminals in the in-vehicle network and generates an ARP mapping relationship table, which includes the mapping relationships between the MAC addresses and IP addresses of all access terminals in the in-vehicle network, and sends the ARP mapping relationship table through the delivery system of the vehicle-mounted controller to the receiving systems of all access terminals in the in-vehicle network. Any access terminal in the in-vehicle network can then perform data communication according to the ARP mapping relationship table, which effectively protects against ARP attacks within the in-vehicle network and also ensures the reliability of data communication.
It should be noted that:
The in-vehicle network referred to in this application may be an in-vehicle local area network, which falls within the category of local area networks. Specifically, the in-vehicle network may be a wireless AP (Access Point) function provided by the vehicle-mounted controller, such as a wireless hotspot or WIFI.
The access terminal referred to in this application may also be called UE (User Equipment) or the like. Access terminals include but are not limited to handheld devices and vehicle-mounted devices; for example, a mobile phone, a tablet computer, a notebook computer, a UMPC (Ultra-Mobile Personal Computer), a netbook or a PDA (Personal Digital Assistant).
The following description is given through specific embodiments.
FIG. 2 is a schematic diagram of an in-vehicle network. As shown in FIG. 2, the vehicle-mounted controller of the in-vehicle network, for example a CDC (Cockpit Domain Controller), includes a gateway, a delivery system and a virtual terminal.
It should be noted that, in the embodiments of the present application, the vehicle-mounted controller may refer to an operating system combining software and hardware, and the gateway, the delivery system and the virtual terminal are all functional modules in that operating system.
The function implemented by the gateway is to use DHCP (Dynamic Host Configuration Protocol) to acquire the MAC (Medium Access Control) addresses and IP (Internet Protocol) addresses of all access terminals in the in-vehicle network, and to generate an ARP mapping relationship table from the MAC addresses and IP addresses of all access terminals in the in-vehicle network; the ARP mapping relationship table includes the mapping relationships between the MAC addresses and IP addresses of all access terminals in the in-vehicle network.
It should be noted that DHCP is a network protocol used in local area networks which allows a server to dynamically assign IP addresses and configuration information to clients. In the embodiments of the present application, the gateway may dynamically assign IP addresses and configuration information to each terminal in the in-vehicle network.
The function implemented by the delivery system is to send the ARP mapping relationship table to the receiving systems of all access terminals in the in-vehicle network. Exemplarily, the delivery system may be a piece of delivery software, and correspondingly the receiving system may be the receiving software matching that delivery software.
The function implemented by the virtual terminal is to send an ARP broadcast request to detect whether an ARP attack is present in the in-vehicle network; if an ARP attack is present, the ARP attack device is marked through the gateway, and all data addressed to the MAC address of the ARP attack device is discarded.
It can be seen that, in the embodiments of the present application, the vehicle-mounted controller can send the ARP mapping relationship table through the delivery system to the receiving systems of all access terminals in the in-vehicle network, and can detect ARP attacks through the virtual terminal; the two are combined to prevent ARP attacks.
It should be noted that if a terminal device accesses the in-vehicle network for the first time and does not have the receiving system installed, then after the terminal device accesses the in-vehicle network the vehicle-mounted controller can use a captive portal to make the terminal device open a download page, from which it downloads and installs the receiving system used to receive the ARP mapping relationship table. Exemplarily, when the terminal device accesses the in-vehicle network it is redirected to a download page to download the software; the downloaded software is used to receive the ARP mapping relationship table and to update the ARP mapping relationship table stored locally on the terminal device according to the received ARP mapping relationship table.
FIG. 3 is a schematic diagram of an implementation manner of preventing ARP attacks. As shown in FIG. 3, this implementation manner prevents ARP attacks by actively updating the ARP mapping relationship table, and its specific implementation process includes:
(1) When a terminal device accesses the in-vehicle network, the vehicle-mounted controller (for example, the CDC) acquires the IP and MAC address of the access terminal via DHCP and generates the ARP mapping relationship table from the IP and MAC address of the access terminal. Exemplarily, the terminal device sends its device MAC to the gateway of the vehicle-mounted controller to request an IP address, and the gateway of the vehicle-mounted controller sends the IP address it has assigned to the terminal device.
It should be noted that after the terminal device receives the IP address assigned by the gateway, it can connect to the network at this point, but it may be subject to an ARP attack.
(2) When a terminal device connecting to the in-vehicle network for the first time goes online, it is redirected to a download page to download the software. This software is mainly used to receive the ARP mapping relationship table delivered by the vehicle-mounted controller and to update the ARP mapping relationship table stored locally on the terminal device according to the received ARP mapping relationship table.
(3) The vehicle-mounted controller delivers the ARP mapping relationship table through the delivery system; the receiving system in the terminal updates its table according to the delivered ARP mapping relationship table, which helps protect against ARP attacks within the local area network, and performs data communication with the gateway of the vehicle-mounted controller or with other terminals according to the delivered ARP mapping relationship table.
It should be noted that the terminal performs data communication with the gateway of the vehicle-mounted controller or with other terminals only according to the ARP mapping relationship table delivered by the vehicle-mounted controller, which not only protects against ARP attacks within the in-vehicle network but also ensures the reliability of data communication.
(4) Whenever any device accesses the in-vehicle network or disconnects from it, the vehicle-mounted controller updates the ARP mapping relationship table and delivers the updated ARP mapping relationship table.
Thus, the above solution removes the step, in the vehicle environment, of manually configuring the two-way IP and MAC address binding between terminal devices and the vehicle-mounted controller; and, by flexibly updating the ARP mapping relationship table between the vehicle-mounted controller and the access terminals, it solves the terminal denial-of-service problem that arises when a change in the network environment causes an ARP firewall to block a legitimate update of the ARP mapping relationship table. Specifically:
It can be understood that, because the gateway binds the device IP and MAC address and the terminal binds the gateway IP and MAC address, when a terminal device accesses the network the IP address and MAC address must be manually bound in both directions on the terminal device and on the gateway; the present application instead binds them automatically through the delivery system and the receiving system (for example, delivery software and receiving software), removing the inconvenience of manual configuration.
An installed ARP firewall monitors the ARP mapping relationship table and blocks any abnormal change request; but when an ARP firewall is installed on a mobile terminal and the terminal's network changes, for example when it switches to another WIFI environment or another gateway, the ARP firewall may prevent the gateway IP-to-MAC mapping from being refreshed correctly, resulting in denial of service. The present application instead manages the ARP mapping relationship table between the gateway and the other terminal devices flexibly through the delivery system and the receiving system (for example, delivery software and receiving software): once the terminal device has left the in-vehicle network, the receiving software no longer receives data updating the ARP mapping relationship table and stops maintaining the ARP table, so the terminal device can still access the network normally after leaving the in-vehicle network. This solves the terminal denial-of-service problem that arises when a change in the network environment causes an ARP firewall to block a legitimate update of the ARP mapping relationship table.
FIG. 4 is a schematic diagram of an implementation manner of preventing ARP attacks. As shown in FIG. 4, this implementation manner detects ARP attacks through a virtual terminal, and its specific implementation process includes:
(1) When a terminal device accesses the in-vehicle network, the vehicle-mounted controller (for example, the CDC) acquires the IP and MAC address of the access terminal via DHCP and generates the ARP mapping relationship table from the IP and MAC address of the access terminal. Exemplarily, the terminal device sends its device MAC to the gateway of the vehicle-mounted controller to request an IP address, and the gateway of the vehicle-mounted controller sends the IP address it has assigned to the terminal device.
It should be noted that after the terminal device receives the IP address assigned by the gateway, it can connect to the network at this point, but it may be subject to an ARP attack.
(2) The vehicle-mounted controller performs an ARP broadcast through the virtual terminal, that is, the virtual terminal broadcasts a request for the MAC address of an unused IP address. Exemplarily, the ARP broadcast message sent by the virtual terminal is: who has x.x.x.x (the addressed IP) tell x.x.x.x (the virtual terminal IP). The addressed IP is an IP that has not been requested through the DHCP service, or the gateway IP.
(3) If a device in the in-vehicle network is inclined to carry out an ARP attack, the attacking device will respond with an ARP reply. Exemplarily, the ARP reply sent by the attacking device is: x.x.x.x (the addressed IP) is at x:x:x:x:x:x (the attacker's MAC).
(4) The vehicle-mounted controller determines whether an ARP attack is present by detecting whether the virtual terminal has received an ARP reply.
Specifically, if the virtual terminal receives an ARP reply, the device that sent the ARP reply is determined to be carrying out an ARP attack, and the vehicle-mounted controller records it and filters data whose destination address is the attacker's MAC.
Thus, the above solution uses the virtual terminal to draw an attacker into carrying out an ARP attack, determines the attacker's IP and MAC address, and, using the attacker information so obtained, restricts the attacker's network access in conjunction with the gateway.
接下来,请参阅图5,图5是本申请实施例提供的一种防止ARP攻击的方法的流程示意图,该方法可以用于车载网络的车载控制器(例如,CDC);如图5所示,该方法可以包括以下步骤:Next, please refer to FIG. 5 . FIG. 5 is a schematic flowchart of a method for preventing ARP attacks provided by an embodiment of the present application, and the method can be used in an on-board controller (eg, CDC) of an on-board network; as shown in FIG. 5 , the method may include the following steps:
S501、获取车载网络内所有接入终端的MAC地址和IP地址。S501. Acquire the MAC addresses and IP addresses of all access terminals in the vehicle network.
作为一个实施例,如图2所示,车载控制器可以利用DHCP获取第一终端的MAC地址和IP地址,第一终端用于表征车载网络内的任一接入终端。比如:车载控制器接收第一终端发送的DHCP地址请求消息,地址请求消息包括第一终端的MAC地址;并向第一终端发送DHCP地址回复消息,地址回复消息包括第一终端的IP地址,其实现过程具体如图3或图4中所示。As an embodiment, as shown in FIG. 2 , the in-vehicle controller may obtain the MAC address and IP address of the first terminal by using DHCP, and the first terminal is used to represent any access terminal in the in-vehicle network. For example: the vehicle-mounted controller receives a DHCP address request message sent by the first terminal, where the address request message includes the MAC address of the first terminal; and sends a DHCP address reply message to the first terminal, where the address reply message includes the IP address of the first terminal, which The implementation process is specifically shown in FIG. 3 or FIG. 4 .
S502、生成ARP映射关系表,该ARP映射关系表包括车载网络内所有接入终端的MAC地址和IP地址之间的映射关系。S502. Generate an ARP mapping relationship table, where the ARP mapping relationship table includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the vehicle network.
S503、将ARP映射关系表发送至车载网络内所有接入终端,以使车载网络内任一接入终端根据ARP映射关系表进行数据通信。S503: Send the ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the ARP mapping relationship table.
作为一个实施例,如图2所示,车载控制器可以通过下发系统将ARP映射关系表发送至车载网络内所有接入终端的接收系统。其中,下发系统可以是第一应用APP,接收系统可以是第二APP,第一APP和第二APP相同。也就是说,下发系统和接收系统可以为同一款应用APP。As an embodiment, as shown in FIG. 2 , the in-vehicle controller may send the ARP mapping relationship table to the receiving systems of all access terminals in the in-vehicle network through the delivery system. The delivery system may be the first application APP, the receiving system may be the second APP, and the first APP and the second APP are the same. That is to say, the issuing system and the receiving system can be the same application APP.
可见,车载控制器负责维护包括车载网络内所有接入终端的MAC地址和IP地址之间的映射关系的ARP映射关系表,并通过下发系统发送ARP映射关系表,接入终端通过接收系统接收ARP映射关系表,这样从传输路径上有效地防止了车载网络内的ARP攻击;并且,接入终端只有接收到车载控制器下发的ARP映射关系表后,才根据该ARP映射关系表进行数据通信,这样通过车载控制器来维护车载网络内所有接入终端的ARP映射关系表,从而保证了接入终端与其他接入终端进行数据通信的可靠性。It can be seen that the in-vehicle controller is responsible for maintaining the ARP mapping relationship table including the mapping relationship between the MAC addresses and IP addresses of all access terminals in the in-vehicle network, and sends the ARP mapping relationship table through the delivery system, and the access terminal receives it through the receiving system. ARP mapping relationship table, which effectively prevents ARP attacks in the in-vehicle network from the transmission path; and only after receiving the ARP mapping relationship table issued by the vehicle controller, the access terminal will perform data processing according to the ARP mapping relationship table. In this way, the on-board controller maintains the ARP mapping relationship table of all access terminals in the on-board network, thereby ensuring the reliability of data communication between the access terminal and other access terminals.
作为一个实施例,车载控制器在检测到满足所述ARP映射关系表的指定更新条件时,可以对ARP映射关系表进行更新,得到更新后的ARP映射关系表;将更新后的ARP映射关系表发送至车载网络内所有接入终端,以使车载网络内任一接入终端根据更新后的ARP映射关系表进行数据通信。As an embodiment, when the on-board controller detects that the specified update condition of the ARP mapping relationship table is satisfied, it can update the ARP mapping relationship table to obtain the updated ARP mapping relationship table; It is sent to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the updated ARP mapping relationship table.
比如:指定更新条件包括:第二终端接入车载网络,第二终端用于表征任一未接入车载网络的终端;车载控制器会将第二终端的MAC地址和IP地址之间的映射关系添加至ARP映射关系表中,得到更新后的ARP映射关系表,并将更新后的ARP映射关系表发送至车载网络内所有接入终端。For example, the specified update conditions include: the second terminal is connected to the in-vehicle network, and the second terminal is used to represent any terminal that is not connected to the in-vehicle network; the in-vehicle controller will map the MAC address and IP address of the second terminal. Add to the ARP mapping relationship table, obtain the updated ARP mapping relationship table, and send the updated ARP mapping relationship table to all access terminals in the vehicle network.
又比如:指定更新条件包括:第三终端断开车载网络,第三终端用于表征任一已接入车载网络的终端;车载控制器会从ARP映射关系表中删除第三终端的MAC地址和IP地址之间的映射关系,得到更新后的ARP映射关系表,并将更新后的ARP映射关系表发送至车载网络内所有接入终端。Another example: the specified update conditions include: the third terminal is disconnected from the in-vehicle network, and the third terminal is used to represent any terminal that has been connected to the in-vehicle network; the in-vehicle controller will delete the third terminal's MAC address and The mapping relationship between the IP addresses is obtained, and the updated ARP mapping relationship table is obtained, and the updated ARP mapping relationship table is sent to all access terminals in the vehicle network.
可见,车载控制器负责更新ARP映射关系表,并将更新后的ARP映射关系表发 送至车载网络内所有接入终端,这样车载网络内任一接入终端可以根据更新后的ARP映射关系表进行数据通信,进一步保证了接入终端与其他接入终端进行数据通信的可靠性。It can be seen that the on-board controller is responsible for updating the ARP mapping relationship table, and sending the updated ARP mapping relationship table to all access terminals in the on-board network, so that any access terminal in the on-board network can perform operations according to the updated ARP mapping relationship table. Data communication further ensures the reliability of data communication between the access terminal and other access terminals.
As an embodiment, the on-board controller may also use a virtual terminal to detect whether an ARP attack is present in the in-vehicle network; if it determines that an ARP attack is present, it marks the ARP attack device and filters out data whose destination address is the MAC address of the ARP attack device.
For example, as shown in FIG. 4, the virtual terminal broadcasts an ARP request message containing a target IP address, where the target IP address is an IP address known not to exist or the IP address of a known gateway; if an ARP reply message containing a target MAC address is received, it is determined that an ARP attack is present in the in-vehicle network, and the ARP attack device is the device that sent the ARP reply message. No honest host answers for an address that is not assigned, so any reply to a probe for a nonexistent address is evidence of spoofing; for the gateway address, the reply must be compared with the gateway's legitimate MAC address, which is why the gateway has to be known.
It can be seen that the on-board controller can actively use the virtual terminal to lure an attacker into carrying out an ARP attack, determine the attacker's MAC address and restrict the attacker's network access, which enriches the means of defence against ARP attacks.
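The decoy probe described above, as an added example that is not code from the patent. It builds and parses real Ethernet II/ARP frames in the RFC 826 layout so the two probe variants (an address known not to exist, and the gateway address) can be tried against a constructed attacker reply exchanged in memory rather than captured from a NIC. Assumed, not stated in the text: the controller knows the gateway's legitimate MAC address, and the marked device is enforced by dropping frames whose destination MAC is the attacker's.

```python
"""Virtual-terminal ARP decoy: probe, detect, mark, filter.

Added example, not the patent's code. Frames are constructed in memory; the
gateway MAC is assumed known to the controller.
"""
import struct
from typing import Optional

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II header + 28-byte ARP body (Ethernet/IPv4; op 1=request, 2=reply)."""
    dst = BROADCAST if op == 1 else tha
    eth = _mac(dst) + _mac(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": _mac_str(frame[22:28]), "spa": _ip_str(frame[28:32]),
            "tha": _mac_str(frame[32:38]), "tpa": _ip_str(frame[38:42])}


class DecoyProbe:
    def __init__(self, decoy_mac: str, decoy_ip: str, gateway_ip: str, gateway_mac: str):
        self.decoy_mac, self.decoy_ip = decoy_mac, decoy_ip
        self.gateway_ip, self.gateway_mac = gateway_ip, gateway_mac
        self.pending = set()   # target IPs the virtual terminal has asked for
        self.blocked = set()   # MAC addresses marked as ARP attack devices

    def probe(self, target_ip: str) -> bytes:
        """Broadcast an ARP request for a nonexistent address or for the gateway."""
        self.pending.add(target_ip)
        return build_arp(1, self.decoy_mac, self.decoy_ip, "00:00:00:00:00:00", target_ip)

    def inspect_reply(self, frame: bytes) -> Optional[str]:
        """Return the attacker's MAC when the frame is a reply no honest host would send."""
        a = parse_arp(frame)
        if a is None or a["op"] != 2 or a["spa"] not in self.pending:
            return None                       # not a reply to one of our probes
        if a["spa"] == self.gateway_ip and a["sha"] == self.gateway_mac:
            return None                       # the real gateway answering for itself
        self.blocked.add(a["sha"])            # nonexistent IP, or gateway IP with a foreign MAC
        return a["sha"]

    def allow_frame(self, frame: bytes) -> bool:
        """Filter step: drop data whose destination MAC is a marked attacker."""
        return _mac_str(frame[0:6]) not in self.blocked
```

A reply for the nonexistent address is conclusive on its own; the gateway probe is only useful because the controller can tell the legitimate gateway MAC from a foreign one, otherwise the real gateway's answer would be a false positive.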
FIG. 6 is a schematic flowchart of a method for preventing ARP attacks provided by an embodiment of this application; the method can be used on any access terminal in the in-vehicle network. As shown in FIG. 6, the method may include the following steps:
S601、接收车载网络的车载控制器(例如,CDC)发送的ARP映射关系表,该ARP映射关系表包括车载网络内所有接入终端的MAC地址和IP地址之间的映射关系。S601. Receive an ARP mapping relationship table sent by an on-board controller (eg, CDC) of the on-board network, where the ARP mapping relationship table includes the mapping relationship between MAC addresses and IP addresses of all access terminals in the on-board network.
作为一个实施例,如图2所述,接入终端可以通过接收系统接收车载网络的车载控制器的下发系统发送的ARP映射关系表。其中,下发系统可以是第一应用APP,接收系统可以是第二APP,第一APP和第二APP相同。也就是说,下发系统和接收系统可以为同一款应用APP。As an embodiment, as shown in FIG. 2 , the access terminal may receive, through the receiving system, the ARP mapping relationship table sent by the delivery system of the vehicle-mounted controller of the vehicle-mounted network. The delivery system may be the first application APP, the receiving system may be the second APP, and the first APP and the second APP are the same. That is to say, the issuing system and the receiving system can be the same application APP.
S602、根据ARP映射关系表进行数据通信。S602. Perform data communication according to the ARP mapping relationship table.
It can be seen that the on-board controller is responsible for maintaining the ARP mapping relationship table, which contains the mapping between the MAC addresses and IP addresses of all access terminals in the in-vehicle network, and sends it through its delivery system, while the access terminal receives it through its receiving system; this effectively prevents ARP attacks in the in-vehicle network on the transmission path. Moreover, the access terminal carries out data communication according to the ARP mapping relationship table only after it has received the table issued by the on-board controller, so the table for all access terminals in the in-vehicle network is maintained by the on-board controller, which ensures the reliability of data communication between the access terminal and the other access terminals.
作为一个实施例,如图2所述,接入终端还可以通过接收系统接收车载控制器的下发系统发送的更新后的ARP映射关系表。As an embodiment, as shown in FIG. 2 , the access terminal may also receive, through the receiving system, the updated ARP mapping relationship table sent by the delivery system of the vehicle-mounted controller.
It can be seen that the on-board controller is responsible for updating the ARP mapping relationship table and sending the updated table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network can carry out data communication according to the updated table; this further ensures the reliability of data communication between the access terminal and the other access terminals.
作为一个实施例,接入终端为首次接入所述车载网络、且不包括接收系统的设备;该接入终端可以从车载控制器提供的下载页面下载和安装接收系统。As an embodiment, the access terminal is a device that accesses the in-vehicle network for the first time and does not include the receiving system; the access terminal can download and install the receiving system from a download page provided by the in-vehicle controller.
It can be seen that the on-board controller can provide a download method for the access terminal, which ensures that the access terminal receives the ARP mapping relationship table using the receiving system downloaded from the on-board controller; this further effectively prevents ARP attacks in the in-vehicle network on the transmission path.
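The terminal side of the method in FIG. 6 (S601: receive the table from the controller's delivery system; S602: communicate only according to that table, including its updated versions) can be implemented in the receiving system like this. This is an added example, not the patent's code. The page does not say how the delivery channel itself is protected, so the example assumes, as a stand-in, that the controller sends the table as a JSON document with a version number and an HMAC-SHA256 tag under a key provisioned together with the receiving system; without something of that kind an attacker who can reach the terminal could push its own table, which would defeat the scheme.

```python
"""Receiving system on an access terminal: take mappings only from the
controller's table, never from ARP replies seen on the wire.

Added example, not the patent's code. The HMAC-authenticated JSON delivery
format and the shared key are assumptions standing in for the (unspecified)
delivery channel.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


def sign_table(key: bytes, doc: dict) -> Tuple[bytes, bytes]:
    """Controller side of the assumed delivery format: canonical JSON + HMAC tag."""
    payload = json.dumps(doc, sort_keys=True).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).digest()


class ReceivingSystem:
    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._version = -1                    # no table received yet
        self._ip_to_mac: Dict[str, str] = {}
        self.rejected = []                    # (reason, detail) for everything dropped

    # S601: receive the ARP mapping relationship table (initial or updated)
    def receive_table(self, payload: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.rejected.append(("bad-auth", None))
            return False                      # forged or tampered table
        doc = json.loads(payload)
        if doc["version"] <= self._version:
            self.rejected.append(("stale", doc["version"]))
            return False                      # replayed or out-of-order copy
        self._version = doc["version"]
        # table is keyed MAC -> IP; the terminal resolves IP -> MAC
        self._ip_to_mac = {ip: mac.lower() for mac, ip in doc["entries"].items()}
        return True

    # S602: data communication resolves next-hop MACs from the table only
    def resolve(self, ip: str) -> Optional[str]:
        if self._version < 0:
            return None                       # no table yet: no data communication
        return self._ip_to_mac.get(ip)

    # ARP replies arriving on the wire are checked, never installed
    def classify_arp_reply(self, sender_ip: str, sender_mac: str) -> str:
        known = self._ip_to_mac.get(sender_ip)
        if known is None:
            return "unknown"                  # not an attached terminal according to the controller
        if known != sender_mac.lower():
            self.rejected.append(("spoof", (sender_ip, sender_mac)))
            return "spoof"                    # someone claims another terminal's IP
        return "consistent"
```

The version check is what makes the deletion case safe: once the controller removes a disconnected terminal and pushes version N+1, a replayed copy of version N cannot reinstate the stale mapping.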
图7是本申请实施例提供的一种防止ARP攻击的装置的结构示意图,该装置可以 用于车载网络的车载控制器(例如,CDC);如图7所示,该装置可以包括:Fig. 7 is a structural schematic diagram of a device for preventing ARP attacks provided by an embodiment of the present application, and the device can be used for a vehicle-mounted controller (for example, CDC) of a vehicle-mounted network; as shown in Fig. 7, the device can include:
an acquisition module 71, configured to acquire the media access control (MAC) addresses and Internet Protocol (IP) addresses of all access terminals in the in-vehicle network;
生成模块72,用于生成ARP映射关系表,所述ARP映射关系表包括所述车载网络内所有接入终端的MAC地址和IP地址之间的映射关系;A generating module 72, configured to generate an ARP mapping relationship table, where the ARP mapping relationship table includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the vehicle network;
第一发送模块73,用于将所述ARP映射关系表发送至所述车载网络内所有接入终端,以使所述车载网络内任一接入终端根据所述ARP映射关系表进行数据通信。The first sending module 73 is configured to send the ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the ARP mapping relationship table.
作为一个实施例,所述第一发送模块73可以包括:As an embodiment, the first sending module 73 may include:
发送子模块,用于通过所述车载控制器的下发系统将所述ARP映射关系表发送至所述车载网络内所有接入终端的接收系统。The sending submodule is configured to send the ARP mapping relationship table to the receiving systems of all access terminals in the on-board network through the delivery system of the on-board controller.
作为一个实施例,所述下发系统是第一应用APP,所述接收系统是第二APP,所述第一APP和所述第二APP相同。As an embodiment, the sending system is a first application APP, the receiving system is a second APP, and the first APP and the second APP are the same.
作为一个实施例,所述获取模块71可以包括:As an embodiment, the obtaining module 71 may include:
获取子模块,用于利用动态主机配置协议DHCP获取第一终端的MAC地址和IP地址,所述第一终端用于表征所述车载网络内的任一接入终端。The obtaining submodule is used for obtaining the MAC address and IP address of the first terminal by using the dynamic host configuration protocol DHCP, where the first terminal is used to represent any access terminal in the vehicle network.
作为一个实施例,所述获取子模块可以包括:As an embodiment, the obtaining submodule may include:
接收单元,用于接收所述第一终端发送的DHCP地址请求消息,所述地址请求消息包括所述第一终端的MAC地址;a receiving unit, configured to receive a DHCP address request message sent by the first terminal, where the address request message includes the MAC address of the first terminal;
发送单元,用于向所述第一终端发送DHCP地址回复消息,所述地址回复消息包括所述第一终端的IP地址。A sending unit, configured to send a DHCP address reply message to the first terminal, where the address reply message includes the IP address of the first terminal.
作为一个实施例,该防止ARP攻击的装置还可以包括:As an embodiment, the device for preventing ARP attacks may further include:
第一检测模块,用于检测到满足针对所述ARP映射关系表的指定更新条件;a first detection module, configured to detect that a specified update condition for the ARP mapping relationship table is met;
更新模块,用于对所述ARP映射关系表进行更新,得到更新后的ARP映射关系表;an update module for updating the ARP mapping relationship table to obtain the updated ARP mapping relationship table;
a second sending module, configured to send the updated ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network carries out data communication according to the updated ARP mapping relationship table.
作为一个实施例,所述指定更新条件包括:第二终端接入所述车载网络,所述第二终端用于表征任一未接入所述车载网络的终端;所述更新模块包括:As an embodiment, the specified update condition includes: a second terminal accesses the in-vehicle network, and the second terminal is used to represent any terminal that is not connected to the in-vehicle network; the update module includes:
添加子模块,用于将所述第二终端的MAC地址和IP地址之间的映射关系添加至所述ARP映射关系表中,得到所述更新后的ARP映射关系表。The adding submodule is configured to add the mapping relationship between the MAC address and the IP address of the second terminal to the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
作为一个实施例,所述指定更新条件包括:第三终端断开所述车载网络,所述第三终端用于表征任一已接入所述车载网络的终端;所述更新模块包括:As an embodiment, the specified update condition includes: a third terminal disconnects the in-vehicle network, and the third terminal is used to represent any terminal that has accessed the in-vehicle network; the update module includes:
删除子模块,用于从所述ARP映射关系表中删除所述第三终端的MAC地址和IP地址之间的映射关系,得到所述更新后的ARP映射关系表。A deletion sub-module is configured to delete the mapping relationship between the MAC address and the IP address of the third terminal from the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
作为一个实施例,该防止ARP攻击的装置还可以包括:As an embodiment, the device for preventing ARP attacks may further include:
第二检测模块,用于通过所述车载控制器的虚拟终端检测所述车载网络内是否存在ARP攻击;a second detection module, configured to detect whether there is an ARP attack in the vehicle network through the virtual terminal of the vehicle controller;
标记模块,用于若确定所述车载网络内存在ARP攻击,则对ARP攻击设备进行 标记,并过滤掉目标地址为所述ARP攻击设备的MAC地址的数据。The marking module is configured to mark the ARP attack device if it is determined that there is an ARP attack in the vehicle network, and filter out the data whose target address is the MAC address of the ARP attack device.
作为一个实施例,所述第二检测模块包括:As an embodiment, the second detection module includes:
广播子模块,用于通过虚拟终端广播包括目标IP地址的ARP请求消息,所述目标IP地址为已知不存在的IP地址或已知网关的IP地址;A broadcast submodule, configured to broadcast an ARP request message including a target IP address through the virtual terminal, where the target IP address is a known IP address that does not exist or the IP address of a known gateway;
确定子模块,用于若接收到包括目标MAC地址的ARP应答消息,则确定所述车载网络内存在ARP攻击,ARP攻击设备为发送所述ARP应答消息的设备。The determining submodule is configured to determine that an ARP attack exists in the in-vehicle network if an ARP reply message including the target MAC address is received, and the ARP attack device is the device that sends the ARP reply message.
It should be understood that the above apparatus is used to execute the method for preventing ARP attacks in FIG. 5 above; the implementation principles and technical effects of the corresponding program modules in the apparatus are similar to those described for the method in FIG. 5, and for the working process of the apparatus reference may be made to the corresponding process of that method, which is not repeated here.
图8是本申请实施例提供的一种防止ARP攻击的装置的结构示意图,该装置可以用于车载网络内任一接入终端;如图8所示,该装置可以包括:FIG. 8 is a schematic structural diagram of an apparatus for preventing ARP attacks provided by an embodiment of the present application, and the apparatus can be used for any access terminal in a vehicle-mounted network; as shown in FIG. 8 , the apparatus may include:
a first receiving module 81, configured to receive the ARP mapping relationship table sent by the delivery system of the on-board controller (for example, a CDC) of the in-vehicle network, where the ARP mapping relationship table includes the mapping between the MAC addresses and IP addresses of all access terminals in the in-vehicle network;
第一通信模块82,用于根据所述ARP映射关系表进行数据通信。The first communication module 82 is configured to perform data communication according to the ARP mapping relationship table.
As an embodiment, the first receiving module 81 includes:
接收子模块,用于通过所述接入终端的接收系统接收所述车载控制器的下发系统发送的ARP映射关系表。The receiving sub-module is configured to receive, through the receiving system of the access terminal, the ARP mapping relationship table sent by the delivery system of the vehicle-mounted controller.
作为一个实施例,所述下发系统是第一应用APP,所述接收系统是第二APP,所述第一APP和所述第二APP相同。As an embodiment, the sending system is a first application APP, the receiving system is a second APP, and the first APP and the second APP are the same.
作为一个实施例,该防止ARP攻击的装置还可以包括:As an embodiment, the device for preventing ARP attacks may further include:
第二接收模块,用于接收所述车载控制器发送的更新后的ARP映射关系表;The second receiving module is used for receiving the updated ARP mapping relationship table sent by the on-board controller;
第二通信模块,用于根据所述更新后的ARP映射关系表进行数据通信。The second communication module is configured to perform data communication according to the updated ARP mapping relationship table.
As an embodiment, the access terminal is a device that accesses the in-vehicle network for the first time and does not include the receiving system; the apparatus for preventing ARP attacks may further include:
下载安装模块,用于从所述车载控制器提供的下载页面下载和安装所述接收系统。A download and installation module is used to download and install the receiving system from a download page provided by the vehicle-mounted controller.
It should be understood that the above apparatus is used to execute the method for preventing ARP attacks in FIG. 6 above; the implementation principles and technical effects of the corresponding program modules in the apparatus are similar to those described for the method in FIG. 6, and for the working process of the apparatus reference may be made to the corresponding process of that method, which is not repeated here.
图9是本申请实施例提供的一种终端的结构示意图,该终端可以实现上述方法实施例中终端的功能。为了便于说明,图9示意了终端的主要部件,如图9所示:FIG. 9 is a schematic structural diagram of a terminal provided by an embodiment of the present application, where the terminal can implement the functions of the terminal in the foregoing method embodiment. For ease of description, Figure 9 illustrates the main components of the terminal, as shown in Figure 9:
终端包括至少一个处理器611、至少一个收发器612和至少一个存储器613。处理器611、存储器613和收发器612相连。可选的,终端还可以包括输出设备614、输入设备615和一个或多个天线616。天线616与收发器612相连,输出设备614、输入设备615与处理器611相连。The terminal includes at least one processor 611 , at least one transceiver 612 and at least one memory 613 . The processor 611 , the memory 613 and the transceiver 612 are connected. Optionally, the terminal may further include an output device 614 , an input device 615 and one or more antennas 616 . The antenna 616 is connected to the transceiver 612 , and the output device 614 and the input device 615 are connected to the processor 611 .
处理器611主要用于对通信协议以及通信数据进行处理,以及对整个终端进行控制,执行软件程序,处理软件程序的数据。The processor 611 is mainly used to process communication protocols and communication data, control the entire terminal, execute software programs, and process data of the software programs.
作为一种可选的实现方式,所述终端设备可以包括基带处理器和中央处理器。基带处理器主要用于对通信协议以及通信数据进行处理。中央处理器主要用于对整个终端设备进行控制,执行软件程序,处理软件程序的数据。As an optional implementation manner, the terminal device may include a baseband processor and a central processing unit. The baseband processor is mainly used to process communication protocols and communication data. The central processing unit is mainly used to control the entire terminal equipment, execute software programs, and process data of software programs.
图9中的处理器可以集成基带处理器和中央处理器的功能,本领域技术人员可以理解,基带处理器和中央处理器也可以是各自独立的处理器,通过总线等技术互联。本领域技术人员可以理解,终端设备可以包括多个基带处理器以适应不同的网络制式,终端设备可以包括多个中央处理器以增强其处理能力,终端设备的各个部件可以通过各种总线连接。所述基带处理器也可以表述为基带处理电路或者基带处理芯片。所述中央处理器也可以表述为中央处理电路或者中央处理芯片。对通信协议以及通信数据进行处理的功能可以内置在处理器中,也可以以软件程序的形式存储在存储器中,由处理器执行软件程序以实现基带处理功能。The processor in FIG. 9 may integrate the functions of the baseband processor and the central processing unit. Those skilled in the art can understand that the baseband processor and the central processing unit may also be independent processors, interconnected by technologies such as a bus. Those skilled in the art can understand that a terminal device may include multiple baseband processors to adapt to different network standards, a terminal device may include multiple central processors to enhance its processing capability, and various components of the terminal device may be connected through various buses. The baseband processor may also be expressed as a baseband processing circuit or a baseband processing chip. The central processing unit can also be expressed as a central processing circuit or a central processing chip. The function of processing the communication protocol and communication data may be built in the processor, or may be stored in the memory in the form of a software program, and the processor executes the software program to realize the baseband processing function.
The memory 613 is mainly used to store software programs and data. The memory 613 may exist independently and be connected to the processor 611. Optionally, the memory 613 may be integrated with the processor 611, for example within one chip as on-chip memory, or the memory 613 may be an independent storage element; this embodiment of the application does not limit this. The memory 613 can store the program code that implements the technical solutions of the embodiments of this application, with its execution controlled by the processor 611; the various computer program code so executed may also be regarded as driver programs of the processor 611.
The transceiver 612 can be used for conversion between baseband signals and radio frequency signals and for processing of radio frequency signals, and the transceiver 612 may be connected to the antenna 616. The transceiver 612 includes a transmitter (Tx) and a receiver (Rx). Specifically, one or more antennas 616 may receive radio frequency signals; the receiver Rx of the transceiver 612 is configured to receive the radio frequency signals from the antenna, convert them into digital baseband signals or digital intermediate frequency signals, and provide the digital baseband or digital intermediate frequency signals to the processor 611 so that the processor 611 can process them further, for example by demodulation and decoding. In addition, the transmitter Tx in the transceiver 612 is configured to receive the modulated digital baseband or digital intermediate frequency signal from the processor 611, convert it into a radio frequency signal, and send the radio frequency signal through one or more antennas 616.
Specifically, the receiver Rx may selectively perform one or more stages of down-mixing and analog-to-digital conversion on the radio frequency signal to obtain a digital baseband or digital intermediate frequency signal; the order of the down-mixing and the analog-to-digital conversion is adjustable. The transmitter Tx may selectively perform one or more stages of up-mixing and digital-to-analog conversion on the modulated digital baseband or digital intermediate frequency signal to obtain a radio frequency signal; the order of the up-mixing and the digital-to-analog conversion is adjustable. Digital baseband signals and digital intermediate frequency signals may be collectively referred to as digital signals. Optionally, the transmitter Tx and the receiver Rx may be implemented by different physical structures/circuits, or by the same physical structure/circuit, that is, the transmitter Tx and the receiver Rx may be integrated together.
The transceiver may also be referred to as a transceiver unit, a transceiver machine, a transceiver apparatus, or the like. Optionally, the component of the transceiver unit that implements the receiving function may be regarded as a receiving unit and the component that implements the sending function as a sending unit, that is, the transceiver unit includes a receiving unit and a sending unit; the receiving unit may also be called a receiver, an input port, a receiving circuit, or the like, and the sending unit may be called a transmitter, an emitter, a transmitting circuit, or the like. Alternatively, the combination of the Tx, the Rx and the antenna may be referred to as the transceiver.
The output device 614 displays information in various ways. For example, the output device 614 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, or the like. The input device 615 may accept user input in various ways. For example, the input device 615 may be a mouse, a keyboard, a touch screen device, a sensing device, or the like.
An embodiment of this application also provides a communication system, including an on-board controller and one or more access terminals; the on-board controller can execute the method for preventing ARP attacks on the on-board controller side, and the access terminal can execute the method for preventing ARP attacks on the terminal side.
本申请实施例还提供了一种计算机存储介质,该计算机存储介质包括计算机指令,当计算机指令在车载控制器上运行时,使得车载控制器可以执行用于车载控制器侧的防止ARP攻击的方法。Embodiments of the present application further provide a computer storage medium, where the computer storage medium includes computer instructions, when the computer instructions are executed on the vehicle-mounted controller, the vehicle-mounted controller can execute the method for preventing ARP attacks on the vehicle-mounted controller side .
本申请实施例还提供了一种计算机存储介质,该计算机存储介质包括计算机指令,当计算机指令在接入终端上运行时,使得接入终端可以执行用于终端侧的防止ARP攻击的方法。Embodiments of the present application also provide a computer storage medium, where the computer storage medium includes computer instructions, when the computer instructions are executed on the access terminal, the access terminal can execute the method for preventing ARP attacks on the terminal side.
可以理解的是,本申请的实施例中的处理器可以是中央处理单元(central processing unit,CPU),还可以是其他通用处理器、数字信号处理器(digital signal processor,DSP)、专用集成电路(application specific integrated circuit,ASIC)、现场可编程门阵列(field programmable gate array,FPGA)或者其他可编程逻辑器件、晶体管逻辑器件,硬件部件或者其任意组合。通用处理器可以是微处理器,也可以是任何常规的处理器。It can be understood that the processor in the embodiments of the present application may be a central processing unit (central processing unit, CPU), and may also be other general-purpose processors, digital signal processors (digital signal processors, DSP), application-specific integrated circuits (application specific integrated circuit, ASIC), field programmable gate array (field programmable gate array, FPGA) or other programmable logic devices, transistor logic devices, hardware components or any combination thereof. A general-purpose processor may be a microprocessor or any conventional processor.
本申请的实施例中的方法步骤可以通过硬件的方式来实现,也可以由处理器执行软件指令的方式来实现。软件指令可以由相应的软件模块组成,软件模块可以被存放于随机存取存储器(random access memory,RAM)、闪存、只读存储器(read-only memory,ROM)、可编程只读存储器(programmable rom,PROM)、可擦除可编程只读存储器(erasable PROM,EPROM)、电可擦除可编程只读存储器(electrically EPROM,EEPROM)、寄存器、硬盘、移动硬盘、CD-ROM或者本领域熟知的任何其它形式的存储介质中。一种示例性的存储介质耦合至处理器,从而使处理器能够从该存储介质读取信息,且可向该存储介质写入信息。当然,存储介质也可以是处理器的组成部分。处理器和存储介质可以位于ASIC中。The method steps in the embodiments of the present application may be implemented in a hardware manner, or may be implemented in a manner in which a processor executes software instructions. Software instructions can be composed of corresponding software modules, and software modules can be stored in random access memory (RAM), flash memory, read-only memory (ROM), programmable read-only memory (programmable rom) , PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM), registers, hard disks, removable hard disks, CD-ROMs or known in the art in any other form of storage medium. An exemplary storage medium is coupled to the processor, such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium can also be an integral part of the processor. The processor and storage medium may reside in an ASIC.
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机程序指令时,全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者通过所述计算机可读存储介质进行传输。所述计算机指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例 如,DVD)、或者半导体介质(例如固态硬盘(solid state disk,SSD))等。In the above-mentioned embodiments, it may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, it can be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of the present application are generated. The computer may be a general purpose computer, special purpose computer, computer network, or other programmable device. The computer instructions may be stored in or transmitted over a computer-readable storage medium. The computer instructions can be sent from one website site, computer, server, or data center to another website site by wire (eg, coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (eg, infrared, wireless, microwave, etc.) , computer, server or data center. The computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that includes an integration of one or more available media. The usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVDs), or semiconductor media (eg, solid state disks (SSDs)), and the like.
可以理解的是,在本申请的实施例中涉及的各种数字编号仅为描述方便进行的区分,并不用来限制本申请的实施例的范围。It can be understood that, the various numbers and numbers involved in the embodiments of the present application are only for the convenience of description, and are not used to limit the scope of the embodiments of the present application.

Claims (35)

  1. 一种防止ARP攻击的方法,其特征在于,所述方法用于车载网络的车载控制器,包括:A method for preventing ARP attacks, characterized in that the method is used in a vehicle-mounted controller of a vehicle-mounted network, comprising:
acquiring the media access control (MAC) addresses and Internet Protocol (IP) addresses of all access terminals in the in-vehicle network;
    生成ARP映射关系表,所述ARP映射关系表包括所述车载网络内所有接入终端的MAC地址和IP地址之间的映射关系;generating an ARP mapping relationship table, where the ARP mapping relationship table includes the mapping relationship between the MAC addresses and IP addresses of all access terminals in the vehicle network;
    将所述ARP映射关系表发送至所述车载网络内所有接入终端,以使所述车载网络内任一接入终端根据所述ARP映射关系表进行数据通信。Sending the ARP mapping relationship table to all access terminals in the vehicle network, so that any access terminal in the vehicle network performs data communication according to the ARP mapping relationship table.
  2. 根据权利要求1所述的方法,其特征在于,所述将所述ARP映射关系表发送至所述车载网络内所有接入终端,包括:The method according to claim 1, wherein the sending the ARP mapping relationship table to all access terminals in the in-vehicle network comprises:
    通过所述车载控制器的下发系统将所述ARP映射关系表发送至所述车载网络内所有接入终端的接收系统。The ARP mapping relationship table is sent to the receiving systems of all access terminals in the in-vehicle network through the issuing system of the in-vehicle controller.
  3. 根据权利要求2所述的方法,其特征在于,所述下发系统是第一应用APP,所述接收系统是第二APP,所述第一APP和所述第二APP相同。The method according to claim 2, wherein the sending system is a first application APP, the receiving system is a second APP, and the first APP and the second APP are the same.
  4. 根据权利要求1所述的方法,其特征在于,所述获取所述车载网络内所有接入终端的MAC地址和IP地址,包括:The method according to claim 1, wherein the acquiring the MAC addresses and IP addresses of all access terminals in the in-vehicle network comprises:
    obtaining the MAC address and IP address of a first terminal by using the Dynamic Host Configuration Protocol (DHCP), where the first terminal represents any access terminal in the in-vehicle network.
  5. The method according to claim 4, wherein obtaining the MAC address and IP address of the first terminal by using DHCP comprises:
    receiving a DHCP address request message sent by the first terminal, where the address request message includes the MAC address of the first terminal;
    sending a DHCP address reply message to the first terminal, where the address reply message includes the IP address of the first terminal.
  6. The method according to claim 1, further comprising:
    detecting that a specified update condition for the ARP mapping relationship table is met;
    updating the ARP mapping relationship table to obtain an updated ARP mapping relationship table;
    sending the updated ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the updated ARP mapping relationship table.
  7. The method according to claim 6, wherein the specified update condition comprises: a second terminal accessing the in-vehicle network, where the second terminal represents any terminal that has not accessed the in-vehicle network;
    updating the ARP mapping relationship table to obtain the updated ARP mapping relationship table comprises:
    adding the mapping relationship between the MAC address and IP address of the second terminal to the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
  8. The method according to claim 6, wherein the specified update condition comprises: a third terminal disconnecting from the in-vehicle network, where the third terminal represents any terminal that has accessed the in-vehicle network;
    updating the ARP mapping relationship table to obtain the updated ARP mapping relationship table comprises:
    deleting the mapping relationship between the MAC address and IP address of the third terminal from the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
  9. The method according to claim 1, further comprising:
    detecting, through a virtual terminal of the in-vehicle controller, whether an ARP attack exists in the in-vehicle network;
    if it is determined that an ARP attack exists in the in-vehicle network, marking the ARP attack device and filtering out data whose destination address is the MAC address of the ARP attack device.
  10. The method according to claim 9, wherein detecting, through the virtual terminal of the in-vehicle controller, whether an ARP attack exists in the in-vehicle network comprises:
    broadcasting, through the virtual terminal, an ARP request message that includes a target IP address, where the target IP address is an IP address known not to exist or the IP address of a known gateway;
    if an ARP reply message including a target MAC address is received, determining that an ARP attack exists in the in-vehicle network, where the ARP attack device is the device that sent the ARP reply message.
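As an added illustration of the controller-side procedure of claims 1 to 10, the following Python model is example code written for this page, not the patent's own implementation. It assumes in-memory structures for the DHCP exchange, the ARP mapping relationship table and the probe replies, uses constructed sample addresses, and adds one assumption the claims leave open: for a probe of the known gateway IP, the gateway's real MAC is known, so only a reply that claims the gateway IP from a different MAC is treated as spoofed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample addresses; none of these values come from the patent text.
GATEWAY_IP = "192.168.10.1"
GATEWAY_MAC = "02:00:00:00:00:01"


@dataclass
class DhcpLease:
    """Model of the DHCP request/reply pair of claim 5: the request carries the
    terminal's MAC address, the reply carries the IP address assigned to it."""
    mac: str
    ip: str


@dataclass
class ArpReply:
    """Fields of an ARP reply the virtual terminal may observe after its probe."""
    sender_mac: str
    sender_ip: str


class VehicleController:
    """Hypothetical controller-side implementation of claims 1 to 10."""

    def __init__(self, gateway_ip: str, gateway_mac: str) -> None:
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac
        # ARP mapping relationship table, IP -> MAC (claims 1, 2). Assumption:
        # the gateway entry is included so terminals can reach the gateway.
        self.arp_table: Dict[str, str] = {gateway_ip: gateway_mac}
        self.blocked_macs: Set[str] = set()     # devices marked under claim 9
        self.table_version = 0
        self.pushed_tables: List[Dict[str, str]] = []  # every table sent out

    def _push_table(self) -> Dict[str, str]:
        """Send the current table to all access terminals (claims 3 and 6)."""
        self.table_version += 1
        snapshot = dict(self.arp_table)
        self.pushed_tables.append(snapshot)
        return snapshot

    def on_dhcp_lease(self, lease: DhcpLease) -> Dict[str, str]:
        """A terminal joined and obtained an address via DHCP (claims 4, 5, 7)."""
        self.arp_table[lease.ip] = lease.mac
        return self._push_table()

    def on_disconnect(self, mac: str) -> Dict[str, str]:
        """A terminal left the network: drop its mapping (claim 8)."""
        for ip in [ip for ip, m in self.arp_table.items() if m == mac]:
            del self.arp_table[ip]
        return self._push_table()

    def probe(self, target_ip: str, replies: List[ArpReply]) -> Set[str]:
        """Evaluate the virtual terminal's probe of claim 10.

        The virtual terminal has broadcast an ARP request for target_ip, which is
        either an IP known not to exist or the known gateway IP; the replies seen
        on the link are passed in. Returns the MAC addresses judged to be attacking
        and marks them (claim 9)."""
        attackers: Set[str] = set()
        for r in replies:
            if r.sender_ip != target_ip:
                continue  # reply for some other address; not part of this probe
            if target_ip == self.gateway_ip:
                # Assumption: the real gateway MAC is known, so only a reply
                # claiming the gateway IP from another MAC is a spoof.
                if r.sender_mac != self.gateway_mac:
                    attackers.add(r.sender_mac)
            elif target_ip not in self.arp_table:
                # No device legitimately owns this IP, so any reply is a spoof.
                attackers.add(r.sender_mac)
        for mac in attackers:
            self.mark_attacker(mac)
        return attackers

    def mark_attacker(self, mac: str) -> None:
        """Claim 9: mark the device so traffic addressed to it is dropped."""
        self.blocked_macs.add(mac)

    def should_forward(self, dst_mac: str) -> bool:
        """Claim 9 filter: frames whose destination MAC is marked are dropped."""
        return dst_mac not in self.blocked_macs
```

Because the table is distributed by the controller rather than learned from ARP traffic, a terminal has no reason to cache a reply it never requested; the probe is what lets the controller notice a device answering for an address it does not own, and `should_forward()` is the filter of claim 9 applied to the marked MAC.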
  11. A method for preventing an ARP attack, wherein the method is used by any access terminal in an in-vehicle network and comprises:
    receiving an ARP mapping relationship table sent by an in-vehicle controller of the in-vehicle network, where the ARP mapping relationship table includes mapping relationships between the MAC addresses and IP addresses of all access terminals in the in-vehicle network;
    performing data communication according to the ARP mapping relationship table.
  12. The method according to claim 11, wherein receiving the ARP mapping relationship table sent by the in-vehicle controller of the in-vehicle network comprises:
    receiving, through a receiving system of the access terminal, the ARP mapping relationship table sent by a delivery system of the in-vehicle controller.
  13. The method according to claim 12, wherein the delivery system is a first application (APP), the receiving system is a second APP, and the first APP and the second APP are the same.
  14. The method according to claim 11, further comprising:
    receiving an updated ARP mapping relationship table sent by the in-vehicle controller;
    performing data communication according to the updated ARP mapping relationship table.
  15. The method according to claim 12 or 13, wherein the access terminal is a device that accesses the in-vehicle network for the first time and does not include the receiving system; the method further comprises:
    downloading and installing the receiving system from a download page provided by the in-vehicle controller.
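To show the terminal side of claims 11 to 14, the following added example (hypothetical code written for this page, not the patent's) models an access terminal that installs the controller's table and resolves destinations only from it. The version counter and the handling of ARP replies seen on the link are assumptions: the claims say only that the terminal communicates according to the received table.

```python
from typing import Dict, Optional


class AccessTerminal:
    """Hypothetical terminal-side implementation of claims 11 to 14.

    The terminal never learns MAC/IP pairs from ARP traffic; it resolves
    destinations solely from the table the in-vehicle controller delivered."""

    def __init__(self) -> None:
        self.arp_table: Dict[str, str] = {}  # IP -> MAC, exactly as delivered
        self.table_version = 0               # assumed: controller numbers each push
        self.conflicting_replies = 0         # replies that contradicted the table

    def receive_table(self, table: Dict[str, str], version: int) -> bool:
        """Claims 11 and 14: install a table, or an updated table, from the controller.

        Only a table newer than the installed one is accepted, so a replayed older
        table cannot undo a deletion (assumed versioning, not in the claims)."""
        if version <= self.table_version:
            return False
        self.arp_table = dict(table)
        self.table_version = version
        return True

    def resolve(self, ip: str) -> Optional[str]:
        """Look a destination up in the delivered table; None if it is absent."""
        return self.arp_table.get(ip)

    def on_arp_reply(self, sender_ip: str, sender_mac: str) -> bool:
        """Handle an ARP reply observed on the link.

        Because the delivered table is authoritative, a reply is never used to add
        or change an entry. A reply that contradicts the table, or names an IP the
        table does not contain, is counted (so it could be reported) and ignored."""
        if self.arp_table.get(sender_ip) == sender_mac:
            return True
        self.conflicting_replies += 1
        return False

    def build_frame(self, dst_ip: str, payload: bytes) -> Optional[dict]:
        """Claim 11: data communication according to the table. Returns the frame
        header fields, or None when the destination is not in the table."""
        dst_mac = self.resolve(dst_ip)
        if dst_mac is None:
            return None
        return {"dst_mac": dst_mac, "dst_ip": dst_ip, "payload": payload}
```

The point the model makes is that a spoofed reply has nowhere to land: `on_arp_reply()` neither creates nor overwrites an entry, and `build_frame()` uses only what the controller distributed, so the usual cache-poisoning path is closed on the terminal side.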
  16. An apparatus for preventing an ARP attack, wherein the apparatus is used by an in-vehicle controller of an in-vehicle network and comprises:
    an acquisition module, configured to acquire the Media Access Control (MAC) addresses and Internet Protocol (IP) addresses of all access terminals in the in-vehicle network;
    a generation module, configured to generate an ARP mapping relationship table, where the ARP mapping relationship table includes mapping relationships between the MAC addresses and IP addresses of all access terminals in the in-vehicle network;
    a first sending module, configured to send the ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the ARP mapping relationship table.
  17. The apparatus according to claim 16, wherein the first sending module comprises:
    a sending submodule, configured to send the ARP mapping relationship table to the receiving systems of all access terminals in the in-vehicle network through a delivery system of the in-vehicle controller.
  18. The apparatus according to claim 17, wherein the delivery system is a first application (APP), the receiving system is a second APP, and the first APP and the second APP are the same.
  19. The apparatus according to claim 16, wherein the acquisition module comprises:
    an acquisition submodule, configured to obtain the MAC address and IP address of a first terminal by using the Dynamic Host Configuration Protocol (DHCP), where the first terminal represents any access terminal in the in-vehicle network.
  20. The apparatus according to claim 19, wherein the acquisition submodule comprises:
    a receiving unit, configured to receive a DHCP address request message sent by the first terminal, where the address request message includes the MAC address of the first terminal;
    a sending unit, configured to send a DHCP address reply message to the first terminal, where the address reply message includes the IP address of the first terminal.
  21. The apparatus according to claim 16, further comprising:
    a first detection module, configured to detect that a specified update condition for the ARP mapping relationship table is met;
    an update module, configured to update the ARP mapping relationship table to obtain an updated ARP mapping relationship table;
    a second sending module, configured to send the updated ARP mapping relationship table to all access terminals in the in-vehicle network, so that any access terminal in the in-vehicle network performs data communication according to the updated ARP mapping relationship table.
  22. The apparatus according to claim 21, wherein the specified update condition comprises: a second terminal accessing the in-vehicle network, where the second terminal represents any terminal that has not accessed the in-vehicle network; and the update module comprises:
    an adding submodule, configured to add the mapping relationship between the MAC address and IP address of the second terminal to the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
  23. The apparatus according to claim 21, wherein the specified update condition comprises: a third terminal disconnecting from the in-vehicle network, where the third terminal represents any terminal that has accessed the in-vehicle network; and the update module comprises:
    a deletion submodule, configured to delete the mapping relationship between the MAC address and IP address of the third terminal from the ARP mapping relationship table to obtain the updated ARP mapping relationship table.
  24. The apparatus according to claim 16, further comprising:
    a second detection module, configured to detect, through a virtual terminal of the in-vehicle controller, whether an ARP attack exists in the in-vehicle network;
    a marking module, configured to, if it is determined that an ARP attack exists in the in-vehicle network, mark the ARP attack device and filter out data whose destination address is the MAC address of the ARP attack device.
  25. The apparatus according to claim 24, wherein the second detection module comprises:
    a broadcast submodule, configured to broadcast, through the virtual terminal, an ARP request message that includes a target IP address, where the target IP address is an IP address known not to exist or the IP address of a known gateway;
    a determination submodule, configured to, if an ARP reply message including a target MAC address is received, determine that an ARP attack exists in the in-vehicle network, where the ARP attack device is the device that sent the ARP reply message.
  26. An apparatus for preventing an ARP attack, wherein the apparatus is used by any access terminal in an in-vehicle network and comprises:
    a first receiving module, configured to receive an ARP mapping relationship table sent by an in-vehicle controller of the in-vehicle network, where the ARP mapping relationship table includes mapping relationships between the MAC addresses and IP addresses of all access terminals in the in-vehicle network;
    a first communication module, configured to perform data communication according to the ARP mapping relationship table.
  27. The apparatus according to claim 26, wherein the first receiving module comprises:
    a receiving submodule, configured to receive, through a receiving system of the access terminal, the ARP mapping relationship table sent by a delivery system of the in-vehicle controller.
  28. The apparatus according to claim 27, wherein the delivery system is a first application (APP), the receiving system is a second APP, and the first APP and the second APP are the same.
  29. The apparatus according to claim 26, further comprising:
    a second receiving module, configured to receive an updated ARP mapping relationship table sent by the in-vehicle controller;
    a second communication module, configured to perform data communication according to the updated ARP mapping relationship table.
  30. The apparatus according to claim 27 or 28, wherein the access terminal is a device that accesses the in-vehicle network for the first time and does not include the receiving system; the apparatus further comprises:
    a download and installation module, configured to download and install the receiving system from a download page provided by the in-vehicle controller.
  31. An apparatus for preventing an ARP attack, wherein the apparatus is used by an in-vehicle controller of an in-vehicle network and comprises a processor, a memory and a transceiver;
    the memory is configured to store computer instructions;
    when the apparatus runs, the processor executes the computer instructions so that the apparatus performs the method according to any one of claims 1 to 10.
  32. An apparatus for preventing an ARP attack, wherein the apparatus is used by any access terminal in an in-vehicle network and comprises a processor, a memory and a transceiver;
    the memory is configured to store computer instructions;
    when the apparatus runs, the processor executes the computer instructions so that the apparatus performs the method according to any one of claims 11 to 15.
  33. A communication system, comprising an in-vehicle controller and one or more access terminals;
    wherein the in-vehicle controller includes the apparatus according to any one of claims 16 to 25, and the access terminal includes the apparatus according to any one of claims 26 to 30.
  34. A computer storage medium, wherein the computer storage medium includes computer instructions that, when run on an in-vehicle controller of an in-vehicle network, cause the in-vehicle controller to perform the method according to any one of claims 1 to 10.
  35. A computer storage medium, wherein the computer storage medium includes computer instructions that, when run on a terminal device in an in-vehicle network, cause the terminal device to perform the method according to any one of claims 11 to 15.

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2020/141602 WO2022141243A1 (en) 2020-12-30 2020-12-30 Method and apparatus for preventing arp attack, and system
CN202080004589.6A CN112789840A (en) 2020-12-30 2020-12-30 Method, device and system for preventing ARP attack

Publications (1)

Publication Number Publication Date
WO2022141243A1 (en) 2022-07-07

Family

ID=75753987

Country Status (2)

Country Link
CN (1) CN112789840A (en)
WO (1) WO2022141243A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115208606A (en) * 2022-03-28 2022-10-18 深圳铸泰科技有限公司 Method, system and storage medium for implementing network security protection

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101635713A (en) * 2009-06-09 2010-01-27 北京安天电子设备有限公司 Method and system for preventing local area network ARP defection attacks
CN105530330A (en) * 2015-12-07 2016-04-27 中国电子科技集团公司第十研究所 Method for improving operation efficiency of ARP protocol in space information network
CN110062061A (en) * 2019-04-29 2019-07-26 清华大学 Address resolution mapping method based on IP/MAC exchange
US20200389436A1 (en) * 2018-11-05 2020-12-10 Sumitomo Electric Industries, Ltd. On-vehicle communication device, communication control method, and communication control program

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100493009C (en) * 2003-10-29 2009-05-27 华为技术有限公司 Method for preventing main computer from being counterfeited in IP ethernet
US7471684B2 (en) * 2004-10-21 2008-12-30 International Machines Corporation Preventing asynchronous ARP cache poisoning of multiple hosts
CN101175080A (en) * 2007-07-26 2008-05-07 杭州华三通信技术有限公司 Method and system for preventing ARP message attack
CN101179566B (en) * 2007-11-24 2012-08-15 华为技术有限公司 Method and apparatus for preventing ARP packet attack
CN101616131A (en) * 2008-06-24 2009-12-30 重庆广用通信技术有限责任公司 A kind of method of defensing attack of Arp virus
CN108574673A (en) * 2017-03-10 2018-09-25 武汉安天信息技术有限责任公司 ARP message aggression detection method and device applied to gateway
CN108234522B (en) * 2018-03-01 2021-01-22 深圳市共进电子股份有限公司 Method and device for preventing Address Resolution Protocol (ARP) attack, computer equipment and storage medium

Also Published As

Publication number Publication date
CN112789840A (en) 2021-05-11

Legal Events

Date Code Title Description
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20967584; Country of ref document: EP; Kind code of ref document: A1)