CN102571816A - Method and system for preventing attack caused by neighbor learning - Google Patents


Info

Publication number: CN102571816A
Authority: CN (China)
Prior art keywords: neighbor, message, binding information, binding, dhcpv6
Legal status: Granted
Application number: CN2012100340076A
Other languages: Chinese (zh)
Other versions: CN102571816B (en)
Inventor: 梁小冰
Current assignees: Beijing Shenzhou Digital Cloud Information Technology Co ltd; Shenzhou Kuntai Xiamen Information Technology Co ltd
Original assignee: Digital China Networks Beijing Co Ltd
Application filed by Digital China Networks Beijing Co Ltd
Priority to CN201210034007.6A
Publication of CN102571816A
Application granted
Publication of CN102571816B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method for preventing neighbor learning attacks. The method comprises the following steps: a threshold for the number of INCOMPLETE-state neighbor entries allowed on a convergence (aggregation) switch is set; an access switch monitors a client's DHCPv6 (Dynamic Host Configuration Protocol for IPv6) request process by DHCPv6 snooping, creates and stores binding information, and sends the binding information to the convergence switch; the convergence switch receives the binding information and stores it in a binding information table; when forwarding an IPv6 (Internet Protocol Version 6) packet, if no link-layer address corresponding to the packet's destination address exists, the convergence switch checks whether the number of INCOMPLETE neighbor entries in its neighbor table has reached the threshold; if it has not, a neighbor solicitation message is sent to the neighbor node; if it has, the switch checks whether the neighbor node's address is in the binding information table, sends a neighbor solicitation message if it is, and does not send one if it is not. The method and system effectively solve the problem of neighbor learning attacks in IPv6 networks.

Description

Method and system for preventing neighbor learning attacks
Technical field
The present invention relates to the field of computer data communication, and in particular to a method and system for preventing neighbor learning attacks.
Background technology
At present, viruses and Internet worms are among the most troublesome attacks. Their way of spreading, however, is no longer practical in an IPv6 (Internet Protocol Version 6) network: the host part of an IPv6 address is normally 64 bits, so the number of hosts that one IPv6 segment can hold is far larger than that of an IPv4 (Internet Protocol Version 4) segment, and viruses and worms that rely on address scanning have little scope in an IPv6 network.
The larger IPv6 address space can, however, be exploited by a remote malicious attacker. The attacker sends a large number of packets whose destination addresses belong to an IPv6 segment but do not actually exist in that network. When these packets arrive at the last-hop router, they make the router perform a large number of neighbor learning operations and generate a large number of invalid neighbor entries. This not only increases the load on the router's processor (CPU) but also prevents legitimate neighbor entries from being created; it is in fact a denial-of-service attack. The attack targets only global unicast addresses and does not apply to link-local addresses. Here, neighbor learning means the following: a node sends its own address configuration information, such as its link-layer address (Link-Layer Address), full IP address and node name, to other nodes in the network in a neighbor solicitation message of the Neighbor Discovery Protocol (called a neighbor request message in the original); the node that receives the neighbor solicitation returns its own configuration information, such as its link-layer address, full IP address and node name, to the sender in a neighbor advertisement message of the Neighbor Discovery Protocol. In this way the sending node and the other nodes in the network learn each other's address configuration information and perform the normal neighbor table operations accordingly, for example adding the peer's address configuration information to their own neighbor table as a new neighbor entry, or modifying an existing neighbor entry, which completes neighbor learning.
Summary of the invention
In view of the above technical problem, the object of the present invention is to provide a method and system for preventing neighbor learning attacks, which effectively solves the problem of neighbor learning attacks in IPv6 networks.
To achieve the above object, the present invention is realized through the following technical scheme:
A method for preventing neighbor learning attacks, the method comprising the following steps:
A. A threshold for the number of INCOMPLETE-state neighbor entries allowed on the convergence switch is set;
B. The access switch monitors the client's DHCPv6 request process by DHCPv6 snooping, creates and stores binding information, and sends this binding information to the convergence switch;
C. The convergence switch receives the binding information and stores it in a binding information table;
D. When forwarding an IPv6 packet, if no link-layer address corresponding to the packet's destination address exists, the convergence switch checks whether the number of INCOMPLETE neighbor entries in its neighbor table has reached the threshold; if it has not, it sends a neighbor solicitation message to the neighbor node; if it has, it queries whether the address of the neighbor node is in the binding information table, sends a neighbor solicitation message if it is, and does not send one if it is not;
E. After the convergence switch receives the neighbor advertisement message corresponding to the neighbor solicitation message, it decrements the number of INCOMPLETE neighbor entries in its neighbor table by 1.
In particular, step B also comprises:
The access switch issues to the switching chip a rule that redirects DHCPv6 messages to the switch's processor; after the switching chip receives a DHCPv6 message, it does not forward it in hardware but redirects it to the access switch's processor, which parses and forwards the message in software.
In particular, step B further comprises:
The access switch adds the binding information to a DHCPv6 snooping binding message, encrypts and hashes the binding message, and then sends the binding information to the convergence switch according to the address, configured on the access switch, of the convergence switch that receives binding information.
In particular, step C specifically comprises:
The convergence switch parses the binding information carried in the DHCPv6 snooping binding message and stores it in a local binding information table, where the binding messages are those sent in by all access switches connected to the convergence switch.
In particular, in step D, if the number of INCOMPLETE neighbor entries in the neighbor table has not reached the threshold, a neighbor solicitation message is sent to the neighbor node, a neighbor entry is inserted into the neighbor table with its state set to INCOMPLETE, and the number of INCOMPLETE neighbor entries in the table is incremented by 1.
In particular, step E specifically further comprises:
The convergence switch queries the neighbor table according to the destination address in the IPv6 header of the neighbor advertisement message; if a neighbor entry corresponding to that destination address is found, the link-layer address of the entry is updated to the link-layer address carried in the neighbor advertisement message, the state of the entry is set to REACHABLE, and the number of INCOMPLETE neighbor entries in the neighbor table is decremented by 1.
The invention also discloses a system for preventing neighbor learning attacks, the system comprising:
an access switch, connected to clients, which monitors the client's DHCPv6 request process by DHCPv6 snooping, creates and stores binding information, and sends this binding information to the convergence switch;
a convergence switch, connected to the access switch, on which a threshold for the number of allowed INCOMPLETE neighbor entries is set and which stores received binding information in a binding information table. When forwarding an IPv6 packet, if no link-layer address corresponding to the packet's destination address exists, the convergence switch checks whether the number of INCOMPLETE neighbor entries in its neighbor table has reached the threshold; if it has not, it sends a neighbor solicitation message to the neighbor node, inserts a neighbor entry into the neighbor table with its state set to INCOMPLETE, and increments the number of INCOMPLETE neighbor entries by 1; if it has, it queries whether the address of the neighbor node is in the binding information table, does not send a neighbor solicitation message if it is not, and sends one if it is.
In particular, the access switch is also specifically used to:
issue to the switching chip a rule that redirects DHCPv6 messages to the switch's processor, so that after the switching chip receives a DHCPv6 message it does not forward it in hardware but redirects it to the access switch's processor, which parses and forwards the message in software; add the binding information to a DHCPv6 snooping binding message, encrypt and hash the binding message, and then send the binding information to the convergence switch according to the address, configured on the access switch, of the convergence switch that receives binding information.
In particular, the convergence switch is also used to:
parse the binding information carried in the DHCPv6 snooping binding message and store it in a local binding information table, where the binding messages are those sent in by all access switches connected to the convergence switch.
In particular, the convergence switch is also specifically used to:
query the neighbor table according to the destination address in the IPv6 header of the received neighbor advertisement message that corresponds to the neighbor solicitation message; if a neighbor entry corresponding to that destination address is found, update the link-layer address of the entry to the link-layer address carried in the neighbor advertisement message, set the state of the entry to REACHABLE, and decrement the number of INCOMPLETE neighbor entries in the neighbor table by 1.
The beneficial effect of the present invention is that the method and system for preventing neighbor learning attacks set a threshold for the number of INCOMPLETE neighbor entries allowed on the convergence switch and, once the number of INCOMPLETE neighbor entries in the neighbor table exceeds that threshold, judge the reachability of a neighbor node against the binding information table obtained by DHCPv6 snooping. This avoids large-scale neighbor learning triggered by malicious packets and effectively solves the problem of neighbor learning attacks in IPv6 networks.
Description of drawings
Fig. 1 is a flow chart of the method for preventing neighbor learning attacks provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of the DHCPv6 snooping binding message format provided by an embodiment of the invention;
Fig. 3 is a flow chart of the convergence switch's processing of INCOMPLETE-state neighbor entries provided by an embodiment of the invention;
Fig. 4 is a block diagram of the system for preventing neighbor learning attacks provided by an embodiment of the invention.
Embodiment
To make the object, technical scheme and advantages of the invention clearer, the invention is further described below with reference to the drawings and embodiments.
Please refer to Fig. 1, which is a flow chart of the method for preventing neighbor learning attacks provided by an embodiment of the invention.
The method for preventing neighbor learning attacks in this embodiment comprises the following steps:
Step 101: set the threshold for the number of INCOMPLETE (Incomplete) state neighbor entries allowed on the convergence switch. On the convergence switch, enable the function for preventing neighbor learning attacks based on DHCPv6 (Dynamic Host Configuration Protocol for IPv6) snooping (SNOOPING), and set the threshold for the number of INCOMPLETE neighbor entries this convergence switch allows.
Step 102: enable DHCPv6 snooping on the access switch, set the trusted port, and configure the address of the convergence switch that receives the binding information.
After DHCPv6 snooping is enabled, the access switch issues to the switching chip a rule that redirects DHCPv6 messages to the switch's processor (CPU); after the switching chip receives a DHCPv6 message, it does not forward it in hardware but redirects it to the access switch's processor, which parses and forwards the message in software.
Step 103: the access switch monitors the client's DHCPv6 request process by DHCPv6 snooping.
The specific snooping process is as follows:
(1) When the access switch captures a DHCPv6 request message from a client through DHCPv6 snooping, it looks up the access switch's binding table by the source medium access control (MAC) address. If the MAC address is in the binding table, the DHCPv6 request message is forwarded out of the trusted port; otherwise the access switch first creates a temporary REQUEST binding table entry recording the client's MAC address and the Transaction-ID, port and VLAN (Virtual Local Area Network) of the DHCPv6 request message, and then forwards the DHCPv6 request message out of the trusted port.
(2) When the access switch captures the DHCPv6 response message for the client through DHCPv6 snooping, it parses the Transaction-ID, the IPv6 address assigned by IANA (Internet Assigned Numbers Authority) and the valid lifetime from the DHCPv6 response message, and looks up the REQUEST binding table by the Transaction-ID. If a matching Transaction-ID exists, it creates a binding information entry recording the MAC address, IPv6 address, lease time, VLAN number and port number of the client (i.e. the DHCPv6 client).
Step 104: the access switch adds the binding information it has created and stored to a DHCPv6 snooping (SNOOPING) binding message, encrypts and hashes the binding message, and then sends the binding information to the convergence switch according to the address, configured on the access switch, of the convergence switch that receives binding information.
The DHCPv6 snooping binding messages between the access switch and the convergence switch are carried over UDP (User Datagram Protocol) across the network. To ensure security and tamper resistance, the DHCPv6 snooping binding message can be encrypted and hashed. In this invention, encryption uses the shared-key DES (Data Encryption Standard) mode and hashing uses MD5 (Message Digest Algorithm 5).
Fig. 2 is a schematic diagram of the DHCPv6 snooping binding message format provided by an embodiment of the invention.
The DHCPv6 snooping binding message is carried in UDP, and the meaning of each field of the message is as follows:
Version: version number, currently 1;
Type: message type, currently 1, indicating that the message contains binding information;
SeqNo: sequence number, incremented by 1 for every message sent;
SecretLen: length of the encrypted message content;
Signature: MD5 hash of all fields of the DHCPv6 snooping binding message, 16 octets (16 bytes);
SwitchIPAddr: IPv4 address of the switch;
SwitchID: switch identifier (ID), generally the MAC address of the switch's processor, 6 octets (6 bytes);
Count: number of bindings;
ClientMAC: MAC address of the client that leased the address, 6 octets (6 bytes);
Reserved: reserved, filled with 0;
ClientVlanId: VLAN ID of the switch that the client is attached to;
PortNum: number of the switch port the client is on;
ClientIP: IPv6 address of the client, 16 octets (16 bytes);
ClientValidLifetime: valid lifetime of the address assigned by DHCPv6;
BindingTimeStamp: timestamp at which the address was assigned.
The DES key is configured by the client, and the access switch must ensure that its key matches the key of the convergence switch. Before the DHCPv6 snooping binding message is sent, it is first encrypted and then hashed, as follows:
The content of the binding message from the SwitchIPAddr field to the end of the message is DES-encrypted; the ciphertext has the same length as the plaintext. The ciphertext is placed in the region of the DHCPv6 snooping binding message that begins at the SwitchIPAddr field, the ciphertext length is placed in the SecretLen field, and the message is then handed to the hashing unit. For the DES-encrypted DHCPv6 snooping binding message, when computing the MD5 hash, the Signature field is first cleared to zero and the hash is computed over the whole binding message; after hashing, the hash value is written into the Signature field, and the access switch can then send the DHCPv6 snooping binding message.
Step 105: the convergence switch parses the binding information carried in the DHCPv6 snooping binding message and stores it in a local binding information table.
After receiving a DHCPv6 binding message, the convergence switch first performs hash verification, then decryption, and finally parses the binding information from it, as follows:
During hash verification, the value of the Signature field is first backed up, the Signature field is cleared to zero, and the MD5 hash of the whole message is computed. If the hash value equals the backed-up value of the Signature field, hash verification succeeds and DES decryption of the DHCPv6 snooping binding message proceeds. If hash verification fails, the DHCPv6 snooping binding message is discarded. For a received DHCPv6 snooping binding message that passes MD5 hash verification, the convergence switch DES-decrypts the binding message content starting at the position after the Signature field and of the length given by the SecretLen field, restoring the DHCPv6 snooping binding message content from the SwitchIPAddr field onward.
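An added example (not code from the patent or its assignee) that builds the DHCPv6 snooping binding message of steps 104 and 105 and verifies it on the receiving side: the Signature is an MD5 digest over the whole message with the Signature field zeroed, and a message whose digest does not match is discarded. Assumed here are the field widths the text does not give (Version 1, Type 1, SeqNo 2, SecretLen 2, Count/Reserved/ClientVlanId/PortNum 2, lifetime and timestamp 4 octets); the DES step is omitted, so the region from SwitchIPAddr onward is carried as-is while SecretLen still records its length, and all addresses are constructed.

```python
"""Build and verify a DHCPv6 snooping binding message (steps 104 and 105).
Added example; field widths and the omitted DES step are assumptions."""
import hashlib
import hmac
import ipaddress
import struct

# Fixed part: Version, Type, SeqNo, SecretLen, Signature (16 octets).
HEADER = struct.Struct(">BBHH16s")
# Start of the region the text DES-encrypts: SwitchIPAddr (IPv4), SwitchID, Count.
SWITCH = struct.Struct(">4s6sH")
# One binding: ClientMAC, Reserved, ClientVlanId, PortNum, ClientIP,
# ClientValidLifetime, BindingTimeStamp.
BINDING = struct.Struct(">6sHHH16sII")
VERSION = 1          # "version number is currently 1"
TYPE_BINDING = 1     # "type is currently 1: contains binding information"


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_message(seq_no, switch_ip, switch_mac, bindings):
    """Access switch side (step 104).  bindings: list of
    (client_mac, vlan_id, port_num, client_ipv6, valid_lifetime, timestamp)."""
    body = SWITCH.pack(ipaddress.IPv4Address(switch_ip).packed,
                       _mac_bytes(switch_mac), len(bindings))
    for mac, vlan, port, ip, lifetime, stamp in bindings:
        body += BINDING.pack(_mac_bytes(mac), 0, vlan, port,
                             ipaddress.IPv6Address(ip).packed, lifetime, stamp)
    # DES encryption of `body` (same length as the plaintext) would happen
    # here; omitted in this example.  SecretLen still records the region length.
    unsigned = HEADER.pack(VERSION, TYPE_BINDING, seq_no, len(body), bytes(16))
    digest = hashlib.md5(unsigned + body).digest()   # hash with Signature zeroed
    return HEADER.pack(VERSION, TYPE_BINDING, seq_no, len(body), digest) + body


def verify_and_parse(msg: bytes):
    """Convergence switch side (step 105): back up Signature, zero it, recompute
    MD5 over the whole message, discard on mismatch, then parse the body."""
    if len(msg) < HEADER.size:
        return None
    version, mtype, seq_no, secret_len, signature = HEADER.unpack_from(msg)
    zeroed = HEADER.pack(version, mtype, seq_no, secret_len, bytes(16)) + msg[HEADER.size:]
    if not hmac.compare_digest(hashlib.md5(zeroed).digest(), signature):
        return None                     # hash verification failed: drop message
    body = msg[HEADER.size:HEADER.size + secret_len]   # region DES would decrypt
    if version != VERSION or mtype != TYPE_BINDING or len(body) != secret_len:
        return None
    if len(body) < SWITCH.size:
        return None
    ip4, switch_id, count = SWITCH.unpack_from(body)
    if len(body) != SWITCH.size + count * BINDING.size:
        return None                     # Count disagrees with SecretLen
    bindings = []
    for i in range(count):
        mac, _reserved, vlan, port, ip6, lifetime, stamp = BINDING.unpack_from(
            body, SWITCH.size + i * BINDING.size)
        bindings.append({"client_mac": _mac_str(mac), "vlan_id": vlan,
                         "port_num": port,
                         "client_ip": ipaddress.IPv6Address(ip6).compressed,
                         "valid_lifetime": lifetime, "timestamp": stamp})
    return {"seq_no": seq_no, "switch_ip": str(ipaddress.IPv4Address(ip4)),
            "switch_id": _mac_str(switch_id), "bindings": bindings}


# Constructed sample: one client on VLAN 10, port 3, one-day valid lifetime.
SAMPLE_BINDINGS = [("00:11:22:33:44:55", 10, 3, "2001:db8:1::10", 86400, 1329000000)]

if __name__ == "__main__":
    wire = build_message(7, "192.0.2.1", "00:aa:bb:cc:dd:ee", SAMPLE_BINDINGS)
    print(verify_and_parse(wire))
    damaged = bytearray(wire)
    damaged[-1] ^= 0x01                      # one flipped bit in BindingTimeStamp
    print(verify_and_parse(bytes(damaged)))  # None: digest mismatch, discarded
```

Note that the Signature is an unkeyed MD5 digest, so the tamper resistance the text describes rests on the shared DES key of the omitted encryption step, not on the hash alone.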
Step 106: when the convergence switch forwards an IPv6 packet whose destination address is in this network segment, if no link-layer address (Link-Layer Address) corresponding to the packet's destination address exists, it proceeds as follows, with reference to Fig. 3:
Step 1061: detect whether the number of INCOMPLETE neighbor entries in the neighbor table has reached the threshold.
Step 1062: according to the result of step 1061, if the number of INCOMPLETE neighbor entries has not reached the threshold, send a neighbor solicitation message to the neighbor node, insert a neighbor entry into the neighbor table with its state set to INCOMPLETE, and increment the number of INCOMPLETE neighbor entries in the neighbor table by 1.
Step 1063: according to the result of step 1061, if the number of INCOMPLETE neighbor entries has reached the threshold, query whether the address of this neighbor node is in the binding information table.
Step 1064: according to the query result of step 1063, if the address of this neighbor node is in the binding information table, send a neighbor solicitation message to the neighbor node.
Step 1065: according to the query result of step 1063, if the address of this neighbor node is not in the binding information table, do not send a neighbor solicitation message to the neighbor node, and discard the IPv6 packet that was to be forwarded.
Step 107: after the convergence switch receives the neighbor advertisement message corresponding to the neighbor solicitation message, it decrements the number of INCOMPLETE neighbor entries in its neighbor table by 1.
After receiving the neighbor advertisement message, the convergence switch queries the neighbor table according to the destination address in the IPv6 header of the neighbor advertisement message. If a neighbor entry corresponding to that destination address is found, the link-layer address of the entry is updated to the link-layer address carried in the neighbor advertisement message, the state of the entry is set to REACHABLE (Reachable), and the number of INCOMPLETE neighbor entries in the neighbor table is decremented by 1.
Please refer to Fig. 4, which is a block diagram of the system for preventing neighbor learning attacks provided by an embodiment of the invention.
The system for preventing neighbor learning attacks in this embodiment comprises an access switch 402 and a convergence switch 403, where the convergence switch 403 is a layer-3 switching device connecting several IPv6 network segments.
The access switch 402 is connected to a client 401, has a trusted port set, monitors the DHCPv6 request process of the client 401 by DHCPv6 snooping, creates and stores binding information, and sends this binding information to the convergence switch 403.
The access switch 402 is configured with the address of the convergence switch 403 that receives the binding information, and issues to the switching chip a rule that redirects DHCPv6 messages to the switch's processor (CPU); after the switching chip receives a DHCPv6 message, it does not forward it in hardware but redirects it to the processor of the access switch 402, which parses and forwards the message in software.
The detailed monitoring process is: (1) When the access switch 402 captures a DHCPv6 request message from the client 401 through DHCPv6 snooping, it looks up the binding table of the access switch 402 by the source medium access control (MAC) address. If the MAC address is in the binding table, the DHCPv6 request message is forwarded out of the trusted port; otherwise the access switch 402 first creates a temporary REQUEST binding table entry recording the MAC address of the client 401 and the Transaction-ID, port and VLAN (Virtual Local Area Network) of the DHCPv6 request message, and then forwards the DHCPv6 request message out of the trusted port. (2) When the access switch 402 captures the DHCPv6 response message for the client 401 through DHCPv6 snooping, it parses the Transaction-ID, the IPv6 address assigned by IANA (Internet Assigned Numbers Authority) and the valid lifetime from the DHCPv6 response message, and looks up the REQUEST binding table by the Transaction-ID. If a matching Transaction-ID exists, it creates a binding information entry recording the MAC address, IPv6 address, lease time, VLAN number and port number of the client 401 (i.e. the DHCPv6 client).
The access switch 402 adds the binding information obtained by monitoring to a DHCPv6 snooping binding message, encrypts and hashes the binding message, and then sends the binding information to the convergence switch 403 according to the address, configured on the access switch 402, of the convergence switch 403 that receives binding information.
To ensure security and tamper resistance, the DHCPv6 snooping binding message can be encrypted and hashed. In this invention, encryption uses the shared-key Data Encryption Standard mode and hashing uses Message Digest Algorithm 5.
The DES key is configured by the client 401, and the access switch 402 must ensure that its key matches the key of the convergence switch 403. Before the DHCPv6 snooping binding message is sent, it is first encrypted and then hashed, as follows:
The content of the binding message from the SwitchIPAddr field to the end of the message is DES-encrypted; the ciphertext has the same length as the plaintext. The ciphertext is placed in the region of the DHCPv6 snooping binding message that begins at the SwitchIPAddr field, the ciphertext length is placed in the SecretLen field, and the message is then handed to the hashing unit. For the DHCPv6 snooping binding message DES-encrypted by the access switch 402, when computing the MD5 hash, the Signature field is first cleared to zero and the hash is computed over the whole binding message; after hashing, the hash value is written into the Signature field, and the access switch 402 can then send the DHCPv6 snooping binding message.
The convergence switch 403 is connected to several access switches 402; a threshold for the number of allowed INCOMPLETE neighbor entries is set on it, and it stores received binding information in a binding information table. When forwarding an IPv6 packet, if no link-layer address corresponding to the packet's destination address exists, it checks whether the number of INCOMPLETE neighbor entries in the neighbor table has reached the threshold; if it has not, it sends a neighbor solicitation message to the neighbor node, inserts a neighbor entry into the neighbor table with its state set to INCOMPLETE, and increments the number of INCOMPLETE neighbor entries by 1; if it has, it queries whether the address of the neighbor node is in the binding information table, does not send a neighbor solicitation message if it is not, and sends one if it is.
After receiving a DHCPv6 binding message, the convergence switch 403 first performs hash verification, then decryption, and finally parses the binding information from it, as follows:
During hash verification, the value of the Signature field is first backed up, the Signature field is cleared to zero, and the MD5 hash of the whole message is computed. If the hash value equals the backed-up value of the Signature field, hash verification succeeds and DES decryption of the DHCPv6 snooping binding message proceeds. If hash verification fails, the DHCPv6 snooping binding message is discarded. For a received DHCPv6 snooping binding message that passes MD5 hash verification, the convergence switch 403 DES-decrypts the binding message content starting at the position after the Signature field and of the length given by the SecretLen field, restoring the DHCPv6 snooping binding message content from the SwitchIPAddr field onward.
After the convergence switch 403 receives the neighbor advertisement message corresponding to the neighbor solicitation message, it queries the neighbor table according to the destination address in the IPv6 header of the neighbor advertisement message. If a neighbor entry corresponding to that destination address is found, the link-layer address of the entry is updated to the link-layer address carried in the neighbor advertisement message, the state of the entry is set to REACHABLE, and the number of INCOMPLETE neighbor entries in the neighbor table is decremented by 1.
The system for preventing neighbor learning attacks provided by the embodiment of the invention sets a threshold for the number of INCOMPLETE neighbor entries allowed on the convergence switch 403 and, once the number of INCOMPLETE neighbor entries in the neighbor table exceeds that threshold, judges the reachability of a neighbor node against the binding information table obtained by DHCPv6 snooping. This avoids large-scale neighbor learning triggered by malicious packets and effectively solves the problem of neighbor learning attacks in IPv6 networks.
The above is only a preferred embodiment of the present invention and the technical principles applied; any person skilled in the art can easily conceive of variations or substitutions within the technical scope disclosed by the present invention, and these should all fall within the protection scope of the present invention.

Claims (10)

1. A method for preventing neighbor-learning attacks, characterized in that it comprises the following steps:
A. setting a threshold on the number of Incomplete-state neighbor entries that a convergence switch permits;
B. an access switch monitors clients' DHCPv6 request processes through DHCPv6 snooping (DHCPv6 being the IPv6 version of DHCP), creates and stores binding information, and sends that binding information to said convergence switch;
C. the convergence switch receives the binding information and stores it in a binding information table;
D. when forwarding an IPv6 packet, if the link-layer address corresponding to the packet's destination address does not exist, the convergence switch checks whether the number of Incomplete-state neighbor entries in its neighbor table has reached said threshold; if it has not, the convergence switch sends a neighbor solicitation message to the neighbor node; if it has, the convergence switch looks up whether the neighbor node's address exists in said binding information table, sends the neighbor solicitation message if it does, and does not send the neighbor solicitation message if it does not;
E. after the convergence switch receives the neighbor advertisement message corresponding to said neighbor solicitation message, it decrements the number of Incomplete-state neighbor entries in its neighbor table by 1.
2. The method for preventing neighbor-learning attacks according to claim 1, characterized in that said step B further comprises:
the access switch installing in its switching chip a rule that redirects DHCPv6 messages to the switch's processor; on receiving a DHCPv6 message, the switching chip does not forward it in hardware but redirects it to the access switch's processor, where software parses and forwards the message.
3. The method for preventing neighbor-learning attacks according to claim 2, characterized in that said step B further comprises:
the access switch placing said binding information in a DHCPv6 snooping binding message, encrypting and hashing said binding message, and then sending said binding information to the convergence switch according to the address, configured on the access switch, of the convergence switch that receives binding information.
4. The method for preventing neighbor-learning attacks according to claim 3, characterized in that said step C specifically comprises:
the convergence switch parsing the binding information carried in the DHCPv6 snooping binding message and storing it in a local binding information table, wherein said binding messages are the binding messages passed in by all access switches connected to said convergence switch.
5. The method for preventing neighbor-learning attacks according to claim 4, characterized in that in said step D, if the number of Incomplete-state neighbor entries in the neighbor table has not reached the threshold, the convergence switch sends a neighbor solicitation message to the neighbor node, inserts a neighbor entry into said neighbor table with its state set to Incomplete, and increments the number of Incomplete-state neighbor entries in the neighbor table by 1.
6. The method for preventing neighbor-learning attacks according to claim 5, characterized in that said step E specifically further comprises:
the convergence switch looking up the neighbor table by the destination address in the IPv6 header of the neighbor advertisement message; if a neighbor entry corresponding to that destination address is found, updating the link-layer address of said neighbor entry to the link-layer address carried in the neighbor advertisement message, setting the state of the entry to Reachable, and decrementing the number of Incomplete-state neighbor entries in the neighbor table by 1.
7. A system for preventing neighbor-learning attacks, characterized in that it comprises:
an access switch, connected to clients, which monitors clients' DHCPv6 request processes through DHCPv6 snooping, creates and stores binding information, and sends that binding information to a convergence switch;
a convergence switch, connected to the access switch, on which a threshold on the number of permitted Incomplete-state neighbor entries is set and which stores the received binding information in a binding information table; when forwarding an IPv6 packet whose destination address has no corresponding link-layer address, the convergence switch checks whether the number of Incomplete-state neighbor entries in its neighbor table has reached said threshold; if it has not, the convergence switch sends a neighbor solicitation message to the neighbor node, inserts a neighbor entry into said neighbor table with its state set to Incomplete, and increments the number of Incomplete-state neighbor entries in the neighbor table by 1; if it has, the convergence switch looks up whether the neighbor node's address exists in said binding information table, does not send the neighbor solicitation message if it does not, and sends the neighbor solicitation message if it does.
8. The system for preventing neighbor-learning attacks according to claim 7, characterized in that said access switch is further configured to:
install in its switching chip a rule that redirects DHCPv6 messages to the switch's processor, so that on receiving a DHCPv6 message the switching chip does not forward it in hardware but redirects it to the access switch's processor, where software parses and forwards the message; place said binding information in a DHCPv6 snooping binding message, encrypt and hash said binding message, and then send said binding information to the convergence switch according to the address, configured on the access switch, of the convergence switch that receives binding information.
9. The system for preventing neighbor-learning attacks according to claim 8, characterized in that said convergence switch is further configured to:
parse the binding information carried in the DHCPv6 snooping binding message and store it in a local binding information table, wherein said binding messages are the binding messages passed in by all access switches connected to said convergence switch.
10. The system for preventing neighbor-learning attacks according to claim 9, characterized in that said convergence switch is further configured to:
look up the neighbor table by the destination address in the IPv6 header of the neighbor advertisement message received in response to the neighbor solicitation message; if a neighbor entry corresponding to that destination address is found, update the link-layer address of said neighbor entry to the link-layer address carried in the neighbor advertisement message, set the state of the entry to Reachable, and decrement the number of Incomplete-state neighbor entries in the neighbor table by 1.
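An added example, not from the patent, that models steps A to E of claim 1 together with the refinements of claims 5 and 6 in Python: a convergence switch with a neighbor table, a count of Incomplete entries, a configured threshold and a DHCPv6-snooping binding table. The sample addresses, the threshold value and the attacker's scan are constructed. Two details the claims leave open are filled in as assumptions and marked in the comments: a packet to an address whose solicitation is already outstanding does not trigger a second solicitation or a second increment, and a solicitation sent past the threshold for an address found in the binding table still creates an Incomplete entry and increments the count, so that the later neighbor advertisement can clear it. The advertisement handler keys the lookup on the solicited target address rather than literally on the IPv6 header destination the claims name.

```python
"""Neighbor-learning rate limit of claims 1, 5 and 6, modelled in Python.
Added example; not code from the patent. Sample data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class NeighborEntry:
    ipv6: str
    state: str                      # "incomplete" or "reachable"
    lladdr: Optional[str] = None    # link-layer (MAC) address once learned


@dataclass
class ConvergenceSwitch:
    incomplete_threshold: int                             # step A
    binding_table: Set[str] = field(default_factory=set)  # step C: addresses learned via DHCPv6 snooping
    neighbor_table: Dict[str, NeighborEntry] = field(default_factory=dict)
    incomplete_count: int = 0
    solicitations_sent: List[str] = field(default_factory=list)

    def learn_binding(self, client_ipv6: str) -> None:
        """Step C: store binding information reported by an access switch."""
        self.binding_table.add(client_ipv6)

    def forward(self, dst: str) -> str:
        """Step D: called when an IPv6 packet to dst is to be forwarded.
        Returns 'forwarded', 'pending', 'solicited' or 'dropped'."""
        entry = self.neighbor_table.get(dst)
        if entry is not None and entry.state == "reachable":
            return "forwarded"
        if entry is not None:
            # Assumption (claims are silent): a solicitation for dst is already
            # outstanding, so do not solicit again or count it twice.
            return "pending"
        if self.incomplete_count < self.incomplete_threshold:
            self._solicit(dst)                   # below threshold: claim 5
            return "solicited"
        if dst in self.binding_table:
            self._solicit(dst)                   # at threshold but DHCPv6-bound: still solicit
            return "solicited"
        return "dropped"                         # at threshold and unbound: no solicitation

    def _solicit(self, dst: str) -> None:
        # Assumption: the bound-address branch of step D also creates the
        # Incomplete entry and increments the count, so step E can undo it.
        self.neighbor_table[dst] = NeighborEntry(dst, "incomplete")
        self.incomplete_count += 1
        self.solicitations_sent.append(dst)

    def on_neighbor_advertisement(self, target: str, lladdr: str) -> bool:
        """Step E / claim 6: a neighbor advertisement for target arrived.
        Assumption: the entry is looked up by the solicited target address."""
        entry = self.neighbor_table.get(target)
        if entry is None:
            return False                         # unsolicited advertisement: nothing to update
        if entry.state == "incomplete":
            self.incomplete_count -= 1
        entry.lladdr = lladdr
        entry.state = "reachable"
        return True


def demo(threshold: int = 2) -> dict:
    """Constructed scenario: one legitimate DHCPv6 client, one attacker scanning."""
    sw = ConvergenceSwitch(incomplete_threshold=threshold)
    sw.learn_binding("2001:db8::10")             # binding reported by an access switch
    scan = [sw.forward("2001:db8::dead:%x" % i) for i in range(5)]  # attacker hits unused addresses
    bound = sw.forward("2001:db8::10")           # traffic to the legitimate, not yet resolved client
    na_ok = sw.on_neighbor_advertisement("2001:db8::10", "00:11:22:33:44:55")
    return {
        "scan": scan,
        "bound": bound,
        "na_ok": na_ok,
        "after": sw.forward("2001:db8::10"),
        "incomplete": sw.incomplete_count,
        "ns_sent": len(sw.solicitations_sent),
    }


if __name__ == "__main__":
    print(demo())
```

With a threshold of 2 the attacker's five probes yield two solicitations and three drops, while the DHCPv6-bound client is still solicited past the threshold and becomes Reachable once its advertisement arrives; the binding table is what separates the two cases, so its integrity (claims 3 and 4) is what the whole limit rests on.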
CN201210034007.6A 2012-02-15 2012-02-15 A kind of method and system preventing neighbor learning attack Active CN102571816B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210034007.6A CN102571816B (en) 2012-02-15 2012-02-15 A kind of method and system preventing neighbor learning attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210034007.6A CN102571816B (en) 2012-02-15 2012-02-15 A kind of method and system preventing neighbor learning attack

Publications (2)

Publication Number Publication Date
CN102571816A true CN102571816A (en) 2012-07-11
CN102571816B CN102571816B (en) 2015-09-30

Family

ID=46416290

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210034007.6A Active CN102571816B (en) 2012-02-15 2012-02-15 A kind of method and system preventing neighbor learning attack

Country Status (1)

Country Link
CN (1) CN102571816B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103560960A (en) * 2013-11-04 2014-02-05 神州数码网络(北京)有限公司 Access control list dynamic updating method and Ethernet switch

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070130427A1 (en) * 2005-11-17 2007-06-07 Nortel Networks Limited Method for defending against denial-of-service attack on the IPV6 neighbor cache
CN101022340A (en) * 2007-03-30 2007-08-22 武汉烽火网络有限责任公司 Intelligent control method for realizing city Ethernet exchanger switch-in security
CN101631130A (en) * 2009-08-27 2010-01-20 杭州华三通信技术有限公司 Route advertising method and device among direct-connecting EBGP neighbors
CN101764734A (en) * 2008-12-25 2010-06-30 中兴通讯股份有限公司 Method for improving neighbor discovery safety in IPv6 (Internet Protocol Version 6) environment and broadband access equipment

Also Published As

Publication number Publication date
CN102571816B (en) 2015-09-30

Similar Documents

Publication Publication Date Title
US9654502B2 (en) Protecting address resolution protocol neighbor discovery cache against denial of service attacks
US8037530B1 (en) Method and apparatus for providing adaptive self-synchronized dynamic address translation as an intrusion detection sensor
CN102223365B (en) User access method and device based on SSL (Secure Socket Layer) VPN (Virtual Private Network) gateway cluster
CN102546661B (en) A kind of method and system preventing IPv6 gateway neighbours spoofing attack
CN103297563B (en) A kind of method preventing repeated address detection attack of identity-based certification
CN102546428A (en) System and method for internet protocol version 6 (IPv6) message switching based on dynamic host configuration protocol for IPv6 (DHCPv6) interception
CN101674306B (en) Address resolution protocol message processing method and switch
CN112332901B (en) A kind of mobile access authentication method and device for integration of heaven and earth
Hassan et al. Enhancing security for IPv6 neighbor discovery protocol using cryptography
CN103402197B (en) A kind of position based on IPv6 technology and path concealment guard method
CN102437966A (en) Layer-3 switching system and method based on layer-2 DHCP (Dynamic Host Configuration Protocol) SNOOPING
CN102572013A (en) Method and system for realizing proxy address resolution protocol (ARP) based on gratuitous ARP
CN102546663A (en) Method and device for preventing duplication address detection attack
CN102546429A (en) Method and system for authenticating intra-site automatic tunnel addressing protocol (ISATAP) tunnels based on dynamic host configuration protocol (DHCP) monitoring
CN101552677B (en) Processing method and exchange equipment for address detected message
CN102594882A (en) Neighbor discovery proxy method and system based on Dynamic Host Configuration Protocol for Internet Protocol Version 6 (DHCPv6) monitoring
Ahmed et al. Improving security for IPv6 neighbor discovery
Praptodiyono et al. Improvement of address resolution security in IPv6 local network using trust-ND
Limmaneewichid et al. P-ARP: A novel enhanced authentication scheme for securing ARP
Li et al. SDN-Ti: a general solution based on SDN to attacker traceback and identification in IPv6 networks
Hilgenstieler et al. Extensions to the source path isolation engine for precise and efficient log-based IP traceback
CN102571816B (en) A kind of method and system preventing neighbor learning attack
Song et al. An Anti-DoS Duplicate Address Detection Model.
CN102546307A (en) Method and system for realizing proxy ARP (Address Resolution Protocol) function based on DHCP (Dynamic Host Configuration Protocol) interception
KR101188308B1 (en) Pseudo packet monitoring system for address resolution protocol spoofing monitoring of malicious code and pseudo packet monitoring method therefor

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
    Address after: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza
    Patentee after: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd.
    Country or region after: China
    Address before: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza
    Patentee before: DIGITAL CHINA NETWORKS (BEIJING) Ltd.
    Country or region before: China
TR01 Transfer of patent right
    Effective date of registration: 20240814
    Address after: 100085 No.301, 3rd floor, 9 shangdijiu street, Haidian District, Beijing
    Patentee after: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd.
    Country or region after: China
    Patentee after: Shenzhou Kuntai (Xiamen) Information Technology Co.,Ltd.
    Address before: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza
    Patentee before: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd.
    Country or region before: China